Design and Implementation of a Stable Withdrawal (Outflow) System

Introduction : The withdrawal (outflow) system connects to UnionPay and WangLian to complete user fund settlements. Because any abnormal duplication can cause direct financial loss, the system follows a core principle of stability.

Glossary : Definitions of key terms such as "withdrawal", "WangLian", "UnionPay", "channel", and "reversal" are provided.

Stability Principles :

Do not change the withdrawal serial number after it is generated, ensuring idempotency.

Do not change the transaction time, leveraging channel idempotency for the same day.

Strictly control exception handling: only process clearly successful responses; all other responses go through a manual verification flow.

Capture all system and business exceptions, ensuring that any abnormal condition is either handled automatically or escalated.

Utilize fund‑monitoring mechanisms and multiple fast‑circuit breakers to quickly interrupt outflows during anomalies.

System Construction Process :

1. Integration with UnionPay: synchronous request‑accept interface with asynchronous callbacks for final results. The team initially handled only explicit success states and treated all other statuses as exceptions, relying on manual statistics and retries.

2. Compensation Logic: The system defines four stages of compensation:

Stage 1 – Records stuck in “application” state; compensation re‑issues the request.

Stage 2 – Timeout or no response; compensation queries the transaction, retries, or escalates.

Stage 3 – Long‑awaited asynchronous callback; compensation triggers status queries.

Stage 4 – Upstream does not receive results; a status query API is provided for upstream systems.

3. Operational Functions: Since only successful withdrawals are auto‑processed, all exception cases require manual handling via an operations console offering actions such as "reject", "synchronize", "retry", and "switch channel" (WangLian → UnionPay).

4. Integration with WangLian: Synchronous request/response with optional asynchronous notifications within 7 minutes. WangLian’s handling reduces the chance of reversal because account errors are detected immediately.

Withdrawal Routing Design :

The system supports two channels and must handle channel unavailability, per‑transaction limits, and future extensibility. Two routing implementation options were evaluated: cache‑plus‑in‑memory calculation vs. database aggregation. The database‑based approach was chosen, using SQL SUM for real‑time hourly statistics and periodic batch jobs for older data, achieving performance for up to 500 k withdrawals per hour.

Rule abstraction stores routing rules and details in the database; a rule‑execution engine evaluates conditions dynamically, allowing flexible addition of features such as channel blacklists.

Current Withdrawal Flow : A diagram (image) illustrates the end‑to‑end process, from request generation to channel interaction and final status reporting.

Future Optimizations : Ongoing work focuses on refining designs while maintaining the core stability principle.