Finance CIOs sweat as regulators prepare to probe aging mainframes
Outages compound interest in creaking IT
Could the watchful eyes of regulators soon come to rest on the old and often creaking IT systems that run the back offices of the UK’s leading banks?
Among CIOs in the sector, there’s a palpable concern that they will. It’s no secret, after all, that most retail banks rely on decades-old technology for their core banking systems to manage deposits, loans, credit and customer records.
Last summer’s three-day outage at the Royal Bank of Scotland may have been traced back to human error, but many believe the incident has led to serious questions being asked about the resilience that older core banking systems offer.
“There’s absolutely no doubt in my mind that the RBS incident has raised levels of concern around infrastructure and, in particular, back-office resilience,” one banking insider, who asked not to be named, told The Register.
“There won’t be mandatory requirements to replace legacy platforms - I can’t see that happening. But the resilience required from legacy platforms, and the ability of banks to be able to demonstrate that resilience, may be mandated to shift quite considerably.”
Night scene of Bank tube station in central London
It’s not just a UK issue. Last year, David Pegrem, head of IT risk at the Australian Prudential Regulation Authority (APRA), warned banks in that country that there will be “no tolerance” for service outages at banks and building societies that can be traced back to neglected legacy systems.
“There [will be] no tolerance for known single points of failure, for poorly mapped business processes, for lost or poor knowledge retention, for fixing [with] Band-Aids rather than root-cause solutions,” he said.
Meanwhile, in the US, some 330 banks and credit unions will replace their core banking systems during 2013, according to research from research company the Aite Group. Vendors serving this market include FIS, Fiserv, Temenos, SAP, Oracle and Misys.
But replacement is a “high-risk, high-cost endeavour”, warns Aite Group analyst Christine Barry: “The financial crisis delayed many of these replacement projects and, as a direct result, there’s a much higher level of urgency now - but still a large degree of caution, because core system replacement is probably the largest and riskiest IT investment any bank could make.”
That’s why it’s been so easy for banks to postpone such projects. In the years prior to the 2008 banking crisis, profits were flush and there was no real incentive to embark on a major modernisation project. Plus, years of voracious mergers and acquisitions activity had left many banks with a sprawling legacy estate, so most investment went into consolidating systems acquired in banking takeovers or integrating them with the legacy systems of the acquiring bank.
“This is more the norm, with most institutions having multiple systems that are a result of inorganic growth,” says David Gee, CIO of Credit Union of Australia (CUA). But, he adds, “typically the integration of these organisations is never fully completed and there is a focus on key critical systems. Accordingly, legacy systems lurk around these organisations and there is often no plan to transition these.”
CIOs: Can you justify your expenditure?
Even where a far-sighted CIO does have a plan, and pushes for more fundamental modernisation, it’s not always easy for them to get their voice heard at board level, according to Tony Prestedge, now chief operating officer at UK bank Nationwide, and formerly of Barclays and the Portman Building Society.
“Before I came to Nationwide, it was often the case that you could only secure investment in either upgrading or replacing core systems when you had a business-line sponsor in place to support you - but very often, projects such as infrastructure renewal, capacity expansion or increased resilience do not bring with them immediate and direct financial benefits, so that support was hard to get,” he says.
“The truth is that retail banking institutions with highly defined business units that budget according to their own profit and loss [P&L] accounts find it very difficult to recognise the need for, and justify, expenditure in maintenance and upgrade of legacy systems. They just do.”
The situation at Nationwide is fundamentally different, because as a COO with direct responsibility for IT, Prestedge is solely in charge of the bank’s investment budget, “so if I believe there’s a need, for example, to invest in card systems, I don’t need to go to my head of cards business and telling them they’ve got to pay for a capacity upgrade out of their P&L.”
As a result, in his five years at Nationwide, Prestedge has been able to steer a £1.5bn transformation programme that has seen between £300m and £400m invested in making legacy systems “competent, fit-for-purpose, with future-proof capacity in a virtualised data centre world,” he says. A further £700m, meanwhile, has been spent on application renewal, including the introduction of new mobile banking and mortgage platforms and, more fundamentally, the complete replacement of the Nationwide’s core banking platform with a new system from SAP.
“It would be wrong to pretend [that project] wasn’t painful. At times, it was very painful,” he says. In total, it took four years to move the Nationwide off its legacy Unisys system onto SAP: one year of decision-making to get board approval and select a supplier; two years of building, developing and testing; and a further 12 months of implementation before the system went live last year.
The project, he says, could only be justified by the Nationwide’s ambition to increase its market share in personal banking products - current accounts, cards and consumer lending - from 5 per cent to 10 per cent. “We stared down the barrel of that goal and asked, 'If we’re going to achieve this, is the core banking platform we have in situ capable of growing and innovating at the pace that we need?' And we concluded that it wasn’t.”
Other banks, especially ones that are fighting to retain market share, rather than grow and enter new markets, simply don’t experience the same impetus, he says.
Are you even going to be around to see the change?
Another major stumbling block is the "shelf life" of most retail banking CIOs, according to Daniel Mayo, an analyst with IT market research company Ovum. This currently stands at about two to three years, he says, “so leaving risky and expensive projects for their successor to deal with is often the best approach for them to take.”
In other words, taking on a multi-year project of this complexity - and, worse still, failing to deliver before they "move on" - could continue to dog their professional reputation for years to come. In a worst-case scenario, it could be career suicide.
But in return for their complacency, retail banking CIOs are left dealing with a whole stack of other problems. One of the big challenges is getting the skills needed to manage decades-old legacy systems, often written in languages such as PL/1 and Cobol.
“When you’re making changes to these systems, rather than replacing them, you’re dealing with massive size and complexity, as well as criticality,” says former banking systems administrator Frances Coppola, now a writer and commentator on banking issues. Even if you can find developers who understand these languages, she says, that doesn’t mean they can tease out the business logic in order to understand how the systems work and what processes they are intended to achieve.
“Very often, the system has no documentation or very poor documentation, too, so the risks you run of making some subtle but disastrous change in function and thus triggering some sort of systems failure are actually pretty high,” she adds.
This, incidentally, is exactly the scenario that unfolded at RBS last summer, when an IT administrator attempting to run a routine end-of-day overnight batch cycle managed to erase the entire scheduling queue, as Ovum’s Daniel Mayo points out. The underlying technology itself was not to blame, he says, but rather a lack of skilled staff and the limited opportunity that IT teams now have to run batch processes, thanks to the rise of 24/7 online and mobile banking.
Sponsored: Global DDoS threat landscape report