00:00:07.399
Second, I want to acknowledge that it is a beautiful day. We had a lovely lunch, and it’s probably nap time, but I will try to make this worth your while.
00:00:18.840
Also, I have been avoiding caffeine for the last 10 years because of my blood pressure, but today I have had two cups of regular black coffee, so I am really pumped to be here.
00:00:31.720
I will try to make this talk—which is kind of dense—as entertaining as possible. Third, I just want to introduce myself and I apologize if the size of the font on the slides is not the best for people in the back.
00:00:48.120
First, I want to gauge the audience's experience. How many people here have worked in the banking industry before? Okay, we see a handful of hands.
00:01:13.920
Usually, most developers encounter banking through two main experiences: primarily their own online banking for personal accounts and secondly, through processing credit cards.
00:01:30.119
However, my talk is a bit different because we don’t process credit cards; we focus on account-to-account payments, which is a different beast altogether.
00:01:46.240
When we start learning about databases, one of the key concepts is that of a transaction. Every time someone explains transactions, they do so using typical banking examples, such as transferring funds from one account to another.
00:02:05.960
But the common examples often reflect an unrealistic scenario. We become so focused on the transportation of money that we hardly envision a moment where the state of the database becomes inconsistent. It's the canonical example of wrapping everything in a transaction.
00:02:28.680
If something goes wrong with the second account, the first account should not be debited. Conversely, if the first account is debited correctly, the second must be credited accordingly. In most cases, this is what people typically think about when they hear about transfers.
00:02:50.400
But the reality is entirely different. In 99.99% of the cases, the banking system is a messy operation, with a lot of different stakeholders, each with their own priorities, skills, and capabilities.
00:03:12.400
The technical side of the bank often acts merely as an enabler. The people who run the bank are primarily focused on compliance, dictating what should proceed and what should be halted. Above that, the structure is filled with various departments and disciplines, each with their own distinct priorities.
00:03:39.640
I would define banking—not in an official capacity, but from my perspective—as a transnational distributed ecosystem. This means that the same bank can operate in different branches across countries and jurisdictions, each subject to various laws.
00:04:08.000
The banking system is populated by a heterogeneous group of players, including large banks, small banks, pension funds, and investment funds—all playing different roles and increasingly subject to strict regulations.
00:04:20.880
It's one of the most heavily regulated industries, second only to healthcare. The compliance landscape is incredibly intricate, and there are strict reliability constraints along with low tolerance for outages in online banking.
00:04:56.160
The last thing anyone wants is to see an HTTP 500 error upon logging into online banking. Such occurrences are rare; banks are solely focused on projecting an image of reliability and stability.
00:05:14.440
Maybe because of this complexity, the definition of transactions is often not very clear. I'm asking you to join me on a small journey to understand what it takes to conduct just one bank transfer.
00:05:36.760
The first step, which I call Step 0, occurs even before the bank transfer takes place. This initial action happens when we start communicating with the customer, be it an insurance company, a logistics company, or any business client.
00:06:01.680
Before we even sign a contract, we engage in what is called a KYB—Know Your Business—process. This is similar to KYC, or Know Your Customer, which is familiar to anyone who has ever opened an account with banks like Revolut or N26.
00:06:24.479
In those cases, you must take a picture of yourself and undergo various verification steps. Our process is far more intricate because we are onboarding companies, requiring us to conduct a thorough investigation into how they operate.
00:06:44.240
The KYB process covers all sorts of aspects—company structure, client relationships, supplier networks, and the flow of money in and out of the business. We ask questions about whether they are engaged in crypto activities or provide loan services.
00:07:09.120
We also look at the ultimate beneficial owners—those who profit from the company at quarter's end—and any significant control in the company. We want to ensure we understand the complete picture before providing our services.
00:07:31.840
This complex onboarding process can take weeks or even months, especially if the company operates internationally, collecting information on everyone connected with the organization.
00:07:56.600
Once this process is completed, let’s imagine we have a client, an insurance company, with customers making claims.
00:08:11.960
Let’s say something happened to my house; I file a claim. The insurance company investigates and eventually agrees to pay out.
00:08:23.840
Now the actual transfer is about to happen. We, the Payment Service Provider (PSP), will be moving the money. The first step is to inform the PSP: 'please do a transfer to this individual.'
00:08:39.320
After we receive the request from the customer, our initial check is to verify the account balance. Checking the balance appears simple but involves significant complexity when implemented in practice.
