Hire MVP Developers in London | FinTech SCA, KYC & FCA

October 21, 2025

6 min read

Launching an MVP is supposed to be the fastest way to validate demand. In financial services, the word “minimal” can be misleading: you are shipping into an environment shaped by SCA/PSD2, Open Banking, UK GDPR, and the FCA’s expectations for governance and resilience. This guide turns the usual checklist into a readable playbook — so you can hire the right team in London, make the right architectural calls, and keep momentum without stumbling over compliance.

Why FinTech MVPs are different (and risky)

Even a slim payments or onboarding flow touches multiple regulated surfaces at once. Strong Customer Authentication (SCA) dictates how you structure two‑factor experiences and when you can legitimately avoid them via exemptions such as merchant‑initiated transactions, low‑value payments, or transaction risk analysis. Know‑Your‑Customer and anti‑money‑laundering controls influence everything from what data you collect to how you handle false positives, sanctions matches, and suspicious activity reports. Data protection runs in parallel: your lawful basis, retention policies, DPIAs and DSAR handling determine whether your product is both usable and defensible.

What happens if you under‑engineer these layers? Banks and PSPs may refuse to onboard you or shut you down after testing. The FCA can query your governance and operational resilience. Privacy missteps lead to audits and reputational damage. Worst of all, re‑architecting after a failed pilot can cost more than building it correctly the first time. The safe conclusion is not “move slowly,” but “design compliance into the product fabric from day one.”

What a regulatory‑ready MVP looks like

A credible FinTech MVP treats authentication, onboarding, and privacy as product features, not as paperwork.

SCA/PSD2. Map your payment scenarios — one‑off, recurring, merchant‑initiated — and implement two‑factor authentication with a measured step‑up. Exemptions should be evaluated by a server‑side policy engine and every decision should be recorded so you can explain why SCA was, or wasn’t, applied. Recovery and retry paths must avoid duplicate charges and preserve the authorisation context.

KYC/AML. Choose providers for PEP and sanctions screening, decide when documentary evidence or non‑documentary checks are appropriate, and define thresholds that trigger manual review. Ongoing monitoring is not a later phase: set the cadence now, capture adverse media, and keep tamper‑evident evidence of what you checked and when.

FCA expectations. Decide early whether you need your own permissions (EMI, AISP, PISP) or will operate as an agent. Build your policy stack — risk, complaints, financial promotions, incident management and outsourcing — alongside the product. Operational resilience is practical: who declares an incident, what your impact tolerances are, and how you communicate with customers and partners.

Open Banking. Scope consent to the minimum necessary, explain purpose and duration in plain language, and implement token lifetimes, refresh, and revocation from the outset. Resist copying bank data you don’t need; minimise and expire.

UK GDPR & privacy. Complete a DPIA where risk is high (for example, biometrics or credit‑related processing). Record lawful basis per activity, separate consent from your terms, automate retention and deletion, and honour user rights without a support backlog.

PCI DSS (if you touch cards). Aim for zero PAN handling by pushing tokenisation and vaulting to your PSP. If card data ever crosses your boundary, scope tightly, segment networks, and keep evidence of scans and controls.

Security and accessibility. Align builds with OWASP ASVS, manage secrets properly, enforce least privilege in cloud/IAM, and maintain an audit trail that links user actions to business decisions. Accessibility is not a nice‑to‑have: authentication and payments journeys must work for keyboard and screen‑reader users, with clear focus order, contrast, and time‑outs that can be extended.

How to hire MVP developers in London

Look for teams that have shipped into this reality before. References for SCA and KYC implementations are worth more than generic portfolios; ask to see sample architectures and test evidence. Probe for FCA awareness — have they collaborated with SMF holders or an MLRO, and can they show you the artefacts?

On the engineering side, expect a secure SDLC with design reviews and threat modelling, CI gates for linting, tests and dependency checks, and an automated suite that regression‑tests authentication, onboarding, payments, and consent. Mature teams arrive with playbooks: incident response, rollback, fraud handling, and a plan for collecting evidence during the incident so audits aren’t guesswork later. Cadence matters too — short, focused iterations with a demo every one to two weeks, and explicit compliance checkpoints during discovery, build, and pre‑launch.

When you run vendor due diligence, ask for real outputs rather than promises: exemption decision logs from a previous build, a DPIA template they actually used, a working audit trail, and a redacted incident post‑mortem. The right partner will be comfortable showing you how they work, not just what they say.

Pitfalls to sidestep

Most failures rhyme. Over‑collecting personal data creates GDPR exposure without improving conversion. Skipping exemption logic bloats your SCA prompts and crushes success rates. Storing or logging PANs — even unintentionally — explodes your PCI scope. Thin or mutable audit trails make it impossible to explain KYC and payment decisions. Ignoring accessibility excludes customers and draws scrutiny. And unclear FCA permissions or an unclear PSP role can stall onboarding when you can least afford it.

Timelines and cost, realistically

A typical path looks like two to four weeks of discovery and design to map data flows, choose providers, draft your DPIA and SCA policy; six to ten weeks of integration work across auth, KYC, payments, consent and logging; and a further two to four weeks for hardening — pen testing, accessibility review, game days and an evidence pack. Budget for PSP fees, KYC checks, sanctions data, fraud tooling, observability, penetration testing, accessibility audit, legal review and a contingency for iteration after PSP or FCA feedback. The secret to hitting dates is simple: tie each user story to a control or evidence item so you never scramble before launch.

Disclaimer: This guide is informational and not legal advice. Engage qualified compliance counsel and coordinate with your principal firm and PSP as needed.

Ship faster without compliance re‑work. Get an evidence‑ready MVP team versed in SCA/PSD2, KYC/AML, FCA & GDPR.


Prefer email? Write to info@sigli.com.

FAQ

Do I need FCA authorisation for an MVP?

It depends on your regulated activities. If you provide account information or payment initiation services, or issue e‑money, you’ll typically need your own permissions or operate as an agent of an authorised firm. Decide early to avoid PSP onboarding surprises.

How do SCA exemptions work in practice?

Exemptions such as MIT, low‑value and TRA reduce friction when the conditions are met. Evaluate them in a central policy service, record the rationale, and be ready to step up when the exemption does not apply.
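The central policy service described in the SCA/PSD2 section above and in this answer, as an added example that is not code from the original article or from the agency: a server‑side engine that evaluates MIT, low‑value and TRA in a fixed order, records every decision with the reasons and the limits in force, and replays a recorded decision on a retry carrying the same idempotency key so the authorisation context survives recovery paths. The threshold values, field names and the 0‑100 risk‑score scale are assumed, configurable parameters, not regulatory text; load the limits that actually apply to you from your SCA policy.

```python
"""Added example of a server-side SCA exemption policy engine with a decision log.
Not code from the original article or the agency it describes. The thresholds,
field names and 0-100 risk-score scale are assumed, configurable parameters, not
regulatory text: load the real limits that apply to you from your SCA policy."""
from dataclasses import dataclass, asdict
from enum import Enum


class Exemption(str, Enum):
    NONE = "none"                           # no exemption: SCA (step-up) required
    MIT = "merchant_initiated"
    LOW_VALUE = "low_value"
    TRA = "transaction_risk_analysis"


@dataclass(frozen=True)
class Policy:
    # Amounts are in minor units (pence). Sample values, assumed for illustration.
    low_value_limit: int = 3000              # single-payment ceiling for low-value
    low_value_cumulative_limit: int = 10000  # cumulative exempt spend since last SCA
    low_value_max_count: int = 5             # exempt payments allowed since last SCA
    tra_amount_limit: int = 25000            # amount band the PSP's fraud rate permits
    tra_max_risk_score: int = 30             # fraud-tool score; lower is safer


@dataclass(frozen=True)
class PaymentRequest:
    payment_id: str
    amount: int                  # minor units
    merchant_initiated: bool     # payer absent, paying under a mandate set up with SCA
    remote: bool                 # remote electronic payment (low-value and TRA apply)
    risk_score: int              # from fraud tooling, assumed 0-100
    count_since_sca: int         # exempt payments since the payer last completed SCA
    cumulative_since_sca: int    # minor units spent since the payer last completed SCA


class ScaPolicyEngine:
    def __init__(self, policy: Policy = Policy()):
        self.policy = policy
        self.decision_log: list[dict] = []    # append-only: one record per decision
        self._by_key: dict[str, dict] = {}    # idempotency key -> recorded decision

    def evaluate(self, req: PaymentRequest, idempotency_key: str) -> dict:
        """Return the exemption decision, replaying it on a retry with the same key.

        A retried authorisation keeps its original context, cannot flip between
        exempt and challenged, and lets the caller de-duplicate the charge."""
        if idempotency_key in self._by_key:
            return self._by_key[idempotency_key]
        exemption, reasons = self._decide(req)
        decision = {
            "payment_id": req.payment_id,
            "idempotency_key": idempotency_key,
            "exemption": exemption.value,
            "sca_required": exemption is Exemption.NONE,
            "reasons": reasons,                # why SCA was, or was not, applied
            "request": asdict(req),
            "policy": asdict(self.policy),     # the limits in force at decision time
        }
        self.decision_log.append(decision)
        self._by_key[idempotency_key] = decision
        return decision

    def _decide(self, req: PaymentRequest) -> tuple[Exemption, list[str]]:
        p, reasons = self.policy, []
        if req.merchant_initiated:
            return Exemption.MIT, ["merchant-initiated payment under a mandate authenticated at set-up"]
        if not req.remote:
            return Exemption.NONE, ["not a remote electronic payment; low-value and TRA do not apply"]
        # Low value: single amount, running count and running total must all be within limits.
        if req.amount > p.low_value_limit:
            reasons.append(f"amount {req.amount} above low-value limit {p.low_value_limit}")
        elif req.count_since_sca >= p.low_value_max_count:
            reasons.append(f"{req.count_since_sca} exempt payments since last SCA reached the limit")
        elif req.cumulative_since_sca + req.amount > p.low_value_cumulative_limit:
            reasons.append("cumulative spend since last SCA would exceed the low-value limit")
        else:
            return Exemption.LOW_VALUE, [f"amount {req.amount} within low-value limits"]
        # TRA: only inside the amount band the PSP's fraud rate allows, and only for low-risk payments.
        if req.amount > p.tra_amount_limit:
            reasons.append(f"amount {req.amount} above TRA band {p.tra_amount_limit}")
        elif req.risk_score > p.tra_max_risk_score:
            reasons.append(f"risk score {req.risk_score} above TRA threshold {p.tra_max_risk_score}")
        else:
            return Exemption.TRA, [f"risk score {req.risk_score} within TRA threshold"]
        return Exemption.NONE, reasons


if __name__ == "__main__":
    engine = ScaPolicyEngine()
    req = PaymentRequest("pay_001", 2000, False, True, 55, 1, 3000)   # constructed
    first = engine.evaluate(req, "idem-1")
    print(first["exemption"], first["reasons"])
    print("retry replayed:", engine.evaluate(req, "idem-1") is first)
```

The decision record carries the request, the policy snapshot and the reasons together, which is what an auditor or PSP asks for when a challenge rate is questioned; the evaluation order (MIT, then low‑value, then TRA) is a design choice of this example and should follow your own policy.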

Can I launch without PCI DSS?

If card data never touches your systems — because a PSP tokenises and vaults it for you — your scope may be minimal. The moment you store, process, or transmit PANs, expect full obligations. Default to zero PAN handling.

What KYC level is enough for an MVP?

Start with a risk‑based baseline that matches your product and geography, then layer enhanced checks for higher‑risk cases. “Minimum” does not mean static: ongoing monitoring should exist from day one.

How should I log consent to pass audits?

Keep a consent ledger with the who, what, when and why: user identity, data categories, purpose and lawful basis, timestamps, expiry, and proof of withdrawal. Make it visible to users and auditable by regulators.
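One way to keep such a ledger, and the tamper‑evident evidence the KYC/AML section asks for, as an added example that is not code from the original article or the agency: an append‑only log in which every entry commits to the SHA‑256 of the entry before it, so altering or deleting any historical record breaks the chain; a user's current consents are derived by replaying grants and withdrawals up to a point in time and dropping expired grants. The field names, the purpose and lawful‑basis vocabulary, and the sample entries are constructed for illustration.

```python
"""Added example of a tamper-evident consent ledger with replayable state.
Not code from the original article or the agency it describes. The field names,
purpose and lawful-basis vocabulary, and the sample entries are constructed."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS_HASH = "0" * 64


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Helper so every timestamp in the ledger is timezone-aware UTC."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


class ConsentLedger:
    """Append-only ledger. Every entry commits to the hash of the one before it,
    so editing or deleting any historical entry breaks the chain and verify() fails."""

    def __init__(self):
        self.entries: list[dict] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        # Canonical JSON (sorted keys, no whitespace) so equal content always hashes equally.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(
            json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        ).hexdigest()

    def _append(self, event: str, ts: datetime, **fields) -> dict:
        entry = {
            "seq": len(self.entries),
            "event": event,
            "ts": ts.isoformat(),                      # when
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS_HASH,
            **fields,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def grant(self, user_id, purpose, data_categories, lawful_basis, at, ttl_days):
        # who, what (categories), why (purpose + lawful basis), and for how long
        return self._append("grant", at, user_id=user_id, purpose=purpose,
                            data_categories=sorted(data_categories),
                            lawful_basis=lawful_basis,
                            expires_at=(at + timedelta(days=ttl_days)).isoformat())

    def withdraw(self, user_id, purpose, at, proof):
        # proof: a reference to the evidence of withdrawal (ticket id, signed link id, ...)
        return self._append("withdraw", at, user_id=user_id, purpose=purpose, proof=proof)

    def verify(self) -> bool:
        """Recompute every hash and check each entry points at its predecessor."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def active_consents(self, user_id: str, at: datetime) -> dict:
        """Replay events up to `at`; the latest event per purpose wins; expired grants drop out."""
        state = {}
        for e in self.entries:
            if e["user_id"] != user_id or datetime.fromisoformat(e["ts"]) > at:
                continue
            if e["event"] == "grant":
                state[e["purpose"]] = e
            elif e["event"] == "withdraw":
                state.pop(e["purpose"], None)
        return {p: g for p, g in state.items()
                if datetime.fromisoformat(g["expires_at"]) > at}

    def export_for_user(self, user_id: str) -> list[dict]:
        """The user-visible view: every event about this user, in order, hashes included."""
        return [e for e in self.entries if e["user_id"] == user_id]


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample data for one fictional user."""
    led = ConsentLedger()
    led.grant("usr_0001", "kyc_verification", ["identity_document", "selfie"],
              "legal_obligation", utc(2025, 1, 10, 9), ttl_days=365)
    led.grant("usr_0001", "marketing_email", ["email_address"], "consent",
              utc(2025, 1, 10, 9), ttl_days=180)
    led.withdraw("usr_0001", "marketing_email", utc(2025, 3, 1, 12),
                 proof="unsubscribe-link:tok_EXAMPLE")
    return led


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain intact:", ledger.verify())
    print("active on 2025-04-01:", sorted(ledger.active_consents("usr_0001", utc(2025, 4, 1))))
```

Hash chaining on its own only makes tampering detectable by someone holding an independent copy of a recent head hash; anchoring the latest hash somewhere the application cannot rewrite (a write‑once store, or a periodic export to the auditor) is what turns detectability into evidence.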
