Mobile Banking Research
Mobile Payment/Banking Application - Full Research Findings
Table of Contents
- Regulatory Requirements
- Technical Architecture
- Security & Compliance
- Market Analysis
- Key Success Factors
1. Regulatory Requirements
1.1 EU Payment Services Directive (PSD2/PSD3)
Current State (PSD2)
PSD2 has been the governing framework since 2018, establishing:
- Strong Customer Authentication (SCA) requirements
- Open Banking mandates for API access
- Liability frameworks for unauthorized transactions
- Consumer protection standards
PSD3 Transition (2025-2028)
Timeline:
- Political agreement reached: November 2025
- Formal adoption expected: Early-Mid 2026
- Transition period: 18-24 months after adoption
- Full compliance deadline: 2027-2028
Key Changes in PSD3:
- Payment Services Regulation (PSR): Directly applicable across EU (no local transposition needed)
- Enhanced SCA: Stronger identity verification, tighter exemption management
- Fraud Prevention: Banks liable for certain impersonation scams, mandatory "Confirmation of Payee"
- Expanded Scope: Covers instant payments, BNPL, cryptocurrencies, digital identity
- API Standards: Improved technical and performance standards for Open Banking
Compliance Actions for 2026:
- Implement Confirmation of Payee systems
- Upgrade SCA mechanisms for eIDAS 2.0 alignment
- Establish real-time fraud monitoring
- Prepare for API hardening requirements
- Build recovery assurance capabilities
1.2 Licensing Requirements
Electronic Money Institution (EMI) License
Capital Requirements:
- Full EMI: EUR 350,000 minimum capital (must be unencumbered)
- Small EMI: Available if < EUR 5M in outstanding e-money
- Lower requirements
- Application fee: EUR 1,000
- Limited to home country (no passporting)
Application Costs by Jurisdiction:
| Country | Application Fee | Timeline | Total Setup Cost |
|---|---|---|---|
| Lithuania | EUR 1,463 | 6-9 months | EUR 30K-50K |
| Malta | EUR 2,000-5,000 | ~6 months | EUR 40K-60K |
| Ireland | GBP 5,000 | 12-18 months | EUR 200K-300K+ |
| UK | GBP 5,000 | 6-12 months | EUR 100K-200K |
Lithuania Advantages:
- Fastest processing in EU (6-9 months)
- Strong fintech ecosystem (Revolut HQ)
- Government investment in fintech infrastructure
- Lower operational costs
- Full EU passporting rights
Ireland Advantages:
- Higher institutional credibility
- Better for UK/US partnerships
- Stronger for institutional clients
- More stringent = higher trust
Payment Institution (PI) License
Alternative to EMI if not issuing e-money:
- Lower capital requirement (EUR 20K-125K depending on services)
- Faster approval process
- Limited to payment services only
1.3 KYC/AML Requirements
EU AML Package 2025
New Framework:
- Anti-Money Laundering Authority (AMLA) operational late 2025
- EU Single Rulebook for harmonized requirements
- Direct supervision of selected entities from 2028
Core KYC Requirements:
-
Customer Due Diligence (CDD)
- Identity verification (ID document + biometric)
- Address verification
- Source of funds verification
- Beneficial ownership identification (UBO)
-
Enhanced Due Diligence (EDD)
- Required for high-risk customers/transactions
- PEP (Politically Exposed Persons) screening
- Ongoing monitoring requirements
-
eKYC Standards (2025)
- Mandatory electronic identification
- eIDAS 2.0 compliance for digital identity
- Remote verification capabilities required
Cash Transaction Limits:
- EU-wide cap: EUR 10,000 for cash payments
- Applies to all businesses dealing in high-value goods
1.4 Data Protection (GDPR)
Key Requirements for Financial Apps:
-
Data Minimization
- Collect only necessary data
- Clear purpose limitation
- Defined retention periods
-
Privacy by Default
- Location tracking disabled by default
- Marketing communications opt-in only
- Minimal data sharing defaults
-
Consent Management
- Explicit, active consent required
- No pre-ticked boxes
- Easy withdrawal mechanism
- Granular consent options
-
Data Subject Rights
- Right to access (30-day response)
- Right to portability
- Right to erasure
- Right to rectification
-
Security Requirements
- End-to-end encryption (TLS 1.3+)
- AES-256 for data at rest
- Data breach notification within 72 hours
-
DPIA Requirements
- Required for AI-powered decisions
- Biometric authentication systems
- Large-scale customer analytics
Penalties:
