Romania’s Forerunner in Blockchain-Enabled Neobanking

The Company names <Co.X and Cript.X> in this material are fictitious, in order to respect the companies’ desire for anonymity.

The Forerunner.

Co.X became a precursor of fintech in Romania after it welcomed in new shareholders and a CEO. As the country’s first electronic money (e-money) institution, it also became the first Romanian acquirer to facilitate and process payments with EEA (European Economic Area) merchants; doing so directly with Visa and Mastercard card schemes.

As COVID drove more businesses online, Co.X expanded and diversified their portfolio of clients and projects, bridging the gap between traditional finance and fintech, so that more fiat users could access virtual assets. This required them to obtain more stringent card scheme licenses that kept transaction risks in check. On the heels of this development momentum, the company’s valuation was pegged at over €52 million by the end of 2020. This opened an M&A opportunity that brought in a major shareholder, Cript.X, to pursue more innovative paths.

The Innovation.

Cript.X was a blockchain startup that wanted to be a bridge between blockchain cryptocurrency and the traditional financial rails. Co.X offered them the regulated financial company and experience they needed to do this. They also acquired a VASP (virtual assets service provider) in Portugal, licensed to swap crypto money and fiat.

Now all they had to do was turn their vision of building a fintech product into reality – one that enables their two million non-custodial crypto wallet holders to use crypto money to make payments within one banking system and one app. The users would not have to go through third parties or open different accounts, enriching their experience further. Everything would be done in-house by Co.X, who naturally assumed the driver’s seat for this new business.

The benefit to Cript.X was clearly expanded usability for their cryptocurrency towards driving up its value as a stablecoin. As for Co.X, it was an innovation that served up new transaction and revenue possibilities for customers, aside from being the first neobank to be blockchain-enabled.

There were two crucial aspects necessary for the envisioned product. The first included facilitating a seamless user experience for the online onboarding (the KYC or Know Your Customer protocol) and service activation process. The second was to ensure a robust and scalable cybersecurity compliant neobanking system that would instill regulatory and market confidence.

The Challenge.

Due to crypto’s volatility, the advancement of blockchain and the anticipation of new EU regulations, Co.X had to capitalize on a first-mover advantage and build a credible, enterprise-grade banking product. This proved to be rather complicated to define as the product had no precedents in Europe, while market and industry indicators were less than encouraging.

At the time, everything associated with blockchain and crypto had a bad reputation with close to zero chances of generating regulatory confidence. It was crucial to demonstrate to the national banking authority that everything was above board. Secondly, because the product would be the first of its kind, there was no way to accurately estimate how long it would take to build, much less prove its secure and reliable viability on paper to obtain approvals.

To Co.X CEO, a veteran in the business, instilling trust among the regulatory players was the most important priority. The intended neobanking business and product’s existence were dependent on full compliance to competitively go to market. Although he convinced the shareholders to set a timeline of three years, he estimated the real window of opportunity to be shorter to gain a competitive edge and get the needed authorization.

The third challenge and by far the most complicated, was to build a cohesive and collaborative team to make it happen. Developing and integrating the different parts into building a core digital banking system was hard enough. Add the integration of blockchain crypto systems, new physical and virtual card issuance and management systems, and combine all that with security, regulatory and operational compliance, anything that could go wrong very quickly multiplies. In fact, at any one time during the different project phases, eight to ten service providers were involved, each with their own internal and technical teams, and their own way of doing.

Co.X wanted key partners who could drive the project and work with them towards their vision, their urgency, their industry context, and their potential risks, while steering the other partners with their teams and technologies or APIs into a bigger whole. As far as the CEO was concerned, this was the make-or-break factor to go to market in the shortest time possible.

The Solution.

Co.X carried out an initial business analysis that helped them map out the entire product and its interdependencies. Following this, they decided to build an MVP (minimum viable product) pilot that would demonstrate to the national authorities its integral viability to facilitate high-volume transactions and move money around in crypto and fiat money.

Pivotal to this process and a successful roll out were two service partners that the company was careful to select – one for the frontend and one for the backend. For the frontend systems of payment processing directly with Visa or Mastercard, Co.X worked with SIBS Romania, a European reference that was plugged into the Romanian banking ecosystem. SIBS was tasked with developing Co.X’s highly customized processing platform, as well as managing the card issuing (including 3D Secure) and personalization processes.

“SIBS was a main driver for the project because the card processor is one of the most important elements to our setup. Considering that mobile devices are the most susceptible to fraud, we wanted a partner who understood security and anti-fraud measures. They also took care of card manufacturing and personalization, as well as managed our customer service call center”, explained the CEO.

For the backend system which was really the core banking system that ran and held the whole business and product operations together, Co.X awarded the project, through an RFP, to Zitec, a bespoke software engineering and digital transformation service provider.

“Although pricing and timeline were part of our selection criteria, ultimately, they were not the differentiators for our choice. We decided on Zitec for their people, their no-nonsense approach and their team’s technical maturity in dealing with a complex high-stakes project,” said the CEO.

Zitec, known for their highly flexible and technically versatile teams, also demonstrated proven experience in developing and integrating to fintech regulatory compliance and standards, clinching them the deal. They did not only bring technology and project management know-how, but they also had practical knowledge of PCI-DSS, ISO 27001 and ISO 8583, to name a few.

Zitec-flexible-technically-versatile-teams-color

The Core.

