Most Indian banks still run on legacy on-premise systems — and for good reason. The regulatory requirements are intense. The risk tolerance is near zero. Every change needs to be auditable, reversible, and explainable to an RBI auditor who may not share your enthusiasm for Kubernetes.
In 2024, we built something that didn’t exist in India before: a fully cloud-native banking infrastructure. Multi-region AWS. Aligned with AWS Well-Architected standards. Compliant with RBI’s strictest requirements. Serving a regulated financial institution at production scale.
This is what I learned.
Compliance is an engineering discipline
The first decision that changed everything: we made compliance a first-class constraint from the start, not a layer we’d add at the end.
In most organisations, the security and compliance review happens after the architecture is designed — often after code is written. The result is expensive retrofits, last-minute blockers, and engineers who see compliance as an obstacle rather than a requirement.
We treated compliance controls the way we treated performance requirements: as design inputs. IAM policies were designed to be audit-ready from day one. VPC architecture was built around data residency requirements. Logging and observability were designed for the auditor’s needs, not just the engineer’s.
This made the initial design harder. It made every subsequent audit dramatically easier.
The hardest part was the org, not the architecture
Building the infrastructure took months. Getting eight teams across risk, compliance, security, and product to agree on what “done” meant took longer.
Each team had legitimate concerns. Risk wanted ironclad rollback procedures. Compliance wanted every config change to be attributable. Security wanted blast radius containment on every layer. Product wanted to ship features on the new infrastructure without waiting for the perfect foundation.
None of these were wrong. They were all right, in tension with each other. The coordination work — building shared understanding of constraints, making explicit trade-offs, getting genuine buy-in — was the real project. The infrastructure work was almost the easy part.
Own the primitives, don’t reinvent them
We leaned heavily on AWS primitives and Well-Architected patterns. The value we added wasn’t in inventing new infrastructure patterns — it was in the decisions about how to wire existing primitives together for our specific context: regulated, multi-tenant, high-availability, India-specific data residency requirements.
Regulated environments create a temptation to build custom solutions because off-the-shelf tools “might not meet compliance requirements.” In almost every case, the compliance requirement can be met by configuring the standard tool correctly. A well-configured standard tool is easier to audit, easier to maintain, and easier to staff than a custom build.
The outcome
~$200K/month in cost savings from consolidation and governance. A compliance posture above 90%, which significantly improved audit readiness. Every business unit migrated to the new architecture. A foundation that product teams can build on without worrying about what’s beneath them.
The cost savings were the metric leadership tracked. The foundation was the thing that mattered.
The goal of platform work is not the platform. It’s what the platform enables.