Introduction
The development of a secure FinTech application is a complex, time-consuming, and most importantly, expensive process. If you don’t have an experienced team with an awareness of the FinTech security requirements, this process is almost impossible.
Understandably, modern FinTech applications deal with lots of personal and business data every day. That’s why such solutions require the security of the highest level, starting from the idea stage, and to be present throughout the entire lifecycle of the application.
What to take into consideration while developing a FinTech application
Secure infrastructure
During the FinTech application development process, it’s very important to use a reliable and secure IT infrastructure to exclude endangering your user’s sensitive data and gain the reputation of a robust developer. If your app has to use a public cloud, think of choosing a trusted cloud service provider that meets the latest cloud computing security standards.
There are a lot of such standards, but it’s very important to mention the following:
- ISO-27001 / ISO-27002
Applications with sensitive information are highly recommended to follow these standards. ISO-27001 contains the Information Security Management System (ISMS) specification. ISO-27002 describes the controls that can be implemented in accordance with the ISO-27001 standard. Compliance with the ISO-27001 standard shows your customers that your organization is serious about information security and implements the best practices for protecting information. - ISO-27017
This is an extension to ISO-27001 that includes clauses related to information security in the context of the cloud. Compliance with ISO-27017 should be considered alongside ISO-27001. - ISO-27018
This standard refers to the protection of personally identifiable information (PII) in public clouds acting as PII handlers. This standard specifically targets public cloud providers such as AWS or Azure.
The AWS Enterprise Cloud has everything to counter massive DDOS attacks. It will also provide fast recovery in case of disruption.
For financial institutions that build their fintech apps based on cloud infrastructure, it is highly important to ensure that the cloud service providers adhere to the same standards that they use internally.
Cybersecurity requirements for FinTech applications can be different depending on the company’s location:
- For the European Union – GDPR, PSD2, eIDAS
- For the United Kingdom – GPG13, FCA
- For Japan – APPI
- For South Korea – PIPA
- Worldwide – PCI DSS, ISO/IEC 27000
Application logic security
Building secure application logic means the integration of security at every stage of the application’s performance. Every aspect of your future application needs to be protected from potential threats.
Consider the following security actions:
- Requiring users to set complex passwords;
- Complicated authentication, e.g., two-factor;
- Keeping a datalog of all the user’s actions, their geolocation, IP addresses, and device info;
- Keeping user’s information encrypted to avoid attackers getting personal data as it is;
- Monitoring of transactions and blocking the suspicious ones;
- Doing regular backups;
- Practising security rehearsals.
Secure code
FinTech application code should be easily portable between devices and include algorithms to easily detect any problems in the case of a breach or an attack. At the very least, the process of updating the code has to be simple.
The best practices for writing secure application code include input reviewing and the validation of any data that is sent to external networks. Access should be granted only to the basic functions of the application, rules have to be defined clearly, and all the necessary steps have to be taken to ensure the protection of sensitive data. And don’t forget about SQL injection protection – your FinTech app can still be hacked that way.
Web-server security
Since the webserver is the most common target for external attacks, it is now common practice to secure the data with an HTTPS SSL certificate. Most popular browsers will warn users when a website has no such certificate, so you obviously cannot skip this step and remain a worthy source.
Another common practice is using a VPN. It complicates the setup stage, but this step is worth your efforts because the access will only be given to the hardware with a valid public key.
API security
Most users run FinTech applications on mobile devices, and such applications use application programming interfaces (APIs) to interact with their backend. That’s why APIs are also regular targets of attacks, and you have to keep them secure to build a truly secure FinTech application.
Identification, authentication, authorization
The identification, authentication and authorization system should serve as a reliable barrier against any invasion or suspicious activity. Your authentication methods should not be limited to passwords. Combine them with SMS verification or one of the latest methods such as a thumbnail or retinal scan.
During authorization, the application identifies the user as a person who is either allowed or not allowed to perform certain tasks. Ideally, user rights should be limited to a certain set of actions and commands.
There is a number of different authentication technologies, including:
- One-time password system
The app automatically generates an additional password with a limited expiration date every time the user wants to log in to an account or complete a transaction. - Mandatory password change
FinTech organizations can significantly reduce security risks by forcing customers and employees to change passwords on a regular basis. Many online banking applications require you to reset user account passwords every three or six months. - Monitoring
With the help of a tracking system, you can analyze suspicious activity (for example, failed logins) to identify cases of unauthorized access. In addition, this solution can prevent data leakage by locking the account after several suspicious transactions. - Short log-in sessions
The shortened session time is useful for protecting financial data. The reason is that even if a hacker gains access to the account, he will have limited time to collect the important data. - Adaptive authentication
Multi-factor authentication is not a panacea. In fact, it can even increase the risks of data leakage (for example, if a hacker manages to clone your smartphone). But with adaptive authentication, your system will analyze user behaviour to detect suspicious activity. As a result, your platform will receive additional protection for financial data and personal information.
