Financial software operates under constraints that other industries don’t face. A bug in a social media app annoys users. A bug in a payment processing system loses money, triggers regulatory scrutiny, and potentially ends companies.
This reality shapes every engineering decision: the architecture must accommodate compliance requirements that change by jurisdiction and product type, the security model must withstand adversarial attack, the data handling must satisfy auditors who think in checklists and evidence, and the system must be reliable enough that a merchant can trust it with their revenue stream.
This guide covers the architectural and engineering decisions specific to fintech — the ones that differentiate building financial software from building any other kind of software.
The Compliance Landscape
Before writing code, understand which regulations govern your product. The answer depends on what your product does, who it serves, and where it operates.
The Regulatory Map
| Regulation | What It Governs | Who It Affects | Key Engineering Requirements |
|---|---|---|---|
| PCI DSS | Credit/debit card data handling | Any company that stores, processes, or transmits cardholder data | Network segmentation, encryption, access controls, vulnerability management, logging, annual assessment |
| SOC 2 Type II | Organizational security controls | SaaS companies handling sensitive customer data (often required by enterprise buyers) | Access controls, change management, monitoring, incident response, evidence collection |
| PSD2 / Open Banking | Payment services in the EU/UK | Payment institutions, AISPs, PISPs | Strong Customer Authentication (SCA), secure API design, consent management |
| KYC/AML | Customer identity and anti-money laundering | Banks, money transmitters, exchanges, lending platforms | Identity verification workflows, sanctions screening, suspicious activity reporting |
| GDPR | Data privacy (EU) | Any company processing EU personal data | Consent management, data minimization, right to erasure, data portability |
| State money transmitter licenses (US) | Money movement | Companies that hold, transfer, or exchange money in the US | Per-state licensing (47+ states), surety bonds, net worth requirements |
The first engineering decision in fintech isn’t technical — it’s regulatory. Identify every regulation that applies to your product before designing the architecture. Regulations add engineering requirements (encryption, audit logging, access controls) that are far cheaper to build in from the start than to retrofit.
Architecture Decision 1: Minimize Your Compliance Scope
The most expensive compliance mistake in fintech is taking on more compliance scope than necessary. Every system that touches regulated data must be assessed, audited, and maintained to compliance standards. Fewer systems in scope = lower compliance cost.
PCI DSS Scope Reduction
If your product processes card payments, PCI DSS applies. But the scope of your assessment depends on how you handle cardholder data.
Maximum scope (avoid): Your servers receive, process, and store card numbers. Every server, network, and process that touches card data is in scope for PCI assessment. Annual cost: $50K–$200K+ for the assessment alone.
Reduced scope (recommended): Use Stripe, Adyen, or a similar PCI-compliant processor. Card numbers never touch your servers — they’re collected by the processor’s JavaScript widget (Stripe Elements, Stripe Checkout) and sent directly to the processor’s PCI-certified infrastructure. Your servers receive only tokens that represent the card, not the card itself.
Engineering impact of tokenization:
- Your database stores
stripe_customer_idandstripe_payment_method_id, never card numbers - Card collection UI uses the processor’s embedded components, not your own form fields
- Server-side payment operations use tokens:
stripe.charges.create({ customer: 'cus_xxx', ... }) - Your PCI assessment scope drops from “everything” to SAQ-A or SAQ-A-EP — dramatically simpler and cheaper
This single architecture decision — using tokenization via Stripe/Adyen instead of handling card data directly — can reduce PCI compliance costs by 80% or more. It’s the highest-leverage compliance decision in payment platform engineering.
SOC 2 Scope Definition
For SOC 2, you define the scope: which systems, which processes, which team members are included. Keep the scope as focused as possible while covering the systems your customers care about.
In scope: Production infrastructure, application code deployment, customer data access, incident response, and change management for the production environment.
Out of scope (when possible): Internal corporate IT, marketing systems, HR systems, development environments (unless they access production data). The narrower the scope, the fewer controls you need to implement and evidence you need to collect.
