Fintech Genome

Fintech Risk Events: An open catalog of Fintech business failures


#1

Fintech is the promise a democratizing financial services using modern technology. This is only a promise at this stage. There is no well defined end-state, much less a concrete path to get there. Yet it is fairly clear that the promise will remain unfulfilled if fintech develops the same pathologies of the existing models for serving finance.

At the Open Risk Manual we maintain a list of fintech risk events. We now have a new event to study, learn from and immunize against:


Will America and Asia follow the European lead with PSD2?
#2

@Philippos the Fintech Risk Event list that is maintained on the Open Risk Manual, is very valuable. I have created a Google sheet that allows the Fintech Community to add events that are missing and that may qualify in the future. See definitions and categorization below the link.
What is missing?

Fintech Risk Events is an open catalog of observed (publicized) operational failures of fintech business models.

Basel Operational Risk Classification
It is instructive to attempt to classify events according to the globally recognized bank regulatory framework (Basel) as listed below:
Internal Fraud - misappropriation of assets, tax evasion, intentional mismarking of positions, bribery
External Fraud - theft of information, hacking damage, third-party theft and forgery
Employment Practices and Workplace Safety - discrimination, workers compensation, employee health and safety
Legal Risk - Clients, Products, and Business Practice - market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning
Physical Damage - Damage to Physical Assets - natural disasters, terrorism, vandalism
Business Disruption and Systems Failures - utility disruptions, software failures, hardware failures
Business Execution, Delivery, and Process Management - data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets
This classification may be tenuous in some instances, given the novelty of business models.


#3

Many thanks @Efi for raising awareness around this resource and even building a helpful data entry form! Hopefully the broader fintech community will join-in to shape the effort going forward.

We see two main dimensions to build on (but welcome any suggestions)

  • Capturing pointers to more events. There are probably significant gaps in current list especially in what concerns non-English speaking jurisdictions (that might have less visibility in the English media) or older relevant events recorded before fintech became a “thing”.
  • Pointers to more in-depth analysis of events. We presently borrowed from the Basel high level classification. These high level event types are very general and therefore won’t change much (versus traditional finserv). But as we go down to more detailed Level 2 and Level 3 classifications (Annex 9 of Basel) it is likely that fintech has its own emergent risk types.

The so called “operational risks” captured here were lethal for incumbent business models and the track record shows already that they are likely to be equally challenging for fintech models. Bottom-up, pro-active and shared thinking and problem solving could be a significant competitive advantage…


#4

@Philippos @Efi Great intiative. I was going to add Wells Fargo and Libor and…but realised they are Finserve incumbents. What does jump out is how small the Fintech risk events are compared to Finserve - maybe just how long Fintech has been around.

What about SWIFT hacks? Is SWIFT an old Fintech from before Fintech was a word?

Operarional risk aka cybercrime is the biggie IMHO and affects Fintech and Finserve equally.


#5

Thanks for the feedback @BernardLunn !

Large firm mishaps are collected already quite comprehensively by the ORX association. Alas not public but on a “Give to Get” basis (which means only large participating banks get to see anonymized data of other large bank’s operational risk events, amounts lost due to fraud, damage, litigation etc). The idea behind the ORX exercise was similar - to enable better understanding of the risk profile of various business lines. ORX currently have over 500K registered events leading to over $340bln of monetary loss(…!) They are not called incumbents for nothing :slight_smile:

SWIFT raises interesting questions as to where we draw the line, both in time and per type of business model (being a jointly owned infrastructure). Inclined to include it as its both a key vulnerability of digital finance and the “joint infrastructure” model will likely find replication in blockchain implementations.


#6

This is a pretty awesome list. Thanks @Philippos! Will there be a list of lessons from failures for fintech business as well?


#7

We will certainly do our part @huan.vo ! Yet the principle of the Open Risk Manual is for the fintech community of practitioners and experts to contribute to the knowledge base - to mutual benefit.


#8

Is there any reason that Powa’s failure shouldnt be included in the list?
Awaiting community approval before adding for the payments fintech out of the UK.

I was just reading about the hype before the blowup


#9

Powa dully included. Also Clinkle, a startup who “Got Hacked Before It Even Launched” :frowning:
Today is Tesco Bank news day, but in terms of inclusion it is actually a fairly old enterprise (1997)…


#10

Hi @Philippos. Very interesting initiative.

I really like the goal you’ve set: Understanding (potentially) new vulnerabilities of new financial service models. I see there being 3 flavours of operational risk that would need to be pulled apart from each other in order to achieve the goal. I wondered if you’d thought of something like this and if so, whether you had come up with any way to filter for them.

  1. Risks specific to FinTech business models that could otherwise not exist in classical models. For example: Bitcoin / blockchain risk events.
  2. Risks specific to early stage financial services startups (i.e., most FinTechs) vs incumbents. For example: Not having enough capital or talent to implement industry standard cybersecurity protection.
  3. Risks common to any financial service institution. For example: Fraud, discrimination etc.

Keep up the great work!

Eytan


#11

Hi @Philippos Clinkle struck me as nothing to do with Fintech. Could have been a new dog food commerce venture with some entitled insiders thinking they are smarter than they are. But Powa, Monetise and Mozido all look show how hard it is to win in Payments. I don’t think we will see Payments disruption until Bitcoin goes mainstream.


#12

Hi @EytanB, many thanks for the feedback and your good insights.

The current classification using the regulatory (Basel II) catalog is a bit of a convenient strawman, to be replaced as we develop a better understanding of emergent risk types / sub-types applicable to the fintech landscape. Your filters would be much more natural in this updated version.

The background to this is that the regulatory framework has very good coverage for “type 3” risks, but knows nothing about early stage or emergent risks. In fact “business model risk” (the risk of a new business model failing to catch on, or - for an incumbent - that an existing business model becomes obsolete) is not covered at all by traditional regulation :grin:. This reflects the fact that regulated entities usually have well established business models that are not expected to be disrupted (…) and also because regulators usually shy away from “doing the banker’s work” - at substantially lower pay… Lately business model risk has become a hot topic (at least in Europe) but it exhausts itself in studies of spread compression due to low rates, missing entirely the big picture about the persistence (or not) of value propositions.

Our take is that:

  1. we need to do much better analysis of fintech risk at a much lower cost (forget pay-per-minute consultants, think crowdsourcing risk know how :blush:
  2. a fresh starting point is to think about vulnerabilities by stressing the “business model canvas”

Stay tuned :slight_smile: