Client
A FTSE-100 retail and commercial bank
Sector
Financial Services
Engagement
Strategy, delivery and embedded engineering - multi-quarter programme.
What the client needed
The client was running a high-volume sterling and euro payments platform on an ageing on-premise estate. Capacity was constrained, change cycles were measured in months, and regulatory expectations under the PRA’s operational resilience framework were tightening. A previous attempt to lift the platform into the cloud had stalled after nine months due to architectural and security concerns.
How we worked
- Spent four weeks discovering the real architecture - including undocumented batch dependencies and overnight reconciliation jobs - and produced a single, agreed system-of-record diagram for the first time in years.
- Designed a regulator-aligned landing zone with the bank’s security and compliance functions, with explicit controls mapped to PRA SS1/21, FCA SYSC 8, and the Bank of England’s critical third-party expectations.
- Built a strangler-pattern migration plan that moved low-risk batch workloads first, then progressively shifted real-time payment flows behind feature flags with continuous reconciliation against the legacy system.
- Embedded a small senior squad alongside the bank’s payments engineers, with explicit knowledge-transfer milestones and joint on-call from week six.
- Ran four formal game days against the new platform - including a full-region failure scenario - before the first production cutover.
Measured results
All figures verified with the client. Specific identifiers withheld in line with our standard confidentiality terms.
- 100% of in-scope payment volumes migrated with zero missed cut-offs and zero customer-impacting incidents during the cutover window.
- Average change lead time for the payments platform reduced from 11 weeks to 4 days.
- Annual run cost reduced by 38% versus the previous on-premise baseline, after factoring in cloud, licensing and decommissioning savings.
- Three subsequent regulatory inspections completed with no significant findings on the migrated estate.
- Internal payments engineering team grew their cloud and SRE capability through 9 months of paired delivery.
“Halfteck were the first partner who told us honestly what wasn’t going to work and why. The way they paired with our engineers meant the capability stayed in the bank long after they had moved on.”
Working on something similar?
If this engagement looks like the kind of problem you are facing, we would be glad to compare notes by email.
Context and constraints
The bank operated a payments platform that sat at the very centre of its business, processing high volumes of time-critical transactions against firm regulatory cut-offs. The platform had grown up around a mainframe-adjacent estate: a tightly coupled mixture of batch schedulers, message queues and bespoke integrations that had been reliable for years but had become expensive to change and difficult to recruit for. Every release was a delicate operation, and the cost of any outage, measured in both money and regulatory scrutiny, was severe.
The constraints were unusually demanding. Payments cannot simply be paused while a migration takes place; missed cut-offs carry real financial and reputational consequences. The bank was also subject to strict regulatory expectations around operational resilience, data residency and change control, which meant the target environment had to be demonstrably compliant before any production workload could be moved. There was, understandably, a low tolerance for risk and a strong preference for reversibility at every step.
The approach in depth
Our starting point was a regulator-aligned cloud landing zone. Rather than treating compliance as something to be retrofitted, we built the foundational controls, identity, network segmentation, encryption, logging and policy guardrails, into the platform itself so that any workload deployed onto it inherited a known-good security and resilience posture. This gave the bank's risk and audit functions confidence that the new environment met their obligations before a single payment was migrated.
We then decomposed the monolithic payments estate into a set of capabilities that could be migrated independently. Some components were genuinely suitable for re-platforming with minimal change, lifting them onto managed services that reduced operational burden. Others warranted more substantial refactoring to break tight couplings and to make them observable and independently deployable. We were deliberate about not over-engineering: where a component worked well and was not a bottleneck, we moved it with as little change as possible and revisited it later only if the case for further investment was clear.
Throughout, we held to a principle of preserving the existing payment guarantees absolutely. Idempotency, ordering and exactly-once semantics where required were treated as non-negotiable invariants. Every change was assessed against the question of whether it could, under any failure mode, cause a payment to be lost, duplicated or delayed past its cut-off.
