The UK is a very demanding market for everybody. Including FinTech, which must operate similarly to regular banking institutions. Both legal and technological requirements are there to protect customers’ money. Applied FinTech security standards benefit
customers and FinTech organizations and please regulators. What regulations should you take care of while entering this market and what do they mean for your business?
Security requirements from a legal perspective
It can be surprising at a first glance but the United Kingdom, the FinTech hub of Europe and the world for that matter, doesn’t have special laws for the sector. FinTech products are all subject to the existing body of the UK financial regulatory perimeter.
This single fact places apps alongside institutions providing consumer credits, insurance services, crowdfunding, and high-street, traditional banking.
There are also many cyber security laws that for the most part are
compatible with the law made in European Union.
The most important ones are:
- personal data protection (including breach notification)
- mandatory security measures (their absence can cause the FCA to take action)
- the Computer Misuse Act 1990 (amended in 2015, as a part of the EU Cybercrime Directive)
The important difference between the UK and EU when it comes to regulating the FinTech sector is that the UK’s Network and Information Systems Regulations of 2018 don’t apply to banks and financial institutions. According to the
Network and Information Systems Directive, (EU) 2016/1148 they should but that’s another issue. The reason for excluding the finance sector from this law is that it was considered sufficiently
regulated in the first place.
Security standards from a technology point of view
Many startupers and managers would say that obeying the law is the most important factor for any FinTech company out there. True but there are other important factors. Such as security and reputation in a market which is paramount for the clients. It’s important
for public and private companies alike. No matter if your company offers stock or you own it in 100%. There’s always a matter of public perception, which can derail even the best business and marketing plans.
The memorable market disaster happened in 2016 and is known as “the saddest $5 billion deal in tech history”.
Basic security solutions for FinTech
If you want your business to be safe and resistant to potential disaster, think about and implement these five steps:
A dedicated cyber security team
To spot vulnerabilities and make the app resistant to potential attacks and other types of threats, you need cyber security experts. And not for a single occurrence but available on demands. They worked on every step of the System/Software Development Life
Cycle (SDLC). They are not cheap, so you can think about team augmentation for filling the blanks. Their role doesn’t end when the product is done. They will support the app with updates and monitor the market for potential threats.
This doesn’t mean specialists will sleep in your office. A lot of their work can be automated with a security information and event management system (SIEM). It monitors data in real-time and can prevent any suspicious activity.
1. ISO 27001
The ISO 27001 certification is a great way to make sure that your product meets all FinTech data security standards. It focuses on an information security management system or ISMS. There are multiple steps to acquire certification but it’s worth it. You
will have proof that strengthens the product’s market transparency. You will also go through a proper process of risk assessment, identification and fixing the app’s flaws. It will also teach you ways to properly implement security valves and ways to review
them on a regular basis.
2. Penetration testing
Penetrating testing is a simulation of a hacker’s attack. Done by an ethical hacker called a “white hat” it will expose your product to a skilled specialist that will turn it upside down and look for security flaws. Experts like these use a full range of
weapons available to real-life hackers; they can breach your system in all ways possible, finding holes and proposing ways to manage and fix them.
The problem with that is the nature of their work. They are usually external testers hired for a job. They come, perform, leave a report and go. They can’t replace an internal cyber security team. What is important, however, is that they keep your data safe
and maintain the ISO 27001 standards, while boosting products and brand’s market credibility.
3. Trained and professional employees
Unfortunately, many attacks happen without actually breaching any technological barriers. It’s possible because many employees don’t follow procedures carefully enough or even at all. In some cases, the problem lay in faulty procedures which can and should
be changed or entirely replaced. Manipulating the staff with high-level access through phishing emails or other types of internet scams is nothing extraordinary.
A good example is Twitter, which fell victim to, as the company called it, “coordinated social engineering attack”. This could be avoided by raising
staff awareness.
4. Quick and efficient responses
When the worst already happened and you fall victim to an unethical breach, you need to think about the next step. Actually, steps, since nothing is easy after this type of unfortunate occurrence. There are three basic rules every organization needs to follow.
With them, you can properly react to a security breach.
What you need to do:
- Inform your customers and business partners about the situation. Be as detailed and possible. Transparency is the key. You are not the first, and certainly won’t be the last who got hacked in some way. Inform about the state of the product – what data was
compromised, how it affects the product and customer’s safety. Advise your users to block their credit cards and change passwords as soon as possible. This is a very easy step but if mishandled, can backfire. Especially in the transparency part, that is very
important. Attacks and internal misbehaviour happen. Instead of assigning blame, act.
- Cooperate with the local information commissioner. In the United Kingdom, it’s the
Information Commissioner’s Office. Each country has its own body that’s basically treated as an equivalent. You can find the full list on the
European Data Protection Board.
- Conduct a professional (both internal and especially external) security audit. With it, you will be able to understand the nature of the situation. What exactly happened, how it was possible and what to do in the future to prevent this type of breach.
When security is breached… Finastra case study
FinTech app development is tricky. You need to include factors like security and regulatory compliance. They are essential for your business and determine the entire process of creating a product. Even the largest and established financial services providers
can get punished or fall prey to hackers. Just like
Finastra did last year. What’s important in this particular case is that Finastra works with leading banks and the company’s problems can impact millions of customers across the board.
What can you do to avoid or mitigate risks?
The weakest link – invariably human
Human errors are the most common cause of attacks. When it comes to Finastra, someone simply forgot to patch the VPN to the latest version. It’s a perfect situation for hackers; they can make use of already known exploits and breach fairly easily. That was
the case this time around. Hackers used a vulnerability known as
CVE-2019-11510 and triggered chains of events that eventually broke the security system. The attack also wrote arbitrary files to the host.
Results of the attack
As a consequence, a company employing over 10.000 people and with a reported $2 billion revenue for 2019, was forced to disconnect all systems from the internet and perform an investigation. What’s worse, vital data about top banks from over 40 countries
might fell prey and be sold on a black market. If it wasn’t for a simple mistake and an even simpler update…
Security breaches are preventable
All you have to do is cherry-pick the right technology partner to build and maintain your product. Security begins… well, in the beginning, when you and the development team choose the right technology stack and architecture for the app.
FinTech app development is not something we can all treat lightly. Data and credibility are at stake.