At QCon London, Greg Hawkins presented "Building and Trusting a Cloud Bank" in which he discussed how the Starling Bank team has created a UK Bank running on the AWS public cloud. InfoQ caught up with Hawkins at a recent StarlingDev Hackathon, and discussed Open Banking and PSD2, the challenges of legacy applications, and what the future holds for online banking.
Hawkins began the discussion by stating that Open Banking provides Open API Standards for UK Banking, and PSD2 is a European directive which contains measures aimed at security and innovation in the sector. The key impact is that it will force all banks to expose functionality and data via APIs.
Many existing banks struggle when attempting to innovate with technology, Hawkins suggested, as they are hamstrung by the fact that many of their existing systems and organisational processes were defined before the age of TDD, CD, DevOps and microservices. Starling Bank utilises cross-skilled teams that can move autonomously, with iOS, Android, backend, infrastructure, UX and product expertise all working together on a team. All platform engineers are on the on-call rota, not just "ops", and the team try to live Werner Vogels' "you build it, you run it" philosophy.
The full transcript of the interview with Greg Hawkins can be found below.
InfoQ: Could you explain to the InfoQ readers what PSD2 and Open Banking will offer them, both as developers of applications that integrate with payment systems, and also as end-users of banking?
Greg Hawkins: For a technical audience, you can think of this as OAuth 2.0 for your bank account. For end users, the sort of integration you get when you allow other tools access to your GitHub account, you'll get by allowing other tools access to data in your bank account. And for developers you get to deliver exciting tools and products built on people's account data. Ultimately, we believe our customers own their data and have the right to decide who can use it for what and our marketplace platform makes this delegation possible.
Actually, PSD2 is a European directive which contains all sorts of measures aimed at security and innovation in the sector, but the key impact is that it will force all banks to offer these sorts of APIs. We're a bit ahead of the game because this is important to us and we'd be doing it even without PSD2 but it's coming for everyone.
InfoQ: How much of an advantage (or disadvantage) do new entrants to the banking sector, like Starling Bank, have in comparison to existing organisations? At first glance, the obvious advantage appears to be the absence of legacy systems, and the disadvantage all of the regulatory red-tape, but is it as simple as this?
Hawkins: To a degree, yes it is that simple! At least on the legacy systems thing... Despite the innovation going on around the edges in big banks, they're hamstrung by the fact that many of their systems are these large hulking monoliths that were written before the age of TDD, CD, DevOps and microservices.
The systems have become too important to throw away, too fragile to change and too entangled to hack little pieces off. So, of course building from scratch means we can move faster and evolve more quickly and we can even optimise our architecture for throwing things away instead of being stuck with them! We can skip the whole "agile transformation" which is creaking along in the bigger organisations and just do things the way technology companies do them.
On the regulatory front the story is a bit different because we're subject to the same regulation as any other UK bank, and that can be hard at times. We do have a strong dialogue with the regulator and with auditors on how we manage risk but our approach is modern rather than traditional - for instance we minimise risk of release by releasing frequent small increments rather than by turning each release into a big song and dance...
We do have other advantages too:
We've got a tremendous emphasis on customer-centric design that means we've already delivered an app that's generating real excitement despite the fact we have a backlog of really exciting features that we haven't even delivered yet. It's too common in our industry to see apps which haven't been designed with such sensitivity and have ended up being very faithful representations of all the mess in the back-end... So for us simple features like temporary card-lock, self-controlled overdraft slider, the friendly merchant naming and suchlike, they really pay off in the context of this small, simple, elegant application, and that's really just the starting point.
And then the business model can be leaner and more focused. At Starling Bank we want to build the world's best current account - we're not interested in mortgages or insurance. So this PSD2-enabled marketplace becomes a strength for us - we will integrate with fintechs from across the market and customers will be able to search and use other products in their Starling app. For the customer there is more choice and more transparency and for us we get to keep our engineering effort concentrated on where we can deliver the most value.
InfoQ: Many large organisations talk about the value of migrating to a "DevOps" way of working. Has this impacted the formation and development processes used within the Starling Bank team?
Hawkins: Definitely. We're very keen on cross-skilled teams and teams that can move autonomously, so that means iOS, Android, Back End, infrastructure, UX, product expertise all together on a team. We want developers to be directly connected to the health of their features in production so we have monitors up in the office where everyone can see how things are going in the production environment. All platform engineers are on the on-call rota, not just "ops", and we try to live the "you build it, you run it" philosophy and tighten all the feedback cycles.
On the tech side, being cloud-based from the start has allowed us to use immutable infrastructure, infrastructure as code, and to leverage Docker and the DevOps tooling ecosystem to deliver the resilience and (touch wood!) the scalability the world demands of us.
InfoQ: How much value did you get from the recent Hackathon? What were the key learnings for the Starling Bank team?
Hawkins: It was just immense. I had no idea the hunger out there for this sort of thing. Every hint of a new endpoint in the API and people were jumping on it, working out what it could do, where the bugs were! People were throwing ideas around, implementing some of the stuff we haven't had time to and it was all moving so fast.
The marketplace team was getting great feedback on how the APIs should evolve and what people need, and I was taking in a lot on what we need to think about in the back-end for scaling out some of these things, because you know when people are using the API the traffic is probably not simply proportional to the number of users like it is with the mobile apps, and we discovered quite a few use-cases that we weren't ready with that we've now implemented.
We implemented MFA-reset for developer accounts during the hackathon itself because one participant smashed his phone! We're definitely looking to repeat this sort of thing on a more regular basis.
The video and slides for Hawkins' recent QCon London presentation "Building and Trusting a Cloud Bank" can be found on InfoQ, and the Starling Developer Portal contains additional information for developers wanting to utilise the current APIs available. Megan Caywood has also published "Starling Hackathon: The Roundup" on the Starling Bank blog, which contains a summary and key learning points from the recent StarlingDev Hackathon.