Spendi: Building a Secure, Compliant AWS Foundation for Fintech Operations

Consumers often approach new financial products with caution, particularly in the wake of scams and security concerns. Overcoming this distrust is crucial for success. For fintech startup Spendi, the way to build trust and ensure customer confidence was through achieving compliance with regulatory standards, powered by a strategic collaboration with DNX Solutions and AssuranceLab.

Meet Spendi: A New Era in Fintech Rewards

The idea of a finance app offering rewards through a lottery-style system can seem like it’s too good to be true. But for Spendi, the goal is not just to challenge this perception but to make finance more fun, secure and accessible. 

Spendi aims to redefine how consumers interact with banking and financial services by letting users automatically enter their expenses into a prize draw whenever they make purchases. They aim to take the traditional banking experience, make it more engaging, and introduce an element of excitement through rewards.

The Business Challenge: Creating a Compliant AWS Fintech Environment

Spendi is committed to providing customers with a secure and compliant platform — one that not only adheres to strict Australian regulations but also positions itself for rapid growth. Rather than relying on standard methods like web scraping, Spendi set out to deliver a solution that prioritised compliance and trust with their users. Exploring open banking requirements like ASAE 3150 and Consumer Data Right (CDR) compliance led Spendi to AssuranceLab, who conducted the audit and became a trusted partner on their compliance journey.

Recognising the need for specialised expertise, Spendi sought assistance from DNX Solutions and AssuranceLab to help navigate these regulatory challenges and establish a secure, compliant environment on AWS:

1. Regulatory Compliance Requirements: Spendi needed to be compliant, specifically with ASAE 3150 and Consumer Data Right (CDR). Ensuring compliance with these standards, while also preparing for future frameworks such as SOC 2 and ISO 27001, was critical to gaining customer trust and establishing credibility.
2. Security Concerns: Spendi needed robust security controls to protect sensitive customer data and ensure secure operations. 
3. Need for Scalability and Agility: Spendi recognised the need for a strong foundation on AWS to support their scalability and security needs, particularly as they prepare for future compliance standards. They needed an agile infrastructure that could accommodate rapid feature development and support ongoing expansion. 
4. Cost Optimisation: As a startup, Spendi needed to ensure cost-effective solutions without compromising on the quality of security and compliance. Optimising costs was crucial for maintaining financial stability while supporting growth.

DNX Solutions & AssuranceLab: Delivering a Scalable and Secure AWS Infrastructure for Spendi

When pursuing ASAE 3150 controls and CDR compliance, most companies already have one or two other compliance frameworks in place. But for Spendi, DNX Solutions had to build a secure, scalable AWS foundation from the ground up. This involved designing and implementing a solution that followed AWS Well-Architected best practices, with a focus on achieving compliance, enhancing security and ensuring operational efficiency—key components to support Spendi’s rapid growth and regulatory needs.

AssuranceLab worked closely with DNX and Spendi during the auditing phase, ensuring a smooth process that led to Spendi achieving compliance and demonstrating their commitment to providing a secure, trustworthy platform.

Stage 1: Project Planning and Kickoff

• Alignment of Stakeholders: DNX led a kickoff meeting to define objectives, deliverables, and timelines with all stakeholders.
• High-Level Design (HLD): DNX worked with Spendi’s team and development partner, to create a high-level design and project plan, ensuring clarity at each project stage.

Stage 2: AWS Well-Architected Foundation

• Infrastructure as Code (IaC): Leveraging IaC principles, DNX deployed a robust foundation on AWS with consistent configurations, centralised access controls and streamlined updates. This approach provided Spendi full visibility into their AWS resources and an environment that can be easily managed and scaled.
• Network Security and Access Management: Implemented multi-layer network security, including AWS VPCs with secure subnet configurations, IAM policies, and Single Sign-On (SSO) integration for fine-grained access control.
• Encryption and Monitoring: Enabled encryption for data at rest and in transit, using SSL certificates managed by AWS Certificate Manager (ACM). DNX set up CloudWatch monitoring and alerts to track usage, cost and performance metrics, ensuring continuous visibility into the environment.

Stage 3: Compliance-Focused Architecture

• Landing Zones and Account Structures: Set up AWS Landing Zones with an organised account structure that isolates environments, reducing risks of data breaches and aligning with regulatory requirements.
• Budget Control with Alarms: Established budget alarms to ensure efficient cost management, a critical aspect for Spendi as a startup managing resources tightly.

Stage 4: Knowledge Transfer and Documentation

• Knowledge Transfer Sessions: Conducted training to equip Spendi’s team with the skills to manage their AWS environment independently.
• Comprehensive Documentation: Delivered detailed documentation, including the AWS Foundation As-Built Document and high-level design diagrams.

Stage 5: Audit and Compliance Certification

• Collaborative Audit Process: AssuranceLab worked closely with DNX and Spendi to audit the app against ASAE 3150 and CDR standards, providing a collaborative and iterative approach throughout the audit. 
• Incremental Testing: AssuranceLab employed an iterative auditing process during the CDR Stage 1 audit, enabling Spendi to make meaningful progress incrementally while minimising disruption. This approach allowed Spendi to prioritise and focus on key areas, ensuring the audit process remained efficient and on track. 
• Achieving Compliance: AssuranceLab’s team of experienced auditors were on hand throughout the audit testing and reporting phases, resulting in a successful audit that demonstrated Spendi’s Consumer Data Right (CDR) system was designed and implemented in accordance with the CDR Criteria, paving the way for their launch as a trusted, government-regulated fintech.

Project Outcomes: Meeting Compliance, Enhancing Security and Supporting Growth

DNX Solutions delivered a secure, scalable AWS foundation that overcame Spendi’s challenges, meeting current compliance needs while supporting growth and operational efficiency.

• Rapid Delivery Despite Challenges: Despite navigating changes in regulations mid-compliance, DNX delivered what would typically be a 12 to 15-month project in just 5 months.
• Audit-Readiness: Leveraging our xComply solution in partnership with AssuranceLab, DNX ensured Spendi was audit-ready. AssuranceLab managed the auditing of Spendi’s compliance with ASAE 3150 and CDR requirements, positioning them for future regulatory success.
• Secure and Compliant Foundation: The DNX foundation adheres to AWS Well-Architected pillars and meets Australian regulatory standards, preparing Spendi for frameworks like SOC 2 and ISO 27001, significantly boosting security and customer trust.
• Scalability and Cost Efficiency: The Well-Architected framework ensures that Spendi’s environment is both scalable and cost-effective, allowing them to control costs while supporting growth.
• Operational Agility: With improved access control, streamlined deployment pipelines and comprehensive documentation, Spendi is well-positioned to quickly adapt to market demands, deploy new features and ensure continuous compliance.

Spendi’s Path to Growth: Security, Compliance and Beyond

Achieving ASAE 3150 and CDR compliance has provided Spendi with a competitive edge by building trust and establishing their authority as a secure, government-regulated fintech. This accreditation not only challenges the narrative of distrust in finance apps but also reinforces Spendi’s commitment to providing a transparent and reliable platform.

With their secure, compliant AWS foundation in place, Spendi is now positioned to pursue further certifications such as SOC 2 and ISO 27001, showing its ongoing commitment to security and moving towards becoming a trusted neobank. As they prepare to launch, Spendi is well-equipped to deliver an engaging, secure, and compliant user experience that redefines traditional banking, thanks to the ongoing partnership with DNX and AssuranceLab.