The rise of fintech was more like an explosion: thousands of new apps suddenly sprang onto the market and fundamentally changed how we interact with our finances and the financial institutions we put in charge of them. There has never been any question that fintech requires first-rate security, but scale has made it a focus for fintech startups and innovators now more than ever. As fintech increases its footprint in the financial ecosystem, it requires responsible innovation to protect consumers and financial institutions as they engage with new applications and platforms.
Innovators today are under tremendous pressure to perform. Investment money, whether self-funded, crowd-sourced or raised through venture capital, must be used wisely and focus first and foremost on getting the product or service to market. This can inadvertently limit innovators' ability to engage security experts until well after the code has been developed and the platform deployed. At that point it is often difficult to add security controls and, when it is possible, retrofitted controls tend to be less effective and more expensive than controls designed in from the start.
As stewards of personal financial data, fintech companies have a duty to do everything in their power to secure their platforms. This requires taking a "security by design" approach and building security directly into their platforms from day one, not on top of them. Security by design ensures that consumer protection and experience are addressed early, in the requirements and coding phases, that regulatory and compliance obligations are fully met and that these controls can operate at scale.
Security by design also fits perfectly with innovation, especially in today's financial services landscape. Traditionally, consumers' financial data was stored in stationary vaults, just like their money. Now, financial data, data with very real security and privacy implications, is portable, shared and processed by multiple third parties. The fortress has been opened by its own citizens, and the protections need to follow the data: who has access to it, where it comes from, where it goes and where any potential vulnerabilities lie.
The best way to build security by design is to map the data flows from day one, when defining the requirements for the application or service. In practice this is threat modeling: developers take a holistic view, looking at the entire chain to inventory the data elements involved, the system assets that store or process them, the trust boundaries the data crosses and the actors who participate in delivering the service. This insight allows for a thorough understanding of the inherent risks and threats, the applicable regulations and standards and the necessary security controls.
Inherent risks are not just technical vulnerabilities in the code or platform that attackers can exploit. The customer experience must also be considered, including customers' devices (e.g., mobile phones, browsers and tablets), their level of security awareness and their ability to detect, prevent and respond to threats. Third-party involvement also comes into play, especially for systems integrated into the experience, such as authentication providers, performance monitors and social-media connectors, each of which receives some of the data and becomes part of the attack surface.
Finally, it is critical to understand how security controls will affect the experience for users. For example, when using a mobile finance app to decide on an impulse buy, will consumers see multi-factor authentication as a helpful feature or as a hindrance? The answer often depends on design: a second factor demanded for every action reads as friction, while one that is applied only to higher-risk actions, such as a new payee or a large transfer, reads as protection.
Balance between function and security is key. Beyond an idea, a value proposition and a platform, fintech innovators need a 360-degree security approach and visibility into the data flows, the risks, the threats and the regulatory requirements. Security by design helps find the right balance because all of these considerations are identified, discussed, vetted and addressed during the ideation and development stages. There is very little opportunity to layer on security once these critical stages are complete.
With breach after breach hitting the news daily, it is clear that the "let's build it, then build a fortress around it" security strategy will not suffice for fintech. By prioritizing security alongside features and functionality when evaluating threats and business requirements, fintech startups can reduce the likelihood of security issues before their features reach production. Most importantly, they can build fintech applications and services that not only transform the way we manage our finances but also keep our most sensitive personal information private.
In today's connected world, security by design is not only increasingly important for fintech but also applies broadly to developers across industries. Whether building tomorrow's fintech applications or the next big thing in health tech, social media or IoT, the need for security by design extends across the board. With a holistic, integrated approach, fintech and other innovators can truly understand the necessary controls, stitch them together and ultimately ensure end-to-end protection for consumers.