Finlake is a modular financial services platform built on AWS, designed to help banks, microfinance institutions, and fintechs run mission-critical operations in the cloud. The platform consists of six services — CIB, CBA, LPMS, KYC, Mobile, and USSD — each deployed within the customer's AWS account. Finlake provides comprehensive data and analytics capabilities including transaction processing, financial reporting, loan portfolio analysis, regulatory compliance, and real-time operational dashboards.
Industry Vertical
Financial Services — Banking, Microfinance, and Fintech
Platform Architecture
Shared Infrastructure
All six Finlake services share a common foundational architecture deployed within a single VPC (10.2.0.0/16) in the US-East-1 region, spanning two Availability Zones (us-east-1a and us-east-1b). Services can also be deployed in any AWS region that supports the required services, with a secondary region available for cross-region disaster recovery.
The shared infrastructure includes:
- Amazon RDS (PostgreSQL): Writer instance in AZ-a and Standby instance in AZ-b for automatic Multi-AZ failover across all services. Amazon Aurora PostgreSQL is also supported for customers requiring higher throughput, using cluster and reader endpoints. No superuser privileges or root access are required — all services operate within standard RDS managed-service capabilities.
- VPC Layout:
  - Public Subnets (10.2.0.0/20) — Internet Gateway, NAT Gateways, load balancers.
  - Private Application Subnets (10.2.16.0/20 in AZ-a, 10.2.48.0/20 in AZ-b) — Application compute (Lambda, Fargate, EKS).
  - Private Database Subnets (10.2.32.0/20 in AZ-a, 10.2.64.0/20 in AZ-b) — RDS instances, ElastiCache, DynamoDB endpoints. Fully isolated with no public accessibility.
- Security and Governance: IAM, KMS (customer-managed encryption keys for data at rest), Secrets Manager (credential storage and rotation — credentials are never logged or hardcoded), CloudTrail (API audit logging), and CloudWatch (monitoring and alerting) are present in every service.
- Edge and Protection: Amazon CloudFront and AWS WAF in front of all customer-facing endpoints.
- Amazon S3: Document storage, logs, and backups across all services, encrypted with SSE-KMS.
- NAT Gateways: One per AZ for outbound connectivity from private subnets.
Database Configuration
Custom DB Parameter Groups are provided for each supported PostgreSQL version, including SSL enforcement (rds.force_ssl = 1) and connection tuning. Automated backups with point-in-time recovery and Enhanced Monitoring are enabled across all deployments. Connection management varies by compute model: Fargate-based services (CIB, CBA, USSD) use container-level connection pooling that scales with task count, while Lambda-based services (KYC, LPMS, Mobile) use short-lived connections optimized for serverless execution. Application DNS TTL for the RDS endpoint is set to 5 seconds or less to support rapid failover detection.
Finlake Services
Finlake CIB — Corporate and Institutional Banking
Handles corporate banking operations including transaction processing, batch operations, compliance reporting, and analytics dashboards.
- Compute: AWS Fargate (containerized application tier across both AZs).
- Database: Amazon RDS (PostgreSQL) Multi-AZ. Amazon DynamoDB for session and auxiliary data.
- Processing: AWS Batch for bulk and scheduled operations. Amazon SQS for asynchronous messaging. AWS Step Functions for workflow orchestration.
- Security: Amazon Cognito for user authentication. Amazon GuardDuty for threat detection. AWS Directory Service for enterprise identity integration. AWS Config for compliance monitoring.
- Traffic: Elastic Load Balancer behind CloudFront and WAF.
Finlake CBA — Core Banking Application
The core banking engine supporting account management, real-time transaction processing, and event-driven banking operations with container orchestration.
- Compute: AWS Fargate and Amazon EKS (NodeGroups) across both AZs.
- Database: Amazon RDS (PostgreSQL) Multi-AZ. Amazon DynamoDB for transactional data. Amazon ElastiCache for Redis (primary + replica) for session caching and real-time lookups. Amazon EFS for shared file storage.
- Processing: AWS Step Functions for banking workflow orchestration. Amazon Kinesis Data Streams for real-time event streaming. Amazon EventBridge for event-driven processing. Amazon SNS for notifications.
- Security: Auth Handler service for authentication. AWS X-Ray for distributed tracing.
- Traffic: Elastic Load Balancer behind CloudFront and WAF.
Finlake LPMS — Loan Portfolio Management System
Manages loan origination, portfolio analytics, credit scoring with machine learning, and financial reporting for lending institutions.
- Compute: AWS Lambda (serverless functions across both AZs).
- Database: Amazon RDS (PostgreSQL) Multi-AZ. Amazon Redshift for data warehousing and portfolio analytics.
- Processing: Amazon SageMaker for ML-based credit scoring and risk models. Amazon EventBridge for event-driven processing. Amazon SQS and SNS for messaging and notifications.
- Analytics: Amazon QuickSight for loan portfolio dashboards and reporting.
- Security: Amazon Macie for data classification and sensitive data discovery.
- Traffic: API Gateway behind CloudFront and WAF.
Finlake KYC — Know Your Customer
Automates customer identity verification, document processing, and compliance screening using AI/ML services.
- Compute: AWS Lambda (serverless functions across both AZs).
- Database: Amazon RDS (PostgreSQL) Multi-AZ. Amazon DynamoDB for verification session data.
- AI/ML Services: Amazon Bedrock for generative AI capabilities. Amazon Rekognition for facial recognition and identity matching. Amazon Textract for document text extraction and ID processing.
- Processing: Amazon SQS for verification queue management. AWS PrivateLink for secure service-to-service connectivity.
- Security: Amazon Macie for sensitive data detection. AWS X-Ray for tracing verification workflows.
- Traffic: API Gateway behind CloudFront and WAF.
Finlake Mobile — Mobile Banking
Provides mobile banking capabilities including account access, payments, fund transfers, and real-time fraud detection.
- Compute: AWS Lambda (serverless functions across both AZs).
- Database: Amazon RDS (PostgreSQL) Multi-AZ. Amazon DynamoDB for mobile session and device data.
- Processing: Amazon AppSync for real-time GraphQL APIs. Amazon DataSync for data synchronization. Amazon Fraud Detector for real-time transaction fraud analysis.
- Security: Amazon Cognito for mobile user authentication and authorization.
- Analytics: Amazon QuickSight for mobile banking usage and transaction analytics.
- Traffic: API Gateway behind CloudFront and WAF.
Finlake USSD — Unstructured Supplementary Service Data
Enables banking services over USSD channels for feature phones, supporting account inquiries, transfers, airtime purchases, and bill payments.
- Compute: AWS Fargate and AWS Lambda (hybrid compute across both AZs).
- Database: Amazon RDS (PostgreSQL) Multi-AZ. Amazon DynamoDB for USSD session state. Amazon ElastiCache for Redis (primary + replica) for low-latency session caching.
- Processing: Amazon SQS for USSD request queuing. Amazon SNS for SMS and push notifications.
- Traffic: API Gateway behind CloudFront and WAF.
Security
Finlake implements a multi-layered security architecture across all six services:
- Network Isolation: All database instances are deployed exclusively in private subnets with no public accessibility. Database security groups restrict inbound traffic to the application tier only — no 0.0.0.0/0 ingress rules are permitted on any database resource.
- Encryption at Rest: All data stores — RDS, DynamoDB, S3, EBS, EFS, ElastiCache, and Redshift — are encrypted using customer-managed KMS keys.
- Encryption in Transit: TLS 1.2+ is enforced for all external and internal communications including application-to-database connections.
- Credential Management: AWS Secrets Manager stores all database and service credentials. Applications retrieve credentials via IAM roles at runtime. Credentials are never logged, never hardcoded, and automatic rotation is supported.
- Identity and Access: IAM roles follow the principle of least privilege. Cross-account access uses IAM roles with external ID where applicable. Services requiring user authentication use Amazon Cognito (CIB, Mobile) or dedicated auth handlers (CBA).
- Audit and Compliance: AWS CloudTrail is enabled on every service for API-level audit logging. AWS Config (CIB) and Amazon Macie (LPMS, KYC) provide additional compliance and data classification capabilities. Amazon GuardDuty (CIB) monitors for threat activity.
- Edge Protection: AWS WAF and Amazon CloudFront are deployed in front of all customer-facing endpoints across all six services.
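One way to verify two of the controls above, the database security-group rules (no 0.0.0.0/0 ingress, application-tier-only access) and the rds.force_ssl = 1 setting from the Database Configuration section, as an added example that is not Finlake's own tooling. It runs over constructed inputs shaped like the EC2 DescribeSecurityGroups and RDS DescribeDBParameters responses rather than live AWS calls; the security-group IDs and parameter values are assumptions.

```python
"""Added example (not Finlake's own tooling): audit two controls stated on this page against
inputs shaped like EC2 DescribeSecurityGroups and RDS DescribeDBParameters responses. Checks:
no 0.0.0.0/0 or ::/0 ingress on a database security group on any port, DB-port ingress only
from application-tier groups, and rds.force_ssl = 1. All IDs and values are constructed samples."""
POSTGRES_PORT = 5432
OPEN_WORLD = ("0.0.0.0/0", "::/0")

def _covers_port(perm: dict, port: int) -> bool:
    """True if an IpPermissions entry covers TCP `port` (IpProtocol "-1" means all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit_db_security_group(sg: dict, app_sg_ids: set, port: int = POSTGRES_PORT) -> list:
    """Return findings for one database security group (empty list means compliant)."""
    gid, findings = sg["GroupId"], []
    for perm in sg.get("IpPermissions", []):
        on_db_port = _covers_port(perm, port)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in OPEN_WORLD:  # forbidden on any port of a database resource
                findings.append(f"CRITICAL: {gid} has an ingress rule from {cidr}")
            elif on_db_port:        # CIDR-based DB access bypasses the app-tier-only rule
                findings.append(f"HIGH: {gid} allows CIDR {cidr} on port {port}")
        for pair in perm.get("UserIdGroupPairs", []):
            if on_db_port and pair["GroupId"] not in app_sg_ids:
                findings.append(f"HIGH: {gid} allows non-application group {pair['GroupId']} on port {port}")
    return findings

def audit_force_ssl(parameters: list) -> list:
    """Return findings if rds.force_ssl is absent from the parameter group or not '1'."""
    values = {p["ParameterName"]: p.get("ParameterValue") for p in parameters}
    value = values.get("rds.force_ssl")
    if value is None:
        return ["HIGH: rds.force_ssl is not set; the engine default applies"]
    if value != "1":
        return [f"HIGH: rds.force_ssl = {value}; unencrypted client connections are accepted"]
    return []

def run_audit(db_sgs: list, app_sg_ids: set, parameters: list) -> list:
    """Combine both checks; any finding means the deployment deviates from the stated controls."""
    findings = [f for sg in db_sgs for f in audit_db_security_group(sg, app_sg_ids)]
    return findings + audit_force_ssl(parameters)

# Constructed samples: one application-tier group and one misconfigured database group.
APP_SG_IDS = {"sg-0app0000000000001"}
SAMPLE_DB_SG = {
    "GroupId": "sg-0db00000000000002",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "Ipv6Ranges": [],
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": [{"GroupId": "sg-0app0000000000001"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "Ipv6Ranges": [],  # not the DB port: no finding
         "IpRanges": [{"CidrIp": "10.2.0.0/20"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0bastion000000003"}]},
    ],
}
SAMPLE_PARAMS = [{"ParameterName": "rds.force_ssl", "ParameterValue": "0"}]

if __name__ == "__main__":
    print("\n".join(run_audit([SAMPLE_DB_SG], APP_SG_IDS, SAMPLE_PARAMS)))
```

Against live accounts the same functions take the `SecurityGroups` entries from `describe_security_groups` and the `Parameters` entries from `describe_db_parameters` unchanged.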
High Availability and Disaster Recovery
Every Finlake service is architected for high availability across two Availability Zones. All database resources use Multi-AZ deployment with automatic failover. When a failover event occurs, the standby RDS instance is promoted automatically, application DNS TTL of 5 seconds or less ensures rapid endpoint resolution, and the application layer reconnects with exponential backoff — requiring minimal manual intervention.
Cross-region disaster recovery is supported for customers requiring geographic redundancy, including cross-region backups, standby infrastructure activation, and DNS failover procedures.
Performance
- Response time target of under 2 seconds for 95% of requests across all services.
- Auto-scaling is configured per service — Fargate task scaling for CIB, CBA, and USSD; Lambda concurrency scaling for KYC, LPMS, and Mobile; EKS node scaling for CBA.
- Read replicas distribute read operations to reduce primary database load where applicable.
- Asynchronous processing via SQS, SNS, EventBridge, Kinesis, and Batch reduces direct database connection pressure across the platform.
- Services with caching layers (CBA and USSD use ElastiCache for Redis) further reduce database read load.
- Performance impact documentation and testing are provided for each deployment tier.
Product Limitations
- Maximum concurrent users scale with deployment tier, from 500 (Small) to 50,000 (Enterprise) per service.
- Database connection limits are determined by the selected RDS instance class.
- Storage capacity ranges from 500 GB to 5 TB depending on deployment size, within AWS service limits.
- Lambda-based services (KYC, LPMS, Mobile) are subject to Lambda concurrency limits per region.
- Fargate-based services (CIB, CBA, USSD) are subject to ECS service quotas.
Support
AWS Business Support (or greater) is required on all production AWS accounts running Finlake services. This provides access to AWS Trusted Advisor for resource optimization, AWS Personal Health Dashboard for proactive monitoring, and faster response times for production issues. A complete deployment guide and runbook is available for each Finlake service covering step-by-step installation, configuration, monitoring, backup, disaster recovery, and performance validation.