Fintech companies have become important payment and e-money services providers in helping businesses and individuals manage their payments, cards, and currency exchange in their day-to-day activities. Every new technological advancement in Fintech gives birth to more and more functionality, freedom, and affordability which was not available 10 years ago. Such advancements do not come without their drawbacks. The amount of data that must be operated on a daily, hourly basis, or even within a second, can become overwhelming, leading to mistakes and inaccuracies that can bring detrimental effects to any Fintech business.
Outsourcing provides the Fintech industry with a plethora of advantages that enable start-ups to grow quickly. The outsourcing of important applications and functions in Fintech has become an outstanding way to handle the overwhelming information technology, application development, and maintenance tasks. However, management of the outsourced functions and applications does not come without concerns, which we’ll discuss today.
PSP Lab is a pan-European consulting firm that provides an array of services for the Fintech industry, focusing on the regulatory authorisations and ongoing regulatory compliance. We were thrilled to sit down with Dmitrijus Apockinas, managing partner of PSP Lab, to discuss some of the techniques that Fintechs can and, in PSP’s opinion, should employ for the management of the outsourcing, the pros and cons of outsourcing, the best way to build a hybrid IT development team, and how all the challenges above can be addressed.
PSP Lab partners and associates have first-hand experience in establishing, licensing, and developing PayTech businesses, which is what sets them apart. Dmitrijus’s 20-year career in payments is the best illustration of their professionalism. His background includes positions such as top manager, vice president, CEO, and board member of three different banks and two mutual fund management companies, chief operating officer of a NASDAQ-listed US payments company, and director of a UK PayTech company, which he developed from scratch.
Currently, around 70–80% of the start-ups in the payments and electronic money space outsource critical components of their information technology systems, such as card issuing and acquiring gateways, core banking/payment systems, customer biometric identification, various AML, CTF, PEP, and sanction screening solutions, as well as applications for customer and transaction risk scoring. So, the types of different software that can now be outsourced are endless. In some circumstances, we are observing electronic monetary institutions using up to ten various outsourced applications.
In 2022, most payment institutions and electronic money institutions launching their transactional banking or remittance business from scratch are opting for the best core banking software for non-bank PSPs, which usually also includes a web banking portal and mobile apps that are white-labelled to the PSPs. Opting for the white label solution allows the non-bank PSPs to launch their products and services in a very short period, without having to spend years and millions of euros on the development of their own core payment system. Time to market is critical; therefore, an outsourced solution is the only feasible way to launch the service quickly.
However, there are several issues we face when outsourcing. First of all, no outsourced solution is perfect, and so the Fintech start-ups will have to spend time and money to tweak the outsourced solution so that it satisfies their needs. A good example would be the ‘Buy Now, Pay Later’ business model, as it is based around an e-commerce gateway. If the company is using an outsourced gateway, it will have to be modified so that it can recurrently charge the buyer on the pre-agreed dates. Another concern is the matter of data protection, particularly sensitive payment data protection, because this data may be accessible by the members of the outsourcing vendor team.
First and foremost, data protection must be complied with at all times. In the UK, for example, 5 years after the business relationship has been terminated, the PSP must ensure that customer data has been removed or anonymised from the outsourced vendor systems. So, imagine the difficulty it poses when using ten different systems, because you’ll have to follow up with every vendor to make sure all data has been removed, which can be very difficult to carry out in some circumstances. Fintechs, therefore, must ensure that the vendor doesn’t have the means to access sensitive payment data. It is possible to limit the vendor’s access to the live database by providing them access to the testing database, but only after removing the actual payment data.
There are several reasons for that, but we must start with the benefits to highlight these points. The primary benefit is, without doubt, the shorter time to market. The decision to outsource is usually taken once a start-up realises the development of its own core payment system will take years. If the start-up knows that their business opportunity is now, that their competitive advantage is at that moment as opposed to tomorrow, it is then far better to outsource their core payment system.
The second benefit is that developing one’s own core system is very costly and requires a highly detailed technical specification. To implement this, a start-up must have the following resources: team members or external consultants competent in product and product life cycle, operations, accounting, regulatory compliance, clearing and settlement systems, card issuance, or card acquiring. Considering the necessity of such resources, the budget for such core development can easily exceed 1.5 million euros. And so, if a start-up’s products and services can be developed on top of the existing core, I believe it is a wise decision to outsource the core.
With regard to regulatory authorisations, the regulator will be far more convinced of a start-up’s ability to develop and roll out products and services if the start-up uses a reputable core platform developer, as opposed to developing its own system. It will be far easier for the regulator to assess the application where an existing core payments system is used.
Several risks come with outsourcing, one of which is data protection concerns, as very often core platform developers will have access to the live platforms to fix issues and bugs. Second is the speed at which new products and services are being developed and the speed of integrations with the start-up’s third-party providers. In most cases, you will not be the only client of the core platform developer. Therefore, the number and availability of the IT engineers they can provide you with could be insufficient for your needs and, therefore, create more delays. The cost of the development of the products and services and the cost of these integrations is an additional risk. As core platform developers tend to price their services at an hourly rate, the cost can quickly get out of hand. Therefore, it is recommended to have a fixed quote before commissioning any additional development.
For a start-up that is offering a unique business model, developing its own core system is far more advantageous. Often, the customization of the system will come at a huge cost, so none of the existing core payment systems will manage to satisfy these start-ups’ requirements.
Another scenario is when the start-up creates a business model where the value is made primarily by the core payment system. Take, for example, banking-as-a-service companies such as Modulr or Railsbank. Their business offers are so unique that using an already existing core payment platform is rendered impossible. Therefore, their proprietary record payments platforms become an advantage in their own right. Lastly, sometimes companies have a specific intention to grow their business to a certain level in order for it to, someday, be sold to a strategic investor or a competitor. Therefore, in this case, the proprietary core payment system by default becomes a significant component of the company’s value, meaning it is vital for it to be developed.
The developers’ expertise in the core platform is still needed, and it’s impossible to get around this. So a hybrid team formula is, in many ways, the best solution. An outsourced team maintains and improves the outsourced solution, and the internal team is developing different products and services on top of it.
Time, expertise, and money are some of the primary concerns. Suppose a start-up decides to build its own core payments platform. In that case, expertise is a component that isn’t easily acquired, and the number of specialists who have made similar systems in a compliant manner is, to say the least, limited. Imagine the cost of adding on top: accounting specialists, regulatory compliance and reporting specialists, and other required staff who are skilled in certain faster payment services. Thus, there are numerous limitations, and as a minimum, to make it work, you would need 5-10 specialists with different areas of expertise and knowledge.
The best indication of the safety and security of the developer and their products we have found to date is that the outsourcing vendor must be compliant and follow ISO 27001 standards. The vendor should conduct periodic audits of their systems and controls and maintain compliance with ISO 27001. Additionally, a Fintech company should order vulnerability and penetration testing of outsourced applications on a recurring basis, and third-party cyber security specialists should be in charge of such testing.
A very crucial component whenever choosing a partner is honesty and integrity. Honesty is something you can track from the first day of a new working relationship, and I always recommend that Fintech companies stick with vendors they deem honest. Even if the company hasn’t got an ISO 27001 certification, it by no means prevents you from entering into an agreement with them. It would help if you always asked for the vendor’s internal procedures and documents that can help you decide whether you can trust them. An honest vendor will always be willing to provide you with the necessary documents and evidence that their systems, controls, and applications are compliant and secure. Even in the instance of a vendor not being certified but having certain processes in place to ensure data security, it shows that the vendor possesses the right values and strategy and, therefore, can be trusted.
Undoubtedly, the payment/e-money services provider bears the responsibility for this issue. At the same time, the Fintech company must ensure full control over the data, especially sensitive payment data. One must also consider the compliance and contractual obligations governed by the agreement with your vendors. The Fintech’s IT security specialist must oversee the process and the compliance of security and financial data crime prevention. The Fintech’s data protection officer should highlight the need to remove or anonymize customers’ data after its five-year expiry date. There might be a need to hire external compliance consultants like PSP Lab, due to the need for professionals who can meticulously follow up on all the provisions in the agreement whilst ensuring your vendor is compliant with your obligations.
It’s a complex question, as the primary concern is choosing the right outsourced solution that can address your current needs, yet one that would accommodate any future development. Therefore, the more time spent on demo testing the different software, the better, because it provides a better understanding of its capabilities. For example, you may find out during the demo that a certain core payment system does not support internal accounting, resulting in the need to export that data into accounting software such as Xero, FreeAgent, or QuickBooks. This must be done whilst having two systems in parallel so that you can manage your business. Also, it is very important to have a comprehensive agreement with the developers working on the outsourced core platform, as this can prevent any future misunderstandings.
PSPs should insist on receiving quotes before any additional development is commissioned to ensure that IT development expenses do not exceed the budgeted targets. If a contract consists of only hourly rates, this can therefore create additional challenges to this process. Agreements should also cover any concerns over data protection and should be governed by the laws and regulations of the country in which the Fintech start-up received its authorization. It is not an easy process as different countries have different laws on data protection requirements, and additional complex factors must be considered, such as Brexit. In addition to the above, it is extremely important for a start-up to carry out due diligence on the supplier that has developed and maintains the core. This allows the start-up to ensure that there are quality control measures and assurance tools implemented by the supplier.
IT security is of utmost importance for any Fintech, so having ISO certificates and recurring recertification of ISO 27001, which is the national standard on managing information security, provides and assures the outsourcer of the quality of the developer. Therefore, investigating whether they have these must be top of the to-do list. You should also focus on developing your in-house IT team and not rely only on the outsourced core platform team. If they gradually build their understanding of the system alongside the developers, the quality of any new functionality, data security, quick recovery of the systems, and prompt resolution of bugs/issues are guaranteed. Therefore, naturally, hybrid teams are the answer.
Lastly, the outsourced core payments platform team’s access to the live platform must be limited. A mechanism should be developed in which a copy of the live system is rolled out onto, e.g., a test server, with all customer data and their payments anonymized or removed completely, which, in turn, prevents any data losses, leaks, or copies. In such a scenario, the outsourced core payments platform team will have access to this test server, without being provided with the customers’ live data or payments.
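One way to build the anonymised test copy described above, as an added Python example that is not from PSP Lab or the interview; the table layout, field names and the pseudonymisation key are assumptions. Customer identifiers are replaced with keyed pseudonyms so rows still join across tables, card and bank details are dropped rather than masked, and a gate check confirms no live value reached the copy before it is handed to the vendor.

```python
import hashlib
import hmac

# Constructed sample rows standing in for a live extract (no real customers).
LIVE_CUSTOMERS = [
    {"customer_id": "C1001", "name": "Jane Doe", "email": "jane@example.com",
     "iban": "GB00TEST00000000000001"},
    {"customer_id": "C1002", "name": "John Roe", "email": "john@example.com",
     "iban": "GB00TEST00000000000002"},
]
LIVE_PAYMENTS = [
    {"payment_id": "P1", "customer_id": "C1001", "pan": "4111111111111111",
     "amount": 125.50, "currency": "EUR"},
    {"payment_id": "P2", "customer_id": "C1001", "pan": "4111111111111111",
     "amount": 9.99, "currency": "GBP"},
]

# Hypothetical pseudonymisation secret: held by the PSP and never given to the vendor.
PSEUDONYM_KEY = b"psp-owned-secret-rotate-per-refresh"
SENSITIVE_FIELDS = ("name", "email", "iban", "pan")


def pseudonym(value: str) -> str:
    """Keyed HMAC: stable across tables (joins still work), unlinkable without the key."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def build_test_copy(customers, payments):
    """Produce the vendor-facing copy: identities pseudonymised, card/bank data dropped."""
    test_customers = [{
        "customer_id": pseudonym(c["customer_id"]),
        "name": "Customer " + pseudonym(c["customer_id"])[:6],
        "email": pseudonym(c["email"]) + "@test.invalid",
        "iban": None,                                # removed outright, not masked
    } for c in customers]
    test_payments = [{
        "payment_id": pseudonym(p["payment_id"]),
        "customer_id": pseudonym(p["customer_id"]),  # same key, so the join key matches
        "pan": None,                                 # card number never reaches test
        "amount": p["amount"],                       # amounts kept for realistic testing
        "currency": p["currency"],
    } for p in payments]
    return test_customers, test_payments


def leaked_values(live_rows, test_rows):
    """Refresh gate: any live sensitive value appearing anywhere in the copy is a leak."""
    live = {str(r[f]) for r in live_rows for f in SENSITIVE_FIELDS if r.get(f)}
    found = {str(v) for r in test_rows for v in r.values()}
    return live & found
```

Run `leaked_values` on every refresh and refuse to publish the copy to the test server unless it returns an empty set.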