WeLend, a pioneer in the online direct-to-consumer lending market in Hong Kong, runs 100% of its workloads in the cloud and its head of IT believes that the company is in good technological footing because of it.
“If we were to build what we have now using traditional infrastructure, we wouldn’t be able to automate as much as we have,” said Eddie Tse, head of IT at WeLend, during a recent roundtable interview with the local technology press.
WeLend is the first service offered by WeLab when it begun a foray into the then emerging Fintech industry in 2013. Through its WeLend online trading platform, WeLab blazed the trail with the first short-term loan offering in Hong Kong – providing a low-cost alternative to traditional financial services.
Today, two other business arms have joined the WeLab family – Wolaidai in China and AWDA, a Fintech joint venture in Indonesia.
True to its startup mentality, WeLend’s drive for innovative transformation is not limited to its business. It also influenced the company’s decision to take advantage of the expediency of the cloud to jumpstart the development of their IT infrastructure.
“The whole business in Hong Kong is composed of around 110 people. We in the IT department run a very lean team of 20 people,” said Tse, adding that the team is primarily tasked on to develop WeLend’s online platform and build services on top of that.
With the IT team focused on delivering online loan application services to customers, the company went to AWS to provide the compute and storage resources it needed to build WeLend’s technology from scratch.
“We have been using AWS for quite a number of years. They are the right partner for us when we were developing our platform six years ago. AWS has always been quite supportive of the open source community. As a startup, that aligns quite well with what we want,” said Tse, adding that his team has built up a lot of skillsets in using the AWS platform.
He added: “AWS helped us along the way even when we were a small startup on how to use their technologies and services. So, our team have been very comfortable with using AWS – how to operate and run it in a production environment.”
Don’t reinvent the wheel
By relying on AWS to provide the underlying infrastructure, WeLend found a cost-effective way to scale up their IT resources as needed – which is very important then to the new Fintech startup making a foothold in a nascent market.
According to Tse, one of the benefits of having a long-term partnership with an established technology provider like AWS is its ability to accompany an enterprise customer through their technology roadmap as the business matures.
“This is a very good thing for us because we do not necessarily have to have our R&D team focused on the underlying infrastructure and cloud services,” he said. “We leave it to the expert team, at AWS to do that for us, so we can concentrate on building what we are good at and what we deliver to the marketplace – which is our credit risk technology and our operating model for the lending business.”
“So why do we need to reinvent the wheel if we need to run and manage a database? We started off using an open-source database that we run ourselves on top of AWS. But then later, we moved to their relational database serves (RDS) because that frees us from having to manage and run that database, giving us more time to focus on what we do best,” he added.
Over the years, WeLend has expanded its adoption of AWS offerings.
“One of the things that makes the AWS partnership worked for us is that they constantly bring out new services as they follow industry trends, which keeps the technology behind underlying infrastructure current,” Tse said.
From starting out with AWS S3 to store information, the company has enabled additional features such as automatic backup and policies.
“Before, we had to write scripts if we were running EC2 instances and we wanted to have resiliency and disaster recovery. We had to write scripts and take snapshots of the EBS volume,” Tse recalled. “Now, they have come out with services where it is an API call to automate that backup for us.”
Furthermore, WeLend moved its earlier AI efforts into the AWS platform, when the technology provider released its packaged AI offering called SageMaker.
AWS SageMaker provides every developer and data scientist with the ability to build, train, and deploy machine learning models quickly. The fully-managed service covers the entire machine learning workflow to label and prepare your data, choose an algorithm, train the algorithm, tune and optimize it for deployment, make predictions, and take action.
“About two or three years ago, there was a big push about AI, chatbots and all these sort of stuff. We were using an open-source framework to do those ourselves,” Tse said. “But AWS SageMaker also has the strong support of that open source ecosystem that we used to internally build our model It just makes it easier for us to use the same toolset.”
