One of the most important shifts of the past few years in finance and banking has been the move from primarily branch-based banks to mobile-first banks. While these innovative products simplify the end-user experience, they also raise more security concerns, since digital channels widen the attack surface. These apps handle sensitive user data, such as private financial or personal information, which means that preventing any type of breach is of utmost importance.
The level of security of a finance app is judged primarily on how well digital transactions and personal data are protected online. Even the smallest security concern can make users lose confidence in the app and immediately switch to another provider, often leaving negative reviews in the app stores along the way and damaging the company's reputation. It is no surprise that finance is one of the most regulated industries in the world: finance apps are required to meet the strictest security requirements and offer the latest functionality at the same time.
Regulatory concerns in the finance and banking industry
Not only do finance app companies have to comply with traditional finance regulations, but they are also subject to international and local privacy laws. One example is the EU’s General Data Protection Regulation (GDPR), which came into effect in May 2018 and required companies with ties to the European market to update their data and privacy policies. This affects the finance and banking industry in a number of ways, especially when it comes to obtaining consent before processing users' personal data, clients' right to request that their data be erased, and additional penalties both for data breaches and for failing to comply with such regulations.
Another recent example of changing regulations affecting the finance and banking industry in Europe is the Strong Customer Authentication (SCA) requirement, implemented in September 2019. Under this regulation, a secure finance app must require at least two independent authentication elements from its users. These can be a knowledge element, something only the user knows, like a password; a possession element, something only the user possesses, like their smartphone; or an inherence element, something the user is, like their fingerprint. The elements must be independent so that compromising one does not compromise the others.
Meanwhile, in the United States, the number of potentially applicable regulations makes this an even more complex issue. Here, finance app companies might be subject to a plethora of federal or state licensing or registration requirements and thereby may have to adhere to laws and regulations at both levels, depending on their activity. Providing fintech services in the United States often requires licensing and registration with multiple state regulators. These might include consumer lending, money transmission, and virtual currency licenses.
These examples show the additional challenges finance app companies are facing throughout the already challenging mobile development process. Things can be further complicated when developers have to build an app for a global audience with different requirements per country or region. Such companies often have codebases running in multiple different countries — having to manage this complexity while following a variety of regulations can even cause delays in important product releases.
Growing customer expectations require a new approach
Continuously improving features, maintaining app quality, and responding to constantly changing requirements can be a daily challenge for product managers and developers. To tackle these issues, it’s necessary to implement a set of security processes from as early as the planning phase all the way to release; in other words, to create a DevSecOps environment. This can be facilitated by integrating regular information security checks and core security tasks into the software development lifecycle, removing the bottlenecks that previously existed between developers, the security team, and the rest of the organization. This approach also helps mitigate risks and allows all contributors to take more ownership and avoid security-related failures.
Ideally, a DevSecOps environment also gives teams full control over their stacks and access management and lets them monitor any and all access, within and outside their environment, at all times. Another step forward is shifting the responsibility for security maintenance from the team to a secure and scalable cloud-based CI/CD platform. Early automation helps developers focus on what matters most: optimizing their product and developing new features without having to worry about security-related maintenance tasks. It also leaves more time for the parts of the process that are essential for safeguarding quality, such as checking code dependencies, threat modeling, and detecting flaws before a release.
Building the future’s successful apps in this rapidly changing and heavily regulated space will require adopting an agile, technology-forward mindset and organizational change at the same pace. In this industry, it’s especially important to make not only DevOps but also DevSecOps integral parts of the software development lifecycle. Only this way can vulnerabilities be minimized across all applications and the different parts of the organization. Fintech, finance, and banking apps can only remain competitive if they have solid structural support that enables them to securely connect to — and protect — their users.
If you — or anyone in your team — would like to have a conversation about how Bitrise can help you build apps safely, feel free to request a call by filling out the form on our website.
This article was originally published on DevOps.com.
If you'd like to learn more about building better mobile apps in the heavily regulated finance and banking space, download our latest report, Mobile product success in finance and banking, 2022 or sign up for our upcoming webinar How to win in mobile finance: A panel discussion.