As I wrote in my prior blog post “IT challenges -according to CTO“, there are so many intricate challenges that I had to divide them into two seperate blog posts. So moving on from speed and reliability to even more complex issues that demand hard work to solve. Therefore, it’s inevitable to bring up regulations and compliance.
Following a couple of financial crisis, taking off with Lehman Brothers’ collapse back in 2008, the European financial regulators have really waken up driving ambitions to protect both the global financial system and the end investor. And boy, they really are ambitious! Experiencing a virtual tsunami of banking rules and regulations emerging from Brussels, the domestic FSAs in the Nordics stretch to outdo each other to be best in show. This dense regulatory landscape certainly adds challenges for us when it comes to driving tech innovation. Now, you might think “OMG, this really bores the shit out of me”, but once having perceived these boundary conditions you soon realize that you’re facing an option. You just have to be smarter than your peers to turn these burdens into competitive advantages. To tackle this, naturally we need brains that not just happily hack together plastic padding at minimum effort, but really put thought into our solutions and ensure that we are compliant enough not to break any rules, but also use all good tech stuff ever available to maximize opportunity.
Real cases: nExt API and Shareville integration
nExt API is our public financial API publishing methods for portfolio overview, order management, market data subscriptions, e.t.c. When launching this a couple of years ago, we were the first bank in the Nordics offering this service – and to my knowledge we still are. The tech dimension is pretty straight forward with a nice and easy Erlang implementation, but the regulatory one is not. Every new type of integration through nExt, especially when it comes to external parties who are not under FSA supervision, causes loads of healthy headaches among our legal department making sure we stay within legal boundaries. Interesting players lightly integrated up to now include Shareville, Infront and a couple of free riding Swedish algo cowboys. Soon the service will be offered to private investors in the rest of the Nordics.
In our Shareville integration project, we wanted to integrate a social trading platform (not under any FSA regulation) to the Nordnet platform. It would enable users who wanted to deal with real money in their social portfolios to do just that. The setup outlined retail trading accounts on Nordnet published on the Shareville site, where the accounts become public and any action operating on this account is displayed to all Shareville member who might be interested in this particular portfolio. Lots of questions arose, since we after all are a bank:
- Are we allowed to reveal bank secrecy?
- Is an external player not under FSA supervision allowed to store Nordnet customer data?
- Can Nordnet trust authentication credentials generated on another site? Etc, etc.
The answer to all these question turned out to be big NO’s. And we badly wanted to make something kick butt out of this thing. So there had to be some really serious thinking.
The problem solving
Bank secrecy was tackled by normalizing all relevant data, i.e. you cannot see how much money or volume of the positions other Shareville portfolios contain, only relative numbers are displayed. To avoid revealing the true identity of the Shareville users, a short ttm session token exchange mechanism was hacked together and integrated with our OAuth2 authentication method – that also had to be put in place to ensure a safe mutual login from Shareville to Nordnet.
To ensure that the sensitive Nordnet customer data stays on Nordnet and doesn’t leak out to Shareville servers, we had to find a way to encapsulate this data in the browser. It would prevent it from popping away elsewhere, and after some serious pondering we chose CORS as the mechanism to use.
Secure order entry was, after quite a serious battle among our different stakeholders, finally handled by old proven iFrames… bank secrecy and information security again! Sometimes the sexy high tech stuff will obviously have to stand back…
Well, the above is just to illustrate some of the additional efforts needed when being a bank hacker compared to other, less regulated and demanding, tech businesses. We really have to use quite a bit of what technology can provide to find solutions fit for the financial scene. It requires that you, as a hacker, really elaborate solutions that disrupt the banking landscape. Once there, when the stuff is deployed, bombed by intrusion, security tests and regulatory auditors, etc. and the hacks are really used by customers and proven working, THEN you end up with a cool tool kit enabling going forward as a key player. Components enabling usage of Nordnet authentication to login to other sites, export financial management tools to other players and ensuring data integrity & secrecy in web solutions together with external peers are just yummie!
Only God knows what will come next…. to be continued!