As banks push more customer-facing services onto cloud platforms, QA and software testing teams are being asked to balance faster delivery with tighter controls around resilience, security and regulatory compliance.
NatWest Group has detailed how it addressed this tension by building a DevSecOps ecosystem around its Amazon Connect contact centre platform, explicitly designed to strengthen testing practices while reducing operational risk at scale.
The initiative was driven by the realities of operating a shared contact centre platform across multiple teams and use cases. Running Amazon Connect as a common service introduced challenges around consistency, environment control, security assurance and release coordination, issues that often surface first in QA and testing functions.
According to Abhay Kumar, director of engineering at NatWest Group, the programme was framed around elevating both customer experience and engineering quality.
“As organisations across industries seek to elevate their customer service capabilities, the adoption of cloud-based contact centre solutions like Amazon Connect has emerged as a strategic priority,” he explained.
From the outset, NatWest treated testing as an architectural concern rather than a final gate.
The DevSecOps model introduced clearly defined sandbox, development, testing, pre-production and disaster recovery environments, allowing teams to validate changes progressively and reduce the risk of late-stage defects.
This multi-environment strategy is particularly relevant for QA teams in regulated sectors, where separation of duties and traceability between environments are critical.
Kumar’s remit explicitly spanned testing and quality alongside engineering and security. He described his responsibility as covering “architecture, development, maintenance, quality and security of the Contact Centre Platform,” reflecting a deliberate move away from siloed ownership.
For QA teams, this signals a shift towards shared accountability, where testing outcomes directly inform design and deployment decisions.
A key reason for adopting Infrastructure as Code was to eliminate configuration drift and manual inconsistencies that undermine test reliability.
By using Terraform modules to define Amazon Connect resources and associated services, NatWest enforced consistent standards across teams while still allowing independent development and release cycles.
This modular approach reduces the risk of environment-specific defects and enables more predictable automated testing.
The bank also extended automation into components that traditionally introduce testing complexity, such as conversational interfaces and analytics.
Amazon Lex bots and reporting assets are deployed through CI/CD pipelines rather than manual configuration, enabling repeatable validation and easier regression testing as changes are introduced.
For QA teams, this supports a move from reactive testing to continuous verification embedded in delivery workflows.
Functional quality controls
Security testing is tightly coupled with functional quality controls. Static analysis and policy enforcement are used to prevent insecure or non-compliant changes from progressing, while continuous monitoring detects issues that escape earlier stages.
These controls act as automated quality gates, aligning security assurance with broader testing objectives rather than treating it as a parallel process.
Kumar noted that the outcome has been a more disciplined and scalable delivery model, citing “a standardised and consistent approach to managing Amazon Connect resources, an improved security posture, and faster development and deployment cycles.”
For financial institutions, this combination is significant: improved velocity is achieved not by relaxing controls, but by embedding testing, security and quality checks into the platform itself.
For QA and software testing teams in banking, NatWest’s experience underlines why DevSecOps is increasingly less about tooling and more about structural design.
By addressing the root causes of testing friction, environment inconsistency, manual change, and late-stage validation, the bank has shown how cloud contact centre platforms can be engineered to support regulatory-grade quality without slowing delivery.
COMING IN 2026
Why not become a QA Financial subscriber?
It’s entirely FREE
* Receive our weekly newsletter every Wednesday * Get priority invitations to our Forum events *
REGULATION & COMPLIANCE
Looking for more news on regulations and compliance requirements driving developments in software quality engineering at financial firms? Visit our dedicated Regulation & Compliance page here.
READ MORE
- Inside banking’s shift to smarter QA to tackle complexity and risk
- SmartBear CPTO on AI in banking QA: ‘Impressive metrics but no critical scenarios’
- Banks push beyond traditional QA as resilience testing gains ground
- Banking QA professionals warn AI still doesn’t know ‘where the bodies are buried’
- RECAP: The QA Financial Healthcare & Insurance Forum Philadelphia 2026
WATCH NOW
QA FINANCIAL PODCASTS
