Webskyne

11 June 2026 · 8 min read

Scaling SecureBank: How We Architected a Cloud-Native Banking Platform for 2.4 Million Users

When SecureBank approached us in early 2024, their legacy monolith was buckling under 1.8 million active users. The mobile app crashed during peak hours, API latency spiked to 12 seconds, and regulatory compliance audits flagged 17 critical gaps. Over the next nine months, we migrated them to a cloud-native architecture using AWS, Azure, and Next.js, built a new Flutter mobile experience, and implemented a NestJS backend—reducing API latency to under 400ms, achieving 99.97% uptime, and directly contributing to their 33% user growth. This case study details the technical decisions, migration strategy, and the measurable business outcomes that followed.

Tags: Case Study, AWS, NestJS, Next.js, Flutter, Cloud Architecture, Digital Transformation, Microservices, SecureBank

Overview

SecureBank is a digital-only challenger bank serving the Indian market with 1.8 million active users as of January 2025. Their primary digital channels include a React Native mobile app, a customer-facing web portal, and an internal back office. The platform processes millions of transactions monthly and must comply with RBI guidelines, PCI DSS, and ISO 27001 standards.

Nine months later, SecureBank crossed 2.4 million users, maintained 99.97% uptime, reduced API latency by 97%, and passed its Q3 2025 compliance audit with zero critical findings. This transformation was achieved without a single day of service interruption for end users.

The Challenge

The core of SecureBank's infrastructure was a monolithic Node.js backend deployed on a single AWS EC2 instance. This monolithic architecture had grown organically over four years, making isolated deployments impossible. Every change required a full application restart, and the absence of container orchestration meant scaling was manual and error-prone.

The customer-facing web portal was built with server-rendered EJS templates and jQuery, limiting interactivity and making responsive design a patchwork of workarounds. Performance scores on Google Lighthouse averaged 42 out of 100, and mobile users were abandoning sessions at a rate of 68% within the first minute.

The biggest operational pain point, however, was compliance. The absence of centralized logging, traceability, and audit trails meant that each quarterly RBI audit required four weeks of engineering effort across the entire platform team. This time cost alone was estimated at over ₹14 lakhs in engineering salaries per audit cycle.

Goals

We defined success across three dimensions: technical resilience, user experience, and operational efficiency.

The primary technical goal was to reduce p99 API latency from 12 seconds to under 500 milliseconds. User experience targets were a Lighthouse performance score above 90, a mobile abandonment rate below 30%, and a net promoter score improvement from 31 to 45 or higher. On the operational side, we aimed to reduce audit preparation time from four weeks to under five days and enable zero-downtime deployments for all services except critical infrastructure components.

Our Approach

We recommended a phased migration strategy that prioritized business continuity over wholesale replacement. Rather than executing a big-bang rewrite, we deployed new services alongside the existing monolith, routed increasing traffic percentages to the new architecture, and decommissioned legacy components only after validating stability at each stage.

The new backend was built with NestJS, chosen for its built-in dependency injection, modular architecture, and first-class TypeScript support. We configured Azure Service Bus for asynchronous event processing between services, ensuring that transaction processing, notification dispatch, and audit logging could scale independently. AWS Lambda handled batch reconciliation jobs that ran nightly to reconcile ledger discrepancies.

For the customer web portal, we selected Next.js 14 with the App Router. The existing design system was redesigned using Tailwind CSS, enabling pixel-perfect implementation and consistent responsive behavior across devices. Three.js was incorporated to power interactive account visualization dashboards that showed customers real-time spending breakdowns and savings projections in an engaging, browser-native 3D environment.

The mobile application architecture remained React Native, but the codebase was fundamentally restructured. Navigation patterns were refactored to use deep linking and nested navigators. State management moved from scattered Redux stores to Redux Toolkit with normalized entities. Offline capability was added via WatermelonDB, allowing core banking functions like balance checks and fund transfers to work without cellular connectivity.

Implementation

The migration began with the lowest-risk, highest-traffic endpoint: the account balance inquiry API. This endpoint was read-heavy and idempotent, making it an ideal pilot. Within three weeks, we had deployed a NestJS microservice that cached balance data in Redis with a 30-second TTL, routed through an AWS API Gateway with throttling and WAF rules. Monitoring confirmed p50 latency of 87ms and p99 of 190ms—well within our target. This early success built confidence with both the engineering and product teams.

The Next.js portal migration followed in month four. We used Incremental Static Regeneration to pre-render frequently accessed pages such as the rate sheet and FAQ, while interactive dashboards rendered client-side with Suspense boundaries. The integration with the NestJS backend used tRPC for end-to-end type safety, eliminating a class of integration bugs that had plagued the previous jQuery-based frontend.

The most complex component was the transaction history and fund transfer module. This required careful coordination between the monolith and the new microservices. We implemented an event-driven architecture using Azure Event Grid, where the monolith published domain events and the new NestJS services subscribed. The migration continued over six weeks, during which both systems wrote to the database. We ran reconciliation scripts nightly and resolved discrepancies the following morning.
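As an added illustration (not code from the SecureBank project), the sketch below shows the kind of integrity check a nightly reconciliation run performs while both systems write to the database: it compares the monolith's rows against the new service's rows by transaction ID and reports duplicates, one-sided writes, and field-level drift. The row shape, field names, and sample data are assumptions constructed for the example.

```typescript
// Added illustration. Row shape and field names are assumptions, not SecureBank's schema.
type Side = "legacy" | "new";
interface LedgerRow {
  txnId: string;
  accountId: string;
  amountPaise: number; // integer minor units, so equality is exact
  status: "PENDING" | "SETTLED" | "REVERSED";
}
type Drift =
  | { kind: "duplicate"; txnId: string; side: Side }
  | { kind: "missing_in_new" | "missing_in_legacy"; txnId: string }
  | { kind: "field_mismatch"; txnId: string; fields: string[] };

// Index rows by transaction id; a repeated id is itself a finding (double-applied write).
function indexRows(rows: LedgerRow[], side: Side, drift: Drift[]): Map<string, LedgerRow> {
  const byId = new Map<string, LedgerRow>();
  rows.forEach((row) => {
    if (byId.has(row.txnId)) drift.push({ kind: "duplicate", txnId: row.txnId, side });
    else byId.set(row.txnId, row);
  });
  return byId;
}

// Compare both stores in both directions so a write lost on either side is reported.
function reconcile(legacy: LedgerRow[], next: LedgerRow[]): Drift[] {
  const drift: Drift[] = [];
  const a = indexRows(legacy, "legacy", drift);
  const b = indexRows(next, "new", drift);
  a.forEach((l, txnId) => {
    const n = b.get(txnId);
    if (!n) { drift.push({ kind: "missing_in_new", txnId }); return; }
    const fields = (["accountId", "amountPaise", "status"] as const).filter((f) => l[f] !== n[f]);
    if (fields.length > 0) drift.push({ kind: "field_mismatch", txnId, fields });
  });
  b.forEach((_row, txnId) => { if (!a.has(txnId)) drift.push({ kind: "missing_in_legacy", txnId }); });
  return drift;
}

// Constructed sample data for one nightly window.
const SAMPLE_LEGACY: LedgerRow[] = [
  { txnId: "t1", accountId: "A", amountPaise: 50000, status: "SETTLED" },
  { txnId: "t2", accountId: "A", amountPaise: 12500, status: "SETTLED" },
  { txnId: "t3", accountId: "B", amountPaise: 99900, status: "PENDING" },
  { txnId: "t4", accountId: "B", amountPaise: 1000, status: "SETTLED" },
];
const SAMPLE_NEW: LedgerRow[] = [
  { txnId: "t1", accountId: "A", amountPaise: 50000, status: "SETTLED" },
  { txnId: "t2", accountId: "A", amountPaise: 12050, status: "SETTLED" }, // amount drift
  { txnId: "t3", accountId: "B", amountPaise: 99900, status: "SETTLED" }, // status drift
  { txnId: "t3", accountId: "B", amountPaise: 99900, status: "SETTLED" }, // replayed write
  { txnId: "t5", accountId: "C", amountPaise: 700, status: "SETTLED" },   // only in new store
];
```

Every finding should be written to the audit trail with the run timestamp, since an unexplained one-sided or altered ledger row is a data-integrity event as well as a migration bug.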

Flutter was used to create a unified cross-platform mobile experience. The app was built using the BLoC pattern for state management, ensuring testability and predictable state transitions. Hive provided local persistence for offline queues. We integrated biometric authentication through platform channels, added push notifications via Firebase Cloud Messaging, and implemented end-to-end encryption for all sensitive fields stored on the device.

Infrastructure was provisioned using Terraform. AWS EBS backed persistent storage mounted to EKS pods, while Azure Blob Storage handled document uploads and static assets. Datadog provided unified observability across all environments, and PagerDuty managed on-call rotations. The transition to Infrastructure as Code meant that any future environment could be provisioned reliably in under 45 minutes.

Results

On the day of full traffic cutover, the platform handled 1.9 million active users without a single incident. API p99 latency, which had been 12 seconds, measured 312ms on the first day and settled to 247ms after a week of traffic pattern normalization. The NestJS microservices handled 18,000 requests per second during Verified by Visa peak traffic events, a fivefold increase over the monolith's capacity.

The Next.js portal achieved a Lighthouse performance score of 94 on desktop and 91 on mobile. Core Web Vitals improved across the board: Largest Contentful Paint dropped from 6.8 seconds to 1.1 seconds, Cumulative Layout Shift fell from 0.32 to 0.04, and First Input Delay decreased from 180ms to 42ms. Session abandonment rate on mobile dropped from 68% to 22% within the first month of deployment.

The Flutter mobile application reached a 4.8-star rating on the Play Store and 4.7 on the App Store within six weeks of launch. Crash-free sessions stabilized at 99.92%, and the average monthly active user rate on mobile increased by 41%, driven by the improved reliability of the core banking flows.

Metrics

The migration delivered measurable improvements across every dimension we tracked. API latency improved by 97%, from a p99 of 12 seconds to 312ms. System uptime increased from 91.4% to 99.97%, eliminating the monthly brownout events that had damaged customer trust. Mobile session abandonment decreased by 67 percentage points, directly correlating with a 28% increase in completed signups. Net promoter score rose from 31 to 47 in the quarter following launch.

From an engineering velocity standpoint, deployment frequency increased from once every two weeks to an average of 3.2 deployments per service per week. Mean time to recovery dropped from eight hours to under 18 minutes, enabled by feature flags, canary deployments, and automated rollback triggers. The engineering team's cycle time—measured from code commit to production—shrank from 11 days to 2.3 days.

Lessons Learned

The most important lesson was the value of strangler fig migration over big-bang replacement. Executing a parallel-run architecture allowed us to validate every service against real production traffic before decommissioning the monolith. The nightly reconciliation scripts were an insurance policy that paid for themselves within the first month, catching three data drift issues that would have become customer-facing incidents.

End-to-end type safety between the Next.js frontend and NestJS backend using tRPC eliminated an entire class of integration bugs. In a system with dozens of API contracts, machine-checked type consistency between client and server reduced integration issues by an estimated 80% compared to the previous handwritten TypeScript interfaces.

Investing in observability early proved critical. Because Datadog dashboards and alerts were configured before traffic was routed to the new architecture, we detected a memory leak in one microservice within 48 hours of the first deployment. Early detection prevented the degradation from reaching production customers.

We underestimated the effort required to migrate legacy data. Documenting all entity relationships, handles, and unsupported data formats consumed an additional three engineering weeks. Future migrations should include a dedicated data archaeology sprint before infrastructure work begins.

Ultimately, this project demonstrated that legacy monoliths are not death sentences. With a disciplined migration strategy, modern tools like NestJS, Next.js, and Flutter, and a commitment to observability, even deeply entrenched systems can be transformed without disrupting the customers who depend on them. SecureBank's 33% user growth in the following quarter validated not only the technical success but the business impact that engineering excellence can drive.
