The global mobile banking application market was valued at $26.28 billion in 2025 and is projected to reach $76.8 billion by 2035 at a CAGR of 11.32%. A broader measure of the mobile banking market — including transaction volumes — stood at $1.87 trillion in 2025 and is projected to reach $6.42 trillion by 2033. 3.6 billion people use online banking globally; 72% of banking customers worldwide use mobile banking apps regularly, and 39% name mobile apps as their primary method for managing money.
For engineering teams building banking software — whether at traditional institutions modernising their mobile channel, neobanks building mobile-first, or fintechs embedding banking features into non-financial products — understanding the complete architecture is the prerequisite to delivering. Mobile banking is not a web app on a phone. It is a heavily regulated, security-critical, high-availability system with specific compliance obligations and user trust requirements that shape every architectural decision.
The Core Architecture Layers
A production mobile banking system has four distinct architectural layers, each with different technical requirements.
1. Mobile Client Layer
The client-side application — iOS (Swift/SwiftUI) or Android (Kotlin/Jetpack Compose), plus cross-platform frameworks (React Native, Flutter) for teams that need both from a single codebase.
Cross-platform vs. native: React Native and Flutter have matured to the point where most banking applications can deliver acceptable performance from a single codebase. The exceptions: applications that require deep integration with platform-specific biometric APIs (Face ID, Android Biometric API), applications with complex animations and custom UI, or applications where regulatory requirements mandate specific platform attestation capabilities. Many mid-market banks choose Flutter for its performance and strong TypeScript interop; larger institutions tend toward native for control and performance guarantees.
Client-side security: mobile banking apps face a specific threat model — rooted/jailbroken devices, SSL certificate pinning bypass attempts, screen capture attacks in shared environments, and keylogger access on compromised devices. Required protections: certificate pinning (block traffic unless the server certificate matches the pinned certificate), root/jailbreak detection, runtime application self-protection (RASP), and secure local storage using the platform keychain (iOS Keychain, Android Keystore) rather than plain-text local files.
2. API Gateway Layer
All client-to-server communication passes through an API gateway that handles authentication, authorisation, rate limiting, and request routing. Banking API gateways must handle:
- Authentication: OAuth 2.0 with PKCE (Proof Key for Code Exchange) for mobile clients; OpenID Connect for identity federation. FAPI (Financial-grade API) — the security profile built on top of OAuth 2.0 and OIDC specifically for financial APIs — mandates mutual TLS (mTLS), pushed authorisation requests (PAR), and signed/encrypted JWT tokens. FAPI compliance is required for Open Banking APIs in the EU, UK, and Brazil.
- Rate limiting and fraud signal integration: abnormal request rates (high-frequency balance checks, rapid sequential transfers) are early fraud signals. The API gateway should expose rate-limiting events to the fraud detection system in real time.
- API versioning: banking APIs change slowly — breaking changes require months of coordinated client releases. Versioned APIs with long deprecation windows are mandatory.
3. Core Banking Integration Layer
The middle layer between modern microservices and legacy core banking systems (Temenos, Finacle, Flexcube, Jack Henry). This is typically the highest-complexity engineering challenge in banking software modernisation.
The integration pattern that works: event-driven architecture with a core banking integration layer that exposes core banking functions (account balance, transaction posting, payment instruction, statement retrieval) as domain events on a message bus (Kafka, AWS EventBridge), consumed by microservices that implement the application logic. This decouples the modern application layer from the core banking system’s batch processing model and enables real-time responsiveness without requiring core banking replacement.
FHIR for banking: unlike healthcare (FHIR for health data) or insurance, banking does not have a universal data exchange standard equivalent. Open Banking APIs (PSD2 in the EU, Open Banking Standard in the UK, CDR in Australia) define specific API schemas for account information and payment initiation — these are the interoperability standards that matter for open banking integration.
4. Service Layer
The microservices implementing banking features. Key services and their engineering characteristics:
Account and balance service: the read-heavy service accessed by every app open. Must be highly available (99.99%+ uptime); typically implements a caching layer (Redis) in front of core banking calls with cache invalidation on transaction posting events. Balance displayed must be ledger-accurate — stale cache that shows an incorrect balance is a compliance issue.
Payment and transfer service: write-heavy, must guarantee exactly-once delivery. Idempotent payment instructions (each instruction has a unique idempotency key; retrying the same key produces the same result without double posting) are essential for handling mobile client retries on network failures. Payment flows that cross banking systems use ISO 20022 — the international financial messaging standard replacing SWIFT MT formats — for interbank instruction formatting.
Notification service: push notifications for transaction alerts, security events, and account updates. Notification reliability matters — a missed fraud alert notification is a trust failure. Use FCM (Android) and APNs (iOS) directly rather than wrapper services that add latency; implement a delivery receipt loop that falls back to SMS for critical security notifications.
Security Architecture
Authentication Stack
Multi-factor authentication (MFA): required by regulators in most markets and now standard user expectation. The recommended stack in 2026:
- Primary factor: biometric (Face ID / Touch ID / Android Biometric) backed by platform hardware security (Secure Enclave on iOS, StrongBox on Android). The biometric template never leaves the device — the platform returns a cryptographic assertion, not biometric data.