Architecture Decision 2: Financial Data Integrity
Financial systems have zero tolerance for data inconsistency. If your payment platform records a charge that didn’t happen, a settlement that’s $0.01 off, or a refund that was processed but not recorded — the consequences range from customer complaints to regulatory action.
Idempotency (Non-Negotiable)
Every financial operation must be idempotent — processing the same request twice produces the same result, not a double charge. Network retries, webhook redelivery, and user double-clicks are common causes of duplicate operations.
Implementation pattern:
Every financial API request includes a client-generated idempotency key. The server checks whether this key has been processed before. If yes, return the original result without re-executing the operation.
POST /api/payments
Idempotency-Key: payment_abc123_attempt_1
{
"amount": 4999,
"currency": "usd",
"customer_id": "cust_xyz"
}
Server-side: before processing, check idempotency_keys table. If the key exists, return the stored result. If not, process the payment, store the result with the key, and return.
Store idempotency records for at least 24 hours (Stripe stores them for 24 hours). For your own internal operations, store indefinitely — the storage cost is negligible compared to the cost of a duplicate transaction.
Double-Entry Bookkeeping
For any system that tracks money (wallets, balances, ledgers), implement double-entry accounting at the data layer. Every transaction creates two entries: a debit from one account and a credit to another. The sum of all debits must always equal the sum of all credits.
This isn’t just accounting convention — it’s an engineering safeguard. If your database has a state where debits ≠ credits, you have a data integrity bug. A scheduled reconciliation job that checks this invariant catches corruption before it compounds.
Audit Trail
Every financial operation must be logged with: who initiated it, when, what changed, the previous value, the new value, and the authorization context (which API key, which user session, which IP address). These logs must be immutable — no one should be able to delete or modify audit records.
Implementation: Write audit records to an append-only table (or a separate audit database). Use database triggers or application-level middleware to ensure every write to a financial table generates an audit record. Store audit logs for the retention period required by your regulations (typically 5–7 years for financial data).
Architecture Decision 3: Payment Processing Architecture
The Payment Flow
A well-designed payment flow has clear stages with defined states and error handling at each transition:
┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐
│ Intent │────▶│ Authorize│────▶│ Capture │────▶│ Settle │
│ Created │ │ │ │ │ │ │
└──────────┘ └─────┬────┘ └─────┬────┘ └──────────┘
│ │
┌────▼────┐ ┌────▼────┐
│ Declined│ │ Void │
└─────────┘ └─────────┘
Intent: Customer initiates a payment. Your system creates a payment record with status: pending.
Authorize: The payment processor validates the card and reserves the funds. The charge appears on the customer’s statement but money hasn’t moved. If authorization fails, the payment status becomes declined and you handle the failure gracefully.
Capture: You confirm the charge, and the processor moves the authorized funds. For immediate purchases, authorization and capture happen in one step. For businesses that ship physical goods, authorization happens at checkout and capture happens at shipment.
Settlement: The processor transfers captured funds to your bank account, minus fees. Settlement typically takes 2–3 business days.
Each state transition must be atomic and logged. If a capture fails mid-processing, the system must not lose track of the authorization — otherwise you have authorized funds you can’t capture and can’t void.
Handling Payment Failures Gracefully
Payment failures are not exceptional — they’re a normal part of payment processing. 5–10% of recurring charges fail on first attempt.
Categories of failure and handling:
| Failure | Cause | Handling |
|---|---|---|
| Hard decline | Card cancelled, fraud block, invalid number | Don’t retry. Ask customer to use a different card. |
| Soft decline | Insufficient funds, temporary hold, issuer unavailable | Retry 2–3 times over 7 days with exponential backoff. |
| Network error | Timeout, processor unavailable | Retry immediately with idempotency key. Check payment status before retrying. |
| 3DS challenge | SCA required (EU) | Redirect customer to authentication flow. Resume on completion. |
The critical error: Retrying a payment without checking whether the original succeeded. If the first attempt succeeded but the response was lost (network timeout), retrying without an idempotency key creates a double charge. Always check the payment status before retrying, and always include an idempotency key.
