The dangerous contractor in fintech is usually visible before the first sprint. Not in Jira. In the sales process. By the time a delivery partner disappoints you in sprint 3, the real damage is already done. Wrong staffing model, drifting architecture, code in the wrong environment, vague security, and a hidden subcontracting chain. This article is a practical operator checklist for CTOs, product leads, and engineering managers who want to catch those problems early.
Most teams start vendor selection with rates, CVs, and demo velocity. That is the wrong order.
In fintech, the product is about money movement, identity, customer trust, and regulatory accountability. Regulators treat third-party risk as a lifecycle problem, not a procurement checkbox. DORA, applied in the EU since 17 January 2025, pushes that risk upstream with ex-ante assessments, audit rights, and documented exit plans. The PRA expects equivalent rigour for material outsourcing. The EBA is explicit that management remains responsible and outsourcing must not turn a financial institution into an empty shell.
So the pre-sprint question is not “Can they code?” It is “Will this delivery model let us keep control?”
A polished presales team tells you almost nothing about the people who will actually ship the product.
Before you sign, meet the named delivery lead. Not “someone from engineering”. The person who will own trade-offs, escalation, staffing quality, and release judgment. Then ask who owns security, QA, and environment decisions. If the answers are vague, the operating model is vague too.
DORA requires due diligence on provider capability, human resources, and organisational structure. The PRA says due diligence should examine the provider’s business model, expertise, and any subcontracted providers involved. In practice, that means verifying the team you are buying, not the team that pitched.
Red flags at this stage:
No named delivery lead before contract
“We finalise the team after kickoff”
One strong architect in the pitch, an anonymous bench behind the slide
No clear owner for incidents, release approvals, or non-functional trade-offs
Let's start a conversation and develop a solution for your campany that will allow you to expand and scale your customer experience.
Role inflation is one of the oldest and most expensive tricks in software outsourcing. If juniors are sold as mids and mids as seniors, the client pays twice. First in rate. Then in leadership bandwidth, rework, and delay.
Do not calibrate seniority on a CV pack. Run a real working session instead. Give the proposed team one bounded task before sprint 1.
Good calibration exercises:
A good team gets sharper under pressure. A weak team gets generic. If the vendor resists a paid discovery task or calibration workshop, that tells you how they expect the relationship to work.
Subcontracting is the other hidden variable. You should know who writes the code, who runs the environments, and who touches production data. DORA requires due diligence on whether the provider uses subcontractors for critical functions. The EBA and PRA go further and expect contractual rights to be informed of planned sub-outsourcing, to object where risks increase, and to preserve audit rights through the chain.
Ask for a supply-chain view before kickoff. Direct team, subcontractors, hosting dependencies, support roles, and jurisdictions involved. If the vendor will not disclose this before signing, treat it as a red flag, not a negotiation detail.
In fintech outsourcing, the real risk is not slow delivery. It is losing control over code, environments, knowledge, and regulatory accountability.
If the code, pipeline, observability, and runbooks live entirely in the vendor’s environment, you do not have delivery leverage. You have a dependency. That can be acceptable for a narrow commodity service. It is dangerous for a regulated product or a core fintech capability.
A surprising number of vendor conversations treat security as something that becomes concrete after discovery. In fintech, that is too late.
DORA requires an ex-ante risk assessment covering operational, legal, ICT, reputational, and data protection risks. The PRA expects firms to assess identity and access management, encryption, logging, incident response, and data segregation. NIST’s Secure Software Development Framework provides a practical vocabulary for evaluating how a vendor builds security into the development lifecycle.
Before sprint 1, ask the vendor to explain:
You are looking for operational clarity, not perfect documents. If the vendor can only show generic policy names, or nobody can explain how secrets move through the pipeline, or incident response sounds like a support mailbox, the security model is not ready for regulated delivery.
Certifications like ISO 27001 are useful signals. They are not a substitute for control.
| Metric | What it reveals |
|---|---|
| Lead time | How quickly value moves from idea to production |
| Deployment frequency | How often the team ships working software |
| Change failure rate | How stable each release is |
| Time to restore | How fast the team recovers from failure |
| Defect escape rate | How much escapes testing into production |
| Cycle time by story type | Where bottlenecks sit in the delivery flow |
Run a bounded working session with the proposed team rather than relying on CV packs. Give them a real task like reviewing architecture trade-offs, proposing test cases for a payment failure, or triaging a simulated incident. A strong team gets sharper under that kind of pressure, while a weak team defaults to generic answers.
Viacheslav Kostin is the CEO of WislaCode. Former C-level banker with 20+ years in fintech, digital strategy and IT. He led transformation at major banks across Europe and Asia, building super apps, launching online lending, and scaling mobile platforms to millions of users.
Executive MBA from IMD Business School (Switzerland). Now helps banks and lenders go fully digital - faster, safer, smarter.
