Main thoughts
- The financial services industry is projected to grow several fold in the current decade.
- Fintech startups will be up against a host of security, compliance, scalability, data management, and other challenges that will be even more difficult to deal with than before.
- The average cost of a data breach is around $5.97 million (Statista, 2022).
- Failure to comply with any of the multiple compliance regulations (e.g., KYC, AML, PCI DSS) that are binding upon financial institutions can cost bankers and other financiers a pile of money too.
- To ensure the security of your Fintech application and its compliance with the regulations in place in your geography, one should start right with the way the code of your Fintech app is written: your development team must be using secure coding practices during the development of your app.
- It is paramount to secure access to your Fintech application, and, in some cases, to the different parts of the functionality within the application.
- All sensitive user and other data must be encrypted using an advanced encryption algorithm, like AES-256.
- Users may want to access your app via another application. To be secure, such interactions between two applications usually use API tokens for user authentication and authorization purposes.
Introduction
The Financial services industry is projected to grow several fold in the current decade. Nearly a half of the population of the world remains unbanked. Successful economies emerge worldwide, and new Fintech innovation-enabled business models (like, for example, alternative credit scoring or alternative underwriting) crop up.
Along with the diverse multiple regional differences and regulations that promote the emergence of local Fintech market players, these and other hefty factors guarantee Fintech startups will mushroom in the future. Still, they will be up against a host of security, compliance, scalability, data management, and other challenges that will likely be even more difficult to deal with than before.
As long-time Fintech software developers, we are well-familiar with these challenges. This article will tell you about them and suggest ways to deal with them and the risks they bring.
Don't have time to read?
Book a free meeting with our experts to discover how we can help you.
Book a MeetingSecurity and Compliance
The Financial Services industry is increasingly up against a mammoth number of scams. These scams are constantly becoming more diverse and sophisticated. Quite often, they result in costly data breaches. The average cost of a data breach is around $ 5.97 million (Statista, 2022), which means that the average financial institution can easily suffer yearly losses of several hundred million dollars.
However, there’ve also been incidents of much larger scale that one cannot rule out either if the right safeguards aren’t put in place. For instance, the notorious Capital One Data Breach, when an unknown individual gained unauthorized access to certain types of credit card information about Capital One’s credit card customers and individuals, who applied for the company’s credit card products. The incident that occurred in 2019 is believed to have affected 100 million people in the U.S. and around 6 million people in Canada. It has resulted in a $190 million dollar class action settlement.
By the same token, failure to comply with any of the multiple compliance regulations (e.g., KYC, AML, PCI DSS) that are binding upon financial institutions can cost bankers and other financiers a pile of money too. For example, a failure to comply with the GDPR can result in fines of up to EURO 20 million or 4% of the organization’s annual turnover.
How to ensure the security of your Fintech application and its compliance with the regulations in place in your geography?
First off, one should do this on different levels. The importance of none of these levels can be played down. One should start right with the way the code of your Fintech app is written: your development team must be using secure coding practices during the development of your app.
Next, it is paramount to secure access to your Fintech application, and, in some cases, to the different parts of the functionality within the application. For this purpose, you can use either two-factor authentication (the way most banks do nowadays), or multi-factor authentication. Please note that one can ensure the highest level of security when one of the security factors is some kind of biometrics-based Identity Verification, especially Iris Recognition.
With regards to the different functional modules and data types, it is necessary to implement Role-based access control (ROA), whereby access to sensitive data can only be gained by users with corresponding access privileges. Also, it is a must to implement timed login sessions and monitoring of unauthorized logins – the latter will help uncover at least some of the gaps that may exist in the application’s security.
One of the more crucial areas in the security of Fintech applications is data storage. All sensitive user and other data must be encrypted using an advanced encryption algorithm, like, for instance AES-256. Moreover, in many cases, it makes all the sense to store some of the more sensitive data components separately. For example, when it deals with card processing, parameters like CVV, card number, and expiration date must be stored in 3 different databases – again, encrypted and, preferably, password- or- 2FA-protected.
Another important area security-wise is the interactions of your Fintech application with external systems. Users may want to access your app via another application. To be secure, such interactions between two applications usually use API tokens for user authentication and authorization purposes. API tokens are unique, device-specific pieces of code that contain user-specific information. They allow one to securely grant users access to an application via an API. In developing this functionality for a Fintech app, it is important to implement API token rotation with 5-10 minute intervals to cut the odds of a token getting intercepted by a malicious actor.
