Financial

Double-entry Ledger at Scale

Authoritative financial ledger that never loses, double-counts, or reorders entries.

Scale to anchor on

Billions of entries, multi-currency, multi-tenant, full audit trail, multi-region disaster recovery.

Requirements

Functional

  • Append-only entries with double-entry semantics: within every transaction, total debits equal total credits, per currency.
  • Multi-currency with explicit FX events.
  • Reconcilable against external sources of truth.
  • Support multi-party splits (platform + connected accounts).

Non-functional

  • Strong consistency for balance reads after entry commit.
  • Cannot lose data.
  • Auditable for regulators years after the fact.

High-level architecture

An append-only log of transactions, each consisting of entries that balance (debits equal credits) against accounts. Balances are never stored as the source of truth; they are derived materialized views that can be rebuilt from the log for any point in time. Replication is multi-region: each write commits synchronously to a quorum within its home region and is replicated asynchronously to other regions for disaster recovery.

Components

Transaction log
Append-only, immutable, the source of truth.
Materialized balance views
Per-account current balances, rebuildable from the log.
Reconciliation service
Compares ledger to bank statements, processor reports, internal events.
FX service
Authoritative rates, each recorded with its source and timestamp, so every conversion can be traced back to the rate it used.

Key decisions

Append-only with derived balances.
Mutating balances in place destroys the audit trail; balances must be views that can be rebuilt from the log, which is what auditors and regulators will ask for years later.
Synchronous regional quorum, async cross-region.
Survives a regional outage with a bounded but non-zero RPO (the cross-region replication lag); fully synchronous cross-region commit would add a cross-region round trip to every write.
Money types, not floats.
Store amounts as integers in the currency's minor unit (or fixed-point decimals with the currency's exponent). Binary floating point cannot represent most decimal amounts exactly, and the rounding error accumulates into settlement drift that can no longer be attributed to any entry.
FX as explicit events.
Implicit currency conversion blurs the audit trail; an explicit FX event is itself a balanced transaction that records the rate, its source and its timestamp, so the conversion can be reconstructed exactly.
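The decisions above (append-only log, balances as a rebuildable view, integer minor units instead of floats, FX as an explicit balanced event) and the multi-party split from the requirements fit in one small in-memory model. The following is an added example written for this page, not code from the original; the currency table, the account names, the 3.20 platform fee and the 150.25 USD/JPY rate are illustrative assumptions.

```python
# Added illustration, not the page's own code: the currency table, account
# names, the 3.20 fee and the 150.25 USD/JPY rate are assumptions.
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_EVEN
from typing import Dict, List, Tuple

EXPONENT = {"USD": 2, "EUR": 2, "JPY": 0, "KWD": 3}   # ISO 4217 minor-unit exponents

def to_minor(amount: str, currency: str) -> int:
    """Parse a decimal string into integer minor units; reject sub-minor precision."""
    q = Decimal(amount).scaleb(EXPONENT[currency])
    if q != q.to_integral_value():
        raise ValueError(f"{amount} has more precision than {currency} allows")
    return int(q)

def fx_convert(minor: int, src: str, dst: str, rate: str) -> int:
    """src minor units -> dst minor units at rate (dst per 1 src); rounds exactly once."""
    major = Decimal(minor).scaleb(-EXPONENT[src])
    out = (major * Decimal(rate)).scaleb(EXPONENT[dst])
    return int(out.quantize(Decimal(1), rounding=ROUND_HALF_EVEN))

@dataclass(frozen=True)
class Entry:
    account: str
    currency: str
    debit: int = 0    # minor units; exactly one of debit/credit is positive
    credit: int = 0

@dataclass(frozen=True)
class Transaction:
    tx_id: int                          # monotonic position in the log
    kind: str                           # e.g. "split_payment", "fx"
    entries: Tuple[Entry, ...]
    meta: Tuple[Tuple[str, str], ...]   # audit data: external ref, rate id, rate

def unbalanced_currencies(entries: List[Entry]) -> Dict[str, int]:
    """{currency: debits - credits} for every currency that does not net to zero."""
    totals: Dict[str, int] = {}
    for e in entries:
        if e.currency not in EXPONENT or min(e.debit, e.credit) < 0 or (e.debit > 0) == (e.credit > 0):
            raise ValueError(f"entry must be one positive debit or credit in a known currency: {e}")
        totals[e.currency] = totals.get(e.currency, 0) + e.debit - e.credit
    return {c: d for c, d in totals.items() if d != 0}

class Ledger:
    def __init__(self) -> None:
        self.log: List[Transaction] = []                    # source of truth
        self._balances: Dict[Tuple[str, str], int] = {}     # incremental view

    def append(self, kind: str, entries: List[Entry], **meta: str) -> Transaction:
        bad = unbalanced_currencies(entries)
        if bad:
            raise ValueError(f"rejected, debits != credits: {bad}")
        tx = Transaction(len(self.log) + 1, kind, tuple(entries), tuple(sorted(meta.items())))
        self.log.append(tx)   # in production: the durable, quorum-committed write
        for e in entries:
            self._apply(self._balances, e)
        return tx

    @staticmethod
    def _apply(view: Dict[Tuple[str, str], int], e: Entry) -> None:
        # Debit-normal: positive = asset/receivable we hold, negative = liability we owe.
        key = (e.account, e.currency)
        view[key] = view.get(key, 0) + e.debit - e.credit

    def rebuild_balances(self) -> Dict[Tuple[str, str], int]:
        """Replay the whole log; the result must equal the incremental view."""
        view: Dict[Tuple[str, str], int] = {}
        for tx in self.log:
            for e in tx.entries:
                self._apply(view, e)
        return view

def currency_totals(view: Dict[Tuple[str, str], int]) -> Dict[str, int]:
    """Global invariant: every currency nets to zero across all accounts."""
    out: Dict[str, int] = {}
    for (_, ccy), bal in view.items():
        out[ccy] = out.get(ccy, 0) + bal
    return out

def demo() -> Ledger:
    """Constructed scenario: a split card payment, then an explicit FX event."""
    led = Ledger()
    gross, fee = to_minor("100.00", "USD"), to_minor("3.20", "USD")
    led.append("split_payment", [              # multi-party split as ONE balanced transaction
        Entry("card_receivable", "USD", debit=gross),
        Entry("connected:acct_A", "USD", credit=gross - fee),
        Entry("platform_fees", "USD", credit=fee),
    ], external_ref="ch_123")
    usd, rate = to_minor("50.00", "USD"), "150.25"
    jpy = fx_convert(usd, "USD", "JPY", rate)  # 7512.5 JPY rounds (half-even) to 7512
    led.append("fx", [                         # explicit FX event, balanced per currency
        Entry("connected:acct_A", "USD", debit=usd),
        Entry("fx_clearing", "USD", credit=usd),
        Entry("fx_clearing", "JPY", debit=jpy),
        Entry("connected:acct_A", "JPY", credit=jpy),
    ], rate_id="rate-0001", rate=rate)         # rate and its id travel with the transaction
    return led
```

Two things to notice: the FX event does not convert "in place"; it moves USD into a clearing account and JPY out of it, so both currencies still net to zero and the rate that produced 7512 is stored on the transaction. And `rebuild_balances()` replaying the log must reproduce the incremental view exactly; running that comparison periodically is the cheapest check that the view has not drifted from the log.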

Pitfalls

  • Storing balances directly without a log.
  • Floats for currency.
  • Writing the debit and credit sides of one transaction in separate database transactions; a failure between them leaves the ledger unbalanced. The same applies to publishing ledger events to other systems outside the committing transaction (no outbox): consumers see events the ledger never committed, or miss ones it did.
  • No daily reconciliation — drift accumulates undetected.
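The reconciliation service compares the ledger to an external source of truth (bank statement, processor report) by matching individual postings on their external reference, not by comparing totals, since offsetting errors cancel in a total. As an added example written for this page, not the page's own code, here is one settlement day's reconciliation in Python over constructed sample data; the `external_ref` matching key and the report layout are assumptions.

```python
# Added illustration, not the page's own code. Both data sets below are
# constructed; the matching key (external_ref) and report layout are assumptions.
from typing import Dict, List, NamedTuple, Tuple

class Posting(NamedTuple):
    external_ref: str   # processor's charge/payout id, stored on the ledger transaction
    currency: str
    amount: int         # minor units

class ReconResult(NamedTuple):
    matched: List[str]
    ledger_only: List[str]          # we posted it, the processor never settled it
    report_only: List[str]          # the processor settled it, we never posted it
    mismatch: Dict[str, Tuple[Tuple[str, int], Tuple[str, int]]]   # ref -> (ledger, report)
    duplicates: List[str]           # "side:ref" seen more than once on that side
    net_difference: Dict[str, int]  # ledger minus report, per currency

def index(postings: List[Posting], side: str, duplicates: List[str]) -> Dict[str, Posting]:
    """Key postings by external_ref; a repeated ref is itself a finding, not merged."""
    out: Dict[str, Posting] = {}
    for p in postings:
        if p.external_ref in out:
            duplicates.append(f"{side}:{p.external_ref}")
        else:
            out[p.external_ref] = p
    return out

def reconcile(ledger: List[Posting], report: List[Posting]) -> ReconResult:
    duplicates: List[str] = []
    lhs, rhs = index(ledger, "ledger", duplicates), index(report, "report", duplicates)
    matched: List[str] = []
    ledger_only: List[str] = []
    report_only: List[str] = []
    mismatch: Dict[str, Tuple[Tuple[str, int], Tuple[str, int]]] = {}
    for ref in sorted(set(lhs) | set(rhs)):
        if ref not in rhs:
            ledger_only.append(ref)
        elif ref not in lhs:
            report_only.append(ref)
        elif (lhs[ref].currency, lhs[ref].amount) == (rhs[ref].currency, rhs[ref].amount):
            matched.append(ref)
        else:
            mismatch[ref] = ((lhs[ref].currency, lhs[ref].amount), (rhs[ref].currency, rhs[ref].amount))
    net: Dict[str, int] = {}   # quantifies drift, but is not the pass/fail criterion
    for p in lhs.values():
        net[p.currency] = net.get(p.currency, 0) + p.amount
    for p in rhs.values():
        net[p.currency] = net.get(p.currency, 0) - p.amount
    return ReconResult(matched, ledger_only, report_only, mismatch, duplicates, net)

def is_clean(r: ReconResult) -> bool:
    """Never test net_difference == 0 alone: offsetting errors cancel in the total."""
    return not (r.ledger_only or r.report_only or r.mismatch or r.duplicates)

# Constructed sample data for one settlement day.
LEDGER_POSTINGS = [
    Posting("ch_1", "USD", 10000),
    Posting("ch_2", "USD", 2500),
    Posting("ch_3", "USD", 999),      # never settled by the processor
    Posting("ch_4", "JPY", 7512),
]
PROCESSOR_REPORT = [
    Posting("ch_1", "USD", 10000),
    Posting("ch_2", "USD", 2450),     # processor netted something we did not record
    Posting("ch_4", "JPY", 7512),
    Posting("ch_5", "USD", 300),      # settled, but no ledger transaction carries this ref
    Posting("ch_1", "USD", 10000),    # report line sent twice
]

if __name__ == "__main__":
    result = reconcile(LEDGER_POSTINGS, PROCESSOR_REPORT)
    for name, value in result._asdict().items():
        print(f"{name:15} {value}")
    print("clean" if is_clean(result) else "DRIFT: investigate before close of day")
```

Every non-empty bucket is a case for a human or an automated adjustment entry (itself appended to the log, never an edit), and a duplicate report line is reported rather than silently merged, because a processor re-sending a record and a processor double-settling look identical in the totals.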

Follow-up questions

  • How do you handle a region-level failure during a transaction?
  • What's the schema for a multi-party split transaction?
  • How are FX rates audited?
  • What's the disaster recovery RPO and RTO?

Related patterns

Further reading