Architecture Templates

How to Build Template 6: Core Banking Platform

Core Banking Platform architecture diagram

A reusable system context template for a core banking platform with regulatory actors, payment rails, fraud systems, and open banking integrations.

If you are looking for a Core Banking Platform architecture diagram, this page gives you a real system context architecture diagram you can study, reuse, and adapt in Uxxu.

2025-11-14Uxxu Team

Quick Summary

How to use this template

This page is meant to be scanned quickly and then adapted to your own system.

  • Use the live diagram as a starting point, not a final answer.
  • Focus first on the main actors, systems, and critical dependencies.
  • Adapt the model to your product, team boundaries, and technical constraints.

How to Build Template 6: Core Banking Platform

This template shows how to model a core banking platform at the System Context level. It is designed to make the regulatory, financial network, and compliance infrastructure visible from the very first diagram — before anyone assumes this is just a ledger with a web interface.

Banking is one of the most architecturally constrained domains in software. Unlike most software products, a core banking system cannot be designed freely from the inside out. The external environment imposes hard constraints: the payment rails it must connect to are set by national and international financial infrastructure, the reporting obligations are mandated by regulators, the fraud detection requirements are shaped by the threat landscape, and the open banking interfaces are increasingly mandated by law. Understanding those constraints before discussing containers or services is essential. The System Context diagram is the right tool for this.

What This Template Shows

  • Retail customers accessing banking services through digital and branch channels
  • Back-office operations staff handling exception processing, settlement, and payment operations
  • Risk and compliance officers who interact with the system to fulfill regulatory obligations
  • The payment rails — ACH, SWIFT, SEPA — that connect the bank to the wider financial system
  • Fraud detection, KYC, and credit infrastructure that gates account opening and transaction processing
  • Regulatory reporting systems that receive mandatory submissions from the bank
  • Open banking APIs that expose controlled access to third-party financial applications

This is the right level when you need to communicate that the system operates inside a tightly constrained, multiply-regulated financial environment — not just a complex application.

Embedded Diagram

Why This Context Diagram Works

The strongest architectural signal in this diagram is that banking is not an application domain — it is a networked, regulated operating environment. A core banking system has value only because it can connect to payment rails that move money to and from the rest of the financial system, satisfy reporting obligations imposed by multiple regulators, withstand fraud pressure at transaction scale, and remain auditable at every step.

That is why the context diagram must show payment rails, fraud infrastructure, regulatory reporting, and open banking APIs as explicit system-level dependencies — not implementation details to be figured out later. Every single one of these is a hard constraint that shapes the architecture from the outside.

The second key signal is the presence of compliance actors alongside customer actors. A Risk and Compliance Officer interacting with the system is not a power user or an admin — they are a distinct actor whose obligations to regulators are a legal function of the institution. Their presence in the diagram signals to anyone reading it that this system is not just a product for customers — it is also an instrument of regulatory compliance, with all the auditability, data retention, and reporting obligations that entails.

Core Elements To Include

People

Retail Customer The primary end user of the banking product. In a modern digital bank, the retail customer interacts almost entirely through the mobile app and web banking portal: viewing balances and transaction history, initiating transfers and payments, setting up direct debits, applying for credit products, and managing account settings. In a traditional bank with branch presence, the customer also interacts through branch staff who operate on their behalf. The customer experience must convey trust and security above all else — a brief degradation in transfer reliability or a false positive fraud block has outsized impact on customer confidence compared to equivalent failures in other product types.

Branch / Back Office Operations Analyst Internal staff who handle transaction exceptions, settlement reconciliation, manual review of flagged transactions, and customer service escalations that require account-level access. Exceptions arise constantly in payments processing: a SWIFT transfer with a beneficiary name mismatch, a direct debit that was returned unpaid, an ACH reversal that must be applied, a chargeback dispute on a card transaction. Operations analysts work within the bank's internal tooling to investigate and resolve these exceptions within the time frames imposed by the payment rail's operating rules — SWIFT GPI norms, NACHA return windows, SEPA SLA requirements. These staff are invisible to retail customers but critical to the operational integrity of every payment that flows through the system.

Risk and Compliance Officer Responsible for Anti-Money Laundering (AML), Suspicious Activity Reporting (SAR), Know Your Customer (KYC) program oversight, sanctions screening, and interaction with regulators. Risk and compliance officers review cases escalated from automated transaction monitoring systems, file SARs with FinCEN (US), SOCA (UK), or equivalent national financial intelligence units, conduct periodic customer due diligence reviews, and respond to regulatory examination requests. They interact with the banking platform to query transaction history, customer profiles, and case management systems. Their obligations are legally mandated — failure to file a required SAR or to maintain adequate KYC records is a criminal liability for the institution, not just a process failure.

