domain project / banking

Online Banking

Test strategies for account management, transfers, transaction history, security controls, and regulatory compliance in banking portals.

Account dashboardFund transfersTransaction historyMulti-factor authenticationSecurity & fraud controlsRegulatory compliance

Domain Overview

Banking is the highest-compliance domain. Every test must account for security controls, session management, and regulatory requirements (PSD2, PCI-DSS, GDPR). Functional correctness and security correctness are equally important.

Typical stack: Core banking system (Temenos, Finacle), REST API layer, React SPA, HSM for cryptography, OTP/biometric MFA, full audit logging.

Key Test Areas

AreaWhat to testRisk
AuthenticationLogin, MFA, session timeout, lockoutUnauthorised access
Account dashboardBalance accuracy, account list, real-time updatesWrong balance displayed
TransfersInternal, external (IBAN/SWIFT), beneficiary managementWrong amount, wrong account
Transaction historyPagination, filtering, date range, exportIncomplete records
Security controlsRate limiting, account lockout, CSRF, XSSFraud, data breach
AccessibilityScreen reader, keyboard nav, high contrastRegulatory (EAA/ADA)

Test Pyramid for Banking

Unit (50%):    Business rules (transfer limits, fee calculation, IBAN validation)
Integration (40%): API security (auth, rate limits), core banking API contracts
E2E (10%):     Critical journeys only — login + MFA, initiate transfer, view history

Banking E2E tests are intentionally minimal — the security and compliance layer is best tested at integration level (real API calls with auth headers, rate limit tests, MFA flow mocks).

Common Failure Scenarios

1. Session not invalidated after logout → session hijacking risk
   Test: logout, save session cookie, attempt authenticated request → 401

2. Transfer with amount at boundary (e.g., daily limit) succeeds when it should fail
   Test: transfer exactly at limit (success), at limit+1 (should reject)

3. OTP expiry: user takes >5min → OTP still accepted
   Test: mock clock, advance time past OTP TTL, attempt verification

4. Concurrent transfer requests: double payment
   Test: two simultaneous transfer API calls, same idempotency key

5. Transaction not showing in history until page refresh
   Test: initiate transfer, immediately check history (no refresh) → should appear

Security-Specific Tests

// Session timeout
test('session expires after inactivity', async ({ page }) => {
  await page.goto('/dashboard');

  // Advance time without activity (mock clock or wait if short timeout in test env)
  await page.evaluate(() => {
    Object.defineProperty(document, 'lastActivity',
      { value: Date.now() - 1000 * 60 * 16, writable: true }); // 16 min ago
  });

  await page.goto('/accounts');  // trigger session check
  await expect(page).toHaveURL(/\/login/);
  await expect(page.getByText('Your session has expired')).toBeVisible();
});

// MFA required for high-value transfer
test('transfer above threshold requires MFA confirmation', async ({ page }) => {
  await page.goto('/transfer');
  await page.getByLabel('Amount').fill('10000');  // above MFA threshold
  await page.getByRole('button', { name: 'Continue' }).click();

  await expect(page.getByRole('dialog', { name: /verification/i })).toBeVisible();
  await expect(page.getByLabel('One-time password')).toBeVisible();
});