Security is at the heart of fintech operations: Highlights from Day 2 of AWS Fintech Forum

Day 2 of the AWS Fintech Forum captured the challenges, practices, and technology that shaped fintech in the past year and the present.

Wednesday, May 25, 2022

The growth of fintech in the last few years has been remarkable. According to a YourStory report, fintech and financial services was one of the most successful sectors, raising USD 8.53 billion across 278 deals in FY22 - and this is just one of the milestones that the sector has achieved so far.

In order to capture the year that was, and understand how the year 2022 will progress, the fifth edition of the two-day AWS Fintech Forum brought together different stakeholders and leaders from India’s fintech ecosystem. While Day 1 was dedicated to examining the trends, developments and the ever-evolving face of fintech, Day 2 was all about the tech that powers the finest fintechs today.

From the keynote speech to the masterclasses, Day 2 captured some of the biggest tech trends that shaped 2021 and would continue to make a difference in 2022.

The evolution of tech in fintech

In the fintech domain, challenges related to resilience and security start mounting extremely quickly. This was the crux of the keynote speech by Japan Doshi, Head of Product, Engineering and Data Science at Rupeek. Japan, who spent over a decade at Amazon in Payments, spoke about his journey with Rupeek, a journey that reflected the choices smaller businesses must make with regard to tech as they stand on the cusp of growing and scaling. Rupeek is an asset-backed online gold loan company that has grown exponentially in the last 2-3 years. This growth included a wider customer base (from 1000s to more than a lakh), disbursing about Rs 300 crore per month, growing operations to more than 35 cities, an increase in onboarded lenders and banking partners, and more than 100 financial products on the platform today. However, with growth and scale come increasingly complex challenges like breaking down the core monolith, data fragmentation, and more. Rupeek also needed to become agile while adhering to compliance requirements and regulations under increased scrutiny from regulators.

In order to face and fix these challenges, Japan spoke about the first step that growing fintechs must take - building a bold vision and bringing it to life. Next is understanding the business's tech capabilities (which would form the foundation of the business) and creating design principles for an architecture that could truly scale. He stressed the need to keep the architecture simple, which would help companies avoid acquiring debt.

One of the key principles Rupeek followed was also leveraging the technology that exists - the company hosts its infrastructure on AWS and uses multiple AWS services in order to maintain security and extensibility. Additionally, the company also conducted RCAs (Root Cause Analysis) on each incident and outage - helping to grow the resiliency of the infrastructure. Rupeek’s journey is a study in how quickly fintechs scale and the ever-increasing challenges that come with that growth. Ultimately, investing in tech and leveraging innovative, existing, and open source tech solutions will translate into healthy unit economics for the company.

Best practices and challenges in fintech

Digital innovations, shifts, and trends in the fintech sector continue to revolutionise how financial institutions, banks, and people engage with money. However, the industry still faces challenges - be it regulations and compliances, global events like the pandemic, a spurt in malicious attacks or concerns around security and data protection. The panel featuring Jaya Manohar, Founder and CPO, Streak AI; Vivek Gupta, CTO, CoinDCX; Yashoraj Tyagi, CTO, CASHe; Shannon Murphy, Chief Technology Officer, Hyphen Group; and moderator Pandurang Nayak, Head of Solutions Architecture, Startups, AWS addressed these challenges by sharing some of the best practices that have proved successful for their businesses.

One of the greatest challenges discussed was regulatory compliance. How do organisations stay compliant but also maintain the agility that is required of today’s businesses? Shannon spoke about the need to have a dedicated person (or teams) to understand the rules, laws, regulations, as well as how they are adapted and used by customers and the institutions. The key to maintaining this balance, he said, was automation - removing all manual steps keeps companies nimble, while assuring regulators and customers that the business is compliant. On the other hand, CoinDCX’s Vivek spoke at length about how regulation could actually boost customers’ trust in the cryptocurrency sector and that smart and meaningful compliance could prove to be a growth driver, leading to an increase in cryptocurrency adoption.

Another rising concern in fintech today is that of security. With banking and financial services increasingly becoming embedded entities, data sharing is now happening at an unprecedented level. Jaya addressed these concerns, sharing how fintechs can implement security measures in a cost-efficient manner. The first thing early-stage fintechs should do is educate their entire company about security - not just the security team. AWS Security Hub can provide the security team - and the company - with vital data that gives them a complete view of the company's security posture. Companies should also prioritise writing secure code in order to mitigate risks. Quality and testing teams should scan for vulnerabilities. The DevOps teams should actively embrace automation, leaving the team to supervise and build great infrastructure. She also advised that companies should conduct regular penetration tests - AWS customers are permitted to carry out penetration tests and security assessments against their AWS infrastructure without prior approval for 8 services. Finally, she recommended that companies only use cookies if it is absolutely necessary.

The panel largely agreed that the short-term effects of the pandemic were beneficial in nature due to the digitisation of banking and financial services. However, stakeholders in the lending ecosystem did lose jobs and faced large-scale cuts. While the long-term ripples of the pandemic are unknown, it is leading to many companies developing very effective digital-only strategies, internal risk assessments, and data security policies.

Right tools for the right use cases

In a session titled ‘Use-case based Databases for Fintechs’, Suresh Seetharaman, Senior Database Specialist, took the audience through modern applications, purpose-built databases for modern applications, and modernisation paths.

IT architecture has come a long way in the last few decades. Between the 70s and 2000s we’ve seen a change in architecture - from mainframes to client servers to three-tier architecture. It is said that during the 70s and the 80s, a gigabyte of storage used to be as big as a truck and cost USD 50,000. Today, we carry several gigabytes of storage in our pockets. Modern applications, too, have an evolved set of requirements - they must cater to a few million users globally, the database sizes are typically between terabytes and petabytes, they have a performance expectation of a million I/O requests per second, and they should have latencies of milliseconds or microseconds to ensure consistent throughput for transactions. In order to deliver these internet-scale applications with the best performance, scale and availability, microservices with purpose-built databases are the need of the day.

When companies want to innovate faster, improve performance and scale, and offload and obtain superior ROIs, they turn to purpose-built databases for modern applications. Today, most databases share a few common characteristics - they are secure, scalable, performant, available, and fully managed. Many global customers, across industries, have built internet-scale applications that have leveraged these features. For instance, when customers wanted the performance of commercial-grade databases with the pricing and friendliness of open-source database engines, Amazon built Amazon Aurora with MySQL and PostgreSQL compatibility. For key value database services, high throughput, unlimited scale, asset transaction, and extremely low latency, customers can opt for Amazon DynamoDB. To address latency, AWS offers a service called Amazon ElastiCache, which is compatible with the open-source Memcached and Redis in-memory databases.

Keeping your fintech infrastructure secure

A common theme experts discussed during the forum was security. As many panellists and guest speakers emphasised, security continues to be an afterthought for many fintechs. According to Ashish Anantharaman, CTO and Co-founder of ZestMoney, 50 billion is invested every year in fintech, 500+ fintechs are created annually, and two out of every three financial transactions are done online these days. These numbers show why security should be made a priority in every fintech. And the earlier it is done, the better. Essentially, anything that involves financial transactions or exchange of money requires security from day 1.

Some of the biggest risks and challenges faced by fintechs in terms of security are identity management, cybersecurity, and regional compliance. By putting off these problems for later, or not addressing them, companies can amass damages in millions.

Ashish advocated many different solutions that fintechs can incorporate into their security strategies. First, he spoke about the importance of data encryption and how companies must build policies around encryption and tokenisation (as well as a hybrid of both), so that the damage from attempted data theft would be limited. The second was Role Based Access Control. Anything related to access, or granting access to the network (be it the data, application or dashboard) should have access restrictions in place - this can be done through AWS Identity and Access Management (IAM). The third step is to secure application logic through solutions like authentication technologies and adaptive authentication, by making the DevSecOps methodology a part of the production pipeline, and by setting up a team that is continuously testing for security. Companies must also conduct regular audits, Penetration Testing, simulations, and security training.

According to Lalit Kumar, Security Architect at AWS, Service Control Policies (SCP) are the most efficient security mechanism because they define a company’s guardrails. He also suggested using cryptography services like AWS Key Management Service (AWS KMS), AWS CloudTrail, AWS Secrets Manager, and AWS Encryption SDK.
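
To make the "guardrail" idea concrete, here is an added example (not from the forum session or from any speaker's material) of a Service Control Policy that keeps CloudTrail audit logging and KMS keys from being switched off by member accounts. The role name OrgSecurityAdmin is a hypothetical break-glass role assumed for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectCloudTrailAuditLog",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/OrgSecurityAdmin"
        }
      }
    },
    {
      "Sid": "ProtectKmsKeys",
      "Effect": "Deny",
      "Action": [
        "kms:ScheduleKeyDeletion",
        "kms:DisableKey"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/OrgSecurityAdmin"
        }
      }
    }
  ]
}
```

An SCP grants nothing by itself: it caps what IAM policies in the attached accounts can allow, so these denies hold even for an account administrator. SCPs do not apply to the organisation's management account, which needs its own controls.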

Automating lending with ML

New technologies are rapidly emerging and making changes in the financial sector, enabling the transformation of manual processes, streamlining decisions and changing the way financial institutions interact with customers. Although the financial and banking industry has recognised the importance of AI in improving the efficiency of current processes, implementing it remains a difficult task. In this context, Alok Kumar, Co-founder and CTO of Karza - a data analytics, automation, and decisioning solution provider - and Neil D'Cruz, Solutions Architect, AWS spoke about Karza’s automated KYC onboarding journey. Alok shared that by using Karza’s range of deep learning and NLP models, they could look at unstructured data sources (different financial statements, KYC documents, GST income tax returns, MCF filings) and convert that into easy-to-consume, easy-to-interpret structured data points.

Karza also looks into more than 850 alternate sources, enabling the authentication of information which the applicant has provided. Having these kinds of data points and additional signals creates a sense of assurance around background checks and doing due-diligence on the applicant’s entire network. With Karza’s KYC onboarding product, the first step is capturing the live image of the applicant. After verification, the user is then prompted to upload the KYC documents. Next, the OCR engine comes into play and extracts the relevant data points. Using RPA technologies or RPA techniques, Karza connects with the corresponding official common source to verify the authenticity of the documents. Then they match the data points from the documents to what is on comment data records. For a majority of these services, Karza leverages different AWS solutions. For instance, they leverage AWS serverless solutions for their APIs. Today, serverless services allow them to scale effortlessly and provide support to help them adhere to strict security and compliance standards. The crucial step of image verification is done by leveraging Amazon Rekognition, a serverless computer vision service. Finally, by utilising Amazon SageMaker, they seamlessly enforce best-in-class MLOps practices.