Financial services (FS) organisations continue to be the largest buyer of IT, technology and outsourcing services globally, accounting for around 20% of the total market. While positive news for IT & technology suppliers, this trend belies some of the new challenges arising, and transformational shifts occurring, in the FS industry.
This post sets out some of the forces for change in the FS sector and the impact on tech suppliers’ legal and contract risk and processes.
Forces for change in the FS market – technology, innovation, risk and regulation
Firstly, the same technology revolution that has affected other industries is driving major changes in supply and demand of the FS market, as FS firms look for new solutions across cloud, digital, big data, analytics, RPA and blockchain – deployed through new techniques and methodologies such as Agile and DevOps.
Secondly, the number of reported cyberattacks on FS firms has spiked. New legislation (including GDPR and NIS), customer expectation and reputation management have added significant pressure on FS firms to act. They no longer see cybersecurity as a ‘vertical’ for the Head of IT to manage, but as a ‘horizontal’ to be addressed holistically across the IT ecosystem and outsourced functions.
Thirdly, broader changes in the regulatory landscape since the 2008 financial crisis have transformed the FS industry. The result is FS firms are looking to outsourced suppliers as both partners in achieving compliance and potential points of failure – while ‘FinTech’ and ‘RegTech’ solutions purportedly designed to enable regulatory compliance proliferate.
These forces have already changed the FS tech market and will continue to do so. While IT and tech continue to play a key role in any FS firm’s cost reduction and innovation strategy, the trends are clear: fewer ‘mega-deals’, more disaggregation, more third party cloud and software solutions, and an increased focus on integration and leveraging security and compliance tools.
New risks and challenges for suppliers in the FinTech ecosystem
This wave of innovation and change is creating new legal and contractual considerations. The need to comply with existing and upcoming FinTech-specific regulation, the increased use of and focus on data, and the new collaborations that are required to leverage new opportunities, pose new challenges for lawyers advising in the field.
Many of these new issues are being faced by the banks and the new FinTech market entrants directly. But traditional tech vendors seeking to develop new service lines, take advantage of new customer opportunities and create inter-supplier collaborations also need to think about their role in the FinTech ecosystem and the new legal challenges.
1. Partnering with new FinTech platforms
The more complex and inter-connected supply chains inherent in FinTech mean a supplier will often find itself working with various third parties, including proprietary software vendors, cloud providers, and so on. Many of these are disruptive FinTech start-ups and new market entrants and have very different ways of contracting and providing their services. It will therefore be important that suppliers taking an integrator role manage their contractual risk – by negotiating robustly with their third parties, and managing risk through appropriate flow-ups with their customers.
For example, a supplier appointed to configure, integrate or implement a new “out-of-the-box” FinTech product into their broader services needs to ensure it does not become liable for that product to the extent that it cannot recover from the third party. Similarly, it should seek to avoid committing to the service availability of that product within the customer service levels, as these are unlikely to be mirrored in the third party contract. It is about sensible risk management and being clear with customers that the new complex ecosystem requires a different way of contracting, and that integrators and customers alike must share and manage the risk of working with these new disruptors.
2. Regulatory compliance for core FS operations
The FS industry is, of course, highly regulated, both through domestic legislation (e.g. FSMA, FCA/PRA) and EU legislation (e.g. MiFID, PSD2). Earlier this year, the European Banking Authority published updated guidelines on outsourcing arrangements (we will post an update on this soon). This myriad of ever-evolving requirements often results in major FS institutions having large compliance teams, as fines for failure to adhere to the rules can be substantial.
Tech vendors need to be careful that they do not unknowingly take on responsibility for compliance with this plethora of regulation, at least not without ensuring a suitable approach to manage this regulatory environment and its associated risks. A supplier acting as an integrator, working with a third party software provider who is willing to warrant regulatory compliance for end users, must ensure that its responsibility does not go further than the limits on which the third party makes its warranty.
3. Working with FS customer data
The accumulation and deployment of large sets of customer/banking data in new and innovative ways is often at the heart of a FinTech deal. The sources of this data have expanded as the ecosystem has grown, and it may include sensitive, financial and payment data. These trends can increase the supplier’s risk through volume and scale, because, in addition to being subject to financial regulation, this data will also be protected by data protection regulation (e.g. GDPR).
Tech suppliers should be careful to avoid unwittingly positioning themselves as a data controller. Whilst this can be stated contractually, the determining factor will be what happens in practice. As customers ask suppliers to get more and more insights out of their data, suppliers are incentivised to run analytics and machine learning to get more value. At a certain point, the supplier might be exercising a reasonable or high degree of discretion in how to achieve this, which puts the supplier in the realms of controlling the purpose for which the data is used. Suffice to say this expands the supplier’s risk both contractually and under GDPR, so ensuring the customer remains solely responsible for determining the means and processing of personal data will be important when doing data-rich deals in the FS/FinTech space.
Balancing risks and opportunities to make the most of the FinTech wave
These are a few of the issues we see arising within the broader FinTech ecosystem. While the opportunities are clear, tech suppliers will need to ensure they give appropriate consideration to the associated risks involved.