The process of finding out why so many technology outages occur in banking IT systems is not rocket science - it happens because 30 year old legacy systems are used alongside multiple applications and changes have not been made in order to adapt to the evolving environment around these traditional players. bobsguide went to a panel discussion on reducing IT outages in UK banks, organised by CAST Systems and techUK, and saw what experts in the industry had to say about preventing and solving this problem in the near future.
Before the session, Lev Lesokhin, EVP Strategy & Analytics at CAST, spoke to us about the importance of ensuring the structure and code quality in a back end system is up to scratch. He referenced a recent CAST CRASH (CAST Research on Application Software Health) report on financial services and the trends emerging in five health factors: robustness, security, efficiency, transferability and changeability. Lesokhin highlighted that no one saw the importance in discussing the quality of the systems five years ago, but now new players are entering the market and potentially taking a part of the market share from the banks.
Complexity has been a forever problem
However, the problem is not a recent issue. Complexity in banking systems has been prevalent for a very long time now and having to adapt to suit the modern digital age puts legacy systems under increased pressure. Andrew Agerbak, director at BCG, explained how complexity in the systems is a good starting point to providing resilience in the organisation, as “after the financial crisis, banks had to cut back on costs and deal with an avalanche of reporting requirements.”
Agerbak moved on to discuss how, as well as this, while new market entrants are advocating mobile payments and blockchain, the traditional banking structure have also had to deal with a decrease in the number of people visiting branches. All of these pressures amount to why banks have not made changes to their structure, because all of these issues have made an impact at the same time. He alluded to how banking organisations should “do what Microsoft do” and concentrate only on the most critical applications, but that is impossible with the bandwidth of work that needs to be completed.
There is a lot of opportunity for improvement but what banks struggle with is the time window that they have been forced to make these changes in. “Most banks are choosing to take an incremental approach rather than an end to end approach,” Agerbak said. He used ING Bank as an example of a bank that has used automation to its advantage and Agerbak described this as courageous. “If they pull it off, they will be the toast of the industry.” Head of Cards and Payments at Cognizant UK, Abhijit Deb, followed on with a comment about how the current banking ecosystem is governed by disruption and regulation.
“There is so much disintermediation with fintech,” Deb said, and said that the reason why fintech players are succeeding at the moment is because they have less technical debt, are nimble, agile and have access to funding. On the other hand, banks have to deal with standards like PSD2 and SEPA in order to operate and chief innovation officers have to spent leftover budgets on ring fencing. “This is part of the solution, but also part of the problem.” Marc Earl, ex-Managing Director & global head of GT Production, Deutsche Bank, shared some insight on what actually goes on inside banks.
Old systems need to be updated
Earl also explored how complexity of back end systems is an issue in moving forward because the landscape is so huge. “With many thousands of interfaces, the complexity is such that people cannot understand the process in their heads anymore,” Earl said. He added that most of the work that banking developers are doing now is changing the applications that are 10, 20 or 30 years old, but “there is a major knowledge deficit and major legacy systems, which is a difficult dichotomy as they are all trying to chase the same maturity.”
“There is an awful lot of papering over the cracks going on,” Earl said as the person that created the code decades ago do not work at the organisation anymore, they are more than likely retired by now. Dr. Bill Curtis, Director of CISQ and Chief Scientist at CAST said that the same is happening in the US and provided an example of a trading crash where dead code was left in the system and algorithms that were unwanted were executed. However, Curtis revealed that the UK is slower to adapt to these practices.
Earl added that France and Germany are the most efficient in this area as engineers are more respected there and in turn, changes are made much faster. Curtis presented an idea of where the complication may occur. “You have small banks, medium banks and large conglomerations of small and medium banks which we call big banks. This can get complicated when people want to keep the same processes.”
Keith Saxton, Chair of techUK's Financial Services & Payments Programme put across an idea that a lot of industry players are asking at the moment: why don’t regulators renew infrastructure rather than imposing fines? Saxton emphasised that technology is embedded in everything new now so a seamless transformation is necessary, which is difficult with Basel III, which Saxton described as the biggest regulatory challenge. “Regulation can bust the business model but the tech industry is also going through the same transformation. It is the perfect storm.”
Regulating risk for UK banks
“Tech risk is a bigger risk than credit risk and market risk,” Saxton said, and said that the Financial Conduct Authority are now scrambling because of this as no one has forced a renewal of all banking technology. The UK and the US, according to all panelists are behind in this respect and Saxton highlighted that the Singapore regulator is the only governing body that has published an informal, but mandatory technology risk framework.
The FCA have taken great strides in their activity with UK innovation but this should be taken into consideration only when all the complexity in the banking systems has been eradicated, if such a time will ever come. Saxton said that with all the challenger banks emerging with their modern legacy systems, significant changes have not been made and there is a degree of “regulatory fatigue.” Curtis commented on this by saying that technology is underpinning the concept of regulatory risk and “those that make the most progress have a regulatory gun to their head.”
“We need a common language to understand risk properly and this should be imposed by the regulators, maybe,” Earl hesitantly said and went on to put across that more education at all levels needs to take place. What board members do not understand is that the cost of doing this right is more than what it costs at the moment, Earl said. Curtis “wants to believe that we’re getting better, but we’re not.”
Curtis continued to state that 20 years ago, we did not need as many IT staff as banks employ now, because the systems were much simpler. Now, they have to outsource to university students, different countries and people who have taught themselves, which means that the skill level is low and “this is terrifying.” Saxton added to this and said that the expected natural renewal, that most other industries have gone through, has not yet happened for the banking sector.
“The answer is not in business as usual” - Saxton mentioned as he alluded to a conversation he recently had with a banking boss about how in two to three years, the bank will not be able to afford the technology they are currently using. When regulators enforce fines, this means there has been a failure in the process and in turn, a failure of knowledge and if banks want this to stop, they will have to invest in external systems.
Is there a future for fintech?
Agerbak predicted that in three years, there will be another big outage in the banking industry, which would drive sterner regulatory action. Alongside this, we are seeing more evidence of structural shift in comparison to five years ago, especially with new players entering the financial sector, but he does not believe that there will be dramatic change.
“Any smart new bank should consider themselves a technology company. Fintech is not the cavalry, it is a modular industry and banks have to work with them, rather than against them,” Saxton said.