00:08:56.880
In corporate banking, there exists not just one type of balance, but multiple balances to consider because the clearing and settlement of funds can take time.
00:09:19.760
At times, funds are in transit—moving from one account to another—before being available in the recipient's account. During this transit, part of the funds is temporarily 'blocked'.
00:09:43.840
We track three types of balances: the real balance (actual money), the available balance (money minus funds in transit), and what we call the 'bable balance' (available money plus incoming funds).
00:10:07.280
Typically, we manage the available balance the most, but keeping record of all three is essential. For instance, if you have a claim for 200, and your available balance is 1,000, we can proceed.
00:10:28.920
The next step involves what we call 'the sanction list,' which is quite a mess. Every government worldwide publishes periodic sanction lists against different individuals, organizations, or countries, like the EU sanctions imposed on Russia.
00:10:57.919
If we determine that the person receiving the funds is on one of these lists, it's not simply a rejection; we are legally mandated to block the payment and investigate.
00:11:20.399
Alongside the sanction lists, there's another classification called PEPs, or Politically Exposed Persons. These are individuals holding a public position that necessitates extra scrutiny during transactions.
00:11:37.440
Conflicts can arise where, for instance, someone might attempt to bribe a public figure or engage in suspicious activities associated with government individuals.
00:11:52.799
The conclusion of this preliminary phase, in which both the sanction list and PEP checks are verified, happens within moments at the early stages of transaction processing.
00:12:05.400
Afterwards, we must communicate with the beneficiary's bank, which is also a PSP. We use a standard protocol called ISO 20022 to communicate and process payments in a manageable way.
00:12:20.399
Historically, exchanges between PSPs were many times unstandardized and chaotic. However, since 2007, the ISO committee introduced this standard, which allows for a more seamless global payment process.
00:12:38.440
Unlike in the past, now we have a standard schema in place for numerous payment types, covering everything from initiatives to standard transactions.
00:13:00.440
This is crucial as we prepare to initiate the bank transfer, a process that generally takes several steps. I will do my best to keep it from being boring, but understanding this is essential.
00:13:18.480
The first step is the originator PSP requesting the transfer. They will send a credit transfer, also known as SCT, that must be submitted to what is termed as the Clearing and Settlement Mechanism (CSM). This system efficiently processes fund transfers between banks.
00:13:50.440
Let’s visualize two banks—Bank A and Bank B. If Bank A generates 2,000 transfers worth 1 million euros, while Bank B issues 2,000 transactions equating to half a million, the CSM nets these operations and consolidates the funds.
00:14:05.440
This operational efficiency minimizes the movement of actual cash, effectively a netting of transactions across banks, and links separate clusters of services involved in this process.
00:14:25.360
After submitting the transaction from the originator PSP, the CSM relays it to the beneficiary PSP, which must replicate the same compliance checks completed by the originator.
00:14:37.759
The beneficiary bank must ensure that the transaction adheres to its sanction and PEP lists, and affirm the ability to deposit the funds in the appropriate account. This culminates in either an acknowledgement of the transaction or a rejection.
00:15:25.679
If approved, the CSM will signal confirmation to both parties, indicating the funds are settled into the recipient's account. What might seem like a simple ten-euro transfer entails a convoluted series of internal steps and processes.
00:15:52.159
There are several constraints at play. For instance, once we initiate the transaction from the timestamp of step 2 to step 6, a maximum of 10 seconds must occur.
00:16:12.360
Although ten seconds might feel lengthy for those from a web development background, it’s a reasonable delay among various independent systems involved in processing the transaction.
00:16:34.000
Most transactions typically take four or five seconds to complete, but factors like the bank's size and infrastructure capabilities can impact time.
00:16:54.239
Additionally, recent limits for transfers have increased; the maximum is now 100,000 euros, although it was previously 25,000 euros as of 2017.
00:17:10.560
Another significant adjustment has been the target to operate 24/7 every single day, a departure from traditional banking practices of batch processing and scheduled downtimes.
00:17:26.040
What I have described up to this point is just one scheme, known as the SEPA Instant Transfer, which operates instantaneously.
00:17:40.479
In reality, many other transfer schemes exist and similar steps occur in batch modes. For instance, a new standard called Request to Pay is set to revolutionize the way payments are requested.
00:18:06.320
This innovative process could effectively replace debit cards as a means of payment, allowing for straightforward peer-to-peer transactions with minimal reliance on intermediaries.
