Cloud Native Open Banking: HSBC’s PayMe for Business app | How we built it on Azure

In this video Alessio Basso, the Chief Architect of PayMe from HSBC, provides an executive overview of how the intelligent and digital payment platform for the app was built on Azure.

It’s often been said that they highly regulated nature of the financial services industry has precluded them from using the public Cloud, but this case study shows that it is possible to still adhere to those requirements while harnessing it’s power.

At 1:22 Alessio states that the Cloud now provides for information security and risk management tools to ensure compliance for HSBC. They own a massive footprint of legacy data centres but plan to transition entirely to the Cloud within the next five to ten years, driven by a mobile-first strategy, with this transformation presenting them the opportunity to entirely rethink the customers banking experience.

Social P2p payments and Open Banking

From 2:35 he explains that at first it started with a cashless P2P strategy, with the HSBC PayMe app launched for customers in 2017, gaining popularity in a very rapid fashion. 1.5m people in Hong Kong use the app, one in five of the population.

PayMe is a social payment application which allows the users to send money to their friends and family without asking for their phone number or the bank account, all for free. It’s widely used in social situations, such as when friends and family share a meal.

At 3:05 he highlights that the users can avail themselves of all the bank-grade securities that HSBC provides. In addition he describes that the best part of the application is it’s speed, explaining at 4:00 the statistic that 98% of the transactions terminate within 500ms.

It also allows merchants to collect payments, with the critical differentiation to traditional methods like credit cards, it is transferred in real-time. The integration of analytics tools means there are value add services, like enabling merchants to analyze sales trends, giving them the data needed to grow their business.

There is also an API for integrating with e-commerce stores and POS units.

Cloud Native architecture

From 4:15 they move on to exploring the architecture of how the app was built.

Alessio begins by saying their first decision was to go Cloud Native and build it using a microservices architecture. The app consists of a dozen or so microservices each performing a specific function, such as a user and business profile service, payments and reporting.

At 4:55 he highlights the security authentication microservice which regulates the level of authentication which is required to perform different functions within the app. There is an OCR microservice that scans and extracts the users identity information to validate their enrollment.

At 6:00, he demonstrates the payment process, showing that when the merchant needs to collect a payment, the amount is typed into the app, which then calls the QR code payment service. The consumer then takes his or her PayMe for a consumer app, scans the QR code and confirms the payment confirmation. The confirmation can be made by either fingerprint or face id, and then the payment microservice processes the transaction.

Achieving scalability

From 6:55 Alessio explains how a critical feature of the architecture is that each microservice is entirely self-contained and operates independently of the others. Each has its own instance copies and each makes use of its own Azure resources, such as databases, Event Hub and Key Vault.

This approach makes security easier and also the ability to rapidly scale out the app.

At times like the Chinese New Year festivities there is peaks in demand where people like to go out more and share gifts, and at 8:18 Alessio describes how they can scale out only some of the microservices that are needed such as payments but not enrollment.

At the same time, the database layer also gets scaled by obtaining direct replicas of the MySQL databases. At 10:20, he emphasizes that the secure model of the cloud is still followed to connect every transaction. In their performance testing they went up to 500 million transactions per day.

Key Vault security

From 9:00 Alession walks through how HSBC use Key Vault for secrets management. Each microservice runs in its own subnet and communicate with Azure services like databases and caches via service principles and credentials stored in Key Vault.

They also use VNet service endpoints, so that microservices are making calls to local endpoints within the same vnet. This is a design feature critical to security on the public Cloud.

They use a network security group with a base rule that denies all incoming and outgoing traffic, and then add specific rules that allow only the traffic needed for their services. Importantly they also automate the deployment of these rules to eliminate the risk of human error. They also make use of Azure features like Advanced Threat Protection for proactively alerting of security risks – Alessio demonstrates this at 12:05.

At 12:35 he points out a scenario where a security alert mail is obtained when the user signs in the app from the place which is different from their usual place. These get flagged for further investigation.

Data analytics

From 13:30 the interview focuses in on HSBC’s use of data analytics. Alessio reveals that while the initial strategy was one of facilitating payments, as adoption took off it became apparent that the resulting network effect of the social payments was yielding a significant data asset.

So they structured the data as a graph and imported it into Azure Cosmos, what they use for their analytics store.

At 14:07 Alessio adds that on top of this they also use Databricks as the data platform which would stitch together all the data interactions and perform all the data engineering and data science workloads. They use a combination of ingesting data, such as transaction classifications, as well as keeping some in place such as click stream data which is kept in storage and viewed remotely.

This capability enables value add services for customers such as proactively identifying suspicious transactions. The transaction classification can be used to power financial reporting like identifying ‘taxi fares’.

Lessons Learned

In conclusion HSBC define the key benefits of this approach as:

• Managed services – With only a small team the use of Cloud services meant they could focus on building value add functionality not managing infrastructure, enabling them to go from ideation to launch in just a few months.
• Isolated microservices – The model of independent microservices makes security and scalability much more effective.