In the 14th century, Chaucer used the word trust to mean "virtual certainty and well-grounded hope." Since then, psychologists have described trust as an essential ingredient for social functioning, which, in turn, affects many economic variables. So how do we define trust in the 21st century, in the age of the internet? In particular, how do fintechs, relative newcomers in the financial services industry and not yet coalesced into an industry, gain the trust of the public? Would they more effectively gain that trust by relying on banks to hold them to certain standards, or by coming together to create their own?
In 2004, social psychologists Hans-Werver Bierhoff and Bernd Vornefeld, in "The Social Psychology of Trust with Applications in the Internet," wrote about trust in relation to technology and systems. They observed that "trust and risk are complementary terms. Risk is generally based on mistrust, whereas trust is associated with less doubts about security." They further explained that trust in technology and systems is based on whether an individual believes the system's security is guaranteed. Psychologically speaking, when companies show customers they care about the security of their information, customers have increased confidence in the company and the overall system. Understanding this provides insight into the development of certification authorities, third-party verification processes, and standardized levels of security.
To understand how fintechs might gain the trust of consumers and the financial industry, it's worth taking a step back, to look at how traditional financial services, before the internet and fintechs, used principles similar to those outlined by Bierhoff and Vornefeld. Take, for example, the following list of efforts the industry has taken to garner trust (this list is by no means comprehensive):
- FDIC-insured depository institutions must advertise FDIC membership.
- All financial institutions (FI) must undergo regulator supervision and examination.
- FIs must get U.S. Patriot Act Certifications from any foreign banks that they maintain a correspondent account with.
- Organizations with payment card data must comply with the PCI Standards Council's security standards and audit requirements.
- Organizations processing ACH can have NACHA membership but must follow NACHA Operating Rules and undergo annual audits and risk assessments.
- The Accredited Standards Committee X9 Financial Industry Standards Inc. has developed international as well as domestic standards for FIs.
- The International Organization for Standardization has also developed international standards for financial services.
- The American National Standards Institute provides membership options and develops standards and accreditation for financial services.
FIs have often been an integral part of the standards creation process. To the extent that these standards and requirements also affect fintechs, shouldn't fintechs also have a seat at the table? In addition, regulatory agencies have given us an additional overarching "virtual certainty' that FIs are adhering to the agreed-upon standards. Who will provide that oversight—and virtual certainty—for the fintechs?
The issue of privacy further adds to the confusion surrounding fintechs. The Gramm-Leach-Bliley Act (GLBA) of 1999 requires companies defined under the law as "financial institutions" to ensure the security and confidentiality of customer information. Further, the Federal Trade Commission's (FTC) Safeguards Rule requires FIs to have measures in place to keep customer information secure, and to comply with certain limitations on disclosure of nonpublic personal information. It's not clear that the GLBA's and FTC's definition of "financial institution" includes fintechs.
So, how will new entrants to financial services build trust? Will fintechs adopt the same standards, certifications, and verifications so they can influence assessments of risk versus security? What oversight will provide overarching virtual certainty that new systems are secure? And in the case of privacy, will fintechs identify themselves as FIs under the law? Or will it be up to a fintech's partnering financial institution to supervise compliance? As fintechs continue to blaze new trails, we will need clear directives as to which existing trust guarantees (certifications, verifications, and standards) apply to them and who will enforce those expectations.
As Bierhoff and Vornefeld conclude, "it is an empirical question how the balance between trust and distrust relates to successful use of the Internet." Although Chaucer was born a little too soon for internet access, he might agree.
By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed