The NaqdiPay Challenge
When NaqdiPay approached us to build a digital wallet for the Kuwaiti market, the brief was deceptively simple: let users send money, pay bills, and transact with merchants. In reality, building a fintech app that handles $2M+ in daily transactions while maintaining 99.99% uptime and full Central Bank compliance is one of the most complex engineering challenges we have undertaken.
This is the story of how we built it: the architecture, the security decisions, the regulatory hurdles, and the hard-won lessons.
Architecture: Designing for Trust
In fintech, architecture is not just a technical concern. It is a trust concern. Every design decision impacts whether users feel safe putting their money in your platform. Here is how we approached it:
Microservices with Clear Boundaries
We decomposed NaqdiPay into seven core services:
- Identity Service: KYC verification, biometric authentication, session management
- Wallet Service: Balance management, ledger operations, multi-currency support
- Transaction Service: Payment processing, transfers, reversals
- Notification Service: Push notifications, SMS OTP, email alerts
- Compliance Service: AML screening, transaction monitoring, regulatory reporting
- Merchant Service: QR payments, settlement, merchant onboarding
- Gateway Service: KNET integration, bank API connections, card processing
Each service owns its own database and communicates through asynchronous events (Apache Kafka) for reliability. Synchronous calls are used only where real-time response is essential.
The Ledger: Getting It Right
The most critical component in any fintech system is the ledger. We implemented a double-entry accounting system where every transaction creates two entries, a debit and a credit, ensuring the books always balance. Key design decisions:
- Immutable append-only log: Entries are never modified or deleted. Corrections are made with compensating entries
- Idempotency keys: Every transaction carries a unique key to prevent duplicate processing, even if a request is retried
- Optimistic locking: Concurrent balance updates are handled with version-based optimistic locking, avoiding the performance cost of pessimistic locks
- Event sourcing: The full history of every wallet is reconstructable from the event log, which proved invaluable for debugging and auditing
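
The four ledger properties above, working together in a small in-memory model. This is an added illustration, not NaqdiPay's code: the `Ledger` class, the `external:` prefix for bank-side funding accounts and the single lock standing in for a database transaction are assumptions.

```python
import threading
from dataclasses import dataclass
from decimal import Decimal

class VersionConflict(Exception):
    """The wallet changed after the caller read it; re-read and retry."""

@dataclass(frozen=True)              # immutable row: entries are never edited
class Entry:
    txn_id: str
    wallet: str
    amount: Decimal                  # negative = debit, positive = credit

class Ledger:                        # hypothetical in-memory model
    def __init__(self):
        self._entries = []           # append-only log, no update/delete path
        self._versions = {}          # wallet -> version for optimistic locking
        self._seen = {}              # idempotency key -> txn_id already posted
        self._commit = threading.Lock()   # stands in for a DB transaction

    def balance(self, wallet):
        """Replay the log (event sourcing); return (balance, version)."""
        total = sum((e.amount for e in self._entries if e.wallet == wallet), Decimal(0))
        return total, self._versions.get(wallet, 0)

    def transfer(self, key, src, dst, amount, expected_version):
        amount = Decimal(amount)
        if amount <= 0:
            raise ValueError("amount must be positive")
        with self._commit:
            if key in self._seen:                 # retry: return the first result
                return self._seen[key]
            balance, version = self.balance(src)
            if version != expected_version:       # someone else wrote first
                raise VersionConflict(src)
            # Assumption: "external:" accounts (bank side) may go negative.
            if balance < amount and not src.startswith("external:"):
                raise ValueError("insufficient funds")
            txn_id = f"txn-{len(self._seen) + 1}"
            self._entries += [Entry(txn_id, src, -amount), Entry(txn_id, dst, amount)]
            self._versions[src] = version + 1
            self._versions[dst] = self._versions.get(dst, 0) + 1
            self._seen[key] = txn_id
            return txn_id

    def is_balanced(self):
        return sum((e.amount for e in self._entries), Decimal(0)) == 0
```

A correction is posted the same way, as a new transfer in the opposite direction with its own idempotency key, so the original entries stay untouched.
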
Security: Layers Upon Layers
Fintech security is not a single feature. It is a mindset that permeates every layer of the stack:
Authentication & Authorization
- **Biometric authentication** (fingerprint and face recognition) as the primary login method
- **Multi-factor authentication** for sensitive operations (transfers above threshold, password changes)
- **Device binding**: Each account is bound to registered devices; new device login requires full re-verification
- **Token-based sessions** with short-lived JWTs (15-minute expiry) and secure refresh token rotation
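
How short-lived access tokens, refresh token rotation and device binding fit together, as an added sketch that is not NaqdiPay's code. The `RefreshStore` class, the claim names and the in-process HMAC key are assumptions (the text keeps production keys in an HSM); a replayed refresh token or one presented from a different device revokes the whole token family.

```python
import base64, hashlib, hmac, json, secrets

ACCESS_TTL = 15 * 60                      # 15-minute access tokens, as in the text
SIGNING_KEY = secrets.token_bytes(32)     # demo only: the text keeps keys in an HSM

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(head, body):
    return _b64(hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest())

def issue_access(user, device, now):
    """Compact HS256 JWT carrying the user, the bound device and the expiry."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": user, "dev": device, "exp": now + ACCESS_TTL}).encode())
    return f"{head}.{body}.{_sign(head, body)}"

def verify_access(token, now):
    """Return the claims, or None if the signature is bad or the token expired."""
    parts = token.split(".")
    if len(parts) != 3 or not hmac.compare_digest(_sign(*parts[:2]).encode(), parts[2].encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))
    return claims if claims["exp"] > now else None

class RefreshStore:                       # hypothetical server-side store
    def __init__(self):
        self._tokens = {}                 # sha256(token) -> record
        self._revoked = set()             # token families killed after misuse

    def _put(self, family, user, device):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()   # keep only the hash
        self._tokens[digest] = {"family": family, "user": user, "device": device, "used": False}
        return token

    def login(self, user, device):
        return self._put(secrets.token_hex(8), user, device)

    def rotate(self, token, device, now):
        """Swap a refresh token for (access_jwt, new_refresh); None if rejected."""
        rec = self._tokens.get(hashlib.sha256(token.encode()).hexdigest())
        if rec is None or rec["family"] in self._revoked:
            return None
        if rec["used"] or rec["device"] != device:
            self._revoked.add(rec["family"])      # replay or wrong device: end the chain
            return None
        rec["used"] = True
        return issue_access(rec["user"], device, now), self._put(rec["family"], rec["user"], device)
```

`verify_access` never reads the header's `alg` field, so a token cannot choose its own verification algorithm.
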
Data Protection
- **End-to-end encryption** for all data in transit (TLS 1.3) and at rest (AES-256)
- **HSM integration** (Hardware Security Module) for cryptographic key management: private keys never exist in application memory
- **PCI-DSS Level 1 compliance**: Card data is tokenized at the edge and never stored in our systems
- **Field-level encryption** for PII (national ID numbers, phone numbers) in the database
Fraud Prevention
- **Real-time transaction scoring** using a rules engine that evaluates velocity, geography, device fingerprint, and behavioral patterns
- **Machine learning anomaly detection** trained on transaction patterns to flag unusual activity
- **Automated account freezing** when risk thresholds are exceeded, with manual review workflow for operations team
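
A rules engine of the kind described above, scoring the four signals named in the text and freezing the wallet once the score crosses a threshold. This is an added example, not NaqdiPay's rule set: the weights, window, thresholds and transaction fields are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed weights and thresholds for illustration; real values come from tuning.
WINDOW_S, MAX_TXNS_IN_WINDOW = 60, 3
WEIGHTS = {"velocity": 40, "new_device": 30, "geo_jump": 30, "amount_spike": 20}
FREEZE_AT = 70

class RiskEngine:                            # hypothetical rules engine
    def __init__(self):
        self.recent = defaultdict(deque)     # wallet -> timestamps inside the window
        self.devices = defaultdict(set)      # wallet -> device fingerprints seen
        self.country = {}                    # wallet -> country of last transaction
        self.amounts = defaultdict(list)     # wallet -> past amounts (behaviour baseline)
        self.frozen = set()                  # wallets awaiting manual review

    def score(self, txn):
        """Return (decision, score, fired_rules) for one transaction dict."""
        w = txn["wallet"]
        if w in self.frozen:
            return "blocked", 0, ["frozen"]
        fired = []
        q = self.recent[w]
        while q and txn["ts"] - q[0] >= WINDOW_S:   # drop events outside the window
            q.popleft()
        if len(q) >= MAX_TXNS_IN_WINDOW:
            fired.append("velocity")
        if self.devices[w] and txn["device"] not in self.devices[w]:
            fired.append("new_device")
        if w in self.country and self.country[w] != txn["country"]:
            fired.append("geo_jump")
        past = self.amounts[w]
        if len(past) >= 3 and txn["amount"] > 5 * (sum(past) / len(past)):
            fired.append("amount_spike")
        total = sum(WEIGHTS[r] for r in fired)
        if total >= FREEZE_AT:
            self.frozen.add(w)               # freeze and hand over to manual review
            return "frozen", total, fired
        q.append(txn["ts"])                  # only accepted traffic updates the profile
        self.devices[w].add(txn["device"])
        self.country[w] = txn["country"]
        past.append(txn["amount"])
        return "allow", total, fired
```

Rejected transactions do not update the wallet's profile, so a burst of fraudulent attempts cannot teach the engine a new device or country.
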
Regulatory Compliance: The Hidden Complexity
Obtaining and maintaining Central Bank of Kuwait approval was arguably harder than building the technology itself. Here is what we navigated:
- KYC/AML requirements: Three-tiered verification system (basic, standard, enhanced) with increasing transaction limits at each level
- Transaction limits: Daily, weekly, and monthly limits enforced at the wallet level with real-time monitoring
- Suspicious Activity Reports (SARs): Automated generation and submission to Kuwait's Financial Intelligence Unit
- Data residency: All user data must reside within Kuwait's borders, requiring local infrastructure deployment
- Quarterly audits: External security audits with penetration testing and code review by certified auditors
- Disaster recovery: Documented and tested DR plan with RPO of 1 minute and RTO of 15 minutes
We built a dedicated compliance dashboard that gives the operations team real-time visibility into all regulatory metrics and automates report generation.
Performance Under Pressure
Processing financial transactions demands both speed and reliability. Our performance targets and results:
- Transaction processing time: Target <500ms, achieved P99 of 320ms
- API availability: Target 99.99%, achieved 99.995% over 12 months
- Concurrent users: Designed for 50,000 simultaneous connections
- Daily transaction volume: Currently processing $2M+ across 80,000+ transactions daily
Key performance strategies:
- Read replicas for database queries that do not require real-time consistency
- Redis caching for frequently accessed data (balance lookups, merchant info)
- Connection pooling with PgBouncer to handle traffic spikes without exhausting database connections
- Circuit breakers on all external service calls (KNET, bank APIs) to prevent cascade failures
Lessons Learned
After 18 months of building and operating NaqdiPay, here are our most valuable takeaways:
1. Start compliance early: We began Central Bank discussions 6 months before launch. In hindsight, we should have started even earlier. Regulatory approval is the longest lead-time item in any fintech project
2. Invest in observability: We deployed comprehensive logging, distributed tracing (Jaeger), and custom metrics from day one. When a transaction fails at 2 AM, you need to know exactly what happened within minutes
3. Test with real money: Our staging environment processes real (small) transactions through actual banking infrastructure. Mocked payment gateways hide integration bugs that only appear with real money
4. Plan for failure: Every external dependency will fail. Our system handles KNET outages, bank API timeouts, and SMS provider failures gracefully, with automatic retries and user-friendly error messages
5. Localization is non-negotiable: In Kuwait, Arabic is not a nice-to-have. Our entire UX, from onboarding flows to transaction receipts, was designed Arabic-first
What We Would Build Differently
No project is perfect. If we were starting NaqdiPay today:
- We would use event sourcing from the start for all services, not just the wallet. Retrofitting event sourcing was painful
- We would invest in contract testing earlier. Integration test suites became slow and brittle as the number of services grew
- We would choose Kubernetes from day one instead of migrating to it mid-project. The migration was a significant engineering effort
Build Your Fintech Product with Alyaqeen Tech
If you are planning a fintech product for the Gulf market, we have walked this path and can help you avoid the pitfalls. From architecture design to Central Bank compliance, our team brings hands-on experience building production fintech systems that handle real money at scale.