This talk took place at CukenFest London 2019, our annual conference for BDD enthusiasts. More info here –

This talk tells the story of how Mike and Jamie built ERMI, a tool for detecting financial crime. Mike is an expert in preventing financial crime and money laundering and Jamie is an autistic developer who normally focuses on digital accessibility. They have been friends for over a decade.

While working together building a kit car called “ERMY” they got talking about work and discussed the frustration with the tools for monitoring financial activity. Transaction monitoring rarely delivers value to the user while costing a fortune. Easily detectable crime goes undetected either because the tools are too rigid or unaffordable to those who need them.

This discussion slowly evolved (often while at least one of them was under a car holding a spanner) until they started to play. With Mike’s knowledge of regulations and crime, and Jamie’s software skills, could they build something? Would it be useful to other people? Could they use their experience of building cars together to build software?

ERMI was born. A lightweight transaction monitoring tool. Along the way they had to reconsider everything from the way data is stored to the way users get results.

This talk will leave the audience with details of the following:

Effective collaboration between disciplines (law + development)

How Mike and Jamie harness the strengths of autistic thinking (and manage some of the difficulties)

Developer productivity, how to achieve big tasks with tiny resources

Scaling using Docker/cloud

Automation, BDD process and planning.

Jamie Knight (@JamieKnight) + Mike Southgate (@misterwookie)

I'm going to crack off by just explaining that I find speech kind of difficult, which I know is kind of ironic considering I spend half my time doing public speaking. And that feedback loop is amazing, there's an echo there. So if you come up to me later and I'm not verbal with you and I use my phone to communicate, it's just because I'm having a bit of speech trouble, or I think you're boring. 50/50. If you see me chatting to someone else later, it's probably because I thought you were boring.

To just introduce myself: I'm Jamie. My day job is with the BBC, where I am a senior research engineer, which basically means I break things and don't have to fix them. And this is Mike.

All workers everybody. I'm a weird kind of lawyer and I work for an investment bank.

It's okay, we can all silently hate him. He's a product person.

Sorry. Collaborative, cooperative, boom. I just got to try and keep that one quiet.

Yeah, I brought my own product person. Oh, and this is Lion. I'm autistic, and Lion's gone everywhere with me for about 10 years, and the feedback from the last time we talked was "need more Lion", so you can have your more Lion.

He always shows us up, it's kind of embarrassing. More followers, miles where.

Yeah, yeah, I finally caught up with his Twitter followers. Okay, so the most important part of this whole talk: we're not going to talk about science, we're gonna talk about anecdote. The plural of anecdote isn't data. We're just going to tell you one story about how we approach things. We're not talking for all autistic people, and we're certainly not talking for all Wookies.

They do this whole pulling your arms off thing, that's kind of frowned upon.

Mr. Lawyer-man, if I covered?

Yeah, I think we are basically displaying to the hell out, so if you rely on this and do anything silly, that's your own down.

If you have a weird lump, see a doctor. Basically that. If you have a digital equivalent of a weird lump, see a doctor. God, that joke is not landing. It's, do you need more coffee? More coffee, less coffee? Do I need to do a little jig? Come on. What I normally do is I pick one person at the front who's smiling and then just stare at them, and today it's this poor gentleman in the white.

Frowning. Halfway through the tour we're gonna go off the rails, it's my, starts trying to hide behind these notepad guys.

Yeah, also I'm autistic and I can't tell the difference between a grimace and a smile, so this should be fun. Okay, we're ready to go. Coffee down.

Okay, so we're going to talk about three things today. We'd like to talk about ERMI, which is our product, the thing we do when we're not doing anything. Then we're going to talk about how we collaborate, and then I'm quickly gonna talk through the technical side of building ERMI. You're gonna see this slide quite a lot, as it's the structure that will come across. So Mr. Wookie, take it away.

ERMI is a, it's a tool that uses data to scrutinize transactions that take place through banks and financial institutions in order to detect money laundering.

You finished? Okay. It's, it's basically: we have a big file, a CSV file of banking data. Numbers numbers, business business, maths happens, it poos a spreadsheet, and then we put the spreadsheet on the cloud and go, "there".

And FYI, "it poos a spreadsheet" is what I said to the head of compliance for an international bank when I described how it worked. nom had unknown puh-puh-puh. He thought it was quite funny.

Well, in other words: bad stuff, bad stuff in this file. All the stuff we think is fraud, all the stuff we think is illegal, it's in there, go look. Make sense?

Yeah, it's really very simple, I don't see what all the fuss is about, frankly.

So why do we do this? Well, effectively in the industry there are two types of tool. One is probably a lady called Doris or similar, who sits and goes through all of the transactions in a spreadsheet and hopes she can spot the fraud. The other thing is multi-million pound tools that are real-time dashboards, lots of complexity. Our aim is to sit in the middle. We aim to be cheaper and better than doing it with people, but we're not trying to compete with the multi-million dollar tools, because frankly business business, numbers numbers isn't really our thing.

But there are other reasons too. So one of them is, and it's going to sound a bit silly, but we actually want to help tech people and fight crime. So I'm autistic and quite vulnerable, so we've taken advantage of knowing the ways that I'm vulnerable and then started building rules around it. So for example, if one of the carers came up to me and said, "I did your shopping yesterday, you owe me 20 pounds", I'd go, "okay, here's 20 pounds". If they did it the next day, I'd probably still give them another 20 quid, because I tend to trust people and I don't trust my own memory much, because it's full of holes. So we ended up building a set of rules that do things like import the database from the Care Quality Commission and then, actually, I can do it better than that: given, given a payer, and the payer's location as a care home, when the analysis tool, and their turnover, and they've made frequent small payments, when the analysis tool is run, then the transaction, then the payer should be flagged. How's that for live Gherkin?

I'll do the same thing that you do to me every single time, to say the phrase "frequent small payments" is ill-defined and you need to tell me what that means.

Okay, we are going to come on to that later. how many arguments I Scott his definition somewhere.

So we did things like, we built rules based on our own experiences. And the second thing is, we think it's kind of ridiculous that banks are paying multiple pounds per transaction for this very basic thing, and because it's so expensive, a lot of people who need it don't have it. So all of the people committing fraud and crime go through those tools, so they know where the weaknesses are. So it's kind of that rising tide thing: if we can just lift the, the worst of it out, we actually protect everybody a little bit better.

And the third thing is, I used to be addicted to video games and I'm not anymore, so this is kind of like my, my therapy. When I'm done doing BBC stuff for the day and I've broken all of the BBC things, I come and break this instead.

Fair enough. Not sure it's the improvement you're selling it as, but I mean, it's not heroin, so at least we've got you off that.

Well guys let me go, it's so moreish.

Not supposed to eat it.

I'm not eating the Lego, just collecting and hoarding it and storing it in little bags like a weird Lego dragon.

Like a weird Lego dragon, that's a phrase.

So that's what we do with, I mean this isn't floette is no, this will get there eventually. So this is ERMI, and that's what we do: we eat bank data, we poop fraud.

Fair enough.

No, poopy fraud prevention. Prevention. A bit like your job title, Head of Financial Crime.

Yeah, it should be Head of Financial Crime Prevention, but for years I've been removing the word "prevention" and just putting Head of Financial Crime, waiting to see how long it is before somebody asks me whether I'm going for Breaking Bad.

It's like, if I don't pay you enough, you break my knuckles.

It's great. Knuckle realignment.

So here's one of the things: we need to collaborate, and he's a product person, legal expert, and if we're honest, I'm a jobbing front-end developer who knows a bit of JavaScript and that's about it. So we needed to learn how we could collaborate and how we could get on without killing each other, because, you know, building a, have you ever heard the thing "don't start software products or businesses with your friends"? Hey neighbours, hi family. So we broke all of those, so we had to make sure that this didn't go horribly wrong and kill us both.

Now, when it came to collaboration, we've also got the, we've also got the joy that I'm autistic, so we had to build that into what we were doing and then end up building a way of working that both complements the fact that I'm autistic and complements how it needs to fit into the rest of our lives.

So let's crack on with communication first. So we've decided that we had a confusion of collaborators. So Lion wanted it to screen for antelope, Wookie wanted it to have a fancy UI and maps, and I was sat there basically going, "how do I build all of this in a weekend?" And as with a lot of things, when it comes to confusion we had to start by kind of naming stuff. So I'm going to introduce a tool that you may not have heard of. It's called Cucumber.

Big facts, it's, big fans of Cucumber, although having to explain the difference between Cucumber and Gherkin to people: "The Gherkin? What, like that big building?" We sort of give him a big building when the wind blows.

So we adopted Cucumber from the very outset, because when Wookie would explain rules to me I would get really confused. So for example, payee and payer: I can still not remember which way round they go.

If it's any consolation, neither can people who work in banks. They really should have named them two very, sender, receiver, remitter, beneficiary, but no: payor and payee, and that's, that's in the regulations as well. I think it's the e useful honestly we should believe that thing, it's a mess. Sarcasm, sarcasm flag.

Telling him I was a product guy was bad. So we went for, like, payer and beneficiary, right? Keep it simple. Also, I'm dyslexic and can't spell beneficiary, so that was also fun as well.

So when we first started talking about the product, we ended up talking about what we were going to build. We were building a kit car together, and at the time I didn't have verbal speech, so I was literally hiding under a kit car with the spanner, and I was stuck in the room with the disgruntled Google employee who was basically decided telling me about all the ways their software was awful. So I couldn't escape. And you know what happens when you corner a developer and you tell them a problem: the developer has that really bad thought, which is, "doesn't sound that complicated".

Now that's the thought that have led many of us astray over the years, which is ironic, because product people go, "oh, it's not that hard, it's really, really simple, it's just one change to the system", and you're going, "oh Jesus, you don't know".

but we're not fact there underneath I was like, well, it's just a big-ass CSV file basically. Yeah, yeah, yeah, databases, bla bla bla. Big CSV file, make some totals, flag some things, put it in the cloud. Doesn't sound that complicated. I've used the Dropbox API.

So we started by discussing some Gherkin, and that very quickly made us kind of start defining our, what do you mean by a payer? What do you mean by a transaction? What do you mean by a flag? And we also got to things like, a transaction and a payment may not be the same things. If we're doing, like, a four-party transaction, where you have a company sending the money on your behalf, there might be four individual people involved in the transaction, but there's only one payment in the middle, for example. So broadly we kind of understood what we were talking about with each other, and then we got into stuff like "given a beneficiary". Now, do we mean a beneficiary as in the legal entity, Mr. Lion, or do we mean the beneficiary's bank account? So we had to start kind of working out what these things meant, and in a lot of places our clients didn't know either, which led to some interesting conversations.

So in this point, the beneficiary again, for example: we have multiple parties in the, in the transaction, and when we meant beneficiary in the industry, we meant the final person who actually got the money. The people would throw this kind of terminology around, and what we fail to realize is that you have ultimate beneficiary, which is the person who owns the company, but that's the person who sends the money, and you have beneficiaries receiving the money. Again, somebody should have named this stuff more clearly at the start. But also, if you click on again, I'd failed to realize that the phrase "month" was not very, very clearly defined.

Obviously, how most people, like, Oh month I mean January in James Gang. No, I need a specific number of days. How many days are there in a month? yeah months are there in a year, that's another fun one. And what happens we're dealing with leap years, and what happens if within with a calendar that doesn't have months in the same way that we've go some of the we it's all Chinese calendar, which we haven't come onto yet, but we will. So I fail to realize that all of this stuff was massively undefined.

And we also have ones, fun things like time zones. So six hundred and fifty time zones in tzdb, and we have to validate every single one of them for both input data and the place in which we do analysis. When we first started we went, "okay, we're in the UK, we're on GMT, we never change time zone". Bugger is the short answer to that. We do: we change between BST and GMT. So we ended up having to build that in and build back into our Gherkin.

So as we were talking about this, as we were defining the Gherkin, we had to learn a language and set up some standards between ourselves. We also had to kind of scope the problem and solutions, so we went go-karting and had an argument, which was great because we then got to get the aggression out on the track.

Some other sod knocked me off at the last corner when I was winning, but I'm sure they weren't actually working for working.

It's perfect: he was then angry at them and not angry at me for the conversation that happened before, so it was almost just actually.

So we would get questions there. We'd start talking with stories like, we need, you know, the user looks at the map, the user logs in, the user does this, and then I'd be able to go, "okay, well, that is three months' work, that's six weeks' work, that's...". We could start talking about these features, and then the more we talked about it, the more we needed, the more we realized that what we were building was a go-kart. We weren't going to even build a sports car; we were going to build the minimum lightweight product needed to get people a level of fraud protection. So from the very start we could see that we weren't going to work with big databases, because frankly I don't know big databases, and we weren't going to build a massive user interface. We recently found out that our entire product has less lines of code than one of our competitors' home pages, which is quite nice. So we have a small product that we're keeping lightweight, and when we talk about features we ask ourselves, well, do go-karts have air conditioning? You know, is this air conditioning, or is this something about the performance and the handling of the go-kart?

By going this way, we also got to build on the skills we had. So for example, I know JavaScript really pretty well. I don't admit it in polite company, but I think it's pretty good. Yes, okay, nobody hissed at me this time, that's nice. Nobody threw a shoe at me either.

Just choose your audience.

And this bloke knows Excel. But as we were talking about it and as we were working through this stuff, we had this realization that our clients all know Excel too. So rather than spend hundreds of thousands of pounds and hundreds of hours replicating Excel badly in a web browser, when all our users would do is log in and download the data anyway, we said, "okay, well, let's just build a thing that gives them Excel files and go from there".

So the third thing that we've been doing to collaborate successfully is we've been co-owning complexity. So it's very easy to kind of have this setup where you have a product person on one side, they write the specification of something like "find all the suspicious activity", which is a general thing.

Actually, we were talking to one third, we may have been a client, and they gave us their specification for an internal transaction monitoring tool, and it simply said to the developer, that's all, "must find suspicious activity". And that is all it said. There's no knowledge of money laundering or financial crime whatsoever, and that was what he had to work.

So that's how we're not working, because frankly I'd have killed him by now and fed him to the lion. So what we do instead is we have, like, a three-stage process. We collaborate, so we work together first on GitHub and we write the Gherkin together, or quite often Wookie will draft the Gherkin and then I'll kind of tweak it and send it back, and we'll play kind of Gherkin tennis, which is a phrase that will not make any sense to anybody outside of this room.

No, but at some point Malaysian tennis rackets, and if we really hate each other we can hit each other with them.

Yeah, we play Gherkin tennis on GitHub, and then we get to a point where we merge it into our, merge it into our repo. And this is actually where we started using Cucumber Jam.

So, called Jam now.

There you go. So we were using Cucumber Jam for bits of this. So we talked, and then I'd be committing to GitHub, because letting product people near GitHub is a little bit scary.

"I'm just going to make a small change."

So yeah, we'd use Jam and we'd look at GitHub, and then the last thing we do is we do planning poker. Now, story points are a bit of a vague concept, but they've worked pretty well for us, because we'll be able to have a discussion something like this: "this feature is three points", and I'll go, "no, eight, because that'll do that", and it would reveal the things where we'd misunderstood, all the things where we had got the, the wrong kind of understanding.

I mean, this was, this was a revelation to me again, because I never really so that investment bank and also technically the CTO, which is a scary thing in so many different ways, but we would have this constant friction between developers and the product owner: how long things were taking, how much complexity was involved. And actually we've started, I'm trying to get them to move towards the process that we're using here, because that Cucumber piece, and explaining exactly what we're doing to each other and what the requirements are, means I get better understanding as a product person of the complexity involved, and then that, that sort of planning poker piece at the end means I know how much build time there is involved. And nine times out of ten I will say, "three, I think this is really, really simple", and Jamie will go, "no, you've fundamentally misunderstood how bloody awkward what you are".

As a person, just generally.

Yeah, just generally. But how much normal you know how much our problem you've just created them. And it's only through going through that whole three-step process that I go, "actually, I've just realized this is massively complicated. Address matching is harder than I thought it was because we bought by the data", etc. So that process from a product side is, is just terribly useful for me. I've learned so much.

Yay. And we also do things, I've learned a lot about time zones in the last, like, year and a half. I've learned enough about time zones that I'd literally dream about time zones.

As an FYI, do you see the quote from about the EU changing and allowing people to change time zones, and one of the MPs in the UK said I was bad enough they're enforcing their words on this, but now they want to be Time Lords, which I thought was the right.

Can I be a Time Lord?

So examples of things like this: I think Wookie said, "oh, can we add a sheet to the spreadsheet showing people their largest transactions?" And then we went, "okay, well, to do that we actually have to translate", because a lot of foreign exchange companies, because they're always sending different currencies, they're never pegging it back to a single currency, they don't know what their largest transaction was. So we ended up pulling that data out of our system and just including it in the spreadsheet, and it's still one of the most useful tools in the spreadsheet, because the person can sit at it and go, "I don't recognize that transaction. I should have had that one come through me and it didn't".

So those sorts of things. We've started by building lean quality from the start. Testing was there in our second or third commit, because quite frankly I have zero confidence in anything. Has anybody tried to do mathematics with JavaScript? Literally, you can't add two numbers together and get the right answer. We found this out at about my ninth commit. I started regretting using JavaScript from that point on, and it's now been two years of solid regret, but it's still the best programming language I know, and for what we're doing, which is eating a spreadsheet one line at a time, it's actually very efficient. Also, we can talk about JavaScript multi-threading at some point. It does have it, and it's actually quite straightforward.

But anyway, so we have taken the decision from the start that we will carry any technical debt in the solution, not the testing. So generally speaking we have built the complicated test system up front. We have about four times more code in our test system than in our, but that confidence in the testing means that when we come to refactor something, or we have a better way of doing something, we can quickly implement it with a high degree of confidence.

So kind of like the second part of this is the joys of working with an autistic person. So for a moment I'd like to talk about a thing that every grown-up in my life says to me at some point: "just go wash your hands in the toilet". When I was about eight I started asking if I should flush the toilet first, because I'm very literal. It's an autism thing. I tend to do exactly what I'm told to do. You are allowed to laugh at that, by the way, that is really funny. It's fine, it's amazing, it's amazing, it's fine. You can laugh at me doing, being literal, but it's really great for Gherkin, because I will, I will respond literally, and that can be really useful. Rather than trying to fight it and trying to get Jamie to use more figurative language, we embrace the literalism and kind of went for it. it has bits in the ass violence, which is where my Gherkin was literally wrong.

Yeah, is that a great side of that for Jamie is that he can go, "you are literally wrong".

Yeah, you, you have an outcome, it's not in the technical specification, it's not necessary that you've written that's got flowery language. It's there in six lines of Gherkin, and you were wrong. You asked for the wrong thing.

If you can do that to a product person, even, well, in a way, yes or no. But at the same time we also found, so I wasn't particularly angry when we got it wrong, because quite frankly I think out of a thousand dev hours we've wasted about ninety, less than, what's, like nine percent. I think there's a lot of product people who'd love to only waste nine percent of their developers' time. And whilst we didn't achieve that rule, we did build some building blocks along the way that we can reuse in the future. I was a little annoyed at the time, though, as I'd been kind of working weekends.

So we, we split it up like this. We're basically: Wookie does all of the business-y stuff and I do all of the code-y things. I think we're running out of time.

I like that.

Damn, because I've got a whole third of a presentation to go yet. Okay, I'll get through this bit really quickly. So that's how we collaborate, which is basically what this event is around. By using Gherkin we have a single point of reference and we have a single shared language.

So how does ERMI itself actually work? Well, we're using cloud, man. Well, more specifically, we realized that the value is in the output. How we got to the output didn't really matter. Our clients don't give a whether we use Go or JavaScript or MongoDB or whatever other thing that's fancy this week. I should have built it in React, damn it. One person laughed. Melbourne, thank you. The, the value is in the output, and our goal is to deliver value to the user, not necessarily build a giant tech infrastructure.

Now, it's really easy to say that, "oh, we're big data", and when you go, "30 million data points and three billion dollars' worth of transactions per evening", that sounds really cool. Then you realize it's about 100 meg. It's not actually that big. So we're not big data, we're detailed data, with the difference being that in big data no single track, no single line matters, but in detailed data every line matters. I wait for people to stop taking photos. That's a good sign.

And part of it is we've been keeping it really simple. So I'll give you a complete technical walkthrough of ERMI. There's a spreadsheet and some CPU threads. Each CPU thread does each type of analysis, so they're just streams. Each one drinks the file itself and it poops out another spreadsheet, and then they all get glued together into an Excel spreadsheet. I put that inside a Docker container. It's just a command line application: you do ERMI analyze, give it a file, it poops out another file. Wrap that in the Docker container, put the Docker container onto AWS Batch and trigger it with Lambda. That's our entire infrastructure.

What we do is, we've got a really big client, we might ask them to split by, let's say... honestly, that's a weird noise, somebody's playing with the balloon. So if we've got a really big client, we might ask them to split by, let's say, name, so we get 26 times parallelism. All of the through, all of the action analysis happens in parallel as well, so we can just spin up and drop down these jobs off of AWS Batch using Lambda.

Now, one of the reasons why we can do this is the, on the cloud, a thousand CPUs for one hour cost the same as one CPU for a thousand hours. So it's not necessarily about being efficient, it's about keeping things really simple. So rather than building piece of software that can screen over a seven-day period or has a live database system, we have a single piece of software that's very simple that we can run multiple times. So if you want to have a new, if you want to have 15 minutes' latency between the transaction and the analysis, we'll just run our piece of software every 15 minutes. If you want to have a day's latency, you run it once a day. If you wanna have a week's latency, you run it once a week. It's that sort of thing. So it's very simple, and we have multiple overlapping runs of a simple piece of software rather than having a complicated date logic within the software.

And finally, and the biggest benefit for me is that unless we're running, we don't exist. Because we don't have any standing infrastructure and we don't have any databases or APIs to secure, I sleep a lot better at night knowing that there's nothing for people to attack. Although it can sometimes get a little bit confusing when our clients, who are banks, go, "can we have an IP address for your system?" and I'm not, "I don't know what it is. If you can find it out for me, that would be great", because I don't. I think we randomized region, availability zone and the time that it runs, so when I'm debugging it I sometimes find it hard to find it, which I think is a good sign, right?

Yeah. You can't even take money off of you to do this because there's nothing for us to do, we the consultants go mad. You can see I'm melting in front of you.

Yeah, but I have one of those security question is, "what's your joiners and leaving process?" Don't have any. "What's your two-factor authentication?" We don't have a login system. "Well, I'm sure..." Yeah, that was quite fun.

I was at an event in the US recently talking to someone from MIT who is a security researcher there, and he pointed out that our biggest vulnerability was me. Yeah, and the fact that I'm easy to manipulate, and an insider, someone within the company attacking us, that, that's our biggest vulnerabilities, we think. Although I'm not going to say that too loudly, because I don't want to go, "it's the Titanic, it's unsinkable". Let's not say it's secure and it's unhackable. It's relatively secure, but there's nothing more secure than turned off.

And in a nutshell, that's everything we're going to talk about: ERMI, collaboration, how we build it. Thank you for listening, and I'm only about five minutes late, which isn't too bad.

[Applause]
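
The care-home rule dictated as Gherkin in the talk, written out as an added example; this is not ERMI's code and does not come from the speakers. The CSV column layout, the thresholds that pin down "frequent small payments", and the location set standing in for the Care Quality Commission import are all assumptions.

```javascript
'use strict';

// Assumed thresholds: the talk leaves "frequent small payments" undefined.
const DEFAULTS = { smallPence: 5000, minCount: 3, windowDays: 7 };

// Parse "20.10" into integer pence so sums never touch binary floats
// (0.1 + 0.2 !== 0.3 in JavaScript).
function parsePence(text) {
  const m = /^(\d+)(?:\.(\d{1,2}))?$/.exec(text.trim());
  if (!m) throw new Error(`bad amount: ${text}`);
  return Number(m[1]) * 100 + Number((m[2] || '').padEnd(2, '0'));
}

// Whole days since the epoch, computed in UTC so the GMT/BST switch
// cannot move a payment across a day boundary.
function utcDay(isoDate) {
  const ms = Date.parse(`${isoDate}T00:00:00Z`);
  if (Number.isNaN(ms)) throw new Error(`bad date: ${isoDate}`);
  return ms / 86400000;
}

// Flag payers located at a care home who make at least minCount small
// payments to one beneficiary inside any windowDays-long window.
// Assumes a simple CSV with no quoted fields, read one line at a time.
function flagPayers(csvText, careHomeLocations, opts = {}) {
  const { smallPence, minCount, windowDays } = { ...DEFAULTS, ...opts };
  const small = new Map(); // "payer\0beneficiary" -> [{ day, pence }]
  for (const line of csvText.trim().split('\n').slice(1)) { // skip header
    const [date, payer, location, beneficiary, amount] =
      line.split(',').map((s) => s.trim());
    if (!careHomeLocations.has(location)) continue;
    const pence = parsePence(amount);
    if (pence > smallPence) continue;
    const key = `${payer}\u0000${beneficiary}`;
    if (!small.has(key)) small.set(key, []);
    small.get(key).push({ day: utcDay(date), pence });
  }
  const flags = [];
  for (const [key, payments] of small) {
    payments.sort((a, b) => a.day - b.day);
    let start = 0;
    let total = 0;
    let best = null;
    for (let end = 0; end < payments.length; end++) {
      total += payments[end].pence;
      // Shrink the window until it spans fewer than windowDays days.
      while (payments[end].day - payments[start].day >= windowDays) {
        total -= payments[start].pence;
        start++;
      }
      const count = end - start + 1;
      if (count >= minCount && (!best || count > best.count)) {
        best = { count, totalPence: total };
      }
    }
    if (best) {
      const [payer, beneficiary] = key.split('\u0000');
      flags.push({ payer, beneficiary, ...best });
    }
  }
  return flags;
}

// Constructed sample data; 2019-03-31 is the day UK clocks moved to BST.
const CARE_HOMES = new Set(['Oak Lodge Care Home']);
const SAMPLE_CSV = `date,payer,payer_location,beneficiary,amount
2019-03-25,P001,Oak Lodge Care Home,B100,20.00
2019-03-26,P001,Oak Lodge Care Home,B100,20.00
2019-03-29,P001,Oak Lodge Care Home,B100,20.10
2019-03-31,P001,Oak Lodge Care Home,B100,20.20
2019-03-28,P001,Oak Lodge Care Home,B300,950.00
2019-03-26,P002,Oak Lodge Care Home,B200,20.00
2019-04-20,P002,Oak Lodge Care Home,B200,20.00
2019-03-27,P003,12 High Street,B100,15.00
2019-03-28,P003,12 High Street,B100,15.00
2019-03-29,P003,12 High Street,B100,15.00`;

console.log(flagPayers(SAMPLE_CSV, CARE_HOMES));
```

Only payer P001 is flagged, for four small payments to B100 inside one week; tightening `minCount` or `windowDays` shows how much the result depends on the definition the two speakers argue about.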
