Payment Systems

Summarized using AI

Running a Fintech with Ruby

Aitor Garcia Rey • June 07, 2024 • Sofia, Bulgaria

In the talk "Running a Fintech with Ruby," Aitor García Rey, founder and fractional CTO, shares insights into the complexities of operating a fintech company, particularly within the banking sector. Aitor emphasizes that conventional banking examples often oversimplify transactions, neglecting the intricate dynamics of real-life banking operations. He defines banking as a transnational distributed ecosystem characterized by strict regulations and diverse stakeholders, suggesting that true banking processes are far messier than they are typically portrayed. He outlines a series of key points pertaining to the transaction process:

  • KYB Process: The journey begins with the Know Your Business (KYB) approach, which is critical in onboarding business clients. This thorough vetting requires detailed investigations into company structures, relationships, and financial flow.
  • Transaction Checks: Once a client requests a transfer, the Payment Service Provider checks account balances and verifies against sanction lists and Politically Exposed Persons (PEPs) to mitigate risks.
  • ISO 20022 Standard: Adopting the ISO 20022 protocol has streamlined communications and processing in a previously chaotic arena, enabling better global payment interactions.
  • Clearing and Settlement Mechanism (CSM): The CSM plays a pivotal role in netting transfers to minimize actual cash movement between banks, enhancing operational efficiency.
  • Real-Time Transfers: Aitor highlights the transition to 24/7 operations and the rise of instant transfers as a significant evolution in fintech, while also introducing new risks involving fraud and error.
  • Operational Complexity: AETU, Aitor's company, shifted from a salary advance model to a payment service provider, tackling the challenges of integration and compliance in transactions, revealing the importance of rigorously defining and maintaining business logic.
  • Modular Monolithic Design: Aior’s team adopted a modular monolithic approach to maintain simplicity while managing complexity, allowing for independent components that can evolve without impacting the entire system.
  • Audit and Transparency: Emphasizing compliance, Aitor noted the need for robust documentation and transparency in transaction operations, reflecting the industry's complexity and highly regulated environment.

Concluding his talk, Aitor stresses the importance of a cautious and verifiable approach in fintech, advocating for transparent practices over a high-risk model of rapidity without accountability. The key takeaway is the necessity for fintech companies to understand the intricate details of banking processes and to embed compliance and verification deeply into their operations for success.

Running a Fintech with Ruby
Aitor Garcia Rey • June 07, 2024 • Sofia, Bulgaria

Aitor García Rey is a founder, staff engineer, and fractional CTO. He has been shipping software used by small companies, VC-backed startups, and big publicly traded multinationals for over 20 years, leading and mentoring highly technical teams.

