An automated, real-time trading system that allows administrators to configure trading strategies based on various technical indicators, and investors to invest their money in a selected strategy.
How to survive unreliable venues, payment providers, KYC APIs, and market data feeds.
A Monday Morning Failure Story
Imagine a fintech operations team opening its administrative dashboard at 09:17 on a Monday morning. A high-value customer transfer, a critical broker order, or an urgent KYC document verification has just been submitted from the mobile app.
The backend service makes a synchronous HTTP request to an external provider: a payment gateway, a banking API, a broker venue, or a KYC verification vendor. The request leaves the system successfully. Then the provider’s API hangs. After 28 uncomfortable seconds, the connection times out.
From the operator’s perspective, there is no final answer. The status is UNKNOWN. From the customer’s perspective, there is a spinner, then a generic error. But inside the provider’s systems, the request may already have been accepted. Ten minutes later, webhooks start arriving. The first says PENDING. Another says FAILED. A third says SUCCEEDED. Meanwhile, an automated retry from the backend has already fired because the original request looked like a failure.
Architecture Recommendation: Fail Fast with Circuit Breakers Allowing a connection to hang for 28 seconds under high load is a recipe for cascading failure. A sudden spike in provider timeouts will quickly exhaust your database connection pool and worker threads. Mature systems wrap synchronous external calls in a Circuit Breaker pattern. If the provider degrades, the circuit “trips,” failing incoming requests immediately without waiting for a timeout, giving the provider time to recover and protecting your internal infrastructure from resource exhaustion.
This is the moment when the real architecture of a fintech backend becomes visible.
A naive service treats the network timeout as a definitive failure and retries blindly. It updates its database based on whichever webhook arrived last. It assumes the provider’s latest message is the truth. That system may work in a demo, but in production it can create duplicate charges, double-submit orders, lose audit evidence, or force operations to reconstruct financial history from scattered logs.
A mature Python fintech system treats the external provider as an unreliable witness: necessary, valuable, but never allowed to overwrite internal truth without passing through strict, replay-safe rules. The provider may know something the platform does not know yet, but the platform decides how that information changes its own ledger, state machine, risk model, and operator workflow.
The Architecture Pattern: Internal Truth First
Fault tolerance begins with a simple rule: separate provider status from internal status.
External providers expose their own lifecycle vocabulary: succeeded, settled, filled, approved, cancelled. Those statuses are useful, but they are not your domain model. A fintech platform needs its own internal lifecycle built around business invariants:
- No duplicate ledger lines.
- No impossible state transitions.
- No silent balance changes.
- No irreversible operation without evidence.
- No provider event applied twice by the same consumer.
In Phoenix Platform, order legs use an explicit state machine. A PENDING leg can become PARTIALLY_FILLED, FILLED, REJECTED, or CLOSED. A CLOSED leg cannot move back to PENDING because a late provider message said so.
# services/portfolio_execution/src/portfolio_execution/domain/order_leg.py
_VALID: dict[LegState, frozenset[LegState]] = {
LegState.SUBMITTED: frozenset({LegState.PENDING, LegState.REJECTED, LegState.CLOSED}),
LegState.PENDING: frozenset({LegState.FILLED, LegState.REJECTED, LegState.PARTIALLY_FILLED, LegState.CLOSED}),
LegState.PARTIALLY_FILLED: frozenset({LegState.PARTIALLY_FILLED, LegState.FILLED, LegState.CLOSED}),
LegState.FILLED: frozenset({LegState.MODIFYING, LegState.CLOSED}),
LegState.MODIFYING: frozenset({LegState.FILLED, LegState.REJECTED, LegState.CLOSED}),
LegState.REJECTED: frozenset({LegState.CLOSED}),
LegState.CLOSED: frozenset(),Python Specifics: Data Types and Isolation When implementing financial ledgers in Python, never use float for monetary values. Floating-point arithmetic will lead to lost pennies and failed audits. Always use Python’s built-in Decimal module. Furthermore, when combining state machines with database transactions (e.g., using SQLAlchemy and asyncpg), ensure your transaction isolation level is set appropriately. To prevent “phantom reads” during simultaneous webhook processing, financial updates often require REPEATABLE READ or even SERIALIZABLE isolation levels.
The Dual-Write Problem and the Transactional Outbox
One of the most common ways fintech platforms lose data is through the dual-write problem.
An API receives a request. The backend updates PostgreSQL. Then it publishes an event to Kafka. If the database commit succeeds but the broker publish fails, the system is inconsistent. The money moved, but the risk system did not hear about it.
Enterprise platforms solve this with the transactional outbox pattern. The service writes both the domain state change and the intent to publish an event in the same database transaction. A relay publishes pending outbox records later.
# libs/outbox/src/outbox/model.py
class OutboxRecord(Base):
__tablename__ = "outbox"
id: Mapped[UUID] = mapped_column(sa.Uuid, primary_key=True, default=uuid4)
topic: Mapped[str] = mapped_column(sa.String(256), nullable=False)
payload: Mapped[str] = mapped_column(sa.Text, nullable=False)
status: Mapped[OutboxStatus] = mapped_column(_outbox_status_pg, nullable=False)
# ...At higher scale, teams often replace polling with CDC-based delivery (Change Data Capture), such as Debezium tailing the PostgreSQL write-ahead log. However, CDC introduces massive infrastructure complexity (schema evolution handling, replication slot monitoring). Recommendation: Do not rush into CDC. For most early-stage and moderate-volume systems, simple PostgreSQL polling using SELECT ... FOR UPDATE SKIP LOCKED is incredibly robust, highly concurrent, and requires zero additional infrastructure. Move to Debezium only when database load makes polling unsustainable.
