Besides actually solving problems for customers and thus maintaining relevance, security is undoubtedly the most important factor for any bank considering the launch of a new direction, solution, product or system.
The below five points are intended to help banks make the right choices when partnering with a fintech. For the examples provided, we look at launching a new mobile payments solution.
Choose your partner wisely
If you decide to partner with a consultant or financial technology company, check whether they tick the following boxes:
Are they FSA/FCA regulated?
Most software providers to banks aren’t FSA/FCA regulated and that’s not necessarily a bad thing on its own. If they are, it probably means that they have gone direct to consumers with their offering in the past (or currently still do). If they are regulated themselves then of course the bank has the assurance that the products comply with the FCA’s code of conduct. This reduces the strain on internal compliance and vendor assessment, as your partner already has to adhere to the same strict rules as you.
However, if they aren’t regulated, it’s important to check whether the company has worked with other FSA/FCA regulated companies before, or whether they are currently providing software to such companies.
Partnering with a fintech that doesn’t have this experience could come with a cost. The risk for the bank is that the fintech’s operational methods fall short of regulatory expectations, and, as a bank, you’ll have to spend a lot more time ensuring your new product is compliant prior to launch.
Are they PCI compliant?
PCI stands for Payment Card Industry. PCI compliance means that an entity has been assessed by a QSA (Qualified Security Assessor) and found to meet specific information security education requirements as well as stringent data security requirements.
If your proposed fintech is going to be touching card data in any way, this is an important check. If not, it’s still a definite nice-to-have.
Are they ready for GDPR?
In early 2016, the EU Parliament approved the new General Data Protection Regulation and agreed it would replace the existing Data Protection Directive 95/46/EC. It comes into effect and will be enforced from 25 May 2018.
Organisations that do not comply have been warned they’ll face heavy fines.
The regulation has been created in response to the phenomenal amounts of data that have been created and are stored – about everything but specifically about individuals – since the original directive governing personal data in the EU was adopted way back in 1995. This original directive was designed to “regulate the processing of personal data, regardless of whether such processing is automated or not”.
Read more about the effect of GDPR on European banks here.
Thinking five, ten, 20 years down the track about what may have changed will help guide the direction of what platform, for example, you decide to run your new solutions on. We firmly believe that in order to quickly scale, remain secure and be the first to learn about innovations which can help make a product better, banks must invest in solutions which are hosted in the cloud.
Click here to listen to Auka CEO Daniel Döderlein talking about the future of finance and the cloud.
Click here to read about the top five reasons we run Auka in Google cloud.
The pressure test
It’s not enough to merely claim best in show when it comes to security – how does your intended partner’s solution fare under pressure? Auka is regularly subjected to audits and penetration tests, and we consider these valuable activities as a means to improve platform security further.
Auka platform customers are free to do their own audit and technical due diligence, which often includes penetration tests. As part of PCI compliance, card handling infrastructure is subject to a penetration test at least once a year.
We currently collaborate with security researchers at the University of Bergen on analysis of the security of the Auka platform. This has resulted in several security reports and improvements both in code and internal best practices and guidelines for secure system development.
The security room
Think of the four core pillars – server-side application security, client-side application security, communication security and operational security – as the four walls of a room.
Does your chosen fintech partner have the doors and windows to all four walls covered?
Two of the key questions to ask and then stress-test include:
- Do they have operational routines in place to handle a critical situation?
- Will they be able to respond to you and your customers’ need for information when things go sideways?
When your chosen partner has satisfactorily checked off the boxes above, it’s likely they’ll have the appropriate legal frameworks in place. But to be certain, you should always conduct lightweight legal due diligence when you are partnering with a fintech.
Check at least the following:
- Who is running the company (board of directors and management)?
- Do they have licences (check them)?
- Who owns the company?
Auka was the first mobile payments technology company in the Nordics. We were also the first fintech to obtain a license under PSD1, the first to launch mobile payments in Norway and the first fully licensed financial services company to run entirely in the cloud.
Being first is fun but it’s also challenging, as you need to set the precedent – especially on security.
Auka is fully licensed and regulated. We are PCI compliant (we are one of the few non-card-based fintechs to have achieved this), FCA regulated and PSD2- and GDPR-ready.