Non-financial risk management in fintechs, neobanks and payment service providers: From startup spirit to regulatory maturity
From special audits to DORA: FinTechs are facing increasing regulatory requirements. Learn how a professional non-financial risk management (NFR) ensures compliance and supports growth in a pragmatic way.
- From reacting to controlling - how financial companies can manage NFR professionally
- Regulatory requirements with a sense of proportion: simplified requirements for young companies
- Growth with built-in compliance: pragmatically scaling regulatory requirements
- Modular expert support as an accelerator - until your own team is in place
- Tangible advantages at a glance:
- Mastering regulatory requirements, enabling growth
"The entire company initially underestimated compliance and regulatory processes."
Valentin Stalf, co-founder of N26, reflected on this in an interview with Handelsblatt after resigning from his position on the Management Board.
FinTechs and neobanks have revolutionized the financial sector. With lean structures, cloud-based platforms and user-centric products, they are setting new standards in terms of speed and innovation. Customer growth, investor interest and regulatory attention are increasing in equal measure.
However, as success grows, so does complexity: processes are becoming more complex, regulatory requirements stricter and dependence on technology is increasing. Risks no longer only arise from market movements or lending, but also from system failures, cyber attacks, compliance breaches and operational errors. Prominent examples of special audits at well-known fintechs, neobanks and payment service providers show that a lack of structures in both risk management and IT processes can quickly lead to massive requirements, e.g. a ban on new product processes, the appointment of a special auditor and, not infrequently, the replacement of individual members of management.
While established banks often have mature documentation, risk management processes and IT processes that have been tested several times and continuously improved, NFR management at FinTechs is often still in its infancy and fragmented: different methodologies, different models in Excel lists, manual processes and controls, and a lack of systematic recording (or inconsistent recording) dominate.
FinTechs are particularly challenged by their digital infrastructure and regulatory requirements. Experience from the industry speaks for itself: in special audits, coordinating and processing the measures needed to close the findings in a structured and verifiable manner often takes months, sometimes even years. These projects quickly cost six- to seven-figure sums and often lead to a halt in growth.
From reacting to controlling – how financial companies can manage NFR professionally
The good news: FinTechs, neobanks and payment service providers can also establish resilient, regulatory-compliant and agile non-financial risk management if they set the right course early on.
An integrated approach, tailored to the specific challenges of FinTechs, neobanks and payment service providers, includes:
1. Structure instead of fragmentation
Away from isolated solutions such as Excel and email, towards a central, digital platform solution in an integrated IT architecture. Especially in rapidly growing FinTechs, neobanks and payment service providers, it is crucial to systematically record risks across all topics and teams before isolated solutions become unmanageable.
2. Decentralized responsibility, central control
Tech, product and operations teams are at the source of operational risks every day. Risk self-assessments make it possible to identify risks where they arise. Central risk management ensures consistency and comparability and thus creates a bridge between start-up dynamics and regulatory expectations.
3. Learning from incidents
An audit-proof loss database is particularly valuable for FinTechs, neobanks and payment service providers: it not only helps to close control gaps, but also provides arguments to regulators and investors that risks are understood and actively managed.
4. Quantitative foundation
Methods such as Monte Carlo simulations can be used to calculate aggregated risk values – a prerequisite for meeting ICAAP requirements and putting business plans on a solid footing. For FinTechs, this means using risk management not only as a duty, but also as a management tool.
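As an added illustration of the aggregation described above (example code, not the author's method or tooling), the following script applies the loss distribution approach to a constructed loss database: a Poisson event frequency and a lognormal severity are fitted from the entries, and a seeded Monte Carlo simulation yields the expected loss and a 99.9 % value-at-risk of the aggregated annual loss. The database figures, parameters and function names are assumptions.

```python
import math
import random

# Constructed sample of an internal loss database (EUR): an assumption, not the
# page's data. Each entry is one operational loss event in the given year.
LOSS_DATABASE = {
    2022: [1200.0, 8600.0, 450.0, 23000.0, 3100.0, 700.0, 15400.0, 2200.0, 980.0, 5600.0, 1750.0, 410.0],
    2023: [3300.0, 640.0, 19000.0, 2700.0, 870.0, 4400.0, 1300.0, 52000.0, 2900.0, 760.0, 6100.0, 1900.0, 1100.0],
    2024: [930.0, 2400.0, 7800.0, 1500.0, 380.0, 11000.0, 2600.0, 4900.0, 1250.0, 680.0, 3400.0],
}

def fit_parameters(db):
    """Poisson frequency (events per year) and lognormal severity (mu, sigma) from the database."""
    losses = [x for events in db.values() for x in events]
    lam = len(losses) / len(db)
    logs = [math.log(x) for x in losses]
    mu = sum(logs) / len(logs)
    sigma = math.sqrt(sum((v - mu) ** 2 for v in logs) / (len(logs) - 1))
    return lam, mu, sigma

def poisson(rng, lam):
    """Knuth's algorithm; adequate for the small event rates seen here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_aggregate(lam, mu, sigma, trials=20000, seed=1):
    """One simulated year = sum of N ~ Poisson(lam) lognormal losses; returns sorted annual totals."""
    rng = random.Random(seed)
    yearly = []
    for _ in range(trials):
        n = poisson(rng, lam)
        yearly.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return sorted(yearly)

def analytic_expected_loss(lam, mu, sigma):
    """Closed-form mean of the aggregate loss, used as a sanity check on the simulation."""
    return lam * math.exp(mu + sigma ** 2 / 2)

def risk_figures(yearly, q=0.999):
    """Expected loss, VaR at confidence q, and unexpected loss (VaR minus expected loss)."""
    expected = sum(yearly) / len(yearly)
    var = yearly[min(int(q * len(yearly)), len(yearly) - 1)]
    return {"expected_loss": expected, "var": var, "unexpected_loss": var - expected}

if __name__ == "__main__":
    lam, mu, sigma = fit_parameters(LOSS_DATABASE)
    print(risk_figures(simulate_aggregate(lam, mu, sigma)))
```

The unexpected loss is the figure that feeds a capital requirement, while the expected loss belongs in the business plan.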
5. Measures and reporting
Investors, regulators and internal committees expect transparency. Risks should not only be described, but also addressed with concrete measures. Systematic tracking and target group-oriented reporting are the key here – especially for young institutions under high external pressure.
Regulatory requirements with a sense of proportion: simplified requirements for young companies
In addition to establishing a robust NFR framework, young financial companies can also rely on graduated requirements when implementing regulatory requirements.
When establishing FinTechs, neobanks and payment service providers, it is first necessary to prepare various documents for the license application with the respective national supervisory authority. In Germany, this is BaFin. Business operations may only commence once the license has been issued. Once the application documents have been submitted to the supervisory authority, a well thought-out and structured approach must be established for setting up appropriate compliance in the business and IT environment by the day business operations commence.
During implementation, simplifications can be made in the application of the applicable regulations depending on the risk, size and complexity of the company. Graduated requirements therefore apply to so-called micro-enterprises (e.g. with few employees or low transaction volumes). The company carries out an analysis and determines whether the simplified risk management framework can be applied in accordance with Art. 16 DORA and the RTS RMF. The simplifications include:
- no digital resilience strategy,
- no assignment of responsibility to a control function,
- no annual documentation and review requirement,
- no ICT business continuity guideline,
- no requirement for redundant ICT capabilities.
Further simplifications relate to more flexible documentation requirements, no fixed reporting intervals and simplified requirements in third-party management (e.g. no separate strategy or central staff unit required).
Simplifications are also being discussed in the context of annual audits. BaFin has announced that there will be transitional arrangements for the first-time audit of DORA requirements, for example no detailed reporting obligation for deficiencies remedied during the year and a shortened effectiveness test in the first year.
Despite various simplifications, the obligation to implement the DORA requirements remains in place, albeit with simplified means. ICT risk management and the selection of IT service providers remain the main focus of supervision, and contracts with third-party providers must be DORA-compliant (e.g. with clear security and reporting obligations).
It is therefore worthwhile for young companies to work with specialized consultants in order to implement the requirements in a structured and resource-saving manner from the outset – without unnecessary bureaucracy.
Growth with built-in compliance: pragmatically scaling regulatory requirements
Particularly in the start-up and early scaling phase, speed counts: product development, customer acquisition and funding set the pace. It is normal for governance and compliance structures to be kept lean at first – but it is crucial to allow them to grow in a targeted and verifiable manner. In this way, regulatory maturity gradually emerges from the start-up spirit without overloading the organization.
Instead of building “everything at once”, FinTechs start with a lean control set and expand it along product and volume milestones. In reality, expansion often cannot keep pace with growth – as the volume of business increases, so does the need for auditing and documentation. A structured but lightweight NFR setup prevents unnecessary rework in audits and facilitates constructive supervisory dialog – without taking the focus away from the core business.
Modular expert support as an accelerator – until your own team is in place
A practical solution is to have experienced external specialists take over central regulatory functions on a modular and temporary basis during the transition period. Depending on requirements, tasks in risk management, compliance, outsourcing management, information security or other control functions can be covered. The specialists are integrated directly into the existing systems and processes, so the support is effective immediately while internal know-how is built up in parallel.
This approach is characterized by complete integration (no black box outsourcing), a time limit and a consistent focus on a structured handover to the resulting in-house team. Operational relief in the start-up and scale-up phase, accompanying coaching, audit-proof documentation and a clear handover structure are at the forefront.
Tangible advantages at a glance:
- The focus on product and growth is maintained while compliance is ensured.
- Clear evidence and audit-proof artifacts shorten reconciliations and create security.
- The organization is quickly ready to go and can anchor regulatory requirements internally in the long term.
This enables FinTechs to pragmatically scale regulatory requirements – and creates the basis for sustainable growth with built-in compliance.
Mastering regulatory requirements, enabling growth
Professional NFR management is far more than a regulatory obligation; it is a strategic enabler.
It creates trust among investors, customers and regulators, reduces operational risks and enables sustainable growth. Investing early saves time, money and nerves later on.
We provide support with practical solutions:
From the development of lean NFR frameworks to the application of simplified requirements and the temporary assumption of key roles. This creates structures that are efficient today and scalable tomorrow.
Let's work together to create structures that provide regulatory certainty and accelerate your growth at the same time.