- Up to EUR 20 million or 4% of global annual turnover
2. Technical Architecture
2.1 System Architecture Overview
Modern mobile banking requires a layered, microservices-based architecture:
┌─────────────────────────────────────────────────────────────┐
│ PRESENTATION LAYER │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────────────┐ │
│ │ iOS App │ │ Android App │ │ Web Dashboard │ │
│ │ (Swift) │ │ (Kotlin) │ │ (React) │ │
│ └─────────────┘ └─────────────┘ └─────────────────────┘ │
│ OR Cross-Platform: Flutter / React Native │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ API GATEWAY │
│ (Authentication, Rate Limiting, Load Balancing) │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ MICROSERVICES LAYER │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────────┐ │
│ │ Auth │ │ Accounts │ │ Payments │ │ Cards │ │
│ │ Service │ │ Service │ │ Service │ │ Service │ │
│ └──────────┘ └──────────┘ └──────────┘ └──────────────┘ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────────┐ │
│ │ KYC │ │ AML │ │ Ledger │ │ Notification │ │
│ │ Service │ │ Service │ │ Service │ │ Service │ │
│ └──────────┘ └──────────┘ └──────────┘ └──────────────┘ │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ DATA LAYER │
│ ┌──────────────┐ ┌───────────┐ ┌─────────────────────┐ │
│ │ PostgreSQL │ │ Redis │ │ Event Stream │ │
│ │ (Primary) │ │ (Cache) │ │ (Kafka/RabbitMQ) │ │
│ └──────────────┘ └───────────┘ └─────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ EXTERNAL INTEGRATIONS │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────────┐ │
│ │ BaaS │ │ Card │ │ KYC │ │ Payment │ │
│ │ Provider │ │ Issuer │ │ Provider │ │ Rails │ │
│ └──────────┘ └──────────┘ └──────────┘ └──────────────┘ │
└─────────────────────────────────────────────────────────────┘
2.2 Payment Processing Flow
1. User Initiates Payment
│
▼
2. Mobile App → API Gateway
│
▼
3. Authentication Service (verify session, 2FA if required)
│
▼
4. Payment Service
├── Validate request
├── Check balance/limits
├── AML screening (real-time)
└── Create payment intent
│
▼
5. Ledger Service
├── Reserve funds (pending state)
└── Create audit trail
│
▼
6. External Payment Rail (SEPA, SWIFT, card network)
│
▼
7. Confirmation
├── Ledger finalization
├── User notification
└── Transaction record
2.3 Mobile Wallet Architecture
Core Components:
-
Wallet Container
- Multi-currency support
- Real-time balance tracking
- Transaction history
- Spending analytics
-
Card Management
- Virtual card generation
- Physical card ordering
- Card controls (freeze, limits)
- Push provisioning (Apple/Google Pay)
-
Payment Methods
- NFC tap-to-pay
- QR code payments
- P2P transfers
- Scheduled payments
- Bill payments
-
Security Layer
- Biometric authentication
- Device binding
- Transaction signing
- Tokenization
2.4 Core Banking Integration Options
Option 1: Full BaaS
- Use provider's complete stack
- Fastest time to market
- Limited customization
- Higher per-transaction costs
Option 2: Modular Integration
- Core banking from BaaS
- Own card program
- Custom payment rails
- Balanced approach
Option 3: Custom Build
- Own core banking system
- Maximum flexibility
- Highest development cost
- Longest timeline
2.5 API-First Design Principles
- RESTful APIs for standard operations
- WebSocket for real-time updates
- GraphQL for complex data queries (optional)
- Idempotency for payment operations
- Versioning for backward compatibility
- Rate limiting for security and stability
3. Security & Compliance
3.1 PCI DSS Compliance
Compliance Levels:
- Level 1: >6M transactions/year (QSA audit required)
- Level 2: 1-6M transactions/year
- Level 3: 20K-1M transactions/year
- Level 4: <20K transactions/year (self-assessment)
Key Requirements (v4.0.1):
| Requirement | Description |
|---|---|
| Req 3 | Protect stored cardholder data |
| Req 4 | Encrypt transmission of cardholder data |
| Req 6 | Develop and maintain secure systems |
| Req 8 | Identify users and authenticate access |
| Req 10 | Log and monitor all access |
| Req 11 | Regularly test security systems |
| Req 12 | Maintain information security policy |
Mobile-Specific Requirements:
- Runtime Application Self-Protection (RASP)
- Code obfuscation
- White-box cryptography
- Secure key management
- Certificate pinning
Non-Compliance Penalties:
- EUR 5,000 - 100,000 per month
- Increased transaction fees
