Ask HN: Would you use AWS for a primary infrastructure if you're a bank? - mattquiros

I'm exploring the idea of starting up a bank and am still in the process of learning how they really work (so I'm not sure this is the right question to ask, but I'll try anyway). I could imagine online/mobile banking as one of the priority features because that'll be my USP (our local banks suck at those, really. I want to make software that'll eliminate the need for people to personally go to banks for transactions other than depositing money). That said, I'm thinking of using AWS for the back-end and storage of pretty much all of the data the bank will be processing--customer info, transactions, balances, etc. Is that safe? Or should I just go with in-house servers which require a huge upfront investment?

ADD: My country's near the equator, almost 100 Fahrenheit every day. Not so sure having our own data center here is a good idea.
======
dsl
The FDIC is where most of your IT security requirements will come from. Below
I have listed a few items which make the cloud a non-starter. In summary, it
costs $20+ million dollars to start a bank. The reason every small bank has
the same crappy online banking and digital services is because everyone except
large institutional banks has to outsource everything to a handful of third
party providers who can maintain these requirements.

As far as your business idea, you should check out simple.com. They have been
working on the problem for years and have just barely managed to cut enough
red tape to provide a not terrible user experience for a handful of tasks.

Have a full accounting and audit of every VoIP device, VPN device, wireless
device, switch, router, modem, firewall, and proxy server connected to the
network.

Demonstrate physical access controls for employees, vendors, and anyone else
who may have access to your equipment.

Every single person with physical access to customer information devices must
have a 10-year criminal background check performed (this is actually a federal
law that applies to the Finance, public education, public transportation, etc
industries).

Formal configuration and patch management procedures for all devices
(including upstream routers and switches).

Diagrams of physical and logical network topologies.

The Fair and Accurate Credit Transactions Act of 2003 requires physical
destruction of devices storing customer data.

Reporting of all physical security incidents to FDIC IT examination.

~~~
mattquiros
This is really valuable info, thanks!

~~~
argonaut
Not really; that info is for the US. Your country will have different
regulations.

------
mikiem
Are you opening a US bank under a US charter and US law and with US insurance?
Each type of institution (e.g. national bank or credit union) has its own rules
and is covered or regulated by a different governmental institution.

------
t0
Almost all major datacenters have pretty high security. Your main concern
should probably be securing the software, not the physical servers.

------
brudgers
Problem = banks offer poor online service

Solution option A = Start a bank and create infrastructure to offer better
online service

Solution option B = Create infrastructure to offer better online service and
sell it to banks

Which one scales?

------
dear
Maybe start a bitcoin bank? No regulation. A bitcoin loan shark.

~~~
mattquiros
Interesting idea to add on later, thanks. Bitcoin's not popular yet in my
country.

------
lifeisstillgood
I believe it is not even legal. Whilst I am sure some could correct me, PCI
regulations for credit card storage expect you to have your own boxen. There
must be others.

On top of that, it is highly highly unlikely that the range of software a bank
uses will install cleanly on say Ubuntu 12.04.

And the reason mobile sucks for almost all banks is

A) their back end software is twenty years old and was written before the
Internet was even considered - the APIs are mostly screenscrapers

B) mobile security is hard

~~~
mattquiros
Thanks for the tip on legalities. I know bank laws differ in every country but
now I'll look into that.

Totally agree with A. What do you mean by B though? As in secure wireless
transactions and maybe the crackability of Android phones?

*update, just started reading on mobile security now

------
stray
I wouldn't use it for anything that can't break.

~~~
mattquiros
I've actually thought of this too but I have a (weird?) issue with maintenance
--our country's near the equator, and on really bad summers (which is almost
half a year long), it's almost 100 degrees Fahrenheit every day. I'm not so
sure it's a great idea to have our own data center here. Also I'm asking this
because I know Facebook got their own near the North Pole to keep maintenance
costs low.