He added: “Once again, it saves us time having to operate our own configuration and deployment using those open-source tools to a productized environment. The advantage of that is as I am getting new resources to grow my team, my new team member do not have to learn my proprietary deployment of those tools. If they have worked with AWS in their previous jobs, the talents that come onboard already have that skillsets. It is that ecosystem which helps us to get them up to speed quicker.”
Dealing with compliance requirements
Data security is a priority for WeLend and it constantly seeks ways to improve the protection of data in their platform.
According to Tse, WeLend takes a holistic approach to security to ensure the company’s data are protected technologically, with the internal human processes properly aligned and people trained in the right handling of data.
Beyond this, the company has independent assessors to come in regularly to assess its security posture and external consultants are also brought in for fresh perspective on new ways that hackers can use to launch their attacks. Furthermore, penetration testing are also being done regularly.
“We make sure that only the right people have access to the data. If you apply a loan with us, you are the ultimate owner of the data that you entrust to us,” Tse said. “We take the ‘least privilege access’ mentality so that as we are processing your application, our processes are designed such that we only need to see what is necessary to get the job done, which for us is to review and approve the loan application. And then we make sure that we are in compliance with all the requirements of Hong Kong’s PDPO Ordinance on data privacy.”
According to Tse, compliance has become top of mind inside the company especially in the last 12 months.
“As we go through the growing journey of a startup, the compliance issue is something that we need to pay more and more attention to. In the early phase of the startup, it was all about following the lead, having that start up mentality and getting the product out there.”
According to Tse, when WeLend embarked on its cloud journey with AWS, the security of the infrastructure is not as robust as it is now.
“When we started, they did have the new security features that they have now,” he said. “And just as we are getting ready to be more compliant and are doing more compliance work, because we are getting bigger, AWS’ security services are there to give us a good headstart to get compliance in the cloud.”
Last year, the company enabled services such AWS Config and CloudTrail. AWS Config enables WeLend to assess, audit and evaluate the configurations of its AWS resources, while CloudTrail enables governance, compliance, operational auditing and risk audition of WeLend’s AWS account,
“And then, when AWS came up with GuardDuty, which essentially takes the CloudTrail information and then put machine learning abstraction on top of it to interpret events that are generated and then raised alerts for us”
On the application level, Tse said the company uses data masking, with encryption playing a very important role in it.
“Once the data is encrypted, then you can’t see even if you get a copy of the data,” Tse said. “So how we use AWS for security is more about how we operate AWS so that we have all those encryption and access controls in place.”
He added: “There are a number of different options available in AWS. For example, we can use their Key Management Service (KMS) and use its built-in encryption techniques for different types of AWS services.
“For example the EC2 that compute the backend storage on S3 can be encrypted with KMS. RDS, which is something that we use, can leverage the same sort of techniques to make sure data are secure in transit as well as at rest.
“Then, we want to have control of owning the master keys which are the encryption keys. So we put our internal process around how to use the KMS service so that we have control of the encryption key rotation and all that sort of stuff to make sure it is compliant with data protection requirements.”
Security as a shared responsibility
According to Tse, a strong partnership with your technology provider is essential in securing a company’s data in the cloud.
“We put a lot of emphasis on making sure our data is secure in AWS. And the way we do that is to always how we can leverage the services provided by AWS to create that strong data security. Strong partnership is a must because they have abstracted the best practices from different customers and put them in the platform. We can then leverage on these best practices that the platform provide and use them.”
As WeLend grows in its use of AWS, Tse sees the shared responsibility model of the cloud provider as a major benefit.
“AWS operates the security off the infrastructure and when we as the end-user manages the security of how we use AWS. It is about a lot of training and best practices framework on both sides.”
Moving forward, Tse hopes to do more automation.
“We have already done a lot of automation work but we want to take it to a point where it is even more automated – being able to repeatedly use the services in a consistent way. Consistency and repeatability is very important for us."