Architecture Decision 4: Compliance Automation
Manual compliance processes — checklists, spreadsheets, quarterly reviews — don’t scale. As your fintech product grows, the volume of compliance evidence, the frequency of policy checks, and the complexity of regulatory requirements outpace manual management.
Automated Evidence Collection (SOC 2)
SOC 2 Type II requires continuous evidence that your controls are operating effectively. Automate evidence collection rather than scrambling during audit season:
Access control evidence: Automated reports of who has access to production systems, when access was last reviewed, and any changes to access during the period. Pull from your identity provider (Okta, Azure AD) via API.
Change management evidence: Every production deployment tracked in your CI/CD system with: who approved it, what code changed, when it was deployed, and whether it passed all required gates (tests, security scans, review). GitHub’s PR history provides most of this automatically.
Monitoring evidence: Export from Datadog/Grafana showing that monitoring was active throughout the audit period. Incident reports showing detection, response, and resolution of issues.
Tools that automate SOC 2 compliance: Vanta, Drata, and Secureframe continuously monitor your systems and collect evidence automatically. They cost $10K–$30K/year but save 100+ hours of manual evidence gathering and significantly reduce audit preparation time.
KYC/AML Automation
Customer identity verification and anti-money laundering screening should be automated into your onboarding flow:
Identity verification: Integrate a KYC provider (Onfido, Jumio, Veriff) to verify government ID documents, match selfies to ID photos, and check against sanctions lists — all within your onboarding workflow.
Ongoing monitoring: Automated daily screening of your customer base against updated sanctions lists and PEP (Politically Exposed Person) databases. Flag matches for manual review. Log every screening check for regulatory reporting.
Transaction monitoring: Rules-based and ML-based monitoring for suspicious patterns: unusual transaction velocity, amounts inconsistent with customer profile, structuring (splitting transactions to avoid reporting thresholds), and transactions with sanctioned jurisdictions.
Architecture Decision 5: Multi-Currency and International Payments
If your fintech product operates across borders, currency handling adds significant architectural complexity.
Currency Handling Rules
Store amounts in the smallest currency unit (cents/pence, not dollars/pounds). Never use floating-point numbers for money — floating-point arithmetic introduces rounding errors that compound across thousands of transactions.
// WRONG: floating-point
const amount = 19.99; // Might be stored as 19.989999999999998
// RIGHT: integer cents
const amountCents = 1999; // Exactly 1999 cents, no ambiguity
Store the currency code alongside every amount. A column containing 1999 without knowing whether it’s USD, EUR, or JPY is meaningless. Every financial amount in your database should have a currency field.
Handle currency conversion at well-defined points. Convert at the moment of transaction, not at the moment of display. Store the exchange rate used and the original amount in the original currency. This is essential for reconciliation and regulatory reporting.
What Fintech Development Costs
Fintech development costs more than standard SaaS because of compliance requirements, security engineering, and the financial data integrity measures described above.
| Component | Standard SaaS | Fintech Premium | Why |
|---|---|---|---|
| Authentication | $3K–$5K | $5K–$10K | MFA mandatory, session management stricter, audit logging |
| Data layer | $5K–$15K | $10K–$25K | Idempotency, double-entry, audit trail, encryption |
| Payment integration | — | $10K–$30K | PCI scope management, error handling, reconciliation |
| Compliance infrastructure | — | $10K–$40K | SOC 2 tooling, KYC integration, monitoring |
| Security | $3K–$8K | $8K–$20K | Penetration testing, security review, WAF, fraud detection |
| Typical MVP | $40K–$80K | $80K–$180K | ~2x multiplier for fintech |
The premium is real but justified. Cutting corners on compliance engineering in fintech doesn’t save money — it creates liability that costs 10–100x more when regulators or auditors find it.
Fintech Software Development: Compliance, Architecture, and Scale
We engineer fintech products with compliance built into the architecture — not bolted on before an audit. Payment platforms, lending systems, banking integrations, and compliance automation.