- Step-up authentication: for high-risk actions (large transfers, new payee setup, profile changes), step-up to FIDO2/WebAuthn passkey or TOTP. Passkeys are the 2026 standard — phishing-resistant, hardware-bound, no shared secrets.
- Fallback: SMS OTP as a fallback only (vulnerable to SIM-swap attacks; treat as lowest-assurance factor).
Session management: short-lived access tokens (15–60 minute expiry) with refresh token rotation. Refresh tokens must be stored in the platform keychain (never in app storage). Implement forced re-authentication on session anomalies: device change, IP geolocation jump, or extended inactivity.
Encryption and Data Protection
- In transit: TLS 1.3 with certificate pinning. FAPI requires mTLS for API-level authentication (client certificate authentication proves the client identity at the transport layer, not just the application layer).
- At rest: AES-256 for all PII and financial data. Encryption keys managed via a hardware security module (HSM) or cloud KMS — never embedded in application code or configuration.
- Tokenisation: payment card numbers and account identifiers are tokenised — the raw value is stored in a vault; the application works with tokens that are meaningless outside the vault context. Reduces the blast radius of a database breach.
Fraud Detection Integration
Real-time fraud scoring must run on every high-risk transaction event. The integration pattern: the payment service publishes a payment request event to the fraud detection service before authorising the transaction. The fraud service returns a risk score (and optionally blocks the transaction) within a latency budget — typically under 200ms for seamless user experience. Fraud models use transaction graph analysis, behavioural biometrics (typing rhythm, device motion patterns), geolocation velocity checks, and device fingerprinting as features.
AI and Personalisation Features
The 2026 mobile banking app is differentiated by AI-driven features that legacy institutions cannot easily replicate:
AI financial assistant: conversational interfaces (LLM-backed chatbots) that answer balance queries, explain transactions, categorise spending, and provide forward-looking insights (“You’re on pace to exceed your dining budget by £140 this month”). These require integration between the LLM and real-time account data via structured function calling — the LLM calls account data APIs rather than ingesting raw transaction data.
Spending categorisation and insights: ML models that classify transactions by merchant category, identify recurring subscriptions, and surface anomalies. Training requires labelled transaction datasets; production systems use a combination of merchant category codes (MCC) from the card network and NLP on merchant names for uncategorised transactions.
Smart push notifications: ML models that predict which notifications a user will engage with and suppress low-value alerts. Notification fatigue is a retention risk — a user who disables notifications because they are too frequent misses fraud alerts. Models trained on open rate data by user segment, time of day, and notification type improve engagement without increasing volume.
Embedded finance features: lending, insurance, and investment products embedded in the banking app’s natural user flows. A user who just made a large purchase sees a relevant personal loan offer; a user with a travel booking in their transactions sees travel insurance. The architecture: a product recommendation engine that subscribes to transaction events and evaluates eligibility and relevance in real time, triggering targeted offers via the notification and in-app surface system.
Regulatory and Compliance Requirements
PSD2 and Open Banking (EU)
The EU’s Payment Services Directive 2 (PSD2) mandates that banks expose account information and payment initiation capabilities to licensed third-party providers (TPPs) via open APIs. The technical requirements: FAPI-compliant API endpoints for account information (AIS) and payment initiation (PIS); strong customer authentication (SCA) for payment transactions above defined thresholds; transaction monitoring for fraud prevention that does not introduce friction below the SCA threshold.
PSD3 is in development and expected to further harmonise open banking requirements across the EU, expanding data access and tightening API standards.
GDPR and Data Minimisation
Financial data is special category data under GDPR. Mobile banking apps must: collect only data necessary for the stated purpose; retain data only as long as required; provide users with access, correction, and deletion rights; and maintain records of processing activities. The engineering implication: data minimisation must be a design constraint, not a compliance review afterthought. Each data field in the user model requires a documented legal basis.
PCI DSS (Payment Card Data)
If the application stores, processes, or transmits payment card data, PCI DSS applies. The standard approach: tokenise all card data through a PCI-compliant vault so that the application itself never handles raw PANs. The vault handles PCI scope; the application is de-scoped.
How we approach this at Insoftex
The API architecture, fraud detection, and compliance patterns that mobile banking requires are ones we have built in production fintech contexts. Our lending risk assessment platform uses real-time event-driven decision infrastructure — the same architectural requirement as mobile banking’s fraud detection layer, where transaction scoring latency directly determines whether a fraudulent transaction is blocked before it clears. The critical design decision in both cases: the scoring model must operate on a separate path from the core transaction flow, with deterministic fallback behaviour when the model is unavailable, so that model latency or availability issues do not degrade the core banking function.
The compliance architecture for mobile banking — PSD2 open banking APIs, FAPI security profiles, PCI DSS tokenisation, GDPR data minimisation — requires the same scoping-before-architecture discipline we apply to every regulated financial services engagement. FAPI compliance, specifically, is one where we encounter the most planning gaps: teams select an OAuth 2.0 library before confirming it supports pushed authorisation requests and mutual TLS, then discover mid-build that the library requires a fork or replacement. We review the full regulatory requirement set against the proposed technology stack before the architecture is finalised.
