Transformation Blueprint · June 2026
XOX Pay 2.0
Stabilising the licensed wallet and building the telco-powered AI finance layer.
From BNM-licensed e-wallet to Malaysia's first MVNO-native AI finance platform. XOX already has the licence, the subscribers, and the distribution. The question is execution.
Section 01
Why XOX Must Act Now
Five strategic imperatives that make the eWallet 2.0 rebuild a board-level decision — not an IT project.
Protect the BNM E-Money Licence
The current system has active security exposures — committed signing keys, hardcoded credentials, EOL runtime. A breach or audit failure puts the BNM licence at risk. Licence loss is existential for the eWallet business. BNM's updated Technology Requirements for Payment Services (March 2026) take effect 12 March 2027 — gap analysis is now mandatory.
Stabilise the Live Wallet
Balance logic is mutable — a crash mid-transaction permanently drifts the ledger with no recovery path. The API runs on Python 3.6 (EOL since December 2021) with zero test coverage on money logic. Every transaction processed today carries operational and regulatory risk that compounds daily.
Build the Telco + Wallet Growth Engine
XOX's 1.5M MVNO subscribers are an undermonetised asset. Telco data — reload behaviour, data usage, payment patterns — is the foundation for credit scoring, churn reduction, and ARPU uplift. No other Malaysian e-wallet has this distribution embedded inside a licensed MVNO. The technical foundation must be rebuilt before the data layer can be activated.
Turn eWallet from Cost Centre into Revenue Engine
Current eWallet is a maintenance liability. 2.0 repositions it as an ARPU and churn management platform: merchants accept via QR, subscribers reload seamlessly, AI models drive upsell and engagement. Every feature in the roadmap adds a monetisation lever that pure telco operations cannot access.
The window is 2027 — not open-ended
BNM's Technology Requirements for Payment Services Regulatees (issued March 2026) applies to non-bank e-money issuers. Compliance deadline: 12 March 2027. XOX needs a gap analysis and a remediation action plan now — not at year-end. Starting P0 stabilisation now gives 9–12 months of delivery runway before the BNM deadline closes.
Section 02
Current State — What Is Live Today
A BNM-licensed e-wallet built on a 2021-era Django stack. Live and processing real money — but carrying structural risks that must be addressed before scaling.
What this diagram shows
The current system is a classic 3-tier monolith built in Django. Left: two client surfaces — a React Native mobile app (consumer + merchant wallets) and a PHPRunner back-office portal (ops, finance, KYC). Centre: a single Django 3.2 REST API handling all wallet, transaction, KYC, and payment logic across 9 internal apps — running on Python 3.6, which has received zero security patches since December 2021. Right: one MySQL database storing all data (including mutable balances), with live connections to DuitNow, NPG, and Zoloz eKYC as external rails. The key risk visible here: the entire financial system — money movement, KYC, audit trail — runs through a single EOL API process with no ledger pattern and no test coverage on balance logic.
Business Risk Summary
Section 03
XOX Pay 2.0 — North Star
Not just a better wallet. A telco-powered AI finance platform that connects 1.5M MVNO subscribers to a full-stack financial layer.
XOX Pay 2.0 = Wallet + Telco Data + Merchant Network + AI Intelligence
This is not a technical rebuild for its own sake. It is the platform that turns XOX's telco subscriber base into a financial services distribution network — with BNM compliance built in from day one. Every architectural decision in 2.0 serves this commercial outcome.
Wallet & Ledger Core
Double-entry immutable ledger. Balances derived, never overwritten. Integer sen precision. BNM-grade audit trail. This is the load-bearing foundation — all other features depend on it.
Payment Rails
DuitNow, RPP, NPG — consolidated into a single payment service. One certification point for BNM audits. Idempotent callbacks, retry queues, dead-letter handling.
KYC / Compliance / Fraud
Zoloz eKYC with tiered wallet limits. BNM AML/CFT reporting automated. Fraud scoring on every transaction in real time. XOX compliance team retains ownership and sign-off.
Merchant QR Acceptance
XOX merchants accept payments via QR. Builds closed-loop spend data. Creates a merchant ecosystem that enriches subscriber transaction history for AI models.
Telco Reload / Bill / Rewards
Seamless reload via XOX telco account. Bill payment, data bundle purchase, and loyalty rewards through the wallet. Deepens the subscriber relationship and reduces churn through financial lock-in.
Customer 360 + AI Layer
Churn scoring, ARPU upsell, credit risk, and agentic payment flows — built on clean ledger data + telco behaviour signals. The AI layer is Phase 2+; it requires the ledger foundation first.
Target System Architecture — XOX Pay 2.0
What this diagram shows
The 2.0 target architecture across five horizontal layers. Clients: TypeScript mobile app and a proper React back-office portal (replaces PHPRunner). Gateway: single API gateway enforces rate limits, auth, and idempotency before any request reaches a service. Services: five independent domains — Ledger Core ★ is the load-bearing piece; Payment, Identity, AI/Fraud, and Observability each have clear responsibility boundaries. Data: PostgreSQL for the immutable ledger, Redis for hot reads and distributed locks, Kafka for async event delivery. Rails: external payment and compliance integrations touched only by the Payment and Identity services — not scattered across the codebase. The ★ Ledger Core is intentionally central: everything reads from it; nothing writes balance directly.
Section 04
Recommended Build Model — Hybrid 2.0
Three options considered. One recommended. The Hybrid 2.0 path stabilises first, builds the new ledger in parallel, then migrates module by module — maximum safety for a BNM-regulated system.
Option 1
Patch Legacy
Fix security · Upgrade runtime · Keep old architecture
Addresses immediate vulnerabilities. Upgrades Python and Django. Keeps mutable balance model and existing architecture intact.
✓ Fastest. Lowest cost.
✗ Mutable ledger remains. BNM 2027 tech gap unresolved. Scale ceiling unchanged. Not a foundation for AI.
Survival mode only
Option 2 ★
Hybrid 2.0
Stabilise legacy · Build shadow ledger · Replace modules step-by-step
Stabilise and secure the existing system first. Build the new double-entry ledger in parallel. Validate balances against legacy. Then replace payment, admin portal, and KYC modules one by one. No big-bang cutover.
✓ Licence stays live throughout. Lowest migration risk. Shadow ledger validates before cutover. BNM 2027 compliant path.
✗ More complex to run parallel systems.
Best recommendation
Option 3
Full Greenfield
Full rebuild from scratch · Complete architectural reset
Kotlin + Spring Boot core, double-entry ledger, Kafka event bus, AI/fraud layer from day one. Built to support 1M+ wallets, open banking APIs, BNPL/credit products.
✓ Unlimited scale. Full AI/fraud layer. No legacy debt.
✗ Highest migration risk for BNM-regulated system. BNM engagement required early. 12–17 months before live system is replaced.
Powerful — but higher risk
Hybrid 2.0 — Phased Delivery
P0
Emergency Stabilisation
2–4 weeks · Starts now
Rotate all committed secrets. Deploy secret scanner. Patch Python CVEs. Restrict PHPRunner to internal network. Full dependency audit. Deliverable: no known active exploits.
P1
Compliance & Tech Gap
30–60 days
BNM Technology Requirements gap analysis. Architecture audit. Data mapping. Payment rail mapping. Produce 2027 compliance action plan for XOX compliance team. BNM engagement where required.
P2
Shadow Ledger Core
3–4 months
Build double-entry ledger beside legacy system. No risky migration yet. Validate that shadow ledger reconciles to the cent against live balances in real time. ≥80% test coverage SLA.
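The ledger pattern described under Wallet & Ledger Core (double-entry, balances derived rather than overwritten, integer sen) and the P2 shadow-ledger reconciliation above, as an added illustration that is not part of the blueprint or of any XOX code. `ShadowLedger`, `transfer`, `reconcile` and the account names are hypothetical; the sample balances are constructed, and the "crash" is simulated by skipping the legacy credit.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Posting:
    account: str
    amount_sen: int  # integer sen (RM 1.00 == 100 sen); positive credits, negative debits

@dataclass(frozen=True)
class JournalEntry:
    entry_id: str  # idempotency key, e.g. the payment rail reference (hypothetical naming)
    postings: Tuple[Posting, ...]

class ShadowLedger:
    """Append-only double-entry journal: balances are derived, never stored or overwritten."""
    def __init__(self) -> None:
        self._entries: List[JournalEntry] = []
        self._seen: set = set()

    def post(self, entry: JournalEntry) -> bool:
        """Append one atomic entry; return False if entry_id was already posted (replayed callback)."""
        if entry.entry_id in self._seen:
            return False
        if sum(p.amount_sen for p in entry.postings) != 0:
            raise ValueError(f"unbalanced entry {entry.entry_id}")  # nothing is written
        self._entries.append(entry)  # every posting lands together or not at all
        self._seen.add(entry.entry_id)
        return True

    def balance(self, account: str) -> int:
        # Recomputed from the journal on every call; there is no balance column to drift.
        return sum(p.amount_sen for e in self._entries for p in e.postings if p.account == account)

def transfer(ledger: ShadowLedger, ref: str, src: str, dst: str, amount_sen: int) -> bool:
    if amount_sen <= 0:
        raise ValueError("amount must be a positive number of sen")
    return ledger.post(JournalEntry(ref, (Posting(src, -amount_sen), Posting(dst, amount_sen))))

def reconcile(ledger: ShadowLedger, legacy: Dict[str, int]) -> Dict[str, int]:
    """Map account -> (legacy_sen - ledger_sen) for every account that does not match to the sen."""
    return {a: v - ledger.balance(a) for a, v in legacy.items() if v != ledger.balance(a)}

def demo() -> Dict[str, int]:
    # Constructed sample: two wallets funded with RM 50.00 each from the e-money float account.
    ledger = ShadowLedger()
    transfer(ledger, "topup-1", "float:xox", "wallet:A", 5000)
    transfer(ledger, "topup-2", "float:xox", "wallet:B", 5000)
    legacy = {"wallet:A": 5000, "wallet:B": 5000}  # legacy mutable balance columns
    legacy["wallet:A"] -= 1250  # legacy debits A, then "crashes" before crediting B: RM 12.50 drifts
    transfer(ledger, "p2p-7", "wallet:A", "wallet:B", 1250)  # same transfer, one atomic entry
    transfer(ledger, "p2p-7", "wallet:A", "wallet:B", 1250)  # duplicate callback: ignored
    return reconcile(ledger, legacy)
```

`demo()` reports wallet B as 1250 sen short in the legacy store, which is exactly the mismatch the P2 real-time reconciliation is meant to surface before any cohort is cut over.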
P3
Modular Replacement
4–8 months
Replace payment module. Replace PHPRunner admin portal with React RBAC portal. Migrate KYC/fraud. Rebuild reconciliation. Each module replaced independently — no single cutover risk.
P4
Growth Layer
6–12 months
AI fraud engine. Customer 360. Churn scoring. ARPU upsell. Merchant QR tools. Agentic payment flows. This layer is only possible because the ledger foundation is clean.
BNM
Regulatory Readiness
Runs parallel to all phases
BNM 2027 technology requirements tracked as a first-class workstream — not an afterthought. XOX compliance team leads with Fast Tech support. Gap report → action plan → evidence package → audit readiness.
Why not Full Greenfield first?
For a regulated e-wallet, a full rebuild sounds cleaner — but migration risk is materially higher. A phased Hybrid 2.0 lets XOX stabilise the live wallet immediately, build and validate the new ledger without downtime, and replace modules one by one with clear rollback options at each step. Regulatory impact is assessed early with XOX compliance team and BNM engagement where required — not discovered at go-live.
Section 05
Fast Technology — AI + Wallet Transformation Partner
Not "we fix your code." Fast Technology as XOX's end-to-end transformation partner across technical, product, regulatory, and AI dimensions.
Partner Scope
Technical Audit & Security
P0 remediation. Codebase forensics. Dependency audit. Secret rotation. CVE patching.
PMO & Delivery Governance
Milestone tracking. Phase gate sign-offs. Scope control. Stakeholder reporting.
Product Roadmap
eWallet 2.0 feature prioritisation. Telco + wallet integration sequencing. AI layer phasing.
Data & AI Architecture
Ledger data model. Fraud ML pipeline. Customer 360 schema. Credit scoring architecture.
Wallet 2.0 Build Supervision
Vendor coordination. Code review. Architecture decisions. Shadow ledger validation oversight.
KPI & ROI Tracking
Fraud loss prevention metrics. ARPU uplift measurement. Churn reduction attribution. BNM compliance scorecard.
XOX Retains (Non-Negotiable)
BNM Compliance & AML/CFT
XOX Compliance Officer owns all BNM reporting, AML/CFT decisions, and SAR/STR submissions. BNM fit-and-proper requirement — cannot be outsourced. Fast Tech provides tooling and automation; XOX signs off.
Fraud Operations
Fraud case management, escalation decisions, and final call on account actions are XOX in-house. AI Fraud Engine provides signals and automated STR drafts; XOX compliance team reviews and approves.
MCMC & Regulatory Interface
XOX owns all regulator relationships — BNM, MCMC, FIED. Fast Tech supports with technical documentation and gap analysis; regulatory engagement is XOX's direct responsibility.
E-Money Licence
Licensed entity remains XOX throughout. No change of control on the licensed entity at any phase of the rebuild. BNM licence continuity is a non-negotiable constraint on every architectural decision.
BNM 2027 Readiness Plan
BNM's Technology Requirements for Payment Services (March 2026) covers governance, risk management, fund safeguarding, outsourcing controls, IT/cybersecurity, reporting, and consumer protection. Regulatory impact to be assessed early with XOX compliance team and BNM engagement where required — before P3 module replacement begins.
Section 06
Risk Register
Top risks across both build approaches with proposed mitigations. Hybrid 2.0 is specifically designed to reduce the top two risks.
Active Security Exposures
CRITICAL · Live Now
Committed signing keys and hardcoded DB credentials are live, exploitable exposures. PHPRunner portal is exposed. Every day without remediation is a BNM compliance risk.
Mitigation: P0 triage starts immediately. Key rotation + secret scanner deployment within Week 1.
Migration Cutover Failure
HIGH · Greenfield Path
Balance mismatch between legacy and new system at cutover. BNM-regulated — any reconciliation error is a compliance event. Hybrid 2.0 shadow ledger approach eliminates this risk.
Mitigation: Cohort migration model — never cut a cohort until opening ledger balance reconciles to the cent. Parallel-run period minimum 4 weeks.
BNM Re-certification Risk
HIGH · Both Paths
Material changes to licensed system may require BNM notification or re-certification. The 2027 Technology Requirements deadline adds urgency — inaction is also a compliance risk.
Mitigation: Early BNM engagement (pre-P3). Keep XOX as licensed entity throughout. No change of control on the licensed entity at any phase.
Scope Creep / Timeline Slip
HIGH · Both Paths
Feature additions mid-build are the primary driver of schedule slippage. Each phase gate is a natural scope checkpoint.
Mitigation: Feature freeze after each phase scope sign-off. Change requests priced separately. Milestone payments create natural scope discipline.
Knowledge Transfer Gap
MEDIUM · Both Paths
XOX currently has no internal engineering team. Post-delivery dependency on Fast Tech if no internal capability is built in parallel.
Mitigation: Structured KT sessions throughout with monthly sign-off by XOX internal lead (tied to payment release). XOX hiring plan for 2–3 internal engineers by M4 — shadow during build, not onboard at handover. Documentation-first culture baked into delivery SLA.
DuitNow / NPG Rail Certification
MEDIUM · Modular Replacement
New payment service module requires re-certification with DuitNow and NPG. Certification windows are fixed and may gate go-live dates.
Mitigation: Begin certification process at P2 (parallel to shadow ledger build). 6-month lead time budgeted into timeline.
Section 07
Decision Ask
One clear ask. Low commitment to start. Full blueprint before any major investment.
Approve P0 Stabilisation + 60-Day Wallet 2.0 Blueprint
P0 secures the live system immediately. The 60-day blueprint phase produces the full architecture, BNM gap report, and budget plan before any major build commitment is made. XOX can assess and decide after P1 — with a safer system already in hand.
Deliverables at End of P0 + P1
Secured current codebase — no known active exploits
BNM Technology Requirements gap report + action plan
Wallet 2.0 architecture — confirmed and scoped
Migration roadmap — phased, with rollback options
Budget and manpower plan — fixed-scope P2–P3 proposal
AI + telco monetisation roadmap — ARPU, churn, credit