Neobanks help innovate payments, but there's also a security risk


One of the industry’s responses to a decade of fast-paced technological growth, neobanks defy traditional banking by foregoing physical branches and betting everything on digital.

These customer-centric banks focus on delivering a holistic service for payments and money management to consumers who value the convenience of managing their finances and payments on the go and at a glance.

For a long time, neobanks lagged behind traditional banks when it came to payments. However, these fintechs have evolved rapidly on this dimension, adding features that enable users to pay people nearby, send payment requests, and offer support for services like Apple Pay and Google Pay. This progress has enabled neobanks to match incumbents on the payments front while staying ahead on several others.

Today, 73% of all consumer interactions with banks are done digitally. While traditional banks have invested in their own web and mobile platforms, they still fail to catch up with the capability of their neo-counterparts. On average, neobanking apps add nearly double the number of new features and deliver almost three times more app updates per year when compared with traditional banking apps. They also excel in terms of performance, running 42% faster than incumbents. It’s not at all surprising that this focus on the customer experience has resulted in user satisfaction ratings for neobanks in the US (90%) being much higher than those of traditional banks (66%).

The technological flexibility of neobanks derives from not having to rely on legacy banking systems, which typically equate to 70% of IT budget spending at traditional banks. By instead investing in cloud-based infrastructure and relying on highly advanced web and mobile applications using modern JavaScript frameworks such as React Native, neobanks bring product development cost and time down, paving the way for rapid iteration and innovation. This is greatly aided by relying on third-party integrations instead of having to develop every piece of code in-house.

There’s no denying that this flexibility becomes one of the biggest assets for neobanks; however, in software development, we know that pursuing agility and speed often means wider security gaps. In fact, neobanks’ IT approach leads to two sobering attack dimensions: attacks on JavaScript code and client-side security threats.

Attacks on JavaScript are especially relevant to neobanks because, as mentioned, their web and mobile apps constitute a key business asset. By exploiting the exposed nature of client-side JavaScript, malicious users have a free pass to analyze the whole code and explore its functionality to their benefit. This can mean a competitor uncovering proprietary business logic or an attacker tampering with web forms to trick users and steal their credentials and data.
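As an added illustration of the form tampering described above (not code from the article or from any vendor), the following JavaScript compares a form observed in the page against a baseline recorded at build time and reports a changed submission target or injected fields. The origin, form id, field names and sample forms are constructed assumptions.

```javascript
// Added example. All origins, ids and field names are constructed.
const ALLOWED_ORIGINS = new Set(["https://app.neobank.example"]);

// Baseline recorded at build time: form id -> expected action and fields.
const BASELINE = {
  login: {
    action: "https://app.neobank.example/session",
    fields: ["username", "password"],
  },
};

// Compare one observed form with its baseline entry; return a list of findings.
function auditForm(form, baseline = BASELINE, allowed = ALLOWED_ORIGINS) {
  const expected = baseline[form.id];
  if (!expected) return [`unknown form "${form.id}"`];

  let origin;
  try {
    origin = new URL(form.action).origin;
  } catch {
    return [`unparseable action "${form.action}"`];
  }

  const findings = [];
  if (!allowed.has(origin)) {
    findings.push(`action posts to unapproved origin ${origin}`);
  } else if (form.action !== expected.action) {
    findings.push(`action changed to ${form.action}`);
  }
  for (const name of form.fields) {
    if (!expected.fields.includes(name)) findings.push(`unexpected field "${name}"`);
  }
  for (const name of expected.fields) {
    if (!form.fields.includes(name)) findings.push(`missing field "${name}"`);
  }
  return findings;
}

// Constructed samples: the form as shipped, and the same form after tampering.
const cleanForm = { id: "login", action: BASELINE.login.action, fields: ["username", "password"] };
const tamperedForm = {
  id: "login",
  action: "https://unknown-host.example/session",
  fields: ["username", "password", "card_pin"],
};

console.log(auditForm(cleanForm));    // no findings
console.log(auditForm(tamperedForm)); // unapproved origin plus injected field
```

In a browser, the observed object would be built from the live form element (its `action` and the `name` of each element) and re-audited from a `MutationObserver` callback, with findings reported to the server.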

Every single institution with a web banking platform is ultimately making client-side security a priority. Several of these neobanks gravitate to JavaScript-powered applications at a very early phase of the business, causing management to push development teams to ensure that the code is protected from day one.

Main concerns include preventing code tampering and making sure that important algorithms are concealed and can’t be accessed. EU-based neobanks must also address PSD2 compliance. Working with these fintechs from early product development and into public release, we’ve found that the JavaScript protection process turns out to be seamless and actually brings an additional competitive advantage to these companies that seem to continuously focus on the next funding round. Keen fintech investors have come to realize that exposed JavaScript is a liability that must be addressed pre-launch and protecting JavaScript becomes a required step of the application build process.

By protecting their JavaScript and monitoring the client side, these neobanks expanded their security playbook beyond their well-built and secure servers, secure network communications, and airtight web application firewalls.
