{
  "schemaVersion": "1.0.0",
  "documentControl": {
    "metadata": {
      "title": "Solution Architecture Document -- Customer API Platform",
      "solutionName": "Customer API Platform (CAP)",
      "applicationId": "APP-0472",
      "authors": ["Fred Bloggs (Lead Solution Architect)"],
      "owner": "Fred Bloggs",
      "version": "2.1",
      "status": "approved",
      "createdDate": "2024-09-15",
      "lastUpdated": "2025-11-20",
      "classification": "restricted"
    },
    "changeHistory": [
      {
        "version": "0.1",
        "date": "2024-09-15",
        "author": "Fred Bloggs",
        "changeType": "initial-draft",
        "description": "Initial draft with executive summary and logical view"
      },
      {
        "version": "0.2",
        "date": "2024-09-28",
        "author": "Fred Bloggs",
        "changeType": "minor-update",
        "description": "Added physical view, data view, security view"
      },
      {
        "version": "0.3",
        "date": "2024-10-10",
        "author": "Joe Bloggs",
        "changeType": "review-revision",
        "description": "Security review feedback incorporated"
      },
      {
        "version": "0.5",
        "date": "2024-10-22",
        "author": "Fred Bloggs, Jane Doe",
        "changeType": "minor-update",
        "description": "Added quality attributes, governance, lifecycle"
      },
      {
        "version": "1.0",
        "date": "2024-11-05",
        "author": "Fred Bloggs",
        "changeType": "approval",
        "description": "First approved version following ARB review"
      },
      {
        "version": "1.1",
        "date": "2025-01-15",
        "author": "Fred Bloggs",
        "changeType": "minor-update",
        "description": "Updated cost model following reserved instance purchase"
      },
      {
        "version": "1.2",
        "date": "2025-03-20",
        "author": "Fred Bloggs",
        "changeType": "minor-update",
        "description": "Added fraud detection integration (Phase 2)"
      },
      {
        "version": "2.0",
        "date": "2025-08-01",
        "author": "Fred Bloggs",
        "changeType": "major-update",
        "description": "Major revision: EKS upgrade to 1.29, Graviton migration, updated capacity projections"
      },
      {
        "version": "2.1",
        "date": "2025-11-20",
        "author": "Fred Bloggs",
        "changeType": "minor-update",
        "description": "Updated DR testing results, refreshed cost analysis"
      }
    ],
    "contributors": [
      { "name": "Fred Bloggs", "role": "Lead Solution Architect", "contributionType": "author" },
      { "name": "Joe Bloggs", "role": "Principal Security Architect", "contributionType": "reviewer" },
      { "name": "Jane Doe", "role": "Data Architect", "contributionType": "reviewer" },
      { "name": "Tom Bloggs", "role": "SRE Lead", "contributionType": "reviewer" },
      { "name": "Dr. Helen Zhao", "role": "CTO", "contributionType": "approver" },
      { "name": "Marcus Doe", "role": "CISO", "contributionType": "approver" },
      { "name": "Alice Doe", "role": "Head of Compliance", "contributionType": "approver" },
      { "name": "Dave Bloggs", "role": "ARB Chair", "contributionType": "approver" }
    ],
    "purpose": "This SAD describes the architecture of the Customer API Platform (CAP), Meridian Financial Services' Open Banking and partner API solution. It replaces the legacy SOAP-based Partner Integration Layer (PIL) and provides secure, high-performance RESTful APIs exposing account information and transaction data to authorised third-party providers (TPPs) and partner fintech applications.",
    "scope": "In scope: API Gateway and all microservices (Account, Transaction, Auth, Notification); AWS infrastructure across all environments (dev, test, staging, production, DR); Integration with the core banking system, fraud detection, and notification services; Security architecture including OAuth 2.0, mTLS, and encryption; Operational tooling (monitoring, alerting, logging, tracing). Out of scope: Core banking system internals (SAD APP-0102), Mobile banking application (SAD APP-0389), Partner onboarding business processes (OPS-0055), Detailed API specification (Swagger/OpenAPI on internal developer portal)."
  },
  "executiveSummary": {
    "solutionOverview": "The Customer API Platform (CAP) is a cloud-native, microservices-based REST API platform that exposes account information and transaction data to authorised partner fintech applications and third-party providers. It is Meridian Financial Services' primary channel for Open Banking compliance and strategic partner integrations. CAP replaces the legacy SOAP-based Partner Integration Layer, which suffered from poor scalability, high latency, and an inability to meet the performance and security requirements of the UK Open Banking standard. The new platform is built on AWS using containerised microservices orchestrated by Amazon EKS, fronted by AWS API Gateway, and secured with OAuth 2.0 and mutual TLS.",
    "businessContext": [
      {
        "driver": "Regulatory compliance (PSD2 / Open Banking)",
        "driverType": "regulatory",
        "description": "UK Competition and Markets Authority (CMA) mandate to provide open APIs for account information and payment initiation to authorised TPPs",
        "priority": "high"
      },
      {
        "driver": "Legacy platform end-of-life",
        "driverType": "end-of-life",
        "description": "The existing SOAP-based Partner Integration Layer is on unsupported middleware (Oracle SOA Suite 11g) with known security vulnerabilities",
        "priority": "high"
      },
      {
        "driver": "Partner ecosystem growth",
        "driverType": "new-capability",
        "description": "Strategic initiative to onboard 25+ fintech partners over the next 18 months, requiring a modern, scalable API platform",
        "priority": "high"
      },
      {
        "driver": "Operational cost reduction",
        "driverType": "cost-reduction",
        "description": "Current platform requires 3 FTEs for manual operational support; target is to reduce to 1 FTE with automation",
        "priority": "medium"
      },
      {
        "driver": "Developer experience",
        "driverType": "performance",
        "description": "Partner developers report a 4-week average onboarding time with the SOAP platform; target is under 3 days with self-service APIs",
        "priority": "medium"
      }
    ],
    "strategicAlignment": {
      "organisationStrategySupported": "MFS Digital Transformation Programme (DTP-2024), specifically Workstream 3: Open Banking & Partner Ecosystem",
      "reviewedAgainstCapabilityModel": "yes",
      "duplicatesExistingCapability": "no",
      "duplicatesJustification": "Replaces the legacy Partner Integration Layer (PIL), which will be decommissioned",
      "sharedServiceReuse": [
        {
          "capability": "Identity & Access (Internal)",
          "sharedService": "Okta (corporate SSO)",
          "reused": true,
          "justification": "Used for internal admin and developer portal access"
        },
        {
          "capability": "Identity & Access (External)",
          "sharedService": "ForgeRock Identity Gateway",
          "reused": false,
          "justification": "Does not support the financial-grade OAuth 2.0 profile (FAPI) required for Open Banking; using AWS API Gateway with a custom authoriser"
        },
        {
          "capability": "API Management",
          "sharedService": "AWS API Gateway",
          "reused": true,
          "justification": "Corporate-approved API management platform"
        },
        {
          "capability": "Monitoring & Logging",
          "sharedService": "Splunk Enterprise",
          "reused": true,
          "justification": "Corporate SIEM and log aggregation platform"
        },
        {
          "capability": "CI/CD",
          "sharedService": "GitHub Actions",
          "reused": true,
          "justification": "Corporate standard CI/CD platform"
        },
        {
          "capability": "Messaging / Notifications",
          "sharedService": "Amazon SES",
          "reused": true,
          "justification": "Corporate-approved email notification service"
        },
        {
          "capability": "Container Platform",
          "sharedService": "Amazon EKS",
          "reused": true,
          "justification": "Corporate-approved container orchestration platform"
        }
      ]
    },
    "inScope": [
      "Customer API Platform microservices: API Gateway configuration, Account Service, Transaction Service, Auth Service, Notification Service",
      "AWS infrastructure: EKS cluster, RDS PostgreSQL, ElastiCache Redis, S3, CloudFront, WAF, Shield",
      "All environments: development, test, staging, production, DR",
      "Integration with core banking (Oracle DB via Direct Connect), fraud detection (Featurespace ARIC), notification service (SES)",
      "Partner authentication and authorisation (OAuth 2.0, mTLS)",
      "Internal authentication (Okta SSO)",
      "Operational tooling: Splunk, Grafana, PagerDuty, Jaeger"
    ],
    "outOfScope": [
      "Core banking system modifications (separate project PROJ-0102)",
      "Partner onboarding portal front-end (separate project PROJ-0115)",
      "Payment initiation APIs (Phase 3, planned for 2026-Q2)",
      "Mobile banking app integration (separate SAD APP-0389)"
    ],
    "currentState": "The current Partner Integration Layer (PIL) was built in 2016 on Oracle SOA Suite 11g, hosted on-premises in MFS' Slough data centre. It provides SOAP/XML interfaces to 8 existing partner integrations. Key limitations: Performance: average response time of 1.2 seconds (P95: 3.8 seconds), far exceeding the Open Banking 1-second mandate. Scalability: vertically scaled on two physical servers; cannot handle the projected 5,000 req/s demand. Security: does not support OAuth 2.0 or mTLS as required by the Open Banking security profile. Supportability: Oracle SOA Suite 11g reached end-of-support in 2022; two critical CVEs remain unpatched. Cost: annual licensing and support costs of GBP 280,000 plus 3 FTEs for manual operations. Onboarding: partner onboarding requires 4 weeks of manual configuration and testing. What is being retained: Core banking Oracle database (read replicas will be consumed via the new integration layer). What is being replaced: Oracle SOA Suite middleware, SOAP/XML interfaces, on-premises hosting. What is being decommissioned: PIL application servers (after the 6-month parallel-run period).",
    "keyDecisions": [
      {
        "decision": "AWS as hosting platform",
        "constraintType": "organisational",
        "rationale": "Corporate cloud-first strategy mandates AWS; existing enterprise agreement"
      },
      {
        "decision": "EKS for container orchestration",
        "constraintType": "technical",
        "rationale": "Existing team skills in Kubernetes; corporate-approved platform"
      },
      {
        "decision": "PostgreSQL over DynamoDB",
        "constraintType": "technical",
        "rationale": "Relational data model for financial data; strong consistency requirements; team expertise"
      },
      {
        "decision": "Event-driven notification pattern",
        "constraintType": "technical",
        "rationale": "Decouple notification logic from core API processing; support multiple channels"
      },
      {
        "decision": "Data must remain in UK",
        "constraintType": "regulatory",
        "rationale": "FCA and data sovereignty requirements"
      }
    ],
    "projectDetails": {
      "projectName": "Customer API Platform (Open Banking)",
      "projectCode": "PROJ-0098",
      "projectManager": "Nelly Bloggs",
      "estimatedCapex": 1200000,
      "estimatedOpex": 384000,
      "currency": "GBP",
      "targetGoLive": "2025-03-01"
    },
    "businessCriticality": "tier-1-critical"
  },
  "stakeholders": {
    "register": [
      {
        "stakeholder": "Dr. Helen Zhao",
        "roleType": "business-owner",
        "concerns": ["Strategic alignment", "Technology direction", "Cost justification"],
        "relevantViews": ["logical", "integration"]
      },
      {
        "stakeholder": "Marcus Doe",
        "roleType": "security-architect",
        "concerns": ["Threat model", "Data protection", "PCI-DSS compliance", "Incident response"],
        "relevantViews": ["security"]
      },
      {
        "stakeholder": "Alice Doe",
        "roleType": "compliance",
        "concerns": ["Open Banking compliance", "FCA regulations", "Audit trail", "Data sovereignty"],
        "relevantViews": ["security", "data"]
      },
      {
        "stakeholder": "Fred Bloggs",
        "roleType": "solution-architect",
        "concerns": ["Design integrity", "Standards compliance", "Technical debt", "Scalability"],
        "relevantViews": ["logical", "integration", "physical", "data", "security", "scenarios"]
      },
      {
        "stakeholder": "Joe Bloggs",
        "roleType": "security-architect",
        "concerns": ["Authentication", "Encryption", "Network security", "Penetration testing"],
        "relevantViews": ["security", "physical"]
      },
      {
        "stakeholder": "Jane Doe",
        "roleType": "data-architect",
        "concerns": ["Data classification", "PII handling", "Data sovereignty", "Retention"],
        "relevantViews": ["data"]
      },
      {
        "stakeholder": "Tom Bloggs",
        "roleType": "operations-sre",
        "concerns": ["Observability", "Incident response", "Reliability", "On-call"],
        "relevantViews": ["physical"]
      },
      {
        "stakeholder": "Amir Doe",
        "roleType": "developer",
        "concerns": ["Component design", "API contracts", "CI/CD", "Developer experience"],
        "relevantViews": ["logical", "integration"]
      },
      {
        "stakeholder": "Nelly Bloggs",
        "roleType": "project-manager",
        "concerns": ["Delivery timeline", "Cost", "Dependencies", "Risks"],
        "relevantViews": ["logical"]
      },
      {
        "stakeholder": "Sally Doe",
        "roleType": "other",
        "concerns": ["Partner onboarding experience", "API availability", "SLA commitments"],
        "relevantViews": ["integration"]
      },
      {
        "stakeholder": "External API consumers",
        "roleType": "external-customer",
        "concerns": ["API documentation", "Latency", "Uptime", "Versioning", "Error handling"],
        "relevantViews": ["integration"]
      },
      {
        "stakeholder": "Dave Bloggs",
        "roleType": "enterprise-architect",
        "concerns": ["Architecture standards compliance", "Reuse assessment", "Governance"],
        "relevantViews": ["logical", "integration", "physical", "data", "security", "scenarios"]
      },
      {
        "stakeholder": "Finance team",
        "roleType": "other",
        "concerns": ["Cost forecasting", "Reserved instance optimisation", "Budget adherence"],
        "relevantViews": ["physical"]
      }
    ],
    "compliance": {
      "supportsRegulatedActivities": "yes",
      "regulatedActivityDetails": "The platform supports PSD2-regulated account information services (AIS) provided to authorised third-party providers.",
      "regulatoryRequirements": [
        {
          "regulation": "PSD2 / Open Banking (UK)",
          "regulationType": "financial-services",
          "applicability": "Mandatory -- MFS is a CMA-designated bank",
          "designImpact": "Must provide Open Banking APIs conforming to OBIE specifications; strong customer authentication (SCA) required"
        },
        {
          "regulation": "PCI-DSS v4.0",
          "regulationType": "financial-services",
          "applicability": "Applicable -- platform processes cardholder transaction data",
          "designImpact": "Network segmentation, encryption, access controls, audit logging, vulnerability management"
        },
        {
          "regulation": "UK GDPR / Data Protection Act 2018",
          "regulationType": "data-protection",
          "applicability": "Applicable -- platform processes customer PII",
          "designImpact": "Data minimisation, right to erasure support, DPIA completed, lawful basis documented"
        },
        {
          "regulation": "FCA SYSC 13 (Operational Resilience)",
          "regulationType": "financial-services",
          "applicability": "Applicable -- platform supports important business service",
          "designImpact": "RTO/RPO targets, impact tolerance testing, scenario-based resilience testing"
        },
        {
          "regulation": "ISO 27001",
          "regulationType": "security",
          "applicability": "MFS is certified; platform must conform",
          "designImpact": "Information security controls, risk assessment, access management"
        }
      ]
    }
  },
  "architecturalViews": {
    "logicalView": {
      "components": [
        {
          "name": "API Gateway",
          "componentType": "gateway",
          "description": "Entry point for all external API requests; handles rate limiting, request validation, API key management, and request routing",
          "technology": "AWS API Gateway (REST)",
          "owner": "Platform Team",
          "status": "new"
        },
        {
          "name": "Auth Service",
          "componentType": "api-service",
          "description": "Handles OAuth 2.0 token issuance, mTLS validation, scope enforcement, and consent management for TPPs",
          "technology": "Java 21 (Spring Boot 3.3) on EKS",
          "owner": "API Team",
          "status": "new"
        },
        {
          "name": "Account Service",
          "componentType": "api-service",
          "description": "Provides account information endpoints (balances, details, standing orders, direct debits) conforming to OBIE spec",
          "technology": "Java 21 (Spring Boot 3.3) on EKS",
          "owner": "API Team",
          "status": "new"
        },
        {
          "name": "Transaction Service",
          "componentType": "api-service",
          "description": "Provides transaction history endpoints with filtering, pagination, and enrichment",
          "technology": "Java 21 (Spring Boot 3.3) on EKS",
          "owner": "API Team",
          "status": "new"
        },
        {
          "name": "Notification Service",
          "componentType": "api-service",
          "description": "Processes event-driven notifications to partners (webhooks) and internal teams (email, Slack)",
          "technology": "Node.js 20 (Express) on EKS",
          "owner": "API Team",
          "status": "new"
        },
        {
          "name": "PostgreSQL (Accounts DB)",
          "componentType": "database",
          "description": "Stores account metadata, consent records, and partner registration data",
          "technology": "Amazon RDS PostgreSQL 16 (Multi-AZ)",
          "owner": "DBA Team",
          "status": "new"
        },
        {
          "name": "PostgreSQL (Transactions DB)",
          "componentType": "database",
          "description": "Stores transaction data replicated from core banking, plus API audit records",
          "technology": "Amazon RDS PostgreSQL 16 (Multi-AZ)",
          "owner": "DBA Team",
          "status": "new"
        },
        {
          "name": "Redis Cache",
          "componentType": "cache",
          "description": "Caches frequently accessed account data and rate-limiting state; reduces load on core banking",
          "technology": "Amazon ElastiCache Redis 7.x (cluster mode)",
          "owner": "Platform Team",
          "status": "new"
        },
        {
          "name": "Event Bus",
          "componentType": "message-broker",
          "description": "Decouples notification and audit event processing from synchronous API flows",
          "technology": "Amazon EventBridge + SQS",
          "owner": "Platform Team",
          "status": "new"
        },
        {
          "name": "Audit Log Store",
          "componentType": "file-storage",
          "description": "Long-term storage of API audit logs for compliance (7-year retention)",
          "technology": "Amazon S3 (Glacier Deep Archive for aged data)",
          "owner": "Platform Team",
          "status": "new"
        },
        {
          "name": "Core Banking Adapter",
          "componentType": "backend-service",
          "description": "Reads from core banking Oracle DB read replicas via JDBC; transforms data to platform domain model",
          "technology": "Java 21 library within Account/Transaction Services",
          "owner": "API Team",
          "status": "new"
        }
      ],
      "designPatterns": [
        {
          "pattern": "api-gateway",
          "whereApplied": "AWS API Gateway fronting all services",
          "rationale": "Centralised rate limiting, authentication, request validation, and API versioning; decouples clients from internal service topology"
        },
        {
          "pattern": "microservices",
          "whereApplied": "Account, Transaction, Auth, Notification Services",
          "rationale": "Independent scaling, deployment, and failure isolation for services with different performance profiles"
        },
        {
          "pattern": "event-driven",
          "whereApplied": "Notification Service, audit logging",
          "rationale": "Decouples async processing (webhooks, emails, audit writes) from synchronous API response path; improves P95 latency"
        },
        {
          "pattern": "cqrs",
          "whereApplied": "Transaction Service",
          "rationale": "Read-optimised query model populated from core banking CDC stream; separates read path from authoritative write path in core banking"
        },
        {
          "pattern": "circuit-breaker",
          "whereApplied": "Core Banking Adapter, Fraud Detection client",
          "rationale": "Prevents cascade failures when downstream dependencies are degraded; implemented via Resilience4j"
        },
        {
          "pattern": "strangler-fig",
          "whereApplied": "Migration from legacy PIL",
          "rationale": "Gradual migration of partner traffic from SOAP to REST APIs using API Gateway routing rules"
        },
        {
          "pattern": "sidecar",
          "whereApplied": "Envoy proxy on each pod",
          "rationale": "Consistent mTLS termination, observability, and traffic management across all services"
        },
        {
          "pattern": "other",
          "whereApplied": "Account Service with Redis (Cache-Aside pattern)",
          "rationale": "Reduces latency and load on core banking for frequently accessed account data (balance lookups)"
        }
      ]
    },
    "integrationView": {
      "internalConnectivity": [
        {
          "source": "API Gateway",
          "destination": "Auth Service",
          "protocol": "https",
          "encrypted": true,
          "authenticationMethod": "iam-role",
          "synchronicity": "synchronous",
          "purpose": "Token validation and scope checking"
        },
        {
          "source": "API Gateway",
          "destination": "Account Service",
          "protocol": "https",
          "encrypted": true,
          "authenticationMethod": "iam-role",
          "synchronicity": "synchronous",
          "purpose": "Route authenticated account requests"
        },
        {
          "source": "API Gateway",
          "destination": "Transaction Service",
          "protocol": "https",
          "encrypted": true,
          "authenticationMethod": "iam-role",
          "synchronicity": "synchronous",
          "purpose": "Route authenticated transaction requests"
        },
        {
          "source": "Account Service",
          "destination": "PostgreSQL (Accounts DB)",
          "protocol": "jdbc",
          "encrypted": true,
          "authenticationMethod": "iam-role",
          "synchronicity": "synchronous",
          "purpose": "Read/write account metadata and consent records"
        },
        {
          "source": "Transaction Service",
          "destination": "PostgreSQL (Transactions DB)",
          "protocol": "jdbc",
          "encrypted": true,
          "authenticationMethod": "iam-role",
          "synchronicity": "synchronous",
          "purpose": "Read transaction data and audit records"
        },
        {
          "source": "Account Service",
          "destination": "ElastiCache Redis",
          "protocol": "tcp-tls",
          "encrypted": true,
          "authenticationMethod": "other",
          "synchronicity": "synchronous",
          "purpose": "Cache-aside for account balance lookups"
        },
        {
          "source": "Account Service",
          "destination": "EventBridge",
          "protocol": "https",
          "encrypted": true,
          "authenticationMethod": "iam-role",
          "synchronicity": "asynchronous",
          "purpose": "Publish audit and notification events"
        },
        {
          "source": "Transaction Service",
          "destination": "EventBridge",
          "protocol": "https",
          "encrypted": true,
          "authenticationMethod": "iam-role",
          "synchronicity": "asynchronous",
          "purpose": "Publish audit and notification events"
        },
        {
          "source": "EventBridge",
          "destination": "SQS (Notification Queue)",
          "protocol": "https",
          "encrypted": true,
          "authenticationMethod": "iam-role",
          "synchronicity": "event-driven",
          "purpose": "Route notification events to processing queue"
        },
        {
          "source": "EventBridge",
          "destination": "SQS (Audit Queue)",
          "protocol": "https",
          "encrypted": true,
          "authenticationMethod": "iam-role",
          "synchronicity": "event-driven",
          "purpose": "Route audit events to audit processing"
        },
        {
          "source": "Notification Service",
          "destination": "SQS (Notification Queue)",
          "protocol": "https",
          "encrypted": true,
          "authenticationMethod": "iam-role",
          "synchronicity": "asynchronous",
          "purpose": "Consume notification events"
        },
        {
          "source": "Notification Service",
          "destination": "SES",
          "protocol": "https",
          "encrypted": true,
          "authenticationMethod": "iam-role",
          "synchronicity": "asynchronous",
          "purpose": "Send email notifications"
        }
      ],
      "externalIntegrations": [
        {
          "sourceApp": "Partner fintech apps",
          "destinationApp": "CAP API Gateway",
          "integrationType": "partner",
          "protocol": "https",
          "encrypted": true,
          "authenticationMethod": "oauth2",
          "purpose": "Account and transaction API requests"
        },
        {
          "sourceApp": "CAP (Core Banking Adapter)",
          "destinationApp": "Core Banking Oracle DB",
          "integrationType": "internal-app",
          "protocol": "jdbc",
          "encrypted": true,
          "authenticationMethod": "other",
          "purpose": "Read account and transaction data from read replicas"
        },
        {
          "sourceApp": "CAP (Transaction Service)",
          "destinationApp": "Featurespace ARIC",
          "integrationType": "external-service",
          "protocol": "https",
          "encrypted": true,
          "authenticationMethod": "api-key",
          "purpose": "Fraud score requests for high-value transactions"
        },
        {
          "sourceApp": "CAP (Notification Service)",
          "destinationApp": "Partner webhook endpoints",
          "integrationType": "partner",
          "protocol": "https",
          "encrypted": true,
          "authenticationMethod": "other",
          "purpose": "Event notifications to partners (HMAC-SHA256 signed payloads)"
        },
        {
          "sourceApp": "Internal administrators",
          "destinationApp": "CAP admin APIs",
          "integrationType": "internal-app",
          "protocol": "https",
          "encrypted": true,
          "authenticationMethod": "oidc",
          "purpose": "Partner management, configuration, monitoring"
        }
      ],
      "apis": [
        {
          "name": "Account Information API",
          "apiType": "rest",
          "direction": "exposed",
          "dataFormat": "json",
          "version": "v3.1",
          "authenticated": true,
          "rateLimited": true
        },
        {
          "name": "Transaction History API",
