In the UK, FinTech apps should be handled in a way similar to banking institutions, both from the legal and the technological point of view. That imposes a lot of responsibility and work to make the system as secure as practicable, so that users can trust it with their money. But what does it mean in practice? Let’s take a deeper look at the FinTech security standards you’ll need to deal with in order to abide by the rules, while still being able to offer the most to your customers.
FinTech security requirements: legal perspective
No matter whether there’s more fin or more tech in a FinTech app, there is no way to escape regulation. Since there are no special laws for this type of product, FinTech apps fall within the existing UK financial regulatory perimeter. This places FinTechs alongside institutions providing consumer credit, insurance, crowdfunding and banking, and, as a result, means the end customer can actually feel safe.
Moreover, there is a plethora of cyber security rules, which in the UK are mostly compatible with their EU counterparts. The three most important are:
- personal data protection (including breach notification)
- mandatory security measures (their absence can cause the FCA to take action)
- the Computer Misuse Act 1990 (amended in 2015 by the Serious Crime Act, which implemented the EU Directive on attacks against information systems)
The major difference between the UK and the EU in terms of FinTech regulation is that the UK’s Network and Information Systems Regulations 2018 don’t apply to banks and financial market infrastructures, even though the Network and Information Systems Directive, (EU) 2016/1148, lists banking among the sectors it covers. The finance sector was excluded from the Regulations because it was considered sufficiently regulated already by its existing sectoral regulators.
FinTech security standards: technology perspective
Besides the binding law, cyber security is the number one priority for every business in the financial sector, for a number of reasons. While minimizing the risk of losing funds to attackers is a must, maintaining a good reputation is almost as important. In fact, news of a security breach going public often ends up as a stock market disaster. Probably the best-known example is Yahoo, whose breach disclosures in 2016 cut the price of its sale to Verizon, in what the media called “the saddest $5 billion deal in tech history.”
Basic FinTech security solutions
In order to make sure your business is as safe and responsible as possible, you should start with five essentials:
1. Dedicated cyber security team
Whether internal or obtained via team augmentation, cyber security experts are necessary at every step of the Software Development Life Cycle (SDLC), so that vulnerabilities are designed and tested out of the app from the very beginning rather than patched in later. Once the product is on the market, the security team is still vital: it works on updates and monitors the threat landscape for new attack techniques and for vulnerabilities in the components you depend on.
Pro tip: a lot of the monitoring work can be automated with a security information and event management system (SIEM), which collects logs from your applications and infrastructure and correlates them in near real time to detect suspicious activity. Bear in mind that a SIEM detects and alerts; blocking still needs a response process or a separate control behind it.
2. ISO 27001
In order to be regarded as a trustworthy partner, you need to be able to show that your product meets FinTech data security standards. The best way to do it is to get ISO 27001 certification, which covers your information security management system (ISMS). There are quite a few steps to meet this standard, but they all boil down to conducting proper risk assessment, identifying and fixing flaws, implementing security controls and reviewing them regularly.
3. Penetration testing
Penetration testing is basically a simulation of an attacker’s intrusion performed by a skilled specialist (an ethical hacker, also called a white hat). What’s important is that such experts use the same techniques and tooling real criminals use to breach security, so they can identify flaws in the system before the actual villains use them to harm your business and your customers. However, pentesters (short for penetration testers) are usually external experts hired for one engagement, working within a fixed scope and time box and with limited insight into the systems they test. They cannot replace an internal cyber security team.
Thanks to regular reports from ethical hackers, you can keep your FinTech data security first-class at all times, maintain your ISO 27001 certification and boost your brand’s credibility.
4. Cautious employees
It may seem odd, but many attacks succeed without breaching any technological barrier. Remember how celebrities promised free Bitcoin on Twitter in July 2020? Twitter’s security wasn’t breached through an infrastructure vulnerability. On the contrary, the attack was possible because some employees hadn’t followed procedures carefully enough, or perhaps because the procedures themselves were inadequate. However we describe it, the attackers gained access to the firm’s internal systems and tools by manipulating staff who had high-level access to them.
The company called the incident a “coordinated social engineering attack”. Most probably it could have been avoided if the organization had hired an ethical hacker to test its internal procedures with a social engineering assessment and had raised staff awareness on a regular basis.
5. Swift reaction
When the worst comes and your company falls victim to an attack, you’ll need to keep a stiff upper lip. There are three basic rules every organization needs to follow in order to react properly after discovering a security breach:
- Inform your customers and business partners about the situation. Spare no details and state exactly what data was compromised. Also, advise your users to change their passwords as soon as possible and, where card data was involved, to contact their card issuer.
- Always cooperate closely with the data protection authority. In the UK it’s the Information Commissioner’s Office (ICO), which under the GDPR must be notified within 72 hours of your becoming aware of a personal data breach that is likely to put people at risk; each EU country has its own equivalent body (they’re all listed by the European Data Protection Board).
- Conduct a security audit of the incident to understand how the attackers got in, then implement better security measures so that the same route cannot be used again.
What happens if FinTech security is breached? Finastra attack case study
In FinTech app development, security and regulatory compliance are essential and any mistake can lead to a disaster. Even the largest financial services providers can be penalized by the FCA or fall prey to attackers, as Finastra did in March 2020. What is most unsettling in this case is that Finastra works with dozens of leading banks, so the company’s problems can affect millions of customers.
One update too late
Seemingly minor human errors are among the most common causes of successful attacks. In the case of Finastra, nobody had made sure that its Pulse Secure VPN gateways were patched to the latest version. Attackers were able to use a vulnerability disclosed back in 2019 (CVE-2019-11510, an unauthenticated arbitrary file read in Pulse Connect Secure that exposes files on the appliance, including its stored session and credential data) to trigger a further chain of events and, eventually, breach the company’s systems.
As a result, the FinTech giant, which employs over 10,000 people and reported $2 billion in revenue for 2019, had to disconnect its systems from the Internet to perform a thorough investigation. Moreover, sensitive data about top banks from over 40 countries might have been stolen. And all Finastra had to do was stick to the basic FinTech security solutions above: an inventory of its internet-facing appliances, a patching routine checked against vendor advisories, and monitoring that would have flagged the exploit traffic…
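To make the “monitor in near real time” advice from the SIEM pro tip concrete, and to show what the Finastra-style exploit traffic looks like in a log, here is an added example that is not part of the original article: two SIEM-style detection rules run over a VPN gateway’s web access log. The first flags path-traversal requests (`..` segments after URL-decoding, twice, to catch double encoding), which is the shape of request used against unpatched Pulse Secure gateways; the second flags a burst of failed logins from one source IP. The log lines are constructed for the example (the traversal line mirrors the publicly documented CVE-2019-11510 request shape); the login path `/dana-na/auth/login.cgi`, the use of HTTP 401/403 for failed logins, and the threshold of five failures in sixty seconds are assumptions, not Pulse Secure facts.

```python
"""SIEM-style detection over web-server access logs (added example).

Rules:
  1. path traversal: any '..' segment after double URL-decoding; severity
     'high' when the path climbs above the web root;
  2. failed-login bursts: >= THRESHOLD failed logins from one IP in WINDOW.
The sample log is constructed; the login path and status codes are assumed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import unquote

# Apache/nginx "combined" format; only the fields the rules need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

LOGIN_PATH = "/dana-na/auth/login.cgi"   # assumed login endpoint
THRESHOLD = 5                             # assumed failure threshold
WINDOW = timedelta(seconds=60)            # assumed correlation window


@dataclass
class Event:
    ip: str
    ts: datetime
    method: str
    uri: str
    status: int


def parse_line(line):
    """Parse one access-log line into an Event, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Event(ip=m["ip"], ts=datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                 method=m["method"], uri=m["uri"], status=int(m["status"]))


def traversal_depth(uri):
    """Lowest directory depth reached while walking the decoded path, or None
    when the path has no '..' segment at all. Negative = climbed above root."""
    path = unquote(unquote(uri.split("?", 1)[0]))   # decode twice: %252e%252e
    if ".." not in path:
        return None
    depth, lowest = 0, 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            lowest = min(lowest, depth)
        elif seg and seg != ".":
            depth += 1
    return lowest


def detect_traversal(events):
    """Return (ip, severity, uri) for every request containing a '..' segment."""
    alerts = []
    for e in events:
        lowest = traversal_depth(e.uri)
        if lowest is not None:
            alerts.append((e.ip, "high" if lowest < 0 else "medium", e.uri))
    return alerts


def detect_login_bursts(events, login_path=LOGIN_PATH, threshold=THRESHOLD, window=WINDOW):
    """Return source IPs with >= threshold failed logins inside any sliding window."""
    failures = defaultdict(list)
    for e in events:
        if e.uri.split("?", 1)[0] == login_path and e.status in (401, 403):
            failures[e.ip].append(e.ts)
    flagged = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop failures older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return flagged


# Constructed sample log: one normal client, one scanner, one password sprayer.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Mar/2020:10:11:58 +0000] "GET /dana-na/auth/login.cgi HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Mar/2020:10:12:01 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1432 "-" "curl/7.64.1"
203.0.113.7 - - [20/Mar/2020:10:12:05 +0000] "POST /dana-na/auth/login.cgi HTTP/1.1" 401 512 "-" "python-requests/2.23"
203.0.113.7 - - [20/Mar/2020:10:12:09 +0000] "POST /dana-na/auth/login.cgi HTTP/1.1" 401 512 "-" "python-requests/2.23"
192.0.2.10 - - [20/Mar/2020:10:12:12 +0000] "GET /static/../static/app.js HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Mar/2020:10:12:14 +0000] "POST /dana-na/auth/login.cgi HTTP/1.1" 401 512 "-" "python-requests/2.23"
203.0.113.7 - - [20/Mar/2020:10:12:20 +0000] "POST /dana-na/auth/login.cgi HTTP/1.1" 401 512 "-" "python-requests/2.23"
203.0.113.7 - - [20/Mar/2020:10:12:27 +0000] "POST /dana-na/auth/login.cgi HTTP/1.1" 403 512 "-" "python-requests/2.23"
203.0.113.7 - - [20/Mar/2020:10:12:33 +0000] "POST /dana-na/auth/login.cgi HTTP/1.1" 401 512 "-" "python-requests/2.23"
192.0.2.10 - - [20/Mar/2020:10:13:00 +0000] "POST /dana-na/auth/login.cgi HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.0.2.10 - - [20/Mar/2020:10:13:10 +0000] "POST /dana-na/auth/login.cgi HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Mar/2020:10:13:40 +0000] "GET /images/%252e%252e/%252e%252e/config HTTP/1.1" 404 198 "-" "curl/7.64.1"
"""


def run(log_text=SAMPLE_LOG):
    """Parse the log and run both rules; returns the alerts keyed by rule name."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {"traversal": detect_traversal(events), "login_bursts": detect_login_bursts(events)}


if __name__ == "__main__":
    for rule, alerts in run().items():
        print(rule, alerts)
```

The double decode matters: a single `unquote` turns `%252e%252e` into `%2e%2e`, which a naive rule would pass as a normal path, while the server behind it may decode again. In a real SIEM the same two rules would be expressed in its query language and fed by the gateway's syslog output; the logic, not the language, is the point.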
Is creating a FinTech app that can operate in a legal and secure way – while still being user-friendly – a challenge? Sure it is, but there’s no need to feel overwhelmed. Success might be a matter of choosing the right technology partner, who will make sure your app meets the key FinTech security standards and works like a charm at all times.