Author: Idle fish technology — Hundred nights
An overview of the
As an Internet company, we deal with money more or less every day. Stability, capital loss, and security are the insuperable limits of our business and systems. Any capital loss event, the company will suffer capital losses, and even the amount of a capital loss compensation company can not afford to go bankrupt instantly. Capital loss events, in addition to capital losses, may also trigger public relations events, resulting in users of the company’s trust crisis, shaking the company’s mass base. So now every team, especially when it comes to payments, takes loss prevention and control very seriously. Although the prevention and control of capital loss is the most complicated problem that has not been solved by big measures at present, some experience and methodology have been accumulated through the input, practice, analysis and summary of various teams. This paper introduces the overall methodology of capital loss prevention and control and the practice under the idle fish trading system.
Capital loss definition
Definition of capital loss: Capital loss refers to any direct or indirect capital loss suffered by the company or its customers due to product design defects, product implementation abnormalities, and employee operation errors. Based on this definition, we need to focus on the following key points:
• Causes of capital loss: product design defects, product implementation abnormalities, staff operation errors. • Consequences of capital loss: direct or indirect capital loss to the company or its customers.
In a broad sense, as long as the funds after the operation of the system are inconsistent with the expected funds of the business, they are counted as capital loss events. In the process of troubleshooting capital loss, if the capital is still in the company system, it is easier to deal with, and will not cause actual capital loss. But once the funds out of the company system, to the hands of users, resulting in user losses, the company must pay, if the user profit, the company is more difficult to recover. Therefore, the outflow of funds involving users is the focus of capital loss prevention and control.
Overall methodology of capital loss prevention and control
• All capital loss events are caused by people, so the center of capital prevention and control must be carried out around the core of people. • All business is realized through applications. When a business operation is completed, data is left behind. Therefore, capacity building related to capital loss prevention and control must be carried out around application and data. Capital loss problem, especially for technical reasons, is also a bug, believe that everyone is clear, the bug is impossible to be completely destroyed, there will always be a bug can cause problems, omission to online some will lead to business failure user experience problems, serious can cause stability problem, some may have holes by the user use, while others can cause damage. Therefore, the problem of capital loss is impossible to be completely eliminated. Though capital loss problem cannot eliminate completely, but we can still through some methods and means, try to find information and loss problem before product launch circumvented (avoid), if the product online after happens also to be able to timely find (find), found in a timely manner after the emergency response ability (emergency), reduce the loss and impact of the capital loss events. • For capital loss risks, we need to invest special resources (organizational support) to do prevention and control related to the advance, and we need to develop corresponding norms and systems to ensure that everyone is in accordance with the corresponding norms and systems to avoid part of the risk. At the same time, we also need to reveal and disclose the risk situation, and invest resources to deploy risk prevention and control capabilities.
The definition and methodology of capital loss are introduced above. In the methodology, three capabilities required for capital loss prevention and control are mentioned: evasive ability, detection ability and emergency ability. The following focuses on the construction process of real-time detection ability of idle fish.
Discover the general idea of capacity building
The construction of discovery ability is mainly built around data checking to find the inconsistency between business information and funds. For discovery capabilities, the key metrics are coverage and timeliness. Coverage rate represents the problem of whether a capital loss problem can be discovered. If a capital loss problem is not covered by corresponding discovery ability, once it occurs, the loss caused is unforeseeable. The time limit represents the discovery time after the problem capital loss occurs. Assuming that a capital loss event causes a capital loss of 100,000 yuan per hour, then the discovery after one hour is 2.3 million yuan less than the discovery after one day. If it is 1 million yuan per hour, it is 23 million yuan. If the time efficiency achieves real-time, and has the real-time fusing ability, can even achieve 0 capital loss.
Technical background
There are many trading modes of idle fish: ordinary C2C, B2C, inspection treasure, purchase treasure, recycling, consignment and so on; So in so many transaction modes, how to extract a set of common, real-time, easily accessible assets of real-time discovery capabilities? First, a brief introduction of alibaba’s two platforms for capital loss prevention and control:
•MAC platform: data check platform, can compare two sections of SQL running results, there is a difference can alarm. Disadvantages: no real-time; Running SQL too often puts a lot of extra strain on the database. •BCP platform: real-time data verification platform, which can subscribe to the data of each middleware, and customize scripts for real-time data comparison, and has alarm ability.
