In an exclusive interview with Express Computer, Murali Brahmadesam, Chief Technology Officer (CTO) and Head of Engineering, Razorpay, shares insights into the technological innovations and engineering strategies driving the significant growth of Razorpay in recent years. Brahmadesam emphasises Razorpay’s customer-centric approach, operational principles, and commitment to security, compliance, data reliability, and performance optimisation as foundational elements contributing to the company’s success. He discusses recent digital initiatives, advancements in digital transformation, and the integration of AI technologies, particularly in automating routine tasks and ensuring security and compliance. Brahmadesam also discusses the challenges faced in terms of security attacks, technological obstacles, and compliance, highlighting Razorpay’s proactive measures in addressing these challenges. Finally, he shares recommendations for security heads and outlines upcoming technology initiatives focused on democratising AI processes and fostering innovation within the organisation.
What do you attribute to Razorpay’s significant growth in recent years, particularly in terms of technological innovation and engineering strategies?
Our philosophy revolves around prioritising customer needs and working backwards from there. While it’s tempting to incorporate numerous features, our focus lies in determining what truly matters. Operationally, we’ve established key principles, beginning with security as our foremost priority. This entails a proactive approach to addressing security-related issues or potential threats without requiring formal permission. Compliance follows closely, given our status as a regulated entity, necessitating strict adherence to relevant regulations.
Next in line is data reliability, a critical aspect ensuring that transactions are accurately processed, refunds are handled correctly, and reconciliation occurs seamlessly. Our business’s success hinges on minimising financial losses, emphasising the utmost importance of data reliability. Concurrently, we prioritise service availability and reliability to ensure that our systems remain operational, contributing to our attainment of four nines of availability. Preventing transactional disruptions due to service downtime is paramount.
Performance optimisation is another focal point, ensuring that our systems can effectively scale to accommodate fluctuating traffic patterns, such as during sale events or high-traffic periods like IPL matches. By addressing these foundational elements, we pave the way for feature velocity, enabling us to innovate and introduce new functionalities without being bogged down by constant firefighting.
This concerted effort toward establishing robust operational principles and maintaining a customer-centric approach to innovation has been instrumental in our growth trajectory, allowing us to effectively meet customer needs and drive sustainable business expansion.
Could you discuss any recent digital initiatives or advancements in your organisation’s digital transformation journey?
In that regard, let me address the automation of routine tasks. Take our onboarding process, for instance, where merchants visit our webpage to provide details about their businesses and themselves. Previously, all supporting documentation had to undergo manual inspection. Consider a partnership deed, for example. It contains the business name and owners’ details provided in a form. However, verifying this information against the submitted partnership deed was time-consuming, as document formats varied across states. Now, we’ve implemented an assisted AI approach. Using OCR technology, documents are converted into digital formats, allowing our AI to extract relevant information and then we use GenAI to converse with it. This extracted data is then compared with other records, with highlights showing where the information was sourced from in the document. While this process isn’t fully automated to meet regulatory standards, it significantly streamlines validation for human reviewers.
How reliable do you think using GenAI is?
So far, our system has shown impressive performance with documents in English. However, there’s immense potential for improvement when it comes to handling documents in other Indian languages. Fortunately, there are ongoing efforts in both the open community and government sectors, such as Bhashini, aimed at enhancing this capability. With continued focus on two key aspects – increasing the availability of models for different languages and standardising documents – we anticipate significant enhancements. As we continue on this journey, we’ve observed considerable advancements in processing English documents, and we remain optimistic about further progress.
Do you believe there could be questions regarding the authenticity of the outputs being generated?
That’s precisely why I mentioned GenAI. As we discussed in the session, our approach involves assisted extraction, leveraging AI to pinpoint and display the source of extracted information. This way, we’re not solely relying on the document’s output; rather, we’re extracting insights from the process itself. Otherwise, a human operator would need to manually sift through numerous pages to locate the relevant information, consuming a significant amount of time and efficiency. By employing this method, we’re able to significantly enhance productivity and streamline the workflow.
Can you share insights into your approach to ensuring security and compliance, especially considering the sensitive nature of financial transactions?
