Serverless Customer Portal for a Private Trust Services Provider
The customer offers a wide range of private trust services to its clients, targeting historically underserved retail and smaller institutional sectors.
The core pillar of the customer’s business strategy lies in pursuing the vast and underserved U.S. retail market (1.3 million medium and high net worth households). To enable seamless and effective customer engagement at scale, the company needed an online customer portal that would automate manual processing of customer liquidity requests. Additionally, the portal needed to be able to integrate with third party solutions, to offer whitelabeling capabilities, and even possibly support trading of alternative assets in the future.
To meet the desired timeline for the launch of its business, the customer needed a software engineering partner to accelerate the delivery of the new portal. This partner would bring the expertise in application design and development on AWS, combined with a strong track record of delivering solutions to financial services clients. The company engaged DataArt, an AWS Advanced Consulting Partner, as the lead software development partner on in mid-2019.
Meeting the Challenge
Right from the start, the customer’s strategy was to build its new technology in the cloud, and AWS was chosen as the leading provider of the most diverse and advanced cloud services. The system was designed and implemented as a collection of microservices, to deliver a highly extensible architecture. This flexibility was a key business requirement to support further evolution of the company’s business model, including the ability to integrate with potential future partners and vendors. Given the low volume, high value nature of the future transactions, serverless first was adopted as the main architectural approach.
The customer portal was designed and implemented by DataArt. It is seamlessly integrated with the customer’s existing software solutions that enable other core business processes, including account administration, underwriting and liquidity services.
In order to meet key business requirements, the portal incorporated the following functionality:
- Multitenancy support. All data belonging to a specific tenant is stored in a separate database instance, with a dedicated AWS Cognito user pool per tenant, which is not accessible by other tenants. Password and other security policies as well as identities, identity management, and authentication are maintainable and configurable per tenant.
- White-labelling opportunities. All static files with customized resources are stored in separate Amazon S3 buckets. Different types of CloudFront distributions are used for each white label.
- Roles and permissions hierarchy. A ramified hierarchy of user roles, with a different set of «read-only» or «read and update» permissions, was implemented to serve different types of clients: individual and institutional investors, and authorized financial advisors acting on their behalf. Custom UI elements are available for each user, depending on their role and set of permissions. With an audit service, each user action in the system is logged.
- User impersonation. This feature was implemented with a custom authorizer for AWS Cognito. It allows back-office staff to access the portal as if they were logged in as a user and operate it on the user’s behalf (with read-only permissions). For example, if a user has encountered an issue, a back-office rep can use the impersonation feature to help the user navigate through the portal or troubleshoot the issue.
- PII sensitive data tokenization. The solution is designed to work with personally identifiable information (PII) data and is fully compliant with the client’s stringent security requirements and industry standards. With a third-party tokenization service, TokenEx (https://www.tokenex.com/), PII is encrypted at rest, transfers over the network rely on SSL/TLS encryption. For back-office staff convenience, a portal user could be searched for by his/her initial letters.
At production launch, the application consisted of over 100 AWS Lambda functions that implement the microservices architecture and enable incremental updates, deployments, and other benefits of this approach. To improve customer experience, provisioned concurrency was enabled for Lambda functions as a way to address the cold start latency.
AWS Parameter Store
S3, DynamoDB, Aurora Serverless
User management and identity layer
Cognito + Custom authorization layer
CloudWatch, AWS X-Ray, custom ELK-based solution
CDN/CloudFront, API Gateway
KMS, IAM, Secrets Manager, TokenEx
The production launch of the customer portal enabled the company to open the doors of its retail business to the customers. A culmination of months of development, the launch was coordinated with the comprehensive go-to-market campaign. The customer portal offers rich online experience, including sign-up, onboarding and profile management; self-service loan initiation; sharing and signing of legal documents; and ultimately the liquidity execution.
Based on the business vision of the company’s leadership, the solution was purposefully designed as a platform, with flexibility, extensibility and ease of integration as primary design goals. The solution incorporates architectural best practices for cloud-native development and state-of-the-art cloud technology from AWS. Its flexible and extensible architecture is able to support a rich product roadmap and a variety of business models the company may pursue in the future, including partnerships and integrations with large institutional players or alternative asset platform and service providers, to bring liquidity solutions to new market segments.