Case study: Zepto

Zepto is a rapidly growing FinTech company on a mission to deliver innovative products that empower merchants to redefine the payment experience through automation, consent, data, and open exchange of information.

In line with their mission, Zepto engaged RSM to assist with gaining Consumer Data Right (CDR) accreditation for Open Banking.


Leveraging the latest technology to enhance the payment experience

Zepto was founded in 2016 by a passionate team of merchants with a payments problem.

Having experienced first-hand the challenges associated with traditional banking methods, Zepto’s leaders knew what was needed to deliver a truly innovative payments product that solved real-world problems.

The company developed a suite of products that make it easy for merchants to send, receive, collect, refund, and manage payments in real time. Their cloud-native solution is backed by the latest technology, enabling advanced automation and data insights for decision making.

“The payments space hasn’t changed much in the past 50 years, yet businesses are crying out for new solutions that make getting paid, and paying their customers, much simpler, faster and safer,” says Trevor Wistaff, co-founder and CTO of Zepto.


“We wanted to leverage the latest technology to facilitate that change and have since developed a broad range of innovative cloud-based financial products, which customers can assemble as a total solution to manage payments across their business.”


As an innovative financial solutions provider (not a financial institution), Zepto needed to access customer data via their online banking portal. While initial methods of gaining access to customer data worked when the business was a startup, they soon proved unsustainable.

“Early on we used screen scraping. This is where our customers grant us access to their account and we copy transactional information to facilitate our service.”

“But we couldn’t achieve the level of speed we were after, and it wasn’t sustainable once we reached over 100,000 transactions a day. With the introduction of open banking, we wanted to gain accreditation which would ultimately allow us to collaborate directly with banks to access account data much faster and more securely.”


Zepto applies for CDR accreditation

The accreditation Zepto needed is called Consumer Data Right (CDR) accreditation – a legislative framework developed to protect consumer data when open banking was introduced.

With banks now required to share consenting customers’ data, there had to be protections in place for who they could share it with.

By becoming an unrestricted accredited data recipient, Zepto could receive data directly from a bank or other financial institution with their customer’s consent.

“We believe in regulation and want to be compliant,” says Trevor. “And because CDR accreditation would also enable data standardisation, it was a no-brainer for us. It meant we could continue to innovate and scale with our merchants.”

“Without accreditation, it’s hard to imagine what barriers we might encounter. The opportunity to be one of the earliest accredited data recipients was also exciting, as we hoped it would allow us to provide feedback to the CDR and potentially influence the future of the space to bring about more use cases. We’ve really only scratched the surface in terms of what’s possible.”

In search of support to assist with the accreditation process, Trevor reached out to Darren Booth – RSM’s National Head of Cyber Security and Privacy Risk Services.


“When we first started interacting with Darren and his team, we knew we were in the right place. It wasn’t their first rodeo; they had helped others through the process and knew the CDR rules intimately, including what was required and what issues we might encounter.”


“They were also very happy to work in an agile way which, for a business like ours, is very important. We wanted to ask questions and get fast, accurate answers.”

RSM provided independent assurance and advice to ensure Zepto’s systems and processes were secure and compliant. This culminated in an independent audit report for Zepto to submit with their accreditation application, which independently verifies that they meet the accreditation requirements.

“The accreditation process wasn’t without its challenges!” adds Trevor. “We’re renowned for delivering solutions really fast and using feedback to iterate, so it was quite an adjustment to shift focus from building solutions to documenting business processes and demonstrating evidence of compliance.”

“But what I enjoyed most was the collegial approach to working through the requirements with Darren and his team. It felt like a true partnership and made everything very pleasant. We’re glad we went through it, and I believe we’ve come out as a stronger and more secure business because of it.”


Zepto cements its position as a Fintech leader

Gaining CDR accreditation has since paid off big time, with Zepto becoming the first non-bank to be accredited as a New Payments Platform (NPP) Connected Institution.

“When we said we had CDR accreditation, it changed the whole discussion. Becoming an NPP Connected Institution means we can now connect to the payment rails directly which opens up a whole new playing field.”

“Moving forward, we’re already looking to how we can work with RSM’s team again. They were very supportive and have definitely helped us reach a new level of cyber security maturity.”

Of working with Zepto, Darren from RSM says, “Zepto are a very knowledgeable and fast-paced organisation. We were in awe of their passion to leverage CDR to help customers save time and money. This accreditation will enable them to lead in the field of open banking and deliver on their vision to take payment technology into the future.”


Looking for further information?

If you would like further information on gaining Consumer Data Right accreditation, please contact Darren Booth, National Head of Cyber Security and Privacy Risk Services at RSM.

Authors

Darren Booth
National Head of Cyber Security and Privacy Risk Services