Balkan Ruby 2024

00:00:07.399 Second, I want to acknowledge that it is a beautiful day. We had a lovely lunch, and it’s probably nap time, but I will try to make this worth your while.
00:00:18.840 Also, I have been avoiding caffeine for the last 10 years because of my blood pressure, but today I have had two cups of regular black coffee, so I am really pumped to be here.
00:00:31.720 I will try to make this talk—which is kind of dense—as entertaining as possible. Third, I just want to introduce myself and I apologize if the size of the font on the slides is not the best for people in the back.
00:00:48.120 First, I want to gauge the audience's experience. How many people here have worked in the banking industry before? Okay, we see a handful of hands.
00:01:13.920 Usually, most developers encounter banking through two main experiences: primarily their own online banking for personal accounts and secondly, through processing credit cards.
00:01:30.119 However, my talk is a bit different because we don’t process credit cards; we focus on account-to-account payments, which is a different beast altogether.
00:01:46.240 When we start learning about databases, one of the key concepts is that of a transaction. Every time someone explains transactions, they do so using typical banking examples, such as transferring funds from one account to another.
00:02:05.960 But the common examples often reflect an unrealistic scenario. We become so focused on the transportation of money that we hardly envision a moment where the state of the database becomes inconsistent. It's the canonical example of wrapping everything in a transaction.
00:02:28.680 If something goes wrong with the second account, the first account should not be debited. Conversely, if the first account is debited correctly, the second must be credited accordingly. In most cases, this is what people typically think about when they hear about transfers.
00:02:50.400 But the reality is entirely different. In 99.99% of the cases, the banking system is a messy operation, with a lot of different stakeholders, each with their own priorities, skills, and capabilities.
00:03:12.400 The technical side of the bank often acts merely as an enabler. The people who run the bank are primarily focused on compliance, dictating what should proceed and what should be halted. Above that, the structure is filled with various departments and disciplines, each with their own distinct priorities.
00:03:39.640 I would define banking—not in an official capacity, but from my perspective—as a transnational distributed ecosystem. This means that the same bank can operate in different branches across countries and jurisdictions, each subject to various laws.
00:04:08.000 The banking system is populated by a heterogeneous group of players, including large banks, small banks, pension funds, and investment funds—all playing different roles and increasingly subject to strict regulations.
00:04:20.880 It's one of the most heavily regulated industries, second only to healthcare. The compliance landscape is incredibly intricate, and there are strict reliability constraints along with low tolerance for outages in online banking.
00:04:56.160 The last thing anyone wants is to see an HTTP 500 error upon logging into online banking. Such occurrences are rare; banks are solely focused on projecting an image of reliability and stability.
00:05:14.440 Maybe because of this complexity, the definition of transactions is often not very clear. I'm asking you to join me on a small journey to understand what it takes to conduct just one bank transfer.
00:05:36.760 The first step, which I call Step 0, occurs even before the bank transfer takes place. This initial action happens when we start communicating with the customer, be it an insurance company, a logistics company, or any business client.
00:06:01.680 Before we even sign a contract, we engage in what is called a KYB—Know Your Business—process. This is similar to KYC, or Know Your Customer, which is familiar to anyone who has ever opened an account with banks like Revolut or N26.
00:06:24.479 In those cases, you must take a picture of yourself and undergo various verification steps. Our process is far more intricate because we are onboarding companies, requiring us to conduct a thorough investigation into how they operate.
00:06:44.240 The KYB process covers all sorts of aspects—company structure, client relationships, supplier networks, and the flow of money in and out of the business. We ask questions about whether they are engaged in crypto activities or provide loan services.
00:07:09.120 We also look at the ultimate beneficial owners—those who profit from the company at quarter's end—and any significant control in the company. We want to ensure we understand the complete picture before providing our services.
00:07:31.840 This complex onboarding process can take weeks or even months, especially if the company operates internationally, collecting information on everyone connected with the organization.
00:07:56.600 Once this process is completed, let’s imagine we have a client, an insurance company, with customers making claims.
00:08:11.960 Let’s say something happened to my house; I file a claim. The insurance company investigates and eventually agrees to pay out.
00:08:23.840 Now the actual transfer is about to happen. We, the Payment Service Provider (PSP), will be moving the money. The first step is to inform the PSP: 'please do a transfer to this individual.'
