In a world where we can stream crystal-clear video from one side of the planet to the other in real time, why can it take hours or days for money to move between bank accounts? One reason is that close to half of U.S. banks run their core banking infrastructure on code that dates back decades, making modernization both risky and expensive.
But it doesn’t have to be that way. London fintech company Yobota built a modern core banking platform on Heroku that licensed banks are already using to create innovative customer offerings. Thanks to Heroku’s managed platform and developer pipeline tooling, the Yobota team has shaved years off the development process while maintaining the strict audit and security standards demanded of financial institutions.
Replacing legacy systems with a modern platform
Banks have been using computer software far longer than most industries. And no wonder. Limited as they were, that first generation of room-sized computers was perfectly suited to maintaining customer ledgers, calculating interest, and enacting transactions. But that leaves many financial service providers with a legacy of inflexible core systems built using the 1950s programming language COBOL.
Up until now, banks have made do by developing middleware to deliver additional functionality on top of that offered by their aging mainframes. The result is multiple layers of software that have built up over time, often introducing their own incompatibilities, complications, and bugs. That complexity not only makes it hard to add new functionality, but also makes it difficult to know how a change in one system might affect another. According to the U.K.’s financial regulator, half of banks delay critical upgrades due to the expense, fragility, and complexity of working with such delicately balanced systems. That reluctance affects not only product development but, crucially, also poses a security risk, as it becomes harder to find and patch vulnerabilities due to the intricacy of the many moving parts.
Enter Yobota to bring modern, agile development to banking
In 2016, two banking industry veterans recognized that there was an opportunity to do things differently. The result was Yobota. Their vision was to modernize the software that underpins financial products, such as loans, credit cards, and checking accounts. Known as core banking software, it delivers day-to-day services, such as maintaining account balance, keeping an immutable ledger of transactions, and interacting with other financial institutions to enable payments.
Until recently, the strict regulation of such core banking systems was seen as an insurmountable barrier to entry for new providers. However, the Yobota team believed that product innovation was entirely possible within a regulated industry, especially as people and businesses increasingly expect their banks to perform and evolve just like any other service. If other regulated industries such as healthcare could innovate using cloud services, then why not banking?
Starting out as a small team, Yobota’s engineers built a suite of systems to deliver core banking functionality using modern languages, cloud technologies, and development methods. Crucially, the Yobota offering could meet financial regulators’ compliance requirements while remaining agile enough to allow banks to create innovative new products.
Soon after launch, the Yobota vision was put into action as the newly licensed U.K. bank, Chetwood Financial, engaged the startup to provide their core banking systems.
“Heroku has been the ideal platform to create a core banking suite for the 21st century. It is secure, accelerates our ability to deliver, and is backed by Salesforce, a name that our clients trust.” Ammar Akhtar, Founder & CEO, Yobota
Heroku’s managed service helps engineers stay focused and efficient
Entering one of the most heavily regulated industries would be a challenge, even for a large company. In Yobota’s early days, though, it was essential that their lean software development team was able to deliver their new product to market as quickly and efficiently as possible.
From the outset, Yobota has taken a two-part approach to ensuring that every line of code counts. First, they decided that the traditional path of creating disposable proofs of concept was too wasteful. Instead, they would maintain the momentum of their development by viewing every prototype and MVP as the basis for the next iteration.
Second, they selected technologies that allowed the team to focus their efforts on delivering customer value while minimizing administration. That put unmanaged cloud platforms out of the running, as they would require that Yobota dedicate significant early investment towards DevOps and maintenance.
Having evaluated the market, Yobota decided on a hybrid platform approach. Heroku could enable them to maximize their software engineering efforts with a managed platform that would integrate easily with their primary data stores in Amazon RDS.
Heroku simplifies the path to regulatory compliance
Although Yobota as a company is not regulated, its banking clients are. This means that every new client conversation quickly turns to security, compliance, and audit. Running their platform on Heroku has simplified the path to regulatory compliance for Yobota and its clients.
Had they chosen an unmanaged cloud platform, Yobota would need to not only build their own secure app infrastructure, but also demonstrate that compliance to customers and investors. As it is, the Yobota team can point to Heroku’s own documentation to show compliance with security and data protection standards, such as those specified by ISO and SOC.