          "apiType": "rest",
          "direction": "exposed",
          "dataFormat": "json",
          "version": "v3.1",
          "authenticated": true,
          "rateLimited": true
        },
        {
          "name": "Consent Management API",
          "apiType": "rest",
          "direction": "exposed",
          "dataFormat": "json",
          "version": "v1.0",
          "authenticated": true,
          "rateLimited": true
        },
        {
          "name": "Partner Webhook Notifications",
          "apiType": "rest",
          "direction": "exposed",
          "dataFormat": "json",
          "version": "v1.0",
          "authenticated": true,
          "rateLimited": false
        },
        {
          "name": "Core Banking Data API",
          "apiType": "other",
          "direction": "consumed",
          "dataFormat": "other",
          "version": "N/A",
          "authenticated": true,
          "rateLimited": false
        },
        {
          "name": "Featurespace ARIC Fraud API",
          "apiType": "rest",
          "direction": "consumed",
          "dataFormat": "json",
          "version": "v2.4",
          "authenticated": true,
          "rateLimited": false
        },
        {
          "name": "Splunk HTTP Event Collector",
          "apiType": "rest",
          "direction": "consumed",
          "dataFormat": "json",
          "version": "N/A",
          "authenticated": true,
          "rateLimited": false
        },
        {
          "name": "PagerDuty Events API",
          "apiType": "rest",
          "direction": "consumed",
          "dataFormat": "json",
          "version": "v2",
          "authenticated": true,
          "rateLimited": false
        }
      ]
    },
    "physicalView": {
      "hosting": {
        "venueTypes": ["public-cloud", "hybrid"],
        "regions": ["eu-west-2", "eu-west-1"],
        "serviceModels": ["paas", "saas"],
        "cloudProviders": ["aws"]
      },
      "compute": {
        "computeTypes": ["container"],
        "containers": {
          "platform": "eks",
          "baseImages": ["amazoncorretto:21-alpine", "node:20-alpine"],
          "clusterSize": "11-50-nodes"
        }
      },
      "networking": {
        "internetFacing": true,
        "outboundInternet": true,
        "cloudToOnPrem": true,
        "thirdPartyConnectivity": false,
        "cloudPeering": true,
        "wirelessRequired": false,
        "peakEgressMbps": 500,
        "peakIngressMbps": 200,
        "trafficPattern": "burst",
        "latencyRequirement": "low-sub-10ms",
        "ddosProtection": "yes",
        "ddosProvider": "aws-shield",
        "wafEnabled": "yes",
        "wafProvider": "aws-waf",
        "rateLimiting": true
      },
      "environments": [
        {
          "environmentType": "development",
          "count": 1,
          "venue": "AWS eu-west-2",
          "autoScaleDown": true
        },
        {
          "environmentType": "test",
          "count": 1,
          "venue": "AWS eu-west-2",
          "autoScaleDown": true
        },
        {
          "environmentType": "staging",
          "count": 1,
          "venue": "AWS eu-west-2",
          "autoScaleDown": false
        },
        {
          "environmentType": "production",
          "count": 1,
          "venue": "AWS eu-west-2 (Multi-AZ)",
          "autoScaleDown": false
        },
        {
          "environmentType": "dr",
          "count": 1,
          "venue": "AWS eu-west-1",
          "autoScaleDown": true
        }
      ],
      "securityAgents": [
        "anti-malware",
        "edr",
        "vulnerability-management",
        "other"
      ]
    },
    "dataView": {
      "dataStores": [
        {
          "name": "Account metadata",
          "storeType": "relational-db",
          "technology": "Amazon RDS PostgreSQL 16",
          "authoritative": false,
          "retentionPeriod": "months",
          "dataSizeCategory": "1-100gb",
          "classification": "restricted",
          "containsPersonalData": true,
          "containsSensitivePersonalData": false,
          "encryptionLevel": "field-level",
          "keyManagement": "customer-managed-kms"
        },
        {
          "name": "Transaction data",
          "storeType": "relational-db",
          "technology": "Amazon RDS PostgreSQL 16",
          "authoritative": false,
          "retentionPeriod": "2-5-years",
          "dataSizeCategory": "100gb-1tb",
          "classification": "restricted",
          "containsPersonalData": true,
          "containsSensitivePersonalData": false,
          "encryptionLevel": "field-level",
          "keyManagement": "customer-managed-kms"
        },
        {
          "name": "Consent records",
          "storeType": "relational-db",
          "technology": "Amazon RDS PostgreSQL 16",
          "authoritative": true,
          "retentionPeriod": "5-10-years",
          "dataSizeCategory": "1-100gb",
          "classification": "restricted",
          "containsPersonalData": true,
          "containsSensitivePersonalData": false,
          "encryptionLevel": "field-level",
          "keyManagement": "customer-managed-kms"
        },
        {
          "name": "Partner registration data",
          "storeType": "relational-db",
          "technology": "Amazon RDS PostgreSQL 16",
          "authoritative": true,
          "retentionPeriod": "indefinite",
          "dataSizeCategory": "under-1gb",
          "classification": "internal",
          "containsPersonalData": false,
          "containsSensitivePersonalData": false,
          "encryptionLevel": "storage-level",
          "keyManagement": "customer-managed-kms"
        },
        {
          "name": "Cached account balances",
          "storeType": "cache",
          "technology": "Amazon ElastiCache Redis 7.x",
          "authoritative": false,
          "retentionPeriod": "transient",
          "dataSizeCategory": "under-1gb",
          "classification": "restricted",
          "containsPersonalData": true,
          "containsSensitivePersonalData": false,
          "encryptionLevel": "storage-level",
          "keyManagement": "customer-managed-kms"
        },
        {
          "name": "API audit logs",
          "storeType": "object-storage",
          "technology": "Amazon S3 (Standard, then Glacier)",
          "authoritative": true,
          "retentionPeriod": "5-10-years",
          "dataSizeCategory": "100gb-1tb",
          "classification": "restricted",
          "containsPersonalData": true,
          "containsSensitivePersonalData": false,
          "encryptionLevel": "storage-level",
          "keyManagement": "provider-managed"
        },
        {
          "name": "Application logs",
          "storeType": "object-storage",
          "technology": "Amazon S3 via Fluent Bit",
          "authoritative": false,
          "retentionPeriod": "months",
          "dataSizeCategory": "1-100gb",
          "classification": "internal",
          "containsPersonalData": false,
          "containsSensitivePersonalData": false,
          "encryptionLevel": "storage-level",
          "keyManagement": "provider-managed"
        },
        {
          "name": "EKS cluster metrics",
          "storeType": "time-series-db",
          "technology": "Amazon Managed Prometheus",
          "authoritative": false,
          "retentionPeriod": "months",
          "dataSizeCategory": "1-100gb",
          "classification": "internal",
          "containsPersonalData": false,
          "containsSensitivePersonalData": false,
          "encryptionLevel": "storage-level",
          "keyManagement": "provider-managed"
        }
      ],
      "productionDataForTesting": "masked",
      "dataIntegrityControls": "yes",
      "dataOnEndUserDevices": "no",
      "dataSovereigntyRequired": "yes",
      "dataSovereigntyDetails": "All customer data (PII and transaction data) must remain within the United Kingdom (eu-west-2 London region). The DR region (eu-west-1 Ireland) stores only non-PII operational data (metrics, redacted logs). Cross-region replication for RDS is configured to exclude PII columns.",
      "dataTransfers": [
        {
          "destination": "Authorised TPPs (partner fintech apps)",
          "destinationType": "partner",
          "classification": "restricted",
          "transferMethod": "api",
          "encrypted": true
        },
        {
          "destination": "Featurespace ARIC",
          "destinationType": "third-party",
          "classification": "internal",
          "transferMethod": "api",
          "encrypted": true
        },
        {
          "destination": "Splunk (corporate instance)",
          "destinationType": "internal",
          "classification": "internal",
          "transferMethod": "api",
          "encrypted": true
        }
      ]
    },
    "securityView": {
      "thirdPartyHosted": "no",
      "thirdPartyRiskAssessed": "yes",
      "businessImpact": {
        "confidentiality": "critical",
        "integrity": "high",
        "availability": "critical",
        "nonRepudiation": "high"
      },
      "authentication": [
        {
          "accessType": "end-user-internal",
          "method": "sso-oidc",
          "usesGroupWideAuth": true
        },
        {
          "accessType": "it-operations",
          "method": "sso-oidc",
          "usesGroupWideAuth": true
        },
        {
          "accessType": "service-account",
          "method": "certificate",
          "usesGroupWideAuth": false
        },
        {
          "accessType": "api-consumer",
