Service Portfolio & Workflow Document

Moneyout Full System

Complete service portfolio, business workflows, security controls, and external integrations — covering the full Moneyout platform: backend API, admin web, mobile wallet app, and POS. Prepared for external auditors, compliance officers, and internal control.

System: Moneyout — Full Platform
Backend: Laravel (PHP) · REST API · MySQL
Admin Web: Angular · NgRx · Angular Material
Mobile Wallet: Mobile App · Wallet API · FCM
Audience: External Auditors · Compliance · Internal Control
This document is prepared for auditors and compliance review. It covers the full Moneyout platform: (1) backend REST API services and business logic, (2) Angular admin/operator web application workflows, (3) mobile wallet app flows (registration, send money, wallet-to-wallet), (4) POS 3D-secure payment flows, (5) all security controls and middleware, and (6) every external integration. No source code or internal implementation details are included.
19 Service Groups · 13 Workflows · 16 Integrations · 10 Security Controls · 79 Flow Diagrams · 39 Audit Checklist Items
Confidential — For Audit Use Only · MoneyOut
📋

Executive Summary

Purpose, scope, and document control

Purpose

This Service Portfolio & Workflow Document provides auditors with a complete, structured view of the full Moneyout platform — covering all products and services: the backend REST API, Angular admin/operator web application, mobile wallet app, and POS payment system. It serves as the authoritative reference for compliance review, access control verification, and process audit.

For auditors: Use this document to understand (1) what services and products the full platform provides and which roles operate them, (2) how each business transaction flows end-to-end across all layers (UI → API → external party), (3) what security controls are in place at each layer, and (4) which external parties the system connects to and for what purpose.

Platform Overview

The Moneyout platform consists of four components working together:

  • 1. Backend REST API — Laravel (PHP), MySQL, Laravel Sanctum. Core business logic: money transfers, EFT, wallets, risk/AML, accounting, KYC, POS, commissions. Exposes all services via HTTPS REST endpoints.
  • 2. Angular Admin Web Application — Angular, NgRx, Angular Material, ngx-translate (EN/TR/AR, RTL). Used by Admin, Operator, SuperOperator, Teller, Agent, Risk, and Accountant roles for all back-office operations.
  • 3. Mobile Wallet App — Used by wallet customers for registration, KYC, deposits/withdrawals, wallet-to-wallet transfers, and international sends (via Ria/Korona). Push notifications via FCM.
  • 4. POS Payment System — 3D-secure card payment terminal management via Paygate/FzyPay. Merchants, terminals, payment profiles, and card type configuration.

All four components share the same backend API, security model, and data store. External integrations (transfer networks, banks, KPS, Sumsub, Logo ERP, PayCell, SMS) are consumed exclusively by the backend.

Document Control

Field | Value
Document Title | Moneyout — Full Platform Service Portfolio & Workflow Document
Version | 1.0
Date |
Classification | Confidential — For Audit Use Only
Owner | Product / Compliance Team
Audience | External Auditors, Compliance Officers, Internal Control

Version History

Version | Date | Changes
1.0 | | Initial release — full service portfolio, workflows, security controls, external integrations, access control matrix, SoD, audit checklist, and data retention for audit.
📦

Service Portfolio

All services provided by the Moneyout Core System

The system is organized into 19 service groups. Each group corresponds to a set of related API endpoints, business logic, and (where applicable) external integrations. The table below provides a complete inventory.

  • 🔐 Authentication & Security: Login, OTP, password, token, IP/time guards, role routing
  • 💸 Money Transfers (Send/Pay): Outbound send, cash pickup pay, Ria/Korona/Aysar integration, fee/FX
  • 🏦 EFT (Domestic Transfers): Single and bulk Excel EFT to Turkish IBAN accounts
  • 👥 Customer Management: Personal and corporate customers, KPS ID verification, documents
  • 🏪 Agent & Teller Management: Agents, sub-agents, tellers, orchestration, work areas
  • 💼 Wallet Operations: Wallet customers, deposit/withdraw, W2W, IBAN transfer, cards
  • 🪪 KYC & Verification: KYC types/groups, document upload, NFC, Sumsub, liveness
  • ⚠️ Risk & AML: Scenarios, formulas, black list, age risk, simulation, flag/hold/block
  • 📒 Accounting & GL: Manual entry, vouchers, Logo ERP sync, account statements
  • 🛒 POS & Payments: 3D-secure POS, merchants, terminals, payment profiles, card types
  • 📄 Invoice & Subscriptions: PayCell invoice search/pay/refund, subscription management
  • 💰 Commission & Fees: Agent commission rules, fee configuration, cost calculation
  • ✅ Approval Pool: Transfer hold queue, approve/reject/cancel, department routing
  • 🔔 Notifications & Alerts: Inner system notifications, FCM, alert management, campaigns
  • 📊 Reports & Analytics: Wallet/system/risk reports, earning, account statement, Excel export
  • 🏢 Intercompany / Intermediary: Inter-company transfers, matching (mutabakat), reconciliation
  • ⚙️ System Configuration: Config keys, worker queue, health checks, OTP rules, saved filters
  • 🌐 External Integrations: Ria, Korona, Albaraka, VakifBank, KPS, Logo ERP, Sumsub, Tranglo, Instacash, PayCell, DataportSMS
  • 🛡️ Security Architecture: Middleware stack, IP/time/role guards, Sanctum token, rate limiting

Service inventory table

# | Service Group | Description | Key Roles
1 | 🔐 Authentication & Security | Login, OTP, password, token, IP/time guards, role routing | All authenticated users
2 | 💸 Money Transfers (Send/Pay) | Outbound send, cash pickup pay, Ria/Korona/Aysar integration, fee/FX | Teller, Agent, Operator
3 | 🏦 EFT (Domestic Transfers) | Single and bulk Excel EFT to Turkish IBAN accounts | Teller, Agent, Operator
4 | 👥 Customer Management | Personal and corporate customers, KPS ID verification, documents | Teller, Agent, Operator
5 | 🏪 Agent & Teller Management | Agents, sub-agents, tellers, orchestration, work areas | Operator, Admin
6 | 💼 Wallet Operations | Wallet customers, deposit/withdraw, W2W, IBAN transfer, cards | Teller, Agent, Wallet User
7 | 🪪 KYC & Verification | KYC types/groups, document upload, NFC, Sumsub, liveness | Operator, Wallet User
8 | ⚠️ Risk & AML | Scenarios, formulas, black list, age risk, simulation, flag/hold/block | Risk Officer, Operator
9 | 📒 Accounting & GL | Manual entry, vouchers, Logo ERP sync, account statements | Accountant
10 | 🛒 POS & Payments | 3D-secure POS, merchants, terminals, payment profiles, card types | Operator, Admin
11 | 📄 Invoice & Subscriptions | PayCell invoice search/pay/refund, subscription management | Operator, Agent
12 | 💰 Commission & Fees | Agent commission rules, fee configuration, cost calculation | Operator
13 | ✅ Approval Pool | Transfer hold queue, approve/reject/cancel, department routing | Operator, Admin
14 | 🔔 Notifications & Alerts | Inner system notifications, FCM, alert management, campaigns | All roles, Wallet User
15 | 📊 Reports & Analytics | Wallet/system/risk reports, earning, account statement, Excel export | Operator, Admin, Accountant, Risk
16 | 🏢 Intercompany / Intermediary | Inter-company transfers, matching (mutabakat), reconciliation | Operator, Admin
17 | ⚙️ System Configuration | Config keys, worker queue, health checks, OTP rules, saved filters | Operator, Admin
18 | 🌐 External Integrations | Ria, Korona, Albaraka, VakifBank, KPS, Logo ERP, Sumsub, Tranglo, Instacash, PayCell, DataportSMS | System (automatic)
19 | 🛡️ Security Architecture | Middleware stack, IP/time/role guards, Sanctum token, rate limiting | System / DevOps
📖

Glossary

Terms and definitions used in this document

Term | Definition
Sanctum | Laravel Sanctum — token-based authentication. Issues per-user API tokens; used as Bearer token in every request header.
OTP | One-Time Password — 6-digit code sent via SMS (DataportSMS). Required for login, transfer confirmation, password reset.
KYC | Know Your Customer — identity and document verification for wallet customers (document upload, NFC, Sumsub liveness).
KPS | Population Registry System (Turkey) — Nüfus Müdürlüğü. TC (Turkish ID) lookup for identity verification.
MERSIS | Central Trade Registry System (Turkey) — used for corporate customer verification.
EFT | Electronic Funds Transfer — domestic bank transfer to Turkish IBAN accounts.
IBAN | International Bank Account Number — used as beneficiary identifier for EFT transfers.
HOLD | Risk action: transfer is paused and sent to Approval Pool for manual review before execution.
BLOCK | Risk action: transfer is rejected immediately. User notified. No execution.
FLAG | Risk action: transfer proceeds normally but is logged in Triggered Risk Report for compliance monitoring.
Approval Pool | Queue of transfers placed on HOLD by risk scenarios. Operators review and approve/reject.
Voucher | Accounting record auto-created for each completed transaction. Contains debit/credit lines. Must be verified before posting to GL.
GL | General Ledger — the master accounting record. Verified vouchers are posted here.
Logo ERP | Logo Tiger — external ERP system. Verified vouchers are synced from Moneyout GL to Logo for official accounting.
Mutabakat | Turkish term for reconciliation / matching. Used in intercompany and bank reconciliation processes.
FCM | Firebase Cloud Messaging — push notification delivery to mobile wallet app users.
3D Secure | 3-Domain Secure — card payment authentication protocol for POS payments (Paygate/FzyPay).
Orchestration | Agent orchestration — rules defining which products (Send, Pay, EFT) an agent can offer, with limits and conditions.
Sumsub | Third-party KYC platform for biometric and document verification of wallet customers.
🛡️

Security Architecture

Layered security controls protecting every service

Every API request passes through a middleware stack before reaching the controller. Security is enforced at multiple layers: network (IP allowlist), time (working hours), token (Sanctum), user state (active/blocked), and role (operator/admin). The diagram below shows the stack order.

Middleware execution order (every protected request)

Client Request → HTTPS/TLS → auth:sanctum (token) → localization → Checkip (IP guard) → Checkworktime (hours guard) → BlockUserInactive (status guard) → Isoperator / IsAdmin (role guard) → Controller → Response

Security controls — audit checklist

Control | Mechanism | Description
Token authentication | Laravel Sanctum | Bearer token issued at login. Every protected endpoint validates token. Stateless, per-user tokens with revocation support.
IP restriction | Checkip middleware | Client IP checked against per-agent/user allowlist. Requests from unknown IPs rejected.
Working hours | Checkworktime | Access restricted to configured working hours. Prevents off-hours access from agent/teller terminals.
Inactive user block | BlockUserInactive | Suspended, archived, or disabled users cannot access any protected endpoint regardless of valid token.
Role-based access | Isoperator / IsAdmin | Endpoints for config, reports, agent management, rule changes restricted to Operator/Admin roles.
OTP step-up | AuthController + DataportSMS | Sensitive operations (transfer confirm, password reset, wallet KYC) require OTP delivered via SMS.
Rate limiting | Laravel default + IpDailyLoginLimiter | Login and OTP endpoints rate-limited per IP. Too many failed logins block the IP.
Audit logging | LogController | Request/response logs, login logs, OTP logs, teller/agent/admin action logs. Stored per type and readable by authorized roles.
HTTPS / TLS | Server + external APIs | All external integration calls (Ria, Korona, banks, KPS, Sumsub, Logo) use TLS. Server-side HTTPS enforced.
Blacklist checks | BlackListCustomerController | Every Pay Money payout checked against blacklist. Customer and transfer company blacklists maintained and updated.
Note for auditors: IP restriction (Checkip) and working-hours restriction (Checkworktime) are applied at the application layer, not the network layer. Network-level firewall rules should be reviewed separately with the DevOps team.
🔒

Middleware & Access Controls

Which middleware is applied to which endpoint groups

Middleware | Purpose | Applied to | Behavior
auth:sanctum | Token authentication | All protected endpoints | Validates Bearer token (Laravel Sanctum). Rejects unauthenticated requests with 401.
localization | Language / locale | All protected + some public | Sets app locale (EN/TR/AR) from request header. Supports RTL for Arabic.
Checkip | IP allowlist control | Most protected endpoints | Validates client IP against allowlist. Blocks unauthorized IPs.
Checkworktime | Working hours restriction | Most protected endpoints | Restricts access to configured working hours (e.g. 08:00–22:00). Blocks outside hours.
BlockUserInactive | Inactive user block | All protected endpoints | Checks if user is active. Blocks suspended, archived, or disabled accounts.
Isoperator | Operator role guard | Config, reports, agent, rules | Allows only users with Operator or SuperOperator role. Returns 403 for others.
IsAdmin | Admin role guard | Admin-only config endpoints | Allows only Admin role. Used for destructive operations (delete bank, customer ID table, agent chart).
Access control matrix (summary): All endpoints require auth:sanctum except public endpoints (country list, currencies, wallet app status, reset-password flow). Operator-only config endpoints additionally require Isoperator. Admin-only destructive operations additionally require IsAdmin.
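
One way to test the rules above (checklist items AC-01 and AC-05 to AC-08) against a route inventory, as an added example that is not Moneyout code. The export shape (method, uri, middleware in execution order), the URI-to-class mapping, and the /systemsetting/banks/delete path are assumptions; the route list is constructed sample data.

```python
import json

# Stack order as documented: auth first, role guards last.
STACK_ORDER = ["auth:sanctum", "localization", "Checkip", "Checkworktime",
               "BlockUserInactive", "Isoperator", "IsAdmin"]

# Middleware each endpoint class must carry, per the access control summary.
REQUIRED = {
    "public": set(),
    "protected": {"auth:sanctum", "BlockUserInactive"},
    "operator": {"auth:sanctum", "BlockUserInactive", "Isoperator"},
    "admin": {"auth:sanctum", "BlockUserInactive", "IsAdmin"},
}
# Applied to "most" protected endpoints: absence is a review item, not a failure.
EXPECTED_MOST = {"Checkip", "Checkworktime"}

# Auditor's expected class per URI prefix (assumption; first match wins).
CLASSIFICATION = [
    ("/systemsetting/banks/delete", "admin"),  # hypothetical destructive path
    ("/systemsetting/", "operator"),
    ("/resetpassword", "public"),
]
DEFAULT_CLASS = "protected"

FULL = '["auth:sanctum", "localization", "Checkip", "Checkworktime", "BlockUserInactive"]'

# Constructed route inventory (not real Moneyout configuration).
SAMPLE_ROUTES = """[
  {"method": "POST", "uri": "/resetpassword", "middleware": ["localization"]},
  {"method": "POST", "uri": "/transfer/store", "middleware": %s},
  {"method": "POST", "uri": "/systemsetting/otp/store", "middleware": %s},
  {"method": "POST", "uri": "/systemsetting/banks/delete",
   "middleware": ["auth:sanctum", "BlockUserInactive", "Isoperator"]},
  {"method": "POST", "uri": "/pool/update",
   "middleware": ["Isoperator", "auth:sanctum", "localization", "Checkip",
                  "Checkworktime", "BlockUserInactive"]},
  {"method": "POST", "uri": "/walletcommon/walletBalance",
   "middleware": ["auth:sanctum", "localization"]}
]""" % (FULL, FULL)


def load_routes(text):
    """Parse the exported route inventory (JSON array of route objects)."""
    return json.loads(text)


def classify(uri):
    """Return the expected endpoint class for a URI."""
    for prefix, cls in CLASSIFICATION:
        if uri.startswith(prefix):
            return cls
    return DEFAULT_CLASS


def order_violations(middleware):
    """Return (earlier, later) pairs that contradict the documented stack order."""
    ranked = [(STACK_ORDER.index(m), m) for m in middleware if m in STACK_ORDER]
    return [(a, b) for (ra, a), (rb, b) in zip(ranked, ranked[1:]) if ra > rb]


def audit_route(route):
    """Return (severity, uri, detail) findings for one route."""
    uri, present = route["uri"], set(route["middleware"])
    cls = classify(uri)
    findings = []
    for name in sorted(REQUIRED[cls] - present):
        findings.append(("FAIL", uri, f"missing {name} (class: {cls})"))
    for earlier, later in order_violations(route["middleware"]):
        findings.append(("FAIL", uri, f"{earlier} runs before {later}"))
    if cls != "public":
        for name in sorted(EXPECTED_MOST - present):
            findings.append(("REVIEW", uri, f"no {name}; confirm exemption"))
    return findings


def audit(routes):
    """Audit every route and return all findings in input order."""
    return [f for route in routes for f in audit_route(route)]


if __name__ == "__main__":
    for severity, uri, detail in audit(load_routes(SAMPLE_ROUTES)):
        print(f"{severity:6} {uri}: {detail}")
```

REVIEW findings are not failures: the middleware table applies Checkip and Checkworktime to "most" protected endpoints, so each exemption needs a documented reason.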
🔑

Access Control Matrix

Which role can perform which operation — 37 operations × 9 roles

The table below maps every significant operation to the roles that may perform it. This matrix is derived from the middleware stack, route guards (Isoperator, IsAdmin), and application-level permission checks.

Legend: ✅ Full access  |  👁 Read-only  |  ⚠️ Limited / conditional  |  — Not permitted. For auditors: verify this matrix against actual endpoint middleware and role checks in the codebase.
Operation | Admin | Operator | SuperOperator | Teller | Agent | SubAgent | Risk | Accountant | InternalControl
Login / OTP
View dashboard / KPIs👁👁👁👁👁
Create money transfer (Send Money)⚠️
Execute cash payout (Pay Money)
Cancel / refund transfer⚠️⚠️
Create / manage EFT
Create / edit customer
Archive customer
Create / edit agent
Create / edit teller
Set agent orchestration / products
Wallet deposit / withdraw (agent)
Wallet-to-wallet transfer
Approve / reject KYC documents
Review / approve pool item
Escalate pool item
Create / activate risk scenario
Simulate risk scenario
Add / edit black list customer
View risk flag / triggered reports
View unverified vouchers👁
Verify voucher / post to GL
Create manual journal entry
Retry Logo ERP sync
Run / export reports (System)
Run / export reports (Wallet)
Run / export reports (Risk)
Configure system settings / keys
Delete bank / customer ID table (destructive)
View activity log
POS terminal / merchant config
Pay invoice (PayCell)
View notifications / alerts
Acknowledge alerts
Manage commission / fee rules
View intercompany matching (mutabakat)
Archive management (view archived records)
Note: SubAgent permissions are a subset of Agent permissions and depend on orchestration rules set by the parent agent. InternalControl has read-only access to most areas for audit purposes.
⚖️

Segregation of Duties (SoD)

Who initiates, who approves, who executes, who verifies — for every critical process

Segregation of Duties ensures that no single person can initiate, approve, and execute a financial or sensitive operation without oversight. The table below documents SoD for every critical process in the system.

For auditors: Key SoD controls to verify — (1) money transfer approval-vs-execution separation, (2) accounting voucher auto-creation vs. manual verification, (3) risk scenario creation vs. activation, (4) pool approval isolation. Gaps should be raised as findings.
Process | Initiate | Approve / Authorise | Execute | Verify / Reconcile | Audit / Review
Money Transfer (Send) | Teller / Agent | Operator (if pool-held) | System via transfer company API | Accountant (voucher verify) | InternalControl / Admin
Cash Payout (Pay Money) | Teller / Agent | OTP confirmation (sender/teller) | System via company API | Accountant (voucher verify) | InternalControl / Admin
EFT Domestic Transfer | Teller / Agent / Operator | | System via bank API | Accountant (voucher verify) | InternalControl / Admin
Wallet Deposit | Agent | OTP (if required) | System (WalletOperationCtrl) | Accountant (voucher) | InternalControl / Admin
Wallet Withdrawal | Agent | OTP (if required) | System (WalletOperationCtrl) | Accountant (voucher) | InternalControl / Admin
Accounting Voucher Post | System (auto-create) | Accountant (review) | Accountant (verify to GL) | Logo ERP (sync) | InternalControl / Admin
Risk Scenario Activate | Risk Officer (create) | Risk Officer (simulate + accept) | Risk Officer (activate) | Risk Officer (triggered report) | InternalControl / Admin
Pool Approval | Risk Engine (HOLD) | Operator (review) | SuperOperator (escalate) or Operator (approve/reject) | Accountant | InternalControl
KYC Document Approval | Wallet Customer (upload) | Operator (review) | Operator (approve/reject) | Wallet system (limit upgrade) | InternalControl / Admin
New Agent / Teller Setup | Operator (create) | Admin (if config required) | System (activate) | Operator (orchestration rules) | InternalControl / Admin
Logo ERP Sync | System (auto post verify) | Accountant (verify voucher) | LogoService (auto sync) | Accountant (retry if failed) | InternalControl / Admin
POS 3D Payment | Operator / Agent | Customer (3D bank auth) | Paygate / FzyPay API | CallbackController (verify) | Admin / InternalControl

Key SoD controls — summary

  • Transfer initiation vs. approval: Teller/Agent initiates; Operator approves (when risk HOLD applies). System executes.
  • Accounting voucher: System auto-creates (no human can initiate a fake voucher without a real transaction); Accountant verifies; Logo ERP receives only verified vouchers.
  • Risk activation: Risk officer creates and activates. No 4-eyes enforced at system level — auditors should check if organisational controls compensate.
  • KYC approval: Wallet customer uploads; Operator reviews and approves — two separate parties.
  • Pool approval: Risk engine triggers HOLD; Operator or SuperOperator approves. Same operator who submitted transfer should not approve the pool item.

Audit Checklist

39 audit points across 10 control areas — with cross-references to this document

Use this checklist as your primary working paper. Each item is tagged with an ID for referencing in audit findings. The Where to verify column links each item to the relevant section or workflow in this document.

For auditors: Tick each item after verification. Raise findings for any item that cannot be confirmed. Items marked with a ⚠️ note are areas where system controls rely on organisational / manual compensating controls.

Authentication (4 items)

ID | Checklist item | Where to verify
AC-01 | Confirm all API endpoints require a valid Sanctum Bearer token (except public endpoints). | Middleware matrix · auth:sanctum row
AC-02 | Verify OTP is required for login and sensitive operations (transfer confirm, password reset). | Workflow: Authentication & Token Lifecycle (B02)
AC-03 | Confirm rate limiting is applied to login and OTP endpoints to prevent brute-force. | Security Architecture · Rate limiting row
AC-04 | Verify token revocation is possible (Sanctum per-user tokens). | Security Architecture section

Access Control (5 items)

ID | Checklist item | Where to verify
AC-05 | Verify IP allowlist (Checkip) is active for all protected endpoints. | Middleware matrix · Checkip row
AC-06 | Verify working-hours restriction (Checkworktime) is configured and active. | Middleware matrix · Checkworktime row
AC-07 | Confirm BlockUserInactive prevents access for suspended/archived users. | Middleware matrix · BlockUserInactive row
AC-08 | Confirm Isoperator and IsAdmin guards restrict destructive endpoints to correct roles. | Access Control Matrix · destructive operations row
AC-09 | Review Access Control Matrix: no role has unnecessary permissions (least privilege). | Access Control Matrix section

Segregation of Duties (5 items)

ID | Checklist item | Where to verify
SD-01 | Confirm money transfer initiation and approval are performed by different roles. | SoD Matrix · Money Transfer row
SD-02 | Confirm accounting voucher creation (auto by system) is separate from verification (accountant). | SoD Matrix · Accounting Voucher Post row
SD-03 | Confirm risk scenario activation requires the same risk officer who created it (no 4-eyes for risk activation — flag if concern). | SoD Matrix · Risk Scenario Activate row
SD-04 | Confirm pool approval (HOLD transfers) cannot be approved by the same operator who initiated. | SoD Matrix · Pool Approval row
SD-05 | Confirm Logo ERP sync is triggered automatically — accountant cannot bypass GL posting. | SoD Matrix · Logo ERP Sync row

Money Transfers (5 items)

ID | Checklist item | Where to verify
MT-01 | Verify blacklist check is performed on every cash payout (Pay Money). | Workflow: Cash Pickup Pay-Out (B04) · Step 3
MT-02 | Verify risk scenarios are evaluated on every new transfer before execution. | Workflow: Risk & AML Evaluation (B08)
MT-03 | Confirm HOLD transfers cannot be executed without pool approval. | Workflow: Approval Pool (wf-approval)
MT-04 | Verify BLOCK transfers are rejected and logged with reason. | Workflow: Risk & AML Evaluation (B08) · BLOCK branch
MT-05 | Confirm cost calculation (fee + commission + FX) is applied before transfer confirmation. | Workflow: Money Transfer Backend Flow (B03) · Step 2

EFT (3 items)

ID | Checklist item | Where to verify
EFT-01 | Verify IBAN validation is applied to all EFT records before submission to bank. | Workflow: EFT Domestic Transfer (B05) · Step 2
EFT-02 | Confirm bulk EFT invalid rows are reported back and not silently skipped. | Workflow: EFT Domestic Transfer (B05) · Step 3
EFT-03 | Verify EFT status callbacks update the transfer status (Completed/Failed) in the system. | Workflow: EFT Domestic Transfer (B05) · Step 5

Wallet (3 items)

ID | Checklist item | Where to verify
WL-01 | Verify wallet operations enforce daily/monthly limits per customer and KYC level. | Workflow: Wallet Deposit/Withdrawal (B06) · Step 3
WL-02 | Confirm wallet-to-wallet transfers require OTP if configured. | Workflow: Wallet W2W (M03) · Step 7
WL-03 | Verify KYC approval is required before limit upgrades are applied. | Workflow: KYC & Document Verification (B07) · Step 5

Accounting (3 items)

ID | Checklist item | Where to verify
ACC-01 | Confirm every completed transfer auto-creates an accounting voucher. | Workflow: Accounting & Logo ERP Sync (B09) · Step 1
ACC-02 | Verify unverified vouchers are in a separate queue and cannot auto-post without accountant action. | Workflow: Accounting & Logo ERP Sync (B09) · Step 4
ACC-03 | Confirm Logo ERP sync failure triggers retry mechanism and is visible to accountant. | Workflow: Accounting & Logo ERP Sync (B09) · Step 6

Integrations (4 items)

ID | Checklist item | Where to verify
EI-01 | Verify all external API credentials are stored in environment config, not in source code. | External Integrations section · note
EI-02 | Confirm all external API calls use HTTPS/TLS. | External Integrations section
EI-03 | Review data sharing with each external party — confirm only minimum necessary data is shared. | External Integrations section · auditor note
EI-04 | Verify DPA/contracts exist for all external parties (Ria, Korona, KPS, Sumsub, Logo, PayCell). | Compliance team review

Audit Logging (5 items)

ID | Checklist item | Where to verify
LOG-01 | Confirm request/response logs are retained and accessible to authorized roles. | Data Retention & Logging section
LOG-02 | Verify login logs (success and failure) are retained and include IP and timestamp. | Data Retention & Logging section
LOG-03 | Confirm OTP logs are retained and include user, timestamp, result. | Data Retention & Logging section
LOG-04 | Verify teller/agent action logs are available and not editable by those roles. | Activity Log section
LOG-05 | Confirm accounting audit trail: every voucher has a create timestamp, create user, and verifier. | Accounting workflow

POS (2 items)

ID | Checklist item | Where to verify
POS-01 | Verify 3D secure is enforced for all card payment sessions. | Workflow: POS 3D Payment (B10/P01)
POS-02 | Confirm callback signature verification prevents unauthorized payment completion. | Workflow: POS 3D Payment (B10) · Step 4
🗄️

Data Retention & Logging

What data is stored, for how long, and who can access it

All transaction data, logs, accounting records, and KYC documents are stored in the MySQL database and/or server file storage. The table below documents each data category, its storage location, retention policy, and access control.

For auditors: Items with Configurable retention should have a documented retention policy reviewed by the compliance team. Items marked Indefinite are retained until explicitly archived or deleted by an authorised admin.
Data / Log Type | Storage (table / endpoint) | Retention | Access (roles) | Notes
Transfer records | transfers table | Indefinite | Operator, Admin, Accountant, InternalControl | Full transfer lifecycle: create, execute, cancel, refund. Linked to voucher.
EFT records | eft_transfers / import_eft | Indefinite | Operator, Admin, Accountant | Per-row status tracking. Linked to voucher on completion.
Wallet transactions | wallet_transactions | Indefinite | Operator, Admin, Accountant, InternalControl | Deposit, withdraw, W2W, IBAN transfer. Linked to wallet_customers.
Accounting vouchers | accounting_vouchers / entries | Indefinite | Accountant, Admin, InternalControl | Auto-created per transaction. Includes debit/credit lines, verifier ID, Logo sync status.
General Ledger (GL) | account_entries | Indefinite | Accountant, Admin, InternalControl | Verified transactions posted to GL. Basis for Logo ERP sync.
Request logs | log/request endpoint | Configurable | Admin, InternalControl | Full HTTP request log per user. Includes endpoint, payload hash, timestamp, IP.
Response logs | log/response endpoint | Configurable | Admin, InternalControl | HTTP response log. Matched to request by correlation ID.
Login logs | log/user (login entries) | Configurable | Admin, InternalControl | Login success/failure: user ID, IP, timestamp, OTP result.
OTP logs | log/otp | Configurable | Admin, InternalControl | OTP send and verify events: user, phone, timestamp, result.
Activity log (actions) | activity_log table | Configurable | Admin, Operator, InternalControl | User actions on entities (create, edit, archive, approve). Read-only audit.
Risk triggered events | risk_trigger_report | Indefinite | Risk, Admin, InternalControl | Every transfer that matched a risk scenario. Includes scenario name, action, outcome.
KYC documents | kyc_approvals / file storage | Indefinite | Operator, Admin, InternalControl | Document images stored server-side. Approval status, reviewer, timestamp retained.
Approval pool history | pool_requests | Indefinite | Operator, Admin, InternalControl | Full approval pool lifecycle: create, approve/reject/escalate, timestamps, operator IDs.
Customer/agent records | customers / agents tables | Indefinite | Operator, Admin, InternalControl | Archived records remain in archive tables. Fully auditable.
POS payment sessions | pos_orders / pos_callbacks | Indefinite | Admin, InternalControl | 3D payment session, callback, result, signature verification status.
Notification / alert log | notifications / alerts | Configurable | All roles (own) / Admin (all) | System and risk alert history. Acknowledgement timestamp and user.

Log endpoints (accessible to authorised roles)

Endpoint | Log type | Access
GET /log/request | HTTP request log | Admin, InternalControl
GET /log/response | HTTP response log | Admin, InternalControl
GET /log/user | Login / logout / OTP events | Admin, InternalControl
GET /log/teller | Teller action log | Admin, Operator, InternalControl
GET /log/agent | Agent action log | Admin, Operator, InternalControl
GET /log/admin | Admin action log | Admin, InternalControl
GET /activity-log | Entity-level activity log | Admin, Operator, InternalControl
Data integrity: Logs are append-only via the application layer. No update or delete endpoints are exposed for log tables. Direct database access is restricted to the DevOps team and should be reviewed separately.
🖥️

Product 1 — Backend API

Laravel (PHP) · REST API · MySQL · Laravel Sanctum · 19 service areas

The backend REST API is the core of the Moneyout platform. It is built with Laravel (PHP), uses MySQL as the primary database, and authenticates all requests via Laravel Sanctum token authentication. It exposes all business logic as HTTPS REST endpoints consumed by the Angular admin web, mobile wallet app, and POS terminal.

For auditors: All four products (Angular Admin Web, Mobile Wallet App, POS, and any future client) communicate exclusively with this API. No direct database access is exposed to clients. All security controls (IP allowlist, working hours, role guards) are enforced here.

Technology stack

Layer | Technology | Purpose
Framework | Laravel (PHP) | MVC framework, routing, middleware, queues, jobs
Database | MySQL | Primary relational data store for all transactions, users, configs
Authentication | Laravel Sanctum | Stateless per-user Bearer token authentication
Queue / Jobs | Redis + Laravel Queue | Async jobs: Logo ERP sync, large report export, email notifications
File Storage | Server-side storage | KYC documents, voucher attachments, Excel exports
Push Notifications | Firebase FCM | Push notifications to mobile wallet app users
Real-time | WebSocket (Laravel + Socket) | Real-time push to Angular admin web (notifications, pool, alerts)

Service areas (19 total)

🔐 Authentication & Security
Login, OTP validation, forgot/reset password, token issuance (Sanctum), KPS identity check.
POST /login · POST /checkotpcode · POST /sendotp · POST /resetpassword · POST /useKps · GET /common/getUserPermissions
💸 Money Transfers — Send Money
Create outbound transfer to Ria, Korona, Aysar (Tranglo), or Instacash. Includes cost calculation (fee + FX + commission), risk evaluation, OTP confirmation, and receipt generation.
POST /transfer/store · POST /transfer/costcaluclation · POST /transfer/getCompanyRate · POST /transfer/cancelTransfer · POST /transfer/refundRequest · POST /transfer/getAll
💵 Money Transfers — Pay Money (Cash Pickup)
Search transfer by PIN, blacklist check, beneficiary verification, OTP, execute payout, update agent ledger.
POST /transfer/searchTransferforPay · POST /transfer/finishTransfer · POST /transfer/one
🏦 EFT Domestic Transfers
Single and bulk Excel EFT to Turkish IBAN accounts via Albaraka, Vakif, or Finansbank. Row-level IBAN validation. Status callbacks.
POST /import-eft · GET /get-eft-agents · POST /transfer/efttransfers
👥 Customer Management
Personal and corporate customers. KPS identity lookup. Document upload and management. Transaction analysis per customer.
POST /customer/addCustomer · POST /customer/all · POST /customer/one · POST /customer/EditCustomer · POST /customer/archive · POST /customer/corporate-all · POST /customer/transaction-analysis
🏪 Agent & Teller Management
Create/edit/archive agents and tellers. Orchestration rules (which products an agent can offer, with limits). Work area assignment.
POST /agent/create · POST /agent/all · POST /agent/edit · POST /agent/archive · POST /Orchestration/add · POST /teller/addTeller · POST /teller/all · POST /teller/EditTeller
💼 Wallet Operations
Wallet customer deposit, withdrawal, wallet-to-wallet transfer, agent wallet charge/withdraw, international send via Ria/Korona. Balance query and IBAN validation.
POST /walletoperation/depositWallet · POST /walletoperation/withdrawWallet · POST /walletoperation/sendWalletToWallet · POST /agentWalletOperation/charge · POST /walletMoneyTransfer/sendRia · POST /walletMoneyTransfer/sendKorona · POST /walletcommon/walletBalance
🪪 KYC & Verification
KYC document upload and approval queue. KYC types/groups. NFC chip data (eID). Sumsub liveness check.
POST /kycApproval/createApprovalRequest · POST /kycApproval/searchApproval · POST /kyctype/store · POST /kycgroups/store · POST /walletcommon/sendNFCData
⚠️ Risk & AML
Create, simulate, and activate risk scenarios. Risk formulas and age-band risk weights. Black list management. Triggered risk reports.
POST /risk-scenario/store · POST /risk-scenario/simulate · POST /risk-scenario/activateSenario · POST /risk-formula/store · POST /risk-percentages/editCountryRiskValue
✅ Approval Pool
Queue of transfers on HOLD. Operator review with approve, reject, escalate. Department-based routing.
POST /pool/all · POST /pool/one · POST /pool/update · POST /pool/cancel · GET /pool/getDepartments
📒 Accounting & GL
Auto-create vouchers on transaction completion. Accountant review and verification. Manual journal entries. Logo Tiger ERP sync with retry.
POST /account/getUnVerifiedVouchers · POST /account/verifyVoucher · POST /account/createNewEntries · POST /account/getAccountStatement · POST /account/retryEntry
💰 Commission & Fees
Agent commission rules per product and tier. Fee configuration per transfer type and country. Cost calculation engine.
POST /agent-commission/store · POST /fees-definition/store · POST /transfer/costcaluclation
🏢 Intercompany / Intermediary
Inter-company transfers and matching (mutabakat). Balance and reconciliation reports per intermediary company.
POST /intermediary-company/all · POST /interCompaniesReports/mutabakat
📄 Invoice & Subscriptions
PayCell invoice search, payment, refund. Corporate company lookup. Subscription management.
POST /PayCell/invoiceSearch · POST /PayCell/invoicePay · POST /PayCell/invoiceRefund
🛒 POS & Card Payments
3D-secure POS payment sessions via Paygate/FzyPay. Terminal and merchant management. Payment profiles, card types, bank costs.
POST /posOperation/payment3d · POST /posTerminals/add · POST /merchant/create · POST /paymentProfile/add
🔔 Notifications & Alerts
Inner-system notifications (create, update, mark read, delete). FCM push notifications. Alert management and acknowledgement. Campaign notifications.
POST /innerSystemNotification/store · POST /innerSystemNotification/markAllIsReaded · POST /alert/all · POST /alert/acknowledge
📊 Reports & Analytics
System, wallet, risk, and POS reports. Earning/revenue reports. Account statements. Excel export with async queue for large datasets.
POST /walletreports/wallettowallet · POST /walletreports/walletTransaction · POST /transfer/earingReport · POST /account/getAccountStatement
⚙️ System Configuration
Countries, currencies, banks, languages, OTP rules, refund/sending reasons. Integration health checks. Worker queue management.
POST /systemsetting/countries/store · GET /systemsetting/integrations/health · POST /systemsetting/otp/store
📋 Activity Log & Audit
Request/response logs, login logs, OTP logs, teller/agent/admin action logs. Read-only access for authorised roles.
GET /log/request · GET /log/response · GET /log/user · GET /log/teller · GET /log/agent · GET /log/admin
🅰️

Product 2 — Angular Admin Web Application

Angular · NgRx · Angular Material · ngx-translate (EN/TR/AR, RTL) · 32 modules

The Angular Admin Web Application is the back-office web platform used by all staff roles: Admin, Operator, SuperOperator, Teller, Agent, SubAgent, Risk Officer, Accountant, and InternalControl. It is a Single Page Application (SPA) with lazy-loaded feature modules, role-based routing, NgRx state management, and WebSocket-based real-time updates.

For auditors: All operations performed by staff (creating transfers, approving pool items, verifying vouchers, managing KYC) are done through this application. Access is role-controlled at both the route level (canActivate guards) and the UI level (canView permission checks). Every action is logged in the activity log.

Technology stack

Layer | Technology | Purpose
Framework | Angular (latest) | SPA framework, lazy-loaded modules, routing, guards
State Management | NgRx | Actions, reducers, effects, selectors for all async data
UI Components | Angular Material | Forms, dialogs, tables, steppers, date pickers
Localisation | ngx-translate | EN / TR / AR. Arabic activates RTL layout (dir=rtl)
Real-time | WebSocket (ngx-socket-io) | Notifications, approval pool, alerts, list updates
Data Lists | Shared data table + CDK virtual scroll | Infinite scroll (load more at 95%) across all list screens

Modules (32 total)

🔑 Authentication
Login, OTP, forgot/reset password, role-based routing
Login → OTP Verification → Dashboard / Role Home
Access: All roles. After login, router redirects by role: Admin/Operator → Dashboard; Teller/Agent → Send Money; Risk → Risk Management; Accountant → Manual Entry.
📊 Dashboard
Role-specific dashboards — Admin, Operator, Teller, Agent, Accountant, Risk
Dashboard Layout → Currency Cards → KPI Charts → Role-specific Widgets
Access: Different layout and widgets per role. Admin/Risk/InternalControl see currency cards and KPI overview. Teller/Agent see role-specific summaries. Skeleton loaders while data loads via NgRx.
💸 Send Money (Outbound Transfer)
5-step stepper: sender → details → beneficiary → risk check → confirmation
Transfers → Send Money → Sender → Transfer Details → Beneficiary → Risk Check → Confirm → Receipt
Access: Teller, Agent, Operator. Real-time cost calc (fee + FX + commission). Risk evaluation inline. OTP if configured. Receipt on success.
💵 Pay Money (Cash Pickup)
Search by PIN, blacklist check, verify beneficiary, execute payout
Pay Money → Enter PIN → Transfer Result → Verify Beneficiary → Confirm → Receipt
Access: Teller, Agent, Operator. Blacklist auto-checked. OTP if required. Agent ledger updated on payout.
🏦 EFT Domestic Transfer
Single entry or bulk Excel upload to Turkish IBAN
EFT Transactions → Single / Bulk Upload → Validate → Confirm → EFT List
Access: Teller, Agent, Operator. Row-level validation for bulk. Status tracked: Pending → Completed/Failed.
📜 Transaction History
Unified list of Send Money, Pay Money, and EFT with refund
Transaction History → Filters → Results → Transfer Detail → Receipt / Refund
Access: All roles (filtered by permissions). Date, type, status, agent filters. Infinite scroll. View detail, print receipt, request refund.
↩️ Refund
Request refund from transfer detail with configurable reasons
Transfer Detail → Refund → Select Reason → Submit
Access: Teller, Operator. Select refund reason (configured in System). Auto-processed or queued for approval.
👥 Customer Management
Personal and corporate customers, KPS identity lookup
Customer List → New / Edit Form → Customer Detail → Documents
Access: Teller, Agent, Operator. KPS auto-fill for Turkish ID. Corporate customers with authorised persons.
🏪 Agent Management
Agents, orchestration rules for products and limits
Agent List → New Agent Stepper → Info → Currency → Bank → Orchestration
Access: Operator, Admin. 3-step agent creation stepper. Orchestration rules define which products an agent can offer and limits.
🪪 Teller Management
Teller users and work area assignment
Teller List → New / Edit → Work Area & Permissions
Access: Operator, Admin. Assign work area and permissions.
🧮 Cost Calculation
Configure FX, fees, and commission rules for transfers
Cost Calculation → Config → Save
Access: Operator, Admin. Defines how transfer cost is computed.
📋 Pool Conditions
Conditions that route transfers to the approval pool
Pool Conditions → New Condition → Conditions List
Access: Operator, Admin. Set property + operator + value conditions (e.g. amount > X, country = Y).
📒 Accounting (Manual Entry)
Unverified vouchers, verify to GL, create manual entries
Journal List → Unverified Vouchers → View Voucher → Verify / Correct → Posted → Logo ERP
Access: Accountant. Auto-created vouchers from completed transfers. Verify → GL → Logo Tiger ERP sync.
💰 Agent Commission Definition
Commission rules per agent, product, and tier
Commission List → New Commission → Save
Access: Operator. Define rate type (fixed/percentage) per agent and product.
📋 Fees Definition
Fee rules per transfer type and country
Fees List → New Fee → Save
Access: Operator. Fixed or percentage fees per country and product.
🏢 Intercompany / Intermediary
Intermediary company transfers and reconciliation
Intermediary Company List → New → Basic Info → Transfer Setup → Matching Reports
Access: Operator, Admin. Stepper: basic info + transfer setup. Matching (mutabakat) reports.
👤 Wallet Management
Wallet customers, KYC, deposit/withdraw, stories, notifications
Wallet Customer List → Customer Info → KYC Approval → Deposit / Withdraw → Stories / FAQ / FCM
Access: Operator, Teller, Agent. KYC upload review. Commission rules for wallet. In-app story and FAQ management. FCM push to wallet users.
⚠️ Risk & AML
Scenarios, formulas, age risk, blacklist, flag reports
Risk Management → Scenario List → Add Scenario → Simulate → Activate → Blacklist → Flag Report
Access: Risk Officer. HOLD / BLOCK / FLAG actions. Simulation before activation. Blacklist checked on every payout.
👥 System User Management
Users and role assignments
User List → New / Edit User → Assign Role
Access: Admin. Create users, assign roles (Admin, Operator, Teller, Agent, Risk, Accountant, InternalControl, etc.).
📋 Rule Group Management
Fine-grained permission groups
Rule Group List → Edit Rules → Assign to Users
Access: Admin. Override or extend role-level permissions at group level.
✅ Approval Pool
HOLD transfer queue — approve, escalate, reject
Pool Queue → Transfer Detail → Approve / Escalate / Reject
Access: Operator, SuperOperator. Real-time updates via WebSocket.
📄 Invoice Management
Invoice pay and invoice transaction list
Invoice Pay → Invoice Transaction List → Download
Access: Operator, Agent. Pay invoices, view transaction history.
📂 Archive Management
Archived customers, agents, and wallet customers
Agent Archive → Customer Archive → Wallet Customer Archive
Access: Operator, Admin, InternalControl. Read-only or limited actions.
📄 Reports
System, Wallet, Risk, POS reports with Excel export
Reports → Category → Report Type → Filters → Results → Export Excel
Access: Operator, Admin, Accountant, Risk, InternalControl. 30+ report types. Async Excel export for large datasets.
⚙️ System Management
Countries, currencies, banks, OTP, health checks
System Config → Countries / Currencies / Banks → Refund & Sending Reasons → OTP Rules → Health Monitor
Access: Operator, Admin. Integration health monitoring. Refund and sending reason configuration.
⚠️ Alerts
System and risk alerts with real-time updates
Alert List → Filter → View / Acknowledge
Access: Operator, Risk, InternalControl. Real-time push via WebSocket.
📋 Activity Log
Read-only audit trail of all user and system actions
Activity Log → Filters → Results → Export
Access: Admin, Operator, InternalControl. Filter by user, action type, date. Infinite scroll.
🗺️ Monitoring
Geographic or status view of branches and agents
Monitoring → Map / Status View → Refresh
Access: Admin, Operator. View agent/branch locations or operational status.
👤 Profile
User preferences — password, language, theme
Profile → Change Password → Language (EN/TR/AR) → Theme
Access: All authenticated roles.
🔔 Notification Center
Bell icon header panel with real-time push
Bell Icon → Notification Panel → Mark Read / Delete → Click → Navigate
Access: All roles. Real-time via WebSocket. Navigate to related entity on click.
🛒 POS Management
Merchants, terminals, bank pricing, payment profiles
POS Management → Merchants → Terminals → Bank Pricing → Payment Profiles
Access: Operator, Admin. Configure POS setup. Links to POS 3D Payment for card payment operations.
💳 POS 3D Payment
Initiate 3D-secure card payment
POS 3D Payment → Form → Enter Details → Submit → 3D Auth
Access: Operator, Agent (canPayOrder permission). Requires POS setup. 3D-secure via Paygate/FzyPay.
📱

Product 3 — Mobile Wallet App

Customer-facing mobile app · Wallet API · Firebase FCM · 11 feature areas

The Mobile Wallet App is the customer-facing product. Wallet customers use it to register, complete KYC, manage their wallet balance, send money internationally, transfer between wallets, and receive push notifications. The app communicates exclusively with the Moneyout backend API.

For auditors: All wallet customer transactions (deposits, withdrawals, W2W, international sends) originate from this app via the backend API. KYC documents uploaded from the app are reviewed by back-office operators in the Angular Admin Web. OTP is required for all sensitive operations. FCM notifications confirm every transaction to the customer.

Technology stack

Layer | Technology | Purpose
Backend | Moneyout REST API | All business logic, authentication, and data storage
Authentication | Laravel Sanctum token | Phone + password + OTP login; token stored on device
Push Notifications | Firebase FCM | Transaction confirmations, KYC status, system events
Languages | EN / TR / AR | Arabic activates RTL layout
Identity Verification | Sumsub (optional) | Biometric liveness check during KYC process
NFC | eID NFC chip read | Optional: read identity data from NFC-enabled ID cards

Features (11 areas)

📱 Registration & Onboarding
New user downloads app, registers with phone number, verifies via OTP. Account created at KYC Level 0. Supported languages: EN/TR/AR.
Download App → Enter Phone → OTP Verify → Account Active (KYC Level 0) → Login
🔑 Login & Authentication
Phone + password login. OTP step-up. Sanctum token stored on device. Session management.
Enter Credentials → OTP Verify → Token Stored → App Home
💼 Wallet Balance & Dashboard
Home screen shows current wallet balance, recent transactions, and quick action buttons. Balance updates in real time.
Home Screen → Balance Display → Recent Transactions → Quick Actions
💸 International Send Money
Send money internationally via Ria or Korona network. Displays live rate and fee before confirmation. OTP required.
Select Ria / Korona → Enter Amount & Beneficiary → View Rate + Fee → OTP Confirm → Transfer Created → FCM Notification
↔️ Wallet-to-Wallet Transfer
Transfer funds to another wallet user by phone or wallet number. Commission shown before confirm. OTP if configured. Both parties receive FCM push.
Search Recipient → Enter Amount → Commission Shown → OTP Confirm → Debit Sender / Credit Receiver → FCM Both Parties
⬇️ Wallet Deposit
Agent charges wallet on behalf of customer. KYC level and daily/monthly limits enforced. Commission shown before confirmation.
Agent Opens Deposit Screen → Search Customer → Check Limits → Commission Shown → OTP Confirm → Balance Updated
⬆️ Wallet Withdrawal
Customer or agent initiates withdrawal. KYC level and limits enforced. OTP required. Linked bank account used.
Initiate Withdraw → Check Balance & Limits → OTP Confirm → Funds Transferred to Bank
🪪 KYC & Identity Verification
Customer uploads ID/passport document from app. Optional NFC chip read (eID). Sumsub liveness check if required. Back-office operator reviews and approves/rejects.
Upload Document → Optional NFC / Liveness (Sumsub) → Back-office Review → Approve → Limits Upgrade
📜 Transaction History
Full history of all wallet operations: deposits, withdrawals, W2W, international sends. Filter by date and type.
Transaction List → Filter by Date / Type → Open Detail → View Receipt
🔔 Push Notifications (FCM)
Firebase Cloud Messaging push notifications for transfers, wallet ops, KYC approvals, and system events. Notification centre in-app.
Event Triggered (server) → FCM Push to Device → In-App Notification Centre
🌐 Multilingual & RTL
Supports English, Turkish, and Arabic. Arabic activates RTL layout. Language preference stored per user.
Select Language → EN / TR / AR → Arabic → RTL Layout → Strings Update
🛒

Product 4 — POS Payment System 🚧 IN DEVELOPMENT

3D-secure card payments · Paygate / FzyPay · Merchants & Terminals · Not yet in production

Status: In Development. The POS Payment System is currently under active development. The features listed below describe the intended scope. Not all features are available in the current environment. Auditors should note that POS is not yet in production and should not be included in the scope of the current audit cycle unless explicitly agreed.

The POS Payment System will enable agents and operators to accept card payments at physical or virtual terminals using 3D-secure (3DS) authentication. It integrates with Paygate / FzyPay for payment session management and bank callback processing.

Planned features

🛒 Merchant Management IN DEV
Create and manage merchants linked to agents/branches. Each merchant has a name, type, and contact.
🖥️ Terminal Management IN DEV
Register POS terminals; link to merchant and agent. Terminal ID and bank configuration.
💳 3D-Secure Card Payments IN DEV
Initiate 3D-secure payment sessions via Paygate/FzyPay. Customer authenticates with bank. Callback verification.
💲 Bank Costs & Pricing IN DEV
Configure bank API costs, pricing tiers, and interchange rates per card type.
📋 Payment Profiles IN DEV
Payment profile templates: card types accepted, limits, allowed currencies. Link to terminal.
🔄 Refund & Void IN DEV
Refund completed POS payment to card. Void pending authorisation. Subject to bank API capabilities.
📊 POS Reports IN DEV
Transaction reports per terminal/merchant. Settlement reports. Currently stub — full reporting in later release.

Technology stack (planned)

Layer | Technology | Purpose
Payment Gateway | Paygate / FzyPay | 3D-secure payment session creation, terminal management
Callback Handler | Laravel CallbackController | Receive and verify bank payment callbacks; update order status
Backend Integration | Moneyout REST API | All POS operations routed through the same secured API layer
Security | Signature verification | Every bank callback validated before order status update
Audit note: When POS reaches production, the audit scope should include: (1) 3D-secure enforcement on all card payments, (2) callback signature verification, (3) terminal access control (only authorised agents/operators), (4) POS transaction reconciliation with bank statements.
⚙️

Outbound Money Transfer (Send Money)

End-to-end business workflow

Workflow flow

Request → Cost Check → Risk Eval → OTP → Execute → Receipt → Voucher → GL

Step-by-step process

1. User submits transfer: sender, country, transfer company, amount, beneficiary. (TrasfareController@store)
2. System calls CommissionController@costcaluclation: calculates fee, commission (agent rules), FX rate. Returns total cost to sender. (CommissionController)
3. Risk engine evaluates scenario conditions against transfer properties. HOLD → added to Approval Pool. BLOCK → rejected. FLAG → proceeds, flagged for report. (RiskController)
4. If OTP required (per OtpCheckController config): system sends OTP via DataportSMS; user confirms. (AuthController + DataportSMS)
5. Transfer submitted to transfer company API (Ria/Korona/Aysar/Instacash) via dedicated service class. Status set to Pending. (RiaSendMoneyService / KoronaPayService / TrangloController)
6. On confirmation: receipt generated (PDF). Transfer appears in All Sent list and Transaction History. (TrasfareController@finshTransfer)
7. Accounting voucher auto-created (Debit: agent; Credit: pending liability). Accountant verifies → posted to Logo ERP. (AccountingController + LogoService)
Audit point: Each step above maps to one or more API endpoints in the Backend API product section. Logs for each step are available in the activity log (log/request, log/response, log/user).
⚙️

Cash Pickup Pay-Out (Pay Money)

End-to-end business workflow

Workflow flow

Search by PIN → Blacklist Check → Verify Beneficiary → OTP → Pay Out → Receipt → Voucher → GL

Step-by-step process

1. Teller/agent enters PIN (or reference). System queries transfer company API to find transfer. (TrasfareController@searchTransferforPay)
2. System checks beneficiary against BlackListCustomer table. If match → payout blocked. (BlackListCustomerController)
3. Teller verifies beneficiary identity (national ID, passport). System logs verification. (TrasfareController)
4. If OTP required: system sends OTP to sender or beneficiary; teller confirms. (AuthController)
5. Payout executed: finshTransfer called. Transfer status → Paid. Agent ledger updated. (TrasfareController@finshTransfer)
6. Receipt generated. Transfer appears in All Pay Transactions. (TrasfareController)
7. Accounting voucher auto-created. Accountant verifies → Logo ERP. (AccountingController)
Audit point: Each step above maps to one or more API endpoints in the Backend API product section. Logs for each step are available in the activity log (log/request, log/response, log/user).
⚙️

EFT Domestic Transfer

End-to-end business workflow

Workflow flow

Single / Bulk Excel → Validate IBAN → Execute Bank API → Status Callback → Voucher

Step-by-step process

1. User enters single EFT or uploads Excel. EFTController@importFromExcel parses rows. (EFTController)
2. System validates each IBAN and bank. Invalid rows reported back to user. (EFTService)
3. Valid EFT records submitted to bank (Albaraka/Vakif/Finansbank) via service class. Status: Pending. (AlbarakaBank / VakifBank / FinansBank)
4. Bank sends status callback (or system polls). Status updated to Completed or Failed. (EFTService)
5. Accounting voucher auto-created. Appears in unified Transaction History. (AccountingController)
Audit point: Each step above maps to one or more API endpoints in the Backend API product section. Logs for each step are available in the activity log (log/request, log/response, log/user).
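The row-level validation in step 2 can be exercised against a reference model like the following. This is an added Python example, not Moneyout code; the column names (`iban`, `amount`), the header-in-row-1 numbering, the error labels and the assumed TR layout (2 check digits, 5-digit bank code, 1 reserved digit, 16-character account) are assumptions, and the sample rows are constructed.

```python
import re
from decimal import Decimal, InvalidOperation

# Assumed Turkish IBAN layout: "TR" + 2 check digits + 5-digit bank code
# + 1 reserved digit + 16 alphanumeric account characters = 26 characters.
TR_IBAN_RE = re.compile(r"TR\d{8}[0-9A-Z]{16}")


def iban_checksum_ok(iban):
    """ISO 13616 mod-97 check: move the first 4 chars to the end, map A=10..Z=35."""
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def validate_tr_iban(raw):
    """Return (normalised_iban, None) or (None, reason)."""
    iban = re.sub(r"\s+", "", str(raw)).upper()
    if not TR_IBAN_RE.fullmatch(iban):
        return None, "iban: format"
    if not iban_checksum_ok(iban):
        return None, "iban: checksum"
    return iban, None


def parse_amount(raw):
    """Accept only finite, strictly positive decimal amounts."""
    try:
        amount = Decimal(str(raw).strip())
    except InvalidOperation:
        return None
    return amount if amount.is_finite() and amount > 0 else None


def validate_rows(rows):
    """Split uploaded rows into accepted records and per-row errors.

    Row numbers start at 2 on the assumption that row 1 is the header.
    """
    valid, errors = [], []
    for row_no, row in enumerate(rows, start=2):
        iban, reason = validate_tr_iban(row.get("iban", ""))
        if reason:
            errors.append((row_no, reason))
            continue
        amount = parse_amount(row.get("amount", ""))
        if amount is None:
            errors.append((row_no, "amount"))
            continue
        valid.append((row_no, iban, amount))
    return valid, errors


# Constructed sample upload: one good row and three rows that must be rejected.
SAMPLE_ROWS = [
    {"iban": "TR33 0006 1005 1978 6457 8413 26", "amount": "150.00"},
    {"iban": "TR330006100519786457841327", "amount": "150.00"},  # last digit altered
    {"iban": "DE89370400440532013000", "amount": "20"},          # not a TR IBAN
    {"iban": "TR330006100519786457841326", "amount": "-5"},      # negative amount
]

if __name__ == "__main__":
    ok, bad = validate_rows(SAMPLE_ROWS)
    print("accepted:", ok)
    print("rejected:", bad)
```

Only rows in the accepted list should ever reach the bank service class; the rejected list is what gets reported back to the uploader.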
⚙️

Wallet Deposit / Withdrawal

End-to-end business workflow

Workflow flow

Search Customer → Check Balance & Limits → Commission Calc → OTP → Execute → Ledger Update

Step-by-step process

1. Agent opens deposit or withdraw screen. Searches wallet customer by phone or wallet number. (WalletOperationController / AgentWalletOperationController)
2. System loads customer balance, KYC status, daily/monthly limits (walletcustomer/getUserLimits). (WalletController)
3. Commission calculated (walletcommission rules). Displayed to user before confirmation. (WalletCommissionController)
4. OTP sent if required. Agent/user confirms. (AuthController + DataportSMS)
5. Transaction executed (depositWallet / withdrawWallet). Wallet balance updated. (WalletOperationController)
6. Transaction recorded in wallet ledger. Appears in wallet reports (recharge/withdraw). (WalletReportsController)
Audit point: Each step above maps to one or more API endpoints in the Backend API product section. Logs for each step are available in the activity log (log/request, log/response, log/user).
⚙️

Wallet KYC & Document Verification

End-to-end business workflow

Workflow flow

Upload Document → NFC / Liveness → Sumsub Review → Approve / Reject → Limit Upgrade

Step-by-step process

1. Wallet customer uploads identity document (ID, passport) via mobile app. (WalletKycController)
2. Optional: NFC chip read from eID (sendNFCData) or Sumsub liveness check. (KycProgressApprovalController + SumsubClient)
3. Operator reviews uploaded documents in KYC upload queue (kycApproval/searchApproval). (KycProgressApprovalController)
4. Operator approves or rejects. Approval updates KYC level; rejection sends notification. (KycProgressApprovalController)
5. On approval: customer limits upgraded per KYC group rules. Wallet status updated. (WalletController)
Audit point: Each step above maps to one or more API endpoints in the Backend API product section. Logs for each step are available in the activity log (log/request, log/response, log/user).
⚙️

Risk Scenario Evaluation (AML)

End-to-end business workflow

Workflow flow

Configure Scenario → Simulate → Activate → Live Check → HOLD / BLOCK / FLAG

Step-by-step process

1. Risk officer creates scenario (risk-scenario/store): defines conditions (amount, country, frequency, etc.), action (HOLD/BLOCK/FLAG), and priority. (RiskController)
2. Simulation run on historical data (risk-scenario/simulate): shows how many past transfers would have been triggered. Officer can adjust thresholds. (RiskController)
3. Officer activates scenario (activateSenario). From this point it is evaluated on every new transfer. (RiskController)
4. On transfer submit: risk engine evaluates all active scenarios. First match by priority applies action. (Risk evaluation in TrasfareController)
5. HOLD: transfer added to Approval Pool (pool/all). Operator reviews and approves/rejects.
   BLOCK: transfer rejected immediately, user notified.
   FLAG: transfer proceeds; logged in Triggered Risk Report. (PoolController / RiskController)
Audit point: Each step above maps to one or more API endpoints in the Backend API product section. Logs for each step are available in the activity log (log/request, log/response, log/user).
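To make the "first match by priority" rule and the simulate-before-activate step concrete, the following Python model is an added example and not the platform's risk engine. The property names, the operator set, the `PROCEED` result for "no scenario matched" and the convention that a lower priority number is evaluated first are all assumptions; the scenarios and transfers are constructed.

```python
import operator
from dataclasses import dataclass

# Assumed operator vocabulary for "property + operator + value" conditions.
OPS = {
    ">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le,
    "=": operator.eq, "!=": operator.ne, "in": lambda a, b: a in b,
}


@dataclass(frozen=True)
class Condition:
    prop: str
    op: str
    value: object

    def matches(self, transfer):
        if self.prop not in transfer:
            return False  # a missing property never satisfies a condition
        try:
            return bool(OPS[self.op](transfer[self.prop], self.value))
        except TypeError:
            return False  # e.g. a string amount compared with a number


@dataclass(frozen=True)
class Scenario:
    name: str
    action: str          # HOLD, BLOCK or FLAG
    priority: int        # assumption: lower number is evaluated first
    conditions: tuple
    active: bool = False

    def triggers(self, transfer):
        # A scenario without conditions must not match every transfer.
        return bool(self.conditions) and all(c.matches(transfer) for c in self.conditions)


def evaluate(scenarios, transfer):
    """Return (action, scenario_name) of the first active match by priority."""
    for s in sorted((s for s in scenarios if s.active), key=lambda s: s.priority):
        if s.triggers(transfer):
            return s.action, s.name
    return "PROCEED", None


def simulate(scenario, history):
    """Count past transfers a scenario would have triggered, active or not."""
    return sum(1 for t in history if scenario.triggers(t))


# Constructed sample data, not taken from the platform.
SCENARIOS = [
    Scenario("blocked-country", "BLOCK", 1, (Condition("country", "in", frozenset({"XX"})),), active=True),
    Scenario("large-amount", "HOLD", 2, (Condition("amount", ">", 10_000),), active=True),
    Scenario("high-frequency", "FLAG", 3, (Condition("daily_count", ">=", 5),), active=True),
    Scenario("draft-low-threshold", "HOLD", 0, (Condition("amount", ">", 500),)),  # not activated
]
HISTORY = [
    {"amount": 15_000, "country": "XX", "daily_count": 1},
    {"amount": 15_000, "country": "DE", "daily_count": 1},
    {"amount": 800, "country": "DE", "daily_count": 7},
    {"amount": 100, "country": "DE", "daily_count": 1},
]

if __name__ == "__main__":
    for t in HISTORY:
        print(t, "->", evaluate(SCENARIOS, t))
    print("draft scenario would have triggered:", simulate(SCENARIOS[3], HISTORY))
```

The first sample transfer matches both the BLOCK and the HOLD scenario; only the priority order decides that it is blocked rather than sent to the Approval Pool, which is the behaviour an auditor would want to confirm against the live configuration.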
⚙️

Accounting & Logo ERP Sync

End-to-end business workflow

Workflow flow

Transfer Completes → Auto Voucher → Accountant Reviews → Verify → GL → Logo ERP Sync

Step-by-step process

1. When a transfer is completed (send, pay, EFT, wallet deposit/withdraw), the system auto-creates an accounting voucher (debit/credit lines). (AccountingController)
2. Voucher enters Unverified Vouchers queue (account/getUnVerifiedVouchers). (AccountingController)
3. Accountant opens voucher, reviews debit/credit lines, attached document, and amounts. (AccountingController@getEntry)
4. Accountant verifies (account/verifyVoucher): voucher posted to General Ledger. Status becomes Verified. (AccountingController)
5. Verified voucher sent to Logo Tiger ERP via LogoService. If sync fails, account/retryEntry allows retry. (LogoService)
Audit point: Each step above maps to one or more API endpoints in the Backend API product section. Logs for each step are available in the activity log (log/request, log/response, log/user).
⚙️

Approval Pool Workflow

End-to-end business workflow

Workflow flow

Risk → HOLD → Pool Queue → Operator Reviews → Approve / Reject / Escalate

Step-by-step process

1. Transfer triggers a HOLD risk scenario. System moves transfer to Approval Pool with reference to the triggered scenario. (PoolController)
2. Operator opens Approval Pool (pool/all). Can filter by department, date, status. (PoolController)
3. Operator opens transfer detail (pool/one): sender, beneficiary, amounts, risk scenario details, documents. (PoolController)
4. Approve: pool/update with approved status → transfer executes.
   Reject: transfer cancelled, agent/customer notified.
   Escalate: item moved to next-level department. (PoolController)
Audit point: Each step above maps to one or more API endpoints in the Backend API product section. Logs for each step are available in the activity log (log/request, log/response, log/user).
⚙️

Refund Processing Workflow

End-to-end business workflow

Workflow flow

Completed Transfer → Refund Request → Rule Check → Auto / Manual Approval → Execute Refund → Voucher

Step-by-step process

1. Operator/agent opens a completed transfer from Transaction History and clicks Refund. (TrasfareController)
2. System checks refund eligibility: transfer status must be Completed, time-limit and product rules apply. (TrasfareController)
3. Refund Reason is selected from configured list (system/refundReasonsList). (RefundReasonController)
4. Request sent to transfer/refundRequest. Auto-approve rules evaluated. If auto-approve: refund API call made to transfer company. (TrasfareController)
5. If manual approval required: refund enters operator queue for review → Approve or Reject. (TrasfareController)
6. On successful refund: transfer status updated to Refunded. Refund voucher auto-created. Appears in Refund Transaction Report. (AccountingController)
Audit point: Each step above maps to one or more API endpoints in the Backend API product section. Logs for each step are available in the activity log (log/request, log/response, log/user).
⚙️

OTP Authentication & Step-Up Verification

End-to-end business workflow

Workflow flow

Action Triggered → OTP Generated → SMS Delivery → User Submits Code → Verify → Proceed

Step-by-step process

1. A sensitive action (transfer confirm, password reset, wallet operation, KYC approval) triggers OTP requirement check. (OtpCheckController)
2. 6-digit OTP generated and stored server-side with expiry (per user, per action type). Duplicate requests invalidated. (OtpCheckController)
3. OTP delivered to user's registered phone via DataportSMS integration. (DataportSmsService)
4. User submits code via POST /checkotpcode. Attempt counter incremented on failure. (OtpCheckController)
5. Code validated: match + expiry check. Too many failed attempts → cooldown lock applied for the action. (OtpCheckController)
6. OTP verified: marked used (cannot be re-used). Original action proceeds to execution. (OtpCheckController)
Audit point: Each step above maps to one or more API endpoints in the Backend API product section. Logs for each step are available in the activity log (log/request, log/response, log/user).
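The OTP lifecycle in steps 2 to 6 can be checked against a small reference model. The following Python sketch is an added example, not Moneyout code (this document includes none); the TTL, attempt limit and cooldown values, the keyed-hash storage with a server-side pepper, and all class and method names are assumptions, since the page only states that expiry, max attempts and cooldown are configurable.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed policy values standing in for the configurable OTP settings.
OTP_TTL_SECONDS = 120
MAX_ATTEMPTS = 3
COOLDOWN_SECONDS = 300


@dataclass
class OtpRecord:
    digest: bytes      # keyed hash of the code; the code itself is not stored
    expires_at: float
    attempts: int = 0
    used: bool = False


class OtpStore:
    """In-memory model keyed by (user, action type)."""

    def __init__(self, pepper):
        self._pepper = pepper
        self._records = {}       # (user, action) -> OtpRecord
        self._locked_until = {}  # (user, action) -> timestamp

    def _digest(self, user, action, code):
        # Binding user and action into the hash stops a code issued for one
        # action from verifying another.
        msg = f"{user}|{action}|{code}".encode()
        return hmac.new(self._pepper, msg, hashlib.sha256).digest()

    def issue(self, user, action, now):
        key = (user, action)
        if now < self._locked_until.get(key, 0):
            raise PermissionError("cooldown active for this action")
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, 6 digits, zero-padded
        # Overwriting the record invalidates any earlier code for this key.
        self._records[key] = OtpRecord(self._digest(user, action, code),
                                       now + OTP_TTL_SECONDS)
        return code  # handed to the SMS gateway only

    def verify(self, user, action, code, now):
        """Return 'ok', 'invalid', 'expired' or 'locked'."""
        key = (user, action)
        if now < self._locked_until.get(key, 0):
            return "locked"
        rec = self._records.get(key)
        if rec is None or rec.used:
            return "invalid"
        if now >= rec.expires_at:
            del self._records[key]
            return "expired"
        if hmac.compare_digest(rec.digest, self._digest(user, action, code)):
            rec.used = True  # single use: a replay of the same code fails
            return "ok"
        rec.attempts += 1
        if rec.attempts >= MAX_ATTEMPTS:
            del self._records[key]
            self._locked_until[key] = now + COOLDOWN_SECONDS
            return "locked"
        return "invalid"


if __name__ == "__main__":
    store = OtpStore(pepper=b"constructed-demo-pepper")
    code = store.issue("user-1", "transfer_confirm", now=0)
    print(store.verify("user-1", "transfer_confirm", code, now=5))  # ok
    print(store.verify("user-1", "transfer_confirm", code, now=6))  # invalid (replay)
```

Each return value corresponds to a control an auditor can test directly: replay of a used code, a superseded code, an expired code, and a correct code submitted during cooldown must all fail.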
⚙️

Agent Onboarding & Orchestration Setup

End-to-end business workflow

Workflow flow

New Agent Form → Basic Info → Currencies → Bank Info → Orchestration Rules → Active

Step-by-step process

1. Admin opens Agent Management → New Agent. Multi-step stepper begins. (AgentController)
2. Step 1 — Basic Info: name, contact, address, identity (TC/passport), KPS lookup validates identity. (AgentController + KpsService)
3. Step 2 — Currencies: assign allowed send/receive currencies and limits per currency. (AgentController)
4. Step 3 — Bank Info: bank account details for agent settlement. (AgentController)
5. Orchestration Rules: configure allowed products, transfer limits (daily/monthly/per-transaction), allowed countries, commission tier. (OrchestrationController)
6. Agent saved and activated. Agent can now log in and process transfers within their assigned orchestration limits. (AgentController)
Audit point: Each step above maps to one or more API endpoints in the Backend API product section. Logs for each step are available in the activity log (log/request, log/response, log/user).
⚙️

Report Generation & Async Excel Export

End-to-end business workflow

Workflow flow

Select Report → Apply Filters → Run → Table Results → Export Queue → Email Download

Step-by-step process

1. User navigates to Reports → selects category (System / Wallet / Risk / POS) and report type. (ReportController)
2. Filters applied: date range, agent/teller, status, currency, country, account code. Saved per session. (ReportController)
3. Report executed: data queried with applied filters. First page of results displayed in paginated table. (ReportController)
4. User can view, sort, and page through results inline. Row click opens transaction/customer detail. (ReportController)
5. Export: small dataset → immediate Excel download. Large dataset → async job queued via Redis. (ReportController + Redis Queue)
6. Async export job completes → user receives email notification with secure download link. Link expires after configurable period. (ReportController + MailService)
Audit point: Each step above maps to one or more API endpoints in the Backend API product section. Logs for each step are available in the activity log (log/request, log/response, log/user).
⚙️

System Configuration & Health Management

End-to-end business workflow

Workflow flow

Open System Menu → Configure Entity → Save → Integration Health Check → Re-check on Failure

Step-by-step process

1. Admin opens System Management. Available config: Countries, Currencies, Banks, Languages, Cities, Job Titles, Age Control, State. (SystemController)
2. Each config entity has a list screen (filterable, paginated) and a create/edit form with validation. (SystemController)
3. Refund Reasons and Sending Reasons are configurable here — used in transfer and refund flows. (SystemController)
4. OTP settings (expiry, max attempts, cooldown) and worker queue thresholds configured. (OtpCheckController + QueueConfig)
5. Integration Health screen shows live status of all external services (Ria, Korona, Albaraka, Vakif, etc.). (SystemController)
6. If a service shows error status: admin can trigger re-check (system/re-check). Alert raised if persistent failure. (SystemController)
Audit point: Each step above maps to one or more API endpoints in the Backend API product section. Logs for each step are available in the activity log (log/request, log/response, log/user).
🌐

External Integrations

All third-party systems the backend connects to

The Moneyout Core System integrates with the following external parties. All connections use HTTPS/TLS. Credentials are stored in environment configuration (not in source code).

System | Purpose | Service Class / Controller | Description
Ria Money Transfer | Outbound send + cash pay | RiaSendMoneyService, RiaPayMoneyService, WalletInternationalMoneyTransferController | Create/cancel transfers, get rates, verify beneficiary, search orders ready to pay. REST API over HTTPS.
Korona Pay | Outbound send | KoronaPayService | Send money via Korona network. Get rate, get city, send transfer.
Aysar (Tranglo) | Outbound send + callback | TrangloController, Tranglo service | Transfer submission and status callback webhook. TLS-secured callback endpoint.
Instacash | Outbound send | InstantCash service, InstantDataController | Transfer submission and instant balance query.
Albaraka Bank | EFT / bank transfers | AlbarakaBank.php service | Domestic EFT execution via Albaraka Bank API. TLS, bank-specific auth.
VakifBank | EFT / bank transfers | VakifBank.php, VakifKatilim.php | Domestic EFT via Vakif and Vakif Katilim APIs.
Finansbank | EFT / bank transfers | FinansBank.php | Domestic EFT via Finansbank API.
KPS (Population Reg.) | Identity verification (TR) | KpsHelper, KpsHelper1, Kpsv2Sorgulayici | Look up Turkish national ID (TC) from population registry. Used for sender/customer identity check.
MERSIS | Company registry (TR) | MERSIS.php service | Look up Turkish company data from trade registry. Used for corporate customer verification.
Logo ERP | Accounting / GL sync | LogoService | Post verified vouchers to Logo Tiger ERP. Retry on failure. Bi-directional account data.
Sumsub | KYC / liveness check | SumsubClient.php | Remote KYC and liveness verification for wallet customers via Sumsub platform API.
PayCell | Invoice payment | PayCellController, PayCell.php | Invoice search, pay, refund, and corporate company lookup via PayCell API.
Paygate / FzyPay | POS 3D-secure payments | FzyPayController, Paygate.php, FziPay.php | Create 3D-secure POS payment sessions, get terminals, manage payment profiles.
DataportSMS | OTP / SMS delivery | DataportSMS.php | Deliver OTP codes via SMS. Used in login, reset password, transfer OTP flows.
GIB Reports | Tax reporting (TR) | GIBreports.php | Generate Turkish tax authority reports (GIB).
MoneyBasket | Transfer network | MoneyBasket.php | Additional transfer network integration.
For auditors: Data shared with each external party is limited to what is necessary for the operation (e.g. sender/beneficiary name and amount for transfer networks; TC number for KPS identity check). Data sharing agreements (DPA) and contracts with each party should be reviewed separately by the compliance team.
🔄

Data Flow Overview

How data moves between system components

Transfer data flow (end-to-end)

Operator / Teller UI (Angular) → HTTPS POST /transfer/store → auth:sanctum + guards → TrasfareController → Risk Engine (RiskController) → Transfer Company API (Ria / Korona / EFT bank) → MySQL (transfers table) → AccountingController (voucher) → Logo ERP (GL sync)

Wallet deposit data flow

Agent UI → POST /walletoperation/depositWallet → auth:sanctum + IP + time guards → WalletOperationController → Commission check (WalletCommissionController) → OTP via DataportSMS → MySQL (wallet_transactions) → FCM notification (Firebase)

KYC data flow

Wallet Mobile App → POST /kycApproval/createApprovalRequest → Document stored in server storage → Optional: Sumsub API (biometric) → KycProgressApprovalController → Operator review (approve / reject) → MySQL (kyc_approvals + wallet_customers)

Risk evaluation data flow

Transfer submitted → RiskController evaluates active scenarios
    HOLD → Approval Pool (PoolController)
    BLOCK → Reject, log
    FLAG → Proceed + log (risk_trigger_report)

Accounting data flow

Transfer / Wallet op completes → Auto voucher created (AccountingController) → Unverified Vouchers queue → Accountant verifies (POST /account/verifyVoucher) → General Ledger (MySQL) → Logo Tiger ERP (LogoService)
Data retention: All transaction data, logs (request/response/login/OTP), and accounting records are retained in the MySQL database. Activity logs are readable by authorized roles via the log/* endpoints. Audit log export is available.
📊

Flow Diagrams

79 interactive diagrams — backend, mobile wallet, POS, and admin UI flows

How to use: Click Expand on any diagram to open a full-screen viewer with zoom, pan, and SVG download. All diagrams use Mermaid flowchart notation and render directly in-browser. Diagrams are grouped by domain: Backend (B-series), Mobile Wallet (M-series), POS (P-series), and Angular Admin UI (A-series).
| Group | Count | Coverage |
|---|---|---|
| 🖥️ Backend Architecture & Security | 20 | 20 diagrams covering system architecture, authentication token lifecycle, full money-transfer backend flow, EFT, wallet operations, KYC, risk/AML evaluation, accounting/GL sync, and POS 3D payment. |
| 📱 Mobile Wallet App Flows | 11 | 11 diagrams covering wallet registration, login, dashboard, send money, wallet-to-wallet, IBAN transfer, KYC, withdrawal, FCM push, and multilingual/RTL. |
| 🛒 POS Payment Flows | 2 | 2 diagrams covering 3D-secure POS payment end-to-end and terminal setup. |
| 🅰️ Angular Admin UI Flows | 46 | 46 diagrams covering the Angular admin/operator web application: architecture, authentication, send money stepper, pay money, EFT, approval pool, wallet lifecycle, KYC, risk scenarios, NgRx state, accounting, dashboard, reports, system health, and all 32 modules. |
🖥️

Backend Architecture & Security

20 diagrams — backend architecture & security

Audit guidance: Each diagram below shows a complete flow. Use the Expand button for a full-screen, zoomable view. Use Download SVG to attach diagrams to audit working papers.

B01 — Backend System Architecture
flowchart TB
    subgraph Client["Clients"]
        A1["Angular Admin Web"]
        A2["Wallet Mobile App"]
    end
    subgraph Laravel["Laravel REST API (Moneyout Backend)"]
        MW["Middleware Stack\n(Sanctum / IP / Time / Role)"]
        CT["Controllers"]
        SV["Services"]
        JB["Jobs / Queue Workers"]
    end
    subgraph Data["Data Layer"]
        DB[(MySQL Database)]
        ST["File Storage"]
        CA["Cache / Queue (Redis)"]
    end
    subgraph External["External Integrations"]
        TR["Transfer Networks\n(Ria / Korona / Tranglo / Instacash)"]
        BK["Banks (EFT)\n(Albaraka / Vakif / Finansbank)"]
        GOV["Government APIs\n(KPS / MERSIS)"]
        ERP["Logo Tiger ERP"]
        KYC["Sumsub KYC"]
        SMS["DataportSMS"]
        POS["Paygate / FzyPay (POS)"]
        INV["PayCell (Invoice)"]
    end
    A1 -->|HTTPS REST| MW
    A2 -->|HTTPS REST| MW
    MW --> CT --> SV
    SV --> DB
    SV --> ST
    SV --> JB
    JB --> CA
    SV --> TR
    SV --> BK
    SV --> GOV
    JB --> ERP
    SV --> KYC
    SV --> SMS
    SV --> POS
    SV --> INV
B02 — Authentication & Token Lifecycle
flowchart TD
    A([Client sends credentials]) --> B[AuthController: validate]
    B --> C{Valid?}
    C -->|No| D[Return 401]
    C -->|Yes| E[Send OTP via DataportSMS]
    E --> F[Client enters OTP]
    F --> G{OTP correct?}
    G -->|No| H[Increment attempts]
    G -->|Yes| I[Issue Sanctum token]
    I --> J[Return token + role + permissions]
    J --> K[Client stores token]
    K --> L[Every request: Bearer token header]
    L --> M[auth:sanctum validates]
    M --> N{Active user?}
    N -->|No| O[BlockUserInactive: 403]
    N -->|Yes| P[Checkip: allowed?]
    P -->|No| Q[403 IP blocked]
    P -->|Yes| R[Checkworktime: allowed?]
    R -->|No| S[403 outside hours]
    R -->|Yes| T[Controller executes]
B03 — Money Transfer — Full Backend Flow
flowchart TD
    A([POST /transfer/store]) --> B[Auth + guards middleware]
    B --> C[TrasfareController: validate request]
    C --> D[CommissionController: cost calculation\nfee + commission + FX rate]
    D --> E[RiskController: evaluate scenarios]
    E --> F{Risk result?}
    F -->|HOLD| G[Add to approval pool]
    F -->|BLOCK| H[Reject: return error]
    F -->|FLAG or PASS| I[OTP required?]
    I -->|Yes| J[Send OTP via SMS]
    J --> K[Client confirms OTP]
    K --> L[Submit to transfer company API\nRia / Korona / Tranglo]
    I -->|No| L
    L --> M{API success?}
    M -->|No| N[Return error to client]
    M -->|Yes| O[Update transfer status: Pending]
    O --> P[Auto-create accounting voucher]
    P --> Q[Return receipt to client]
    G --> R[Pool queue: operator reviews]
    R --> S{Decision}
    S -->|Approve| L
    S -->|Reject| T([Transfer cancelled])
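
Added example (not part of the Moneyout document or code base): a diagram such as B03 can be checked for control coverage by parsing its edges and listing every drawn route that reaches a step without passing a given control node. The function names are illustrative, and the parser assumes only the `-->` arrows and node shapes used on this page.

```python
import re
from collections import defaultdict

# Diagram B03 as drawn on this page, embedded so the check runs offline.
B03 = r"""
flowchart TD
A([POST /transfer/store]) --> B[Auth + guards middleware]
B --> C[TrasfareController: validate request]
C --> D[CommissionController: cost calculation\nfee + commission + FX rate]
D --> E[RiskController: evaluate scenarios]
E --> F{Risk result?}
F -->|HOLD| G[Add to approval pool]
F -->|BLOCK| H[Reject: return error]
F -->|FLAG or PASS| I[OTP required?]
I -->|Yes| J[Send OTP via SMS]
J --> K[Client confirms OTP]
K --> L[Submit to transfer company API\nRia / Korona / Tranglo]
I -->|No| L
L --> M{API success?}
M -->|No| N[Return error to client]
M -->|Yes| O[Update transfer status: Pending]
O --> P[Auto-create accounting voucher]
P --> Q[Return receipt to client]
G --> R[Pool queue: operator reviews]
R --> S{Decision}
S -->|Approve| L
S -->|Reject| T([Transfer cancelled])
"""

_ID = re.compile(r"\s*([A-Za-z_]\w*)")
_ARROW = re.compile(r"\s*-->\s*(?:\|([^|]*)\|)?")
_SHAPES = (("([", "])"), ("[(", ")]"), ("[", "]"), ("{", "}"))


def _read_node(line, pos, labels):
    """Read `ID` or `ID<shape>label<shape>` at pos; return (id, new_pos) or None."""
    m = _ID.match(line, pos)
    if not m:
        return None
    node, pos = m.group(1), m.end()
    for opener, closer in _SHAPES:
        if line.startswith(opener, pos):
            end = line.index(closer, pos + len(opener))
            labels[node] = line[pos + len(opener):end]
            pos = end + len(closer)
            break
    return node, pos


def parse_flowchart(text):
    """Return (edges, labels); edges are (source, target, edge_label or None)."""
    edges, labels = [], {}
    for line in text.strip().splitlines():
        if not line.strip() or line.split()[0] in ("flowchart", "graph", "subgraph", "end"):
            continue
        read = _read_node(line, 0, labels)
        while read:                      # follow chains such as A --> B --> C
            src, pos = read
            arrow = _ARROW.match(line, pos)
            if not arrow:
                break
            read = _read_node(line, arrow.end(), labels)
            if read:
                edges.append((src, read[0], arrow.group(1)))
    return edges, labels


def routes_avoiding(edges, start, target, control):
    """All simple routes start -> target that never touch `control`.

    An empty list means the control sits on every drawn route to the target.
    """
    nxt = defaultdict(list)
    for src, dst, _ in edges:
        nxt[src].append(dst)
    found = []

    def walk(node, path):
        if node == target:
            found.append(path)
            return
        for child in nxt[node]:
            if child != control and child not in path:
                walk(child, path + [child])

    if start != control:
        walk(start, [start])
    return found


if __name__ == "__main__":
    edges, labels = parse_flowchart(B03)
    for control in ("B", "E", "K"):
        routes = routes_avoiding(edges, "A", "L", control)
        print(f"{labels[control]!r}: {len(routes)} route(s) reach L without it")
        for route in routes:
            print("   ", " -> ".join(route))
```

On B03 the result is empty for the auth guards (B) and the risk evaluation (E), while two drawn routes reach the submission step without the OTP confirmation node (K): the "OTP required? No" branch and the pool-approval branch. Whether OTP applies to pool-approved transfers is a point to confirm in the walkthrough.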
B04 — Cash Pickup Pay-Out — Backend Flow
flowchart TD
    A([GET /transfer/searchTransferforPay]) --> B[Search transfer by PIN at company API]
    B --> C{Found?}
    C -->|No| D[Return error]
    C -->|Yes| E[Return transfer details to client]
    E --> F[Client: verify beneficiary ID]
    F --> G[POST /transfer/finishTransfer]
    G --> H[BlackListCustomerController: check blacklist]
    H --> I{Blacklisted?}
    I -->|Yes| J[Block payout]
    I -->|No| K[OTP if required]
    K --> L[Execute payout via company API]
    L --> M{Success?}
    M -->|No| N[Return error]
    M -->|Yes| O[Update status: Paid]
    O --> P[Update agent ledger]
    P --> Q[Auto-create accounting voucher]
    Q --> R([Return receipt])
B05 — EFT — Single and Bulk Backend Flow
flowchart TD
    A([POST /import-eft or single EFT]) --> B[EFTController: parse input]
    B --> C{Single or Bulk?}
    C -->|Bulk Excel| D[Parse rows from Excel]
    C -->|Single| E[Validate IBAN + bank]
    D --> F[Validate each row: IBAN, bank, amount]
    F --> G{Any invalid?}
    G -->|Yes| H[Return validation errors to client]
    G -->|No| I[EFTService: submit to bank API]
    E --> I
    I --> J{Bank: Albaraka / Vakif / Finansbank}
    J --> K[Bank processes transfer]
    K --> L{Status callback / poll}
    L -->|Completed| M[Update status: Completed]
    L -->|Failed| N[Update status: Failed]
    M --> O[Auto-create accounting voucher]
    N --> P[Notify operator: retry available]
B06 — Wallet Deposit / Withdrawal — Backend Flow
flowchart TD
    A([POST /walletoperation/depositWallet\nor withdrawWallet]) --> B[Auth + IP + time guards]
    B --> C[WalletOperationController: validate]
    C --> D[Load wallet customer: balance + KYC + limits]
    D --> E{Within limits?}
    E -->|No| F[Return limit error]
    E -->|Yes| G[WalletCommissionController: calc commission]
    G --> H{OTP required?}
    H -->|Yes| I[Send OTP via SMS]
    I --> J[Client confirms]
    J --> K[Execute: update wallet balance]
    H -->|No| K
    K --> L[Record wallet transaction ledger]
    L --> M[FCM push notification to wallet user]
    M --> N([Return receipt])
B07 — KYC & Document Verification — Backend Flow
flowchart TD
    A([Wallet customer uploads document]) --> B[POST /kycApproval/createApprovalRequest]
    B --> C[Store document in file storage]
    C --> D{NFC / Liveness requested?}
    D -->|NFC| E[POST /walletcommon/sendNFCData\nparse chip data]
    D -->|Liveness| F[Sumsub API: biometric check]
    D -->|No| G[Add to KYC approval queue]
    E --> G
    F --> G
    G --> H[Operator: POST /kycApproval/searchApproval]
    H --> I[Review: document + NFC + liveness result]
    I --> J{Decision}
    J -->|Approve| K[Update KYC level]
    K --> L[Upgrade wallet limits]
    J -->|Reject| M[Notify customer: re-submit]
B08 — Risk & AML — Backend Evaluation Flow
flowchart TD
    A([Active risk scenarios loaded on boot]) --> B[Transfer submitted]
    B --> C[RiskController: evaluate all active scenarios by priority]
    C --> D{Any scenario matches?}
    D -->|No| E[Transfer proceeds normally]
    D -->|Yes| F{Action type?}
    F -->|HOLD| G[PoolController: add to approval queue]
    F -->|BLOCK| H[Transfer rejected immediately\nUser notified]
    F -->|FLAG| I[Transfer proceeds\nLogged in triggered_risk_report]
    G --> J[Operator reviews pool item]
    J --> K{Pool decision}
    K -->|Approve| L[Submit to transfer company]
    K -->|Reject| M[Transfer cancelled]
    K -->|Escalate| N[Move to next level operator]
    I --> O[Risk Flag Report available\nfor compliance review]
B09 — Accounting & Logo ERP Sync — Backend Flow
flowchart TD
    A([Transfer / Wallet op completes]) --> B[AccountingController: auto-create voucher]
    B --> C[Voucher: debit + credit lines\nlinked to transaction]
    C --> D[Status: Unverified]
    D --> E[Accountant: GET /account/getUnVerifiedVouchers]
    E --> F[Review debit/credit lines + attachment]
    F --> G{Correct?}
    G -->|No| H[POST /account/createNewEntries: adjust]
    H --> F
    G -->|Yes| I[POST /account/verifyVoucher]
    I --> J[Status: Verified\nPosted to General Ledger]
    J --> K[LogoService: sync to Logo Tiger ERP]
    K --> L{Sync success?}
    L -->|Yes| M([Voucher complete])
    L -->|No| N[Status: sync failed]
    N --> O[POST /account/retryEntry: manual retry]
    O --> K
B10 — POS 3D Secure Payment — Backend Flow
flowchart TD
    A([POST /posOperation/payment3d]) --> B[Auth + role guards]
    B --> C[FzyPayController: validate payment request]
    C --> D[Paygate / FzyPay API: create 3D payment session]
    D --> E[Return 3D redirect URL to client]
    E --> F[Client: redirect customer to bank 3D page]
    F --> G[Customer completes 3D authentication]
    G --> H[Bank callback: POST /callback/3dsecure]
    H --> I[CallBackController: verify callback signature]
    I --> J{Payment result?}
    J -->|Success| K[Update order status: Paid]
    K --> L[Generate receipt]
    J -->|Failed| M[Update order status: Failed]
    M --> N[Notify operator]
B11 — Commission & Cost Calculation — Backend Flow
flowchart TD
    A([Transfer submitted]) --> B[POST /transfer/costcaluclation]
    B --> C[CommissionController: load fee rules]
    C --> D[Match: product + country + transfer type]
    D --> E[Load agent commission rules]
    E --> F[Match: agent + product + tier]
    F --> G[Call transfer company API for FX rate]
    G --> H[Calculate total:\nFee + Commission + FX spread]
    H --> I[Return breakdown to client]
    I --> J[Client confirms amount]
    J --> K[Commission recorded on transfer execute]
    K --> L([Agent commission ledger updated])
B12 — Invoice & PayCell Payment — Backend Flow
flowchart TD
    A([POST /PayCell/invoiceSearch]) --> B[Auth + role guards]
    B --> C[PayCellController: call PayCell API]
    C --> D{Invoice found?}
    D -->|No| E[Return not found]
    D -->|Yes| F[Return invoice: amount, due date, company]
    F --> G[POST /PayCell/invoicePay]
    G --> H[PayCell API: process payment]
    H --> I{Success?}
    I -->|No| J[Return error to client]
    I -->|Yes| K[Record invoice transaction]
    K --> L[Auto-create accounting voucher]
    L --> M([Return paid confirmation])
    A2([POST /PayCell/invoiceRefund]) --> N[Call PayCell refund API]
    N --> O[Update transaction status: Refunded]
B13 — Notification & FCM Push — Backend Flow
flowchart TD
    A([System event: transfer / KYC / alert]) --> B{Target audience?}
    B -->|Staff user| C[InnerSystemNotification: create DB record]
    C --> D[WebSocket push to connected Angular clients]
    D --> E[Angular: bell icon badge updates]
    B -->|Wallet customer| F[FCM push via Firebase]
    F --> G[Mobile app receives push notification]
    G --> H[In-app notification centre updated]
    B -->|Alert| I[AlertController: create alert record]
    I --> J[WebSocket push to Alerts subscribers]
    J --> K[Alerts list updates in real time]
    C --> L[POST /innerSystemNotification/store]
    I --> M[POST /alert/store]
B14 — Intercompany Transfer & Mutabakat — Backend Flow
flowchart TD
    A([POST /intermediary-company/transfer]) --> B[Auth + Isoperator guard]
    B --> C[IntermediaryController: validate request]
    C --> D[Record intercompany transfer:\nsend currency, pay currency, amount]
    D --> E[Link to authorised persons]
    E --> F[Auto-create accounting voucher]
    F --> G([Transfer recorded])
    G --> H[POST /interCompaniesReports/mutabakat]
    H --> I[Load internal records for company + date range]
    I --> J[Compare vs company-reported figures]
    J --> K{Discrepancy?}
    K -->|Yes| L[Return mismatched rows]
    K -->|No| M([Mutabakat: matched — reconciled])
B15 — Refund — Backend Processing Flow
flowchart TD
    A([POST /transfer/refundRequest]) --> B[Auth + role guards]
    B --> C[TrasfareController: load transfer]
    C --> D{Transfer status: Completed?}
    D -->|No| E[Return: not refundable]
    D -->|Yes| F[Check refund rules\ntime limit, amount, product]
    F --> G{Auto-approve?}
    G -->|Yes| H[POST to transfer company: refund API]
    G -->|No| I[Create refund approval request]
    I --> J[Operator reviews in queue]
    J --> K{Decision}
    K -->|Approve| H
    K -->|Reject| L([Notify requester: rejected])
    H --> M{Company API success?}
    M -->|No| N[Return error — log failure]
    M -->|Yes| O[Update transfer status: Refunded]
    O --> P[Auto-create refund voucher]
    P --> Q([Notify requester: refunded])
B16 — OTP — Send & Verify Standalone Flow
flowchart TD
    A([Action requires OTP]) --> B[OtpCheckController: is OTP required?]
    B --> C{OTP enabled for this action?}
    C -->|No| D[Skip OTP — proceed directly]
    C -->|Yes| E[Generate 6-digit OTP]
    E --> F[Store OTP with expiry\nper user, per action type]
    F --> G[DataportSMS: send OTP to phone]
    G --> H[Client: user enters code]
    H --> I[POST /checkotpcode]
    I --> J{Code matches?}
    J -->|No| K[Increment attempt counter]
    K --> L{Max attempts?}
    L -->|Yes| M[Lock action for cooldown period]
    L -->|No| N[Return: wrong OTP]
    J -->|Yes| O{Code expired?}
    O -->|Yes| P[Return: OTP expired\nUser must request new]
    O -->|No| Q[OTP verified — action proceeds]
    Q --> R([Mark OTP as used])
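
Added example (not Moneyout's Laravel code): a Python model of the B16 decision order using the three OTP settings from System Management (expiry, max attempts, cooldown), so the lockout, expiry and single-use outcomes can be stated as test cases. The policy values, status strings and the behaviours marked as assumptions in the comments are not from this document.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class OtpPolicy:
    """The three OTP settings named in System Management (values constructed)."""
    expiry_s: int = 120
    max_attempts: int = 3
    cooldown_s: int = 300


@dataclass
class _Otp:
    code: str
    expires_at: float
    attempts: int = 0


class OtpModel:
    """Model of diagram B16: one live code per (user, action type)."""

    def __init__(self, policy, clock):
        self.policy = policy
        self.clock = clock           # callable returning seconds; injectable for tests
        self._live = {}              # (user, action) -> _Otp
        self._locked_until = {}      # (user, action) -> unlock time

    def issue(self, user, action):
        """Generate and store a 6-digit code; the caller hands it to the SMS gateway."""
        key = (user, action)
        if self.clock() < self._locked_until.get(key, 0):
            return None              # assumption: no new code during the cooldown
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded to 6 digits
        self._live[key] = _Otp(code, self.clock() + self.policy.expiry_s)
        return code

    def verify(self, user, action, submitted):
        """Return one of: verified, wrong_otp, expired, locked, no_active_otp."""
        key, now = (user, action), self.clock()
        if now < self._locked_until.get(key, 0):
            return "locked"
        otp = self._live.get(key)
        if otp is None:
            return "no_active_otp"   # assumption: never issued, already used, or discarded
        # B16 compares the code first and checks expiry second, so a wrong
        # guess against an expired code still counts towards the lockout.
        if not hmac.compare_digest(otp.code.encode(), str(submitted).encode()):
            otp.attempts += 1
            if otp.attempts >= self.policy.max_attempts:
                self._locked_until[key] = now + self.policy.cooldown_s
                del self._live[key]  # assumption: lockout also discards the code
                return "locked"
            return "wrong_otp"
        if now >= otp.expires_at:
            return "expired"         # user must request a new code
        del self._live[key]          # "Mark OTP as used": a replay finds nothing to match
        return "verified"
```

Each status string corresponds to one terminal node of B16, which gives an auditor a ready list of cases to request evidence for from the OTP logs.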
B17 — Agent Orchestration — Backend Evaluation
flowchart TD
    A([Transfer submitted by agent]) --> B[Load agent orchestration rules]
    B --> C{Rules exist for agent?}
    C -->|No| D[Use default agent permissions]
    C -->|Yes| E[Match rule: product type]
    E --> F{Product allowed?}
    F -->|No| G[Return: product not permitted]
    F -->|Yes| H[Check transfer limits\nper product, currency, period]
    H --> I{Within limits?}
    I -->|No| J[Return: limit exceeded]
    I -->|Yes| K[Check allowed countries]
    K --> L{Country allowed?}
    L -->|No| M[Return: country not allowed]
    L -->|Yes| N[Orchestration passed]
    N --> O[Continue to cost calc + risk eval]
B18 — Blacklist — Check & Management Flow
flowchart TD
    A([Pay Money / transfer submit]) --> B[BlackListCustomerController: check beneficiary]
    B --> C[Match: name, TC, phone, passport]
    C --> D{Match found?}
    D -->|Yes| E[Block payout immediately]
    E --> F[Log blacklist hit]
    F --> G([Return: beneficiary blocked])
    D -->|No| H[Proceed with transfer]
    I([Admin: manage blacklist]) --> J[GET /blacklist/all: list entries]
    J --> K[New entry: name + ID + reason + notes]
    K --> L[POST /blacklist/store]
    L --> M([Entry active immediately])
    J --> N[Edit / deactivate entry]
    N --> O([Updated — effective immediately])
B19 — WebSocket — Server Push Lifecycle
flowchart TD
    A([Client connects with auth token]) --> B[POST /validate-token]
    B --> C{Token valid?}
    C -->|No| D[Reject connection]
    C -->|Yes| E[Socket authenticated]
    E --> F[Join user-specific room]
    F --> G[Join role-specific room]
    G --> H[Connection established]
    H --> I{System event?}
    I -->|New notification| J[Emit to user room]
    I -->|Pool update| K[Emit to operator room]
    I -->|Alert| L[Emit to role room]
    I -->|List change| M[Emit to subscribed room]
    J --> N[Angular: NotificationService receives]
    K --> O[Angular: PoolService receives]
    L --> P[Angular: AlertService receives]
    M --> Q[Angular: ListService updates rows]
    H --> R{Disconnect?}
    R -->|Yes| S[Remove from rooms]
    S --> T([Connection closed])
B20 — Risk Formula & Age Risk — Evaluation Flow
flowchart TD
    A([Transfer or customer event]) --> B[RiskController: load active formulas]
    B --> C[Load age-band risk weights\nfrom risk_percentages table]
    C --> D[Load country risk weights]
    D --> E[Calculate customer risk score\nage band weight + country weight + history]
    E --> F[Load active risk scenarios]
    F --> G[Evaluate each scenario formula]
    G --> H{Score exceeds threshold?}
    H -->|No| I[Risk: pass]
    H -->|Yes| J{Action?}
    J -->|HOLD| K[Add to approval pool]
    J -->|BLOCK| L[Reject transfer]
    J -->|FLAG| M[Log to risk_trigger_report]
    I --> N([Transfer proceeds])
    K --> O([Awaits operator approval])
    L --> P([Transfer rejected])
    M --> N
📱

Mobile Wallet App Flows

11 diagrams — mobile wallet app flows

M01 — Mobile Wallet App — Registration Flow
flowchart TD
    A([Download App]) --> B[POST /register]
    B --> C{TC already exists?}
    C -->|Yes| D[Return error]
    C -->|No| E[Create wallet account]
    E --> F[Send OTP via SMS]
    F --> G[User verifies phone]
    G --> H[POST /walletVirfiy]
    H --> I[Account active at KYC Level 0]
    I --> J[POST /walletLogin: login]
    J --> K[Sanctum token issued]
    K --> L([App home screen])
M02 — Mobile Wallet App — Send Money (Ria/Korona)
flowchart TD
    A([App: Send Money]) --> B[Select Ria or Korona]
    B --> C[POST /ria/get-customer-charge\nor Korona/getSendRate]
    C --> D[Show rate + fees]
    D --> E[Enter beneficiary details]
    E --> F[POST /walletMoneyTransfer/sendRia\nor sendKorona]
    F --> G[Backend: submit to Ria/Korona API]
    G --> H{Success?}
    H -->|Yes| I[Transfer created]
    I --> J[FCM push notification]
    H -->|No| K[Return error to app]
M03 — Mobile Wallet App — Wallet-to-Wallet Transfer
flowchart TD
    A([App: Send to Wallet]) --> B[Enter recipient phone / wallet number]
    B --> C[POST /walletcommon/checkiban or search]
    C --> D[Show recipient name + balance check]
    D --> E[Enter amount]
    E --> F[POST /walletoperation/sendWalletToWallet]
    F --> G[Check sender balance + limits]
    G --> H{OTP required?}
    H -->|Yes| I[SMS OTP via DataportSMS]
    I --> J[Confirm]
    J --> K[Debit sender wallet]
    H -->|No| K
    K --> L[Credit recipient wallet]
    L --> M[FCM to both parties]
    M --> N([Transaction complete])
M04 — Mobile Wallet App — KYC Document Upload
flowchart TD
    A([Wallet App: KYC Screen]) --> B[Select document type\nID / Passport / Other]
    B --> C[Capture or upload photo]
    C --> D{NFC available?}
    D -->|Yes| E[Read NFC chip from eID]
    D -->|No| F[Skip NFC]
    E --> G{Liveness required?}
    F --> G
    G -->|Yes| H[Sumsub: biometric liveness check]
    G -->|No| I[POST /kycApproval/createApprovalRequest]
    H --> I
    I --> J[Documents stored server-side]
    J --> K[Status: Pending review]
    K --> L[FCM: KYC submitted notification]
    L --> M[Back-office operator reviews]
    M --> N{Decision}
    N -->|Approve| O[KYC level upgraded]
    N -->|Reject| P[FCM: rejection notification]
    O --> Q[Wallet limits upgraded]
    Q --> R([FCM: KYC approved notification])
M05 — Mobile Wallet App — IBAN Transfer to Bank
flowchart TD
    A([App: Transfer to Bank]) --> B[POST /walletcommon/checkiban]
    B --> C{IBAN valid?}
    C -->|No| D[Show error]
    C -->|Yes| E[Display bank name + account holder]
    E --> F[Enter amount]
    F --> G[Check wallet balance]
    G --> H{Sufficient funds?}
    H -->|No| I[Show insufficient balance]
    H -->|Yes| J[Calculate commission]
    J --> K[Show total deduct to user]
    K --> L{OTP required?}
    L -->|Yes| M[Send OTP via SMS]
    M --> N[User confirms OTP]
    N --> O[POST /walletMoneyTransfer/sendToIban]
    L -->|No| O
    O --> P[Debit wallet balance]
    P --> Q[Initiate bank transfer]
    Q --> R([FCM: Transfer submitted])
M06 — Mobile Wallet App — Transaction History
flowchart TD
    A([App: History tab]) --> B[POST /walletreports/walletTransaction]
    B --> C[Load transactions list]
    C --> D[Display with infinite scroll]
    D --> E{Filter?}
    E -->|Yes| F[Select type / date range]
    F --> G[Reload filtered results]
    E -->|No| H[Scroll down → load next page]
    G --> I[Open transaction row]
    H --> I
    I --> J[View detail: amount, type,\ndate, status, reference]
    J --> K[Download / share receipt PDF]
M07 — Mobile App — Login & Session Management
flowchart TD
    A([App opens]) --> B{Stored token?}
    B -->|Yes| C[POST /validate-token]
    C --> D{Token valid?}
    D -->|Yes| E([Restore session → Home screen])
    D -->|No| F[Clear token]
    F --> G[Show Login screen]
    B -->|No| G
    G --> H[Enter phone + password]
    H --> I[POST /walletLogin]
    I --> J{Valid?}
    J -->|No| K[Show error]
    J -->|Yes| L[OTP screen]
    L --> M[Enter 6-digit OTP]
    M --> N[POST /checkotpcode]
    N --> O{OTP correct?}
    O -->|No| P[Show wrong code error]
    O -->|Yes| Q[Store Sanctum token]
    Q --> R[Load wallet profile + balance]
    R --> S([Home screen])
    G --> T[Logout path]
    T --> U[Clear token from device]
    U --> G
M08 — Mobile App — Home Dashboard & Quick Actions
flowchart TD
    A([Login success]) --> B[Load wallet home screen]
    B --> C[GET /walletcommon/walletBalance]
    C --> D[Display balance: amount + currency]
    D --> E[Load recent transactions\nPOST /walletreports/walletTransaction - page 1]
    E --> F[Show last 5 transactions]
    F --> G[Quick action buttons]
    G --> H{Action?}
    H -->|Send Money| I[Navigate to International Send]
    H -->|Wallet to Wallet| J[Navigate to W2W screen]
    H -->|Transfer to Bank| K[Navigate to IBAN Transfer]
    H -->|Transaction History| L[Navigate to full history]
    H -->|KYC| M[Navigate to KYC screen]
    F --> N[FCM: new event updates balance]
    N --> O([Balance refreshed in real time])
M09 — Mobile App — Wallet Withdrawal
flowchart TD
    A([App: Withdraw tab]) --> B[Load linked bank accounts]
    B --> C{Bank account linked?}
    C -->|No| D[Prompt to add bank account]
    D --> E[POST /walletcustomer/addBank]
    E --> F([Bank account added])
    C -->|Yes| G[Select bank account]
    G --> H[Enter withdrawal amount]
    H --> I[POST /walletcommon/getUserLimits]
    I --> J{Within daily/monthly limit?}
    J -->|No| K[Show limit error + remaining limit]
    J -->|Yes| L[Calculate withdrawal commission]
    L --> M[Show: amount, fee, total deduct]
    M --> N{OTP required?}
    N -->|Yes| O[Send OTP via SMS]
    O --> P[Confirm OTP]
    P --> Q[POST /walletoperation/withdrawWallet]
    N -->|No| Q
    Q --> R[Debit wallet balance]
    R --> S[Initiate bank transfer]
    S --> T([FCM: Withdrawal confirmation])
M10 — Mobile App — FCM Push Notification Receive
flowchart TD
    A([Backend event fires]) --> B[Firebase FCM API called]
    B --> C[FCM routes to device token]
    C --> D{App state?}
    D -->|Foreground| E[In-app notification banner]
    D -->|Background| F[OS push notification]
    D -->|Killed| F
    F --> G[User taps notification]
    G --> H[App opens / resumes]
    H --> I[Parse notification payload]
    I --> J{Notification type?}
    J -->|Transfer| K[Navigate to transaction detail]
    J -->|KYC approved| L[Show KYC status screen]
    J -->|KYC rejected| M[Navigate to KYC re-submit]
    J -->|Balance update| N[Refresh home balance]
    J -->|System| O[Show in-app notification centre]
    E --> P[Notification centre badge +1]
    P --> Q([User can view all notifications])
M11 — Mobile App — Multilingual & RTL Switch
flowchart TD
    A([App settings: Language]) --> B{Select language}
    B -->|English| C[Load EN translation strings]
    B -->|Turkish| D[Load TR translation strings]
    B -->|Arabic| E[Load AR translation strings]
    C --> F[dir = ltr]
    D --> F
    E --> G[dir = rtl]
    F --> H[All labels, buttons, menus update]
    G --> H
    H --> I[Layout mirrors for RTL\nicons, alignment, text direction]
    I --> J[Preference saved to device storage]
    J --> K([Applied on next app launch too])
🛒

POS Payment Flows

2 diagrams — POS payment flows

P01 — POS 3D Payment — Full Flow
flowchart TD
    A([Operator: POST /posOperation/payment3d]) --> B[FzyPayController: validate]
    B --> C[Paygate API: create session]
    C --> D[Return 3D redirect URL]
    D --> E[Customer browser: 3D page]
    E --> F[Customer authenticates with bank]
    F --> G[Bank: POST /callback/3dsecure]
    G --> H[CallBackController: verify signature]
    H --> I{Result?}
    I -->|Success| J[Order paid]
    I -->|Failed| K[Order failed]
    J --> L[POST /posOperation/refundPayment available]
P02 — POS Terminal Setup
flowchart TD
    A([Operator]) --> B[POST /posTerminals/add]
    B --> C[FzyPayController: create terminal]
    C --> D[Link to merchant POST /merchant/create]
    D --> E[Set bank costs POST /bankCosts/add]
    E --> F[Create payment profile POST /paymentProfile/add]
    F --> G[Add profile details POST /PosPaymentDetails/add]
    G --> H[Set commission rates POST /posCardtypes/add]
    H --> I([Terminal ready for payments])
🅰️

Angular Admin UI Flows

46 diagrams — Angular admin UI flows

A01 — Angular App Architecture Overview
flowchart TB
    subgraph Browser["Browser SPA"]
        Login["Login Component"] --> AuthGuard
        AuthGuard -->|"token valid + role ok"| Router["Angular Router"]
        Router --> FM1["Dashboard Module"]
        Router --> FM2["Transfers Module"]
        Router --> FM3["Wallet Module"]
        Router --> FM4["Risk Module"]
        Router --> FM5["Reports Module"]
    end
    subgraph NgRx["NgRx Store"]
        Actions --> Reducer --> State
        State --> Selectors
        Actions --> Effects
    end
    FM2 --> NgRx
    NgRx --> Effects
    Effects --> API["Backend API"]
A02 — Authentication — UI Flow
flowchart TD
    A([User visits Login]) --> B[Enter email + password]
    B --> C{Already logged in?}
    C -->|Yes| D([Redirect to Dashboard])
    C -->|No| E[Submit credentials]
    E --> F{Valid?}
    F -->|No| G[Show error]
    F -->|Yes| H[Navigate to OTP]
    H --> I[Enter 6-digit OTP]
    I --> J[Store token + role]
    J --> K[Resolver loads permissions]
    K --> L{Role?}
    L -->|Admin/Operator| M([Dashboard])
    L -->|Teller/Agent| N([Send Money])
    L -->|Risk| O([Risk Management])
A03 — Send Money — UI Stepper
flowchart TD
    A([Send Money]) --> B[Step 1: Sender Info]
    B --> C[Step 2: Transfer Details]
    C --> D[Step 3: Beneficiary]
    D --> E[Step 4: Risk Check]
    E --> F{Risk?}
    F -->|High| G[To Approval Pool]
    F -->|OK| H[Step 5: Confirmation]
    H --> I[OTP if required]
    I --> J[Execute]
    J --> K([Success + Receipt])
A04 — Pay Money — Cash Pickup UI
flowchart TD
    A([Pay Money]) --> B[Enter PIN/Reference]
    B --> C[Select company]
    C --> D[Search transfer]
    D --> E{Found?}
    E -->|No| F[Error]
    E -->|Yes| G[Verify beneficiary ID]
    G --> H[Confirm payout]
    H --> I[OTP if required]
    I --> J[Execute]
    J --> K([Receipt])
A05 — EFT — UI Workflow
flowchart TD
    A([EFT]) --> B{Single or Bulk?}
    B -->|Single| C[IBAN, amount, description]
    B -->|Bulk| D[Upload Excel]
    C --> E[Validate]
    D --> E
    E --> F[Confirm]
    F --> G[Submit to bank]
    G --> H([Status tracked])
A06 — Approval Pool — UI Flow
flowchart TD
    A[Transfer to pool] --> B[Operator queue]
    B --> C{Decision?}
    C -->|Approve| D([Execute])
    C -->|Escalate| E[SuperOperator]
    C -->|Reject| F([Cancel])
    E --> G{Decision?}
    G -->|Approve| D
    G -->|Reject| F
A07 — Wallet Customer Lifecycle
flowchart TD
    A([New Customer]) --> B[Register]
    B --> C[KYC Level 0]
    C --> D[Submit KYC]
    D --> E[Back-office review]
    E --> F{Approved?}
    F -->|Yes| G[KYC Level 1]
    F -->|No| H[Re-submit]
    G --> I[Operations enabled]
A08 — KYC Verification — UI Flow
flowchart LR
    A([Submit ID]) --> B[Documents stored]
    B --> C[Verification queue]
    C --> D{Result?}
    D -->|Pass| E[Admin queue]
    D -->|Fail| F[Retry]
    E --> G[Admin review]
    G --> H[Approve / Reject]
A09 — Risk Scenario Evaluation — UI
flowchart TD
    A([Transfer]) --> B[Load formula]
    B --> C[Calculate score]
    C --> D{Scenario?}
    D -->|No| E[Proceed]
    D -->|HOLD| F[Pool]
    D -->|BLOCK| G([Block])
    D -->|FLAG| H[Proceed + flag]
    F --> I[Approval flow]
A10 — NgRx State — Send Money
flowchart LR
    subgraph Component
        D1[LoadPartners]
        D2[CalculateCost]
        D3[SubmitTransfer]
    end
    subgraph Effects
        E1[HTTP]
        E2[HTTP]
        E3[HTTP]
    end
    subgraph Reducer
        R1[Success]
        R2[Success]
        R3[Success]
    end
    D1 --> E1 --> R1
    D2 --> E2 --> R2
    D3 --> E3 --> R3
A11 — User Permission Resolution
flowchart TD
    A([Login]) --> B[Resolver]
    B --> C[Load permissions]
    C --> D[Store in auth]
    D --> E{Route}
    E --> F[canView check]
    F --> G[Show or hide]
A12 — Accounting Voucher — Manual Entry
flowchart TD
    A([Transfer done]) --> B[Unverified voucher]
    B --> C[Accountant queue]
    C --> D[Review lines]
    D --> E{Correct?}
    E -->|Yes| F[Verify]
    E -->|No| G[Correct]
    F --> H[Ledger + Logo sync]
A13 — Dashboard KPI Load
flowchart TD
    A([Dashboard]) --> B[Load data]
    B --> C[Parallel requests]
    C --> D[Skeleton loaders]
    D --> E[NgRx Reducers]
    E --> F[Charts + KPIs rendered]
A14 — Wallet Deposit and Withdrawal — UI
flowchart TD
    A([Agent]) --> B[Search customer]
    B --> C[Balance + limits]
    C --> D[Enter amount]
    D --> E{Limits OK?}
    E -->|Yes| F[Commission shown]
    E -->|No| G([Error])
    F --> H[OTP if needed]
    H --> I[Confirm]
    I --> J[Deposit or Withdraw]
    J --> K([Receipt])
A15 — Multilingual and RTL
flowchart TD
    A([Select EN/TR/AR]) --> B[Load translations]
    B --> C[TranslateService]
    C --> D[Strings update]
    D --> E{Arabic?}
    E -->|Yes| F[dir=rtl]
    E -->|No| G[dir=ltr]
    F --> H[Re-render]
    G --> H
A16 — Report Generation and Export
flowchart TD
    A([Open Report]) --> B[Apply filters]
    B --> C[Run report]
    C --> D[Table or paginated list]
    D --> E[Export Excel]
    E --> F[Queue job]
    F --> G[Email file link]
A17 — System Health Monitoring
flowchart TD
    A([Integrations Health]) --> B[Load status per service]
    B --> C[Green / Red per service]
    C --> D{Any DOWN?}
    D -->|No| E([All Healthy])
    D -->|Yes| F[Re-check]
    F --> G[Refresh status]
    G --> H[Investigate if still down]
A18 — Risk Scenario — Create and Simulate
flowchart TD
    A([New Scenario]) --> B[Conditions + threshold]
    B --> C[Action HOLD / BLOCK / FLAG]
    C --> D[Save inactive]
    D --> E[Simulate on historical data]
    E --> F[View results]
    F --> G{Accept?}
    G -->|Yes| H[Activate]
    G -->|No| B
    H --> I([Scenario live])
A19 — Transaction History and Refund
flowchart TD
    A([Transaction History]) --> B[Filter list]
    B --> C[Open detail]
    C --> D[View receipt]
    C --> E[Request Refund]
    E --> F[Select reason]
    F --> G{Approval?}
    G -->|Auto| H[Process refund]
    G -->|Manual| I[Approval queue]
    I --> H
    H --> J([Refund status])
A20 — Approval Pool and Conditions — Full
flowchart TD
    A([Approval Pools]) --> B[Pool Conditions config]
    B --> C[Set thresholds]
    A --> D[Pool Queue]
    D --> E[Review transfer]
    E --> F{Decision?}
    F -->|Approve| G([Execute transfer])
    F -->|Escalate| D
    F -->|Reject| H([Cancel transfer])
A21 — Customer Management — Create Personal Customer
flowchart TD
    A([Transfers → Customer → New Personal]) --> B[Step 1: Identity]
    B --> C[Name, TC, birth date]
    C --> D{KPS available?}
    D -->|Yes| E[Auto-fill from Population Registry]
    D -->|No| F[Manual entry]
    E --> G[Step 2: Contact]
    F --> G
    G --> H[Phone, email]
    H --> I[Step 3: Address]
    I --> J[Country, city, state, address line]
    J --> K[Step 4: Documents]
    K --> L[Upload ID / passport]
    L --> M[Submit → customer created]
    M --> N([Customer list — row added])
A22 — Customer Management — Corporate Customer
flowchart TD
    A([Transfers → Customer → New Corporate]) --> B[Company info]
    B --> C[Name, tax ID, MERSIS, contact]
    C --> D[Add authorised persons]
    D --> E[Person: name, role, ID doc]
    E --> F{More persons?}
    F -->|Yes| D
    F -->|No| G[Submit → corporate created]
    G --> H([Corporate list — row added])
    H --> I[Each person can execute\ntransfers on behalf of company]
A23 — Agent Management — Create Agent
flowchart TD
    A([Transfers → Agent → New Agent]) --> B[Step 1: Basic Info]
    B --> C[Name, code, tax ID, contact, type]
    C --> D[Step 2: Currency Setup]
    D --> E[Select currencies agent can handle]
    E --> F[Step 3: Bank Info]
    F --> G[Agent bank accounts]
    G --> H[Submit → agent created]
    H --> I([Agent list — row added])
    I --> J[Set orchestration rules]
    J --> K[Which products: Send / Pay / EFT]
    K --> L[Limits per product and currency]
    L --> M([Orchestration saved])
A24 — Teller Management
flowchart TD
    A([Transfers → Teller Management]) --> B[Teller list]
    B --> C[New Teller]
    C --> D[Assign user account]
    D --> E[Set work area / branch / terminal]
    E --> F[Set permissions and limits]
    F --> G[Submit → teller created]
    G --> H([Teller active — can login and process])
    B --> I[Edit teller]
    I --> J[Update work area / limits]
    J --> K([Changes saved])
A25 — Commission & Fees Definition
flowchart TD
    A([Transfers → Agent Commission]) --> B[Commission list per agent]
    B --> C[New Commission]
    C --> D[Select agent + product]
    D --> E[Rate type: fixed or percentage]
    E --> F[Set value / tier]
    F --> G[Save]
    G --> H([Applied on next cost calculation])
    A2([Transfers → Fees Definition]) --> B2[Fees list]
    B2 --> C2[New Fee]
    C2 --> D2[Select transfer type + country]
    D2 --> E2[Fixed or percentage fee]
    E2 --> F2[Save]
    F2 --> G2([Applied on next transfer cost])
A26 — Cost Calculation — Transfer Cost Flow
flowchart TD
    A([Teller enters transfer amount]) --> B[POST /transfer/costcaluclation]
    B --> C[Load fee rules for product + country]
    C --> D[Load agent commission rules]
    D --> E[Load FX rate from transfer company]
    E --> F[Calculate: fee + commission + FX]
    F --> G[Return total cost breakdown]
    G --> H[UI shows: Send amount, Fee,\nCommission, FX rate, Total deduct]
    H --> I{User confirms?}
    I -->|Yes| J[Proceed to risk check]
    I -->|No| K([User adjusts amount])
A27 — Intercompany — Transfer & Reconciliation
flowchart TD
    A([Transfers → Intermediary Company]) --> B[Company list]
    B --> C[New intercompany transfer]
    C --> D[Step 1: Basic Info]
    D --> E[Select company, send/pay currency]
    E --> F[Step 2: Authorised persons]
    F --> G[Step 3: Amounts + confirmation]
    G --> H[Submit transfer]
    H --> I([Transfer recorded])
    I --> J[Reports → System → Intermediary Matching]
    J --> K[Load mutabakat report]
    K --> L[Compare internal records vs company data]
    L --> M{Discrepancy?}
    M -->|Yes| N[Raise adjustment]
    M -->|No| O([Reconciled])
A28 — Invoice Management
flowchart TD
    A([Invoice → Invoice Pay]) --> B[Search invoice by number or customer]
    B --> C[POST PayCell/invoiceSearch]
    C --> D{Found?}
    D -->|No| E[Show not found]
    D -->|Yes| F[Show invoice details: amount, due date]
    F --> G[Confirm payment]
    G --> H[POST PayCell/invoicePay]
    H --> I{Payment success?}
    I -->|No| J[Show error]
    I -->|Yes| K([Invoice marked paid])
    K --> L[Invoice Transaction list updated]
    A2([Invoice → Invoice Transaction]) --> B2[Filter: date, status]
    B2 --> C2[Results list]
    C2 --> D2[Open row: view detail + download]
A29 — Archive Management
flowchart LR
    A([Archive Management]) --> B[Agent Archive]
    A --> C[Customer Archive]
    A --> D[Wallet Customer Archive]
    B --> E[List: search, filter, sort, infinite scroll]
    C --> E
    D --> E
    E --> F[Open record: read-only detail]
    F --> G{Re-activate?}
    G -->|Yes| H[Restore record to active list]
    G -->|No| I([View only])
A30 — Alerts — Real-time Alert Management
flowchart TD
    A([Sidebar → Alerts]) --> B[Alert list]
    B --> C[WebSocket: new alert pushed in real time]
    C --> D[List updates without page refresh]
    B --> E[Filter: date, type, priority, status]
    E --> F[Results]
    F --> G[Open alert: view detail]
    G --> H{Acknowledge?}
    H -->|Yes| I[POST /alert/acknowledge]
    I --> J([Status: Acknowledged])
    H -->|No| K([Leave as new])
    J --> L[Removed from unread count]
A31 — Activity Log — Audit Trail
flowchart TD
    A([Sidebar → Activity Log]) --> B[Data table: all user actions]
    B --> C[Filter: date range, user, action type, entity]
    C --> D[Apply filters → list refreshes]
    D --> E[Infinite scroll: load more at 95%]
    E --> F[Open row: action detail]
    F --> G[View: user, action, entity, IP, timestamp]
    G --> H[Read-only — no edit / delete]
    B --> I[Export to Excel]
    I --> J{Large dataset?}
    J -->|Yes| K[Queue job → email when ready]
    J -->|No| L([Download immediately])
A32 — Notification Center
flowchart TD
    A([Header: bell icon]) --> B[Open notification panel]
    B --> C[Load notification list]
    C --> D[WebSocket: new items pushed in real time]
    D --> E[Unread count badge updates]
    E --> F[Infinite scroll list]
    F --> G[Click notification]
    G --> H{Type?}
    H -->|Transfer| I[Navigate to transfer detail]
    H -->|Customer| J[Navigate to customer]
    H -->|KYC| K[Navigate to KYC queue]
    H -->|Other| L[Navigate to relevant screen]
    B --> M[Mark all as read]
    M --> N[POST /innerSystemNotification/markAllIsReaded]
    B --> O[Delete notification]
    O --> P[POST /innerSystemNotification/delete]
A33 — System User Management & Role Assignment
flowchart TD
    A([System Users → User List]) --> B[Data table: all users]
    B --> C[New User]
    C --> D[Set name, email, username, password]
    D --> E[Assign role: Admin / Operator / Teller / Agent / Risk / Accountant]
    E --> F[Assign rule group for fine-grained permissions]
    F --> G[Submit → user created]
    G --> H([User can login with assigned role])
    B --> I[Edit user]
    I --> J[Change role / rule group / status]
    J --> K([Changes applied immediately])
    A2([Rule Group Management]) --> B2[Rule group list]
    B2 --> C2[Edit rules: add/remove permissions]
    C2 --> D2[Assign group to users]
A34 — Profile & User Preferences
flowchart TD
    A([Sidebar / Header → Profile]) --> B[Profile screen]
    B --> C[Change Password]
    C --> D[Enter current password]
    D --> E[Enter new + confirm]
    E --> F[Submit → password updated]
    B --> G[Language Selection]
    G --> H{Language?}
    H -->|EN| I[Load EN translations]
    H -->|TR| J[Load TR translations]
    H -->|AR| K[Load AR translations + dir=rtl]
    B --> L[Theme preference]
    L --> M[Light / Dark toggle]
    M --> N([Theme applied and saved])
A35 — Monitoring
flowchart TD
    A([Sidebar → Monitoring]) --> B[Load monitoring view]
    B --> C{View type?}
    C -->|Map view| D[Geographic map of agents/branches]
    C -->|Status view| E[Operational status list]
    D --> F[Click location: view agent/branch info]
    E --> G[Filter: region, status, type]
    G --> H[Results list]
    H --> I[Open detail]
    B --> J[Refresh data]
    J --> K([Map/status updated])
A36 — POS Management — Setup Flow
flowchart TD
    A([POS Management]) --> B[Merchant list]
    B --> C[New Merchant]
    C --> D[Name, type, contact, agent link]
    D --> E([Merchant created])
    E --> F[Terminal list]
    F --> G[New Terminal]
    G --> H[Terminal ID, bank, merchant link]
    H --> I([Terminal registered])
    I --> J[Bank Costs: set pricing per card type]
    J --> K[Payment Profile: set accepted cards + limits]
    K --> L[Payment Profile Details: add card rules]
    L --> M[Commission Rates: set rates per card/bank]
    M --> N([POS terminal fully configured])
    N --> O[Ready for 3D payment]
A37 — System Management — Config & Health
flowchart TD
    A([System → System Management]) --> B[Config categories]
    B --> C[Countries / Currencies / Banks]
    C --> D[Add / edit / deactivate entries]
    B --> E[Refund Reasons: list + new]
    B --> F[Sending Reasons: list + new]
    B --> G[OTP Rules: configure OTP behaviour]
    B --> H[Age Control / Job Titles]
    B --> I[Integration Health Monitor]
    I --> J[Load status per external service]
    J --> K{Any DOWN?}
    K -->|Yes| L[Re-check service]
    L --> M[Alert if still down]
    K -->|No| N([All services healthy])
A38 — Forgot Password & Reset Password — UI Flow
flowchart TD
    A([Login screen]) --> B[Click Forgot Password]
    B --> C[Enter registered email]
    C --> D[POST /sendResetPasswordEmail]
    D --> E[Email sent with reset link]
    E --> F[User opens email link]
    F --> G[Reset Password screen]
    G --> H[Enter new password + confirm]
    H --> I{Passwords match?}
    I -->|No| J[Show validation error]
    I -->|Yes| K[POST /resetpassword]
    K --> L{Token valid?}
    L -->|No| M[Show expired link error]
    L -->|Yes| N[Password updated]
    N --> O([Redirect to Login])
A39 — Refund — Detailed UI Flow
flowchart TD
    A([Transaction History or All Sent/Pay]) --> B[Open completed transfer]
    B --> C{Refundable?}
    C -->|No| D[Refund button hidden]
    C -->|Yes| E[Click Refund]
    E --> F[Select Refund Reason\nfrom configured list]
    F --> G[Confirm refund request]
    G --> H[POST /transfer/refundRequest]
    H --> I{Auto-approve?}
    I -->|Yes| J[Refund processed immediately]
    I -->|No| K[Sent to approval queue]
    K --> L[Operator reviews refund]
    L --> M{Decision}
    M -->|Approve| J
    M -->|Reject| N([Refund rejected - user notified])
    J --> O[Transfer status: Refunded]
    O --> P([Appears in Refund Transaction Report])
A40 — Pool Conditions — Configuration UI
flowchart TD
    A([Transfers → Pool Conditions]) --> B[Conditions list]
    B --> C[New Condition]
    C --> D[Select property\namount / country / risk score / product]
    D --> E[Select operator\ngreater than / equals / in / between]
    E --> F[Set threshold value]
    F --> G[Set action: HOLD → pool]
    G --> H[Save condition]
    H --> I{Activate?}
    I -->|Yes| J([Condition active — applied on new transfers])
    I -->|No| K([Saved as inactive])
    B --> L[Edit existing condition]
    L --> M[Modify property or threshold]
    M --> N([Saved and live immediately])
A41 — Rule Group Management — Permission Assignment
flowchart TD
    A([System → Rule Group Management]) --> B[Rule group list]
    B --> C[Create rule group]
    C --> D[Name the group]
    D --> E[Add permissions\ncanView / canCreate / canEdit / canDelete]
    E --> F{More permissions?}
    F -->|Yes| E
    F -->|No| G[Save group]
    G --> H([Group created])
    H --> I[Assign group to users]
    I --> J[System Users → Edit User]
    J --> K[Select rule group]
    K --> L([User permissions updated immediately])
    B --> M[Edit group: add / remove permissions]
    M --> N([All assigned users affected immediately])
A42 — WebSocket — Platform Pattern Connection Flow
flowchart LR
    subgraph After Login
        A([Login success]) --> B[SocketService.connect with auth token]
        B --> C{Connected?}
        C -->|Yes| D[Header: green indicator]
        C -->|No| E[Header: disconnected indicator]
        E --> F[Auto-reconnect attempt]
        F --> C
    end
    subgraph Subscriptions
        D --> G[onFetchNotification]
        D --> H[onPoolUpdate]
        D --> I[onAlertUpdate]
        D --> J[onListUpdate\nAgent / Customer / EFT]
        D --> K[onBalanceUpdate]
    end
    subgraph UI Updates
        G --> L[Bell badge updates]
        H --> M[Pool queue updates]
        I --> N[Alerts list updates]
        J --> O[List rows update]
        K --> P[Balance display updates]
    end
A43 — Data Tables & Infinite Scroll — Platform Pattern
flowchart TD
    A([User opens list screen]) --> B[SharedDataTableComponent loads]
    B --> C[POST API: page 1 with filters]
    C --> D[Render rows with CDK VirtualScroll]
    D --> E[User applies filter / sort]
    E --> F[Reset to page 1]
    F --> C
    D --> G{Scroll position > 95%?}
    G -->|No| H[Stay on current data]
    G -->|Yes| I[Emit scroll event]
    I --> J[Load next page]
    J --> K[Append new rows to table]
    K --> G
    D --> L[Row action: View]
    L --> M[Navigate to detail screen]
    D --> N[Row action: Edit]
    N --> O[Open edit dialog / form]
    D --> P[Export button]
    P --> Q{Large dataset?}
    Q -->|Yes| R[Queue async job → email link]
    Q -->|No| S([Download immediately])
A44 — Wallet Management — Full Screen Flow
flowchart TD
    A([Wallet Management]) --> B[Customer List]
    B --> C[Search / filter wallet customers]
    C --> D[Open Customer Info]
    D --> E[View balance, KYC level, limits, documents]
    A --> F[KYC Types: list + add new type]
    A --> G[KYC Groups: list + add new group]
    A --> H[KYC Upload Queue]
    H --> I[Review uploaded documents]
    I --> J{Decision}
    J -->|Approve| K[KYC level upgraded + limits updated]
    J -->|Reject| L[Notification to customer]
    A --> M[Issue Money to Wallet\npromo / adjustment]
    A --> N[Customer Bank Accounts]
    A --> O[Customer Card Config]
    A --> P[Commission Rules: wallet commissions]
    A --> Q[Story / Story Groups\ncontent management]
    A --> R[FAQ / FAQ Groups]
    A --> S[Notification Groups + Send FCM]
    A --> T[Blocked Limits Management]
A45 — NgRx State — Risk Module
flowchart LR
    subgraph Component
        D1[LoadScenarios]
        D2[SimulateScenario]
        D3[ActivateScenario]
        D4[LoadFormulas]
        D5[LoadBlacklist]
    end
    subgraph Effects
        E1[GET scenarios]
        E2[POST simulate]
        E3[POST activate]
        E4[GET formulas]
        E5[GET blacklist]
    end
    subgraph Store
        R1[scenarios list]
        R2[simulation results]
        R3[active status]
        R4[formulas list]
        R5[blacklist list]
    end
    D1 --> E1 --> R1
    D2 --> E2 --> R2
    D3 --> E3 --> R3
    D4 --> E4 --> R4
    D5 --> E5 --> R5
A46 — Reports — Deep Dive: All Categories & Export
flowchart TD
    A([Reports sidebar]) --> B{Category?}
    B -->|System| C[14 report types\nAccount Statement, Earning, Unpayment,\nIntermediary, Refund, Customer Transaction,\nLedger, Protection, Matching...]
    B -->|Wallet| D[8 report types\nW2W, Recharge, Withdraw, Balances,\nUnmatched, Transactions, Ledger,\nWallet Protection]
    B -->|Risk| E[7 report types\nFlag Report, Same Address, Yesterday Customer,\nTriggered Daily/Weekly/Monthly,\nTransaction & Customer Analysis]
    B -->|POS| F[POS Reports hub]
    C --> G[Select report type]
    D --> G
    E --> G
    F --> G
    G --> H[Apply filters: date, agent,\nstatus, currency, account...]
    H --> I[Run report]
    I --> J[Paginated table results]
    J --> K{Export?}
    K -->|Small dataset| L([Download Excel immediately])
    K -->|Large dataset| M[Queue async job]
    M --> N[Email notification when ready]
    N --> O([Download from email link])


© MoneyOut · All rights reserved