Ensuring trust in our cloud banking platform

Blog post by Thomas Bachmann & Tea Jioshvili

Many Mambu customers operate in highly regulated environments. This means abiding by the regulatory authorities' specific rules regarding the protection of end customers' access to services and the security of personal and financial information. We aim to arm prospective customers with knowledge about the most pressing topics related to compliance with financial regulations.

Partnership

Mambu's service approach is not just to be a service provider, but a trusted partner for our customers. When delivering our services, we always strive to provide them with at least the same quality attributes as if the service were managed in-house. Further, we allow our customers to stay in control of the outsourced service. In our contracts we therefore define release notification procedures, timelines, and objection criteria so that our customers remain in control over changes to the service. What's more, we offer test environments where new versions are made available prior to being promoted to production, provide support and availability SLAs, and also offer Data Processing Agreements (DPAs) that clarify Mambu's role as a data processor and not a controller.

Transparency

When outsourcing critical systems, regulatory authorities typically demand that a risk assessment for the outsourced activity is performed and that regulatory obligations cannot be delegated to the outsourcer. At Mambu we support our customers' risk assessments, due diligence and obligations to supervise outsourced activities. For instance, we provide access to documented information on internal processes and policies, contract templates, external security certifications and audit reports, service performance metrics, external assurances on disaster recovery tests, etc. We also understand that for financial institutions and their regulatory authorities it's critical to have effective access to the data and business premises of a material outsourcer. Therefore we provide audit and inspection rights to our business premises, or those of our sub-processors, that are involved in the processing of customers' personal and financial information.

Risk management and internal audits

Mambu's risk management framework is established to help us identify existing pitfalls, foresee potential ones, and plan and implement measures for their mitigation. Therefore, to protect our customers and their end clients' / consumers' information, we perform regular and ad-hoc risk assessments that focus on security aspects such as the confidentiality, integrity and availability of processed data, but also the availability of the internal processes, systems, people and third parties required to deliver our services.

Mambu's risk management framework and activities are maintained and externally certified against the ISO/IEC 27001 standard as part of Mambu's Information Security Management System. This system covers all 114 organizational and technical security controls of the ISO standard, ranging from employee screening, physical access control, and internal auditing to network segregation. The effectiveness of these controls is regularly tested as part of Mambu's audit program, which, along with internal system audits and external certification audits against the ISO/IEC 27001 international standard, also includes external penetration tests twice a year, focusing on the network and web application security of our services.

Shared responsibility

Regulated financial institutions are usually responsible and accountable for the end-to-end compliance of their services. Mambu supports its customers in meeting their financial and security obligations by providing a configurable solution that is highly available and secure. That is why, to deliver its services, Mambu relies on its infrastructure service providers to offer reliable (under SLA) and configurable infrastructure with monitoring capabilities built in.

Business continuity

As a critical service provider for regulated financial institutions, we understand the importance of having a strong Business Continuity Program in place. Our approach to handling outsourcing risks includes developing appropriate business continuity strategies, documenting and maintaining internal business continuity and disaster recovery plans, and performing regular end-to-end tests to demonstrate that we meet the guaranteed Recovery Time and Recovery Point Objectives (RTO/RPO). Furthermore, as part of our business continuity program, we offer our customers backup APIs, for effective access to their data, and a source code escrow service. The latter provides assurance that our customers will have access to the deposited material, which includes Mambu source code and critical documentation, along with an EaaS verification test report. The report is produced by a third party and provides step-by-step guidance on how to rebuild the Mambu solution on Amazon Web Services using only the deposited material.

Stay tuned, as we'll publish further articles about the technical measures we apply to protect our customers' information, the data leakage prevention mechanisms we employ, how our risk management framework and tooling work, and more.

See also: Cloud banking platform and Security and compliance for further information.

About the author

Thomas Bachmann is Mambu's Chief Information Security Officer (CISO). He has a background in business information systems and software engineering, a genuine interest in information security and privacy, and gained professional experience at IBM and Mambu by building up teams around software development, cloud operations, internal IT and, lately, security. Tea Jioshvili is Head of Compliance at Mambu. She has a background in business continuity and risk management and gained professional experience at FINCA International and JSC Bank of Georgia before building up Compliance at Mambu.