Selected work

Traders depositing in multiple currencies were funnelled to a single payment provider, so deposits failed whenever that provider had localised outages or weak success rates in specific corridors — stalling onboarding in regulated regions.

Designed a routing layer that selects PSPs per request based on currency, region, KYC tier, and live success-rate metrics. Integrated multiple global providers behind a uniform internal contract, with per-provider adapters, idempotent request handling, and a fallback chain for failed authorisations.

Deposit success rate improved measurably across affected corridors. Onboarding a new PSP dropped from weeks to days.

Retries from upstream PSPs and async webhook deliveries occasionally produced duplicate postings against trader wallets, forcing finance to perform manual clawbacks and exposing the firm to regulator-flagged clawback risk.

Reworked the deposit and withdrawal pipeline around deterministic idempotency keys persisted in PostgreSQL, with explicit state machines per in-flight transaction. Made webhook handlers replay-safe. RabbitMQ-driven workers retry until a terminal state is reached, with a dead-letter queue and operator tooling for stuck entries.

Eliminated double-postings in production. Nightly reconciliation moved from manual review to an automated daily report with exceptions only.

Reconciling internal wallet ledgers against PSP statements was a manual end-of-day exercise that could not keep up with trade volume; discrepancies were caught hours or days after the fact.

Built a reconciliation pipeline that ingests PSP statements (CSV, API, SFTP-delivered) into a normalised event store, then matches them against the internal ledger using deterministic and fuzzy rules. Surfaced unmatched entries in an operations UI with one-click resolution actions.

Daily reconciliation dropped from a multi-hour manual review to an automated run with a small exception queue. Discrepancies are now caught the same day they occur.

Permissions for sensitive operations — overriding KYC, approving large withdrawals, adjusting trader balances — were spread across services with inconsistent enforcement, making audits and least-privilege reviews painful.

Designed a scalable permission module centralising role definitions, resource scopes, and approval workflows. Modelled around domain-driven primitives so each service checks authorisation against a single source of truth. Added an audit log capturing every sensitive action.

Audits that took weeks of evidence-gathering now run from a single query. Onboarding new operational roles became a configuration change rather than a multi-team effort.

Banks, insurers, and brokers across the US must report and remit unclaimed customer funds to each state under different escheatment rules. Maintaining accurate state-by-state reporting cycles was a manual exercise that exposed clients to regulatory fines whenever a rule changed.

Built a compliance platform handling owner-record ingestion at scale, due-diligence workflows (notifying owners before remittance), and per-state reporting formats with versioned rule packs. Mixed ASP.NET MVC for the operator interface with .NET Framework and .NET Core Web API services backing the workflow engine.

State reporting that previously took weeks of analyst work compressed to a guided multi-day workflow. Per-state rule changes ship as data updates rather than code releases.

Internal services exposed inconsistent authentication schemes and rate limits, blocking partner onboarding and pushing security policy into every team's backlog.

Led the design and build of an API gateway combining .NET Core, Node.js, and Azure API Management — fronting all partner-facing services with unified OAuth2, throttling, request shaping, and routing. Migrated services behind the gateway incrementally without disrupting active integrations.

Partner integration time dropped from weeks to days. Security policy is now enforced in one place rather than audited per service.

A monolithic legacy product could not be extended to support multi-tenant deployments and hierarchical project-group structures without taking the entire system down for every release.

Designed a distributed microservice architecture from scratch around domain-driven service boundaries. Implemented structured workflows for project lifecycles, role-based access for hierarchical data, clean service contracts, and message-driven coordination.

Each service ships independently, enabling continuous delivery for the first time. New tenants onboard without code changes and team-level rollouts no longer block product-wide releases.

Regulated customers needed a fully digital onboarding flow — identity verification, document capture, address validation, and a complete audit trail — that legacy paper-based processes could not deliver at scale.

Led the design and build end-to-end: backend APIs (.NET Core, Web API, SQL Server), a customer-facing Angular frontend, and supporting services hosted on Azure with CI/CD for continuous delivery. Integrated identity providers and an immutable audit log capturing every step.

Average onboarding time dropped from days to minutes for end customers. Full audit trails are available to compliance officers on demand.

Customers in regulated industries needed legally-credible electronic signatures with tamper-evident proof of document integrity that could stand up to legal challenge years after signing.

Designed and built a secure e-signature service: backend APIs handling signing ceremonies, a responsive frontend for signers, and blockchain integration anchoring document hashes to a public chain for independent verifiability. Hosted on Azure with hardened key management.

Signed documents became independently verifiable from the document and the chain reference alone — without trusting the issuing platform. Adopted by clients with the strictest evidentiary requirements.

First-responder agencies needed a single platform to track critical assets — vehicles, equipment, personnel — and coordinate response during incidents, with role-based access for neighbouring agencies sharing the same infrastructure during multi-agency operations.

Built the platform on ASP.NET Boilerplate with an AngularJS front-end, leveraging its modular architecture for tenant isolation, role-based access control, and audit trails. Designed workflows for incident lifecycles, asset assignment, and cross-agency coordination.

Agencies that previously coordinated by phone and spreadsheet now share a live operational picture during incidents. Tenant isolation lets neighbouring agencies join multi-agency operations without granting full data access.

As trader volume grew, several backend services were hitting tail-latency budgets — slow synchronous database queries and chatty service-to-service calls dominated the hot path during market opens.

Profiled the hot path end-to-end. Introduced Redis caching for read-heavy reference data, moved non-critical work onto RabbitMQ workers, and containerised the affected services with sized resource limits for predictable scheduling. Tuned EF Core query patterns and added per-endpoint latency budgets enforced in CI.

p99 latencies on the affected endpoints dropped substantially. The platform now absorbs market-open spikes without degraded user experience.

Each new client deployment required engineers to provision and configure servers by hand — slow, error-prone, and inconsistent. Environment drift led to reproduction-only bugs in production.

Built an automated provisioning toolchain combining Angular for the operator UI, a .NET Core Web API as the control plane, and Ansible playbooks for the actual infrastructure work. Every deployment was idempotent and parameter-driven.

New client environments now stand up in minutes instead of days. Environment drift between clients and across release cycles has effectively been eliminated.