Managing embedded finance risks

by Chad Gerhardstein, Jay Chakraborty and Eugénie Krijnsen

Embedded finance presents a compelling set of possibilities for businesses to reach customers in new ways, build operational scale, and rethink how products and services are deployed. But as is often the case, these opportunities are accompanied by risks.

As we have written about previously, success across the embedded finance spectrum—from one-off point-of-sale (POS) technology to solutions for full vertical integration with multiple third parties—requires a major shift in mindset and capabilities. Our proprietary risk framework sets out five emerging areas for participants within financial ecosystems to consider, stretching beyond existing risks that are inherent to financial products. The five areas include: interoperability, data containment, complex partnerships, vulnerable customers and distributed risks. Forming an understanding of each of these is critical to manage emerging risks in a prudent and collaborative manner.

Confronting existing risk

Despite the need to monitor the emerging risks outlined in our framework, both incumbent financial institutions and new entrants must continue to keep a close eye on a number of wider, existing risk scenarios. Traditional risks stemming from credit, liquidity, interest rates, and operations remain especially relevant, as highlighted by recent stress in US and European banking markets.

As strategic leaders tool up to operationalise embedded finance, they need to recognise and confront these broader market risks head-on if they are to compete in a shifting economic landscape. For instance, banks that occupy a utility role within ecosystems—as a licensed partner or a liquidity provider—may be left with highly regulated and capital-intensive activities that yield little in the way of customer data and returns. Smaller banks and retailers may struggle to establish themselves in the market as consolidation becomes more widespread in the face of industry headwinds. For their part, consolidation of the largest players—including “too big to fail” banks and big-tech companies—could create an insurmountable competitive advantage within ecosystems that lock customers into a handful of embedded finance providers.

Financial services CEOs cited their top risks over the next five years as economic volatility (34%), cyber risks (33%) and inflation (30%).

PwC’s 26th Annual Global CEO Survey

Risk management and technological integration

Delivering embedded finance solutions starts with well-integrated technology. In addition to existing market risks, financial institutions and new entrants are facing an evolving set of risks that are tied to upgrading tech stacks and integrating streamlined application programming interfaces (APIs) between partners. New embedded financial technologies must protect the integrity of the underlying transactions and customers’ data, provide seamless authentication and authorisation, and allow for the creation of visible audit trails.

However, ensuring embedded applications are unpinned by technology that closely adheres to regulatory and compliance rules—whilst keeping them true to their purpose of being seamlessly integrated and easy to use—represents a significant challenge within incumbent financial institutions, where legacy tech is still common. It is equally difficult for innovative fintechs competing for market access without the proper risk management capabilities, which may result in lost consumer trust due to data leaks and breaches, fraudulent activity, and inoperable products.

APIs: Delivering frictionless customer experiences

Application programming interface (API) computing tools enable the often complex communication between financial and non-financial entities across offerings in banking-as-a-service (BaaS), payments-as-a-service (PaaS) and insurance-as-a-service (IaaS). They facilitate an increasingly wide range of digital platforms and solutions, from e-commerce websites to digital wallets. Ultimately, these and other technologies enable customers to access digital financial services quickly and seamlessly, whether they are purchasing goods and services, securing a loan or managing a broad financial portfolio.

The embedded finance risk framework

We have identified five elements that consistently influence the embedded finance journey: interoperability, data containment, complex partnerships, vulnerable customers and distributed risk. New areas of focus within these topics point to important risk implications for all players, but particularly for incumbent banks, who must double down on specific priorities: tech-powered transformation, data-enabled customer focus and an entrepreneurial approach to relationship-building.

Interoperability

By its nature, embedded finance depends on interoperability, which is having the right cloud architecture, authentication services and embedded finance API technology to facilitate transactions between organisations. However, because ecosystems that underpin embedded finance necessarily involve multiple intermediary partners—such as fintech, infrastructure providers, platform providers and banks—they must be managed carefully. To do this, companies require new tech capabilities and a robust strategy that includes greater consideration of accountability and the risks related to the component interoperability between technologies, customer user experience (UX), and ecosystem partners. It must also closely define approaches to open, cloud-based architecture, given that companies are being investigated by regulators, and in some cases, issued significant fines, for third-party developer access restrictions to their open architecture platforms.

