
Preparation of the Platform for Regulatory Audit

Client:
Mid-sized fintech company
Industry:
FinTech
Focus:
Testing of the KYC module and compliance with AML/KYC, GDPR, and PCI DSS
Main challenge:
Verification reliability testing and preparation for a regulatory audit
Market:
International – EU and Eastern Europe
Services provided:
Gray-box penetration testing of the KYC module, backend API, web and mobile applications
Key Takeaways
  • The risk of KYC bypass was reduced from high to low.
  • Implemented rate limiting and AI-based deepfake detection.
  • A Gray-box pentest of web and mobile applications, KYC, and API was conducted.
  • 12 vulnerabilities were identified: 3 critical, 5 medium, and 4 low.
  • Critical threats were eliminated in less than 72 hours.
  • 12 vulnerabilities identified
  • 80% increase in attack resilience
  • 72 hours to eliminate critical threats
    The company recorded suspicious attempts to bypass KYC and turned to Datami to verify the reliability of document verification before the regulatory audit. During the pentest, 12 vulnerabilities were identified and eliminated – the platform achieved full compliance with fintech security standards.

    The fintech company operates in the international market of the EU and Eastern Europe, providing users with a platform for online payments and digital wallets.

    The security of KYC processes is critically important, as the business handles large volumes of personal and financial data and must comply with GDPR, PCI DSS, and AML/KYC standards.

    Tasks and challenges
    Before undergoing a regulatory audit, the company recorded suspicious attempts to bypass KYC which, if successful, could have enabled identity data theft or money laundering.
    To verify the reliability of document verification and the protection of personal data, it turned to Datami for comprehensive security testing.
     
    • To check the possibility of bypassing KYC through forged documents or photos.
    • To conduct a Gray-box pentest of the KYC backend API, mobile, and web application.
    • To provide a report with PoC and recommendations for conformity to security standards.
    Verification testing
    KYC module testing: documents, selfies and videos (replay, deepfake, biometrics)
    Vulnerability discovery
    Gray-box pentest of the backend API, web and mobile applications
    Compliance with standards
    PoC report with risk descriptions and technical recommendations for AML/KYC, GDPR and PCI DSS

    Our approach

    To assess the resilience of verification processes, Datami specialists conducted a targeted review of the KYC module: they examined the architecture, test accounts, and APIs using a Gray-box approach.

    The work combined automated scanners with manual testing: OCR analysis of submitted documents, deepfake and replay simulations against the video verification step, and authorization and API logic testing using Burp Suite, MobSF, and custom scripts.

    Gray-box

    Penetration testing with limited access to test accounts and documentation for realistic attack modeling.
     
    Key stages of work and solutions

    To avoid disrupting platform users, Datami specialists worked in a clear sequence. After agreeing on key details, they carried out automated and manual testing.

    Based on the assessment results, the client received a detailed PoC report with evidence of vulnerabilities, risk levels, and technical recommendations for compliance with security standards.

    • Preparation
      Analysis of the KYC architecture, agreement on scan rate limits so that testing would not disrupt production users, creation of test accounts and test data, and planning of verification scenarios.
    • Testing
      Scanning the API, web, and mobile applications, manual modeling of KYC bypasses using forged documents, and verification of API logic.
    • PoC report
      Preparation of a report describing vulnerabilities, evidence of their exploitation, and technical recommendations to improve security.
    Results and recommendations

    During the fintech platform pentest, the Datami team identified 12 vulnerabilities in the KYC module: 3 critical, 5 medium, and 4 low. The most serious issues – document reuse, lack of rate limiting in the KYC API, and weak video verification – were fixed within 72 hours.

    Following the cybersecurity assessment, the client received recommendations to:

    • conduct an annual KYC audit;
    • implement document uniqueness verification;
    • maintain API rate limiting;
    • update security policies;
    • use AI modules for deepfake detection.
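    The three critical findings above (document reuse, missing rate limiting on the KYC API, and replayable video verification) map to three server-side controls on the submission endpoint. The following is an added illustration, not code from Datami or from the client's platform, of how such an endpoint can enforce them: a per-account sliding-window rate limit that runs before anything else, a single-use liveness challenge nonce with a short lifetime, and a document fingerprint that refuses to verify a second account with a document already used by another. The class `KycGate`, the limits, and the in-memory dictionaries are hypothetical stand-ins for a real store; the document byte strings are constructed.

```python
"""Hypothetical KYC submission gate (added example; not Datami's or the client's code).

Controls demonstrated, matching the case study's three critical findings:
  * rate limiting      - bounded verification attempts per account per window
  * replay resistance  - every liveness video must carry a fresh, single-use challenge nonce
  * document uniqueness - a document already used to verify one account cannot verify another
The dicts below stand in for a database; all inputs are constructed.
"""
import hashlib
import secrets
from dataclasses import dataclass, field

WINDOW_SECONDS = 3600          # assumed sliding window for the rate limiter
MAX_ATTEMPTS_PER_WINDOW = 5    # assumed attempt budget per account per window
NONCE_TTL_SECONDS = 120        # assumed lifetime of a liveness challenge


@dataclass
class KycGate:
    doc_owner: dict = field(default_factory=dict)       # document fingerprint -> first account verified with it
    attempts: dict = field(default_factory=dict)        # account -> timestamps of attempts in the window
    pending_nonces: dict = field(default_factory=dict)  # nonce -> (account, issued_at); deleted on first use

    @staticmethod
    def fingerprint(document: bytes) -> str:
        # Exact-bytes fingerprint: catches the same upload being reused across accounts.
        # Re-encoded or cropped copies would need a perceptual hash on top of this.
        return hashlib.sha256(document).hexdigest()

    def issue_challenge(self, account: str, now: float) -> str:
        # The client must embed this nonce in the liveness video/session it submits.
        nonce = secrets.token_hex(16)
        self.pending_nonces[nonce] = (account, now)
        return nonce

    def _rate_limited(self, account: str, now: float) -> bool:
        recent = [t for t in self.attempts.get(account, []) if now - t < WINDOW_SECONDS]
        self.attempts[account] = recent
        if len(recent) >= MAX_ATTEMPTS_PER_WINDOW:
            return True
        recent.append(now)          # count this attempt regardless of its outcome
        return False

    def _consume_nonce(self, account: str, nonce: str, now: float) -> bool:
        entry = self.pending_nonces.pop(nonce, None)   # pop => a nonce can only ever be used once
        if entry is None:
            return False                               # unknown, or already consumed (replay)
        owner, issued_at = entry
        return owner == account and now - issued_at <= NONCE_TTL_SECONDS

    def submit(self, account: str, document: bytes, nonce: str, now: float) -> str:
        # The rate limiter runs first so that probing the other two checks is itself bounded.
        if self._rate_limited(account, now):
            return "rate_limited"
        if not self._consume_nonce(account, nonce, now):
            return "replay_or_expired"
        fp = self.fingerprint(document)
        owner = self.doc_owner.setdefault(fp, account)  # first account to verify with it owns it
        if owner != account:
            return "document_reused"
        return "verified"


DOC_A = b"constructed passport scan A"   # constructed sample document bytes
DOC_B = b"constructed passport scan B"


def demo() -> list:
    """Walks through the three attack patterns; returns the gate's verdict for each step."""
    gate = KycGate()
    t0 = 1_700_000_000.0                      # constructed clock, not wall time
    out = []
    n = gate.issue_challenge("alice", t0)
    out.append(gate.submit("alice", DOC_A, n, t0))        # legitimate first verification
    out.append(gate.submit("alice", DOC_A, n, t0 + 1))    # same nonce again: replay
    n = gate.issue_challenge("bob", t0 + 2)
    out.append(gate.submit("bob", DOC_A, n, t0 + 3))      # alice's document on bob's account
    n = gate.issue_challenge("carol", t0 + 4)
    out.append(gate.submit("carol", DOC_B, n, t0 + 4 + NONCE_TTL_SECONDS + 1))  # stale challenge
    for i in range(MAX_ATTEMPTS_PER_WINDOW):              # exhaust dave's budget with bad nonces
        gate.submit("dave", DOC_B, "bogus", t0 + 10 + i)
    out.append(gate.submit("dave", DOC_B, "bogus", t0 + 20))  # one more: blocked by the limiter
    return out


if __name__ == "__main__":
    print(demo())
```

    Two caveats for anyone adapting this: the SHA-256 fingerprint only catches byte-identical reuse, so a production deployment would pair it with a perceptual hash (or the OCR-extracted document number) to catch re-encoded copies; and the in-memory dicts must become a shared store with atomic operations, otherwise two API replicas can each accept the same nonce or the same document at once.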

    After implementing the updates, the risk of fraud decreased from high to low, and system resilience increased by 80%. The platform achieved full compliance with AML/KYC, GDPR, and PCI DSS standards, avoiding fines and a negative audit outcome.

    Key project results

    For fintech companies, cybersecurity assessment is extremely important, as vulnerabilities can lead to serious losses: data leaks, fines, theft, or money laundering.

    As this case study demonstrates, the pentest allowed the client to proactively eliminate threats, enhance attack resilience, and achieve compliance with security standards. Datami’s recommendations helped the fintech company successfully pass the audit and avoid penalties.

    Direction | Before the project | After implementation
    Risk level | High: possible KYC bypass, document reuse | Low: threats eliminated, processes secured
    KYC security | Insufficient control of documents and video verification | Enhanced document verification, AI module for deepfake detection added
    Vulnerabilities | 12 identified, including 3 critical | All eliminated
    System resilience | Vulnerable to replay attacks and forgeries | Increased by 80%
    Standards compliance | Partial | Full compliance with AML/KYC, GDPR, and PCI DSS