Design the mobile-to-mobile transfer system that lets a Chime member move money between their Chime account and an external bank account (or vice-versa) from inside the Chime app. The flow must work for 8 M active members, sustain 50 K peak transfers per second, guarantee exactly-once semantics, and never place a member’s ledger in an inconsistent state. You must support two rails: (1) ACH (1–3 business-day settlement) and (2) instant debit-card push (sub-30 s) where the external bank supports it.

Start with account linking: allow members to add an external account via Plaid OAuth (instant) or micro-deposit verification (1–2 days). Once linked, expose a single “Transfer” endpoint that accepts {from_account_id, to_account_id, amount, currency, idempotency_key}. Before touching any rail, enforce the ownership gate: the caller must own at least one side of the transfer and the other side must be either their own Chime account or their own linked external account; reject pure external-to-external requests at the API layer.

Immediately adjust the member’s available_balance (but not ledger_balance) and write a pending_hold row so the UI reflects the deduction while the rail is in-flight. Build a state machine for every transfer—INITIATED → HELD → SENT → SETTLED or FAILED or RETURNED—and expose long-polling & push notifications so the member sees real-time status. ACH returns can arrive up to 60 days later; when one does, reverse the ledger_balance, claw back any already-spent funds, notify the member, and optionally freeze the account for fraud review.

Provide idempotency across retries, duplicate SNS/SQS events, and client re-submissions. Discuss how you would partition the ledger service, shard the transfer table, guarantee at-least-once delivery to partner banks, and still keep p99 latency for the member below 200 ms. Address regulatory requirements: Reg E for consumer protections, Nacha rules for ACH, and BSA/AML screening before funds leave the bank.

Finally, outline your observability strategy (distributed tracing, ledger-inconsistency alerts, ACH return rate dashboards) and how you would detect and mitigate fraudulent external-account linking.
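One way to sketch the ownership gate, idempotent submission and pending hold described above, as an added example that is not part of the original prompt. In-memory dicts stand in for the ledger and transfer tables, and every class and field name other than the endpoint's request fields is an assumption.

```python
from dataclasses import dataclass
from decimal import Decimal

class TransferRejected(Exception):
    """Raised at the API layer, before any rail is touched."""

@dataclass
class Account:
    account_id: str
    owner_id: str
    kind: str                      # "chime" or "external" (a linked account)
    available_balance: Decimal = Decimal("0")
    ledger_balance: Decimal = Decimal("0")

class TransferService:
    def __init__(self, accounts):
        self.accounts = {a.account_id: a for a in accounts}
        self.transfers = {}        # (caller_id, idempotency_key) -> transfer row
        self.pending_holds = []    # stands in for the pending_hold table

    def create_transfer(self, caller_id, from_account_id, to_account_id,
                        amount, currency, idempotency_key):
        key = (caller_id, idempotency_key)
        request = (from_account_id, to_account_id, Decimal(amount), currency)
        if key in self.transfers:  # retry or duplicate event: replay, never re-apply
            if self.transfers[key]["request"] != request:
                raise TransferRejected("idempotency_key reused with a different request")
            return self.transfers[key]
        src = self.accounts.get(from_account_id)
        dst = self.accounts.get(to_account_id)
        if src is None or dst is None or src is dst:
            raise TransferRejected("unknown or identical accounts")
        # Ownership gate: each side must be the caller's own Chime or linked account.
        if src.owner_id != caller_id or dst.owner_id != caller_id:
            raise TransferRejected("caller does not own both sides")
        if src.kind == "external" and dst.kind == "external":
            raise TransferRejected("external-to-external is not allowed")
        if request[2] <= 0:
            raise TransferRejected("amount must be positive")
        row = {"request": request, "state": "INITIATED"}
        if src.kind == "chime":    # outbound: hold funds, leave ledger_balance alone
            if src.available_balance < request[2]:
                raise TransferRejected("insufficient available balance")
            src.available_balance -= request[2]
            self.pending_holds.append((key, from_account_id, request[2]))
            row["state"] = "HELD"  # assumption: inbound pulls place no hold here
        self.transfers[key] = row
        return row
```

In a real service the duplicate check, balance check and hold would have to commit in one database transaction backed by a unique constraint on the idempotency key, so that two concurrent retries cannot both place a hold.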