00:18:21.760
With this shift to instant transactions, the risk of fraud and mistakes rises, prompting regulators to consider measures such as verifying the identity of beneficiaries before payments are processed.
00:18:41.520
In this current landscape, it's clear that banking operations require more than just systems; they demand constant vigilance and stringent controls to prevent errors and fraudulent activity.
00:19:05.640
Moving on, I’d like to introduce my company, AETU. We started in 2019 as a salary advance provider, aiming to alleviate the burdens workers face when relying on payday loans and high-interest debts.
00:19:21.040
The premise is simple: workers could access their earned wages rather than waiting until payday. Using an app, they could request funds they had already earned.
00:19:39.040
We built a Rails API, developed several native apps, and undertook many custom integrations with payroll systems—a task that proved to be especially challenging due to the lack of standardization in the payroll software market.
00:19:58.560
At the start of 2020, the pandemic struck, causing a temporary setback. Nevertheless, we experienced rapid growth as we collaborated with both big companies and established networks.
00:20:17.760
After two years, we recognized that the integration efforts required were unsustainable and we were not evolving into a flexible product company.
00:20:37.520
Our onboarding process could take anywhere from three months to six months, depending on the complexity of our client, which obstructed our scalability.
00:20:58.440
This realization prompted us to transition from a salary advance company to a payment service provider in early 2022, focusing on real-time account-to-account payments, particularly in the EU.
00:21:18.560
We remain a small company, currently comprised of only seven developers. Nonetheless, we are successfully processing hundreds of thousands of transactions each month, amounting to several million euros.
00:21:36.240
Our goal is to obtain a proper PSP license this summer after three years of effort and regulatory hurdles.
00:21:51.840
From the outset, we recognized the operational complexities of this environment would demand rigorous business logic, much of which is dictated by regulatory requirements.
00:22:05.360
Because of the diversity of our client base, we must tailor our approaches to meet different business needs across sectors like insurance and crypto, reflecting varying regulatory risks.
00:22:20.640
Employing Ruby on Rails has proven beneficial, especially as it provides us with flexibility when confronting unique business challenges. When transitioning to serve various companies, we quickly learned that traditional Rails patterns didn't always serve us well.
00:22:46.920
In 2019, Shopify published articles discussing modular monolithic designs, which emphasized breaking business logic into manageable components while maintaining clear boundaries between them.
00:23:02.640
This approach allows us to ensure modularity without the overhead of deploying microservices. Hence, combining modular design thinking with the practical benefits of simplicity has been our focus.
00:23:21.360
With a modular monolith, complexities are contained, enabling us to make changes to independent components, minimizing the risks for our overall system.
00:23:39.760
We still had to regularly remind our team about the gravity of dealing with money, prompting practices around defensive programming. For instance, if we receive an unexpected response from a payment service provider, we don’t act before we investigate further.
00:24:00.640
In scenarios where something goes awry during a payment request, we take a cautious approach to avoid duplicate transactions—establishing unique IDs that can only be processed once during a defined time window.
00:24:17.360
Every activity within our system is audited. This is not merely for redundancy; as mandated by regulatory bodies, we need to provide transparency related to any specific payment to ensure compliance.
00:24:51.680
Having the right systems in place allows for thorough oversight while also creating a culture of responsibility among the team members to navigate their roles within compliance.
00:25:09.840
With significant transaction volume, even small error rates can translate to significant discrepancies, driving us to develop domain-specific languages (DSLs) to handle various scenarios efficiently.
00:25:31.360
An example includes crafting responses to timing out among various parties involved in transactions—allocating certain retry strategies or fall-back mechanisms.
00:25:50.800
Ruby gives us an edge in creating these DSLs, providing an unmatched capability to encapsulate business logic clearly and understandably.
00:26:09.520
Ultimately, documentation is a vital part of our operations. Our clients primarily interact with our API through clear documentation, which serves as their main source of understanding about our services.
00:26:29.840
We take pride in ensuring our documentation is accurate and maintain that it is continuously tested against our live environments to reflect reality.
00:26:48.480
In summary, the principles of banking require caution and clarity. Instead of a mantra of 'move fast and break things,' we prioritize robust, verifiable practices.
00:27:06.720
We embrace a model of trust, but also emphasize the importance of verification, continuously monitoring our systems and processes to ensure the highest standards of accountability.
00:27:25.600
Thank you all for your time. I hope you found the talk enlightening and understand the complexities of running a fintech company.