Security in FinTech: Q&A with Dan Kindler, co-founder & CTO of Bound
Hey Dan! Can you tell us a bit more about yourself and Bound?
Hi, I’m Dan Kindler and I’m the CTO and co-founder of Bound. We focus on making currency conversion and hedging cheap, fair, and most of all, easy. Our platforms help hundreds of businesses protect themselves from currency risk across the world. Currently, about half of our team is composed of engineers.
How is Bound positioned within the FinTech sector, and compared to the competition?
Before diving into FinTech itself, let me cover how we’re positioned against traditional financial institutions first. Traditional banks or brokers typically cater to customers with large treasury teams who value dealing over the phone and email. Their online exchanges typically only offer on-the-spot transactions. Since our aim is to make hedging easy and hassle-free, we’re offering both spot and currency hedging tools to manage and protect your international cash flows. Back in December 2022, we received our FCA authorization, a UK financial regulatory authority, allowing us to provide regulated hedging products.
When it comes to FinTech, it's safe to say we’re breaking Bound-aries (yeah) by introducing self-serve foreign exchange conversions online. Companies like Wise and Revolut have done a tremendous job of making currency conversions easy online – but they only focus on “spot” (or instant) conversions. With Bound, we focus on future cash flows, which they don’t focus as much on.
What purpose should security in FinTech serve?
Security plays a huge role in our industry. At the end of the day, we're dealing with financial transactions that could be worth hundreds of thousands of pounds/dollars/euros – if not more. At Bound, our transaction volume already exceeded hundreds of millions of dollars. If a security risk sneaks its way into our product - or any FinTech product for that matter - it's safe to say sh*'t hits the fan. And not just any fan. Legal consequences aside, hackers could steal other people’s savings, destroying businesses and lives.
Within FinTech, we can imagine regulatory instances or governmental regulatory bodies are putting more scrutiny on companies that deal with customer data. How does Aikido help you deal with this?
The pressure to stay compliant is huge. In the UK, we’re constantly navigating strict regulations like the GDPR and the FCA's guidance on data protection and security. The regulators expect us to be proactive in managing vulnerabilities, especially since we handle sensitive customer data.
Aikido has been a game-changer for us. The 9-in-1 platform allows us to comprehensively cover every aspect of our software security. This approach makes it easier to meet regulatory requirements without piecing together multiple tools. A big plus has been the false-positive reduction. In a regulatory landscape, we don’t have the luxury of wasting time chasing down non-existent vulnerabilities. Aikido’s precision means that when an alert comes in, we can trust it’s something that requires action, which is invaluable during audits or compliance reviews. Plus, the clear UX allows our team to act swiftly, avoiding the complexity that usually comes with security tools. It ensures that we stay ahead of any potential compliance issues without disrupting our development flow.
What future regulation do you see coming down the line for other engineering leads & VPs to keep an eye on?
Future UK FinTech regulations are likely to focus on expanding Open Banking and enhancing digital assets oversight. With innovations like Variable Recurring Payments and a digital regulatory sandbox, engineering teams should prepare for tighter security standards and new API integrations.
Before Aikido, what kept you up at night in terms of security? How were you addressing security?
Honestly, it was a mess trying to manage different tools for each type of security check. We were constantly worried something would get missed, and the number of false positives made it even worse. Aikido brought everything together in one place, so now we’re catching real issues without all the noise, and it’s made our lives way easier.
We saw Bound is one of our few customers that pretty much solved every open issue reported. Has Aikido helped you out with this?
Absolutely! We pride ourselves on taking security very seriously (as most companies – hopefully – do). For us, Aikido has had a tremendous impact on how we approach vulnerability management and remediation. We consider it to be our single source of truth, and the platform’s deduplication & pre-filtering of false positives features really help us see the forest through the trees. Once a real vulnerability pops up, we have a trigger appear in our issue tracker (Linear) to ensure we fix it as soon as possible. The process is pretty neat and well embedded into our development cycle, and we rely on it a lot.
What's your experience in working together with the Aikido team?
The team’s been super responsive and supportive from day 1. We’re able to share real time feedback, make requests, and receive relevant product updates through our joint Slack channel. At some point, I asked the Aikido team if they knew what they’ve gotten themselves into. We didn’t let their product team sleep once we realized we could ask all the things!
What's your favorite feature?
False-positive reduction aside, the ‘Import from GitHub’-button is very cool. I really like that all the repos automatically get assigned to a team. We can keep GitHub as the source of truth, while Aikido seamlessly maps everything out accordingly.
Any closing remarks?
We had our first penetration test and Amazon AWS security audit earlier this year, which went very well. We got nothing above a medium (and most of the mediums I didn’t entirely agree with anyway…). They probably would have found much more of interest if we hadn’t had Aikido shouting at us constantly, so thanks for that!