Data encryption techniques
You have to encrypt your user’s personal information (name, address, social security number) and their financial data such as credit card numbers and payment history, as well as any other information that may be obtained upon receipt of a particular financial service.
Encryption is essential to protect data during transmission when it is highly vulnerable and can be easily snapped up. Secure data transmission involves the use of various encryption algorithms; for example, the US federal government uses AES, which is currently considered the most secure.
You can protect critical data with complex encryption algorithms, such as:
- RSA
A highly secure asymmetric algorithm with a private encryption key and a public encryption key. - Twofish
A freeware algorithm that encrypts data into 128-bit blocks. - 3DES
The preferred encryption method to secure credit card PINs. Triple DES divides data into 64-bit blocks and cyphers each one three times.
Payment blocking feature
One way to prevent fraud is to point out suspicious activity. Use something that will be significantly different from the usual user activity, for example, unusually large amounts of money transferred from unusual locations.
To protect the user from possible fraud, implement a payment blocking function in your application. This feature will provide immediate blocking of payments after something unlike the user’s normal activity is detected.
Security testing
Needless to say, creating secure FinTech solutions requires meticulous testing at each of the development stages (see the picture below).
It is common practice to conduct “penetration testing” – launching your own simulated attacks to discover vulnerabilities in your application. There’s always an available option to hire QA Engineers for security testing in order to create high-quality, attack-resistant code.
Also, one of the best practices is to simulate potential emergencies and create ways of handling them for the personnel. Establish clear and consistent access rights to prevent data leakage at every stage of the development process, ask your employees to sign an NDA and use corporate equipment in your premises.
Today, many financial companies are ISO-27001-certified to meet the high-security standards. The certification and confirmation process is complex, but having that certificate will mean that your company is using truly top-notch security practices.
What to expect in the future?
Regulatory sandboxes
Many countries have created regulatory sandboxes – test environments where FinTech companies can conduct experiments under regulatory supervision. Some countries’ regulators (particularly the FCA in the UK) allow FinTech companies to conduct these experiments with real customers.
Currently, there is no such structure at the federal level in the United States, but attempts have been made to create one. Particularly, in 2018, some companies made sandbox proposals. These tools do exist in some states, such as Arizona and Wyoming. Meanwhile, Washington is actively considering a law like that.
In 2019, four US regulators joined the Global Financial Innovation Network (GFIN), an international alliance of government regulators led by the UK Financial Conduct Authority that aims to strengthen the future of FinTech. Their participation in the network enables federal regulators to fulfil GFIN’s mission to develop a global sandbox for financial innovation.
Finance-as-a-service regulations
The catalogue of APIs is growing and new regulations are emerging with every advancement in FinTech. Therefore, the Finance-as-a-Service movement will grow significantly in 2021. Like other X-aaS products, Finance-as-a-Service is provided by unregulated organizations that offer regulated financial products.
There are three main verticals of finance-as-a-service that are expected to grow in 2021:
- Banking-as-a-Service (BaaS)
BaaS allows such industries as eCommerce, travel, and the gig economy to offer financial services (loans and e-wallets, for example). - Regulation-as-a-Service (RaaS)
Like BaaS, RaaS lets non-financial companies access certain regulated financial products with the help of a third-party’s banking license. RaaS helps companies build new fintech products without quick regulatory authorization. - Brokerage-as-a-Service (BraaS)
Traditional banking involves wealth management. BraaS enables innovators to build products for investment management on top of a licensed brokerage’s APIs.
Regulations of open banking
Open banking will be a top priority for 2021, and industry leaders note that the data-sharing framework will become integral to the countries that are introducing it. Open banking has already established itself in Europe and is making significant headway in countries such as Australia and Canada. However, the United States is in no hurry to enact such regulations.
The Consumer Financial Protection Bureau (CFPB) has issued an Advance Notice of Proposed Rulemaking (ANPR) that solicits information from the public on how consumers’ access to their financial records should be regulated. ANPR is considered to be the first step towards establishing the formal regulation of open banking in the United States.
Looking at this progress, governments and regulators will continue to enact laws and frameworks for open banking. In turn, banking data will continue to fall into the hands of financial innovators worldwide.
Regulations of Online Payments and SCA
Online payments will undoubtedly become the largest financial technology to focus on in 2021. Since January 1, 2021, online card payments in the EU must go through the Secure Customer Authentication (SCA) protocol of the second Payment Services Directive (PSD2). While this security feature is good news for consumers, merchants may have to struggle, as the SCA could increase their shopping cart bounce rate. As a result, merchants and other online retailers will seek alternative payment methods to process transactions securely without compromising the user experience.
Conclusion
As you can see, ensuring FinTech app security is a complex process requiring very specific knowledge and skills to deal with highly sensitive data. And it is highly important to have the help of qualified and experienced professionals when developing such a solution. When looking for a partner like that, consider Bamboo Agile. The development team has great experience in developing secure FinTech applications and knows how to meet all the requirements firsthand.
