DWK PFMS — Project Deliverables

Interview Questions

15 structured questions per role, designed to elicit functional requirements, pain points, and priorities.

👤 Role 1: Standard Customer

Understanding Current Behaviour

How do you currently track your daily spending across different accounts or payment methods?
When you open your banking app, what information do you look for first?
How often do you review your transactions, and what frustrates you about the process?

Pain Points & Needs

Can you describe a time when you were surprised by how much you'd spent in a particular area?
What would help you feel more in control of your finances day-to-day?
Have you ever tried to set a budget for yourself? What made it easy or difficult to stick to?

Feature Exploration

If the app could automatically sort your spending into categories, how useful would that be?
Would you want alerts when you're approaching a spending limit? How would you prefer to receive them?
How important is it to you to see trends over time — comparing this month to last month?

Adviser Interaction & Security

If you needed financial advice, how would you expect to access that through the app?
What would make you comfortable sharing your financial data with an adviser?
What security features would you expect (biometrics, 2FA, PIN)?
How do you feel about the bank using spending data for personalised insights?

Priorities

If you could only have three features in a personal finance tool, what would they be?
Is there anything about your current banking experience you'd want us to avoid?

💼 Role 2: Financial Adviser

Current Workflow

Can you walk us through a typical day — how do you currently prepare for a client meeting?
How do you currently receive and process client financial data?
What tools or systems do you currently use to analyse spending patterns?

Pain Points & Features

What is the most time-consuming part of your current workflow?
How do you currently categorise a client's transactions — manual or automated?
When assigned a client from an unfamiliar industry, what challenges does that create?
If client transactions were automatically categorised, how would that change your workflow?
What information would you need in a client dashboard to quickly assess their financial health?
How useful would automated report generation be?

Compliance & Priorities

How do you handle consultation requests from clients? What's the typical turnaround?
Would an in-app notes system for recording client interactions be useful?
What FCA compliance considerations do you need to keep in mind?
How important is it that the system logs your actions and access to client data?
Are there specific data protection requirements that affect how you handle client information?
If this system could solve one major problem in your daily work, what would it be?

👥 Role 3: Team Manager

Current Workflow & Pain Points

How many advisers do you currently manage, and how do you monitor their performance?
How are clients currently assigned to financial advisers in your team?
What data sources do you currently use to make management decisions?
What happens when there's a mismatch between adviser expertise and client industry?
How do you currently identify when an adviser is overloaded or underperforming?
What information do you wish you had that you currently don't?

Features & Reporting

If you had a real-time dashboard, what KPIs would you want to see?
How useful would automatic industry-based matching be?
Would customer segmentation tools help your strategic planning?
What does your reporting process look like for leadership meetings?
How would you use visual analytics compared to raw data tables?
If the system flagged at-risk clients proactively, how would you want to be notified?

Security & Priorities

What level of access should you have to individual vs aggregated data?
Should the system maintain an audit trail of reassignments?
What single improvement would have the biggest impact on team effectiveness?

System Requirements Document

38 requirements across 4 sections with unique IDs, MoSCoW priority, and source traceability. Draft v1.0 — will be refined after interviews.

⚙️ General System Requirements

ID	Requirement	Type	Priority	Source
GS-001	Secure login authentication with email and password	Non-Functional	MUST	Scenario
GS-002	Two-factor authentication for all user roles	Non-Functional	MUST	Scenario
GS-003	Role-based access control (Customer, Adviser, Manager)	Non-Functional	MUST	Scenario
GS-004	Consistent interface structure and navigation across modules	Non-Functional	MUST	Scenario
GS-005	Unified export function for reports (CSV/PDF)	Functional	MUST	Scenario
GS-006	Global search and filtering across modules	Functional	SHOULD	Scenario
GS-007	Onboarding guidance for first-time users	Functional	COULD	Scenario
GS-008	Customisable dashboards and frequently used views	Functional	COULD	Scenario
GS-009	Dark mode support for all views	Non-Functional	SHOULD	Design
GS-010	Responsive — mobile-first for customers, desktop for staff	Non-Functional	MUST	Design
GS-011	Encrypt all data in transit (TLS 1.3) and at rest	Non-Functional	MUST	Standard
GS-012	UK GDPR compliance for personal data handling	Non-Functional	MUST	Standard
GS-013	Session timeout after 15 minutes inactivity	Non-Functional	SHOULD	Standard
GS-014	Audit log of sensitive actions	Non-Functional	MUST	Standard

👤 Customer Requirements

ID	Requirement	Priority
CR-001	Dashboard showing total balance, monthly income, and spending	MUST
CR-002	Transactions auto-categorised by type	MUST
CR-003	Spending breakdown by category (donut chart)	MUST
CR-004	Month-over-month spending trends (area chart)	MUST
CR-005	Set monthly budget limits per category	MUST
CR-006	Visual alerts at 80% and 100% of budget	MUST
CR-007	Search/filter transactions by date, category, merchant	SHOULD
CR-008	Export transaction history as CSV	MUST
CR-009	Financial health score based on habits	SHOULD
CR-010	Savings goals with progress visualisation	SHOULD
CR-011	One-click adviser consultation request	SHOULD
CR-012	Personalised spending insights and tips	COULD
CR-013	Push notifications for alerts	COULD

