How Kasasa’s Cloud Journey to the AWS Financial Services Competency Helps Protect Their Customers’ Data

By Ulrich Bosquet, Partner Solutions Architect – AWS
By Hung Lee, Chief Information Security Officer – Kasasa
By Sudeep John, Global Tech Lead, Financial Services Competency – AWS

The Amazon Web Services (AWS) Cloud is enabling scalable, flexible, and cost-effective solutions for banking and payments, capital markets, and insurance organizations of all sizes, from startups to global enterprises.

To support the seamless integration and deployment of these solutions, AWS established the Financial Services Competency Program to identify consulting services and software partners with deep industry experience and expertise.

AWS Partners with the Financial Services Competency have demonstrated industry expertise, readily implemented solutions that align with AWS architectural best practices, and have staff with AWS Certifications.

One such partner is Kasasa, a financial technology and marketing provider that drives results for 900+ community financial institutions (CFIs) with innovative banking solutions, branded retail products, world-class marketing, and expert consulting.

In this post, we’ll walk through Kasasa’s multi-year migration to AWS, the benefits of Kasasa’s software-as-a-service (SaaS) platform, and how Kasasa brought 900+ CFIs along for this epic journey.

Kasasa’s Journey from Legacy Architecture to AWS

Founded in 2003, Kasasa was built upon the laser-focused mission of helping community financial institutions win in a highly competitive industry. Nearly two decades later, that mission statement holds true in every Kasasa endeavor.

The key to Kasasa’s success has been constant innovation across its award-winning product line: Kasasa Rewards Platform (KRP), Kasasa Loan System (KLS), and Kasasa Care.

With the explosion of SaaS applications and hyper-connectivity of applications, employees, and consumers, businesses can no longer build tall-enough walls or wide-enough moats around their data.

To stay in lockstep with the speed of innovation, data democratization, and compliance scrutiny, businesses must take a data-centric approach to security. This enables security teams, data owners, and regulatory examiners to confidently attest to the safety and privacy of customers’ most cherished asset: their consumer data.

Being in the financial services industry, and therefore subject to the most stringent security standards, Kasasa sought to gain customer confidence in their cloud competence. Kasasa needed to show their prospects and clients they would protect their data as if it was their own.

Moving to a Fully SaaS Solution on AWS

Rewards checking is one of Kasasa’s longest-standing products. To date, Kasasa has awarded nearly $2.8 billion to everyday consumers, with a significant portion of those rewards attributed to Kasasa’s flagship rewards checking product.

This was made possible by constantly pushing the evolutionary curve of Kasasa rewards checking via three major revisions: Gen1, Gen2, and KRP.

Each revision introduced greater security, scalability, and reliability to meet financial institutions’ rising demands and expectations. Today, KRP is more than the foundation of Kasasa’s rewards checking product—it’s the nexus of Kasasa’s world-class data analytics platform that provides consumer behavioral analytics to 900+ financial institutions across the United States.

Generation 1 (circa 2004)

Kasasa Gen1 Rewards Checking was an on-premises solution installed within each financial institution’s network. The installation package solution consisted of a Visual Basic (VB) application built upon Microsoft Access databases.

Generation 2 (circa 2008)

As the rewards checking product became more popular, Kasasa realized significant speed and scalability challenges with the Microsoft Access database backend. Furthermore, financial institutions yearned for more robust reporting to better understand their consumers’ behaviors. To meet these rising expectations, Gen2 was born.

While Gen2 was a significant step forward in the evolution of rewards checking, it did not fully eliminate all of the pain points of Gen1. Maintenance and software updates still required exhaustive coordination between the financial institution and Kasasa Technical Support Engineering personnel.

Furthermore, end-of-cycle rewards processing still required significant manual touch, and the lack of redundancy and high availability was a concern as delays in rewards processing could impact consumer adoption.