One must grant access to the personal data your financial institution holds only to those of your employees, who really need this access in accordance with their work duties. To secure employee access to personal data, you can use 2FA, or, even, multi-factor authentication.
To dramatically mitigate the compliance risks, one can use several best practices that help preempt unwanted scenarios here. We’ll take the example of GDPR to look at the more important of these approaches.
First and foremost, it makes sense to make it a governing principle within your financial institution to import as little personal data as possible from your business partners. This means that you should discuss this matter with them and arrange for remote access to such data if you need it.
Secondly, use data scrambling for all the personal client data you hold. You can use fictitious data or scramble the data otherwise – just make it unreadable and unusable when it is at rest. Besides, one must robustly firewall all your data storages that hold personal data.
Security-wise, it is also a lot better to store personal data in a Cloud from a well-established provider than use some hosting service: serious Cloud server providers take a number of effective measures to protect their Clouds.
Next, your IT infrastructure must contain a scanning and deletion capability that automatically deletes the data that starts meeting certain configurable criteria. This functionality must be flexible enough to adopt any possible future changes in the GDPR legislation. You must also be able to easily locate and delete all data that pertains to a specific customer in response to their request.
Lastly, it is impossible to enforce GDPR compliance at a financial institution without including it in your working relationships with your employees and business partners. Because of this, make sure that your agreements with them are GDPR-compliant too.
Scalability
No Fintech solution can be considered viable if scalability is not embedded in it from the outset. A Fintech must always be able to support a growing amount of business and the knowledge and resources needed to handle the resulting workload.
Financial Services is an industry that is extremely high on competition. New products come into being all the time. Customer feedback arrives daily, entailing a diverse number of changes and adjustments. Fintechs that are built without this in mind simply die in the bud or wither away in the longer run.
Imagine a Fintech solution that supports only a single local set of compliance parameters one can either expand, nor configure. A Fintech like this can encounter serious difficulties in case of an even minor change in legislation. In some cases, it may also be unable to go international. A payment Fintech that was initially planned as a local one and can process only a limited set of currencies and a limited volume of transactions is unlikely to be able to avail themselves of any new economic trends that arise beyond the bounds of their initial geography.
However, the consequences of low scalability can sometimes be lots worse than a Fintech’s inability to expand. A quite recent and illustrative example would be the Robinhood outage that took place in 2020 and has resulted in a major class action. The California-based Robinhood offers a trading app that suffered several outages in early March of 2020, failing to provide traders with the ability to trade during a massive rally that occurred back then. In April, 2023, the company reportedly reached a $10.2 settlement on the outage.
It is possible to solve scalability issues of practically any scale by employing Load Balancing or Cloud Computing.
Load balancing is a technique that allows you to use several backend instances instead of just one. You can add one or more of these instances as the number of users and load on your system increase and the capacity of your first backend instance begins to fall short. This way it is possible to increase the capacity of your Fintech application severalfold.
Cloud Computing makes it possible for you to scale your application virtually limitlessly by using the calculation capacity (or, in other words, the virtual servers) of a Cloud provider.
It should be mentioned that while both the techniques can be quite effective in solving scalability problems, Cloud Computing is generally a more hassle-free one. You don’t need to have the hardware needed for adding more backend instances, conduct load testing to determine the amount of capacity a new instance will add, or actually add these instances when this is required – either manually or automatically.
Integration with Legacy Systems
As business entities, present-day banks date back more than 500 years. Quite often, they are very major business entities, whose business processes are about as ancient. In a vast number of instances, these business processes came to be automated several decades ago, and the banks that use them are still operating on the legacy department-specific systems adopted at that time.
The data used by the different departments of a bank resides in their department’s data silos. It is managed for various business purposes mostly within these data silos. Hence, is the poor integration ability of most of the legacy banking applications. This poor integration ability prevents legacy banking apps from freely exchanging data with other systems, both external and internal ones. Thus, unable to freely exchange data, banking institutions are stripped of two abilities that are critical nowadays: the ability to adopt innovation like AI or Blockchain, and the ability to start providing modern services with the help of external Fintech providers.
Besides, it sometimes becomes vastly difficult and costly to support Mergers & Acquisitions by integrating the corresponding software solutions. In this context, what comes to mind is the TSB Bank’s bungled migration of 5.2 million customers to the system’s of Bank Sabadell that bought TSB in 2015. The migration that took place in 2018 eventually cost TSB Bank £ 350 million in problem resolution and customer compensation payments.