Since BCP can achieve real-time comparison and alarm, it is good for us to make use of BCP. What do we need to do? Standardize data sources, unify BCP configuration, unify BCP scripts. As long as we can standardize and unify, the time and learning cost of capital loss prevention and control can be greatly reduced.
Data checking and analysis
• Validation model
• Certificate: represents the business evidence of the occurrence of the business, such as transaction receipt and payment receipt. The business certificate records the source of the business, the parties involved, and the information related to the funds. • Solid: represents the actual capital flow. Alipay account, account, bank card account, account
• Business rules model
• There are often many business rules in our system, so whether the operation of business rules is in line with expectations needs to be checked. Take a simple example, we need to draw 10% of the order amount as inspection fee, and the inspection fee should be distributed to the platform and the inspector in accordance with a certain percentage. When any one of the three percentages is incorrectly configured or the code is buggied, the platform and the inspector will suffer from capital loss.
To summarize: With these two models, our data verification link is a verification link, and verification and reality are generated by business rules. In fact, it can be standardized from the transaction process: each business must have “certificate” on the order information, that is, according to the business rules in advance to calculate the settlement amount of each party, and put the information on the order; When the transaction is transferred to the state where the settlement is required, take the expected settlement amount (expectedAmount) we set ** to check the actual settlement amount (actualAmount)**, when the expectedAmount! = actualAmount, there must be problems on the business side or the settlement side.
Architecture design
Just now we have also analyzed that we need to compare expectedAmount with actualAmount. The next step is to realize it from a technical point of view. The whole comparison process should be standardized, easy to close and traceable. In terms of technical implementation, we need to make the BCP layer light, because it is just a tool, check need to write script, script itself is not easy to verify and difficult to maintain; As long as we have a unified format of account checking data and a unified account checking interface, the SCRIPTS of BCP can be completely consistent. A new business only needs to copy and paste in the BCP layer and change the alarm receiver to realize real-time capital loss prevention and control.
Here is the complete architecture diagram:Introduction to the system involved:
• Transaction processing service: the code related to the transaction is here, and it will also receive MQ messages sent by the middle Platform performance process; • Middle stage of transaction: deal with the general logic of order performance, which means order creation, delivery, transaction completion, etc.; MQ message will be sent to notify the business party after each performance stage is completed; •BCP: the platform for real-time data verification and alarm has been mentioned many times; • Settlement platform: according to the business and rules, the money is really distributed, generally to the platform or service provider.
You can focus on the flow of data, let me mention two points:
•
Unified data format: after receiving the performance message from the middle platform, we can parse out unified data from the order information according to the configured reconciliation rules and then send it to BCP. The simplest understanding is that I want to get the expectedAmount expected settlement amount. Tips:
• Rules are placed on dynamically configured platforms such as DUCC • Data parsing can introduce regular expressions such as MVEL; Regular expressions are more flexible and can cover more business
•
Unified account checking interface: Since we have data in a uniform format, the format of our interface can also be defined. What the interface needs to do is to check the actual settlement amount actualAmount on the settlement platform, and then compare whether the actualAmount is equal to the expectedAmount, and tell BCP if it is not equal. Just tell BCP to call the police.
conclusion
This paper mainly describes the process of building the ability of real-time discovery of assets and losses. At present, it has been equipped with 9 businesses such as Xianyu Inspection treasure, Purchase Treasure, C2B consignment and so on. From a technical point of view, capital loss prevention and control is actually the same as a business problem: the problem should be summarized and abstracted first, and finally solved with technology; And be good at leveraging the capabilities of existing platforms and not reinventing wheels. The implementation of the scheme mainly includes:
•
Abstract problem, design a complete link verification comparison;
•
MVEL expression is used for order data parsing to achieve higher coverage;
•
Real-time comparison platform (BCP) is used for data comparison and alarm;
•
Real-time Comparison platform (BCP) scripts use generic calls to call interfaces to avoid introducing any business packages;
•
The unified account reconciliation interface uses the policy mode to customize policies based on the account reconciliation type.
It is not enough to have the ability to detect, we also need a complete avoidance ability, and emergency response ability, so that capital loss prevention and control can become a system, so that the business can safely run on the capital link.