Kasasa Rewards Platform (circa 2017)

By this time, public cloud adoption had become mainstream. Major players in the financial services space had migrated to AWS, and Kasasa realized it was time to follow suit.

A complete redesign of the rewards checking product’s underlying architecture ensued, and coupled with a rebranding of the Gen2 moniker, the Kasasa Rewards Platform was born.

The migration from an on-premises software installation to the KRP SaaS platform transformed its capabilities pertaining to reporting, security, scalability, and reliability. To date, Kasasa has nearly 700 financial institutions on KRP, with approximately 450 of those being Gen1/Gen2 migrants.

Kasasa Rewards Platform Cloud Architecture Overview

Kasasa developed a new software platform using AWS with the intent to entirely replace and surpass the functionality of its legacy systems.

KRP enables faster processing, simplified data transfers, excellent security, and virtually 100% uptime while reducing cost of ownership. It also permits rapid deployments for upgrades, patches, and integrations—a critical feature as banks embrace the digital banking demands of today’s consumers.

Nicolet National Bank, a Kasasa client based in Wisconsin with $4.5 billion in assets, was accustomed to devoting a minimum of six hours a month to calculating and processing rewards for thousands of account holders. They were using a complex arrangement that included an on-site server, secure connections between Kasasa’s headquarters and the bank, as well as file transfers to the bank’s core software provider.

Nicolet saw the potential for significant improvement in the speed, quality, and security of their monthly reward processing needs. They agreed to migrate to KRP by moving away from their manual legacy data extraction and end-of-cycle processing mechanism to the more automated extraction process with no human intervention.

With this migration complete, Nicolet saw a decrease in reward processing errors, resulting in thousands of dollars saved in mistaken payments per month—costs that are carried by the bank and Kasasa.

For reference, in Q4 of 2017, with all clients running legacy software, the error rate was 0.579%. In Q4 2020, with all clients running on KRP, the error rate fell to 0.178% for a 31% reduction in errors that affected rewards. Additionally, the bank was able to slash personnel hours for monthly processing by 91%.

“The benefits of migrating to KRP running on AWS are clear based on the impressive statistics, but it’s the real-life results that truly inspired us to press forward,” says Pradeep Ittycheria, former Kasasa CTO.

“The pandemic stretched everyone’s resources, within businesses and in their employees’ personal lives. So, providing a solution to cut financial costs while gaining employees’ bandwidth was a meaningful pursuit. It’s this sort of innovation that supports community financial institutions and the people they serve that makes me proud to be a part of the Kasasa team,” adds Pradeep.

Automated End-of-Cycle Processing

For Gen1 and Gen2 customers, end-of-cycle rewards processing was manual and time-consuming, spending 10-15 minutes per product to run qualifications and rewards.

This means a financial institution with multiple Kasasa products—such as Cash, Cashback, Tunes, and Saver—can take over an hour to create posting files. With KRP, qualifications and rewards processing are automated.

When financial institution teams come in on the statement end date, the posting files are ready and waiting for them. KRP will already have run qualifications, verified against the previous month’s totals, and sent the files. All the teams need to do is send the posting files to their core providers.

Improved Data Validation

As part of the improved automation, Kasasa also developed more complex algorithms to validate and flag cycle-over-cycle data for inconsistencies.

For example, these algorithms ensure products and transaction codes within datasets are always current and accurate. This means someone at a financial institution can make a change to a product or transaction code, and KRP will proactively flag that change as inconsistent and work with the organization to resolve it prior to incurring consumer impact.

Leveraging AWS Components Within KRP

KRP’s underlying infrastructure is based on Kubernetes on top of Amazon Elastic Compute Cloud (Amazon EC2) instances. Kasasa is currently exploring the benefits of AWS Elastic Kubernetes Service (Amazon EKS), and utilizes AWS native security services like Amazon GuardDuty, Amazon Inspector, Amazon Macie, and AWS Security Hub to protect KRP.