Payments Operations Specialist Manages the operational layer of the payment rails: monitoring SWIFT correspondent relationships, managing ACH origination limits and return rate compliance (NACHA imposes penalties above return rate thresholds), handling SEPA direct debit mandate management, and responding to payment investigations (inquiries about where a wire is). Payments operations specialists live at the intersection of the bank's systems and the payment network operating rules. They are the people who understand what happens when a payment goes wrong in the network layer — the steps to recall a SWIFT transfer, the timelines for ACH reversal, the SEPA dispute process.

Main System

Core Banking Platform The central system. It maintains the general ledger of account balances, processes transactions (debits and credits) with ACID guarantees, manages product configurations (current accounts, savings accounts, loans, fixed-term deposits), enforces transaction limits and controls, routes payments to the appropriate payment rail, generates the data consumed by regulatory reporting systems, and exposes APIs for digital channel applications and third-party open banking consumers. The core banking system is the system of record for all money movement. Its availability, consistency, and auditability are non-negotiable.

External Systems

ACH Network The Automated Clearing House network is the US domestic payment rail for batch electronic transfers. ACH processes payroll direct deposits, bill payments, person-to-person transfers (via services like Zelle, which rides on ACH), and direct debits. ACH operates on batch settlement cycles — historically twice daily with next-day availability, increasingly with same-day ACH (SACH) settlement windows. The core banking system must generate NACHA-formatted ACH files for origination (sending payments), receive and process incoming ACH files for receipt, handle return files (returned items for insufficient funds, closed accounts, stop payments), and comply with NACHA's origination agreement requirements including return rate monitoring. ACH is the highest-volume payment rail for most US banks by transaction count.

SWIFT Network The Society for Worldwide Interbank Financial Telecommunication network is the messaging infrastructure for international wire transfers. SWIFT does not move money directly — it is a messaging network that carries payment instructions between correspondent banks. A SWIFT wire from a US customer to a beneficiary in Germany involves the originating bank, one or more correspondent banks with nostro/vostro relationships, and the beneficiary bank, each receiving and forwarding SWIFT messages (MT103 for customer transfers, MT202 for bank-to-bank cover payments). SWIFT GPI (Global Payments Innovation) adds end-to-end tracking and same-day settlement norms. The core banking system must generate SWIFT messages, parse incoming messages, apply sanctions screening to every message, and manage the correspondent bank relationships that determine routing options.

SEPA Rail The Single Euro Payments Area infrastructure for euro-denominated payments across 36 European countries. SEPA comprises two primary instruments: SEPA Credit Transfer (SCT) for euro bank transfers, and SEPA Direct Debit (SDD) for recurring pull payments (with mandate management requirements that are distinct from ACH direct debit). SEPA Instant Credit Transfer (SCT Inst) provides 24/7/365 settlement in under 10 seconds, fundamentally changing the real-time payment landscape in Europe. Banks connecting to SEPA do so through SEPA scheme participants or directly through the European Central Bank's TARGET2 system for larger institutions. The SEPA rail is mandatory context for any European bank or any bank with significant EUR payment flows.

Fraud Detection Platform (Featurespace / FICO Falcon / Sardine) Transaction fraud detection operates in real time, scoring every transaction before it is authorized or released. For card transactions, the scoring must complete within milliseconds — any latency that delays the authorization response at a merchant terminal is operationally unacceptable. For ACH and wire payments, the fraud scoring can tolerate slightly more latency but must still complete before the payment is released. Modern fraud detection platforms use machine learning models trained on the bank's transaction history, behavioral biometrics (how the customer typically navigates the app, typical transaction patterns, device fingerprints), and consortium data (fraud signals shared across multiple financial institutions). The platform returns a fraud score, a decision (approve, decline, step-up authentication required), and a reason code that feeds into the bank's fraud operations and customer communication workflows.

Open Banking API Gateway (PSD2 / FDX / UK Open Banking) Open banking mandates — PSD2 in Europe, the UK Open Banking Standard, and the emerging FDX standard in the US — require banks to expose regulated APIs that allow licensed third-party providers (TPPs) to access customer account data (with customer consent) and initiate payments on behalf of customers. The Open Banking API Gateway is the regulated interface layer that enforces consent management, strong customer authentication, API versioning, rate limiting, and audit logging for all third-party access. It sits between the external TPP ecosystem (personal finance apps like Mint, payment initiation services, accounting software integrations) and the core banking platform. Connecting to this gateway is how third-party applications legally read a customer's bank balance or initiate a bank transfer without the bank having to build those integrations themselves.

