Developing a Mobile App for Microlending
A microloan app operates at the intersection of financial regulation, real-time scoring, and a UX in which the user makes a financial decision in about two minutes. The technical complexity isn't "write a CRUD app": every error in scoring, signing, or verification is a legal and financial risk.
What Makes This More Complex Than Regular Fintech
Regulatory requirements. Depending on the jurisdiction: a microfinance license, KYC requirements, document retention rules, and APR (full cost of credit) calculation. In Russia, Federal Law #353 "On Consumer Credit" and the requirement to query the credit bureaus (NBKI/BKI) for scoring. In Ukraine, NBU licensing. These aren't implementation details; they're architectural constraints on what data to collect, how to store it, and how to transmit it.
Scoring and decision-making. The simple option is a REST call to your own scoring model or to a credit-bureau integrator (e.g., NBKI via SOAP, EQUIFAX via REST). The complex option is an ML model on the backend with feature engineering from in-app behavior. The mobile side handles data collection: application completion time, field corrections, number of attempts. These become scoring features.
Key Technical Blocks
Onboarding and KYC. Passport photo → OCR → data verification. For the Russian market: integration with ID.ME, Tinkoff ID, Sber ID, or GISMT via ESIA. For the European market: eIDAS, Jumio, Onfido SDK. On the device: AVCaptureSession (iOS) / CameraX (Android) for document capture, OCR on the backend, and a liveness check via an SDK (FaceSDK, iDenfy) or custom via ARKit / ARCore.
An SDK-based liveness check is the fastest to ship. A custom AR implementation is more expensive but avoids vendor lock-in.
Contract signing. A qualified or simple electronic signature, depending on the requirements. For a simple electronic signature: SMS OTP plus consent, which is legally sufficient in many jurisdictions for loans below a certain amount. The document is a PDF generated server-side with the loan parameters, delivered to the device for viewing; the user signs it with the OTP. Signed PDFs are stored in S3-compatible storage, with the link kept in the Keychain.
Disbursement and repayment. Disbursement is a transfer to the borrower's card via a payment gateway (YuKassa, CloudPayments, Stripe). Repayment uses the same infrastructure or SBP (Russia). Push notifications 3 days and 1 day before the payment date are a standard regulator requirement.
Mobile Architecture
```
Onboarding Flow
├── Phone verification (OTP)
├── Document scan (CameraX)
├── Liveness check (SDK)
└── KYC status polling

Loan Application
├── Amount/term selector
├── Scoring request
├── Decision screen
└── Contract signing (OTP)

Account / Repayment
├── Active loans list
├── Payment schedule
├── Repayment (card / SBP)
└── Push reminders
```
React Native is a reasonable choice for cross-platform. It needs native modules for the camera (CameraX via React Native Camera or a custom module) and for the liveness SDK. Flutter is also fine, but has fewer ready-made plugins for Russian payment gateways.
Security and Data Storage
Passport data, phone number, financial history: all PII, and Federal Law #152 requires storage on servers in Russia. The app doesn't store PII locally beyond the session. Keychain / KeyStore hold only the auth token and the biometric binding.
Certificate pinning is mandatory for a financial app: an intercepting proxy in a MITM position must not get access to the API. Use TrustKit (iOS) or OkHttp CertificatePinner (Android). Root detection via RootBeer (Android) or IOSSecuritySuite (iOS), with a block or a warning depending on policy.
Process and Timeline
| Stage | Content | Timeline |
|---|---|---|
| Requirements audit | Jurisdiction, regulator, scoring model, payment gateways | 1 week |
| Design | Architecture, API contracts, SDK selection | 1 week |
| MVP development | Onboarding + KYC + application + scoring + contract | 4–6 weeks |
| Integrations | Payment gateway, SMS, push | 1–2 weeks |
| QA | QA, basic security audit | 1–2 weeks |
Full cycle: from 2 months for a simple MVP without a liveness check to 3 months for production with KYC, scoring, payments, and document signing. Custom pricing after requirements analysis.