App Validation Process

The validation process provides peace of mind for the banks browsing the marketplace. In this section you learn about the validation process and the guidelines for the acceptance criteria.

The fees and all the commercial details of the FusionFabric.cloud program are detailed in the Program Guide.

Validation Steps

All submitted apps must pass a validation process, which includes the following steps:

Step: Details
Legal and compliance: Due diligence review by Finastra (Legal and Risk team) to register you as a vendor.
Product review: After the development of your app, you should organize a demo session to validate the technical integration with FusionFabric.cloud building blocks - APIs, SPIs, datasets.
Go to Market: Sales enablement - all documentation must be provided to support sales activities. Creation of relevant records in the Finastra CRM system to track opportunities and close deals.
Security assessment: Technical review by an independent 3rd party. See the details in the next section.

The first three steps are conducted by Finastra.

The fourth step, the security review, is performed by Finastra’s global security partner, Synopsys. All validation costs are pre-negotiated with Synopsys, so the cost of a 3rd party security assessment and report is attractive, regardless of its connection to FusionFabric.cloud.

The security review step is mandatory for signing off the contract with your app’s first customer.

Apps may fail the security review because of poor performance, inadequate security, or other technical or user experience reasons. There are clear guidelines for the acceptance criteria, so that your app passes the validation process the first time. If it does not, you will be provided with feedback explaining why the app failed the review and the corrective action plan to be taken.

The security validation process can take up to one calendar month.

Onboarding Stages

The publication to FusionStore is a multi-stage process, that allows you to engage progressively.

Stage: Details
Coming Soon: This stage is important for building demand for your app among Finastra clients in FusionStore. Once you pass this stage, your app is available in FusionStore marked with a Coming soon label.
In Store: In this stage, your app is published on FusionStore and starts to track opportunities among Finastra’s customer base.
In Market: This stage represents the final validation of your app. You can now sign contracts with customers.

Figure: an app with the Coming Soon label in FusionStore (in the Coming Soon stage, your app is published in FusionStore with this label).

Activities for Progressive Onboarding

Here are, briefly, the mandatory activities that you will perform to pass the validation steps for each progressive stage of your onboarding to FusionStore.

Validation step: Activities per stage (Coming Soon, In Store, In Market)
Legal and compliance:
  • Coming Soon: Finastra contract is signed.
  • In Store: First level of due diligence with a general questionnaire.
  • In Market: Due diligence completed with all the additional documentation.
Product review:
  • App card is published in FusionStore.
  • Demo session to validate the technical integration with the registered building blocks - APIs, SPIs, datasets.
Go to Market:
  • Provide documentation - app brief, pitch deck - to support sales activities.
  • Creation of relevant records in the Finastra CRM system - vendor and product.
Security assessment:
  • The app security assessment is completed.

To find out more about Finastra’s building blocks and how to use them, check the FusionCreator Applications section.

Security Assessment

App Classification

Each app requires a distinct level of access to financial institutions’ data, so the validation levels are defined according to:

  • the access type: read vs. update
  • data classification: financial data vs. Personally Identifiable Information (PII).

Apps can be classified into two levels:

Level 1: Reads financial data
Level 2: Updates financial data or reads PII

Validation Buckets

Each classified app can be bucketed into one of the three options – Standard, Advanced, and Premium.

Validation bucket: Activities
Standard:
  • Security control assessment
Advanced:
  • Standard validation
  • Static Application Security Testing (SAST)
  • Software Composition Analysis (SCA)
Premium:
  • Advanced validation
  • Manual code review for API and dataset misuse
  • Penetration testing

The Standard validation includes the security questionnaire, which covers many of the information security questions a financial institution would ask during a vendor risk assessment process.

The Advanced and Premium validations include more technical reviews to provide more confidence to the financial institutions during the app selection process.

Each app has a unique branding on FusionStore, which allows financial institutions to select it based on its risk profile. Finastra recommends that financial institutions choose the certification bucket according to the app classification.

Finastra requires, at a minimum, an annual standard validation bucket for apps that fall into level 1, and an annual advanced validation for apps in level 2.

Please click here for detailed guidance on the security assessment process and questionnaire.

FusionStore Application Page Badge Qualifications

Each application page in FusionStore has badges based on the specific onboarding steps completed by the fintech. This information is controlled and updated by the Finastra team.

Badges

The table below illustrates badges and their details:

Badge: Details
Company Verified: The company has passed the due diligence performed by the Finastra Legal and Risk Team, based on the following information:
  • General information: legal name, address, registration number, etc.
  • Information about subsidiaries, joint ventures, and other affiliates
  • Information about directors/shareholders and their affiliation with Finastra, financial institutions, or government officials
  • Company registration certificate
Security Verified: The application has undergone a security control assessment performed by Finastra’s global security partner Synopsys, and the Finastra Security Team has confirmed that the assessment passed. See the linked page for more information.
Commercial Model: The app’s commercial model is one of the following:
Refer:
  • Application and support SLA owned by the fintech
  • Client contract owned by the fintech
  • Go-to-market primarily led by the fintech, with involvement from Finastra
Resell:
  • Application owned by the fintech
  • Client contract and support SLA owned by Finastra
  • Go-to-market primarily led by Finastra, with support from the fintech
API Consumption Only:
  • 3rd party (service provider, fintech) integrates with Finastra using platform APIs or a direct connection
  • 3rd party is entirely responsible for go-to-market activities and client contracting
Finastra Application:
  • Application and support SLA owned by Finastra
  • Client contracts owned by Finastra

Release Management

Your app is subject to a lifecycle that is a continuous loop: you are expected to deliver updates to your app as periodic releases. Each release published to FusionStore is reviewed by Finastra. Each app release into FusionStore, and any significant infrastructure change on the app developer’s side, is required to pass a release validation to ensure that the security controls are maintained.

Below is an overview of the release management process and applicability to the chosen buckets.

Change: Low-Impact Change
Description: Bug fixes and UI modifications. Metadata updates or integrations with newer versions of APIs or datasets. No action is required from Synopsys.
Activities:
  • Finastra files release notes
Applicable validation buckets: All

Change: Medium-Impact Change
Description: Functionality that reads Financial Data.
Activities:
  • Low-impact change activities
  • Secure design review
Applicable validation buckets: Advanced, Premium

Change: High-Impact Change
Description: Functionality that updates Financial Data or accesses PII.
Activities:
  • Medium-impact change activities
  • Lightweight Static Application Security Testing (SAST)
  • Software Composition Analysis (SCA)
Applicable validation buckets: Advanced, Premium

Change: Annual Review
Activities:
  • Review of architecture changes that impact the foundations of the app - security, data residency, WAF replacement.
Applicable validation buckets: All