It is also important to remember that legacy applications dictate legacy and rather ineffective integration methods like peer connection integration.
Basically, while dealing with legacy systems, you are facing only two options: build one or several microservices (or middleware) and an API to be able to continue using your legacy app, or build the application anew – here, the decision is always specifics-based. As a rule, one should still regard the former option as a temporary one even though it is likely to allow you to continue using the software for a very extensive period of time.
Complex Business Logic
Fintech is a realm where most of the software functionality is either moderately or significantly complex. Such functionality can include:
- Calculation functionality, including dynamic calculation.
- Validation functionality (e.g. merchant validation, transaction validation, or the validation of the correspondence of search criteria to the user profile).
- Verification functionality (e.g. client verification functionality).
- Various Fraud detection functionality.
- Assessment functionality (e.g. risk assessment functionality in lending and other apps),
and multiple other types of Fintech functionality.
While complex Fintech functionality remains quite demanding to implement at all times, there are several strategies and approaches that can help make it more robust, efficient and easy-to-use.
First off, it is advisable to use microservices in implementing complex Fintech functionality. This approach has proven to be extremely productive in the case of a large number of Fintech applications. Furthermore, to optimize application performance, it’s best to develop a separate microservice for each of the operations your functionality is intended to perform. This will also facilitate the addition of any new business logic in the future – something you must necessarily factor in in Fintech.
In order to better tailor Fintech functionality to one’s business needs, it can make sense to use the domain-driven approach, whereby it is your exact business needs that become the starting point and foundation for the development of your Fintech app.
One more approach that can greatly improve the performance of your Fintech application is using Machine Learning for any data-intensive routine operations, where the data to be retrieved and displayed must meet some specified criteria. ML learning can significantly speed up such operations and make your app a lot more user-friendly.
In regard to the calculation functionality, your Fintech app must perform any data-intensive calculations in the background and beforehand, and not just as the user accesses the corresponding page.
Overall, it should be said that in developing Fintech functionality one should try to automate any operations and steps that can be automated.
User Experience Design
Fintech is an extremely complex and data-intensive business domain. It is known for intricate and complex calculation and other operations, complex dynamic functionality, and complicated user flows. This is added to by a great deal of industry jargon, a large part of which is not understandable to the average user.
The complexity of Fintech business logic and operations cannot but tend to make Fintech GUIs overloaded with information and hard to use. Frequently, the need to make a Fintech GUI more user-friendly and personalized results in a redesign, for example, the way it’s happened with Google Wallet. It is important to understand that not paying enough attention to, and not investing enough in the UI/UX of your Fintech app is likely to immensely raise the entry threshold for your new users. This can critically impact your app’s popularity and audience.
The UI/UX design and development of a Fintech application must be preceded by a thorough research of your user audience. To make Fintech functionality easier-to-use, one should try to organize lengthy and complex workflows into more gradual ones by breaking them into a sufficient number of logical units or steps.
It is imperative that the amount of industry jargon in the UI inscriptions be kept to the minimum. Of the industry jargon that simply has to be used – and in Fintech it is unavoidable – one should use the more common synonyms and abbreviations. To help the user, one can implement a brief built-in glossary that must be easily accessible to the user on the same screen throughout the application.
As figures carry a lot of weight in Fintech, the numeric fields of your UI must allow the user to enter fractional digits. This must be allowed for from the start lest you have to redesign the GUI later: in some types of Fintech solutions, this may be important enough to put off most of your users when implemented the wrong way.
Technical Debt
Poor code quality, deadline-driven stilted solutions, the wrong choice of technologies, and other technical issues result in a sizable amount of the so-called technical debt that starts affecting the performance, availability, and evolvability of a software solution.
In other words, past mistakes, unprofessionalism, forced solutions, and negligence begin to create current and future costs, performance issues, and time losses. It also becomes difficult to perform bug-fixing and expand the software by adding new features.
In Fintech, examples of technical debt are galore. For example, technical debt in the form of legacy systems’ outdated functionality creates mission-critical problems by getting in the way of banking institutions that want to introduce mobile banking, benefit from AI/ML, or make their different departments seamlessly interact with one another.
To cope with technical debt, one can use several approaches and techniques:
- Performing Code Refactoring – Software engineers review legacy code and try to improve its quality. You can apply this technique in relation to legacy code that is in poor quality and in need of improvement.
- Performing a Code Review – Several engineers, who are not involved in developing this part of the system functionality, check the different parts of the code by reading it.