The biometric authentication and step-up authentication design is where mobile banking adds complexity beyond the backend compliance requirements. The session model must handle silent re-authentication for ambient monitoring, explicit biometric challenge for high-value transactions, and fallback paths for users whose biometric enrolment fails — all within the FAPI client authentication model. We scope the authentication flow as an explicit deliverable in the Product Pilot for mobile banking engagements, because the authentication design affects the API contract, the session management architecture, and the compliance evidence that supports the regulatory posture.
Building a mobile banking app or embedded financial product? Our fintech engineering team builds mobile banking, payments, and compliance-critical platforms. Start with a Product Pilot for architecture design, security stack, and regulatory mapping in three weeks.
Frequently Asked Questions
What is FAPI and why does it matter for banking APIs?
FAPI (Financial-grade API) is a security profile for REST APIs developed by the OpenID Foundation specifically for financial services. It builds on top of OAuth 2.0 and OpenID Connect, adding requirements that address the specific threat model of financial APIs: high-value transactions, regulatory accountability, and sophisticated attackers. FAPI's key additions over standard OAuth 2.0 include: mutual TLS (mTLS) for client authentication — the API client proves its identity via a client certificate at the transport layer, not just via a client secret; pushed authorisation requests (PAR) — the client sends authorisation parameters directly to the authorisation server before redirecting the user, preventing authorisation request tampering; signed request objects — authorisation parameters are packaged in a signed JWT, preventing parameter injection; and JARM (JWT Secured Authorisation Response Mode) — the authorisation response is also signed, preventing response tampering. FAPI compliance is mandatory for Open Banking API implementations in the EU (PSD2), UK (Open Banking Standard), Australia (CDR), and Brazil (Open Finance Brazil). For banks building APIs that will be consumed by third-party fintechs, FAPI compliance is the technical prerequisite for regulatory approval.
How does ISO 20022 affect mobile banking development?
ISO 20022 is the international financial messaging standard replacing SWIFT MT formats for interbank payment instructions. The transition has been underway since 2022 and is largely complete for major payment systems (SWIFT, SEPA, UK Faster Payments, US FedWire) by 2026. For mobile banking development teams, ISO 20022 matters at two levels. At the integration level: if your banking platform communicates with correspondent banks, payment systems, or core banking systems that use ISO 20022, your payment instruction formatting must conform to the standard's XML schema (MX message format). ISO 20022 messages carry significantly more structured data than MT messages — sender/receiver information, purpose codes, remittance data — enabling richer transaction categorisation and improved fraud detection. At the UI level: ISO 20022's richer remittance data creates the opportunity to display better transaction information to users — a transfer reference, a payment purpose description, a structured invoice reference. Applications that surface this data to users deliver meaningfully better UX than those that show only a legacy transaction description field. Teams building against modern banking APIs should use ISO 20022 MX message formats natively rather than mapping from legacy MT formats.
What is embedded finance and what APIs does a mobile banking app need to support it?
Embedded finance is the integration of financial services (banking, lending, insurance, payments) into non-financial applications. From a mobile banking perspective, it works in both directions: a banking app can embed non-banking services (travel, insurance, investment products from partners) within the banking experience; and a banking app can expose its financial capabilities (account data, payment initiation) as APIs consumed by third-party apps. Supporting embedded finance within a banking app requires: (1) A product catalogue API that exposes partner products with eligibility logic — the app queries eligibility at transaction time and surfaces relevant offers contextually. (2) A consent management system that captures user consent for data sharing with specific partners, manages consent lifecycle, and enforces data access permissions per consent scope. (3) A unified event stream that shares relevant transaction events with the product recommendation engine — lending pre-approval at large purchase, insurance at travel booking, investment opportunity at recurring surplus detection. (4) A partner SDK or white-label UI component system that allows partners to embed their product flows natively within the banking app without custom integration per partner. The regulatory complexity: embedded finance partnerships require clear data sharing agreements, documented legal basis for data processing, and TPP licensing verification — all of which must be captured in the consent management system before data flows.
How should mobile banking apps handle offline functionality and sync?
Mobile banking apps face a fundamental tension: financial data must be accurate and authoritative, but mobile users frequently operate in low-connectivity environments. The resolution is careful definition of which functions can operate offline and which cannot, with explicit user communication about data currency. Functions that can work offline with cached data: balance display (with clear 'as of [timestamp]' indication), transaction history (read-only, from local cache), payment templates and payee list (read from last-sync state). Functions that must be online: payment initiation and submission (requires authoritative core banking write); real-time fraud validation; new payee setup; and any action that modifies account state. The caching architecture: a local SQLite database (with iOS SQLite or Android Room ORM) stores the last-synced account state with timestamps. The sync layer implements conflict-free replicated data type (CRDT) patterns for read data and optimistic locking for write-back operations. The UX requirement: never show financial data without clearly indicating its timestamp. A balance that is 4 hours stale during a high-connectivity period is acceptable; a balance that appears current when the device is offline is a trust and potentially compliance failure.