The fintech sector across Asia has grown at extraordinary speed, with Singapore, Indonesia, and Vietnam each recording double-digit growth in digital financial services over the past three years. Behind the customer-facing apps and trading platforms sits a layer of enterprise software that rarely makes headlines. It quietly determines whether a company stays compliant or drifts into serious risk.
Enterprise Resource Planning systems, particularly Microsoft Dynamics 365 Business Central, are widely adopted by mid-sized fintech operations to manage finance, procurement, and reporting. Many organisations configure user access once during implementation and then barely revisit it. Staff roles change, teams expand across borders, and before long a single employee may hold permissions that create conflicts of interest no auditor would approve.
This is exactly the kind of challenge that the 2-Controlware team has been addressing for over 17 years from their base in Breda, the Netherlands. Their authorisation software, built specifically for Business Central and older NAV versions, enables organisations to design, manage, and continuously monitor who can do what inside the system. For fintech companies handling sensitive financial data across jurisdictions like Singapore, Indonesia, and Hong Kong, that kind of granular access management directly addresses audit requirements.
Rapid Growth Exposes Gaps in Internal Access Management
When a fintech company scales from 50 to 500 employees in under three years, its ERP permissions rarely keep pace. Segregation-of-duties conflicts, where one person holds incompatible permissions, are among the most common findings in ERP audits across the financial services sector. In fast-moving fintech environments, these gaps tend to be wider still.
The risk is tangible. An employee in accounts payable who also has access to vendor master data can theoretically create fictitious suppliers and approve payments to them. Without systematic checks on role assignments and function separation, these vulnerabilities remain invisible until an external audit flags them or until actual fraud occurs.
Fintech firms operating across multiple Asian markets face additional complexity. A team member in Ho Chi Minh City may need different system access than a colleague in Singapore, yet both work within the same Business Central environment. Managing these distinctions manually through spreadsheets or ad hoc permission changes introduces the kind of inconsistency that regulators specifically look for.
Compliance Pressure from Multiple Jurisdictions
Asia’s regulatory landscape for financial technology is anything but uniform. The Monetary Authority of Singapore enforces strict technology risk management under its TRM Guidelines, while Hong Kong’s SFC maintains its own requirements for licensed corporations. Japan’s Financial Services Agency updated its cybersecurity expectations in early 2024, placing greater emphasis on internal access controls.
Organisations subject to SOx requirements through US-listed parent entities face even higher stakes. SOx Section 404 demands that management assess and report on the effectiveness of internal controls over financial reporting. Segregation of duties within ERP systems sits at the heart of that assessment, and tools like Authorization Box from 2-Controlware provide conflict detection and continuous monitoring features that directly support this compliance work.
Regional data protection laws add another dimension. Thailand’s PDPA, which came into full effect in June 2022, and Indonesia’s Personal Data Protection Law (Law No. 27 of 2022) both require organisations to restrict access to personal data on a need-to-know basis. Properly configured ERP authorisations remain one of the most practical ways to demonstrate compliance with these provisions during regulatory inspections.
Continuous Monitoring Changes the Game
Traditional approaches to ERP access control tend to be periodic. A company runs an access review once per quarter, identifies issues, remediates them, and waits another three months. In an industry where new employees are onboarded weekly and roles shift constantly, quarterly reviews leave dangerous blind spots.
Continuous monitoring flips that model entirely. Instead of reviewing permissions after the fact, the system flags conflicts and anomalies as they arise. The 2-Controlware team built this capability into their platform specifically because retroactive detection proved consistently too slow for clients managing fast-changing teams across multiple offices.
For fintech operations in Asia, where speed of execution is a competitive advantage but regulatory scrutiny keeps intensifying, always-on oversight is becoming a baseline expectation. Firms across Singapore, Hong Kong, and Tokyo are channelling more resources into automated compliance tooling each year to match the pace of both headcount growth and evolving local regulation.
Building Authorisation into the Foundation
The most effective approach treats authorisation design as a foundational element of ERP implementation rather than something to address later. This means defining organisational roles, mapping them to system permissions, and establishing segregation-of-duties rules before the first user logs in. Field-level security, which restricts access to specific data fields rather than entire modules, adds further precision for sensitive financial records.
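The role-to-permission mapping and segregation-of-duties rules described above can be checked mechanically, including the accounts payable and vendor master data conflict mentioned earlier. The following is an added example, not code from 2-Controlware or Authorization Box; every role, permission and user name in it is a constructed placeholder. It reports conflicts that only appear when a user's roles are combined, and checks a pending role grant before it is applied.

```python
# Constructed role map; labels are hypothetical, not Business Central permission sets.
ROLE_PERMISSIONS = {
    "AP_CLERK": {"invoice.post", "payment.approve"},
    "VENDOR_ADMIN": {"vendor.create", "vendor.edit_bank"},
    "REPORTING": {"ledger.read"},
}

# Segregation-of-duties rules: permission pairs one person must not combine.
SOD_RULES = [
    ("vendor.create", "payment.approve"),
    ("vendor.edit_bank", "payment.approve"),
]

# Constructed user assignments.
ASSIGNMENTS = {
    "alice": {"AP_CLERK"},
    "bao": {"AP_CLERK", "VENDOR_ADMIN"},
    "chen": {"VENDOR_ADMIN", "REPORTING"},
}

def effective_permissions(roles):
    """Map each permission to the set of roles that grant it."""
    granted = {}
    for role in roles:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unmapped role: {role}")  # fail closed
        for perm in ROLE_PERMISSIONS[role]:
            granted.setdefault(perm, set()).add(role)
    return granted

def find_conflicts(assignments):
    """Return (user, perm_a, perm_b, roles_involved) for every violated rule."""
    findings = []
    for user in sorted(assignments):
        granted = effective_permissions(assignments[user])
        for a, b in SOD_RULES:
            if a in granted and b in granted:
                findings.append((user, a, b, sorted(granted[a] | granted[b])))
    return findings

def conflicts_introduced(assignments, user, new_role):
    """Conflicts a pending role grant would add, checked before it is applied."""
    current = set(assignments.get(user, set()))
    before = {f[1:3] for f in find_conflicts({user: current})}
    after = find_conflicts({user: current | {new_role}})
    return [f for f in after if f[1:3] not in before]

if __name__ == "__main__":
    print(find_conflicts(ASSIGNMENTS))
```

Running `find_conflicts` on a schedule corresponds to the periodic review model, while calling `conflicts_introduced` at the moment a role change is requested is the continuous model.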
Fintech companies planning expansion into new Asian markets will find that building robust access architecture from day one avoids costly remediation later. Retrofitting controls onto a live system with hundreds of active users across three or four countries typically requires dedicated project teams working for several months. Getting the permission structure right during the initial rollout keeps audit preparation manageable and reduces the operational disruption that comes with large-scale access reviews after go-live.











