Working in fintech made me more paranoid about my own data—and also resigned to the fact that true privacy is a myth.
Most of what I assumed about how regulated financial apps worked was wrong…
Expectation: My ID, selfie and other sensitive info is securely processed by machines.
Reality: Multiple humans have access to all this info. At least a few humans might also review your account—and maybe even debated whether my ID photo actually looks like me.
—
Expectation: When an account gets flagged for fraud, it’s just this one company that’s suspicious about the account.
Reality: Many fintechs are data incestuous and share fraud & KYC data to mitigate bad actors, meaning getting flagged in one place could follow you elsewhere.
—
Expectation: When I hit “delete my data,” it’s wiped from existence.
Reality: Thanks to retention policies instituted by regulators, your data needs to stick around for a couple years in case reviews need to happen—sometimes even if the company goes under.
—
Working in fintech has given me a new appreciation for the people & rules keeping bad actors out of financial systems.
But it’s also made me more cautious about my own data—because once it’s in, it’s in the hands of many & not going anywhere anytime soon.
Before working in fintech, I was but a lonely consumer going through KYC systems and using financial apps, with many assumptions about why fintechs did specific things and how they handled my data. Now that I work in fintech, I realized I was dead wrong about those assumptions
Before : When I upload my ID or put sensitive information in KYC systems, they are kept safe, secure and away from human’s eyes, just through the automated systems.
After: Every ID or selfie you upload can pass through (several) humans.
Before: Financial companies are just annoying when they say “we can’t tell you any more information about why your account/transaction was declined.”
After: There’s a reason for the vague reasons for “account rejections” from fintech companies — they don’t want to tip off bad actors who then learn how to better bypass the kyc systems.
Before: When I request to delete my data, my data is completely wiped out of the system.
After: There are retention policies that require that data about users stick around for a minimum of 5 years after input, even if the company shuts down.