Ultimately, financial institutions need to update their technology stack and take steps towards open-ended architecture by building up their digital capabilities and talent, whilst enhancing their risk management. The same is true for product-led fintechs, which are not accustomed to incorporating risk practices into their operations to the extent that is required for embedded finance governance and delivery. New entrants that demonstrate a credible risk management function, tailored to handle unique and emerging operational and compliance risks, will be winners within competitive markets.

A fully articulated interoperability strategy can also reduce costs and unlock enhanced revenue and new business opportunities. Open architecture lays the foundation for banks to develop technological capabilities, service offerings, and innovative financial solutions that are compatible and customisable across platforms. This can lead to a competitive edge when banks are recognised as software- and technology-enabling partners—rather than solely traditional providers of regulated financial services. These supporting capabilities also increase the scope of services that banks, and other financial institutions, can provide to customer-facing platforms, including the integration of existing products and services into embedded finance ecosystems.

Data containment

Data allows companies to retain customer loyalty in specific ecosystems and underpins the provision of seamless customer experiences—that don’t interrupt their purchases. However, the complexities of open architectures lead to an increase in the partial ownership and usage of data. Customer data is typically exchanged by multiple players in an ecosystem, from the formulation of privacy and data sharing agreements, to obtaining consent for data capture and sharing.

Indeed, broader questions about data acquisition, ownership, usage, retention and disposal practices pose significant risks, alongside security concerns such as data theft, breaches and cyberattacks. Recent class action lawsuits have been brought, for example, against fintechs for negligent data security practices and for harvesting and selling customer data without consent. On the incumbent side, established financial institutions have been fined for data leaks via their online platforms and the improper disposal of hardware via third-party providers.

Data privacy regulations and scrutiny from consumer watchdog agencies will increase pressure on risk functions. Customers are at risk from both intentionally misused data and unintentional, improper data handling. Regulators such as the Consumer Financial Protection Bureau in the US have published new guidelines that aim to provide embedded finance consumers, such as those using buy-now-pay-later applications, the same protections as credit card users. To counter these data containment risks and ensure strong controls on data security, privacy, and consumer protection, organisations in embedded finance networks require more sophisticated data governance and technology risk management programmes than are currently in place.

What’s more, sharing customer data among financial organisations, digital platforms and product-led fintechs creates new vulnerabilities. Smaller or newer entrants in particular often lack the knowledge, operating effectiveness or even organisational stability to conduct diligent risk analysis for data. Larger banks and other incumbent financial institutions, which have built reputations as stewards of customer data, now need to do more through collective and coordinated efforts to maintain customer confidence, trust, and loyalty.

Organisations will also need to be attuned to emerging risks from new models and algorithms that consume and transform alternative data. These can lead to challenges such as data (and data analytics) being used in ways that are unfair, discriminatory or non-transparent to both consumers and regulators.

Ultimately, the proliferation of APIs requires strong inventory and change management, as well as documentation controls, to mitigate data leakage and risks. When the right protections are in place, financial institutions can access customer information beyond financial data, including purchasing behaviours and preferences, which can be used to tailor new products and services, as well as empower cross-selling opportunities across ecosystem partners.

Complex partnerships

In embedded finance, partnership risks are much broader, owing to the complexities of open architecture, new monetisation strategies and the need to shift from a liabilities management mindset to a more entrepreneurial approach.

Take, for example, the case of a large retailer looking to offer banking services to its customers. The retailer is adept at managing its partnerships with distributors, suppliers and shipping companies, as well as the attendant operational, product and financial risks. However, their capabilities do not naturally extend to partnerships with banks, fintechs and other financial vendors. For the retailer’s risk managers, working effectively with financial institutions will involve building up a certain degree of internal knowledge in areas such as new risk taxonomies, liquidity, regulatory scrutiny, know-your-customer (KYC), terms and conditions communications, and more. Conversely, financial institutions must enhance their capabilities to help them understand and integrate with practices in non-financial companies.

Another example is the two-way partnership that needs to exist between fintechs and a sponsor organisation, such as a big bank or insurer. It is necessary for the bank to understand how fintechs manage risks and obligations in an effective manner, without just transferring the underlying risks back to them. Fintechs need access to the bank’s technology stack, and they must also understand how any supporting services are being performed, such as credit underwriting, KYC and transaction monitoring.

When approaching these partnerships strategically, companies not only diversify their risk exposure but create a resilient business process and IT ecosystem that allows them to be agile. With the right partnerships, companies can break into new embedded finance markets, building innovative products and services within the ever-changing fintech environment.

