Building a Secure FinTech MVP

Mobile penetration changed the way we do things and build new products, and finance management is not an exception. In Europe alone, fintech app usage is up 72% since the beginning of the pandemic in 2020. Neobanks like Monzo and Revolut are quickly expanding their user base, Coinbase becomes a public company, Robinhood opens the doors for retail investors and Lemonade is knocking at the door of insurance. Furthermore, the Global Fintech Market is projected to grow by a CAGR of 23.58% by 2025. 

Being such a promising and still undisrupted industry, FinTech attracts hundreds of entrepreneurs who rush to deliver an MVP to the market to see if “they catch”. To get to the pace, companies on this stage often cut all sorts of corners including security and compliance concerns. Once the product is released, the company starts getting even more pressure from user requests and feedback. No one asks to improve the back office by implementing an extra layer of security. The teams are facing product roadmap dilemmas, on one side there are clients and on the other one there are security features that will take months to build and none of the clients will ever notice this enhancement. This way, security and compliance concerns remain either underestimated or ignored. 

The study by ImmuniWeb reveals that, despite being well-funded, 98% of the world’s top 100 fintech startups are vulnerable to web and mobile application attacks. 100% of them have security, privacy, and compliance issues relating to applications and application programming interfaces (APIs). All of the fintech mobile apps tested in the research contained at least one security vulnerability of medium risk, while 97% have at least two medium or high-risk vulnerabilities.

There is a playbook for app security I’ve prepared based on my experience working with startups in this space. It is critical for early-stage products to find a balance between making secure solutions and improving other areas such as app features, UX, offerings, etc. Furthermore, it is important to find the right time for implementing more advanced security policies such as the CSF NIST framework. When starting a new product, teams should build system architecture and operations in such a way that it scales as the product grows. Things worth paying more attention to from Day 1:

• Strong Customer Authentication

• Role-Based Access Control

• Audit Trail

• Maker-Checker Operations

• Data Encryption

This is of course not a complete list but something we always build before going into production with MVPs. Each company should apply its strategy keeping in mind that security builds trust, and trust is the only thing that matters in financial services, even nowadays.