Webhook Handling and Strict Idempotency
Inbound webhooks are the most revealing integration surface in a fintech system. The idempotency guard must be durable. A Redis cache may help performance, but the reliable guard is a stable identity backed by a database uniqueness constraint.
Phoenix models this with ProcessedEvent, where event_id and consumer_group form the composite key.
However, naive implementations often introduce a critical Check-Then-Act race condition. If you query is_processed() and then execute your handler, two concurrent webhooks (e.g., delivered simultaneously due to a network retry) will both pass the check before either writes to the database.
To fix this, you must use an Insert-First approach. Uniqueness must be enforced by the database before business logic runs:
# libs/messaging/src/messaging/consumer.py
async def process_if_new(
self,
event_id: UUID,
session: AsyncSession,
handler: Callable[..., Awaitable[None]],
) -> bool:
store = self._get_idempotency_store(session)
# 1. Enforce uniqueness at the database level FIRST.
# Using PostgreSQL's `INSERT ON CONFLICT DO NOTHING`.
# This prevents the classic "Check-Then-Act" race condition.
lock_acquired = await store.acquire_event_lock(event_id, self.consumer_group)
if not lock_acquired:
logger.info("Skipping already-processed or concurrently processing event %s", event_id)
return False
# 2. Execute business logic.
# If the handler raises an exception, the SQLAlchemy transaction rolls back,
# releasing the lock (the idempotency record is not saved), allowing safe retries.
await handler()
return TrueReconciliation Is A First-Class Product Feature
Even with strong state machines, transactional outboxes, and durable idempotency, webhooks are not enough. A provider can permanently drop an event, or group hundreds of charges and fees into a single settlement payout.
If the platform relies only on inbound events, it is outsourcing correctness to network timing. Reconciliation is how the platform takes correctness back.
The Reconciliation Pipeline
A production reconciliation subsystem usually has five stages:
- Ingestion. Importing raw provider reports and preserving raw evidence.
- Normalization. Mapping provider schemas into a canonical internal schema.
- Matching. Connecting external rows to internal records.
- Classification. Identifying the exact shape of a mismatch (
MISSING_INTERNAL,AMOUNT_MISMATCH,TIMING_MISMATCH). - Resolution and evidence. Triggering automated compensating actions for safe mismatches, or opening manual investigation cases for risky ones.
A Python Reconciliation Job Shape (Fixed for Scale)
A common mistake in reconciliation scripts is the N+1 query problem: making a database query inside a loop for every single row in a bank report. On a report with 50,000 transactions, this will crash your database. The solution is batch-fetching.
Here is an optimized, production-ready reconciliation workflow:
from dataclasses import dataclass
from decimal import Decimal
from enum import StrEnum
class MismatchType(StrEnum):
MISSING_INTERNAL = "MISSING_INTERNAL"
AMOUNT_MISMATCH = "AMOUNT_MISMATCH"
# ...
@dataclass(frozen=True)
class ProviderLedgerRow:
provider_transaction_id: str
amount: Decimal # Never float!
currency: str
raw_report_id: str
async def reconcile_provider_report(report_id: str) -> None:
raw_rows = await provider_reports.load_raw_rows(report_id)
provider_rows =[normalize_provider_row(row) for row in raw_rows]
# FIX: Batch-fetch internal records to avoid the N+1 database problem
provider_ids =[row.provider_transaction_id for row in provider_rows]
internal_records = await ledger.find_by_provider_ids(provider_ids)
# Create an O(1) lookup map
internal_map = {record.provider_transaction_id: record for record in internal_records}
for provider_row in provider_rows:
internal = internal_map.get(provider_row.provider_transaction_id)
if internal is None:
await exceptions.open_case(
mismatch_type=MismatchType.MISSING_INTERNAL,
provider_row=provider_row,
evidence={"raw_report_id": provider_row.raw_report_id},
)
continue
if internal.amount != provider_row.amount or internal.currency != provider_row.currency:
await exceptions.open_case(
mismatch_type=MismatchType.AMOUNT_MISMATCH,
provider_row=provider_row,
internal_record_id=internal.id,
evidence={
"internal_amount": str(internal.amount),
"provider_amount": str(provider_row.amount),
},
)
continue
await reconciliation.mark_matched(
provider_transaction_id=provider_row.provider_transaction_id,
internal_record_id=internal.id,
report_id=report_id,
)Automated Resolution vs Manual Investigation
Not every mismatch should be fixed automatically. Missing internal ledger entries for a successful provider transfer is not something to silently insert without review. An amount mismatch may involve fees, FX, or provider-side adjustments.
This is why reconciliation dashboards matter. A mature dashboard should show internal and provider objects side-by-side, highlight differences, suggest mismatch classes, and provide exportable evidence for auditors. Reconciliation is not a back-office script; it is a control surface for financial truth.
The Business Value of Fault Tolerance
For business stakeholders, enterprise buyers, and compliance officers, this technical depth translates directly into commercial credibility.
An engineering team that can explain outbox patterns with SKIP LOCKED, strict state machines, insert-first idempotent consumers, circuit breakers, and reconciliation exception management is easier to trust with regulated workflows than a team that only promises fast feature delivery.
For fintech teams building Python-based platforms, fault tolerance should be designed into the architecture from the start. API boundaries, state machines, async processing, observability, reconciliation, and audit evidence all need to work together. This is where experienced Python development services for enterprise AI, data, and real-time systems become relevant — not as generic backend development, but as engineering for systems that must stay reliable under imperfect external conditions.
When failure is treated as an expected architectural input rather than a surprise, the fintech platform becomes more than a collection of APIs. It becomes an operational system that can protect money, explain decisions, and recover gracefully when the outside world behaves badly.