Delivery phases and sequencing
We sequenced the migration to move risk to the margins. The first phase established the landing zone and migrated non-critical, lower-risk workloads to prove the operating model, the deployment pipelines and the resilience controls in a real but forgiving setting. This built organisational muscle and surfaced operational wrinkles long before anything truly critical was at stake.
Subsequent phases migrated payments-adjacent capabilities, running them in parallel with the legacy estate and reconciling outputs rigorously. Only when each capability had demonstrated equivalence under realistic load and failure injection did we cut production traffic over to it, and even then we retained the ability to fail back. The final phases addressed the most critical processing paths, by which point the team had migrated a great deal successfully and had a well-rehearsed playbook for cut-over, reconciliation and rollback. The result was that no single phase represented an all-or-nothing gamble, and crucially, no payment cut-off was missed across the entire programme.
Architecture and technology decisions and trade-offs
We chose managed services for undifferentiated heavy lifting, queueing, storage, container orchestration and observability, so that the bank's engineers could focus their scarce expertise on payments logic rather than infrastructure plumbing. We made resilience an explicit architectural property, designing for multi-zone redundancy, automated failover and graceful degradation, and we validated those properties through deliberate failure testing rather than trusting that they would simply work when needed.
There were genuine trade-offs to navigate. A fully cloud-native, event-driven rebuild was tempting and would have produced an elegant target architecture, but the time and risk involved in rewriting battle-tested payments logic were hard to justify against the bank's resilience obligations. We therefore favoured incremental modernisation over wholesale rewrite, accepting that some components would carry forward legacy patterns for a time in exchange for a far safer migration. We also accepted slightly higher running costs in places, for example by retaining warm standby capacity, because for a payments platform the cost of unavailability dwarfs the cost of redundancy. We were transparent with the bank about each of these choices and the reasoning behind them.
Measurable outcomes
The headline outcome was continuity: the entire critical payments estate was moved to a compliant cloud landing zone without missing a single payment cut-off. For a workload of this sensitivity, that uneventfulness is the strongest possible measure of success. Beyond continuity, the bank gained a materially better change posture. Releases that had once been tense, infrequent events became routine, repeatable and reversible, which we typically see translate into faster delivery of regulatory and product change alike.
Operationally, the bank reduced its dependence on scarce legacy skills and improved observability across the payments flow, making incidents easier to detect, diagnose and resolve. The landing zone also became a reusable asset: subsequent workloads could be onboarded onto the same compliant foundation, spreading the cost of the controls across the wider estate and accelerating future modernisation.
- Regulator-aligned landing zone with identity, segmentation, encryption and policy guardrails built in from the start.
- Capability-by-capability migration allowing independent, reversible moves rather than a single high-risk cut-over.
- Preserved payment invariants covering idempotency, ordering and timely settlement against every cut-off.
- Parallel running and reconciliation to prove equivalence under realistic load before redirecting production traffic.
- Deliberate failure testing to validate resilience properties rather than assuming them.
- Reusable compliant foundation that accelerates onboarding of future workloads.
Lessons learned
The most important lesson was that resilience and compliance are far cheaper to build in than to bolt on. By establishing a regulator-aligned landing zone first, we removed an entire category of late-stage surprises and gave the bank's control functions confidence early, which in turn unlocked the pace of the later phases. A second lesson was the discipline of reversibility: the ability to fail back at every step turned a daunting programme into a series of manageable, low-drama moves.
We were also reminded that, for critical financial workloads, the goal is not architectural purity but earned trust. Choosing incremental modernisation over a glamorous rewrite was the right call precisely because it kept payments flowing without interruption. The bank ended the programme with a modern, observable, compliant platform and, just as valuable, a team that had proven to itself it could change that platform safely.
If you are facing a high-stakes cloud migration where continuity and compliance cannot be compromised, we can help you do it safely and reversibly. Talk to us about a similar engagement. Email sales@halfteck.com.