Privacy and security are not optional in MVPs

Catalina Munteanu Engineering Manager

Software has been around for some time, but it was the explosion of mobile phones that changed the dynamic and timeline of building new products. In Europe alone, fintech app usage is up 72% since the start of the pandemic.

This is taken from our Unfiltered newsletter.

Since the 2010s it has become clear that mobile applications can reach more customers and offer better time exposure. Early on it was a territory for social apps, but it quickly branched into established, heavily regulated markets like finance.

In these markets technology has run behind for decades. Anyone that can quickly spin up something and release it into the world to see if it sorts an issue has the potential to tap into billions.

When security takes second place to quality

We are in the middle of a revolution: neobanks like Monzo and Chime are growing, Coinbase is normalising cryptocurrency purchases, Robinhood is opening the doors for retail investors and Lemonade is knocking at the door of insurance.

Everybody wants in and there is real pressure to deliver a prototype to the market very fast. This type of pressure is what causes our news feed to buzz with reports of data breaches, privacy infringements and security concerns. Anyone remember the Dave banking app third-party data breach from last summer? Or the Capital One major breach in the summer of 2019? Or how surprised we were to find out that the Ring app exposed the location and home addresses of its users?

Most of the names mentioned above are new products or new technology used in established companies. They are born as MVPs rushed to market to see if “they catch”. To achieve this speed, companies cut all sorts of corners and if the prototype is successful, suddenly they have no time to uncut those corners.

A recent study by ImmuniWeb reveals that, despite being well-funded, 98% of the world’s top 100 fintech startups are vulnerable to web and mobile application attacks. 100% of them have security, privacy, and compliance issues relating to abandoned or forgotten web applications, application programming interfaces (APIs) and sub-domains. All of the fintech mobile apps tested in the research contained at least one security vulnerability of medium risk, while 97% had at least two medium or high-risk vulnerabilities.

The issue of reputation

We can’t pretend the only perception issue here is with the companies that appear in the news. It’s impacting the industry as a whole. A recent 11:FS report (in association with Mitek) unpacks the issue of trust in digital interactions. It shows that trust in the tech industry declined by 6% in 2020 alone, due in no small part to just the type of security breaches we’re talking about here.

The financial services industry is, perhaps surprisingly, in a better position, with trust having risen 8% in recent years. But the industry is sure to lose that trust even faster than it was gained if businesses don’t take active steps to prioritise security in their MVPs.

My unfiltered opinion

My experience of building MVPs for highly regulated markets is that there are corners you never cut.

Teams skip the investigation prior to choosing their third-party integrations. This is something so basic and so deeply rooted in a product that getting it wrong at the beginning means you will later have to rewrite most of the systems to correct it.

Compliance is often not considered. A lack of compliance cannot be hidden, and correcting the already finished product is going to be two times more costly.

Accessibility gets ignored for no good reason other than lack of understanding of the consequences. If it is not baked in from the beginning, it will be close to impossible to add it later.

Security, encrypting traffic, developers' access to production data, and ways of working that mitigate it are also fundamental elements of an MVP.

Companies need to stop acting like they can get away with it, because recent history has proven them wrong. MVPs need to have basic elements and that is not negotiable.