A recent challenging and exciting project assignment was to develop a financial platform that gives employees easy access to their own retirement plan. The application registers employers and their employees (individuals) as part of an organisation, and independent workers (individuals) who exist outside any organisation. The concept of the 'individual' as the owner of the account was introduced for portability: the individual keeps control of the account no matter how many times they switch jobs.
The application would carve out its niche in the retirement planning market by offering a powerful, easy-to-use web app that gives savers portability and affordability, and gives employers a risk- and hassle-free solution for their staff. The platform lets individuals quickly and easily set up an independent, portable Individual Retirement Account (IRA) that travels with them no matter where they work, at an extremely low cost. It also offers employers an extremely attractive, risk-free package.
To achieve its growth plans, the client would focus on developing relationships with payroll providers, so that employee onboarding can be automated, and with employers and gig-economy marketplaces that can benefit from the flexible, portable IRA plan the client offers.
IRA stands for Individual Retirement Account; the IRS also calls it an individual retirement arrangement, because the investments held in an IRA can span a range of financial products, including stocks, bonds, ETFs and mutual funds. Many organisations across the globe offer retirement management solutions that help retirement and financial services companies move their services to IRAs of all sizes. The prime focus of this project was to develop an individual retirement platform for workers who did not have their own retirement plan.
The product required building a new platform for maintaining the individual and employer accounts, and for adding authorised personnel who act on behalf of the employer. The employee can choose their own IRA plan. The banking services required by the platform are handled through integration with the Synapse banking platform in North America.
Hence the proposed financial platform consists of the following three layers:
- User Interface Layer
- API Layer
- Banking Integration
Developing an application for banking can be seriously challenging. Cybersecurity, online payment solutions, authentication, UX/UI and many other elements must integrate seamlessly for a banking app to be both functional and competitive. One of the major challenges in building a financial platform is security. Researchers who have examined financial apps have found weaknesses such as a lack of binary protections, insecure data storage, unintended data leakage and weak encryption. Apps without binary protections can be reverse engineered or decompiled, exposing their code to analysis and tampering. Unintended data leakage means data from the financial app reaching other applications on the device. Some applications use weak encryption, allowing attackers to decrypt sensitive information. Another weakness is that many banking applications store data insecurely, sometimes in the device's local storage, which is a gift to an attacker with access to the device.
The user interface layer and the API layer were developed in-house for the financial platform, using the following technologies: the frontend is built with React JS, state management is handled with Redux, the API layer is developed in Node JS, and MongoDB is the database.
Before developing the API layer, the team separated the APIs into banking and non-banking APIs.
Non-banking APIs were developed using GraphQL. GraphQL is a query language for APIs and a server-side runtime for executing queries against a type system you define for your data. Choosing GraphQL gives an API that is easy to design and pleasant to consume. A GraphQL API can access datastores directly, but for most use cases it acts as a data aggregator and abstraction layer that improves development velocity, performance and developer experience. It also has two security advantages over a plain JSON REST API: a strongly typed schema (an argument declared as Int can never arrive as a string or an object, so a whole class of type-confusion bugs disappears) and the ability to define precisely the data clients may request, so a response never carries fields the schema did not expose. Both advantages are only as strong as the resolvers behind them: the type system does not sanitise the values a resolver passes into a database query, and field-level authorisation still has to be enforced in the resolvers, otherwise a client can ask for fields it should not see. GraphQL APIs can be tested with GraphQL Playground, a graphical, interactive, in-browser IDE for exploring GraphQL.
We used SynapseFI to develop the banking services of the financial platform. SynapseFI is a banking platform that enables companies to provide financial products to their customers for a fraction of the cost of traditional banks. It provides payment, deposit, lending and investment services as APIs to financial technology companies, which in turn launch consumer-facing financial services. Synapse places heavy emphasis on adherence to security and compliance standards, and helps us maintain compliance by making sure that (1) our platform has the proper authorisations and disclosures in place; (2) our application has a strong Customer Identification Program; and (3) the flow of funds managed by our application is legitimate and acceptable to regulatory standards.
For additional protection of the banking APIs, we ensured that there are no direct calls from the user interface layer to the banking API layer. Instead, we developed an API wrapper layer that sits between the frontend and the banking APIs. The frontend calls the backend (non-banking) APIs for financial data, and the backend then calls the Synapse APIs. This arrangement keeps the banking credentials on the server rather than in the browser, lets the backend validate and authorise every request before it reaches Synapse, and lets it return only the fields the UI actually needs, which is what makes the platform more secure than a frontend that talks to the banking API directly.
Implementing Security for Financial Platform
The following section details how security was implemented in the application, layer by layer.
1. Data at Rest
The database is MongoDB, so the injection risk at this layer is NoSQL (query-operator) injection rather than SQL injection. We prevent it by building queries through the data-access (ODM) layer with validated, plainly typed parameters, rather than passing client-supplied objects straight into query filters. Sensitive data handled by the backend is encrypted with AES-256 before it is stored. We also keep audit trails.
2. Data in Transit
- In addition to TLS, the entire JSON payload is encrypted at the application layer with AES-256. This is defence in depth, not a substitute for TLS: a symmetric key that the browser must hold is readable by anyone who can read the JavaScript bundle, so TLS remains the control that protects data from a network attacker.
- JWT authentication for API calls and for server-to-server authorisation.
- TLS (HTTPS) with a valid certificate on every endpoint.
3. Client-Side
- AES-256 is used for API payload encryption.
- Sessions are managed with JWTs.
- No cookies are used by the financial platform. The JWT is therefore held and attached to requests by the frontend code itself, which makes protecting it from cross-site scripting (through strict output encoding) and keeping its lifetime short especially important.
4. Code
Cabot followed OWASP security guidance while developing the financial platform. Inputs to the system are validated and outputs are encoded for the context they are rendered in. Authentication is required for all pages and resources except those specifically intended to be public. Password management and session management are implemented following OWASP recommendations.
Conclusion
As a leading custom software development company, Cabot develops innovative solutions that help organisations build secure banking applications. At Cabot, we focus on building robust applications that protect customer data and financial transactions.
Want to deliver the Best Banking Application Experience? We have the perfect solution for you! Contact Us Today!