Banks have changed operating efficiencies by leveraging multiple customer interfacing channels. Banks introduced ATM’s in 1970’s, Call Centers in 1980’s and Internet Banking in 1990’s and since 2010, there was a huge plunge in mobile banking activity, with close to 30 million customers in the US.
This advancement in technology allowed banks to introduce many services over mobile devices securely. With newer services getting added to online mobile banking, there are new security concerns which IT departments at these banks need to follow religiously.
Here are some ways in which customers can use banking services:
- Online banking on desktop web browser
- Banking by using SMS (a.k.a. Text Banking)
- Online banking on phone (a.k.a. Phone Banking)
- Banking on ATM’s (ATMs)
- Mobile Banking on smart phones with web browsers and applications
Application testing for the software vertical continues to mature with a new set of automated tools such as Selenium, QTP for mobile and Perfecto Mobile
1. Integrated Channel Testing of Features (Signup, Alerts, Notifications, etc)
With more customers diverting to online banking, more online features are introduced some of the most popular features are:
1. Signup for online banking with terms and conditions
2. Account preview with details for account balance, transactions, check image and deposit slip
3. Money transfers
4. Changes to account profile
5. Request for services such as money order, cashier’s check, traveler checks
6. Bill payments
7. Electronic bill notifications
8. Reporting tools – to get the account summary / activity report
9. Linked accounts – such as brokerage, teen cash etc.
Software testing was focused on various banking channels to verify feature implementation across a wide customer base. Now, the testing solutions have matured to undertake integrations with various financial institutes like Bill Pay etc.
2. Data conditioning (setting up base condition, tear down setup, cleaning, etc.)
Recent data breaches in the banking sector have increased the need for strict regulations to test data. One of the key indicators which banking solutions had to focus on was improved risk management and compliance to regulatory guidelines. This can be achieved by using high quality, rich re-usable and secure data for testing banking solutions.
Banks can’t use live data in non-production environments as it is against industry standards. Even data masking (de-identify production data) is not sufficient to meet the security needs of the banking sector.
Hence, there is a need to plan for test data management which will help to create a data model with referential and relational integrity of production environments. Test data should also cover various banking categories such as retail, corporate, credit cards and investment banking.
The test data includes but is not limited to:
- bank accounts
- Customers holding the accounts
- Restrictions on accounts and customers
- Account types based on state and federal regulations
3. Validation of test steps across multiple systems
With modern online banking solutions, test steps design and development will be based on following characteristics:
a) Large scale Integration with various banking applications/ institutions (integration testing)
b) Complex business rules / workflows (continuity / functionality testing)
c) Real time transactions and batch processing (load testing)
d) Number of transactions per second (performance testing)
e) Transaction security (security testing)
f) Transaction reporting (audit trail / logging testing)
g) Storage /archival system (Data management / storage testing)
h) Audit (system / transaction audit testing)
i) Disaster management (disaster recovery testing)
Validation of test steps will be performed across online website and mobile applications. The test steps should be focused on business workflows which follows complex banking rules and regulations. The test steps will also cover various mobile platforms like iOS, Android, BlackBerry and Microsoft technologies.
4. Monitor the heath of applications across regions and different network carriers
With more number of customers using Online Banking Solutions (@30 million), there is a great need to monitor the mobile banking solution system for uninterrupted availability. This requirement also adds challenges because of frequent changes to mobile environments, additions of mobile handsets/platforms followed by load on wireless networks. The application health monitoring is done by advanced monitoring and testing network which provides object level performance across mobile web sites and mobile applications.
The monitoring systems provide data that should help:
a) Organizations to leverage performance management skills and best practices to improve productivity and operational efficiencies.
b) Quickly identify, diagnose, and resolve issues associated with mobile websites and applications.
Network testing is done to determine what happens when different network latency is applied when using the application. It can uncover possible problems with slow network links, etc. This testing focuses on scenarios when mobile carrier network goes down while banking transaction is in progress.
5. Verification and monitoring of apps validity in the app store
The application validation and monitoring process should be easy and quick to pre-publish the application on app store, reducing time to market. It should include best practices to submit the application following defined criteria, application attributes (such as app name, version, and type) and perform pre-defined validation / certification checks.
Mobile application certification testing focuses on analyzing the application, and verifies whether the mandatory attributes are provided and that all required information is complete. Incomplete submission should prevent application to be available on app store.
The Application validation includes following:
a) Credential checks: The system validates publisher ID, application UID, vendor ID if coming from a company, package file UID from the developer making the submission, etc.
b) Descriptor attributes: Critical descriptor attributes are checked against the application content.
c) Specific API analysis: The APIs of an application are analyzed and information is provided if unsafe APIs are used by the application, or if unauthorized third-party service providers’ APIs are used by the application.
d) List of supported devices: The list of devices claimed to be supported by the application is checked against the devices’ attributes that the application is supported on all the specified devices.
If there are any inconsistencies detected, the submission is flagged and depending on the severity level, is either rejected or triggers a manual review process for further examination. Applications developers can view their submitted content and track their status in the content workflow through the content submission tools and receive tracking alerts when their content is changing states.