In addition, Yobota relies on Heroku’s dedicated operational expertise to ensure that their deployment stack is protected from vulnerabilities such as data leakages and brute force attacks in a way that would be difficult for them to manage in-house. This, combined with the trust and reputation of Salesforce, provides solid reassurance that the platform underlying Yobota is both operationally secure and able to meet growing demand.
Heroku’s architecture and 12 Factor Application philosophy have also proven to be naturally inclined towards secure methods of development, as they are biased towards creating stateless systems. Rather than building systems around a handful of named, well-tended machines, the Heroku approach encourages system architects to think of their compute power as a pool of resources where individual dynos are ephemeral. That way, long-term data must always be persisted to a specialized data store rather than being held on potentially insecure local storage.
“Using Heroku greatly simplifies security conversations with investors and customers. They know that the underlying platform is rock solid.” Ammar Akhtar, Founder & CEO, Yobota
Third-party add-ons provide one-click access to vital functionality
For Yobota, Heroku’s operational value is about more than maintaining operating systems, libraries, and tooling. The wealth of additional functionality available through Heroku Add-ons has been invaluable in accelerating Yobota’s time to market.
The Librato, Papertrail, and Coralogix Logging add-ons have given the team deep insights into the performance of their code, while QuotaGuard delivers load balancing and static IPs. Crucially, though, it is the simplicity with which Yobota has been able to integrate these tools that has been most valuable. Rather than the usual planning, risk assessment, data transformation, and challenges common to working with third-party tooling, Yobota’s engineers are able to deploy new functionality through Heroku Add-ons in seconds.
Similarly, Heroku Redis and Heroku Postgres have given Yobota access to a sophisticated data layer without the need for additional operational overhead. While AWS RDS is the primary data store, Heroku Postgres is a vital part of the company’s development process. The managed data service enables engineers to take control of their development and test data without the need for specialized DevOps assistance.
“Heroku Add-ons give us in one click what could take weeks to implement. We can use that time to build our product instead. That’s a real competitive advantage.” James Maidment, Head of Technical Operations, Yobota
Collaboration tools are part of a larger software development audit trail
Traceability is one of the fundamental requirements that financial regulators place on software providers. That is, every code change must have an audit trail of who was involved, what tests were performed along with their outcomes, and when that code was promoted to production.
Yobota takes a hybrid approach to ensuring that their code is not only traceable, but that the necessary testing is repeatable and automated. Automated tests run on the codebase, while Heroku Pipelines simplifies promotion for human review as needed. Once merged into the main codebase, Heroku Pipelines then pushes the newly updated code to a staging environment for final checks before deployment to production. This greatly reduces the operational burden of both performing testing and keeping records required by regulation, all within Heroku environments that match a production setup.
Beyond Heroku Pipelines, the Heroku platform logs change metadata, which is vital to maintaining an audit trail as required by Yobota’s customers.
Team management tools ensure the principle of least privilege
As the Yobota engineering team grows, the company needs to maintain fine-grained control over individual access to Heroku. In particular, Yobota works to the principle of least privilege, meaning that team members only have the access necessary to fulfil their roles.
Permissions are also granular down to the individual app level, meaning that each engineer has access only to the functionality necessary to their work. Perhaps most importantly, offboarding former team members is handled centrally with all permissions removed as soon as the individual’s account is disabled in the SSO system. Every change to permissions is recorded in an audit trail, essential for Yobota as a provider of regulated financial software.
A banking-grade platform for the 21st century on Heroku
Thanks to Heroku’s managed platform, Yobota has built an agile, modern, and compliant platform that enables their banking customers to deliver innovative financial products to end customers. What would have taken a much larger organization, including a dedicated DevOps team, has been possible with a lean and product-focused group of engineers.
Inside Yobota on Heroku
Yobota uses Heroku Pipelines and Heroku Review Apps to help automate the testing necessary to meet financial regulations, while Heroku Add-ons including Papertrail, Librato, and Coralogix Logging provide platform insights, and QuotaGuard provides static IP addresses. Heroku Redis is Yobota’s primary data cache and Heroku Postgres is used for data storage during development and test. Their primary data stores use Amazon RDS.
Listen to the Code[ish] podcast featuring Ammar Akhtar and James Maidment: “The Challenges of Bespoke Solutions in a Regulated World.”