💼 Adviser Requirements

ID	Requirement	Priority
FA-001	Portfolio view of assigned clients with key metrics	MUST
FA-002	Client detail with pre-categorised transactions	MUST
FA-003	Client spending breakdown charts	MUST
FA-004	Client income vs spending trends	MUST
FA-005	One-click professional report generation	MUST
FA-006	Add/view notes on client records	SHOULD
FA-007	View/accept consultation requests	SHOULD
FA-008	FCA compliance information panel	SHOULD
FA-009	Client industry tags for context	COULD
FA-010	RLS — only access assigned client data	MUST

👥 Manager Requirements

ID	Requirement	Priority
TM-001	Team dashboard with KPIs	MUST
TM-002	Per-adviser performance metrics	MUST
TM-003	View/manage client-adviser assignments	MUST
TM-004	Reassign clients with reason tracking	MUST
TM-005	Customer segmentation (industry, income)	SHOULD
TM-006	Visual analytics dashboards	SHOULD
TM-007	Export team reports (CSV)	SHOULD
TM-008	Industry-expertise auto-matching	COULD
TM-009	Workload balance indicators	COULD
TM-010	RLS — only access own team's data	MUST

Personas & User Stories

3 detailed personas representing each user role, plus 26 user stories with acceptance criteria.

SM

Sarah Mitchell

Software Developer, 28 • Technology • £55k/year

Goals

Understand where money goes each month
Stop overspending on food delivery
Save for a house deposit within 2 years
Get professional ISA investment advice

Frustrations

Only sees merchant names — no category breakdown
No way to set spending limits or get alerts
Contacting an adviser requires multi-step website navigation
No trend comparison month-over-month

"I earn decent money but I have no idea where it all goes. I just want a clear picture and a way to stay on track."

JW

James Wilson

Senior Financial Adviser, 35 • 8 years at DWK • 12 active clients

Goals

Less time on data entry, more time advising
Quickly understand new client's financial situation
Generate reports without hours of Excel work
Stay compliant with FCA regulations

Frustrations

Must manually input paper/electronic statements
No auto-categorisation of transactions
Report preparation takes 3-4 hours per client
Sometimes assigned unfamiliar industries

"I became an adviser to help people, not to spend half my day copying numbers into spreadsheets."

ET

Emma Thompson

Team Manager, 42 • 15 years at DWK • Oversees 8 advisers, ~60 clients

Goals

Monitor team with real data, not verbal updates
Proactively reassign before complaints
Present data-driven insights at leadership meetings
Balance workload across team fairly

Frustrations

Client-adviser matching is random
Only discovers mismatches after complaints
Data scattered across CRM, email, Excel
Cannot generate segment analysis without manual work

"I'm making decisions based on gut feeling because I don't have the dashboards to show me what's actually happening."

Cybersecurity Analysis

Threat actors, asset identification, vulnerability mapping, risk assessment, and a complete malicious campaign narrative.

🎭 Threat Actors

ID	Actor	Motivation	Capability
TA-01	External Cybercriminals	Financial gain	High
TA-02	Disgruntled Insider	Revenge, financial gain	Medium
TA-03	Hacktivist Groups	Reputational damage	Medium
TA-04	Nation-State Actors	Espionage	Very High
TA-05	Script Kiddies	Notoriety	Low
TA-06	Social Engineers	Credential theft	Medium

⚠️ Risk Assessment

Risk	Threat	Vulnerability	Impact	Level
R-01	Phishing + weak passwords	V-07, V-01	Critical	Critical
R-02	Broken access control	V-03, V-06	Critical	High
R-03	Insider data exfiltration	V-09, V-05	High	High
R-04	Social engineering	V-07	High	High
R-05	DDoS	V-08	Medium	Medium
R-06	SQL injection	V-02	Critical	Medium
R-07	XSS session theft	V-04	High	High

💀 Malicious Campaign: "FinPhish"

Credential harvesting & account takeover campaign targeting DWK PFMS users.

Phase 1: Reconnaissance

Attacker identifies PFMS via Cloudflare Pages deployment. Enumerates login flow, identifies Supabase backend via network inspection.

Phase 2: Phishing Campaign

Sends targeted emails impersonating DWK ("Verify Your Account"). Cloned login page captures credentials + intercepts 2FA codes via real-time proxy.

Phase 3: Account Takeover

Logs into victim's account. Accesses full transaction history, personal details, exported reports, adviser communications.

Phase 4: Lateral Movement

If adviser account compromised: accesses multiple client portfolios. Exploits IDOR to access other advisers' client reports.