Vulnerable customers

Embedded finance applications allow non-banking organisations in virtually any industry to break into financial services without taking on the significant regulatory burden associated with the sector. This creates a unique risk around customer ownership for all parties, and particularly for incumbent financial organisations.

As an example, a manufacturing company offers customers a credit card that allows them to access special financing when used at the organisation. To enable the manufacturer to recognise some of the interchange revenue from the spend on those cards, it creates a new company by leveraging a financial institution as the servicer and financier of the accounts. It also engages with a global payment processor as the intermediary between that servicer and the customer’s bank to maximise the end points where those cards can be used.

Questions for each party in this ecosystem abound: Who owns which piece of the customer relationship? Does the bank own the right to cross-sell to that customer for lending and other credit opportunities? Who is responsible for the duty of care of customers who are being incentivised to spend—and could do so beyond their means?

A manufacturing company doesn’t usually need to consider customer ownership when its products are purchased, but an embedded finance venture must do so pre-emptively—giving partners sufficient rights to the customer relationship to make it worthwhile for them too. Additionally, organisations must manage the risks associated with how they, and their partners, communicate with customers and generate brand loyalty to their products and services.

Distributed risk

Distributed risk—the increase in risk transfer across complex ecosystems—is the culmination of all the risks we have outlined up to this point. This type of risk, which is shared among many players, has existed within financial relationships for decades, an example being how a bank may white label its services through a credit card provider and a payment processor. However, the risk has become exponentially greater within embedded ecosystems that involve more players touching the same data and transactions, often at the same time.

Regulated banks and financial institutions, which are accountable and liable for securing customer data as it passes through the multiplayer distributed ecosystem, therefore take on additional data protection responsibilities with open-banking relationships. Lack of awareness and knowledge around security and risk management practices of their third-, fourth- and fifth-party vendors can quickly spiral out of hand. Risks exist across multiple points of failure for security, data privacy, money laundering, and other unsafe practices and vulnerabilities. Regulators and watchdog groups are increasing their scrutiny of these areas; a recent case involved US regulators ordering a bank to improve its supervision of third-party fintech partnerships (after an advocacy group voiced concerns over the bank’s practices).

Other complicating factors include increased ambiguity around risk insights and ownership, extensive and non-transparent fourth- and fifth-party relationships, and convoluted or “mixed type” transaction flows, both domestically and internationally. Looking ahead, emerging technologies, including Web 3.0, metaverse and decentralised finance (DeFi), are likely to increase distributed risks by further widening the number of players and partners within embedded finance ecosystems. A compounding factor at this stage is the lack of regulatory frameworks for alternative payments, financial instruments, or digital assets like stablecoins, cryptocurrencies and non-fungible tokens (NFTs).

When tackling distributed risk, traditional risk management practices remain effective, but companies must bolster them with new techniques and approaches to ensure effective oversight and mitigation where appropriate. Implementing risk management frameworks and operationalising periodic third-party risk assessment programmes can help identify distributed risks among the various vendor parties. Instituting identity and access management (IAM) policies, including zero trust and least-privilege access control, can avert severe consequences such as data theft, denial of service attacks and malware injection attacks, to name a few. Well-known practices, such as transference, avoidance and acceptance, are still appropriate to help mitigate risks. But it is crucial to consistently challenge historical organisational biases and experiences—especially as distributed risks evolve with the growing adoption of embedded finance.

As the conversation shifts away from pure risk and resilience to value preservation—and eventually to the value created through revenues from the embedded finance market—complacency is not an option. Throughout ecosystems within this space, growth for organisations will depend on their ability to reconceive and adapt their business models—and anticipate and manage the new and emerging risks that lie ahead.

Authors

Chad Gerhardstein is a leading practitioner in PwC’s cyber risk and regulation practice, focusing on serving companies in the fintech, payments, and digital assets sectors. Based in Cincinnati, he is a principal with PwC US.

Jay Chakraborty specialises in digital and emerging risks for banking and capital markets clients in PwC’s consulting solutions practice. Based in New Jersey, he is a principal with PwC US.

Eugénie Krijnsen is PwC's global financial services advisory leader and the financial sector industry leader in the Netherlands. She advises global executives on innovation and leadership strategies, as well as transformational and regulatory challenges. Based in Amsterdam, she is a partner with PwC Netherlands.

With contributions from Rupashree Banerji, Eric Rice and Sufyan Qteishat

Managing risks in the transition to integrated financial services

The competitive landscape of embedded finance is evolving. Players must expand their risk awareness to grow and remain resilient.