Digital banking security is a competitive space – especially since the rise of challenger banks. But how can exciting and innovative services be built and deployed without running the risk of data breaches and other security compromises?
Challenger banks are driving service innovation
Challenger banks like Monzo, Revolut, and Starling emerged partly in response to a new banking license application process that the Prudential Regulation Authority (PRA) launched in 2014 to encourage more competition in the UK banking sector.
Cloud-based infrastructure like AWS (Amazon Web Services) has helped these challenger banks to rapidly scale their capabilities and enjoy an iterative development process – giving them a competitive advantage over traditional banks.
But which technologies and precautions do banks and other data-sensitive organizations need to consider?
Banks have to balance conflicting commercial interests
Banks and companies in other high-stakes industries like pharmaceuticals have a complex range of commercial interests to balance, across every level of their business – especially software development and testing.
Balancing digital banking security and innovation is tough
Banks and financial institutions hold data for millions of consumers, companies, and government agencies, and that data carries obvious and immense value.
However, they also have to deploy exciting new features that help their customers to manage their finances more easily, in order to win and retain loyalty within an increasingly competitive landscape.
Banks have a tricky balancing act:
- Data security and compliance with industry regulation.
- Creating innovative and competitive services for their customers.
Banks and financial services can’t afford to cut any corners when it comes to security and risk management. Aside from avoiding data breaches, a raft of rules and regulations also apply to the data they hold.
Key regulations and directives include:
- GDPR (EU General Data Protection Regulation)
- FSMA (Financial Services and Markets Act 2000)
- PSD2 (Second Payment Services Directive)
- PCI DSS (Payment Card Industry Data Security Standard)
Balancing security and innovation affects every stage of the development and testing process.
Waterfall development poses security challenges
In a waterfall development model, developers often work in silos and are separate from the rest of the business. Compliance and security are checked by a dedicated team at the end of the process – so they aren’t always top priorities for developers.
A waterfall model can cause problems for security-conscious organizations:
- Architectural-level problems are expensive and time-consuming to revisit and fix if they’re discovered at the end of a development process.
- Checking security with a separate team, prior to shipping, simply isn’t a scalable business model.
But the battle to protect data and comply with industry regulations continues after deployment.
Banking apps and services have to be regularly updated
Compliance and security are ongoing processes: the app receives new features, and the regulatory environment, external risks, and operating environments evolve.
PSD2 – or, the ‘open banking’ regulation – is an exciting new directive that allows customers to manage their bank accounts in third-party apps, using an open API.
Sharing data is – by nature – difficult to do without compromising security, or integrity. So how can banks develop exciting and innovative services for their customers, without compromising their core responsibility to safeguard their customers’ financial assets?
DevOps and Agile teams build security into every step
Distributing security throughout the development process is a fundamentally more secure approach than the waterfall model – which makes it a better choice for banks.
In a DevOps or Agile environment, security and compliance personnel work with development teams to build secure architecture and testing strategies from the outset.
‘Shift-left’ is also a popular strategy, which focuses on getting developers involved in testing as early in the SDLC (software development lifecycle) as possible. Ensuring that code is clean and high-quality as early as possible can minimize errors and vulnerabilities.
Test automation delivers new standards in efficiency
Traditional manual testing can be a bottleneck for organizations – with a ceiling on efficiency that’s set by the number of testing staff they have available.
Automated static code analysis can detect security flaws while code is being created and recommend fixes early in the delivery process.
‘A number of factors are driving the need for financial institutions to implement automated functional testing or increase the level of testing performed’, according to PwC’s report, ‘An Ounce of Prevention, Why Financial Institutions need Automated testing’. PwC’s report identified three key benefits of automated testing:
Improving the customer experience
Automated tests offer the speed and accuracy that banks need to deploy regular software updates and new products – which create exciting new customer experiences.
Eliminating expensive post-production errors
Defects become more expensive as a development cycle progresses – and can cost 100 times more to fix after the software has gone live. Formal testing only detects around half of all defects.
Automated testing can be used to identify more errors, earlier in the cycle – which saves cash and creates more happy customer experiences.
Adapting to evolving regulatory requirements
Modern regulatory requirements are complex and sometimes force financial institutions to make application and system changes at short notice. Agile environments with automated testing can develop and test more efficiently – so they can adapt more easily.
Enterprise-grade security offers powerful business benefits
A development and testing solution with truly enterprise-grade security delivers crucial benefits for banks, pharmaceutical companies, and other high-stakes businesses that need to react quickly to market demands while protecting customer data.
Low impact performance
A solution that can handle data at speed offers significant real-world business advantages to large organizations, in terms of efficiency.
Industry-leading encryption and deep audits are essential for a solution to demonstrate that it complies with enterprise demands.
Systems that offer API-based interconnectivity offer the flexibility that banks need to develop complex workflows which break down organizational silos and leverage the full benefits of Agile and DevOps.
Enterprise architectures should be designed for massive scale, using technologies like cloud-based infrastructure, so they can support banks as their commercial goals shift and evolve.
- Does your business struggle to balance innovation with data security?
- Are manual testing or waterfall processes restricting your ability to respond to market demands?
- Have you fully leveraged the benefits of Agile, DevOps, and test automation?