In the era of financial services’ transformation, where digitalization has become inevitable, the market is flooded with Fintech apps. It’s rare to find someone who hasn’t used at least one daily.

Whether your app is geared towards investment management or streamlining buying and selling processes, our previous experience has highlighted two crucial aspects that demand your attention. Our team recently worked through the complexity of a digital investment platform and addressed both aspects thoroughly.

First and foremost is security. Coupled tightly with this is the user experience, designed with complete transparency and reliability in mind. 

Risk Mitigation in Fintech: A Security Checklist 

Security is always important, no matter what the business domain of your digital product is. But when you add large amounts of private data and sensitive financial information, it becomes even more serious. It is beyond the scope of this article to explore all security concepts within software engineering (explore our blogs section to find some captivating findings). However, we want to emphasize those that can seem obvious but are easily overlooked.

Legal compliances 

The most important aspects of legal compliance are data protection and industry regulations.

Different data security regulations are imposed for data-at-rest and data-in-transit depending on the following:

  • region of business operations and 
  • the geolocation of the user base. 

The best-known regulation for Europe-based digital products is GDPR (General Data Protection Regulation). In any case, the first thing to do is encrypt all data, both in transit and at rest. There is a great whitepaper published by AWS called Navigating GDPR compliance on AWS. It contains simple guidelines for implementing the required rules to help you stay in compliance with GDPR. Furthermore, countries outside of the EU, and even European Union countries, can have additional requirements.

Besides this, each Fintech digital product has to clearly define the areas of financial services it offers and comply with the known regulations for these areas, such as the financial market, investment management, or digital currencies regulations. These regulations can also depend on the business and user’s geolocation.

Here is a checklist to help you ensure the compliance every #fintech app requires:

  • Investigate regulations that your Fintech digital product is eligible for based on the location of your headquarters and the geolocation of your user base.
  • Study and explore these regulations to understand how they affect the architecture and functionalities of your product.
  • Understand potential collisions between the requirements and set the course of action. For example, GDPR’s “Right to be forgotten” and the many financial-market regulations that require data to be kept for an audit period can collide. Therefore, action items can include:
    • Separation of private data and transaction data inside the storage
    • The highest possible level of anonymization of transaction data (needed to satisfy auditability regulations)
  • Combinations of attributes that together could unambiguously identify an individual have to be monitored continuously, every time new user information is ingested into storage or used in transactions.
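The following is an added example (not code from the article or its authors) of how the first two action items above can be implemented: personal data and transaction data live in separate stores, transaction records carry only a keyed pseudonym of the user, and an erasure request removes the personal record while the audit trail stays intact. The store names, the `PEPPER` secret and the scenario data are constructed for illustration; in a real deployment the pepper would be held in a secrets manager or KMS, and destroying it unlinks every pseudonym at once.

```python
"""Separate PII from transaction data and link them through a keyed pseudonym.

Added example, not from the original article. All identifiers and data
below are constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumption: a secret held outside both stores (e.g. a KMS-backed secret).
# Without it, a pseudonym cannot be mapped back to a user id.
PEPPER = b"constructed-pepper-replace-in-real-deployments"


def pseudonym(user_id: str) -> str:
    """Keyed hash (HMAC-SHA256): audit rows carry this instead of identity."""
    return hmac.new(PEPPER, user_id.encode(), hashlib.sha256).hexdigest()


@dataclass
class Stores:
    """Two logically separate stores; in practice two databases or schemas."""
    personal: dict = field(default_factory=dict)      # user_id -> PII record
    transactions: list = field(default_factory=list)  # pseudonymous audit rows


def onboard(stores: Stores, user_id: str, name: str, email: str) -> None:
    stores.personal[user_id] = {"name": name, "email": email}


def record_transaction(stores: Stores, user_id: str, amount: float, asset: str) -> None:
    # Only the pseudonym and the fields an auditor needs are written here.
    stores.transactions.append(
        {"subject": pseudonym(user_id), "amount": amount, "asset": asset}
    )


def erase_user(stores: Stores, user_id: str) -> bool:
    """Right to be forgotten: drop the PII record, keep the audit rows."""
    return stores.personal.pop(user_id, None) is not None


def transactions_for(stores: Stores, user_id: str) -> list:
    """Look up a user's audit rows; needs the pepper, so PII-store access alone is not enough."""
    subject = pseudonym(user_id)
    return [t for t in stores.transactions if t["subject"] == subject]


def demo() -> dict:
    """Constructed scenario: onboard, transact, then honour an erasure request."""
    s = Stores()
    onboard(s, "u-42", "Alice Example", "alice@example.com")
    record_transaction(s, "u-42", 250.0, "ETF-XYZ")
    record_transaction(s, "u-42", -100.0, "ETF-XYZ")
    erased = erase_user(s, "u-42")
    return {
        "erased": erased,
        "pii_rows_after_erasure": len(s.personal),
        "audit_rows_after_erasure": len(transactions_for(s, "u-42")),
        "audit_mentions_identity": any(
            "u-42" in str(t) or "alice" in str(t).lower() for t in s.transactions
        ),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting: because the link between the two stores is a keyed hash rather than the raw user id, a reader of the transaction store alone (a backup, an analytics replica, a log export) cannot re-identify anyone, and the "monitor combinations of attributes" item above reduces to checking that the fields kept in the audit row (amount, asset, timestamp) do not themselves single out an individual.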


Regarding infrastructure, most apps today are hosted on some cloud provider’s machines. This adds another layer of complexity and potential risk. For simplicity, the terms used in this article will be related to AWS. Principles apply to other providers, but their implementation can vary.

Zero Trust Architecture

Zero trust architecture (ZTA) is a security model that focuses on providing security controls that do not depend on traditional network controls. Instead, network controls are enhanced with identity, device, or other mechanisms.

The first point is continuous verification. Users’ or other services’ access should be verified all the time for all resources. Enforcing a strong password policy, mandatory 2FA (Two-Factor Authentication), SSO (Single Sign-On), and using short-term credentials can help ensure that only authenticated and authorized users can access resources. Adopting the least privilege access principle limits the potential damage that can be caused by compromised accounts. Access policies can help implement least privilege access. A good idea is to start with a global Deny-All policy and explicitly grant only the privileges required for a user or a service to work.
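To make the "start from Deny-All and grant explicitly" rule concrete, here is an added example (not from the article, and not AWS's policy engine) of a minimal policy evaluator that follows the same two rules IAM documents for its own evaluation: nothing is permitted unless an Allow statement matches, and an explicit Deny overrides any Allow. The statement shape imitates IAM's `Effect`/`Action`/`Resource` fields; the reporting-role policy and the bucket names are constructed.

```python
"""Deny-by-default policy evaluation with explicit-deny precedence.

Added example, not the article's code and not a reimplementation of AWS IAM;
it models only the two rules named in the lead-in. Policy data is constructed.
"""
from fnmatch import fnmatchcase


def _matches(pattern_or_list, value: str) -> bool:
    """Wildcard match against one pattern or a list of patterns."""
    patterns = pattern_or_list if isinstance(pattern_or_list, list) else [pattern_or_list]
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(statements: list, action: str, resource: str) -> str:
    """Return 'Allow' only if some statement allows and no statement denies."""
    decision = "Deny"  # implicit deny: nothing is granted until stated
    for stmt in statements:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny wins regardless of order
            decision = "Allow"
    return decision


# Constructed policy for a hypothetical reporting service: read-only access to
# one bucket, plus an explicit deny on the bucket holding customer PII so that a
# future over-broad Allow cannot quietly open it.
REPORTING_ROLE_POLICY = [
    {
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": "arn:aws:s3:::ledger-reports/*",
    },
    {
        "Effect": "Deny",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::customer-pii/*",
    },
]


def least_privilege_check(statements: list) -> list:
    """Flag statements that grant every action on every resource."""
    return [
        s for s in statements
        if s["Effect"] == "Allow"
        and _matches(s["Action"], "anything:AtAll")
        and _matches(s["Resource"], "any-resource")
    ]


if __name__ == "__main__":
    for action, resource in [
        ("s3:GetObject", "arn:aws:s3:::ledger-reports/2024/q1.csv"),
        ("s3:DeleteObject", "arn:aws:s3:::ledger-reports/2024/q1.csv"),
        ("s3:GetObject", "arn:aws:s3:::customer-pii/alice.json"),
    ]:
        print(action, resource, "->", evaluate(REPORTING_ROLE_POLICY, action, resource))
```

`least_privilege_check` is the review step that pairs with the rule: a statement whose action and resource are both `*` is exactly the global grant the Deny-All starting point is meant to avoid, and it is easy to catch in CI before a policy is applied.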

Security-related events, like denied login requests, should be monitored and trigger an alert.
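As an added example of the alerting the paragraph above asks for (not code from the article), the block below scans JSON log lines for failed console logins and raises an alert when one user from one source address fails three times within five minutes. The event layout follows the shape of CloudTrail `ConsoleLogin` events (`eventName`, `sourceIPAddress`, `responseElements.ConsoleLogin`), but every line in `SAMPLE_LOG` is constructed, and the threshold and window are assumptions to tune for your own baseline.

```python
"""Alert on repeated denied logins from JSON log lines.

Added example, not from the original article. The events are constructed to
resemble CloudTrail ConsoleLogin records; no real account data appears here.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _event(time: str, user: str, ip: str, outcome: str) -> str:
    """Build one constructed log line in a CloudTrail-like shape."""
    return json.dumps({
        "eventTime": time,
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": user},
        "sourceIPAddress": ip,
        "responseElements": {"ConsoleLogin": outcome},
    })


# Constructed sample: a burst of failures for one user, plus unrelated noise.
SAMPLE_LOG = [
    _event("2024-02-23T10:00:00Z", "alice", "203.0.113.5", "Failure"),
    _event("2024-02-23T10:00:30Z", "alice", "203.0.113.5", "Failure"),
    _event("2024-02-23T10:01:00Z", "bob", "198.51.100.7", "Success"),
    _event("2024-02-23T10:01:10Z", "alice", "203.0.113.5", "Failure"),
    _event("2024-02-23T10:02:00Z", "alice", "203.0.113.5", "Failure"),
    _event("2024-02-23T10:09:00Z", "carol", "198.51.100.9", "Failure"),
]


def is_failed_login(event: dict) -> bool:
    return (
        event.get("eventName") == "ConsoleLogin"
        and event.get("responseElements", {}).get("ConsoleLogin") == "Failure"
    )


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def alerts(lines, threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> list:
    """Sliding-window count of failures per (user, source IP); one alert per burst."""
    recent = defaultdict(list)
    out = []
    for line in lines:
        event = json.loads(line)
        if not is_failed_login(event):
            continue
        key = (
            event.get("userIdentity", {}).get("userName", "unknown"),
            event.get("sourceIPAddress", "unknown"),
        )
        t = _parse_time(event["eventTime"])
        # Keep only failures still inside the window, then add this one.
        recent[key] = [x for x in recent[key] if t - x <= window] + [t]
        if len(recent[key]) >= threshold:
            out.append({
                "user": key[0],
                "source_ip": key[1],
                "failures": len(recent[key]),
                "at": event["eventTime"],
            })
            recent[key] = []  # reset so the next burst raises a fresh alert
    return out


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print("ALERT", a)
```

In production the same function would sit behind a log subscription or SIEM rule rather than a list of strings; the point of the example is the keying (user plus source address, so a single mistyped password does not page anyone while a burst from one place does) and the reset after each alert, which keeps one sustained burst from producing an alert on every subsequent failure.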

The production environment and supporting services should be completely isolated from development environments. This sounds like common sense, but quite often, some sort of communication is needed. In these cases, the least privilege access principle should be applied.

Data at rest

The great thing about cloud providers is that they make encrypting the data a seamless job. The first thing you need to do is identify which services have access to user data, store it, or consume it in any way. This includes, but is not limited to, EBS volumes, S3 buckets, RDS, CloudWatch, and AWS Lambda. Logging services like CloudWatch are often overlooked but can contain sensitive user data. Even though application logs should not contain private data, certain error logs can reveal sensitive information that will end up stored in CloudWatch. AWS KMS is integrated with other AWS services and helps you encrypt data stored in them. While AWS-managed keys automatically rotate every year, it is recommended to use customer-managed keys. Relying on system-generated keys can sometimes leave expired or exposed keys in use, leaving data insecure. A customer-managed key lets you control how data is encrypted and define a specific key rotation period, which helps you better meet compliance regulations.
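Encryption at rest protects the log store, but it does not stop sensitive values from being written into it in the first place. The following added example (not from the article) shows a defensive control for the CloudWatch point above: a `logging` filter that redacts e-mail addresses, Luhn-valid card numbers and `token=`/`password=` style key-value pairs before a record leaves the process. The regular expressions and the sample messages are constructed; extend the patterns to whatever identifiers your own data model carries.

```python
"""Redact sensitive values from log records before they reach a log store.

Added example, not the article's code. Patterns and messages are constructed.
"""
import logging
import re

EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# 13-19 digits, optionally separated by spaces or dashes; validated with Luhn
# below so that order numbers and timestamps are not redacted by accident.
CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SECRET_KV = re.compile(r"(?i)\b(token|password|secret|authorization)=\S+")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to distinguish card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def redact(message: str) -> str:
    """Return the message with e-mails, card numbers and secrets masked."""
    message = EMAIL.sub("[email]", message)
    message = SECRET_KV.sub(lambda m: f"{m.group(1)}=[redacted]", message)

    def _card(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return "[card]" if luhn_ok(digits) else m.group(0)

    return CARD.sub(_card, message)


class RedactingFilter(logging.Filter):
    """Attach to a handler so every record is scrubbed, including %-args."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def build_logger(name: str = "fintech-app") -> logging.Logger:
    """Logger whose stream handler redacts before formatting."""
    logger = logging.getLogger(name)
    if not logger.handlers:
        handler = logging.StreamHandler()
        handler.addFilter(RedactingFilter())
        handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
        logger.addHandler(handler)
        logger.setLevel(logging.INFO)
    return logger


if __name__ == "__main__":
    log = build_logger()
    # Constructed message: the kind of error line that leaks PII into log stores.
    log.error("payment for %s with card %s failed, token=%s",
              "alice@example.com", "4111 1111 1111 1111", "abc123")
```

Attaching the filter to the handler rather than the logger matters: filters on a logger do not apply to records that arrive through child loggers, whereas every record passing through the handler is checked. The Luhn check is the caveat a practitioner wants here: a bare 13-19 digit pattern would also blank order ids and epoch timestamps, and an over-eager redactor makes incident response harder.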

Data in transit

Data sent from one service to another must be encrypted. Using TLS for “public” traffic is standard now, but connections within the same VPC shouldn’t be ignored, nor should connections between VPCs. While communication within the same VPC is isolated, there can always be a zero-day vulnerability that leads to a leak. A simple service mesh can add an extra layer of protection and limit the blast radius in case things go wrong. Tools like the Istio service mesh or Calico CNI offer simple integration and effective protection.

The Essence of Reliable Customer Experience

When sensitive data inputs, transactions, and operations are performed, users expect an impeccable feedback loop about the triggered actions, possible error states, and unexpected behavior of the application. 

When users choose apps to help them with financial services, they usually select them for longer periods. For example, if they invest, and it is not just day trading, they want to stay there for a long period.

Getting a user’s trust can take a while, and losing it can be quick. If users feel unsafe and unsure about where their assets are, have gone, or will be, they are likely to move elsewhere. 

When dealing with the #fintech domain, make sure to delve into the following aspects of user and customer experience before any others.

Error handling and bug reporting

Errors will inevitably occur in any application. They can be due to incorrect user input or any other reason, but when they do occur, you need to inform users promptly and precisely.

Example 1 shows a comparison between two different kinds of error messages.

Example 1.1: Clear explanation of the upcoming steps and potential roadblocks

Example 1.2: Every disabled action should be clearly explained

Furthermore, every application strives to have fewer bugs, but some will happen. Giving users several easy ways to report them is of the utmost importance. However, no matter how well-designed error handling and bug reporting are, there is a small probability that we will not catch everything. Tutorials, a help desk, and live customer support should be easy to reach so that users feel protected and heard.

Predictable outcomes for actions and triggers

The control users have over the application’s behavior, and how predictable the results of their actions are, gives them a feeling of security and stability. To feel in control, users value familiar outcomes for their actions and the option to shape the outcome themselves.

To achieve this, start with something you should avoid and eliminate: dark design patterns. For some time, there has been discussion about the sophisticated design practices called dark patterns. They are generally invented to trap users into actions they cannot predict or bypass, and they are precisely what every #fintech app should avoid. They may give you temporary leverage, but along the way they will scare your users and make them leave.

Additionally, you can take a few more steps to ensure users feel comfortable using different actions:

  • Think about “heavy” actions users have to perform in your app, such as signing documents, confirming transactions, or giving permissions.
  • Inform users about what to expect once they complete that action. You can use messages in toasts, banners, or label forms.
  • Give them extra involvement and control over details that the app could handle automatically; it does not hurt to let users decide.

Example 2: Messages and clues to inform users about the steps

Example 3: Additional involvement of users makes them feel in control

Real-time updates

If there are real-time changes that users should know about, we must let them know as soon as possible. Keeping in mind that users manage financial assets through most fintech apps, real-time updates are very common.

There are different options to consider in order to inform users on time:

  • Real-time notifications: 
    • Push Notifications: Ideal for immediate updates. Use them judiciously to avoid overwhelming users.
    • Summaries: Daily, weekly, or monthly summaries can be sent via email, providing a less intrusive way to keep users updated.
  • A user’s dashboard featuring real or near real-time updates:
    • Engagement: It engages users with the app and lets them feel secure about what is happening. 
    • Easy-to-grasp data: Dashboards almost always contain various graphs and tables (to learn how to choose the right ones for your domain, check here). Keep things at a high level, in the context of the user’s settings if they affect the results, and allow users to drill down and see more details so they feel extra secure. 
    • Predictions: Last but not least, let users search the history and make predictions for their asset growth in light of the services they can use in your app.

However, there are cases where your app depends on third-party services that don’t provide updates as frequently as you would like. In this case, it is necessary to:

  • Clearly show when the latest update was and when you expect the next update
  • Notify users when data refreshes if the period is too long
  • Let users know if there is any other way they can get the latest update (e.g., via phone call) if they need it right away

Example 4: Users are well informed about the most recent data update