Phase 5: Exfiltration

PII sold on dark web. Financial patterns used for identity theft, targeted fraud, loan applications in victims' names.

🛡️ Mitigation Strategies

Risk	Mitigation
Phishing	Strong passwords (12+ chars), FIDO2 hardware 2FA, phishing-resistant auth
Broken Access	Strict Supabase RLS, server-side validation, never trust client role claims
Insider Threat	Comprehensive audit logging, least privilege, anomaly detection
DDoS	Cloudflare DDoS protection, rate limiting, failover
XSS	CSP headers, HttpOnly+Secure+SameSite cookies, output encoding
Injection	Parameterised queries (Supabase), input validation, WAF

Design Evidence

Architecture diagrams, ERD, sequence diagrams, and component hierarchy showing system design decisions.

🏗️ System Architecture

┌─────────────────────────────────────────────────┐ │ CLIENT LAYER │ │ ┌─────────┐ ┌─────────┐ ┌─────────┐ │ │ │Customer │ │Adviser │ │Manager │ │ │ │(Mobile) │ │(Desktop)│ │(Desktop)│ │ │ └────┬────┘ └────┬────┘ └────┬────┘ │ │ └─────────────┼───────────┘ │ │ ┌──────▼──────┐ │ │ │ React SPA │ │ │ │ (Vite + TS) │ │ │ └──────┬──────┘ │ └─────────────────────┼───────────────────────────┘ │ HTTPS ┌─────────────────────┼───────────────────────────┐ │ ┌──────▼──────┐ │ │ │ Cloudflare │ CDN + WAF + DDoS │ │ │ Pages │ │ │ └──────┬──────┘ │ └─────────────────────┼───────────────────────────┘ │ HTTPS ┌─────────────────────┼───────────────────────────┐ │ ┌──────▼──────┐ │ │ │ Supabase │ │ │ │ ┌──────────┐│ │ │ │ │ Auth ││ JWT + 2FA │ │ │ ├──────────┤│ │ │ │ │PostgreSQL││ RLS Policies │ │ │ ├──────────┤│ │ │ │ │ Storage ││ Report PDFs │ │ │ └──────────┘│ │ │ └─────────────┘ │ └─────────────────────────────────────────────────┘

🗂️ Component Hierarchy

App ├── Login │ ├── Role Selector (Customer / Adviser / Manager) │ ├── Email + Password Form │ └── 2FA Verification (6-digit code) │ ├── Layout │ ├── Sidebar (role-aware nav links) │ └── TopNav (search, notifications, dark mode, profile) │ ├── Customer Pages │ ├── Dashboard (KPI cards, TrendLine, DonutChart, HealthGauge) │ ├── Transactions (searchable table, category badges, CSV export) │ ├── Budgets (progress bars, alerts at 80%/100%, create form) │ ├── Goals (progress cards, deadline tracking, create form) │ └── Insights (bar chart, health score, AI tips, adviser request) │ ├── Adviser Pages │ ├── Dashboard (client list, pending consultations, metrics) │ ├── ClientDetail (trends, categories, transactions, notes) │ └── Reports (generate form, report list, FCA compliance) │ └── Manager Pages ├── Dashboard (KPIs, workload chart, industry distribution) ├── Assignments (table, match scores, reassignment panel) └── Analytics (satisfaction, growth, comparison, income dist)

🔄 Design Iterations

Iteration	Decision	Rationale
1	Code prototype over Figma	Interactive demo with real data flow is more convincing at exhibition
2	React + TypeScript + Vite	Type safety, fast builds, excellent ecosystem for rapid development
3	Supabase for backend	Managed auth + PostgreSQL + RLS — no server to maintain
4	Tailwind CSS + shadcn patterns	Consistent styling, accessible components, rapid iteration
5	Recharts for visualisation	React-native composable charts, easier than D3 for team
6	Mobile-first customer, desktop staff	Matches real usage — customers on phones, advisers on workstations
7	Mock data with realistic patterns	Credible demo without requiring real bank data or APIs

DWK PFMSProject Deliverables

Interview Questions

👤 Role 1: Standard Customer

💼 Role 2: Financial Adviser

👥 Role 3: Team Manager

System Requirements Document

⚙️ General System Requirements

👤 Customer Requirements

💼 Adviser Requirements

👥 Manager Requirements

Personas & User Stories

Sarah Mitchell

Goals

Frustrations

James Wilson

Goals

Frustrations

Emma Thompson

Goals

Frustrations

Cybersecurity Analysis

🎭 Threat Actors

⚠️ Risk Assessment

💀 Malicious Campaign: "FinPhish"

Phase 1: Reconnaissance

Phase 2: Phishing Campaign

Phase 3: Account Takeover

Phase 4: Lateral Movement

Phase 5: Exfiltration

🛡️ Mitigation Strategies

Design Evidence

🏗️ System Architecture

🗂️ Component Hierarchy

🔄 Design Iterations

DWK PFMS
Project Deliverables