- Loss of payment processing capability
3.2 Strong Customer Authentication (SCA)
Two of Three Factors Required:
- Knowledge: PIN, password
- Possession: Phone, token, card
- Inherence: Biometrics (fingerprint, face)
SCA Exemptions:
- Low-value transactions (<EUR 30)
- Recurring payments (same amount, same merchant)
- Trusted beneficiaries
- Low-risk transactions (based on fraud analysis)
3.3 Security Architecture
┌─────────────────────────────────────────────────────┐
│ SECURITY LAYERS │
├─────────────────────────────────────────────────────┤
│ Application Security │
│ ├── Input validation │
│ ├── Output encoding │
│ ├── Session management │
│ └── OWASP MASVS compliance │
├─────────────────────────────────────────────────────┤
│ Data Security │
│ ├── AES-256 encryption (at rest) │
│ ├── TLS 1.3 (in transit) │
│ ├── Tokenization (sensitive data) │
│ └── Key management (HSM) │
├─────────────────────────────────────────────────────┤
│ Infrastructure Security │
│ ├── WAF (Web Application Firewall) │
│ ├── DDoS protection │
│ ├── Network segmentation │
│ └── Intrusion detection │
├─────────────────────────────────────────────────────┤
│ Operational Security │
│ ├── 24/7 monitoring │
│ ├── Incident response │
│ ├── Penetration testing │
│ └── Vulnerability management │
└─────────────────────────────────────────────────────┘
3.4 Fraud Prevention
Real-Time Monitoring:
- Transaction velocity checks
- Geographic anomaly detection
- Device fingerprinting
- Behavioral biometrics
- ML-based risk scoring
Required Capabilities (PSD3):
- Confirmation of Payee (name matching)
- Real-time fraud data sharing between PSPs
- Impersonation scam detection
- Social engineering prevention
4. Market Analysis
4.1 European Digital Banking Market
Market Size:
- Digital banking users: 500M+ in Europe
- Mobile banking penetration: 70%+ in Western Europe
- Neobank market share growing at 25%+ annually
Key Players:
- Revolut (35M+ users)
- N26 (8M+ users)
- Monzo (9M+ users, UK)
- Bunq (12M+ users)
4.2 Competitive Landscape
Neobank Industry Statistics (2025):
- 76% of neobanks remain unprofitable
- Only 18% projected to break even by 2025
- Customer acquisition costs remain high
- Revenue diversification is key to profitability
Success Factors:
- Differentiated value proposition
- Superior user experience
- Cost-efficient operations
- Multiple revenue streams
- Strong unit economics
4.3 Revenue Models
Primary Revenue Streams:
- Interchange fees: 0.2-0.3% of card transactions
- FX markup: 0.5-2% on currency conversion
- Subscription tiers: EUR 5-15/month premium plans
- Interest income: On deposits (if banking license)
- Lending: Personal loans, BNPL, overdrafts
Emerging Revenue:
- Insurance products
- Investment/trading fees
- Business accounts (higher margins)
- Crypto services
5. Key Success Factors
5.1 Time to Market
Critical Milestones:
- Month 1-3: Legal structure, licensing strategy
- Month 3-6: BaaS integration, MVP development
- Month 6-9: Beta testing, compliance audit
- Month 9-12: Public launch, scaling
Accelerators:
- Use BaaS provider (vs. own license initially)
- Cross-platform mobile development
- Pre-built KYC/AML integrations
- Cloud-native infrastructure
5.2 User Acquisition
Strategies:
- Referral programs: Proven effective for neobanks
- Niche targeting: Specific customer segments
- Feature differentiation: Unique value proposition
- Partnership distribution: Through platforms/employers
Metrics to Track:
- Customer Acquisition Cost (CAC)
- Lifetime Value (LTV)
- LTV:CAC ratio (target >3:1)
- Activation rate (target >25%)
- Monthly active users (MAU)
5.3 Operational Excellence
Key Capabilities:
- Customer support: 24/7, multi-channel
- Fraud management: Real-time, ML-powered
- Compliance: Continuous monitoring
- Engineering: Rapid iteration, reliability
Cost Optimization:
- AI chatbots (reduce support costs 60%)
- Automated KYC (reduce onboarding costs)
- Cloud-native (elastic scaling)
- Outsourced development (40-60% savings)
Sources and References
Regulatory
- PSD3 & PSR Overview - Flagright
- PSD3 - J.P. Morgan
- EMI License Guide - InnReg
- AML 2025 - Moody's
- GDPR for Financial Services - InnReg
Technical
- Mobile Banking Architecture - Crassula
- Digital Wallet Guide 2025 - Scalefocus
- PCI DSS Mobile App Compliance - Promon
- Mobile Banking App Development - Leanware