Towards Improved Certification of Complex FinTech Systems – A Requirements-based Approach

Abstract

Context: Financial Technology (FinTech) systems, especially those involving custody of digital assets such as cryptocurrencies, are quickly emerging as a new class of software systems with associated high risks. So far, incidents involving such systems have costed billions of dollars. Problem: Providing regulators and insurers with certification cannot simply rely on simple reports generated by auditors. Current practices require a more rigorous and systematic approach for capturing and communicating the design rationale in order to certify such systems. Method: The User Requirements Notation (URN) is used to model and analyze the requirements of a FinTech system and capture its design rationale. Then, the Systems Theoretic Process Analysis (STPA) method is applied to the URN model to evaluate system hazards and introduce safety constraints/requirements that aim to avoid bad situations from happening (e.g., loss of assets, private data, or reputation). The results augment the URN model and are conveyed to the stakeholders (especially regulators, auditors, and insurers) in the form of assurance cases. Results: Guidelines are now available to model the requirements of FinTech systems and produce assurance cases for certification. The guidelines are illustrated with a real digital asset custodian example. Conclusion: This work provides new requirements-based guidelines exploiting URN and STPA that can potentially facilitate the certification process of FinTech systems.