          "method": "oauth2",
          "usesGroupWideAuth": false
        }
      ],
      "authorisation": {
        "model": "rbac",
        "entitlementStore": "Okta groups mapped to Kubernetes RBAC and application roles; OAuth 2.0 token claims for external partners",
        "provisioningProcess": "automated-idm",
        "recertificationEnabled": true,
        "segregationOfDutiesEnforced": true
      },
      "privilegedAccess": {
        "pamSolution": "CyberArk",
        "justInTimeAccess": true,
        "sessionRecording": true,
        "breakGlassProcess": true
      },
      "encryptionAtRest": {
        "implemented": true,
        "level": "field-level",
        "keyType": "symmetric",
        "algorithm": "AES-256-GCM (field-level), AES-256 (storage-level)",
        "keyGeneration": "hsm-fips140-l3",
        "keyStorage": "kms",
        "keyRotationDays": 365
      },
      "secretManagement": {
        "secretStore": "aws-secrets-manager",
        "distribution": "runtime-retrieval",
        "rotation": "automatic"
      },
      "securityMonitoring": {
        "siemIntegration": true,
        "siemTool": "Splunk Enterprise",
        "securityEventLogging": true,
        "intrusionDetection": true
      }
    },
    "scenarios": {
      "useCases": [
        {
          "id": "UC-01",
          "name": "Partner Retrieves Account Balance",
          "actors": ["Partner fintech application (authorised TPP)"],
          "trigger": "Partner app sends GET /accounts/{accountId}/balance request",
          "mainFlow": "1. Partner sends HTTPS request with Bearer token and mTLS client certificate to API Gateway. 2. API Gateway validates request structure and routes to Auth Service. 3. Auth Service validates OAuth token, verifies mTLS certificate binding, checks consent record in PostgreSQL. 4. Auth Service returns authorisation decision to API Gateway. 5. API Gateway routes to Account Service. 6. Account Service checks Redis cache for balance (60s TTL). 7. Cache hit: return cached balance. Cache miss: Account Service queries core banking read replica via JDBC, caches result, returns balance. 8. API Gateway returns JSON response to partner. 9. Audit event emitted to EventBridge.",
          "viewsInvolved": ["logical", "integration", "physical", "data", "security"]
        },
        {
          "id": "UC-02",
          "name": "Rate Limit Exceeded",
          "actors": ["Partner fintech application"],
          "trigger": "Partner exceeds 100 req/s rate limit",
          "mainFlow": "1. Partner sends request to API Gateway. 2. API Gateway rate-limiting check identifies partner has exceeded 100 req/s quota. 3. API Gateway returns HTTP 429 Too Many Requests with Retry-After header. 4. Rate limit event logged and counted. 5. If sustained (>5 min), Splunk alert triggers notification to Partner Manager. 6. Notification Service sends email to partner's registered technical contact.",
          "viewsInvolved": ["logical", "integration", "security"]
        },
        {
          "id": "UC-03",
          "name": "Fraud Alert Triggered During Transaction Retrieval",
          "actors": ["Partner fintech application", "Featurespace ARIC"],
          "trigger": "Partner requests transaction history for an account flagged for suspected fraud",
          "mainFlow": "1. Partner sends GET /accounts/{accountId}/transactions. 2. Request authenticated and authorised as per UC-01 flow. 3. Transaction Service queries Featurespace ARIC fraud scoring API for account risk score. 4. ARIC returns high-risk score (>0.85). 5. Transaction Service applies fraud response policy: returns limited transaction data (last 30 days only, no pending transactions), adds X-Fraud-Review: true header. 6. High-priority security event emitted to EventBridge. 7. Splunk alert fires immediately; PagerDuty pages on-call fraud analyst. 8. Notification Service sends webhook to MFS internal fraud team channel (Slack).",
          "viewsInvolved": ["logical", "integration", "security"]
        }
      ],
      "adrs": [
        {
          "id": "ADR-001",
          "title": "EKS over ECS for Container Orchestration",
          "status": "accepted",
          "date": "2024-10-01",
          "context": "The platform requires a container orchestration solution to run microservices. Both Amazon EKS (managed Kubernetes) and Amazon ECS (AWS-native container service) were evaluated.",
          "decision": "Use Amazon EKS (Kubernetes).",
          "alternatives": "ECS Fargate: Lower operational overhead, but limited pod-level networking control and no support for Envoy sidecar injection needed for mTLS mesh. ECS on EC2: More control but still lacks Kubernetes ecosystem (Helm, Argo CD, Calico network policies). Self-managed Kubernetes on EC2: Maximum control but unacceptable operational burden for a 6-person platform team.",
          "consequences": "Positive: rich ecosystem (Helm, Argo CD, Calico, Prometheus), strong portability to other clouds, existing team Kubernetes skills. Negative: higher operational complexity than ECS Fargate, Kubernetes version upgrade overhead every 12-14 months.",
          "affectedAttributes": ["operational-excellence", "reliability", "cost-optimisation"]
        },
        {
          "id": "ADR-002",
          "title": "PostgreSQL over DynamoDB for Primary Data Store",
          "status": "accepted",
          "date": "2024-10-05",
          "context": "The platform needs a primary data store for account metadata, transaction data, and consent records. The data is relational (accounts have transactions, consent links customers to TPPs and accounts) and requires strong consistency for financial accuracy.",
          "decision": "Use Amazon RDS PostgreSQL 16.",
          "alternatives": "DynamoDB: Excellent scalability and operational simplicity, but poor fit for relational queries (joins across accounts/transactions/consent), no native support for field-level encryption patterns used for PII, and team has limited DynamoDB experience. Aurora PostgreSQL: Considered, but standard RDS PostgreSQL meets performance requirements at lower cost; Aurora's distributed storage overhead is unnecessary at current data volumes.",
          "consequences": "Positive: strong relational model for financial data, excellent ecosystem (pg_cron, pgcrypto for field-level encryption), team expertise, straightforward backup/recovery. Negative: vertical scaling limits (mitigated by read replicas and Redis caching), operational overhead of PostgreSQL tuning.",
          "affectedAttributes": ["performance", "reliability", "cost-optimisation"]
        },
        {
          "id": "ADR-003",
          "title": "Event-Driven Architecture for Notifications and Audit",
          "status": "accepted",
          "date": "2024-10-08",
          "context": "The platform must send notifications (partner webhooks, internal alerts, compliance emails) and write audit logs. These operations must not increase API response latency.",
          "decision": "Use Amazon EventBridge with SQS for asynchronous notification and audit processing.",
          "alternatives": "Synchronous processing: Simple but adds 50-100ms to every API response for audit writes and notification dispatch; unacceptable for P95 < 200ms target. Amazon SNS + SQS: Works but lacks EventBridge's content-based filtering and schema registry. Apache Kafka (MSK): Powerful but over-engineered for current throughput (5,000 events/s); operational overhead of Kafka cluster management not justified.",
          "consequences": "Positive: API response latency unaffected by notification/audit processing, natural decoupling enables independent scaling of Notification Service, EventBridge schema registry aids contract evolution. Negative: eventual consistency for audit logs (acceptable: audit logs are written within seconds), added infrastructure complexity.",
          "affectedAttributes": ["performance", "reliability", "operational-excellence", "cost-optimisation"]
        }
      ]
    }
  },
  "qualityAttributes": {
    "operationalExcellence": {
      "loggingCentralised": true,
      "loggingTool": "Splunk Enterprise",
      "monitoringTool": "Grafana (with Prometheus data source) + Amazon CloudWatch",
      "tracingEnabled": true,
      "alertingConfigured": true,
      "runbooksDocumented": true
    },
    "reliability": {
      "drStrategy": "pilot-light",
      "multiVenueDeployment": true,
      "rtoTarget": "PT1H",
      "rpoTarget": "PT15M",
      "scalability": "full-auto-scaling",
      "faultToleranceDesigned": true,
      "chaosTestingPractised": true,
      "backupEnabled": true,
      "backupType": "continuous",
      "backupFrequency": "daily",
      "backupImmutable": true,
      "backupEncrypted": true
    },
    "performance": {
      "p95ResponseTimeMs": 200,
      "targetThroughputRps": 5000,
      "performanceTestingApproach": "load-testing",
      "cachingUsed": true,
      "cdnUsed": false,
      "growthProjections": {
        "currentUsers": 25,
        "year1Users": 50,
        "year3Users": 80,
        "year5Users": 120,
        "currentDataVolume": "560 GB",
        "year1DataVolume": "740 GB",
        "year3DataVolume": "1.2 TB",
        "year5DataVolume": "2.0 TB",
        "designScalesToProjectedGrowth": true,
        "seasonalDemandPatterns": true,
        "seasonalDetails": "30% traffic increase on salary payment dates (25th-28th of month), 50% increase in January (financial year activities), and 20% reduction during UK bank holidays. Auto-scaling handles these patterns."
