Encryption, Authentication, or Security Certification—How to Ensure FinTech Data Security
For FinTechs, security of their clients’ data is one of the thorniest questions. Roland Collins, CTO at InvestEdge, highlights that in the FinTech industry “data is dollars”—this is why data privacy and data management require patience and discipline to get right.
We talked to a number of technical leaders in FinTech companies to learn how they ensure data protection. Here’s an outline of their general approach.
No data, no cry
Today, hardly any FinTech startup can work autonomously. They integrate with banks, custodians, financial institutions, e-commerce and delivery services, etc. Consumers’ personal and financial data moves across multiple vendors, so it’s important to ensure that this data is not used for inappropriate purposes.
Advisor Software decided to remove all PII (personally identifiable information) from their APIs. According to Mike Granger, vice-president and product manager, this enables vendors to use the APIs without disclosing their client at the back-end.
For MyVest’s platform, security starts with strict access and authentication rules around how other application components can access data. Mark Worsey, COO, explains that they spent a lot of time progressing to an internal info security policy around how data is used, where it resides, and how it is managed. The same is true for backups for disaster recovery from a business continuity perspective.
We all understand that clients’ data should be protected from any data breach, including insider theft from software developers. At Wela, the data is protected from being copied, while payment protection insurance information is all encrypted. Hesom Parhizkar, CTO, states that they constantly monitor the back-end and APIs, and plan to add a tool for automatic API monitoring.
As you can see, strict access rules, encryptions—even taking the PII out of APIs—are used to protect clients’ data from leakage.
Cloud or noncloud?
Financial data may not only be stolen when it moves across-network—how FinTechs store data also matters. We found that financial platforms use various, often completely different ways to store data. Some are looking at cloud storage, while others prefer to have it “by their side.”
For example, InvestEdge plans to make a push for incorporating cloud services, although most customers are not ready for it. Roland Collins, CTO, believes that this may have to do with the perceived freedom of the cloud, with data flowing in and out of computers and servers, so it may take time until clients are comfortable with the security and stability of the cloud. Instead of using a public cloud, Roland is pursuing private cloud technology to change the way that InvestEdge delivers infrastructure.
Mark Worsey from MyVest feels that running everything in the cloud is a huge advantage, as it enables horizontally scaling in real time, making the deployment process much easier and more cost-effective compared to the capital-intense methods of building data centers and acquiring hardware. However, he says:
“Sometimes there is an emotional or irrational security fear of running a financial application in the cloud.”
Due to the requirements of HNWIs who are not yet ready to store data in the cloud, Evolute operates its own data center, which is located in Switzerland. Martin Polasek, CTO, admits that this was a significant investment. In addition, they have internal firewalls that segregate the database from the application servers. Their software developers don’t access the production environment with real client data. The production environment itself has various security levels, from authorization to authentication, etc.
So, having local data storage is expensive, but seems to be more accepted generally because wealthy clients still don’t believe in the security of the cloud.
Such multilayered protection as used by Evolute is not unique.
Borys Harmaty, ex-CIO of FOLIOfn, states that through Folio’s platform, data and cyber security measures are implemented and managed by software engineers who hold CISSP certification. Their security approach includes:
- Two-factor authentication;
- NIST encryption standards;
- Real-time threat intelligence;
- Firewalls and antivirus solutions.
In addition to a number of IT security certifications that software developers may hold—CISSP, SSCP, CCSP, CAP, CSSLP, etc.—in order to ensure the reliability of financial platforms and the safety of personal and financial data, FinTechs also may pursue certification of regulators.
For example, the Securities and Exchange Commission, the federal regulator that covers investment securities in the US, has certified WealthBar as meeting the highest standards of privacy and security. Chris Nicola, CTO, says that to ensure the safety of clients’ data and funds they implement measures such as advanced login, encryption, and security testing.