Globally, more than 7,500 FinTech firms have raised a combined total of over USD 109.8 billion. Yet most will likely fail for one of these reasons: they could not find the right product-market fit, the cost of scaling up is high, they cannot find the right partner, or they struggle to create, launch, and quickly gain market share for a differentiated product that cannot be replicated.

Our software engineers have worked with many fintechs, including Currencycloud and Cleverbridge, and a few blockchain projects under NDA. We constantly research fintech market trends and challenges, aggregate what we learn, and refine our strategy for fintech software development. On that basis, we’ve talked with our specialists and outlined 15+ time-tested rules of fintech app development.

We’ve grouped those rules according to four key principles of fintech app development:

  • Security and compliance
  • API-led connectivity
  • Software infrastructure scalability
  • Specific domain expertise

In Part One, we will focus on Security and Compliance, and API-led connectivity.

Security and compliance in fintech app development

This is a hard and absolute rule for all financial services companies, with no room for compromise. The topic has become even hotter in the light of GDPR, the growing number of API integrations with banks, the growing volume of transactions and users, and the increasing number of vulnerabilities.

ThreatMetrix research showed an 80% year-on-year increase in digital wallet transactions, as well as a 180% increase in associated bot attacks, which are used to mass-test identity credentials.

[Figure: ThreatMetrix chart of the growth in digital wallet transactions and associated bot attacks]

Source: ThreatMetrix research

It is vital to keep close tabs on what is happening in the security world, because it changes constantly. Tools that were adequate yesterday may stop protecting against newly discovered vulnerabilities, or new security risks may arise and call for a more innovative approach.

Key security and compliance rules that we follow when building fintech applications:

1. Detecting and eliminating OWASP Top 10 vulnerabilities

When building a fintech app, developers should set up tools (open source or proprietary) to detect the OWASP Top 10 vulnerabilities. The list is updated each year. For instance, you can configure the tool to start code analysis automatically and report application security risks after each commit of a build.

2. Compliance with information security policies

Here are the key guidelines fintechs must follow to comply with information security:

  • Following defined password security policies (e.g. requiring strong passwords, monthly password resets, etc.)
  • Following policies for storing passwords and other sensitive user information. For instance, store only hashed passwords, never encrypted ones: encrypted passwords can be decrypted by whoever obtains the key, which makes them too easy to recover.
  • Using Multi-Factor Authentication. There are different types of MFA, and some are more secure but more complicated. Besides SMS authentication, which is not very secure, there are Google Authenticator, hardware tokens, YubiKeys, and more. However, these are more complex than mobile apps.
  • Compliance with PCI DSS. A fintech company that accepts card payments and stores, processes, or transmits cardholder data must ensure that the data is hosted securely with a PCI DSS compliant hosting provider.

To ensure compliance with information security, fintechs can go one of two ways: build their own tools, or integrate with third-party services and agencies that specialize in identity management and identity brokering.

3. Financial monitoring and addressing KYC issues

Fintechs must integrate with third parties to monitor and block suspicious transactions, prevent smurfing, detect money laundering, and block people or organizations on blacklists.

To prevent illegal activities, fintechs must establish the identity of their customers. You can write your own code, integrate with third parties, or work with compliance agencies that do this manually. There are many mobile and biometric identity authentication apps. There is also a newer solution to the problem: blockchain-based KYC and trade transaction solutions, which are already being experimented with on Ripple, Ethereum, and other distributed ledger platforms. Blockchain can provide an effective way to make identity duplication and forgery virtually impossible.
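The monitoring duties in rule 3 (blacklist screening and smurfing detection), as an added example that is not part of the original article or the author’s own code. It screens each counterparty against a sanctions-style blacklist and flags accounts that split value into several just-under-threshold transfers within a rolling window, which is the pattern smurfing (structuring) produces. The threshold, window, ratio, blacklist entries and sample transactions are all constructed for the example, not real values or entities.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

REPORTING_THRESHOLD = 10_000          # assumed cash-reporting threshold for the jurisdiction
NEAR_THRESHOLD_RATIO = 0.8            # amounts at >= 80% of the threshold count as "just under"
STRUCTURING_WINDOW = timedelta(hours=24)
STRUCTURING_MIN_COUNT = 3

# Constructed blacklist of normalized names (not real entities).
BLACKLIST = {"ACME SHELL CO", "J DOE"}


@dataclass
class Transaction:
    tx_id: str
    account: str
    counterparty: str
    amount: float
    timestamp: datetime


def normalize_name(name: str) -> str:
    """Case- and whitespace-insensitive form so 'acme  shell co' still matches."""
    return " ".join(name.upper().split())


def screen_blacklist(tx: Transaction) -> bool:
    return normalize_name(tx.counterparty) in BLACKLIST


def detect_structuring(txs):
    """Return accounts with >= STRUCTURING_MIN_COUNT just-under-threshold transfers in any window."""
    by_account = defaultdict(list)
    for tx in txs:
        if NEAR_THRESHOLD_RATIO * REPORTING_THRESHOLD <= tx.amount < REPORTING_THRESHOLD:
            by_account[tx.account].append(tx)
    flagged = set()
    for account, near in by_account.items():
        near.sort(key=lambda t: t.timestamp)
        start = 0
        for end in range(len(near)):
            # Slide the window start forward until it spans at most STRUCTURING_WINDOW.
            while near[end].timestamp - near[start].timestamp > STRUCTURING_WINDOW:
                start += 1
            if end - start + 1 >= STRUCTURING_MIN_COUNT:
                flagged.add(account)
                break
    return flagged


def monitor(txs):
    """Decide per transaction: 'block' (listed party), 'review' (structuring), or 'allow'."""
    structuring_accounts = detect_structuring(txs)
    decisions = {}
    for tx in txs:
        if screen_blacklist(tx):
            decisions[tx.tx_id] = "block"
        elif tx.account in structuring_accounts:
            decisions[tx.tx_id] = "review"
        else:
            decisions[tx.tx_id] = "allow"
    return decisions


# Constructed sample batch: A1 structures three deposits in 11 hours, A2 pays a listed
# party, A3 makes one large (reportable) transfer, A4's sub-threshold transfers are days apart.
SAMPLE = [
    Transaction("t1", "A1", "Cafe Nord", 9_500, datetime(2024, 1, 1, 9, 0)),
    Transaction("t2", "A1", "Cafe Nord", 9_800, datetime(2024, 1, 1, 13, 0)),
    Transaction("t3", "A1", "Cafe Nord", 9_200, datetime(2024, 1, 1, 20, 0)),
    Transaction("t4", "A2", "acme  shell co", 500, datetime(2024, 1, 1, 10, 0)),
    Transaction("t5", "A3", "Office Supplies Ltd", 15_000, datetime(2024, 1, 1, 10, 0)),
    Transaction("t6", "A4", "Garage West", 9_000, datetime(2024, 1, 1, 10, 0)),
    Transaction("t7", "A4", "Garage West", 9_100, datetime(2024, 1, 1, 11, 0)),
    Transaction("t8", "A4", "Garage West", 9_000, datetime(2024, 1, 3, 10, 0)),
]

if __name__ == "__main__":
    for tx_id, decision in monitor(SAMPLE).items():
        print(tx_id, decision)
```

A production system would feed blocked and reviewed items to a case-management queue rather than deciding alone, and would use fuzzy name matching for the list screen; the sliding window here is the part that a rules engine or a model would need to reproduce.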

4. Detection of fraud behaviour

Many companies use machine learning to detect patterns of fraudulent behaviour. For instance, generative adversarial networks (GANs) are frequently used.

A GAN is a type of deep learning system that operates as two rival neural networks: a generator and a discriminator. The generator creates synthetic fraud data that looks identical to real data, while the discriminator analyses both the fake data and the authentic datasets. Over time, both networks learn from each other and improve their results.

Key API design guidelines in fintech app development

Another important aspect of fintech software development is API design. A fintech transaction comprises several operations and may go through several internal and external applications connected by APIs. What’s more, completion of transactions must be guaranteed.

Thus, we follow these rules of API design:

5. Make API calls idempotent whenever you can

That means that if I want to get the info about a specific payment, I can make the same query five times and get the same result, processed the same way, each time. This way we can guarantee that if an API call fails on the API server side, a retry causes no unwanted side effects.

6. Otherwise, create an API call with a specific ID

If we can’t make an API call idempotent (for instance, a payment), create the API call with a specific ID. This way, if one API server fails and another one takes over and accepts the payment, the transaction won’t be processed a second time after the failed server recovers: the same payment call cannot pass more than once.

7. Don’t expose any tech information when designing APIs

Another important practice of API design is to design it so that you don’t expose any technical details. For instance, don’t use auto-incrementing IDs for records. With auto-incrementing, each new record adds 1 to the previous record’s ID, so an attacker can learn the number of records and other information that may damage your security.

Also, if an error occurs, don’t expose the technical details of the failure. Otherwise, an attacker will be able to see the data and use it against you.

8. In case of a distributed architecture, always generate a unique ID

Since a request goes through different nodes in the network, or several services in a microservices architecture, it is good practice to always generate a unique ID at the beginning of a query. This way we can trace it from the beginning to the end of its path, and if it fails at a certain stage, we can trace the query back to the very start.
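Rules 5 to 8 combined in one small payment endpoint, as an added example that is not part of the original article or the author’s own code. Reads are idempotent by nature (rule 5); a payment creation is made safe to retry with a client-supplied Idempotency-Key (rule 6); record IDs are random UUIDs and error responses carry only a generic message while the detail goes to the log (rule 7); and every request gets a trace ID at the edge that is reused if the caller already supplied one and forwarded to downstream services (rule 8). The header names, status codes and in-memory store are assumptions chosen for the example, not values from the page.

```python
import logging
import uuid
from dataclasses import dataclass, field

log = logging.getLogger("payments")


@dataclass
class PaymentStore:
    """In-memory stand-in for the payment database (constructed for the example)."""
    payments: dict = field(default_factory=dict)            # opaque payment_id -> record
    by_idempotency_key: dict = field(default_factory=dict)  # client key -> record


def get_trace_id(headers: dict) -> str:
    """Rule 8: reuse the caller's request ID when one arrives, otherwise mint one at the edge."""
    return headers.get("X-Request-ID") or str(uuid.uuid4())


def downstream_headers(trace_id: str) -> dict:
    """Headers to attach to calls into other services so the trace ID follows the request."""
    return {"X-Request-ID": trace_id}


def create_payment(store: PaymentStore, headers: dict, body: dict):
    """Rule 6: a non-idempotent operation made safe to retry with a client-supplied key.

    Returns (http_status, response_body).
    """
    trace_id = get_trace_id(headers)
    key = headers.get("Idempotency-Key")
    if not key:
        return 400, {"error": "Idempotency-Key header is required", "trace_id": trace_id}
    if key in store.by_idempotency_key:
        # Retry after a timeout or failover: replay the original outcome, never charge twice.
        return 200, store.by_idempotency_key[key]
    try:
        amount = int(body["amount_minor"])
        currency = str(body["currency"])
        if amount <= 0:
            raise ValueError("amount must be positive")
        payment_id = str(uuid.uuid4())  # Rule 7: opaque and non-sequential, reveals no record count
        record = {
            "payment_id": payment_id,
            "amount_minor": amount,
            "currency": currency,
            "status": "accepted",
            "trace_id": trace_id,
        }
        store.payments[payment_id] = record
        store.by_idempotency_key[key] = record
        return 201, record
    except (KeyError, ValueError, TypeError):
        # Rule 7: the exception and stack trace go to the log under the trace ID;
        # the client sees only a generic message plus the ID to quote to support.
        log.warning("rejected payment request trace_id=%s", trace_id, exc_info=True)
        return 422, {"error": "payment request could not be processed", "trace_id": trace_id}


def get_payment(store: PaymentStore, headers: dict, payment_id: str):
    """Rule 5: a read is naturally idempotent; repeating it yields the same answer."""
    trace_id = get_trace_id(headers)
    record = store.payments.get(payment_id)
    if record is None:
        return 404, {"error": "payment not found", "trace_id": trace_id}
    return 200, record
```

In a real deployment the idempotency-key table lives in shared storage with a TTL so that a second server can honour a key the first one recorded before it failed, and the key is scoped to the authenticated client so two customers cannot collide on the same string.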

Fintechs currently face the challenges of growing and scaling. To overcome those hurdles, they first of all need a reliable and robust platform built in compliance with best industry practices. We’ve collected the top 20 rules of efficient fintech app development and grouped them according to 4 underlying principles. Part 1 dwells on security and compliance, and API-led connectivity. In Part 2, we will explore the rules related to software infrastructure scalability and specific domain expertise.