      }
    },
    "costOptimisation": {
      "costAnalysisPerformed": true,
      "designConstrainedByCost": false,
      "reservedCapacity": true,
      "costMonitoringEnabled": true,
      "taggingStrategy": true
    },
    "sustainability": {
      "hostingLocationOptimisedForCarbon": false,
      "nonProdAutoShutdown": true,
      "resourcesRightsized": true,
      "workloadPattern": "variable-predictable",
      "continuousAvailabilityRequired": true
    },
    "tradeoffs": [
      {
        "attributesInvolved": ["reliability", "cost-optimisation"],
        "description": "Multi-AZ RDS and Redis cluster mode chosen for reliability over single-AZ, incurring a 30% cost premium",
        "chosenPriority": "reliability",
        "rationale": "Tier 1 Critical platform with 99.95% SLA commitment to partners; cost premium justified by regulatory obligation and revenue impact of downtime"
      },
      {
        "attributesInvolved": ["performance", "operational-excellence"],
        "description": "EKS chosen over ECS Fargate for richer ecosystem despite higher operational complexity",
        "chosenPriority": "performance",
        "rationale": "Kubernetes ecosystem provides superior observability, networking control (Calico, Envoy), and portability; team has existing Kubernetes skills"
      }
    ]
  },
  "lifecycleManagement": {
    "internallyDeveloped": true,
    "sourceControl": "github",
    "cicdPlatform": "github-actions",
    "sast": "sonarqube",
    "dast": "yes",
    "sca": "snyk",
    "containerScanning": "yes",
    "migration": {
      "classification": "replace",
      "deploymentStrategy": "strangler-fig",
      "dataMigrationMode": "continuous-sync",
      "dataMigrationMethod": "CDC (Change Data Capture) from Oracle GoldenGate to PostgreSQL via Debezium + Kafka Connect",
      "dataVolume": "0 GB (no data migrated from PIL; CAP builds its own data store from the core banking source)",
      "endUserCutover": "phased",
      "externalSystemCutover": "phased",
      "maxAcceptableDowntime": "zero",
      "rollbackPlan": "API Gateway routing rules can redirect traffic back to legacy PIL within 5 minutes; partner-specific rollback possible without affecting other partners",
      "transientInfrastructureNeeded": true
    },
    "resourcing": {
      "cloudPlatform": "high",
      "infrastructureAsCode": "high",
      "cicdManagement": "high",
      "applicationStack": "high",
      "databaseAdministration": "medium",
      "securityCompliance": "medium",
      "operationalReadiness": "a-fully-capable"
    },
    "releaseFrequency": "weekly",
    "supportModel": "internal-team",
    "supportHours": "24x7",
    "intendedLifespan": "5-10-years",
    "exitPlanDocumented": true,
    "vendorLockInLevel": "moderate"
  },
  "riskGovernance": {
    "constraints": [
      {
        "id": "C-001",
        "constraint": "Must comply with PCI-DSS v4.0 for transaction data handling",
        "category": "regulatory",
        "impactOnDesign": "Network segmentation, encryption at rest and in transit, access controls, vulnerability management, audit logging -- all mandated by PCI-DSS",
        "lastAssessed": "2025-11-01"
      },
      {
        "id": "C-002",
        "constraint": "All customer PII must reside within the UK (data sovereignty)",
        "category": "regulatory",
        "impactOnDesign": "Primary region must be eu-west-2 (London); DR region (eu-west-1) restricted to non-PII data only; cross-region replication must filter PII",
        "lastAssessed": "2025-11-01"
      },
      {
        "id": "C-003",
        "constraint": "Must integrate with existing core banking Oracle database via read replicas",
        "category": "technical",
        "impactOnDesign": "Cannot replace core banking data source; must maintain JDBC connectivity via Direct Connect; data model constrained by Oracle schema",
        "lastAssessed": "2025-06-15"
      },
      {
        "id": "C-004",
        "constraint": "99.95% monthly availability SLA committed to partners",
        "category": "commercial",
        "impactOnDesign": "Multi-AZ deployment mandatory; active-passive DR required; auto-scaling and fault tolerance must support SLA; monthly SLA reporting to partners",
        "lastAssessed": "2025-11-01"
      }
    ],
    "assumptions": [
      {
        "id": "A-001",
        "assumption": "Core banking Oracle read replicas will support 15,000 queries/s at peak",
        "impactIfFalse": "Platform cannot meet performance targets; would require caching redesign or additional read replicas",
        "certainty": "high",
        "status": "closed",
        "owner": "Jane Doe",
        "evidence": "Load test results (TEST-2025-031) confirmed 18,000 queries/s sustained"
      },
      {
        "id": "A-002",
        "assumption": "Featurespace ARIC API will maintain <100ms P95 latency under our projected load",
        "impactIfFalse": "Fraud checking would increase API response time beyond P95 target; circuit breaker would bypass fraud checks more frequently",
        "certainty": "medium",
        "status": "open",
        "owner": "Fred Bloggs",
        "evidence": "Featurespace SLA contractually commits to 100ms P95 at 10,000 req/s; no independent verification at projected 3-year volume"
      },
      {
        "id": "A-003",
        "assumption": "Partner adoption will grow linearly to 80 partners over 3 years",
        "impactIfFalse": "Non-linear growth could exceed capacity plans; under-adoption would mean over-provisioned infrastructure (cost waste)",
        "certainty": "medium",
        "status": "open",
        "owner": "Sally Doe",
        "evidence": "Business development pipeline shows 50 partners in negotiation; growth rate tracking to plan"
      }
    ],
    "risks": [
      {
        "id": "R-001",
        "riskEvent": "Core banking Oracle DB upgrade causes schema changes that break data replication",
        "riskCategory": "technical",
        "severity": "high",
        "likelihood": "medium",
        "mitigationStrategy": "mitigate",
        "mitigationPlan": "Contract testing against core banking schema (Pact); advance notification agreement with DBA team (60-day notice for schema changes); schema compatibility layer in Core Banking Adapter",
        "residualRisk": "medium",
        "owner": "Jane Doe",
        "lastAssessed": "2025-11-01"
      },
      {
        "id": "R-002",
        "riskEvent": "Partner onboarding volume exceeds forecast, overwhelming support capacity",
        "riskCategory": "operational",
        "severity": "medium",
        "likelihood": "medium",
        "mitigationStrategy": "mitigate",
        "mitigationPlan": "Self-service partner onboarding portal (Phase 2, delivered); automated API key provisioning; partner onboarding runbook; escalation to additional support resource if queue > 5 partners",
        "residualRisk": "low",
        "owner": "Sally Doe",
        "lastAssessed": "2025-11-01"
      },
      {
        "id": "R-003",
        "riskEvent": "Critical vulnerability discovered in base container image requiring emergency patching across all services",
        "riskCategory": "security",
        "severity": "high",
        "likelihood": "high",
        "mitigationStrategy": "mitigate",
        "mitigationPlan": "Snyk continuous monitoring with P1 alert on critical CVEs; pre-built patched base images maintained in ECR; emergency deployment pipeline (bypasses staging for security patches); rollback capability",
        "residualRisk": "medium",
        "owner": "Joe Bloggs",
        "lastAssessed": "2025-11-01"
      },
      {
        "id": "R-004",
        "riskEvent": "AWS eu-west-2 region experiences prolonged outage exceeding DR activation threshold",
        "riskCategory": "operational",
        "severity": "critical",