One can use this technique both during the development and when it is complete. - Performing a Code Audit – One invites the members of another team, or hires an external party to check the quality of the code.
- Using good coding practices – One obligates the software engineers on the development team to follow a set of development practices that ensure a good quality of the code.
- Outsourcing non-core tasks – One outsources the development and development-related tasks in which the project team doesn’t specialize to a party that is conversant with these tasks.
- Including software architects and DevOps engineers in the development process early enough – One includes software architects and DevOps engineers prior to, or at the very start of the development effort to prevent any makeshift solutions that result in technical debt.
- Keeping a roster of all technical debt – One keeps a roster of all the instances of the technical debt the project team has had to create during the development process.
Using these techniques can help both mitigate the impact of the current technical debt and prevent the bulk of any future technical debt arising.
Data Management
Finance is all about data. Financial services firms and banking institutions deal with colossal amounts of data that is changing dynamically all the time.
The need to manage this blue ocean of ever changing data is further exacerbated by several more high-scale data-related challenges. One of such challenges is adhering to stringent external regulatory compliance in an evolving compliance landscape. Two more significant data management challenges are ensuring data security and ensuring the integrity of data that needs to be retrieved from different sources.
To aggravate, many banking institutions also have to deal with data that is distributed across several legacy data silos.
Fortunately, there are several techniques that can help one mitigate or solve these data management challenges. They include:
- Implementing data governance policies and data quality monitoring standards.
- Designing the software architecture of your application with the ETL (Extract, Transform, Load) process in mind. Taking this process into account this early in the development lifecycle will help correctly store, retrieve, convert, and visualize data.
- Developing a single data silo that will allow managing all your data centrally and promote data integrity.
- Using advanced data integration,analytics and visualization tools to enable better executive decision-making.
Testing and Quality Assurance
Financial services is an industry where software quality is of utmost importance. The cost of what would otherwise be considered as a minor bug can skyrocket here.
For example, imagine a calculation capability that incorrectly calculates the fractional part of amounts for a very large number of customers, or a risk assessment capability that doesn’t take into account one of the more important risk assessment criteria.
Even more damaging and costly can be various security breaches – take the example of the Equifax security breach that took place in 2017. The breach compromised the personal data of 147.9 million American citizens, 15.2 million British citizens, and 19000 Canadian ones, resulting in a $ 575 million dollar settlement.
It is also essential to ensure some more mundane things, like the app’s correct functioning in relation to the more complex use cases and its compatibility with different devices and browsers.
To ensure better software quality in Fintech applications, one should:
- Use as much automated testing as possible. This will allow covering one’s Fintech app with tests a lot more thoroughly.
- Use a sufficient amount of acceptance testing, especially for the more complicated use cases and user workflows.
It is also advisable to use a great deal of penetration testing with a view to discovering and eliminating any possible security vulnerabilities.
Project Management
In most instances, Fintech app development is a complex and often complicated process. Achieving good project outcomes here hinges not only on the ability to deliver some complex functionality, but also on the ability to deal with several industry-specific Project Management challenges.
In particular, red tape frequently hampers banks’ management, interdepartmental, and external interactions. Also, exchanging information in the process of Fintech app development becomes difficult due to the high and stringent security requirements.
These and other PM-related challenges can significantly affect a Fintech app development project. To better deal with them, one should pay more attention to Stakeholder Management. One must determine the kinds of information each of the project stakeholders needs, the required degree of detail and form of this information for each project stakeholder, and the time intervals at which this information is to be provided to them.
To expedite the information exchange and remove some of the related hindrances, one can use an external data encryption provider, a reliable B2B multi-tenant legal solution, or a technology like Blockchain.
Using Agile methodologies and regular status meetings can help with meeting those challenges that are related to Fintech software development and delivery per se.
Conclusion
Developing a software solution for virtually any of the Fintech business niches bears additional attention to detail and requires a significant amount of industry-specific expertise and experience.
Being aware of the challenges your development team is likely to come across in developing your Fintech application can help you as a client organize the interactions with it a lot more optimally. It can help you proactively explore the various implementation options and knowledgeably control the implementation of your project.
If you would like to know more about some aspect of the Fintech app development process, you are welcome to get in touch with us – we have years of experience in developing complex Fintech apps for an array of Fintech business niches.
Just contact us and we will shortly reply.
Ready to speed up your Software Development?
Explore the solutions we offer to see how we can assist you!
Schedule a Call