00:08:39.320 After we receive the request from the customer, our initial check is to verify the account balance. Checking the balance appears simple but involves significant complexity when implemented in practice.
00:08:56.880 In corporate banking, there exists not just one type of balance, but multiple balances to consider because the clearing and settlement of funds can take time.
00:09:19.760 At times, funds are in transit—moving from one account to another—before being available in the recipient's account. During this transit, part of the funds is temporarily 'blocked'.
00:09:43.840 We track three types of balances: the real balance (actual money), the available balance (money minus funds in transit), and what we call the 'bable balance' (available money plus incoming funds).
00:10:07.280 Typically, we manage the available balance the most, but keeping record of all three is essential. For instance, if you have a claim for 200, and your available balance is 1,000, we can proceed.
00:10:28.920 The next step involves what we call 'the sanction list,' which is quite a mess. Every government worldwide publishes periodic sanction lists against different individuals, organizations, or countries, like the EU sanctions imposed on Russia.
00:10:57.919 If we determine that the person receiving the funds is on one of these lists, it's not simply a rejection; we are legally mandated to block the payment and investigate.
00:11:20.399 Alongside the sanction lists, there's another classification called PEPs, or Politically Exposed Persons. These are individuals holding a public position that necessitates extra scrutiny during transactions.
00:11:37.440 Conflicts can arise where, for instance, someone might attempt to bribe a public figure or engage in suspicious activities associated with government individuals.
00:11:52.799 The conclusion of this preliminary phase, in which both the sanction list and PEP checks are verified, happens within moments at the early stages of transaction processing.
00:12:05.400 Afterwards, we must communicate with the beneficiary's bank, which is also a PSP. We use a standard protocol called ISO 20022 to communicate and process payments in a manageable way.
00:12:20.399 Historically, exchanges between PSPs were many times unstandardized and chaotic. However, since 2007, the ISO committee introduced this standard, which allows for a more seamless global payment process.
00:12:38.440 Unlike in the past, now we have a standard schema in place for numerous payment types, covering everything from initiatives to standard transactions.
00:13:00.440 This is crucial as we prepare to initiate the bank transfer, a process that generally takes several steps. I will do my best to keep it from being boring, but understanding this is essential.
00:13:18.480 The first step is the originator PSP requesting the transfer. They will send a credit transfer, also known as SCT, that must be submitted to what is termed as the Clearing and Settlement Mechanism (CSM). This system efficiently processes fund transfers between banks.
00:13:50.440 Let’s visualize two banks—Bank A and Bank B. If Bank A generates 2,000 transfers worth 1 million euros, while Bank B issues 2,000 transactions equating to half a million, the CSM nets these operations and consolidates the funds.
00:14:05.440 This operational efficiency minimizes the movement of actual cash, effectively a netting of transactions across banks, and links separate clusters of services involved in this process.
00:14:25.360 After submitting the transaction from the originator PSP, the CSM relays it to the beneficiary PSP, which must replicate the same compliance checks completed by the originator.
00:14:37.759 The beneficiary bank must ensure that the transaction adheres to its sanction and PEP lists, and affirm the ability to deposit the funds in the appropriate account. This culminates in either an acknowledgement of the transaction or a rejection.
00:15:25.679 If approved, the CSM will signal confirmation to both parties, indicating the funds are settled into the recipient's account. What might seem like a simple ten-euro transfer entails a convoluted series of internal steps and processes.
00:15:52.159 There are several constraints at play. For instance, once we initiate the transaction from the timestamp of step 2 to step 6, a maximum of 10 seconds must occur.
00:16:12.360 Although ten seconds might feel lengthy for those from a web development background, it’s a reasonable delay among various independent systems involved in processing the transaction.
00:16:34.000 Most transactions typically take four or five seconds to complete, but factors like the bank's size and infrastructure capabilities can impact time.
00:16:54.239 Additionally, recent limits for transfers have increased; the maximum is now 100,000 euros, although it was previously 25,000 euros as of 2017.
00:17:10.560 Another significant adjustment has been the target to operate 24/7 every single day, a departure from traditional banking practices of batch processing and scheduled downtimes.
00:17:26.040 What I have described up to this point is just one scheme, known as the SEPA Instant Transfer, which operates instantaneously.
00:17:40.479 In reality, many other transfer schemes exist and similar steps occur in batch modes. For instance, a new standard called Request to Pay is set to revolutionize the way payments are requested.
00:18:06.320 This innovative process could effectively replace debit cards as a means of payment, allowing for straightforward peer-to-peer transactions with minimal reliance on intermediaries.