        "likelihood": "low",
        "mitigationStrategy": "accept",
        "mitigationPlan": "Active-passive DR in eu-west-1; quarterly DR drills; RTO 1 hour validated through testing; accept 15-minute RPO for async replication lag",
        "residualRisk": "low",
        "owner": "Tom Bloggs",
        "lastAssessed": "2025-11-01"
      }
    ],
    "dependencies": [
      {
        "id": "D-001",
        "dependency": "Core banking Oracle DB read replicas provisioned in eu-west-2 via Direct Connect",
        "direction": "inbound",
        "status": "resolved",
        "owner": "DBA team",
        "evidence": "Direct Connect live; read replicas operational since 2025-01-15",
        "lastAssessed": "2025-11-01"
      },
      {
        "id": "D-002",
        "dependency": "Featurespace ARIC API available and contracted for CAP usage",
        "direction": "inbound",
        "status": "committed",
        "owner": "Procurement",
        "evidence": "Contract MFS-VENDOR-2024-089 signed; API access provisioned",
        "lastAssessed": "2025-09-01"
      },
      {
        "id": "D-003",
        "dependency": "Partner Onboarding Portal (APP-0456) consuming Auth Service APIs for partner registration",
        "direction": "outbound",
        "status": "resolved",
        "owner": "Partner Portal team",
        "evidence": "Integration live since 2025-06-01",
        "lastAssessed": "2025-11-01"
      }
    ],
    "issues": [
      {
        "id": "I-001",
        "issue": "Redis cluster failover caused 45-second cache miss spike during October maintenance window",
        "category": "operational",
        "impact": "low",
        "owner": "Tom Bloggs",
        "resolutionPlan": "Updated maintenance procedure to pre-warm cache before failover; implemented dual-write to new primary during planned failover",
        "status": "resolved",
        "lastAssessed": "2025-11-01"
      },
      {
        "id": "I-002",
        "issue": "Three partners have not completed mTLS certificate renewal (certificates expiring in 60 days)",
        "category": "operational",
        "impact": "medium",
        "owner": "Sally Doe",
        "resolutionPlan": "Automated renewal reminders sent at 90/60/30/7 days; partner manager directly contacting non-responsive partners; contingency: temporary API key fallback (with CISO approval)",
        "status": "in-progress",
        "lastAssessed": "2025-11-15"
      }
    ],
    "policyExceptions": "no",
    "policyExceptionsAccepted": "not-applicable",
    "processExceptions": "no",
    "riskProfileImpact": "no",
    "complianceTraceability": [
      {
        "standard": "PCI-DSS v4.0 Req 1",
        "requirement": "Install and maintain network security controls",
        "howSatisfied": "VPC segmentation, security groups, NACLs, WAF, Shield",
        "evidenceSection": "3.3 Physical View, 3.5 Security View",
        "complianceStatus": "compliant"
      },
      {
        "standard": "PCI-DSS v4.0 Req 3",
        "requirement": "Protect stored account data",
        "howSatisfied": "AES-256 encryption at rest, field-level encryption for PII, KMS key management",
        "evidenceSection": "3.4 Data View, 3.5 Security View",
        "complianceStatus": "compliant"
      },
      {
        "standard": "PCI-DSS v4.0 Req 4",
        "requirement": "Protect cardholder data with strong cryptography during transmission",
        "howSatisfied": "TLS 1.3 enforced for all external connections; TLS 1.2 minimum for all internal connections",
        "evidenceSection": "3.2 Integration & Data Flow, 3.5 Security View",
        "complianceStatus": "compliant"
      },
      {
        "standard": "PCI-DSS v4.0 Req 7",
        "requirement": "Restrict access to system components and cardholder data by business need to know",
        "howSatisfied": "RBAC + ABAC via OAuth scopes, Kubernetes RBAC, IAM least privilege",
        "evidenceSection": "3.5 Security View",
        "complianceStatus": "compliant"
      },
      {
        "standard": "PCI-DSS v4.0 Req 10",
        "requirement": "Log and monitor all access to system components and cardholder data",
        "howSatisfied": "Comprehensive audit logging, Splunk SIEM integration, 7-year retention",
        "evidenceSection": "4.1 Operational Excellence, 3.5 Security View",
        "complianceStatus": "compliant"
      },
      {
        "standard": "OBIE Standard 3.1.11",
        "requirement": "API conformance for Account Information Services",
        "howSatisfied": "REST APIs conform to OBIE specification; contract tests validate compliance",
        "evidenceSection": "3.2 Integration & Data Flow, 3.6 Scenarios",
        "complianceStatus": "compliant"
      },
      {
        "standard": "UK GDPR Art 5(1)(f)",
        "requirement": "Integrity and confidentiality of personal data",
        "howSatisfied": "Field-level encryption, mTLS, access controls, audit trail, DPIA completed",
        "evidenceSection": "3.4 Data View, 3.5 Security View",
        "complianceStatus": "compliant"
      },
      {
        "standard": "UK GDPR Art 17",
        "requirement": "Right to erasure",
        "howSatisfied": "Consent revocation endpoint; data deletion job for expired consents; audit trail of deletions",
        "evidenceSection": "3.4 Data View, 3.6 Scenarios",
        "complianceStatus": "compliant"
      },
      {
        "standard": "FCA SYSC 13",
        "requirement": "Operational resilience for important business services",
        "howSatisfied": "Multi-AZ, DR strategy, impact tolerance testing, chaos testing, quarterly DR drills",
        "evidenceSection": "4.2 Reliability",
        "complianceStatus": "compliant"
      },
      {
        "standard": "MFS Cloud Security Standard 1.3",
        "requirement": "Encryption, access management, monitoring for cloud workloads",
        "howSatisfied": "KMS encryption, IAM least privilege, GuardDuty, CloudTrail, Splunk integration",
        "evidenceSection": "3.3 Physical View, 3.5 Security View",
        "complianceStatus": "compliant"
      }
    ]
  },
  "appendices": {
    "glossary": [
      { "term": "ARIC", "definition": "Adaptive, Real-time, Individual, Contextual -- Featurespace's fraud detection platform" },
      { "term": "CAP", "definition": "Customer API Platform -- the solution described in this SAD" },
      { "term": "CDC", "definition": "Change Data Capture -- a pattern for capturing and replicating data changes" },
      { "term": "CMA", "definition": "Competition and Markets Authority -- UK regulator that mandated Open Banking" },
      { "term": "EKS", "definition": "Elastic Kubernetes Service -- AWS managed Kubernetes" },
      { "term": "FAPI", "definition": "Financial-grade API -- an OAuth 2.0 security profile for financial services" },
      { "term": "HPA", "definition": "Horizontal Pod Autoscaler -- Kubernetes auto-scaling mechanism" },
      { "term": "IRSA", "definition": "IAM Roles for Service Accounts -- EKS feature for pod-level IAM" },
      { "term": "MFS", "definition": "Meridian Financial Services -- the fictional organisation in this example" },
      { "term": "mTLS", "definition": "Mutual TLS -- two-way TLS authentication where both client and server present certificates" },
      { "term": "OBIE", "definition": "Open Banking Implementation Entity -- the UK body governing Open Banking standards" },
      { "term": "PIL", "definition": "Partner Integration Layer -- the legacy SOAP-based system being replaced" },
      { "term": "PSD2", "definition": "Payment Services Directive 2 -- EU directive mandating open banking" },
      { "term": "SCA", "definition": "Strong Customer Authentication -- PSD2 requirement for multi-factor authentication" },
      { "term": "TPP", "definition": "Third-Party Provider -- an authorised fintech that accesses bank APIs under Open Banking" }
