In September 2022, Monzo became a direct participant of the Bacs scheme 🎉
Bacs is the scheme that powers Direct Debits and Direct Credits, which allow you to pay your bills automatically and get your salary paid directly into Monzo. Through new connections, extensive testing and a successful migration, we can continue scaling up safely and have reduced our risks around moving money. Here's how we did it.
Bacs to Basics
Bacs is one of the oldest payment schemes in the industry, and was originally designed for automating credits between banks. It is built around a three day processing cycle which originally gave time for operators at banks to walk magnetic tapes with payment instructions between banks. Nowadays, Bacs files are sent over the SWIFT Banking Network and are processed fully digitally, but there are still tape markers in the digital files we receive today!
There are two types of Bacs payments:
Direct Credits pushes money into your account, such as your salary. These types of payments power our Get Paid Early feature that allows you to get your salary a day earlier
Direct Debits pull money from your account, like bill payments
We say that money is pulled from your account because you or your bank don’t trigger the payment to be sent. Instead, to get money for a bill, your utility provider sends a request to your bank to pull the money from your account, which is authorised with a Direct Debit Instruction.
Moving money between banks
In 2017, we partnered with another bank to be our Bacs Sponsor, but what does this mean? Let’s take a look at how a Direct Debit gets paid behind the scenes:
Your utility provider submits a Bacs record to the scheme containing your account number, sort code, the amount that needs to be paid and who to send the money to.
The Bacs scheme knows which bank owns each sort code and on the second day sends all of the records with Monzo’s sort codes to us in files during the day. We process the files and show you a notification to tell you the payment will happen the next day. Bacs also tells our Sponsor and the Bank of England the total amount of money that needs to move between banks.
On the third and final day, we take the money from your account. We then have to send money to our Sponsor Bank to cover all the bills being paid by our customers. Finally, the Bank of England moves the money from our Sponsor's bank account and they send it to the bank the utility provider uses.
Moving this money between banks is called Settlement and the process varies between different payment schemes. For example, whilst Bacs settles once per day, Faster Payments settles three times a day.
Reducing risks
For the final step where money moves, we had to build controls and checks around the manual step of moving money between us and our Sponsor bank. As Monzo continues to gain more customers, this amount was getting bigger and bigger, and the risk of something going wrong was increasing.
There are also limits imposed by our regulators of how much money we could hold in our sponsor bank. In the middle and at the end of the month when our customers typically get paid, we were getting close to this limit.
To mitigate these risks and allow us to continue growing, we needed to become Direct Participants of the Bacs scheme. The main benefit of this is that we no longer need to manually send money to our Sponsor as the scheme settles directly with Monzo’s Bank of England account, as well as no longer having limits on how much money we could receive each day.
Migrating to Direct Participants
Over 18 months, a team of Monzonauts across engineering, operations, customer support, risk, legal, infrastructure and more, have been working behind the scenes to enable us to become Direct Participants. We had to:
build a new connection to the the Bacs scheme over the SWIFT banking network
acquire, implement and test a new set of certificates to validate that Bacs files are coming from the scheme and have not been tampered with
perform extensive testing with Bacs to prove we could send and receive Bacs files according to specifications
test that settlement occurred correctly in our Bank of England account
make sure we conformed to scheme rules and regulations, both from a technical and contractual perspective
most importantly, roll this out to over 6 million customer accounts without affecting a single payment or our customers noticing anything had changed
Connections and certificates
As part of becoming Direct Participants, we needed a new connection to the scheme and as part of this, a new set of certificates. These certificates are used to sign and verify that the files we send and receive from Bacs are actually from the scheme. This is crucial to make sure that payments we send and receive are coming from who they say they are.
The certificates are stored in Hardware Security Modules (HSM), a cryptographic hardware device that signs and verifies data. Let’s take a look at what happens when we send a Bacs file:
One of our Bacs microservices generates a file and takes a hash of the file. We send this hash to the HSM that signs the hash with our private key.
The HSM returns a signed hash of the file and we append this to the end of the Bacs file.
We queue the signed file to be sent within our SWIFT Infrastructure.
We send the file over SWIFT to the scheme. The scheme have our public key, and can verify the signed hash came from Monzo, and that the file contents matches the hash. This then fully verifies the hash and that the content is a genuine file from Monzo.
We had to do additional testing with our new certificates to ensure that we were not going disrupt our existing connections to both Bacs and other schemes.
Testing
After several rounds of testing in the schemes test environment, we were confident with the migration and received the go ahead to do this in production from the scheme and our internal risk committee. We chose Monday 12th September 2022 for our customer migration day.
We chose this date as we typically receive a lower volume of Bacs payments on this day of the month and if anything went wrong, it would reduce the potential impact on customers. Our data analytics helped us figure this out, and if you're interested you can read more about our data tooling and warehouse in a previous post.
Migration day
Bacs is crucial to many of our customers as it’s how you typically receive your salary and pay your bills. Throughout the night, the team of engineers kept a close eye on our systems using our extensive monitoring and alerting, to make sure that the file was verified and processed correctly.
If anything went wrong, we were ready to tackle any issues that would prevented customers seeing payments they expected in their apps when they woke up that morning. We also were excited to see 18 months of our hard work pay off.
On Tuesday 13th September at 12:19am, we received our first file of customer Direct Debit Instructions over our new connection, and 8 minutes later we received our first file of payments 🎉
The migration went very smoothly, and the payments and instructions files were processed without any engineering intervention. Since the migration, we have processed billions of pounds of customer Direct Debits and Direct Credits, and are now listed as one of the 31 banks in the UK who are Direct Participants of Bacs.
Our mission is to make money work for everyone. Bringing this crucial part of how customers pay their bills and get their salary paid into Monzo helps us with this mission. Becoming Direct Participants of Bacs not only reduces our risk, but also allows us to continue scaling up and enable new capabilities in the future. We'd like to thank the Bacs scheme and their technical partners for working with us throughout planning, testing and the migration to customers.