Kasasa performs batch processing upon receipt of core extract files from financial institutions’ core processors. These core extracts are loaded into a small, lightweight application called the Financial Institution Transport (FIT) tool.

The FIT tool is installed in financial institutions’ networks and, courtesy of its lightweight design and small footprint, does not require a dedicated server. The FIT tool executes automatic daily transfers of these core extract files from the network into KRP.

The daily core extract files are loaded into Amazon Simple Storage Service (Amazon S3) buckets that have data encryption enabled to secure all data at rest. Additionally, all financial institutions are assigned unique FI Identifiers (FI IDs), and the Amazon S3 prefixes correspond with these unique FI IDs to create logical separation of one financial institution’s data from another’s.

Upon detection of the core extract files within the S3 bucket, an Amazon Simple Notification Service (SNS) message is triggered. KRP has a downstream service that subscribes to that SNS topic, creates an event on a queue, and consumes the messages from the queue to ensure a continuous flow of messages to process out of that queue.

Each time a file is produced by a service, it’s written to an S3 bucket, the SNS topic gets a message, the SQS queue subscribes to that SNS topic, and the messages from the Amazon Simple Queue Service (SQS) queue are consumed by the subsequent service.

The movement of the core extract files out of the original S3 bucket into a data archive bucket triggers another SNS message that kicks off another service to initiate the data transformation process. This is a critical element of the KRP ecosystem because core extract files have different data schemas depending on the originating core provider.

The data transformation process creates Unified File Format (UFF) files that undergo a data obfuscation process. Upon completion of the UFF and obfuscation processes, KRP initiates the FIDIL process that includes a series of parallel-processing AWS Lambda functions and Java services. Upon completion of the FIDIL processing, the data is sent to the rewards processing engine built upon Amazon Aurora relational database instances.

The Aurora databases utilize FI-specific database schemas to ensure data segmentation between financial institutions. The rewards processing engine awaits a set of files and will not initiate rewards processing until the full set of files has arrived.

Once the full set of files have arrived in the reward processing engine, a job management system built into the reward processing service initiates rewards processing, updates the job management queue, and provides external updates to financial institutions.

Figure 1 – Kasasa Rewards Processing (KRP) components.

Upon completion of rewards processing, various downstream processes ensue.

1. Reporting: A set of reports is written out to another Amazon S3 bucket that FIs can access via the FIRSTBase web application. Some reports are also automatically transmitted via the FIT tool from S3 buckets to the financial institutions’ network.
2. Enterprise data warehouse (EDW): The EDW (built upon Amazon Redshift, Amazon Athena, and AWS Glue) is the foundation for Kasasa Insight, a data analytics platform that provides world-class consumer behavioral analytics to Kasasa’s FIs.
3. Posting service: After end-of-month posting, the posting service will pick up the posting information and translate it back into the FI’s core language, put it in the S3 bucket that the FIT tool is monitoring, and that will automatically be transferred back to the financial institution for them to process and issue rewards. FI-specific data configurations are used to ensure proper translation of these posting files back to the FI’s core language, and these configurations are stored in Amazon DynamoDB.
4. End-of-cycle emails: Completion of end-of-month processing triggers end-of-cycle emails that are sent directly to all customers to inform them of their qualifications and rewards during that cycle. The email data gathering and sending is performed via a Lambda-based microservice.

Figure 2 – Kasasa Rewards Processing (KRP) data flow.

Summary

“Customer confidence in our cloud competence” served as Kasasa’s North Star throughout this cloud migration journey. From the early stages of a Microsoft Access database to today’s KRP SaaS platform running on AWS, Kasasa has always put customer trust, safety, and satisfaction at the forefront of its endeavors.

Educating community financial institutions on the benefits of AWS was imperative to gaining their trust and willingness to adopt the AWS Cloud. Achieving the AWS Financial Services Competency accreditation further shows Kasasa’s commitment to the safety and privacy of securing FI’s most cherished asset: their consumer data.