    ],
    "references": [
      {
        "title": "OBIE Account and Transaction API Specification",
        "version": "3.1.11",
        "url": "https://openbankinguk.github.io/read-write-api-site3/",
        "description": "Open Banking UK API specification for AIS"
      },
      {
        "title": "PCI-DSS",
        "version": "4.0",
        "url": "https://www.pcisecuritystandards.org/",
        "description": "Payment Card Industry Data Security Standard. Note: v4.0 was retired on 31 December 2024 in favour of v4.0.1 -- confirm the referenced version is current before the next review cycle"
      },
      {
        "title": "MFS Information Security Policy",
        "version": "4.2",
        "description": "Corporate information security policy"
      },
      {
        "title": "MFS Cloud Security Standard",
        "version": "1.3",
        "description": "Security controls for AWS workloads"
      },
      {
        "title": "MFS Data Classification Standard",
        "version": "2.0",
        "description": "Data classification scheme and handling requirements"
      },
      {
        "title": "AWS Well-Architected Framework",
        "version": "2024",
        "url": "https://aws.amazon.com/architecture/well-architected/",
        "description": "AWS architecture best practices"
      },
      {
        "title": "NIST Cybersecurity Framework",
        "version": "2.0",
        "url": "https://www.nist.gov/cyberframework",
        "description": "Cybersecurity risk management framework"
      },
      {
        "title": "CAP Threat Model",
        "version": "SEC-TM-2024-019",
        "description": "STRIDE-based threat model for the Customer API Platform"
      },
      {
        "title": "DPIA - Customer API Platform",
        "version": "DPIA-2024-047",
        "description": "Data Protection Impact Assessment"
      }
    ],
    "approvals": [
      { "role": "Lead Solution Architect", "name": "Fred Bloggs", "date": "2025-11-20", "decision": "approved" },
      { "role": "Principal Security Architect", "name": "Joe Bloggs", "date": "2025-11-18", "decision": "approved" },
      { "role": "Data Architect", "name": "Jane Doe", "date": "2025-11-15", "decision": "approved" },
      { "role": "Head of Compliance", "name": "Alice Doe", "date": "2025-11-19", "decision": "approved" },
      { "role": "CISO", "name": "Marcus Doe", "date": "2025-11-19", "decision": "approved" },
      { "role": "CTO", "name": "Dr. Helen Zhao", "date": "2025-11-20", "decision": "approved" },
      { "role": "ARB Chair", "name": "Dave Bloggs", "date": "2025-11-20", "decision": "approved" }
    ]
  },
  "organisationProfile": {
    "organisationName": "Meridian Financial Services",
    "internalStandards": [
      {
        "id": "SEC-POL-001",
        "name": "MFS Information Security Policy",
        "version": "4.2",
        "mappedSections": ["3.5", "6.8"]
      },
      {
        "id": "DATA-STD-001",
        "name": "MFS Data Classification Standard",
        "version": "2.0",
        "mappedSections": ["3.4"]
      },
      {
        "id": "CLOUD-STD-001",
        "name": "MFS Cloud Security Standard",
        "version": "1.3",
        "mappedSections": ["3.3", "3.5"]
      }
    ],
    "tooling": {
      "cicd": "GitHub Actions + Argo CD",
      "monitoring": "Grafana + Amazon CloudWatch + Amazon Managed Prometheus",
      "siem": "Splunk Enterprise",
      "secretStore": "AWS Secrets Manager"
    }
  },
  "complianceScoring": {
    "assessments": [
      { "section": "0. Document Control", "score": 5, "notes": "Full version history, multiple contributors and approvers, clear scope, related documents referenced" },
      { "section": "1. Executive Summary", "score": 5, "notes": "Clear business drivers with priority, strategic alignment with reuse assessment, current-state architecture documented, business criticality justified with revenue impact" },
      { "section": "2. Stakeholders & Concerns", "score": 5, "notes": "Comprehensive stakeholder register including external parties, concerns matrix fully mapped to sections, regulatory context with five applicable regulations" },
      { "section": "3.1 Logical View", "score": 5, "notes": "Full component decomposition with technology choices, design patterns documented with rationale, vendor lock-in assessed for all components, service-to-capability mapping complete" },
      { "section": "3.2 Integration & Data Flow", "score": 5, "notes": "All internal and external integrations documented with protocols and authentication, API contracts versioned, end user access patterns documented, SLAs defined per interface" },
      { "section": "3.3 Physical View", "score": 5, "notes": "Deployment diagram described, compute fully specified (Graviton instances, pod sizing), full networking documented including Direct Connect, environments listed with sizing, security agents deployed" },
      { "section": "3.4 Data View", "score": 5, "notes": "All data stores classified with retention and encryption, field-level encryption for PII, data sovereignty addressed with cross-region filtering, DPIA completed, data integrity controls evidenced" },
      { "section": "3.5 Security View", "score": 5, "notes": "STRIDE threat model with 7 threats and mitigations, comprehensive IAM (internal + external + privileged), mTLS and OAuth 2.0 FAPI, HSM-backed encryption, SIEM integration with correlation rules" },
      { "section": "3.6 Scenarios", "score": 5, "notes": "Three architecturally significant use cases crossing all views, three ADRs with alternatives and quality attribute tradeoffs" },
      { "section": "4.1 Operational Excellence", "score": 5, "notes": "Centralised logging with Splunk, Grafana dashboards, PagerDuty alerting with escalation, Jaeger distributed tracing, comprehensive runbooks, capacity planning process" },
      { "section": "4.2 Reliability", "score": 5, "notes": "Multi-AZ with active-passive DR, RTO 1hr / RPO 15min validated through quarterly testing, chaos testing with Gremlin, fault tolerance with circuit breakers, immutable backups" },
      { "section": "4.3 Performance", "score": 5, "notes": "P50/P95/P99 targets defined, 5,000 req/s throughput target, automated performance testing with k6, caching strategy documented, 3-year growth projections" },
      { "section": "4.4 Cost Optimisation", "score": 5, "notes": "Detailed monthly cost breakdown by component, reserved instance analysis, CloudHealth monitoring, FinOps practices documented, tagging strategy, rightsizing reviews" },
      { "section": "4.5 Sustainability", "score": 4, "notes": "Graviton instances for energy efficiency, non-prod auto-shutdown, auto-scaling for demand matching. Score reduced from 5: no carbon metrics baselined, no formal sustainability KPIs." },
      { "section": "5. Lifecycle", "score": 5, "notes": "Full CI/CD with security scanning, Strangler Fig migration plan, test strategy covering all types, weekly releases with blue-green and canary, team skills assessed, exit plan documented" },
      { "section": "6. Governance", "score": 5, "notes": "4 constraints, 3 assumptions (with evidence), 4 risks with mitigation plans, 3 dependencies tracked to resolution, 2 issues tracked, compliance traceability table mapping 10 requirements" },
      { "section": "7. Appendices", "score": 5, "notes": "Domain-specific glossary, 9 reference documents, 6 standards/patterns referenced, full approval sign-off recorded by role, name, date and decision (no JIRA/ticket references are attached to the approval entries themselves)" }
    ],
    "overallScore": 5,
    "overallNotes": "Comprehensive depth achieved across all sections. Exemplary documentation for a Tier 1 Critical regulated platform. Overall weighted score: 4.9/5."
  }
}