KYC / Credit Bureau Provider (Experian / Equifax / Jumio / Onfido) Before a new customer can open an account, the bank must verify their identity (Know Your Customer) and assess their creditworthiness for credit products. KYC verification involves confirming the customer's identity against government-issued ID documents (Jumio, Onfido, and similar providers handle automated document scanning and biometric matching), checking the customer against sanctions lists (OFAC SDN list, EU consolidated sanctions, UN sanctions), checking politically exposed person (PEP) databases, and checking adverse media. Credit bureau checks (Experian, Equifax, TransUnion) provide credit scores and credit history for lending decisions. These checks happen at account opening and must be repeated at defined intervals for ongoing customer due diligence under AML regulations.

Regulatory Reporting Platform (FFIEC / FCA / ECB Reporting Systems) Banks must submit regular mandatory reports to their prudential regulators covering capital adequacy (Basel III / CRR capital ratios), liquidity coverage, large exposure limits, suspicious activity, and more. In the US, this includes Call Report submissions to the FFIEC, HMDA data to the CFPB, and various Federal Reserve reporting requirements. In the EU, it includes COREP (Common Reporting) and FINREP (Financial Reporting) submissions to the ECB and national competent authorities. These reports are generated from data in the core banking system — account balances, transaction volumes, loan portfolio data — aggregated, formatted, and submitted on defined schedules. Failures to submit on time or submission of inaccurate data are regulatory violations with material consequences.

Payment Rail Architecture Considerations

Understanding the operational characteristics of each payment rail is essential for designing the core banking system's payment processing architecture:

Latency and settlement finality differ dramatically across rails. ACH next-day has settlement finality 24+ hours after origination. ACH same-day shortens this to hours. RTP (Real-Time Payments) and FedNow in the US provide settlement finality in seconds, 24/7/365. SWIFT GPI targets same-day availability but is not real-time. SEPA Instant provides 10-second finality. These differences matter because once settlement is final, the payment is irrevocable — the system's ability to recall or reverse payments changes fundamentally based on which rail was used.

Operating rules compliance is not optional. NACHA's operating rules for ACH origination, SWIFT's operating procedures and GPI compliance norms, and SEPA's scheme rules all impose technical and operational obligations on participating banks. Non-compliance — exceeding ACH return rate thresholds, missing SWIFT GPI tracking requirements, failing to process SEPA instant transfers within the required 10-second window — results in scheme penalties, suspension, or exclusion.

Correspondent banking relationships underpin international payments. No bank connects directly to every country's payment system. SWIFT payments route through correspondent banks that hold accounts for each other (nostro accounts from the originating bank's perspective, vostro from the receiving bank's perspective). Managing these relationships, monitoring their health, and optimizing routing for cost and speed is an ongoing operational function that the architecture must support.

How To Adapt It

You can adapt this template for specific banking contexts:

  • Digital challenger banks: add a Banking-as-a-Service provider (Synapse, Column, Bankable) as an external system if the challenger bank is using an existing bank's charter and core infrastructure rather than holding its own charter. Remove branch operations actors if the bank is app-only.
  • Regional banking modernization programs: add the legacy core banking system (Temenos, FIS, Fiserv) as an external system being migrated from. The context diagram shows the new platform gradually taking over responsibilities from the legacy system.
  • Payments-focused platforms: narrow the scope to ACH, RTP, and FedNow if the product is domestic payments only. Add card scheme connections (Visa, Mastercard) if card issuing or acquiring is in scope.
  • Islamic banking products: the regulatory and product structure differs significantly — replace credit bureau providers with Sharia advisory board interactions, and adjust product terminology to reflect Islamic finance principles.

If your scope is domestic only, remove SWIFT or SEPA. If the system is card-focused, add card processors (TSYS, FIS) and card scheme integrations (Visa, Mastercard) as additional external systems.

When To Use This Template

Use this template when you need to explain:

  • where the core banking system sits in the broader payment network landscape and why payment rails are architectural dependencies, not integrations to figure out later
  • why compliance is structural to the architecture — not a reporting module bolted on — because regulatory obligations shape transaction processing, data retention, and API design
  • how fraud detection systems influence transaction design, latency budgets, and authorization flows
  • why open banking changes the external system boundary and creates a regulated API surface the bank must manage as a product
  • how KYC and sanctions screening are mandatory gates in the customer onboarding and payment processing flows, not optional enrichment
  • why the system serves compliance officers and payment operations specialists as first-class actors alongside retail customers