# Mobile Banking Research

# Mobile Payment/Banking Application - Full Research Findings

## Table of Contents

1. [Regulatory Requirements](#1-regulatory-requirements)
2. [Technical Architecture](#2-technical-architecture)
3. [Security & Compliance](#3-security--compliance)
4. [Market Analysis](#4-market-analysis)
5. [Key Success Factors](#5-key-success-factors)

---

## 1. Regulatory Requirements

### 1.1 EU Payment Services Directive (PSD2/PSD3)

#### Current State (PSD2)
PSD2 has been the governing framework since 2018, establishing:
- Strong Customer Authentication (SCA) requirements
- Open Banking mandates for API access
- Liability frameworks for unauthorized transactions
- Consumer protection standards

#### PSD3 Transition (2025-2028)

**Timeline:**
- Political agreement reached: November 2025
- Formal adoption expected: Early-Mid 2026
- Transition period: 18-24 months after adoption
- Full compliance deadline: 2027-2028

**Key Changes in PSD3:**
- **Payment Services Regulation (PSR)**: Directly applicable across the EU (no national transposition needed)
- **Enhanced SCA**: Stronger identity verification, tighter exemption management
- **Fraud Prevention**: Banks liable for certain impersonation scams, mandatory "Confirmation of Payee"
- **Expanded Scope**: Covers instant payments, BNPL, cryptocurrencies, digital identity
- **API Standards**: Improved technical and performance standards for Open Banking

**Compliance Actions for 2026:**
1. Implement Confirmation of Payee systems
2. Upgrade SCA mechanisms for eIDAS 2.0 alignment
3. Establish real-time fraud monitoring
4. Prepare for API hardening requirements
5. Build recovery assurance capabilities

### 1.2 Licensing Requirements

#### Electronic Money Institution (EMI) License

**Capital Requirements:**
- Full EMI: EUR 350,000 minimum capital (must be unencumbered)
- Small EMI: Available if outstanding e-money is below EUR 5M
  - Lower requirements
  - Application fee: EUR 1,000
  - Limited to home country (no passporting)

**Application Costs by Jurisdiction:**

| Country | Application Fee | Timeline | Total Setup Cost |
|---------|----------------|----------|------------------|
| Lithuania | EUR 1,463 | 6-9 months | EUR 30K-50K |
| Malta | EUR 2,000-5,000 | ~6 months | EUR 40K-60K |
| Ireland | GBP 5,000 | 12-18 months | EUR 200K-300K+ |
| UK | GBP 5,000 | 6-12 months | EUR 100K-200K |

**Lithuania Advantages:**
- Fastest processing in EU (6-9 months)
- Strong fintech ecosystem (Revolut HQ)
- Government investment in fintech infrastructure
- Lower operational costs
- Full EU passporting rights

**Ireland Advantages:**
- Higher institutional credibility
- Better for UK/US partnerships
- Stronger for institutional clients
- More stringent supervision, which translates into higher trust

#### Payment Institution (PI) License

Alternative to EMI if not issuing e-money:
- Lower capital requirement (EUR 20K-125K depending on services)
- Faster approval process
- Limited to payment services only

### 1.3 KYC/AML Requirements

#### EU AML Package 2025

**New Framework:**
- Anti-Money Laundering Authority (AMLA) operational late 2025
- EU Single Rulebook for harmonized requirements
- Direct supervision of selected entities from 2028

**Core KYC Requirements:**
1. **Customer Due Diligence (CDD)**
   - Identity verification (ID document + biometric)
   - Address verification
   - Source of funds verification
   - Beneficial ownership identification (UBO)

2. **Enhanced Due Diligence (EDD)**
   - Required for high-risk customers/transactions
   - PEP (Politically Exposed Persons) screening
   - Ongoing monitoring requirements

3. **eKYC Standards (2025)**
   - Mandatory electronic identification
   - eIDAS 2.0 compliance for digital identity
   - Remote verification capabilities required

**Cash Transaction Limits:**
- EU-wide cap: EUR 10,000 for cash payments
- Applies to all businesses dealing in high-value goods

### 1.4 Data Protection (GDPR)

**Key Requirements for Financial Apps:**

1. **Data Minimization**
   - Collect only necessary data
   - Clear purpose limitation
   - Defined retention periods

2. **Privacy by Default**
   - Location tracking disabled by default
   - Marketing communications opt-in only
   - Minimal data sharing defaults

3. **Consent Management**
   - Explicit, active consent required
   - No pre-ticked boxes
   - Easy withdrawal mechanism
   - Granular consent options

4. **Data Subject Rights**
   - Right to access (30-day response)
   - Right to portability
   - Right to erasure
   - Right to rectification

5. **Security Requirements**
   - End-to-end encryption (TLS 1.3+)
   - AES-256 for data at rest
   - Data breach notification within 72 hours

6. **DPIA Requirements**
   - Required for AI-powered decisions
   - Biometric authentication systems
   - Large-scale customer analytics

**Penalties:**
- Up to EUR 20 million or 4% of global annual turnover

---

## 2. Technical Architecture

### 2.1 System Architecture Overview

Modern mobile banking requires a **layered, microservices-based architecture**:

```
┌─────────────────────────────────────────────────────────────┐
│                    PRESENTATION LAYER                        │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────┐  │
│  │  iOS App    │  │ Android App │  │    Web Dashboard    │  │
│  │  (Swift)    │  │  (Kotlin)   │  │     (React)         │  │
│  └─────────────┘  └─────────────┘  └─────────────────────┘  │
│         OR Cross-Platform: Flutter / React Native            │
└─────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────┐
│                      API GATEWAY                             │
│  (Authentication, Rate Limiting, Load Balancing)             │
└─────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────┐
│                   MICROSERVICES LAYER                        │
│  ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────────┐   │
│  │   Auth   │ │ Accounts │ │ Payments │ │    Cards     │   │
│  │ Service  │ │ Service  │ │ Service  │ │   Service    │   │
│  └──────────┘ └──────────┘ └──────────┘ └──────────────┘   │
│  ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────────┐   │
│  │   KYC    │ │   AML    │ │  Ledger  │ │ Notification │   │
│  │ Service  │ │ Service  │ │ Service  │ │   Service    │   │
│  └──────────┘ └──────────┘ └──────────┘ └──────────────┘   │
└─────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────┐
│                    DATA LAYER                                │
│  ┌──────────────┐  ┌───────────┐  ┌─────────────────────┐   │
│  │  PostgreSQL  │  │   Redis   │  │   Event Stream      │   │
│  │  (Primary)   │  │  (Cache)  │  │   (Kafka/RabbitMQ)  │   │
│  └──────────────┘  └───────────┘  └─────────────────────┘   │
└─────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────┐
│                 EXTERNAL INTEGRATIONS                        │
│  ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────────┐   │
│  │  BaaS    │ │   Card   │ │   KYC    │ │   Payment    │   │
│  │ Provider │ │ Issuer   │ │ Provider │ │   Rails      │   │
│  └──────────┘ └──────────┘ └──────────┘ └──────────────┘   │
└─────────────────────────────────────────────────────────────┘
```

### 2.2 Payment Processing Flow

```
1. User Initiates Payment
         │
         ▼
2. Mobile App → API Gateway
         │
         ▼
3. Authentication Service (verify session, 2FA if required)
         │
         ▼
4. Payment Service
   ├── Validate request
   ├── Check balance/limits
   ├── AML screening (real-time)
   └── Create payment intent
         │
         ▼
5. Ledger Service
   ├── Reserve funds (pending state)
   └── Create audit trail
         │
         ▼
6. External Payment Rail (SEPA, SWIFT, card network)
         │
         ▼
7. Confirmation
   ├── Ledger finalization
   ├── User notification
   └── Transaction record
```

### 2.3 Mobile Wallet Architecture

**Core Components:**

1. **Wallet Container**
   - Multi-currency support
   - Real-time balance tracking
   - Transaction history
   - Spending analytics

2. **Card Management**
   - Virtual card generation
   - Physical card ordering
   - Card controls (freeze, limits)
   - Push provisioning (Apple/Google Pay)

3. **Payment Methods**
   - NFC tap-to-pay
   - QR code payments
   - P2P transfers
   - Scheduled payments
   - Bill payments

4. **Security Layer**
   - Biometric authentication
   - Device binding
   - Transaction signing
   - Tokenization

### 2.4 Core Banking Integration Options

**Option 1: Full BaaS**
- Use provider's complete stack
- Fastest time to market
- Limited customization
- Higher per-transaction costs

**Option 2: Modular Integration**
- Core banking from BaaS
- Own card program
- Custom payment rails
- Balanced approach

**Option 3: Custom Build**
- Own core banking system
- Maximum flexibility
- Highest development cost
- Longest timeline

### 2.5 API-First Design Principles

1. **RESTful APIs** for standard operations
2. **WebSocket** for real-time updates
3. **GraphQL** for complex data queries (optional)
4. **Idempotency** for payment operations
5. **Versioning** for backward compatibility
6. **Rate limiting** for security and stability
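As an added illustration that is not code from the page or from any vendor it cites, the following Python sketches steps 4, 5 and 7 of the payment flow in section 2.2 together with the idempotency principle from item 4 above: a retried request carrying the same idempotency key returns the stored result instead of reserving funds twice, and settlement only turns a pending reservation into a debit once. The daily limit, the AML blocklist entry and the account data are constructed sample values.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List

@dataclass
class Account:
    balance: Decimal
    reserved: Decimal = Decimal("0")        # held for pending intents (step 5)
    daily_limit: Decimal = Decimal("1000")
    spent_today: Decimal = Decimal("0")

@dataclass
class PaymentService:
    accounts: Dict[str, Account]
    intents: Dict[str, dict] = field(default_factory=dict)  # idempotency key -> result
    audit: List[str] = field(default_factory=list)         # step 5 audit trail
    aml_blocklist: frozenset = frozenset({"DE00BLOCKED"})   # constructed sample list

    def create_intent(self, key: str, src: str, dest: str, amount: Decimal) -> dict:
        # A retry carrying the same idempotency key gets the stored result back,
        # so a lost response never causes a second reservation (section 2.5).
        if key in self.intents:
            return self.intents[key]
        acct = self.accounts[src]
        if amount <= 0:
            result = {"status": "rejected", "reason": "invalid_amount"}
        elif dest in self.aml_blocklist:                    # real-time AML screening
            result = {"status": "rejected", "reason": "aml_screening"}
        elif amount > acct.balance - acct.reserved:
            result = {"status": "rejected", "reason": "insufficient_funds"}
        elif acct.spent_today + amount > acct.daily_limit:
            result = {"status": "rejected", "reason": "limit_exceeded"}
        else:
            acct.reserved += amount                         # pending, not yet settled
            acct.spent_today += amount
            result = {"status": "pending", "src": src, "amount": amount}
        self.audit.append(f"{key} {src}->{dest} {amount} {result['status']}")
        self.intents[key] = result
        return result

    def settle(self, key: str) -> dict:
        # Step 7: the rail confirmed, so the reservation becomes a final debit.
        intent = self.intents.get(key)
        if not intent or intent["status"] != "pending":
            return {"status": "error", "reason": "no_pending_intent"}
        acct = self.accounts[intent["src"]]
        acct.reserved -= intent["amount"]
        acct.balance -= intent["amount"]
        intent["status"] = "settled"
        return intent
```

Rejected intents are also recorded under their key and in the audit trail, so a replayed rejected request is answered consistently and the decision remains traceable.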

---

## 3. Security & Compliance

### 3.1 PCI DSS Compliance

**Compliance Levels:**
- Level 1: >6M transactions/year (QSA audit required)
- Level 2: 1-6M transactions/year
- Level 3: 20K-1M transactions/year
- Level 4: <20K transactions/year (self-assessment)

**Key Requirements (v4.0.1):**

| Requirement | Description |
|-------------|-------------|
| Req 3 | Protect stored cardholder data |
| Req 4 | Encrypt transmission of cardholder data |
| Req 6 | Develop and maintain secure systems |
| Req 8 | Identify users and authenticate access |
| Req 10 | Log and monitor all access |
| Req 11 | Regularly test security systems |
| Req 12 | Maintain information security policy |

**Mobile-Specific Requirements:**
- Runtime Application Self-Protection (RASP)
- Code obfuscation
- White-box cryptography
- Secure key management
- Certificate pinning

**Non-Compliance Penalties:**
- EUR 5,000 - 100,000 per month
- Increased transaction fees
- Loss of payment processing capability

### 3.2 Strong Customer Authentication (SCA)

**Two of Three Factors Required:**
1. **Knowledge**: PIN, password
2. **Possession**: Phone, token, card
3. **Inherence**: Biometrics (fingerprint, face)

**SCA Exemptions:**
- Low-value transactions (<EUR 30)
- Recurring payments (same amount, same merchant)
- Trusted beneficiaries
- Low-risk transactions (based on fraud analysis)
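The two-of-three rule and the exemption list above, as an added Python example that is not part of the page: the decision first checks for an applicable exemption and otherwise requires credentials from two distinct categories, so a PIN plus a password is still one factor. The credential-to-category table, the low-risk score cutoff and the sample payments are assumptions; cumulative limits that regulators attach to the low-value exemption are not modeled.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import FrozenSet, Optional, Set

# Credential -> SCA category. Two credentials from the same category (PIN + password)
# do not count as two factors.
FACTOR_CATEGORY = {
    "pin": "knowledge", "password": "knowledge",
    "device": "possession", "hw_token": "possession", "card": "possession",
    "fingerprint": "inherence", "face": "inherence",
}
LOW_VALUE_LIMIT = Decimal("30")   # threshold from the exemption list above
LOW_RISK_SCORE = 0.1              # assumed fraud-score cutoff for the low-risk exemption

@dataclass
class Payment:
    amount: Decimal
    payee: str
    recurring: bool = False       # same amount, same merchant as an earlier payment
    fraud_score: float = 1.0      # 0.0 = lowest risk, from the fraud engine

@dataclass
class Customer:
    trusted_payees: FrozenSet[str] = frozenset()

def factors_satisfied(presented: Set[str]) -> bool:
    """True when the presented credentials cover at least two distinct categories."""
    categories = {FACTOR_CATEGORY[c] for c in presented if c in FACTOR_CATEGORY}
    return len(categories) >= 2

def exemption_for(payment: Payment, customer: Customer) -> Optional[str]:
    """Return the applicable SCA exemption, or None when SCA must be performed."""
    if payment.amount < LOW_VALUE_LIMIT:
        return "low_value"
    if payment.recurring:
        return "recurring"
    if payment.payee in customer.trusted_payees:
        return "trusted_beneficiary"
    if payment.fraud_score < LOW_RISK_SCORE:
        return "low_risk"
    return None

def authorize(payment: Payment, customer: Customer, presented: Set[str]) -> dict:
    """Decide whether the payment may proceed and whether SCA was applied."""
    exemption = exemption_for(payment, customer)
    if exemption is not None:
        return {"allowed": True, "sca": False, "exemption": exemption}
    if factors_satisfied(presented):
        return {"allowed": True, "sca": True, "exemption": None}
    return {"allowed": False, "sca": True, "reason": "two distinct factor categories required"}
```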

### 3.3 Security Architecture

```
┌─────────────────────────────────────────────────────┐
│              SECURITY LAYERS                         │
├─────────────────────────────────────────────────────┤
│ Application Security                                 │
│ ├── Input validation                                │
│ ├── Output encoding                                 │
│ ├── Session management                              │
│ └── OWASP MASVS compliance                          │
├─────────────────────────────────────────────────────┤
│ Data Security                                        │
│ ├── AES-256 encryption (at rest)                    │
│ ├── TLS 1.3 (in transit)                            │
│ ├── Tokenization (sensitive data)                   │
│ └── Key management (HSM)                            │
├─────────────────────────────────────────────────────┤
│ Infrastructure Security                              │
│ ├── WAF (Web Application Firewall)                  │
│ ├── DDoS protection                                 │
│ ├── Network segmentation                            │
│ └── Intrusion detection                             │
├─────────────────────────────────────────────────────┤
│ Operational Security                                 │
│ ├── 24/7 monitoring                                 │
│ ├── Incident response                               │
│ ├── Penetration testing                             │
│ └── Vulnerability management                        │
└─────────────────────────────────────────────────────┘
```

### 3.4 Fraud Prevention

**Real-Time Monitoring:**
- Transaction velocity checks
- Geographic anomaly detection
- Device fingerprinting
- Behavioral biometrics
- ML-based risk scoring

**Required Capabilities (PSD3):**
- Confirmation of Payee (name matching)
- Real-time fraud data sharing between PSPs
- Impersonation scam detection
- Social engineering prevention
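Three of the monitoring capabilities listed above (transaction velocity checks, geographic anomaly detection and Confirmation of Payee name matching) as an added Python example; this is illustrative code, not the page's or any cited vendor's, and the window size, transaction count, plausible travel speed and the close-match ratio are assumed thresholds that a real deployment would tune against its own fraud data. The coordinates and names in the checks are constructed samples.

```python
import difflib
import math
import unicodedata
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration, not values from the page.
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_MAX = 5
MAX_PLAUSIBLE_KMH = 900.0          # faster than this between two locations = anomaly

def normalize_name(name: str) -> str:
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(ascii_name.lower().replace("-", " ").split())

def confirmation_of_payee(entered: str, registered: str) -> str:
    """Name-matching step of CoP: match, close_match (ask the user to confirm) or no_match."""
    a, b = normalize_name(entered), normalize_name(registered)
    if a == b:
        return "match"
    return "close_match" if difflib.SequenceMatcher(None, a, b).ratio() >= 0.8 else "no_match"

def haversine_km(lat1, lon1, lat2, lon2) -> float:
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

class FraudMonitor:
    def __init__(self):
        self.recent = defaultdict(deque)     # account -> timestamps inside the window
        self.last_seen = {}                  # account -> (timestamp, lat, lon)

    def score(self, account: str, ts: datetime, lat: float, lon: float) -> list:
        """Return the risk flags raised by this transaction (empty list = no finding)."""
        flags = []
        q = self.recent[account]
        while q and ts - q[0] > VELOCITY_WINDOW:   # drop timestamps outside the window
            q.popleft()
        q.append(ts)
        if len(q) > VELOCITY_MAX:
            flags.append("velocity")
        if account in self.last_seen:
            prev_ts, plat, plon = self.last_seen[account]
            hours = max((ts - prev_ts).total_seconds() / 3600, 1e-6)
            if haversine_km(plat, plon, lat, lon) / hours > MAX_PLAUSIBLE_KMH:
                flags.append("impossible_travel")
        self.last_seen[account] = (ts, lat, lon)
        return flags
```

A "close_match" from the payee check is meant to surface the registered name for the user to confirm, which is the behaviour Confirmation of Payee relies on to stop misdirected transfers.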

---

## 4. Market Analysis

### 4.1 European Digital Banking Market

**Market Size:**
- Digital banking users: 500M+ in Europe
- Mobile banking penetration: 70%+ in Western Europe
- Neobank market share growing at 25%+ annually

**Key Players:**
- Revolut (35M+ users)
- N26 (8M+ users)
- Monzo (9M+ users, UK)
- Bunq (12M+ users)

### 4.2 Competitive Landscape

**Neobank Industry Statistics (2025):**
- 76% of neobanks remain unprofitable
- Only 18% projected to break even by 2025
- Customer acquisition costs remain high
- Revenue diversification is key to profitability

**Success Factors:**
1. Differentiated value proposition
2. Superior user experience
3. Cost-efficient operations
4. Multiple revenue streams
5. Strong unit economics

### 4.3 Revenue Models

**Primary Revenue Streams:**
1. **Interchange fees**: 0.2-0.3% of card transactions
2. **FX markup**: 0.5-2% on currency conversion
3. **Subscription tiers**: EUR 5-15/month premium plans
4. **Interest income**: On deposits (if banking license)
5. **Lending**: Personal loans, BNPL, overdrafts

**Emerging Revenue:**
- Insurance products
- Investment/trading fees
- Business accounts (higher margins)
- Crypto services

---

## 5. Key Success Factors

### 5.1 Time to Market

**Critical Milestones:**
1. **Month 1-3**: Legal structure, licensing strategy
2. **Month 3-6**: BaaS integration, MVP development
3. **Month 6-9**: Beta testing, compliance audit
4. **Month 9-12**: Public launch, scaling

**Accelerators:**
- Use BaaS provider (vs. own license initially)
- Cross-platform mobile development
- Pre-built KYC/AML integrations
- Cloud-native infrastructure

### 5.2 User Acquisition

**Strategies:**
1. **Referral programs**: Proven effective for neobanks
2. **Niche targeting**: Specific customer segments
3. **Feature differentiation**: Unique value proposition
4. **Partnership distribution**: Through platforms/employers

**Metrics to Track:**
- Customer Acquisition Cost (CAC)
- Lifetime Value (LTV)
- LTV:CAC ratio (target >3:1)
- Activation rate (target >25%)
- Monthly active users (MAU)

### 5.3 Operational Excellence

**Key Capabilities:**
1. **Customer support**: 24/7, multi-channel
2. **Fraud management**: Real-time, ML-powered
3. **Compliance**: Continuous monitoring
4. **Engineering**: Rapid iteration, reliability

**Cost Optimization:**
- AI chatbots (reduce support costs 60%)
- Automated KYC (reduce onboarding costs)
- Cloud-native (elastic scaling)
- Outsourced development (40-60% savings)
