Fintech & Data Paranoia

Working in fintech made me more paranoid about my own data—and also resigned to the fact that true privacy is a myth.

Most of what I assumed about how regulated financial apps worked was wrong…

Expectation: My ID, selfie and other sensitive info is securely processed by machines.

Reality: Multiple humans have access to all this info. At least a few humans might also review your account—and maybe even debated whether my ID photo actually looks like me.

Expectation: When an account gets flagged for fraud, it’s just this one company that’s suspicious about the account.

Reality: Many fintechs are data incestuous and share fraud & KYC data to mitigate bad actors, meaning getting flagged in one place could follow you elsewhere.

Expectation: When I hit “delete my data,” it’s wiped from existence.

Reality: Thanks to retention policies instituted by regulators, your data needs to stick around for a couple years in case reviews need to happen—sometimes even if the company goes under.

Working in fintech has given me a new appreciation for the people & rules keeping bad actors out of financial systems.

But it’s also made me more cautious about my own data—because once it’s in, it’s in the hands of many & not going anywhere anytime soon.

Before working in fintech, I was but a lonely consumer going through KYC systems and using financial apps, with many assumptions about why fintechs did specific things and how they handled my data. Now that I work in fintech, I realized I was dead wrong about those assumptions

Before : When I upload my ID or put sensitive information in KYC systems, they are kept safe, secure and away from human’s eyes, just through the automated systems.

After: Every ID or selfie you upload can pass through (several) humans.

Before: Financial companies are just annoying when they say “we can’t tell you any more information about why your account/transaction was declined.”

After: There’s a reason for the vague reasons for “account rejections” from fintech companies — they don’t want to tip off bad actors who then learn how to better bypass the kyc systems.

Before: When I request to delete my data, my data is completely wiped out of the system.

After: There are retention policies that require that data about users stick around for a minimum of 5 years after input, even if the company shuts down.