The full extent of fintech intricacies is rarely visible or simple. Contrary to what most people expect, transaction speed is not a top criterion. Precision and predictability are.

Fintech customers don’t expect to lose money, nor do they expect to approximate money, e.g. no sum is rounded up to the closest decimal point when it comes to an account holder’s money. The accuracy in moving or manipulating the exact sum that’s needed may sound easy enough to understand. However, when it is translated into moving volumes across a web of digital networks, held up by layers of complex software and cloud computing applications, and integrated into different system languages, the risks multiply.

The system is built on purpose to not create a different result even when it receives repetitive signals or actions. This prevents double charging a consumer or duplicating payments to a merchant. In parallel, the system or systems have to be able to handle transaction volumes that might fluctuate and surge under millions of active users within seconds. Any round-the-clock, high-volume, and highly regulated type of online transactions will need to ensure systems resilience for this, and for withstanding downtimes or cybersecurity threats.

Zitec worked hand in hand with Co.X to manage the different integrations and build necessary workarounds, particularly in three strategic areas to keep the project on track.

System Integrations, Simulations and Testing

Dealing with novelty required that the Co.X - Zitec team implement with high levels of abstraction, while being flexible enough to pivot with constantly moving targets. The fully automated digital process required business decisions at every turn that impacted multiple layers of interdependencies. They ranged from how many currencies and which, what range and types of transactions, to ways for evaluating or checking user accounts, vetting procedures for onboarding users and what the risk matrix would look like, and so on.

It was also necessary to simulate the workings of the frontend systems and app by SIBS that was to be crypto-enabled and be integrated later to formulate a working hypothesis for the core. Capitalizing on Node.JS’ competency among others, Zitec was able to simulate a high-scale application that could support interoperability from several concurrent requests as though the service was really running. Meeting SIBS’ product specifications, fully aligned with PCI/mc/v standards, tests were carried out against standards like ISO 8583 that looked at electronic transactions exchanges initiated by multiple cardholders using payment cards.

Another aspect of testing that Zitec handled was PCI-DSS compliant penetration testing (pen test) for cybersecurity. Co.X broke with the norm and wanted two pen tests, one for Romania and one for the UK to be extra safe. Typically, PCI-DSS compliance requires only one test per year, and not for a newly deployed MVP.

Ensuring Digital Layers Serve the Business

Co.X’s operational expectations was to be able to handle 1.7 million active users and three million card transactions, whereby 99% of them could be served in less than a second. These were met and exceeded to hold up under transaction volumes, back-ups and redundancies, service level speeds, performance uptime and multichannel system resilience.

The entire core system was ensured to run on an uptime of over 99.95%, capable of withstanding multiple degrees of machine failures. For example, if the data center that included a Kubernetes cluster went down, the mobile app and payment systems would continue to run. Security aspects such as KYC and AML compliance integration for user onboarding were incorporated and applied to the administrative interface that included essential multi-factor authentication.

Meeting Regulatory Demands

Being the first of its kind in Romania, much of the reporting for regulatory compliance had to be learnt while doing. There were no direct interconnections with the national regulator and all expected reports had to be carried out manually.

Additionally, when digital user onboarding happens, the assumption is to share the KYC with other interdependent systems like those of SIBS. In this case, the local regulator stepped in and required that a native KYC protocol be developed in the core system itself for each user onboarding and be incorporated into the reporting.

Zitec, in collaboration with SIBS, handled and simplified this by building into the system the ability to generate daily reporting of transactions for communicating to the authorities.

Zitec-collaboration-SIBS

The Results.

Co.X’s neobanking product was rolled out officially in 12 months, cutting all expected timelines by more than half. For one, Co.X was ready to notify the National Bank of Romania after a mere seven months to kick start the pilot. The CEO considered this to be a huge milestone as “banking MVPs typically take about 18 months on average even when investments are 10 times more”.

Within five months of launch, Co.X had garnered over 40,000 customer accounts, proving system scalability and resilience despite high traffic of simultaneous user onboardings. Reviews on Google Play and Apple have shown stellar customer experience, giving it 4.8 to 4.9 stars respectively.

The single KYC (Know Your Customer) onboarding protocol shared within the group for all users ensured that a customer can instantly create an account, be issued a card and activate swaps – all within two minutes. Additionally, the last pen test appeared to have withstood 99% of cyber-attacks.

Concluding Observations.

The project’s conclusion can perhaps be summed up through this observation by Co.X CEO.

“I’m usually an avid supporter of digital products built in-house, but in this case, what Zitec brought to the project was far more valuable and cost-effective than anything we could have pulled together on our own. It wasn’t just programming skills we needed, but infrastructure teams and competencies, product management and testing, as well as a ready and experienced team who understood our urgency without unrealistic promises.

Even with the best CVs and recommendations, it would have taken time and money to ramp up a team with no guarantees of team cohesion, let alone be capable of hitting the ground running with all the different partners.

From firsthand experience, full control and anticipation of difficulties that arise in a high-stakes project are near impossible. The discrepancies between theory and practice tend to show up at the worst moments. Zitec understood this and made their role part of our solution as much as being our service partner. What they built has become a cybersecurity compliant backbone that our internal teams can take full control of and confidently scale to grow our neobanking business.” CEO

With over two decades of experience in building bespoke on-time and on-target digital solutions that address companies' complex digital transformation needs in Financial Services, we're dedicated to revolutionizing the fintech landscape by addressing the industry's most pressing challenges. Choose us as your Fintech growth partner of choice.