00:18:21.760 With this shift to instant transactions, the risk of fraud and mistakes rises, prompting regulators to consider measures such as verifying the identity of beneficiaries before payments are processed.
00:18:41.520 In this current landscape, it's clear that banking operations require more than just systems; they demand constant vigilance and stringent controls to prevent errors and fraudulent activity.
00:19:05.640 Moving on, I’d like to introduce my company, AETU. We started in 2019 as a salary advance provider, aiming to alleviate the burdens workers face when relying on payday loans and high-interest debts.
00:19:21.040 The premise is simple: workers could access their earned wages rather than waiting until payday. Using an app, they could request funds they had already earned.
00:19:39.040 We built a Rails API, developed several native apps, and undertook many custom integrations with payroll systems—a task that proved to be especially challenging due to the lack of standardization in the payroll software market.
00:19:58.560 At the start of 2020, the pandemic struck, causing a temporary setback. Nevertheless, we experienced rapid growth as we collaborated with both big companies and established networks.
00:20:17.760 After two years, we recognized that the integration efforts required were unsustainable and we were not evolving into a flexible product company.
00:20:37.520 Our onboarding process could take anywhere from three months to six months, depending on the complexity of our client, which obstructed our scalability.
00:20:58.440 This realization prompted us to transition from a salary advance company to a payment service provider in early 2022, focusing on real-time account-to-account payments, particularly in the EU.
00:21:18.560 We remain a small company, currently comprised of only seven developers. Nonetheless, we are successfully processing hundreds of thousands of transactions each month, amounting to several million euros.
00:21:36.240 Our goal is to obtain a proper PSP license this summer after three years of effort and regulatory hurdles.
00:21:51.840 From the outset, we recognized the operational complexities of this environment would demand rigorous business logic, much of which is dictated by regulatory requirements.
00:22:05.360 Because of the diversity of our client base, we must tailor our approaches to meet different business needs across sectors like insurance and crypto, reflecting varying regulatory risks.
00:22:20.640 Employing Ruby on Rails has proven beneficial, especially as it provides us with flexibility when confronting unique business challenges. When transitioning to serve various companies, we quickly learned that traditional Rails patterns didn't always serve us well.
00:22:46.920 In 2019, Shopify published articles discussing modular monolithic designs, which emphasized breaking business logic into manageable components while maintaining clear boundaries between them.
00:23:02.640 This approach allows us to ensure modularity without the overhead of deploying microservices. Hence, combining modular design thinking with the practical benefits of simplicity has been our focus.
00:23:21.360 With a modular monolith, complexities are contained, enabling us to make changes to independent components, minimizing the risks for our overall system.
00:23:39.760 We still had to regularly remind our team about the gravity of dealing with money, prompting practices around defensive programming. For instance, if we receive an unexpected response from a payment service provider, we don’t act before we investigate further.
00:24:00.640 In scenarios where something goes awry during a payment request, we take a cautious approach to avoid duplicate transactions—establishing unique IDs that can only be processed once during a defined time window.
00:24:17.360 Every activity within our system is audited. This is not merely for redundancy; as mandated by regulatory bodies, we need to provide transparency related to any specific payment to ensure compliance.
00:24:51.680 Having the right systems in place allows for thorough oversight while also creating a culture of responsibility among the team member to navigate their roles within compliance.
00:25:09.840 With significant transaction volume, even small error rates can translate to significant discrepancies, driving us to develop domain-specific languages (DSLs) to handle various scenarios efficiently.
00:25:31.360 An example includes crafting responses to timing out among various parties involved in transactions—allocating certain retry strategies or fall-back mechanisms.
00:25:50.800 Ruby gives us an edge in creating these DSLs, providing an unmatched capability to encapsulate business logic clearly and understandably.
00:26:09.520 Ultimately, documentation is a vital part of our operations. Our clients primarily interact with our API through clear documentation, which serves as their main source of understanding about our services.
00:26:29.840 We take pride in ensuring our documentation is accurate and maintain that it is continuously tested against our live environments to reflect reality.
00:26:48.480 In summary, the principles of banking require caution and clarity. Instead of a mantra of 'move fast and break things,' we prioritize robust, verifiable practices.
00:27:06.720 We embrace a model of trust, but also emphasize the importance of verification, continuously monitoring our systems and processes to ensure the highest standards of accountability.
00:27:25.600 Thank you all for your time. I hope you found the talk enlightening and understand the complexities of running a fintech company.
Explore all talks recorded at Balkan Ruby 2024
+5