Banking as a Platform (BAAP): Innovating Retail Banking

Banking as a Platform (BAAP), or platformification of banks is increasingly becoming an accepted business model for several banks to cultivate, monetize, and leverage APIs. BAAP or Platform Banking is not a new concept, a World Retail Banking Report by Capgemini explains. For example, a 2021 study by the European Banking Authority found that 97% of banks in the region used platforms to market and distribute products and services, while 83% reported exploring opportunities to use platform models to diversify and expand beyond their primary geographic markets.

India’s digital banking platform market was worth USD 776.7 million in the year 2021, according to BlueWeave Consulting Study. The study underscores that the market is estimated to grow at a CAGR of 9.8%, earning revenue of around USD 1,485.5 million by the end of 2028.

This growth of Banking as a Platform is attributed largely to faster digitization in the country. Another factor is the faster adoption of growing technologies like artificial intelligence (AI), cloud computing, the Internet of Things (IoT), and the use of APIs, all of which lead to automation in finance, higher customer satisfaction, and increased business revenue.

Banks’ CMOs, CIOs, and other C-suite executives can gain usable insights from this blog for building customer-led journeys and a data- and technology-driven product or service platform. But before we dive deeper into the subject, it is essential to define what Banking as a Platform, or BAAP, is.

What is Banking as a Platform?

Banking as a Platform is defined as a business model where third-party developers build products or services for banks. These developers can be from a fintech or any other software/technology company, and they embed APIs into platform functionalities, while a banking platform can itself manage data exchanges, authentication, and compliance.

Is Banking as a Platform & Banking as a Service the same?

In layman’s terms, a fintech or any other software/technology company develops a product or service and “rents” it to a bank. Banking as a Platform cannot be used interchangeably with Banking as a Service (BAAS): in BAAS the direction is reversed, with banking institutions enabling fintech and non-financial businesses to provide financial services. The two terms therefore describe opposite directions of supply. BAAP is a business model that fits well into the modern-day financial ecosystem, where fintech companies enable banks and work in conjunction with them, rather than as two separate bodies, to enhance customer experience.

Banking as a Platform is hence, largely being accepted to embed banking into the broader ecosystem journeys of customers to empower inclusivity and sustainability. Banking as a Platform or BAAP is also known by other names like Platform Banking, Open Banking, and Ecosystem Banking.

Speaking specifically of India, the digital banking platform market is segmented by deployment type into on-premises and cloud segments. Cloud deployment of Banking as a Platform products holds the larger market share, owing to better handling of traffic, faster access to data, and improved efficiency. Cloud deployment of BAAP also allows faster tracking and rectification of issues, which in turn reduces the risk of reputational damage.

A third of retail banking customers were interested in platform services offered by their primary lender, according to a Deloitte survey conducted in the United States. 34% of customers surveyed said they were willing to use platform banking services, whilst 25% said they were neutral.

Younger customers, both Gen Z and Millennials, are more inclined towards a financial superstore app, with an overwhelming 75% and 67% approval, respectively. 54% of Gen X and 33% of Boomers showed interest in a digital banking platform, whilst on a cumulative level, 55% of all respondents showed interest in India.

While prolific growth is highlighted in this business model across all geographies, there are still some reservations due to the traditional way of working. So why should banks consider BAAP?

Moving Past the Status Quo: Why Banks Must

“The key question incumbents must ask themselves is whether banking is a destination or an enabler? As an enabler, banks can go beyond their products/ services and embed themselves within customers’ lives, paving the way for ecosystem banking,” says Christopher Young, Director, Financial Service Strategy, Adobe.

Banks that embrace Open Banking trends could profit from a potential revenue uplift of 20 percent, whereas those failing to do so risk losing 30 percent to disruption by the end of 2020, per one study from Accenture.

All parties are in a three-way win when they adopt a BAAP model.

  • Customers- They remain the bank’s customers, and they win because the bank can offer better, newer, and more technologically advanced services.
  • Banks as the front end- Banks win in this model because they can increase customer engagement, customer satisfaction, and revenue, while also saving development and support costs.
  • Fintechs- Fintechs are integrated into the banking platform with the help of APIs, so the bank is powered by fintech companies. Fintechs win because they can sell their product to a reputed and established institution for a profit.

Benefits of Banking as a Platform

Apart from focusing on the core business, banks can leverage platformification with major benefits as mentioned below:

  • Reduced cost and time that goes into development of a product
  • Maintenance costs are being borne by the fintech company or software development company
  • BAAP introduces a new way of banking for customers, where they find new services
  • Platform banking strengthens a bank’s position in the market
  • Open banking or BAAP increases customer engagement and satisfaction

Banks can make use of the platform in a different way according to geographies, demography and market competitiveness. For example, in a highly competitive market or region, more importance is given to differentiation. So banks can have their SWOT analysis and build a platform or ecosystem around it. In a less competitive environment, BAAP can adopt the opposite strategy. It can become a one-stop shop by offering all possible services on a single platform.

RazorpayX: A Successful Use Case of India’s Neobanking Platform

RazorpayX is the neobanking platform belonging to the unicorn Razorpay. This neobank has already served more than 10,000 businesses, helping them process payroll using Opfin, pay expenses using a Corporate Card, and pay business vendors in real time using the underlying payouts layer.

RazorpayX allows customers to open and operate fully functional current accounts, which come with standard banking features like debit cards, account statements, and cheque book. This platform has API banking capabilities, along with insightful reports, and approval workflow. RazorpayX also helps with automation in finance by refunding Cash on Delivery orders using Payout Links.

Future of Platform Banking

Embedded analytics will become the undercurrent of platform banking, along with key differentiators of AI and ML to enhance customer experience. The DNA of Banking as a Platform (BAAP) shall be defined through API strategy and how agile a bank is to fully use APIs.

While the future of BAAP or platform banking is still in a nascent phase, strong strategic planning and a roadmap can help chart retail banks’ path to a complete platform world. Hence, it is a ripe time for banks to consider consolidation around newer business models that would help them compete in the present business environment.

In our next blog of this two-part series, we put the idea of BAAP to the next level, explaining strategies for retail banks to compete in a platform world.
 

Banking 4.0: Transforming How Banks Deliver Value

Banking 4.0 can be defined as the foundation of creative destruction that came through fintech companies, transitioning innovation, and traditional retail banks reorganizing their business models on new-age digital principles of platforms, apps, data intelligence, and embedded finance. This radical reordering brings a promise of platform-based banking to deliver experience-driven customer satisfaction through the optimum channel.

CIBC, the Canadian bank, for instance, has seen customer acquisition rates in three primary lines of business increase by 65% due largely to personalization efforts, a Capgemini report suggests. In the present financial ecosystem, hyper-personalized and growth-oriented digital environment, the competition for retail banks lies in customer trust, delivery channels, and data.

“Bank 4.0 is essentially embedded, ubiquitous banking built into the world around us through technology layer,” says Brett King, a global best-selling author, and a FinTech futurist, in his statement to Economic Times. Hence, banking 4.0 is essentially about shifting the financial service orbit by demolishing long-standing practices and experimenting with that which hasn’t been done yet.

At the heart of this transformation are today’s chief marketing officers (CMOs) and chief information officers (CIOs), who are also evolving in their role as chief customer strategists. This insight is for such newly defined roles in the retail banking sector that are trying to leverage technology to orchestrate unique customer experiences by coordinating technology, compliance, and data. Leaders who are aiming at breaking data silos and ensuring that banks of the present finance ecosystem have capabilities to deliver real-time data-driven experiences will find our insight useful as we explain how banks can deliver value now, and what they can learn from fintech companies.

Why Banks Must Move From the Status Quo

In Brett King’s book entitled Bank 4.0: Banking everywhere, never at a bank, the description says that in 30-50 years when cash is gone, cards are gone and all vestiges of the traditional banking system have been re-engineered in real-time, what exactly will a bank look like? How will we reimagine a bank account, identity, value, assets, and investments?

“Banks have historically focused on capturing value and have forgotten about customer experience. Capturing value and profit is not contradictory if a bank focuses on long-term customer relationships,” says Alexander Weber, Chief Growth Officer of a German neobank.

95% of banking executives in The World Retail Banking Report highlight that legacy systems and outdated core banking modules inhibit efforts to optimize data- and customer-centric growth strategies.

Evolving consumer tastes, a hyper-competitive landscape, and increasing regulatory scrutiny around data usage, among other factors (Fig. 1), are the critical present-day challenges to banks’ ability to grow and evolve digitally. The report also highlights structural challenges across the customer lifecycle (Fig. 2) and data challenges (Fig. 3) that incumbent banking institutions face.

It is on the lines of these pain points that incumbent banking institutions can compete in the fintech environment with a vision of futuristic banking 4.0 and move from the status quo.

Fig. 1: What customers say they are not getting from their bank

Fig. 2: Structural challenges faced by banks

Fig. 3: Data challenges faced by banks

Bank 4.0: A 4-Pronged Vision of Future Banking

The last two years have been pivotal in pushing the banking, financial services, and insurance (BFSI) sector faster into the future. With the penetration of fintech companies, financial services will increasingly be driven by virtual facilities through platform-based models, cloud data storage, blockchain technology, digital channels, and other futuristic changes. Comparing customer acquisition costs between digital and branch channels shows that the former costs about $5 per customer, while the latter costs about $350 per customer. So the digital acquisition cost of customers is another factor driving the future of retail banking towards Bank 4.0.

In the section below we explain a 4-pronged vision of how Banking 4.0 will unlock hyper-personalized engagement and drive revenues for traditional working retail banks.

The banking 4.0 vision should include recasting the business model with platform-based solutions, revamping customer perception, strengthening data capabilities, and increasing impetus between fintech and traditional banking (Fig. 4)

Fig. 4: 4-Pronged Vision of Future Banking

Recast Business Model with Platform-Based Solutions

Bank executives and customers fall in a similar bracket of expectations from the distribution channel. About 80% of both groups continue to view the website as a critical point of interaction. Mobile apps were cited by 77% of consumers, compared to 91% of executives, while branches were valued more by customers (75%) than executives (58%) in the survey done for The World Retail Banking Report 2022.

Platform-based products and services are promising for filling capacity holes and expanding retail banking revenue. However, banks are still at the cusp of technological reforms, and the executives struggle with cannibalizing products through ecosystem partners, preventing brand dilution, and maintaining ecosystem exclusivity for partners.

While new fintech players can accelerate customers’ expectations around the convenience, transparency, and speed of digital products and services, banks still have a few dominant areas where they can respond to position themselves for the future.

Revamp Customer Perception

Creating a positive brand perception built on low latency, low friction, experience design, and ZeroOps is needed to redefine and revamp customer perception. Bank 4.0 is about capturing value by introducing relevant and low-priced innovative products, enhancing API and cloud capabilities, and strengthening internal processes for frictionless omnichannel experiences.

To change customer perception, the following recommendations can work well-

  • Engage customers through VR/AR immersive experience
  • Reinforce the commitment of the brand towards green banking by integrating ESG parameters into banking products
  • Embrace models that bundle financial service, and non-FS together
  • Drive collaboration and co-innovation to expand the banking product portfolio
  • Embrace cloud and APIs for a robust digital foundation to improve internal processes
  • Synchronize digital and physical channels to shift from multi-channel engagement to an omnichannel experience

As an example, Canada’s CIBC embraced a third-party experience management solution that uses first-party cookies to help build a more scalable and relevant digital platform. This platform allows it to prioritize and push targeted mobile promotions to customers and synchronize data to create models that can update product pages quickly and at scale. The platform also enables the bank’s busy customers to set up direct deposit payments, request financial relief, or apply for credit card rate reductions or mortgage payment deferrals in seconds.

Result? Mobile conversion rates increased by 50% and website conversions more than doubled. Bank leaders have credited digital investments made in 2021 and a cloud-first strategy for CIBC’s adjusted year-over-year revenue growth of 7%.

Strengthen Data Capabilities

At the core of a retail bank brand is the data that CIOs and CMOs can defend and use to succeed in this competitive environment. Retail banks have access to huge transactional, behavioral, and financial data, which they can use to create profitable customer relationships and understand customer behavior. But the point is: are you investing in the technological capabilities to harness this data to your advantage?

The enormous volume of customer data that is supplemented by information from data ecosystems and third parties can strengthen any incumbent brand to leverage this ability and drive customer engagement and revenue. Structuring and organizing data silos with a centralized repository, such as a customer data platform (CDP) can help in generating deeper customer insights. Retail banks can also leverage large volumes of internal data to gain customer insights and a competitive advantage against fintech.

Increase Impetus between Traditional Banking and Fintech

The staggered tech shift in the last few years calls for an increased partnership between traditional retail banking and fintech. Technology can be a force multiplier for a traditional bank. Hitesh Sachdeva, Head of Startup Engagement, Innovation and investments at the ICICI Bank, India, emphasized, “We realize that innovation has two broad approaches. One is you keep building a lot of innovation inside the bank. But it has its own limitations. And the other way to capture the innovation is to tap into the innovation happening in the outside ecosystem, and amalgamate it inside the bank with platforms, partnerships, and collaborations with start-ups, to create innovative products, which are in alignment with our digital roadmap, for rapid prototyping experimentation and then make it the core of the bank.” In this way, fintech companies can play an influential role as the ‘enabler’ of traditional banks, rather than as ‘competitors’.

In a Nutshell

Banks can clearly deliver value by shifting from monolithic broadcasting models to engaging interactive service delivery of fluid experiences to customers. There has to be a shift from brand custodians to brand experience custodians. Bank 4.0 innovations can hence help shape a growth trajectory around four critical areas- product, customer experience, data, and technology.

The recipe for new-age digitization lies in a coherent and integrated strategy. Bank CMOs and CIOs keen on delivering personalized experiences to customers or orchestrating bank 4.0 innovation, can get in touch with the Valuebound product engineering team to learn how we can help to convert your revenues by turning customers into brand evangelists. 

Impact of fintech on Indian Retail Banking

75% of customers in the World Retail Banking Report 2022 said that they are attracted to FinTechs’ cost-effective and seamless services focused on automation in finance. This significantly raises their digital banking expectations. Oracle’s study finds that nearly 81% of customers use digital channels when interacting with banks to avoid physically going to the bank. Retail customers of nearly all banks have reported Internet and mobile banking outages. This is because traditional banks in India were built on a foundation of security rather than scalability, and most banks are still not comfortable with cloud migration. This is where new-age, next-gen FinTech companies are outpacing traditional retail banking in India.

For starters, technology and fintech have challenged the status quo of conventional retail banking- impacting their revenue as well. With the future of fintech in India becoming more relevant, it’s about time that automation in finance becomes a central theme across all banking services in India.

In our insight, we explain the core themes that can drive new business models in the retail banking industry in India.

The Metamorphosis of Retail Banking in India

Consumers have higher expectations regarding customer service, reduced app or web downtime, and core functions like investments, savings, payment facilities, and credit across segments, topped by a seamless user experience across platforms.

Financial inclusion became a keyword a few years ago, bringing technology and fintech into banking services and leaving the conventional firms wondering if their time was up. In simple terms, financial inclusion means including all consumers across the length and breadth of India in banking services. The digital literacy divide among the Indian audience is a major pain point, alongside IT security, regulatory uncertainty, and differences in management and culture.

Most Gen Z and Millennial Indians have started calling fintech the primary financial service provider. Hence, it doesn’t matter whether a new product or service comes to the market or not- fintech has captured the mind share and market. Regarding the impact of fintech on Indian retail banking, fintech companies have not replaced the traditional banking model- they’ve only introduced new services and products in the market. This has fundamentally metamorphosed supply and demand for financial services. So where does that leave the traditional retail banking industry in India?

Technology and Fintech: A Game-Changer for Traditional Banking Model in India

The regulatory authorities in India realized that technology could be a game changer for financial inclusion in India. Institutes like the National Payment Corporation of India (NPCI), the Institute for Development and Research in Banking Technology (IDRBT), and the India Stack became the key pillars to set the foundation of fintech in India with the intent of driving digital transformation in finance and advancing the motive of financial inclusion.

To combat the pain point of the digital divide, schemes like NFS, UPI, Aadhaar, and Digital India set the foundation for financial literacy and inclusion, which led to automation in the financial landscape of the country. Against this background, it is useful to understand the impact of fintech on retail banking in India.

There are 6 core themes that Valuebound observes regarding the impact of fintech on Indian retail banking-

Customer Experience & Customer Engagement at the Core

Channel diversification has become the key driving factor in the retail banking sector in India. Critical reasons for this include growth in the number of mobile users. As per Deloitte's analysis, the demand for smartphones in India is expected to reach about 400 million in 2026 from 300 million in 2021. Increased use of web-based platforms is another strategic reason for channel diversification to cater to a larger audience. Mobile-first approach to reaching out to the customers, and offering mobile applications to the clients for banking-at-the-doorstep is an investment that most traditional banks are now making to enhance customer experience substantially.

Integration & Collaboration

Fintech incubation programs and captive accelerator programs have increasingly become popular among traditional banks in India to foster innovation and create a safer environment for customers. One such example is the SBI Fintech Innovation Incubation Program (SBI FIIP), which runs with an overarching purpose to promote a culture of FINTECH innovation and entrepreneurship in India.

While traditional banking models were upended by the fintech ecosystem 5 years ago, banks are now actively examining how they can be a part of disruptive innovation. Account Aggregators under the open banking architecture are another notable change in India’s retail banking ecosystem.

Establishing Win-Win Partnerships

The win-win partnership between new fintech entrants and traditional banks gives a direct benefit to the country’s financial ecosystem with customers at the center. Potential opportunities could include expanding infrastructure capabilities by banks and enhancing knowledge of product design and IT development.

Access to lending is set to be democratized, and lending models will be subject to greater regulatory scrutiny. While overall credit card penetration will increase, the role of non-banks is unclear and will be shaped by regulation, which explains the need for win-win partnerships. These developments bring banks, NBFCs, and Fintechs closer, as collaborators and not as competitors.

Building Strong IT Infrastructure

In December 2020, Shaktikanta Das, the RBI Governor urged banks to invest more in IT infrastructure and technology to remain competitive with Fintech companies. The retail banking sector in India does not lack the capital to invest in technology- there’s a lack of vision and business leads that could take strong decisions. Yet, the metamorphosis of retail banking we talked about in the previous section is visible now.

In 2021, HDFC Bank created its own Digital and Enterprise Factories to enhance the digital banking experience of customers. The enterprise factory aims to upgrade legacy infrastructure, decouple existing systems, and build in-house capabilities by embracing open source to achieve resilience and scale.

“The Digital and Enterprise factories will help us realize the strategy of ‘running’ the bank, while ‘building’ the bank for the future,” says Parag Rao, Group Head – Payments, Consumer Finance, Digital Banking & IT, HDFC Bank. He also adds, “we have led the digital transformation of the Indian financial services sector and continue to invest in technologies.”

Mitigating Cyber Security Risks

Cyber security risks arise when external APIs interact with banks’ IT systems, exposing the bank to vulnerabilities and information breaches that can undo the positives mentioned above. In practice, every third-party API should be treated as an untrusted input: authenticated, authorized per operation, rate-limited, and logged. Banks are now partnering with IT organizations to address such challenges. Cloud sourcing, too, increases risks around money laundering, data security, customer privacy, and cybercrime, all of which can be addressed with strong decision-making and advanced technologies in place.

Compliance and Regulations

Reliance on APIs and the cloud has increased interconnectedness between banks and third-party apps, which may not be subject to equivalent regulation and compliance requirements. Banks cannot risk non-compliance with data privacy and security rules. But if partners are vetted technically and through the right channels, traditional banks can turn this to their advantage, in an area where fintech companies would lag behind.

Wrapping Up

These developments bring Indian banks, NBFCs, and Fintechs closer, as collaborators and not as competitors. The success of innovation and amalgamation between retail banking and fintech largely depends on regulations and compliance. In spite of the long way to go, the impact of fintech on retail banking in India shall emerge for the highest good of digital transformation of financial services and customers. 
 

Blueprint for Building Secure Unified Payment Interface (UPI)

In June 2021, providers of the unified payments interface (UPI) in India recorded a total of 2.8 billion digital payment transactions worth over five trillion Indian rupees, an increase over May 2021, according to Statista research. Statista also notes that in the financial year 2022, digital payments in India reached a total of over 239 billion Indian rupees, a significant increase from 20.7 billion Indian rupees in the financial year 2018. UPI is an initiative by the Government of India to introduce a standardized protocol through which banks, bank-like organizations, and non-bank entities can communicate with one another, making India’s payment system digital native.

What is UPI or Unified Payment Interface?

Launched in 2016, UPI is a National Payments Corporation of India (NPCI) payment system that allows online payment and cashless money transfer using a simple mobile system.

UPI works on the concept of virtual payment addresses, which makes it interoperable- the greatest advantage that changed the payment landscape in India. UPI leverages the present infrastructure for authentication and enables one-click payment. By eliminating the need for sharing sensitive information like bank account numbers and One-time passwords (OTP), UPI has facilitated a safe, secure, and game-changing digital transition toward India’s nearly cashless economy. Unified Payment Interface is a platform that is both backward compatible as well as futuristic. Yet, when we speak of safety, there are a few things that are at stake.

What’s at stake during UPI Transaction?

A payment transaction begins with a sender, an entity that needs to transfer money, and a receiver. Either party could be an individual, a merchant, or even a government organization. Three core requirements must be met to complete a payment transaction using UPI: sender authentication, receiver identification, and authorization. During these steps, security of the infrastructure remains a major pain point for UPI. Banks do not have safe transmission of information as a core competency, and placing the entire burden of two-factor authentication on banking systems leads to insecure communication channels and non-standard authentication processes across institutions.

So even while the reason for UPI’s success is a modern unique identifier for every individual, there are certain things that remain at stake, which are-

  • Virtual payment addresses & Individual’s Digital identity
  • UPI ecosystem that’s built and integrated for provisioning services
  • Security of the identity, transaction information, and data over the network
  • Response time, since transaction speed is what users value most

Some of the other things also include regulatory compliance, financial and reputational aspects, and confidence of customer and market trust.

Ensuring UPI Security

Cyber security of the Unified Payment Interface covers four main areas: process controls, functional controls, technology controls, and vulnerability detection. Across these four areas, a product owner should consider the following points for UPI security-

  • Ensure that the UPI environment and interfacing systems are secure
  • Security of identity on mobile devices must be ensured
  • An organization must introduce new security tools in context with the changing business model
  • To ensure effective monitoring and analysis of security risks, advanced and smart analytics tools must be used
  • Compliance with regulations and adopting industry standards help in further strengthening the security of UPI

OWASP Mobile Top 10 2022 for UPI Security

The Open Web Application Security Project (OWASP) is a non-profit foundation that provides guidance to improve software security. The OWASP Mobile Top 10 ranks the most critical security risks for mobile applications, alongside suggestions on how to protect against these attack vectors. The list current in 2022 (the 2016 edition, which remained the latest until it was revised in 2024) is-

  • M1: Improper Platform Usage
  • M2: Insecure Data Storage
  • M3: Insecure Communication
  • M4: Insecure Authentication
  • M5: Insufficient Cryptography
  • M6: Insecure Authorization
  • M7: Client Code Quality
  • M8: Code Tampering
  • M9: Reverse Engineering
  • M10: Extraneous Functionality

Security Considerations: 5-Step Roadmap to Create Secure UPI Product

The proportion of UPI transactions in the total volume of digital transactions grew from 23% in 2018-19 to 55% in 2020-21 with an average value of ₹1,849 per transaction. The volume of UPI transactions calls for security considerations in place to create a secure UPI product that ensures customer trust and retention. Valuebound recommends following UPI security considerations to ensure benefit-realization of the product (Fig. 1).

Fig. 1: 5-step roadmap for a secure UPI product

Web Protection

This includes protection from cyber fraud and safeguarding digital identity. Google Pay, for instance, suggests prerequisites for integrating it with a site. These include-

  • Ensuring that business channels are verified merchants by NBFC/ banks
  • Ensuring that all details needed to accept payment using UPI ID are available
  • Ensuring to have required APIs from the bank to check payment status
  • Ensuring that every transaction uses a unique transaction ID
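The "unique transaction ID" and "check payment status" prerequisites above are easier to reason about in code. The block below is an added example, not Google Pay's, NPCI's or any bank's integration code: it shows why the transaction ID has to be both unique and unpredictable, how a merchant reference doubles as an idempotency key so that a retried request cannot charge the payer twice, and why a status lookup must be scoped to the merchant that owns the transaction. The CollectRequest and PaymentLedger names, the in-memory store and the sample order are assumptions made for this illustration.

```python
"""Idempotent payment initiation with per-transaction unique IDs.

Added example for the "unique transaction ID" and "check payment status"
prerequisites; it is not Google Pay's, NPCI's or any bank's code. The
CollectRequest/PaymentLedger names, the in-memory store and the sample
order are assumptions made for this illustration.
"""
import secrets
import time
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CollectRequest:
    merchant_id: str
    payer_vpa: str
    amount_paise: int   # integer minor units; never float for money
    merchant_ref: str   # merchant's own order reference, used as idempotency key


@dataclass
class LedgerEntry:
    txn_id: str
    request: CollectRequest
    status: str = "PENDING"   # PENDING -> SUCCESS | FAILURE (terminal)
    created: float = field(default_factory=time.time)


class PaymentLedger:
    """Server-side record that makes client retries safe and status queryable."""

    def __init__(self) -> None:
        self._by_txn: dict[str, LedgerEntry] = {}
        self._by_ref: dict[tuple[str, str], str] = {}   # (merchant, ref) -> txn_id

    @staticmethod
    def new_txn_id() -> str:
        # Unpredictable ID: a sequential counter would let one merchant guess
        # and probe another merchant's transactions through status lookups.
        return "TXN" + secrets.token_hex(16).upper()

    def initiate(self, req: CollectRequest) -> tuple[str, bool]:
        """Return (txn_id, created). A retry carrying the same merchant_ref
        gets the original txn_id back instead of charging the payer twice."""
        if req.amount_paise <= 0:
            raise ValueError("amount must be positive")
        key = (req.merchant_id, req.merchant_ref)
        if key in self._by_ref:
            existing = self._by_txn[self._by_ref[key]]
            if existing.request != req:
                # Same reference, different payload: refuse rather than reuse.
                raise ValueError("merchant_ref reused with a different request")
            return existing.txn_id, False
        txn_id = self.new_txn_id()
        self._by_txn[txn_id] = LedgerEntry(txn_id, req)
        self._by_ref[key] = txn_id
        return txn_id, True

    def settle(self, txn_id: str, outcome: str) -> None:
        """Record the bank's callback. A re-delivered callback with the same
        outcome is harmless; changing a terminal state is an error."""
        if outcome not in ("SUCCESS", "FAILURE"):
            raise ValueError("unknown outcome")
        entry = self._by_txn[txn_id]
        if entry.status not in ("PENDING", outcome):
            raise ValueError(f"{txn_id} already {entry.status}")
        entry.status = outcome

    def status(self, merchant_id: str, txn_id: str) -> str:
        """Status check scoped to the owning merchant: no cross-tenant lookups."""
        entry = self._by_txn.get(txn_id)
        if entry is None or entry.request.merchant_id != merchant_id:
            return "UNKNOWN"
        return entry.status


def demo_idempotency() -> dict:
    """Drive the ledger through a retry, a reused reference, a settlement
    and a scoped status lookup, returning the observations."""
    ledger = PaymentLedger()
    order = CollectRequest("MERCHANT01", "payer@upi", 49900, "ORDER-1001")  # constructed
    txn, created = ledger.initiate(order)
    txn_retry, created_retry = ledger.initiate(order)   # network retry, same ref
    try:
        ledger.initiate(CollectRequest("MERCHANT01", "payer@upi", 1, "ORDER-1001"))
        reuse_rejected = False
    except ValueError:
        reuse_rejected = True
    ledger.settle(txn, "SUCCESS")
    ledger.settle(txn, "SUCCESS")   # duplicate bank callback: accepted, no change
    return {
        "same_txn_on_retry": txn == txn_retry,
        "created_flags": (created, created_retry),
        "reuse_rejected": reuse_rejected,
        "status_owner": ledger.status("MERCHANT01", txn),
        "status_other_merchant": ledger.status("MERCHANT02", txn),
        "txn_count": len(ledger._by_txn),
    }


if __name__ == "__main__":
    print(demo_idempotency())
```

The design choice worth noting is that the merchant's own reference, not the generated transaction ID, is the idempotency key: the merchant cannot know the transaction ID until the first request succeeds, so that is the only value it can repeat safely on a timeout.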

Fraud Detection

Early detection tools can reduce Mean Time to Detect (MTTD) for new-age frauds like Distributed Denial of Service (DDoS), ransomware, application vulnerability exploits, merchant frauds, spam, reconnaissance attacks, software supply chain attacks, and account takeovers.

Secure Design

Embedding security requirements, or adopting the DevSecOps model, in the development programme puts cybersecurity at the centre of the production pipeline.

Technology Design Review

Encryption and authentication strategies such as public key infrastructure (PKI) and hardware security modules (HSM) help secure a UPI product. Network architecture, application programming interface (API) and interface security form an integral part of the technology design review.

Operations Readiness

A new UPI product should have compliance with National Payments Corporation of India (NPCI), Reserve Bank of India, and IT Act guidelines to avoid compliance and regulatory hiccups. UPI security also includes log maintenance and advanced log analytics.

Conclusion

In 2021, out of 2.8 billion transactions, PhonePe had a share of 46 percent and Google Pay a share of 35 percent. The third big player is Paytm, with a share of nearly 12 percent. The volume of UPI transactions and India’s digital ecosystem is a testimony that the scaled-up mobile banking infrastructure is here to stay and transform the economy. Creating a secure UPI ecosystem becomes more important as the customer base grows exponentially. If you wish to learn how Valuebound builds solutions to ensure a safe and secure UPI product for you, get in touch with us.

Best Practices for Microservices in FinTech

Microservices have become a key ingredient in the successful recipe of a FinTech product. Even conventional financial services have recognized the importance of microservices in their digital transformation journey because microservices can digitize legacy systems of financial service companies and banks by re-architecting apps into newer ones. The popularity of microservices can be understood by the fact that over 37% of IT respondents said they at least “partially” used microservices in 2021, while 34% fully used them. This is almost 25% higher than that in 2020, according to the 2021 Global Survey results of the GitLab DevSecOps report.

Even though microservices add complexity to systems, monitoring, and organizations, the results and benefits of microservices in the FinTech industry are worth the effort. Microservices can increase productivity by up to 50% and decrease overhead costs by half on average. The idea behind using microservices is simple- making a product that meets the demands of scalability, agility, and a constantly changing market- something that’s easier said than done. Age-old monolithic systems are not only difficult to restructure but also expensive to run. In this insight, we compile best practices for microservices that will help you build a winning FinTech product.

What Are Microservices?

Microservices are a cluster of interconnected yet independent services, each built from the frameworks, libraries, and tools suited to its own task. They can be written in different languages to support business goals. Microservices are built by smaller, multidisciplinary teams, which makes them easier to deploy, test, and maintain.

Best Practices for Microservices in Fintech

Have Dedicated Infrastructure to Support Business Functions

Addressing vital issues like App security, load balancing, performance, caching, and monitoring is critical. To work on these issues, it is essential to ensure quality cloud computing services or hosting, which can handle traffic load and make the product work.

Go Slow While Migrating a Monolithic App

Monolithic architectures, also known as tightly coupled architectures, come with their own baggage, such as stack dependencies that do not allow the latest technologies to be embedded. Danske Bank, for instance, worked with a monolithic architecture that relied mostly on resource sharing, which prevented the bank’s processes from functioning independently. Such an architecture may also send unencrypted user data, which amounts to a major security breach. Monolithic architectures are not compatible with microservices, which is why migration must go slow. The best practice for a financial service or fintech company is to recognize its pain points and know which legacy functionality it needs to carry over to the new architecture.

Automate RESTful APIs

REST APIs are flexible and portable, allowing a company to migrate from one server to another. They also make database changes much more flexible. Having said that, hand-coding custom RESTful APIs for every microservice in the architecture requires tremendous time and resources. One option is therefore to include automatic API generation, which converts any database into a REST API.

Prioritize Loosely Coupled Architecture

Loosely coupled architecture, also known as microservices, is lean and independent and follows the single responsibility principle. This means that each microservice is dedicated to performing one particular function only, which makes maintenance, testing, and fault recovery easier. Microservices are popular in fintech app development because they can be deployed independently and offer a lot of business responsiveness thanks to a clean interface for communication.

Adopt DevSecOps Security Model

We have already discussed fintech API security risks and challenges and a winning security strategy. Adopting the DevSecOps model at the core of the Software Development Life Cycle (SDLC) helps in creating a secure codebase. DevSecOps focuses on embedding security at the early stages of SDLC. This methodology uses cybersecurity as the central part of the production pipeline with other phases like architectural designing, coding, and testing.

Deploy Easily With Containers

Deploying microservices in containers makes migration flexible and portable, while also helping to manage services independently. Container architecture is popular for deploying microservices in fintech. It comes with several benefits, such as container-centric infrastructure orchestration, a container runtime, container orchestration, self-healing mechanisms, load balancing, and service delivery. Kubernetes is one such open source platform, widely used by developers for grouping and deploying microservices in a fintech platform.

Introduce Microservices Central Logging

As basic hygiene in microservices, central logging is considered the best practice. It is a must to have a centralized logging location and add sufficient context to logs to identify the difference between useful and useless log data. Microservices central logging enables visibility for debugging issues in a better manner.

Use Case of Microservices in Fintech: Monzo Bank

London-based Monzo Bank uses more than two thousand microservices in its architecture for building its mobile-first, cloud-native digital bank while also being compliant with regulations. The fintech application uses AWS hosting for core banking, leveraging cloud computing strength to derive benefits like flexibility and scalability. Cloud eliminates hiccups around provisioning management, infrastructure, and capacity limits.

The core banking system of Monzo Bank is established on the platform using microservices with virtualized servers that have container tools like Kubernetes and Docker. The architecture of the platform is composed of smaller elements that can scale as an entire entity, including APIs, and communicate synchronously or asynchronously. For easy interoperability, the banking fintech app is platform-agnostic. Monzo Bank’s greatest benefit from microservices architecture is organizational flexibility.

Suhail Patel, the backend engineer of Monzo says, “Monzo is a fully licensed and regulated bank in the UK. We have no physical branches. We've had this API ever since we began. You can manage all of your money and finances within the Monzo app, and the bank has more than 4 million customers in the UK.” He also adds, “We build services which are granular enough to be easily understood. Ownership of services is well-defined but can be fluid based on the goals of the company.”

In Conclusion

Fintech companies and legacy financial service companies must adopt best practices while using microservices to enter new markets and position themselves rightly. With platform banking and new-age banking apps, an enhanced customer experience goes a long way. In the long term, as a fintech solution moves from a core MVP to a sophisticated microservices architecture, it must also coordinate its services through a service mesh. The end goal of microservices architecture in fintech or banking services is to align different services and products from multiple platforms to provide a uniform customer experience.

To know more about the use of microservices in fintech and implementing best practices, let us connect. You may also write to us at hello@valuebound.com.

How to Automate Google PageRank Tracking for your keywords in a Google Spreadsheet [Process Automation]

Google PageRank is an essential factor that Google considers while deciding whether or not your website will show on the top Search Engine Result Pages, also known as SERPs. Appearing on top of search engine listings means that your content is easily seen by the users. While there are other search engines, Google PageRank is a gold standard for your content, and other search engines also follow similar techniques for listings. It not only becomes a significant factor to the popularity of your content but also reaps direct benefit for your product or service. Hence, tracking Google PageRank for keywords is critical analysis that must be done at the organizational level.


Google PageRank

PageRank (PR) is a Google Search algorithm that ranks websites based on how important they are. It was named after the term "web page" and co-founder Larry Page. The more important a website is, the more likely it is to get links from other websites.

Monitoring the progress of keywords you want to rank

It becomes a tedious task to repeatedly search for the keywords you want to rank and monitor the progress. There are quite a number of expensive tools to monitor keyword rankings. The same can instead be accomplished with scraping libraries. One such tool is googlesearch, a Python library for searching Google easily. googlesearch uses requests and BeautifulSoup4 to scrape Google.

In this blog, we aim to provide a tutorial on how to record Google PageRank for your keywords in a Google spreadsheet. An arrangement of this kind makes it easier for an organization to track and monitor the progress of its keywords. So let’s begin.

Step 1: Install googlesearch Python Library

To install googlesearch Python Library, run the following command:

python3 -m pip install googlesearch-python

Required params of googlesearch: the basic parameters of a googlesearch call are-

  • query: the query string we want to search for
  • lang: language
  • tld: the top-level domain, i.e. whether we want our results from google.com, google.in or some other domain
  • num: number of results we want
  • start: the first result to retrieve
  • stop: the last result to retrieve; use None to keep searching forever
  • pause: lapse to wait between HTTP requests
  • Return: a generator (iterator) that yields the found URLs

Python code

Follow the code below to move ahead on the process.

Step 2: Google Spreadsheet Settings

To follow along, you'll need a spreadsheet. Head over to Google Sheets and create one.

Step 3: Create a service account and OAuth2 credentials

Now, you'll need to create a service account and OAuth2 credentials from the Google API Console. Follow the simple steps below to enable the API and grab your credentials.

  • Head over to the Google API Console.
  • Create a new project by selecting My Project -> + button
  • Search for 'Google Drive API', ‘Google Sheets API’ and enable them.
  • Head over to 'Credentials' (sidebar), click 'Create Credentials' -> 'Service Account Key'
  • Select Compute Engine service default, JSON, hit create.
  • Save the JSON file in your system.
  • Share your spreadsheet with the "XXX@XXX.gserviceaccount.com" email listed in the JSON file.

Step 4: Operations in Spreadsheet

To access spreadsheets via the Google Sheets API you need to authenticate and authorize your application. Two packages are used for this-

  • oauth2client - to authorize with Google Drive API
  • gspread - to interact with Google Spreadsheets

Step 5: Install Required Package

After completing the steps above, install the required packages. Install gspread and oauth2client with the following command-

pip install gspread oauth2client

You can perform insert, fetch, update and delete in the spreadsheet. Let’s say you want to fetch keywords from a spreadsheet and have to update the search ranks corresponding to the keywords (Fig.1)-

 

Fig. 1: Keywords representation in spreadsheet

Each column header in the sheet is a keyword. The script fetches the keywords and writes the corresponding rank for each keyword in the row below.

Finally, import all required packages as discussed above.
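An added worked example, not code from the original post, that puts the steps of this tutorial together: the search backend and the worksheet are injected, so the rank logic runs and can be checked offline. It assumes the googlesearch-python signature `search(term, num_results=...)` returning URL strings and gspread's `service_account(filename=...)`; the sheet name, credential path and fixture results are placeholders.

```python
"""Keyword rank tracking for a Google Sheet (added example, not from the post).

The rank logic is separated from the two network-facing libraries so it can
run offline: the search backend and the worksheet are injected. Assumed
library signatures: googlesearch-python's search(term, num_results=...)
yielding URL strings, and gspread's service_account(filename=...).
"""
from urllib.parse import urlparse


def _host(url):
    """Lower-case hostname without port or a leading 'www.'."""
    host = urlparse(url).netloc.lower().split(":")[0]
    return host[4:] if host.startswith("www.") else host


def rank_of_domain(result_urls, domain):
    """1-based position of the first result on `domain` or one of its subdomains.

    Matching on the parsed hostname (not on a substring of the URL) avoids
    counting look-alike domains such as notexample.com for example.com.
    Returns None when the domain does not appear in the results.
    """
    target = _host("https://" + domain)
    for position, url in enumerate(result_urls, start=1):
        host = _host(url)
        if host == target or host.endswith("." + target):
            return position
    return None


def track_keywords(keywords, domain, search_fn, num_results=20):
    """Map each keyword to its rank; search_fn(keyword, num_results) yields URLs.

    A failed lookup (network error, block page) records None for that keyword
    instead of aborting the whole run.
    """
    ranks = {}
    for keyword in keywords:
        try:
            urls = list(search_fn(keyword, num_results))
        except Exception:
            ranks[keyword] = None
            continue
        ranks[keyword] = rank_of_domain(urls, domain)
    return ranks


def ranks_row(header, ranks, missing="-"):
    """Row to append under the keyword header: one cell per keyword, in header order."""
    return [ranks[kw] if ranks.get(kw) is not None else missing for kw in header]


def google_search(term, num_results):
    """Live backend: thin wrapper over googlesearch-python (signature assumed)."""
    from googlesearch import search
    return search(term, num_results=num_results)


def run(sheet_name, domain, creds_path="service-account.json"):
    """Read keywords from row 1 and append a row of ranks (needs network and credentials).

    Keep the service-account JSON outside the repository and share only this
    one sheet with the service account, so the key cannot reach other files.
    """
    import gspread
    client = gspread.service_account(filename=creds_path)
    worksheet = client.open(sheet_name).sheet1
    header = worksheet.row_values(1)
    ranks = track_keywords(header, domain, google_search)
    worksheet.append_row(ranks_row(header, ranks))
    return ranks


# Constructed offline fixture standing in for the search backend.
FAKE_RESULTS = {
    "banking as a platform": ["https://example.org/a", "https://www.example.com/baap", "https://example.net/c"],
    "upi security": ["https://news.example.net/upi", "https://blog.example.com/upi-security"],
    "fintech api": ["https://example.org/api", "https://notexample.com/api"],
}


def fake_search(term, num_results):
    return FAKE_RESULTS.get(term, [])[:num_results]


if __name__ == "__main__":
    header = list(FAKE_RESULTS)
    print(ranks_row(header, track_keywords(header, "example.com", fake_search)))  # [2, 2, '-']
```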

 

To Conclude

Tracking Google PageRank is an essential part of search engine optimization, since it measures the importance of a web page. The relevance of a web page is a critical factor that determines its PageRank. But tracking the progress is what matters most to any organization's SEO efforts. Whether you’re an SEO consultant or an organization tracking the progress of your top-rated keywords, a good SEO strategy with the right measuring tools can go a long way.

Reach out to us if you have further questions on this tutorial on how to automate Google PageRank for your keywords in a Google spreadsheet. 
 

Roadmap for a Winning API Security Strategy for Fintech

A resounding 94% of IT company leaders reported that they have experienced API security problems in production APIs, according to a report by SALT, a leading security research firm that identifies API security vulnerabilities. The critical API security problems reported over the period from July 2021 to July 2022 were vulnerabilities (47%), authentication problems (38%), data exposure (31%), and breaches (19%) (Fig. 1). Malicious API attack traffic surged 117% over the past year, from an average of 12.22M malicious calls per month to an average of 26.46M calls.

Fig. 1: Kinds of attacks

In a global and growing API ecosystem, Postman users signed in from an impressive 234 different countries and geographies while making 855 million API requests in the year 2021 (up 56% from the prior year). Looking at country-by-country API growth, India is in the third spot among the fastest growing geographies (Fig. 2).

Fig. 2: API security request collection at global level

Industry-wise, Technology (29%) represents the largest industry that makes use of APIs, followed by business/IT services (28%), banking/finance/insurance (11%), and healthcare (5%). In our previous blog, we mentioned how API attacks are causing significant security concerns among fintech companies that are heavily reliant on APIs to build applications. The result? Unfortunately, 54% of respondents indicate that they have had to slow the rollout of a new application because of an API security concern.

While the reliance on APIs is pointedly high, unfortunately only 9% of respondents can confidently state that they have an advanced API security strategy that includes dedicated API testing and protection. Meanwhile, an alarming 61% admit that they lack any API security strategy or have only basic protections. API security is considered the most important component of web application security, but before we dig deeper into best practices for API security posture, let us first understand what Application Programming Interface (API) security is.

What is API Security?

An Application Programming Interface or API enables software applications to communicate with each other, enhancing interoperability among other advantages. API security, therefore, means protecting APIs from attacks that exploit their vulnerabilities. Since APIs are now so commonly used across industries, and carry sensitive data and expose sensitive functions, they have become bait for attackers.

API security is especially critical for the fintech industry which extensively embraces the API-first philosophy. We have already written a detailed insight about Open Web Application Security Project (OWASP) top 10 challenges of API security for fintech companies. This article, therefore, extends further to present several tools, methods, and best practices for securing your APIs.

Architectural Styles Used for Modern APIs: Mitigating Security Risks

Postman’s survey underscores that as many as 94% of its respondents use REST, or REpresentational State Transfer, as their main architectural style. Other architectural styles used for engineering APIs include webhooks, WebSockets, GraphQL, and SOAP. Among these, SOAP or Simple Object Access Protocol is also commonly used.

Among specifications, JSON Schema (used by 47%) is the top specification in use, followed by Swagger 2.0 (54%) and OpenAPI 3.0 (40%).

REST is considered the simpler approach (and is therefore the most popular); it uses HTTP/S as the transport protocol and JSON as the data format. SOAP, meanwhile, is a highly structured message protocol for APIs and supports multiple low-level protocols. Both architectural styles can support HTTP requests and Secure Sockets Layer (SSL). However, the difference lies in the level of security they offer.

SOAP vs REST API: Which is more secure?

Before explaining which of the two architectural styles, SOAP or REST, is more secure, let us first understand the differences through the table below.

                            SOAP                                       REST
Organized in terms of       enveloped message structure                compliance with six architectural constraints
Format                      XML only                                   XML, JSON, HTML, plain text
Learning curve and usage    Difficult                                  Easy
Community                   Small                                      Large
Preferred for (use cases)   Payment gateways, identity management,     Public APIs, simple resource-driven apps
                            CRM solutions, financial and
                            telecommunication services, legacy
                            system support

API security would remain a priority regardless of the architectural approach you choose. While REST is faster and has a simpler learning curve and ease of use than SOAP, the latter is more secure, and here’s why-

Both REST and SOAP use Secure Sockets Layer or SSL for data protection during API call requests, but SOAP also supports Web Services Security (WS-Security). This adds a second layer of protection to API security. In the case of REST, security must be built in for deployment, transmission, and interaction with clients.

SOAP is based upon OASIS and W3C recommendations, and includes XML encryption and signatures, and SAML tokens. Meanwhile, REST does not have its own built-in security capabilities, and the security is based on the API itself.

SOAP supports WS-ReliableMessaging that enables built-in error handling, while REST APIs have no in-built error handling and need to resend the data in case of error.

SOAP can support Web Services (WS) specifications, which enable you to use extensions such as WS-Security. This provides enterprise-grade security for web services. On the other hand, the common architectural choice for REST APIs is to deploy them behind an API gateway. Client requests then go to the gateway, which acts as a proxy, rather than directly to the REST API. The security concerns this raises must be addressed by the API gateway.

The technologies associated with APIs that are most commonly preferred now include Microservices (58%) and Kubernetes (50%), followed by containers (46%), serverless architecture (44%), and GraphQL (35%). This brings us to the segment of GraphQL, the query language that describes how clients request information through APIs.

Mitigating GraphQL Security Risks

Some of the strategies that can help mitigate the API security risks arising from GraphQL include-

  • Timeout- It can help you secure against large query requests. Among the simplest of all strategies, in this case the server only needs to enforce the maximum time allowed for a query, not to understand the details of incoming queries.
  • Maximum Query Depth- Analysis of the abstract syntax tree (AST) of the query document to decide what nesting depth is acceptable is called maximum query depth, and it helps prevent clients from abusing query depth. A GraphQL server can use the maximum query depth to accept or reject requests.
  • Query Complexity- It can be used as a strategy to define the complexity level of certain schema fields that are more expensive to compute. By defining query complexity, you can also reject queries that exceed the complexity threshold.
  • Throttling- It can be an ideal strategy for stopping clients that send many medium-sized queries. Throttling can be done by estimating the server time required to complete each query type.
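The maximum query depth and query complexity strategies above, implemented together in one pre-execution guard as an added example that is not part of the original article. The per-field cost table, the sample queries and the limits are constructed; list-sizing arguments (`first`, `last`, `limit`) multiply the cost of their subtree, and anything the guard cannot parse (fragments, non-literal list sizes) is rejected rather than let through.

```python
"""Depth and cost guard for incoming GraphQL queries (added example).

A small recursive-descent pass over the query text computes the maximum
selection-set nesting depth and a cost estimate, so the server can reject
abusive queries before executing them.
"""
import re

FIELD_COST = {"posts": 5, "comments": 5, "search": 10}  # constructed; unknown fields cost 1
LIST_ARGS = ("first", "last", "limit")  # their value multiplies the subtree cost

_STRING_RE = re.compile(r'"(?:[^"\\]|\\.)*"')
_COMMENT_RE = re.compile(r"#[^\n]*")
_TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*|\d+|\.\.\.|\S")


class QueryRejected(ValueError):
    pass


def _tokenize(query):
    # Strings and comments may contain braces, so blank them before scanning.
    return _TOKEN_RE.findall(_COMMENT_RE.sub("", _STRING_RE.sub('""', query)))


class _Analyzer:
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def next_tok(self):
        tok = self.peek()
        if tok is None:
            raise QueryRejected("unexpected end of query")
        self.i += 1
        return tok

    def skip_args(self):
        """Consume '( ... )' and return the list multiplier from first/last/limit."""
        self.next_tok()  # '('
        multiplier, nesting = 1, 1
        while nesting:
            tok = self.next_tok()
            if tok == "(":
                nesting += 1
            elif tok == ")":
                nesting -= 1
            elif tok in LIST_ARGS and self.peek() == ":":
                self.next_tok()
                value = self.next_tok()
                if not value.isdigit():  # variables are not resolved here: reject
                    raise QueryRejected(f"{tok} must be a literal integer")
                multiplier = int(value)
        return multiplier

    def selection_set(self, level):
        """Parse '{ ... }' whose fields sit at nesting `level`; return (cost, deepest)."""
        if self.next_tok() != "{":
            raise QueryRejected("expected selection set")
        cost, deepest = 0, level
        while self.peek() != "}":
            name = self.next_tok()
            if name == "...":
                raise QueryRejected("fragments are not supported")
            if self.peek() == ":":  # alias: the cost is that of the real field
                self.next_tok()
                name = self.next_tok()
            multiplier = self.skip_args() if self.peek() == "(" else 1
            child_cost = 0
            if self.peek() == "{":
                child_cost, child_deepest = self.selection_set(level + 1)
                deepest = max(deepest, child_deepest)
            cost += (FIELD_COST.get(name, 1) + child_cost) * multiplier
        self.next_tok()  # '}'
        return cost, deepest


def analyze(query):
    """Return (cost, depth) for one operation; raise QueryRejected if unparsable."""
    parser = _Analyzer(_tokenize(query))
    parens = 0  # skip the operation header, e.g. 'query Name($id: ID!)'
    while parser.peek() != "{" or parens:
        parens += (parser.peek() == "(") - (parser.peek() == ")")
        parser.next_tok()
    cost, depth = parser.selection_set(1)
    if parser.peek() is not None:
        raise QueryRejected("trailing tokens after the operation")
    return cost, depth


def check_query(query, max_depth=6, max_cost=500):
    """Gate to run before execution: returns (allowed, reason)."""
    try:
        cost, depth = analyze(query)
    except QueryRejected as exc:
        return False, f"rejected: {exc}"
    if depth > max_depth:
        return False, f"rejected: depth {depth} exceeds {max_depth}"
    if cost > max_cost:
        return False, f"rejected: cost {cost} exceeds {max_cost}"
    return True, f"ok: depth={depth} cost={cost}"


# Constructed sample queries: deep nesting, wide lists, and a normal request.
NESTED = 'query Abuse { user(id: "42") { friends { friends { friends { friends { friends { friends { name } } } } } } } }'
WIDE = '{ search(term: "x", first: 100) { posts(first: 50) { title comments(first: 20) { body } } } }'
NORMAL = 'query Me($id: ID!) { me: user(id: $id) { name posts(first: 3) { title } } }'
```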

API Security Best Practices

For improving the overall API security the following best practices can be implemented-

  • Understand and Identify Vulnerabilities- Even while this could be a complex process, the only way one can effectively secure APIs is by understanding the risks at the API lifecycle steps. Organizations, especially fintech companies, must treat APIs as software artifacts that must also pass through the security stage during their own SDLC.
  • Access Control- Non-public REST services must perform access control at each API endpoint. Web services in monolithic applications implement this by means of user authentication, authorization logic, and session management. OAuth, the token-based framework, can be a powerful tool for controlling API access: it lets third-party services request information without exposing user credentials.
  • Encrypt Data for Database Security- Sensitive data, especially personally identifiable information or PII, all of which is managed by APIs, must be protected by encryption, taking regulations and compliance into account. Encrypting data at rest, and in transit with Transport Layer Security (TLS), helps ensure that attackers cannot compromise API servers.
  • Consider Anti-DoS Approach- With denial of service (DoS) attacks becoming a primary API security concern, it's necessary to involve different profiles within your organization to assess the actual situation and apply countermeasures accordingly. The core aim of a DoS attack is to affect the availability of instances or objects and eventually render them inaccessible. For any information system to serve its purpose, it must be available at any time, which means every computing system in the interoperability flow must function correctly.
  • Use Service Mesh- With the increase in the use of microservices, the importance of using a service mesh has increased too. Similar to the API gateways, service mesh uses different layers of control and management while routing requests. It is an ideal way for the service communication layer. In API security, service meshes can be used for automation and providing security for larger projects that require deploying multiple APIs.

Test Your API Security

It is suggested to adopt a DevSecOps approach to test web applications, with a critical focus on testing API security. With a range of API architectures, you should test your legacy or contemporary applications including REST API, GraphQL, and SOAP.

Leveraging various discovery mechanisms and tools to ensure dynamic API security, Valuebound has helped multiple fintech clients in deploying secure apps.

If you need to discuss API security with us, drop us a hello and let us wrap our head around your query to develop a feasible solution.

Top 10 Fintech API Security Risks and Challenges

Over the last 5 years, there has been a substantial increase in the digitalization of the world economy and Fintech APIs (application programming interfaces) have a major contribution to this digital upscaling. Financial services are increasingly adopting the use of APIs, which has resulted in a rapid burst of new super fintech apps, business models, and financial services. APIs in the digital payments landscape have been a driving factor for the fintech industry. 49% of respondents said that more than half of the organization's development effort is spent on APIs in 2021—compared to just over 40% in 2020, says Postman’s 2021 State of the API Report. The same report also underscores that it appears organizations will continue investing in APIs: 94% of respondents stated that investment of time and resources into APIs will increase or stay the same even in 2022.

There has also been a significant rise in the deployment of payment touchpoints driven by the implementation of PIDF. The total number of digital payments has also risen by 216% and 10% in terms of volume and value, respectively for the month of March 2022 when compared to March 2019, says Reserve Bank of India (RBI).

RBI data shows an increase of more than 500% in merchants accepting digital modes of payments during the half-year ended September 2021 as compared to the half-year ended March 2019. Looking at the UPI alone, there is an increase of more than 1200% over the same period.

But what does it mean for fintech companies? Let us first understand what fintech APIs are before diving deeper into the subject.

What are Fintech APIs?

Application programming interface or API is a set of codes and protocols which allow different systems to interact with one another. Fintech API or financial technology API is a technology that allows data access across different parties involved in a financial transaction. These parties could be banks, websites or apps, third-party providers, and consumers or end users.

Moreover, fintech API is at the core of seamless customer experience since it renders a seamless checkout experience while also displaying transaction details across the app and on the bank’s website.

There are three types of APIs:

  • Public API- Only used by an organization or internal team (58%)
  • Private API- Shared only with integration partner (27%)
  • Partner API- Openly available on the web (17%)

API Exposure, Open Banking & Digital Payments

In the wake of new regulations for electronic payment services (PSD2), European and the Asia Pacific nations have put pressing importance on the API-driven collaboration between fintech companies and conventional financial services. These regulations make it mandatory for the banks to create and expose APIs which enable third parties to use customer data with their consent.

Three parties are inherently reliant on APIs and share data among one another (Fig. 1): banks, which need to be part of an open banking system; merchants, which must let customers pay by their preferred method; and consumers, who want to be able to transfer funds and perform transactions through apps. Hence, the increasing dominance of Application Programming Interfaces or APIs in the fintech ecosystem is easy to understand.

Fig. 1: Connection between banks, customers and merchants

Despite their popularity, API security threats are a critical concern among fintech organizations. In this insight, we aim to comprehensively discuss these challenges to API security posture.

API- Most-Frequent Attack Vector

Gartner suggests that 90% of applications will have more attack surface in the form of exposed APIs than in the user interface. This has become a huge security concern for financial institutions and fintech companies, both of which must maintain competitiveness and customers’ trust to thrive.

Some of the most critical API security risks include insufficient logging and monitoring, broken object-level, user-level and function-level authorization, excessive data exposure, and security misconfiguration.

Types of Fintech API Security Incidents

  • Data Exfiltration- Vulnerable APIs can be exploited to gain access to sensitive customer account data and other PII.
  • Account Takeover (ATO)- Attackers can target authenticated APIs to take over customer accounts. ATOs can take the form of brute force attacks and credential stuffing.
  • Service Disruption- DDoS attacks on business logic tend to slow down services.

Critical Challenges of Fintech API Security

By 2025, less than 50% of APIs will be managed, since the explosive growth in APIs is surpassing the capabilities of API management tools. This increase in the number of API security threats prompted the Open Web Application Security Project (OWASP) to list the top 10 most serious API security issues, which are discussed below.

  1. Broken Object-Level Authorization- APIs can unintentionally expose endpoints that are delegated to handle object identifiers. This can create an issue of wide attack surface Level Access Control.
  2. Broken User Authentication- Incorrect implementation of authentication mechanism tens to allow authentication token compromise or exploiting implementation flaws. In such scenarios, attackers can steal others’ identities either permanently, or temporarily. API security is hence compromised when a system cannot identify a client or user due to identity theft.
  3. Excessive Data Exposure- When a generic implementation returns every property of an object without considering the sensitivity of each one, it leaves the client to filter the data before showing it to the user. Anyone who can call the API receives the unfiltered response, so the server, not the client, must decide what is returned.
  4. Lack of Resources & Rate Limiting- A client may request resources in any number or size, and many APIs restrict neither. That degrades API server performance, enables Denial of Service (DoS), and leaves authentication open to brute force because nothing throttles repeated attempts.
  5. Broken Function Level Authorization- Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, lead to authorization flaws. Attackers exploit them to reach administrative functions or other users’ resources.
  6. Mass Assignment- When client-supplied data (e.g. JSON) is bound directly to data models without filtering properties against an allow-list, attackers can modify object properties they should never control. They discover the property names by exploring other API endpoints, reading the documentation, or simply guessing them and adding extra properties to the request.
  7. Security Misconfiguration- This commonly results from ad-hoc or incomplete configurations, insecure defaults, unnecessary HTTP methods, misconfigured HTTP headers, permissive Cross-Origin Resource Sharing (CORS) policies, and verbose error messages that contain sensitive information.
  8. Injection- SQL, NoSQL, and Command Injection flaws occur when untrusted data is sent to an interpreter as part of a query or command. Crafted input can trick the interpreter into executing unintended commands or returning data the caller is not authorized to see.
  9. Improper Assets Management- APIs tend to expose more endpoints than conventional web applications, including debug endpoints and deprecated API versions that no longer receive patches. This makes an up-to-date inventory of API versions and hosts, together with current documentation, especially important.
  10. Insufficient Logging & Monitoring- Combined with missing or ineffective integration with incident response, this lets attackers persist, pivot to more systems, and tamper with, extract, or destroy data. A breach of this kind can take well over 200 days to detect.
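Items 3 and 6 above are the same mistake in opposite directions: trusting the client to decide which properties go in (mass assignment) and which come out (excessive data exposure). The following is an added example, not code from the original post, showing one profile endpoint bound both ways; the Account record, the role names and the attack payload are constructed for the demonstration.

```python
"""Added example, not code from the original post: the same profile endpoint
bound two ways. The Account record and the attack payload are constructed."""
from __future__ import annotations

from dataclasses import asdict, dataclass, fields, replace
from typing import Any


@dataclass
class Account:
    id: int
    email: str
    display_name: str
    balance: float
    is_admin: bool
    ssn: str
    password_hash: str


# Inbound allow-list: the only properties a user may change on their own account.
USER_WRITABLE = frozenset({"email", "display_name"})

# Outbound allow-list per caller role; anything not listed is never serialized.
VISIBLE_FIELDS = {
    "self": frozenset({"id", "email", "display_name", "balance"}),
    "support": frozenset({"id", "email", "display_name"}),
    "public": frozenset({"id", "display_name"}),
}


def bind_unsafe(account: Account, payload: dict[str, Any]) -> Account:
    """Mass assignment: every key that matches a model field is bound,
    so a client can set is_admin or balance just by naming them."""
    known = {f.name for f in fields(account)}
    return replace(account, **{k: v for k, v in payload.items() if k in known})


def bind_allowlisted(account: Account, payload: dict[str, Any]) -> Account:
    """Hardened: only allow-listed keys are bound. Unknown or forbidden keys are
    rejected rather than silently dropped, so probing shows up in the logs."""
    forbidden = set(payload) - USER_WRITABLE
    if forbidden:
        raise PermissionError(f"fields not writable by caller: {sorted(forbidden)}")
    return replace(account, **payload)


def serialize(account: Account, role: str) -> dict[str, Any]:
    """Excessive data exposure fix: the server filters per role, deny by default,
    instead of returning the whole object and trusting the client to hide fields."""
    allowed = VISIBLE_FIELDS.get(role, frozenset())
    return {k: v for k, v in asdict(account).items() if k in allowed}


SAMPLE = Account(  # constructed record
    id=42, email="alice@example.com", display_name="Alice", balance=100.0,
    is_admin=False, ssn="123-45-6789", password_hash="$argon2id$...",
)

if __name__ == "__main__":
    attack = {"display_name": "Alice", "is_admin": True, "balance": 1e9}
    print("unsafe bind is_admin:", bind_unsafe(SAMPLE, attack).is_admin)
    try:
        bind_allowlisted(SAMPLE, attack)
    except PermissionError as err:
        print("allow-listed bind rejected:", err)
    print("public view:", serialize(SAMPLE, "public"))
```

Rejecting unknown keys rather than ignoring them is a deliberate choice: a request that names `is_admin` is an attacker probing, and a 403 with a log line is worth more than a quietly ignored field.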
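Item 4 is usually fixed with a rate limiter that meters only request count; the page's point is that request size matters as well. Here is an added example, not from the original post, of a per-client token bucket in which a larger page costs more tokens, so one budget bounds both the rate and the size of what a client can pull. The clock is passed in explicitly so it can be run deterministically; client ids and parameters are constructed.

```python
"""Added example, not from the original post: a per-client token bucket that
meters both request rate and requested page size. The clock is passed in so the
behaviour is deterministic; client ids and parameters are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field

MAX_PAGE_SIZE = 100  # hard cap on ?limit=, whatever the client asks for


@dataclass
class TokenBucket:
    capacity: float        # burst allowance
    refill_per_sec: float  # sustained rate
    tokens: float = field(init=False, default=0.0)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = self.capacity  # start full

    def take(self, now: float, cost: float) -> bool:
        """Refill for the elapsed time (never above capacity), then try to spend."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class RateLimiter:
    def __init__(self, capacity: float = 5, refill_per_sec: float = 1.0) -> None:
        self.capacity = capacity
        self.refill = refill_per_sec
        self.buckets: dict[str, TokenBucket] = {}

    def check(self, client_id: str, now: float, requested_limit: int) -> tuple[int, int]:
        """Return (http_status, effective_page_size).

        400 for a nonsensical page size, 429 when the client's bucket is empty,
        otherwise 200 with the page size clamped to MAX_PAGE_SIZE. Bigger pages
        cost more tokens, so size and rate are limited by the same budget.
        """
        if requested_limit <= 0:
            return 400, 0
        limit = min(requested_limit, MAX_PAGE_SIZE)
        cost = 1.0 + limit / MAX_PAGE_SIZE  # one row costs ~1 token, a full page costs 2
        bucket = self.buckets.setdefault(client_id, TokenBucket(self.capacity, self.refill))
        if not bucket.take(now, cost):
            return 429, 0
        return 200, limit


if __name__ == "__main__":
    rl = RateLimiter(capacity=5, refill_per_sec=1.0)
    for t in (0.0, 0.0, 0.0, 1.0):
        print(t, rl.check("client-a", t, 100))
    print("oversize page clamped:", rl.check("client-b", 0.0, 5000))
```

In production the bucket state lives in a shared store such as Redis rather than process memory, and the client key should be the authenticated principal, not only the source IP.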
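For item 8, the difference between a vulnerable and a safe query is easiest to see with both versions run against the same data. This added example (not from the original post) uses an in-memory SQLite database with constructed rows; it also covers the case parameter binding cannot solve, a client-chosen sort column, which has to be validated against an allow-list instead.

```python
"""Added example, not from the original post: the same account lookup written
with string concatenation and with bound parameters, run against an in-memory
SQLite database. Table contents and the attack strings are constructed."""
import sqlite3

ROWS = [  # constructed
    (1, "alice", "DE89370400440532013000"),
    (2, "bob", "GB29NWBK60161331926819"),
    (3, "carol", "FR1420041010050500013M02606"),
]
SORTABLE = {"id", "owner"}  # allow-list for identifiers, which cannot be bound as parameters


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, iban TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, owner: str) -> list:
    """Vulnerable: attacker-controlled text becomes part of the SQL grammar."""
    sql = f"SELECT id, iban FROM accounts WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Hardened: the value is bound by the driver and never parsed as SQL."""
    return conn.execute("SELECT id, iban FROM accounts WHERE owner = ?", (owner,)).fetchall()


def list_sorted(conn: sqlite3.Connection, column: str) -> list:
    """Column names are not bindable, so validate them against an allow-list
    instead of interpolating whatever ?sort= says."""
    if column not in SORTABLE:
        raise ValueError(f"unsupported sort column: {column!r}")
    return conn.execute(f"SELECT id, owner FROM accounts ORDER BY {column}").fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "nobody' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, payload))   # every IBAN in the table
    print("safe:  ", lookup_safe(db, payload))     # no such owner: []
```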

API Security Attacks can be Ruthless and Relentless

Increasing API usage and traffic has brought more attacks, leaving fintech companies exposed. According to Salt Security (an API security vendor), 34% of its customer accounts experienced over 100 attacks per month in July 2022, and another 15% saw 500 or more attempted attacks per month, up from 11% a year earlier.

Nearly half (47%) of the respondents report having found vulnerabilities in production APIs, 38% have experienced authentication problems, and 31% have seen sensitive data exposure and privacy incidents.

These numbers call for urgent mitigation of the API security risks listed above. In the following sections we suggest a technology roadmap for a secure fintech API platform.

If you need to discuss API security with us, drop us a hello and let us wrap our head around your query to develop a feasible solution.
 

How to Prevent Cloud Misconfiguration Caused Security Breach

990 million compromised and exposed data records in one year worldwide sounds alarming, doesn’t it? That is the figure IBM X-Force reports from its analysis of security breaches, which found misconfigured cloud workloads to be the primary cause. Publicly disclosed incidents attributed to cloud misconfiguration also rose 20% year over year. This blog aims to help Chief Information Security Officers (CISOs) and Chief Technology Officers (CTOs) of fintech companies solve the critical challenge of such misconfigurations and protect their infrastructure. We also discuss how fintech companies like CRED solved the challenge of cloud misconfiguration.

What is Cloud Misconfiguration?

Cloud misconfiguration is a major compliance risk: it can expose a company’s unencrypted data to the public with no authentication in front of it. When a company configures a cloud platform or service incorrectly and leaves the door open to attackers, that is cloud misconfiguration. It takes many forms, such as-

  • Improperly configured networking (overly permissive security groups and firewall rules)
  • Storing encryption keys and passwords in open repositories
  • Making storage buckets publicly accessible
  • Leaving data stored in the cloud reachable without access restrictions

Examples of data and security breaches are countless, but one worth noting is the FedEx breach of 2018. The company unknowingly exposed thousands of scanned documents, including drivers’ licenses, passports, and delivery mail forms, through a publicly accessible Amazon S3 storage bucket it had failed to secure.

Cloud Misconfiguration: A Critical Security Threat for FinTech

Cloud-native platforms have become the natural choice for fintech companies building resilient and agile application architectures, but compromised cloud security remains the biggest obstacle to established financial institutions and fintech companies using cloud capabilities to their full potential. 62% of the IT and cybersecurity professionals surveyed by Crowd Research Partners identified cloud misconfiguration as the most critical threat to data security.

Classic cloud misconfigurations include-

  • Unrestricted Outbound Access
  • Unrestricted Access To Non-HTTP/HTTPS Ports
  • Unrestricted Inbound Access On Uncommon Ports
  • Unrestricted ICMP (Internet Control Message Protocol) Access

While cloud assets multiply, attackers increasingly use cloud-based messaging and storage services to blend into legitimate traffic, and some groups experiment with new encryption and code obfuscation techniques to go unnoticed. The longer attackers stay inside a compromised environment, the higher the cost of a breach; the industry research cited here puts the cumulative cost at $5 trillion, and a large share of these breaches stem from cloud misconfiguration. Longer undetected dwell time also gives attackers access to more accounts, devices, and data.

This has raised alarms across fintech information security teams and poses serious questions: how effectively are they protecting customer data and securing their own digital assets, and what are they doing about it? One of the critical questions is the Mean Time to Detect (MTTD) for such attacks.

How to Eliminate the Cloud Misconfiguration Challenge?

When it comes to protecting digital identities and securing valuable data, some steps help businesses avoid data breaches. Valuebound suggests the following methods for eliminating cloud misconfiguration challenges (Fig. 1).

How FinTech companies can eliminate cloud misconfiguration challenges

Adopt Cloud Security Posture Assurance Software

Cloud platforms standardize and automate infrastructure, so conventional security assessments built on manual auditing can be replaced. Cloud security posture assurance software (commonly called cloud security posture management, CSPM) calls the cloud platform’s APIs to retrieve the real, current configuration of every consumed resource, compares it with a defined baseline, and surfaces deviations through reports and dashboards. Such products typically also provide compliance reporting against regulations and frameworks including PCI DSS, HIPAA, the CIS Benchmarks, and NIST.

Adopt DevSecOps Operating Model

Many fintech executives already recognize the shift toward a DevSecOps operating model. Adopting security assessment methods is not enough on its own; security has to be integrated into continuous governance. The focal point of DevSecOps is a security baseline that serves as the yardstick against which actual status is monitored and issues are tracked through to resolution. DevSecOps also implements continuous compliance assurance to check risk exposure and the actual state of compliance.

Adopt Minimalist Authority Principle

Apply the principle of least privilege (the “minimalist authority” principle of this heading) to outbound traffic to counter unrestricted outbound access. A common practice among AWS users is to configure inbound rules in security groups while leaving the default allow-all outbound rule in place. Restricting outbound traffic to only the servers and applications that need to communicate reduces the risk of data exfiltration, internal network scans, and lateral movement. Servers may still need SSH (Secure Shell) or RDP (Remote Desktop Protocol) inbound for management; restrict those to bastion or VPN address ranges rather than the whole internet.

Restrict High-Level Ports to Necessary Systems Only

Running services on non-standard TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) ports to obscure what is running in a cloud environment is not enough; it will not protect your organization from random internet scans or a capable attacker. Some services open uncommon ports that go unnoticed. Ask whether your web server exposes a statistics page or phpMyAdmin on port 8443, or whether Apache Tomcat is reachable on port 8080. High-numbered and uncommon ports should be reachable only from the systems that need them.

Block ICMP

ICMP (Internet Control Message Protocol) is one of the most important network protocols, and leaving it unrestricted on the internet exposes your fintech company to reconnaissance. Its most common use is ICMP Echo (ping) to verify that servers are online and responsive, which makes it an excellent diagnostic tool for security professionals. The catch is that it is an equally good tool for attackers, who use Nmap or fping to confirm that a server is live before probing it further. The safe default is to block ICMP Echo from the internet. Do not drop ICMP wholesale, though: Destination Unreachable messages (type 3, in particular “fragmentation needed”) are required for path MTU discovery, and blocking them makes connections that carry large packets hang.
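The posture assurance software described earlier and the four hardening steps above are two halves of the same thing: a baseline, and a check that compares real configuration against it. The following is an added example, not the page’s or any vendor’s product code, of such a check over a constructed inventory. The inventory shape is an assumed simplification of what the AWS describe-security-groups and S3 bucket APIs return (a real tool would fetch it through those APIs); the rules encode unrestricted outbound, admin and uncommon ports open to the internet, ICMP echo, and public or unencrypted buckets.

```python
"""Added example, not the page's or any vendor's product code: a small posture
check that walks a constructed inventory of security groups and storage
buckets and reports deviations from a baseline. The inventory shape is an
assumed simplification of what the AWS describe-security-groups and S3
bucket APIs return; the rules implement the hardening steps above."""
from __future__ import annotations

from dataclasses import dataclass

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
WEB_PORTS = {80, 443}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
MAX_RANGE = 64  # a wider public port range is reported once rather than per port


@dataclass(frozen=True)
class Finding:
    resource: str
    severity: str
    message: str


def _from_anywhere(rule: dict) -> bool:
    return ANY_V4 in rule.get("cidrs", ()) or ANY_V6 in rule.get("cidrs", ())


def check_security_group(sg: dict) -> list[Finding]:
    out: list[Finding] = []
    name = sg["id"]
    for rule in sg.get("egress", []):
        # Default allow-all outbound rule left in place: exfiltration and lateral movement path.
        if _from_anywhere(rule) and rule.get("protocol") == "-1":
            out.append(Finding(name, "medium", "unrestricted outbound access (all traffic to 0.0.0.0/0)"))
    for rule in sg.get("ingress", []):
        if not _from_anywhere(rule):
            continue
        proto, lo, hi = rule.get("protocol"), rule.get("from_port", -1), rule.get("to_port", -1)
        if proto == "icmp":
            # For ICMP rules AWS stores the ICMP type in from_port; -1 means every type.
            if lo in (-1, 8):
                out.append(Finding(name, "low",
                    "ICMP echo answerable from the internet; block echo but keep type 3 "
                    "(destination unreachable) so path MTU discovery still works"))
            continue
        if proto == "-1" or lo == -1:
            out.append(Finding(name, "high", "every port open to the internet"))
            continue
        if hi - lo > MAX_RANGE:
            out.append(Finding(name, "high", f"port range {lo}-{hi} open to the internet"))
            continue
        for port in range(lo, hi + 1):
            if port in ADMIN_PORTS:
                out.append(Finding(name, "high",
                    f"{ADMIN_PORTS[port]} ({port}) open to the internet; restrict to bastion/VPN ranges"))
            elif port not in WEB_PORTS:
                out.append(Finding(name, "medium", f"non-HTTP(S) port {port} open to the internet"))
    return out


def check_bucket(bucket: dict) -> list[Finding]:
    out: list[Finding] = []
    if bucket.get("public_acl") or bucket.get("public_policy"):
        out.append(Finding(bucket["name"], "critical", "bucket readable by anyone; enable Block Public Access"))
    if not bucket.get("default_encryption"):
        out.append(Finding(bucket["name"], "medium", "no default encryption configured"))
    return out


def assess(inventory: dict) -> list[Finding]:
    """Compare the retrieved configuration with the baseline and return all deviations."""
    findings: list[Finding] = []
    for sg in inventory.get("security_groups", []):
        findings.extend(check_security_group(sg))
    for bucket in inventory.get("buckets", []):
        findings.extend(check_bucket(bucket))
    return findings


INVENTORY = {  # constructed sample: one clean group, one legacy group, two buckets
    "security_groups": [
        {"id": "sg-web",
         "ingress": [{"protocol": "tcp", "from_port": 443, "to_port": 443, "cidrs": [ANY_V4]}],
         "egress": [{"protocol": "tcp", "from_port": 443, "to_port": 443, "cidrs": ["10.0.0.0/8"]}]},
        {"id": "sg-legacy",
         "ingress": [{"protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": [ANY_V4]},
                     {"protocol": "tcp", "from_port": 8080, "to_port": 8080, "cidrs": [ANY_V4]},
                     {"protocol": "icmp", "from_port": -1, "to_port": -1, "cidrs": [ANY_V4]}],
         "egress": [{"protocol": "-1", "from_port": -1, "to_port": -1, "cidrs": [ANY_V4]}]},
    ],
    "buckets": [
        {"name": "kyc-documents", "public_acl": True, "default_encryption": False},
        {"name": "access-logs", "public_acl": False, "default_encryption": True},
    ],
}

if __name__ == "__main__":
    for f in assess(INVENTORY):
        print(f"[{f.severity:8}] {f.resource}: {f.message}")
```

Run as a scheduled job this is a scan; run against a configuration pulled on every change event it becomes continuous compliance assurance as described under DevSecOps. Either way the findings feed the same dashboard and ticket queue.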

Setup Robust Network Detection And Response (NDR) Mechanism

Until recently it was hard to capture and parse network traffic in the cloud, one of the main reasons cloud security lagged behind conventional network security. Network detection and response (NDR) makes real-time monitoring of network communication possible and is seen as the quickest way to stay ahead of attackers in a dynamic and complex environment. NDR brings rapid threat detection and deep visibility, on-premises and in the cloud, and the gap is closing further with the traffic mirroring offerings from AWS (VPC Traffic Mirroring) and Azure.

How Do Fintech Firms Solve the Cloud Misconfiguration Challenge?

“One of the crucial Key Performance Questions (KPQ) for any incident response process is to continuously improve and reduce Mean Time to Detect (MTTD) from days to seconds,” says CRED. To solve the critical challenge of cloud misconfiguration, CRED uses the tool DIAL (Did I Alert a Lambda?).
DIAL is an automated tool that monitors, detects, and alerts on cloud misconfigurations across all of CRED’s AWS accounts. The DIAL overview (Fig. 2) shows how its built-in detection mechanism works to catch common misconfiguration mistakes that can jeopardize AWS infrastructure.

DIAL Overview

Built from AWS services such as EventBridge, API Gateway, and Lambda, DIAL is deployed in a master-worker architecture and is designed for use across an AWS Organization. With DIAL deployed, CRED’s MTTD is between 4 and 10 seconds. That is how CRED uses DIAL to cut average detection time while scaling across accounts.
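What gets MTTD from days to seconds is the event-driven shape: the cloud platform emits an audit event for every API call, a rule forwards the interesting ones to a function, and the function decides within its invocation whether to alert. The following is an added example of that pattern and is not DIAL’s code (DIAL is CRED’s own project). The EventBridge pattern, the handler name and the sample event are constructed; the field names follow the CloudTrail record layout for AuthorizeSecurityGroupIngress but are this example’s assumption, not copied from any deployment.

```python
"""Added example, not DIAL's code (DIAL is CRED's own project): a Lambda-style
handler showing the event-driven pattern, where EventBridge forwards a
CloudTrail record to a function that evaluates it within seconds of the API
call. The event pattern and the sample event below are constructed; the field
names follow the CloudTrail record format for AuthorizeSecurityGroupIngress
but are an assumption of this example, not copied from any deployment."""
from __future__ import annotations

import json
from typing import Optional

WATCHED = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress"}

# Assumed EventBridge rule pattern that routes only these CloudTrail events to the function.
EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventName": sorted(WATCHED)},
}


def world_open_rules(detail: dict) -> list[tuple]:
    """Return (protocol, from_port, to_port) for every permission targeting 0.0.0.0/0 or ::/0."""
    perms = detail.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    hits = []
    for perm in perms:
        v4 = {r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])}
        v6 = {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])}
        if "0.0.0.0/0" in v4 or "::/0" in v6:
            hits.append((perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")))
    return hits


def evaluate(event: dict) -> Optional[dict]:
    """Alert dict for a security group opened to the internet, else None."""
    detail = event.get("detail", {})
    if detail.get("eventName") not in WATCHED:
        return None
    hits = world_open_rules(detail)
    if not hits:
        return None
    return {
        "severity": "high",
        "account": event.get("account"),
        "region": detail.get("awsRegion"),
        "actor": detail.get("userIdentity", {}).get("arn"),
        "group": detail.get("requestParameters", {}).get("groupId"),
        "rules": hits,
        "event_time": detail.get("eventTime"),
    }


def handler(event: dict, context=None) -> Optional[dict]:
    """Lambda entry point (name assumed). Replace print with SNS/Slack/ticketing in practice."""
    alert = evaluate(event)
    if alert:
        print(json.dumps(alert))
    return alert


SAMPLE_EVENT = {  # constructed
    "account": "123456789012",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.ec2",
    "detail": {
        "eventName": "AuthorizeSecurityGroupIngress",
        "eventTime": "2022-09-01T10:15:04Z",
        "awsRegion": "ap-south-1",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
        "requestParameters": {
            "groupId": "sg-0a1b2c3d",
            "ipPermissions": {"items": [{
                "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
                "ipv6Ranges": {"items": []},
            }]},
        },
    },
}

if __name__ == "__main__":
    handler(SAMPLE_EVENT)
```

The alert carries the actor ARN and the exact rule, so the responder can revoke the rule and talk to the right person without a separate lookup; that is what keeps the detect-to-respond loop short.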

Select a vendor with proven product capabilities

Bringing managers from infrastructure management, security operations centers, information security, and DevOps to a common understanding of cloud misconfiguration helps an organization implement cloud security best practices.

A vendor with proven product capabilities and experience implementing such cloud security assurance processes, along with an eye for new opportunities, can turn your product into an integrated digital asset with a strong security posture. If you are looking to partner with one such vendor, drop us a hello and we would be happy to engineer solutions for your challenges.
 

Cybersecurity in FinTech: Roadmap to Build a Secure Platform

Between 2019 and 2020, reported phishing and Distributed Denial of Service (DDoS) incidents grew by 40%, while identity theft, merchant fraud, malware, and cyber espionage grew by 20%, according to a CERT-In study. With such trends, cybersecurity has become one of the most critical pain points of the fintech industry, especially in a growing economy like India that is on the cusp of digitalization. As more financial services move onto technology platforms and more customers choose digital payments, the risks of online fraud, information theft, malware, and identity cloning will only increase.

The attackers’ playbook targets applications and web portals with weak security, and attacks take the form of Distributed Denial of Service (DDoS), ransomware, application vulnerability exploits, merchant fraud, spam, and reconnaissance. Other examples of cybersecurity threats include software supply chain attacks and account takeovers (Fig. 1).

Examples of cybersecurity threats

Such attacks cause serious financial loss, damage brand value, and can paralyze infrastructure and critical customer-facing services. Alongside a rich digital experience there is therefore a critical need to protect the business and its customers from damaging, costly, and frequent security incidents. Software Supply Chain Security (SSCS), or third-party security risk management, is now at the core of every fintech’s agenda, and cybersecurity has high priority at the product design and decision-making level for both information security professionals and fintech leadership teams. But what security challenges do fintech companies face?

Some of the current fintech risks and challenges concerning cybersecurity

  • Identity Management- When a user registers for an app, the fintech company gathers data, which raises digital identity management and data ownership concerns. What happens to a customer’s data after they cancel a subscription? Data deletion mechanisms need to be in place; without them, retained data creates compliance problems and a target for attackers. This leads to the next pain point, data security.
  • Data Security- Approximately $18.5 million a year is what capital market firms and banks spend on combating cybercrime, according to an Accenture study. Attackers target system weaknesses to get at financial data, contact details, and other personally identifiable information, and 64% of fintech companies learn of such breaches only when it is too late.
  • Regional Security Requirements- Fintech companies must follow regional data protection regulations and KYC (Know Your Customer) practices. Regional privacy legislation limits what data fintech software can collect and process, and the same legislative concepts may be interpreted differently from country to country. Fintech apps must therefore be built with practical tools and an understanding of local regulations; otherwise a company may lock itself out of certain markets.

Apart from the challenges above, Deloitte lists the following challenges in managing cybersecurity as well (Fig. 2).

Challenges in managing cybersecurity

But what underlying factors cause such threats to cybersecurity and data protection?

Factors attributing to cybersecurity threats

Many of the attacks mentioned above are enabled by factors like:

  • Inadequate security on devices of end-users
  • Unpatched and vulnerable operating systems
  • Installing cracked applications on devices
  • Inadequate design of security controls in digital payment products
  • APIs exposed to untrusted and untested interfaces because a product has many data interfaces

All of the challenges above can be tackled with a software development vendor and engineering partner who understands these concerns inside out. Valuebound has helped fintech companies worldwide build secure products using careful methodologies and frameworks. We suggest the following fintech cybersecurity solutions to make your platform safer and more secure.

Cybersecurity Solutions for FinTech Companies

Companies that value financial well-being and brand reputation must also apply current data security techniques and methodologies. What can a fintech company do for data protection and cybersecurity?

Let’s consider some of the industry best practices for building FinTech products with robust security.

Data Encryption

Encryption transforms readable information into ciphertext that can only be turned back into readable form with the right key. Fintech companies secure data with well-studied algorithms such as RSA (an asymmetric algorithm with a public encryption key and a private decryption key, used for key exchange and signatures rather than for bulk data), Twofish (a royalty-free symmetric block cipher with 128-bit blocks), and 3DES (historically the standard for encrypting card PIN blocks, now deprecated by NIST in favour of AES). P2PE (point-to-point encryption) and EMV are not algorithms but payment-industry standards that specify how and where such encryption is applied.

“Technologies that devalue data such as– Tokenization, P2PE, EMV & 3DS can play a critical role in helping prevent theft incidents from becoming breaches,” says Nitin Bhatnagar, Associate Director, India, PCI SSC. The goal of these technologies is to remove the persistent value of the data used to perform a transaction, so that if an attacker steals it, the merchant, consumer, and system remain secure.

Tokenization

Tokenization replaces sensitive information, such as a card number, with a generated surrogate value or token. A token vault, a separate database holding the mapping, is the only place where a token can be turned back into the original data (detokenization). To make a fintech app even more secure, companies should also encrypt the token vault and tightly restrict which systems may call it.

Today, tokenization has emerged as a real game changer, especially in the payments ecosystem. It should be adopted to improve payment data security and to address consumer privacy concerns, because systems that handle only tokens never hold the underlying card data.
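To make the “devaluing data” idea from the encryption section and the vault mechanics above concrete, here is an added example, not from the page, of a toy token vault in the standard library. A card number (PAN) is swapped for a random token that keeps only the last four digits, the vault alone can map a token back, and only a caller in the settlement role may ask it to. The PAN below is the Visa test number 4111 1111 1111 1111, used as constructed input; the role name and the HMAC index key are assumptions of this example. The vault’s own storage would be encrypted with an HSM-held key in production, which this example does not implement.

```python
"""Added example, not from the page: a toy token vault that shows what
'devaluing' data means in practice. A card number (PAN) is swapped for a random
token that keeps only the last four digits; only the vault can map a token back,
and only a caller in the settlement role may ask it to. Standard library only;
the PAN used below is the Visa test number 4111 1111 1111 1111 (constructed
input). In production the vault's storage would itself be encrypted with a key
held in an HSM, which this example does not implement."""
from __future__ import annotations

import hashlib
import hmac
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation, so junk never enters the vault."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key                 # keyed hash: the index reveals nothing about PANs
        self._pan_by_token: dict[str, str] = {}     # token -> PAN (encrypted at rest in production)
        self._token_by_fp: dict[str, str] = {}      # HMAC(PAN) -> token, so re-tokenizing is idempotent

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fp:
            return self._token_by_fp[fp]
        while True:
            # Random digits plus the real last four: receipts and UI still work, but the
            # token is unrelated to the PAN. Rejecting Luhn-valid candidates guarantees a
            # leaked token can never be mistaken for, or used as, a real card number.
            token = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4)) + pan[-4:]
            if token not in self._pan_by_token and not luhn_ok(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_fp[fp] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the settlement path may recover a PAN; merchants, support and analytics cannot."""
        if caller_role != "settlement":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    tok = vault.tokenize("4111111111111111")
    print("token:", tok, "| same PAN again:", vault.tokenize("4111111111111111") == tok)
    print("settlement sees:", vault.detokenize(tok, "settlement"))
```

Two details carry the security argument: the token is random rather than derived from the PAN, so there is no key whose compromise reverses it, and the fingerprint index uses a keyed HMAC, so the lookup table cannot be used as a dictionary of card numbers if it leaks.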

Role-Based Access Control

A fintech app typically includes roles such as IT specialist, admin, manager, support staff, and customer. Role-based access control (RBAC) restricts what each user can reach according to their role in, or relationship to, the fintech company, so regular employees and end users get only the access their role needs and cannot reach corporate information beyond it. This reduces both internal and external threats. RBAC-enabled product development requires solid engineering capabilities and technical expertise.
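The following is an added example, not from the page, of RBAC for the roles just listed, with three properties a reviewer should look for: deny by default (an unknown role grants nothing), explicit inheritance (a manager can do what support can), and an ownership check so that a customer’s permission to view an account applies only to their own. The permission names and sample users are constructed.

```python
"""Added example, not from the page: role-based access control for the roles
the paragraph lists, with deny-by-default, role inheritance, and an ownership
check for customer data. Permission names and the sample users are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum, auto


class Perm(Enum):
    VIEW_OWN_ACCOUNT = auto()
    VIEW_ANY_ACCOUNT = auto()
    INITIATE_PAYMENT = auto()
    RESET_CUSTOMER_PASSWORD = auto()
    APPROVE_REFUND = auto()
    MANAGE_USERS = auto()
    MANAGE_INFRASTRUCTURE = auto()


# Each role lists only what it needs; nothing is granted implicitly.
ROLE_PERMS: dict[str, set[Perm]] = {
    "customer": {Perm.VIEW_OWN_ACCOUNT, Perm.INITIATE_PAYMENT},
    "support": {Perm.VIEW_ANY_ACCOUNT, Perm.RESET_CUSTOMER_PASSWORD},
    "manager": {Perm.APPROVE_REFUND},
    "admin": {Perm.MANAGE_USERS},
    "it_specialist": {Perm.MANAGE_INFRASTRUCTURE},
}
# A manager can do everything support can; admin deliberately does NOT inherit
# customer-data permissions, so user administration and data access stay separate.
ROLE_INHERITS: dict[str, set[str]] = {"manager": {"support"}}


@dataclass
class User:
    id: str
    roles: set[str] = field(default_factory=set)


def effective_permissions(roles: set[str]) -> set[Perm]:
    perms: set[Perm] = set()
    pending, seen = list(roles), set()
    while pending:
        role = pending.pop()
        if role in seen:
            continue
        seen.add(role)
        perms |= ROLE_PERMS.get(role, set())       # unknown role grants nothing
        pending.extend(ROLE_INHERITS.get(role, ()))
    return perms


def authorize(user: User, perm: Perm) -> bool:
    return perm in effective_permissions(user.roles)


def can_view_account(user: User, owner_id: str) -> bool:
    """Ownership-scoped: a customer sees only their own account; support/manager see any."""
    perms = effective_permissions(user.roles)
    if Perm.VIEW_ANY_ACCOUNT in perms:
        return True
    return Perm.VIEW_OWN_ACCOUNT in perms and owner_id == user.id


def require(user: User, perm: Perm) -> None:
    """Call at the top of a handler; raising keeps the deny path impossible to forget."""
    if not authorize(user, perm):
        raise PermissionError(f"{user.id} lacks {perm.name}")


if __name__ == "__main__":
    alice = User("cust-1", {"customer"})
    maya = User("emp-7", {"manager"})
    print(can_view_account(alice, "cust-1"), can_view_account(alice, "cust-2"))  # True False
    print(authorize(maya, Perm.RESET_CUSTOMER_PASSWORD), authorize(maya, Perm.MANAGE_USERS))  # True False
```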

Implementing Authentication Technologies

One-Time Passwords (OTPs), mandatory password changes, monitoring of suspicious activity such as failed logins, short login sessions, and multi-factor authentication are authentication measures that secure data partly by analyzing user behavior. Such dynamic extra layers of protection help users complete their transactions safely and securely.
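An OTP is only as good as the checks around it. Here is an added example, not from the page, of RFC 4226/6238 one-time passwords in the Python standard library together with the server-side controls the paragraph mentions: a small acceptance window for clock drift, rejection of a code that has already been used, and lockout after repeated failures. The secret is the RFC 6238 test key, used as constructed input, and time is passed in explicitly so the run is deterministic.

```python
"""Added example, not from the page: RFC 4226/6238 one-time passwords in the
standard library, plus the server-side checks the paragraph mentions: a small
acceptance window, replay rejection of an already-used code, and lockout after
repeated failures. The secret is the RFC 6238 test key, used here as constructed
input; time is passed in explicitly so the demo is deterministic."""
from __future__ import annotations

import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Stateful verifier: replay protection and lockout are tracked per user."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1,
                 max_failures: int = 5, lockout_seconds: int = 900) -> None:
        self.step, self.digits, self.window = step, digits, window
        self.max_failures, self.lockout_seconds = max_failures, lockout_seconds
        self.last_counter: dict[str, int] = {}   # highest counter accepted per user
        self.failures: dict[str, int] = {}
        self.locked_until: dict[str, int] = {}

    def verify(self, user: str, secret: bytes, code: str, now: int) -> bool:
        if self.locked_until.get(user, 0) > now:
            return False                          # still locked: do not even evaluate the code
        current = now // self.step
        for c in range(current - self.window, current + self.window + 1):
            if c < 0 or c <= self.last_counter.get(user, -1):
                continue                          # replay: this time step was already used
            if hmac.compare_digest(hotp(secret, c, self.digits), code):
                self.last_counter[user] = c
                self.failures[user] = 0
                return True
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"             # RFC 6238 test key (SHA-1 variant)
    print(totp(secret, 59))                      # 287082 per the RFC test vector
    v = TotpVerifier()
    print(v.verify("alice", secret, totp(secret, 59), 59),
          v.verify("alice", secret, totp(secret, 59), 59))  # True False (second is a replay)
```

Note that `compare_digest` is used even for a six-digit string: it is cheap, and it removes the timing side channel from the one comparison an attacker can drive remotely. With a 6-digit code, a 3-step window and no lockout, an attacker gets roughly 3 in 10^6 odds per guess, which is why the failure counter is not optional.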

DevSecOps

DevOps is common practice among software development companies, and with cybersecurity now at the core of the Software Development Life Cycle (SDLC), DevSecOps has become the norm. What is the difference? DevSecOps applies the same DevOps principles, i.e., CI/CD (Continuous Integration/Continuous Delivery), collaboration, automation, and communication, with the explicit goal of a secure codebase, and shifts the focus to embedding security in the early stages of the SDLC. It puts security at the center of the production pipeline alongside architecture design, coding, and testing.

Building secure FinTech products and solutions

The average cost of a data breach in 2021 was $4.24 million, a 10% rise over 2020, according to the IBM and Ponemon Institute report, and the most common initial attack vector was compromised credentials. This says a lot about what fintech companies need to get right when developing a secure solution. So how do you build a secure app with limited resources? Valuebound’s product engineering team builds secure platforms and high-grade products with all regulations and security concerns taken into account.

Our team sprints with clients to create a validated hypothesis with a security roadmap, analysis and risk log, cloud assessment, AWS Security Maturity document, and budget. If you wish to develop a secure fintech solution or have a compliance concern, speak to us to learn more about our software development and product engineering services for fintech cybersecurity.