Certainly, when it comes to our global operating principles, security stands as a cornerstone. Over time, we’ve meticulously honed our best practices for building technology, particularly in terms of safeguarding our services through defence in depth strategies. This entails ensuring that our security principles align with the identity of our services and the individuals accessing them. We implement multi factor authentication, utilise certificates for all communication—encrypting data both in transit and at rest—to fortify our defences comprehensively.
These practices have evolved into a playbook of sorts, facilitating the secure deployment of new services. However, we don’t rest on our laurels; instead, we actively validate our security posture. One way we do this is through bug bounty programs, engaging third-party services to probe and identify any vulnerabilities we may have missed. This proactive approach enables us to swiftly address any issues uncovered, ensuring continuous improvement in our security measures.
Moreover, we prioritise agility in responding to evolving threats. A key aspect of this is our focus on minimising downtime by swiftly detecting and mitigating potential disruptions. By closely monitoring for changes in traffic patterns, particularly indicative of distributed denial of service (DDoS) attacks, we can rapidly reconfigure our infrastructure to mitigate the impact, often within milliseconds of detection.
To stay ahead of emerging threats, we regularly conduct simulated attack scenarios, orchestrating “game day” exercises to assess our readiness and resilience. These proactive measures underscore our commitment to maintaining robust security protocols and ensuring the uninterrupted availability of our services.
What are the biggest challenges you’re facing in terms of security attacks or technological obstacles?
We’ve encountered Distributed Denial-of-Service (DDoS) attacks quite frequently at Razorpay, given the popularity of our service and the potential for exploitation. However, we’ve made significant improvements to our defences, to the extent that I can’t recall the last time an attack had any impact on us. We’ve implemented AI algorithms to enhance our detection capabilities. For instance, if a merchant is hosting a sale, we’ve fine-tuned our systems to avoid mistakenly blocking them under the guise of an attack. By analysing patterns across different merchants, customers, and incoming data, we’ve bolstered our ability to discern legitimate activity from malicious intent. This proactive approach has greatly strengthened our resilience against such threats.
Now, onto compliance. It’s a crucial aspect, particularly for us as a regulated entity subject to frequent audits by various banks. Over the past year, we’ve implemented a Governance, Risk, and Compliance (GRC) framework to streamline our compliance efforts. This framework includes an audit calendar and automated processes for collecting and presenting evidence as per regulatory requirements. As a result, the time and effort spent on audits have significantly reduced, benefiting both our internal teams and external auditors. This past year has been instrumental in automating our compliance processes, ensuring that we can readily provide the necessary evidence whenever required.
Do you have any recommendations for security heads to stay ahead of the curve and effectively combat challenges?
I believe the primary responsibility of CISOs worldwide is to ensure that engineering teams have dedicated bandwidth to address security and compliance matters. This often proves to be the most significant challenge in the industry. While people generally acknowledge the importance of security and compliance, without allocating time for them, progress won’t occur magically.
At Razorpay, we’ve tackled this challenge by committing to designated time slots and establishing clear priorities for all engineers. This means they don’t need explicit permission to address security and compliance tasks. Moreover, project managers are well aware of this approach. During sprint planning sessions, they proactively allocate time for security and compliance activities, ensuring they are adequately prioritised without constantly needing top-level intervention to create bandwidth.
Do you have any upcoming technology initiatives planned for the next six to 12 months?
In AI, our focus over the past year has been on democratising AI processes within the company. Previously, AI model building was primarily centralised within a dedicated team. However, we’ve since embraced tools like DataRobot to empower engineers to develop models autonomously. Looking ahead to the coming year, my optimism stems from the anticipation of witnessing a surge in bottom-up ideas. While some initiatives, like APEX, initially originated from a top-down approach, we’re eager to see a greater influx of ideas bubbling up from various teams. These ideas span a spectrum, from leveraging Gen AI for customer support to enhancing productivity through AI-driven documentation. These are fundamental concepts that the industry at large has been discussing, and our aspiration for the upcoming year is to foster a culture where every team contributes something innovative in the field of AI. To facilitate this shift, we’re revamping our SDLC model. Product managers are now encouraged to integrate AI considerations from the outset, ensuring it’s not an afterthought but an integral part of the design process. With this approach, we envision the next FTX will witness a multitude of launches rooted in AI, potentially numbering in the hundreds.