Tinka - Responsibility, transparency and security: the fintech startup striving for more regulations


RESPONSIBILITY, TRANSPARENCY AND SECURITY: THE FINTECH STARTUP STRIVING FOR MORE REGULATIONS

PROJECT PARTNER


Daniela Lourenço, Chief Information Security Officer at Tinka on innovating the company’s security and governance framework while disrupting the deferred payment market.

BUSINESS INTERVIEW

BORN FROM THE DUTCH ONLINE RETAIL GIANT WEHKAMP, TINKA IS A DEFERRED PAYMENT PROVIDER BASED IN THE NETHERLANDS.

Since 1960, Tinka handled payments for Wehkamp, but as of 2019 the company embarked on a new chapter as a standalone enterprise. It now serves two million customers and handles more than 90 million transactions per year.

Tinka is on a mission to become the most recommended and responsible buy-now-pay-later provider – championing security, transparency and simplicity in the process.

Tinka is here to share insights into how the company is building an innovative new security and governance framework to serve its customers’ best interests while transforming the deferred payment market in the process.

Daniela starts by explaining how deferred payment providers are not regulated like credit products – but Tinka is looking to change that situation.

“What we're striving for is to get buy now pay later products regulated,” says Daniela. “So we've been liaising with the European Commission to have a more responsible way of lending money to people and to make sure that affordability is, of course, the main criteria.”

Elaborating on the notion of responsible lending, Daniela continues, “We make sure that the products we offer, although they are not regulated now, are presented as if they were regulated to have a sustainable way of offering credit and avoid making things difficult for people.

“With many players in the deferred payments sector, you only need an email address and telephone number, sometimes only a name and email, to secure buy now pay later credit without any background checks. They do not check if customers are actually able to repay, which in our view is very dangerous because it encourages people to get into debt.

“What we do instead is consider all the products that offer something similar to credit as regulated – so for us that means making affordability checks mandatory. We also want to make sure that by regulating this part of the market all the costs associated with lending are transparent. There are sometimes hidden charges or hidden interest rates with deferred payments. They accumulate and then collection agencies get involved. What we want to guarantee is transparency for the consumer. If the consumer knows how much they can borrow, what they must pay in return and any costs that are associated with the offer, laid out transparently, they can make sensible and informed decisions.”

So how do security and governance factor into the transparent, sensible deferred payment products provided by Tinka?

SECURITY

Daniela joined Tinka in 2022 to build the company’s security roadmap and posture as a standalone enterprise moving from a retail to a fintech mindset. By making this transition, Tinka needed to incorporate new regulations and requirements into its operations.

The security roadmap and governance policies at Tinka gravitate around being future-ready and as robust as possible, while also keeping the company’s mission in mind.

Automation and native solutions free up the capacity to focus on the human element of cybersecurity at Tinka. Daniela reiterates that the company’s core mission has two layers: to be the most responsible and most recommended deferred payment provider. Striving towards these goals comes with responsibility, which demands high levels of security provision.

“So as a fintech provider, we always remain one step ahead in terms of requirements and what is right for the consumer but also for all the stakeholders,” says Daniela. “This means meeting or exceeding the regulatory frameworks of the Netherlands and the EU.”

Here, Tinka is always looking ahead and anticipating new legislation, including two major regulations that will take effect in 2024.

First is the NIS2 Directive – the EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU. It modernises the existing legal framework to keep up with increased digitisation and an evolving cybersecurity threat landscape. By expanding the scope of the cybersecurity rules to new sectors and entities, it further improves the resilience and incident response capacities of public and private entities, competent authorities and the EU as a whole.

The second important piece of legislation Tinka has in mind as a company is the Digital Operational Resilience Act (DORA) which will make sure the financial sector in Europe is able to stay resilient through severe operational disruptions.


After performing a gap analysis comparing regulatory and legal frameworks to the state of play at Tinka, Daniela explains how the company deploys the right framework providing a robust set of group controls from globally recognised institutions.

“I like using the NIST Cyber Security Framework which is from the US National Institute of Standards and Technology. It is very complete, very thorough and it is being used by many industry peers because it's a more proactive approach than, for example, following ISO 27002.”

Tinka is also innovating in terms of its cybersecurity by putting native solutions first and automating as many processes as possible. These measures are not only there to protect customers and stakeholders, but they are also time-saving mechanisms to focus on training colleagues and the human element of cybersecurity.

“I'm really proud to say that our employees, or our ‘Tinkans’ as we call them, are very much cyber aware,” says Daniela. “They have even spotted some really sophisticated, fraudulent attacks. Involving them has brought that maturity that unfortunately you do not see in the industry often. I'm delighted that we've built that maturity – we understand the need for innovating and for transforming to be digital first and we get technology to work for us. However, let's not forget about the colleagues that are actually people and they are targets like any other person and I'm very proud that we've built that resilience.”

Tinka and Levi9: The Ultimate Partnership for the Future of Payment Solutions

At Levi9, we pride ourselves on helping our customers achieve their ambitious goals with cutting-edge technology solutions.

In 2022, Tinka faced a significant challenge of separating from its parent company, Wehkamp, while also innovating the Buy Now, Pay Later (BNPL) market and diversifying its products and customers. As Tinka had a vast amount of historical Structured Query Language (SQL) data to manage, a seamless transition without affecting business continuity was vital.

Our team proposed a groundbreaking hybrid cloud setup, leveraging an existing Direct Connect line between Tinka’s data centre and Amazon Web Services (AWS), to move ~20 VMs & ~30TB of SQL data in a fast and cost-effective manner, ensuring a smooth migration in just six months. By modernising its infrastructure with a fully maintainable, resilient and reproducible setup, Tinka has unlocked new opportunities for growth and diversification.

The collaboration with Levi9 enabled Tinka to achieve several key objectives:

• Secure storage: The new account system allows Tinka to store sensitive customer data, including personal information, in a secure and compliant manner.

• Exclusivity: The system is designed specifically for Tinka and its customers, ensuring a tailored experience.

• Seamless integration: It connects securely with Tinka’s microservices and backend infrastructure, enabling streamlined operations.

• Empowering customers: Tinka’s customers can now securely view and modify their data, giving them control and transparency.

• Agent access: Tinka agents can securely view and modify customer data, improving their ability to provide exceptional support.

• System compatibility: The new account system allows for secure data modification and viewing across various systems.

• As this account system becomes the foundation for Tinka’s customer interactions, it opens up new opportunities for the company to onboard additional merchants, driving growth and success.

Our innovative approach and expertise can help your business thrive in the ever-evolving IT landscape. Reach out to us today to learn more about how we can help you achieve your goals.

www.levi9.com

But what are some of the most pressing security concerns that Tinka considers threats to consumers and stakeholders?

Daniela identifies four main factors: social engineering, supply chain vulnerabilities, cloud exploits and artificial intelligence (AI).

“Social engineering is on the top because it can be used either towards the customer, by impersonating Tinkans somehow, trying to defraud our own employees for immediate financial gain or they will try and get data that is for immediate financial gain or to weaponise data.

“Credit information is very sensitive and of course very profitable in underground markets, so I think that's the top threat.

“Second, correlated to that, we have supply chain vulnerability. For clarity, this is not that we fear that our supply chain will attack us, but it's the fear that attackers might leverage our supply chain to get to us if they compromise a partner.

“Third we have cloud exploits. As we are digitally driven and cloud-first, hostile attackers might exploit the services that we work with as a company. We work with big players like Google, and we build trust relationships with those services. But it is an increasingly common way of compromising one cloud service to get to another cloud service and performing that movement across services is something we are also cautiously concerned about.

“Lastly, something else that has been coming up, of course, is AI and deep machine learning.

“These are threats because they make the simplest attack more sophisticated. They offer ways of counteracting and evading already existing security systems. For instance, AI can learn how to evade antivirus systems because it will study how they work. So let's say an attacker runs a scan and he finds out that the anti-spam system of your e-mail will block any e-mail that isn't coming for more than 50 people at night. So what the machine will do is send 49.

“So AI and deep learning are adaptive in terms of the security systems and it's allowing for more flexibility in protections and responding to new threats. But the threat actors are already two or three steps ahead. So indeed, it's both a benefit and an unknown risk that we are still experimenting with.

“If you join AI and social engineering together, you have a very powerful attack to deal with.

“You have advanced technological ways to perform an attack combined with old school delivery techniques, like a social engineering attack. Phishing, vishing, smishing, all those acronyms that mean one thing: people being deceived or being exploited by exploiting their willingness to help or because people are exhausted or people are distracted, so it exploits what some call ‘human weakness.’”
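Detection logic for the threshold-evasion case Daniela describes above (an added example, not code from the article or from Tinka or Levi9): a fixed per-message recipient rule misses four messages of 49 recipients each, while a per-sender sliding-window count flags the same burst. The log lines, sender addresses and thresholds are constructed for the example.

```python
# Added example, not from the Tinka article or any Tinka/Levi9 system.
# A fixed per-message recipient limit is evaded by sending just under it;
# a per-sender count over a sliding window is not. Log format, sender
# names and thresholds are constructed for this example.
from collections import deque
from datetime import datetime, timedelta

# Constructed sample mail log: "<ISO timestamp> <sender> <recipient_count>"
SAMPLE_LOG = """\
2023-03-01T02:00:05 mailer@example.test 49
2023-03-01T02:00:40 mailer@example.test 49
2023-03-01T02:01:10 mailer@example.test 49
2023-03-01T02:01:55 mailer@example.test 49
2023-03-01T02:03:00 alice@example.test 3
2023-03-01T09:15:00 newsletter@example.test 48
"""

PER_MESSAGE_LIMIT = 50          # the fixed rule the attacker probes and stays under
WINDOW = timedelta(minutes=5)   # sliding window for the aggregate rule
WINDOW_LIMIT = 100              # max recipients per sender within one window


def parse_log(text):
    """Parse the constructed log into sorted (timestamp, sender, recipients) tuples."""
    events = []
    for line in text.splitlines():
        ts, sender, count = line.split()
        events.append((datetime.fromisoformat(ts), sender, int(count)))
    return sorted(events)


def per_message_alerts(events):
    """Naive rule: alert only when a single message exceeds the limit.
    Four messages of 49 recipients each pass this rule untouched."""
    return [(ts, sender) for ts, sender, n in events if n > PER_MESSAGE_LIMIT]


def sliding_window_alerts(events):
    """Aggregate rule: alert when a sender's recipient total over WINDOW
    exceeds WINDOW_LIMIT. One alert per sender per burst."""
    recent = {}      # sender -> deque of (timestamp, count) inside the window
    alerted = set()  # senders already alerted for the current burst
    alerts = []
    for ts, sender, count in events:
        q = recent.setdefault(sender, deque())
        q.append((ts, count))
        while ts - q[0][0] > WINDOW:     # drop events older than the window
            q.popleft()
        total = sum(n for _, n in q)
        if total > WINDOW_LIMIT:
            if sender not in alerted:
                alerts.append((ts, sender, total))
                alerted.add(sender)
        else:
            alerted.discard(sender)
    return alerts
```

Against the sample log the naive rule returns nothing, while the windowed rule raises one alert for `mailer@example.test` once its third 49-recipient message pushes the five-minute total to 147.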

But Daniela rejects the overused phrase ‘human weakness.’

“Some of my peers see the human as the weakest link,” says Daniela. “I personally hate that mentality because the human can actually be the strongest link. With the blending of highly advanced AI machine learning and attacks that your systems may not be able to detect and report on time, you then must rely on the human to detect, spot and counteract it.”

“So that's why I don't believe that humans are the weakest link. They may be the strongest link in fact. Humans are the only safeguard we have if we enter the age of quantum computing. We need to realise this and focus on the human element – it is very important.”

SCALABILITY

With these innovative and robust security policies and governance systems in place, Tinka is now looking to scale its operations.

Some immediate priorities at Tinka include scaling its human resources and technical assets to complement their work-from-anywhere policy.

PARTNERS

Crucial to these endeavours is Levi9.

“Levi9 provides us with expertise for SMEs especially in the development area throughout the organisation and with their human resources we can maintain Tinka as an asset-light organisation,” says Daniela.

“We have benefitted from the expertise and resources that are available from Levi9 and the relationship works very well. Sometimes it is difficult to understand where Tinka ends and Levi9 begins because we work so well together that it is hard to understand who is internal and who is external. We have a five-year relationship with them, and it is not common to have that informal and very close collaboration for so long.


Fasttrack Modernisation: Unleashing the Power of Cloud-Native Architecture with Levi9

Is your business grappling with an inefficient and overly complicated hybrid cloud infrastructure? Are you curious about the benefits of cloud-native architecture but unsure if it applies to your organisation? Enter Levi9’s Fasttrack Modernisation Assessment – a three-week review designed to help you unlock the potential of your IT landscape.

Levi9’s comprehensive assessment is tailored for companies with legacy IT systems or complex hybrid cloud infrastructures. If you find that your applications are monolithic, difficult to change and prone to breaking unexpectedly, Levi9 can help you identify the right time and approach for a massive transformation.

The Fasttrack Modernisation Assessment begins with a one-hour intake meeting to discuss your business objectives, technical challenges and scope of work. Levi9’s experts will walk you through the critical factors to consider when modernising your IT landscape.

The assessment, carried out iteratively in 2-4 weeks, evaluates your workloads, current architecture and codebase. Levi9 will analyse the benefits and costs of moving to a cloud-native architecture and create a tailor-made approach for migration and modernisation in case of a positive business case.

By leveraging Levi9’s 18+ years of experience in designing and using cloud architectures, you can transform your IT landscape into a nimble, microservices-oriented modularised architecture. The outcome of the Fasttrack Modernisation Assessment includes independent expert advice, a modernisation plan, high-level timelines, proposed architectural design, cost estimation and an approach to transition from the as-is to the target situation.

Levi9 has successfully migrated and modernised complex application landscapes for clients such as Essent, Volkswagen Pon Financial Services, PVH and Tinka. Their pragmatic approach has resulted in running cost reductions of over 25 per cent, a 100 per cent increase in the velocity of development teams and a 30 per cent reduction in the cost-to-change.

Don’t let your legacy IT systems hold you back – choose Levi9 to help you embrace innovation, increase productivity and unlock the true potential of your IT landscape.

Find out more at: www.levi9.com

The ultimate goal at Tinka is to use its influence as a responsible and transparent deferred payments provider to make the buy now pay later markets regulated.

For 2023, this means looking inwards to review the company’s products and confirm or verify if they remain the best, most affordable and responsible choices for consumers in the Netherlands.

But Daniela explains that Tinka’s strategies for scaling their operations, with partners like Levi9 onboard, arose from the context of becoming a standalone company from Wehkamp in 2019.

“We need to build up on what we left behind, mostly in terms of architecture and ICT assets. We need to learn, as I say, to walk on our own. Although we've been doing this for 60 years, now it is under Tinka's name, with our rules, our principles and virtues,” summarises Daniela.

Added Value

Company culture

Working at a fintech startup 60 years in the making with a clear mission and virtues is refreshing for Daniela and she celebrates the company culture at Tinka.

“In terms of the culture at Tinka, we don't go by the values because they can seem like something that is static or on paper – but we do live by our virtues. These are captured in the Tinka initials: it’s about being truthful, intrepid, nurturing, knowledgeable, and all in.”

Bigger picture

Daniela’s background is not in IT – she studied communication and cultural studies, topped up with an executive master's degree in cyber security.

For more information visit the Tinka website at tinka.nl


Her academic and postgraduate training influences her passion for educating people on cyber security because it not only improves awareness for Tinka as a company but society more broadly.

“It is vital to understand the culture you are in to communicate your message in a way that it can be understood,” elaborates Daniela.

“That is where the cybersecurity industry fails sometimes because

approaching, we have many people that still do not know how to handle a computer or phone and we have this huge discrepancy between what we are able to do and what people, in general, are able to do. And this discrepancy creates vulnerability.

“So what I really would like to see is for the industry, in terms of cybersecurity practitioners, to learn how to communicate and not forget who is involved and in the trenches.

“Maybe this involves a customised approach to understanding the risks that people actually face on the ground. In security, there is no one-size-fits-all. So you need to engage, it's our responsibility as practitioners to verify if the audience understands the message, that we look out for what is important to them and how we can help protect them – not the other way around.”
