Finance CIOs sweat as regulators prepare to probe aging mainframes
Outages compound interest in creaking IT
Could the watchful eyes of regulators soon come to rest on the old and often creaking IT systems that run the back offices of the UK’s leading banks?
Among CIOs in the sector, there’s a palpable concern that they will. It’s no secret, after all, that most retail banks rely on decades-old technology for their core banking systems to manage deposits, loans, credit and customer records.
Last summer’s three-day outage at the Royal Bank of Scotland may have been traced back to human error, but many believe the incident has led to serious questions being asked about the resilience that older core banking systems offer.
“There’s absolutely no doubt in my mind that the RBS incident has raised levels of concern around infrastructure and, in particular, back-office resilience,” one banking insider, who asked not to be named, told The Register.
“There won’t be mandatory requirements to replace legacy platforms - I can’t see that happening. But the resilience required from legacy platforms, and the ability of banks to be able to demonstrate that resilience, may be mandated to shift quite considerably.”
Night scene of Bank tube station in central London
It’s not just a UK issue. Last year, David Pegrem, head of IT risk at the Australian Prudential Regulation Authority (APRA), warned banks in that country that there will be “no tolerance” for service outages at banks and building societies that can be traced back to neglected legacy systems.
“There [will be] no tolerance for known single points of failure, for poorly mapped business processes, for lost or poor knowledge retention, for fixing [with] Band-Aids rather than root-cause solutions,” he said.
Meanwhile, in the US, some 330 banks and credit unions will replace their core banking systems during 2013, according to research from research company the Aite Group. Vendors serving this market include FIS, Fiserv, Temenos, SAP, Oracle and Misys.
But replacement is a “high-risk, high-cost endeavour”, warns Aite Group analyst Christine Barry: “The financial crisis delayed many of these replacement projects and, as a direct result, there’s a much higher level of urgency now - but still a large degree of caution, because core system replacement is probably the largest and riskiest IT investment any bank could make.”
That’s why it’s been so easy for banks to postpone such projects. In the years prior to the 2008 banking crisis, profits were flush and there was no real incentive to embark on a major modernisation project. Plus, years of voracious mergers and acquisitions activity had left many banks with a sprawling legacy estate, so most investment went into consolidating systems acquired in banking takeovers or integrating them with the legacy systems of the acquiring bank.
“This is more the norm, with most institutions having multiple systems that are a result of inorganic growth,” says David Gee, CIO of Credit Union of Australia (CUA). But, he adds, “typically the integration of these organisations is never fully completed and there is a focus on key critical systems. Accordingly, legacy systems lurk around these organisations and there is often no plan to transition these.”
CIOs: Can you justify your expenditure?
Even where a far-sighted CIO does have a plan, and pushes for more fundamental modernisation, it’s not always easy for them to get their voice heard at board level, according to Tony Prestedge, now chief operating officer at UK bank Nationwide, and formerly of Barclays and the Portman Building Society.
“Before I came to Nationwide, it was often the case that you could only secure investment in either upgrading or replacing core systems when you had a business-line sponsor in place to support you - but very often, projects such as infrastructure renewal, capacity expansion or increased resilience do not bring with them immediate and direct financial benefits, so that support was hard to get,” he says.
“The truth is that retail banking institutions with highly defined business units that budget according to their own profit and loss [P&L] accounts find it very difficult to recognise the need for, and justify, expenditure in maintenance and upgrade of legacy systems. They just do.”
The situation at Nationwide is fundamentally different, because as a COO with direct responsibility for IT, Prestedge is solely in charge of the bank’s investment budget, “so if I believe there’s a need, for example, to invest in card systems, I don’t need to go to my head of cards business and telling them they’ve got to pay for a capacity upgrade out of their P&L.”
As a result, in his five years at Nationwide, Prestedge has been able to steer a £1.5bn transformation programme that has seen between £300m and £400m invested in making legacy systems “competent, fit-for-purpose, with future-proof capacity in a virtualised data centre world,” he says. A further £700m, meanwhile, has been spent on application renewal, including the introduction of new mobile banking and mortgage platforms and, more fundamentally, the complete replacement of the Nationwide’s core banking platform with a new system from SAP.
“It would be wrong to pretend [that project] wasn’t painful. At times, it was very painful,” he says. In total, it took four years to move the Nationwide off its legacy Unisys system onto SAP: one year of decision-making to get board approval and select a supplier; two years of building, developing and testing; and a further 12 months of implementation before the system went live last year.
The project, he says, could only be justified by the Nationwide’s ambition to increase its market share in personal banking products - current accounts, cards and consumer lending - from 5 per cent to 10 per cent. “We stared down the barrel of that goal and asked, 'If we’re going to achieve this, is the core banking platform we have in situ capable of growing and innovating at the pace that we need?' And we concluded that it wasn’t.”
Other banks, especially ones that are fighting to retain market share, rather than grow and enter new markets, simply don’t experience the same impetus, he says.
Are you even going to be around to see the change?
Another major stumbling block is the "shelf life" of most retail banking CIOs, according to Daniel Mayo, an analyst with IT market research company Ovum. This currently stands at about two to three years, he says, “so leaving risky and expensive projects for their successor to deal with is often the best approach for them to take.”
In other words, taking on a multi-year project of this complexity - and, worse still, failing to deliver before they "move on" - could continue to dog their professional reputation for years to come. In a worst-case scenario, it could be career suicide.
But in return for their complacency, retail banking CIOs are left dealing with a whole stack of other problems. One of the big challenges is getting the skills needed to manage decades-old legacy systems, often written in languages such as PL/1 and Cobol.
“When you’re making changes to these systems, rather than replacing them, you’re dealing with massive size and complexity, as well as criticality,” says former banking systems administrator Frances Coppola, now a writer and commentator on banking issues. Even if you can find developers who understand these languages, she says, that doesn’t mean they can tease out the business logic in order to understand how the systems work and what processes they are intended to achieve.
“Very often, the system has no documentation or very poor documentation, too, so the risks you run of making some subtle but disastrous change in function and thus triggering some sort of systems failure are actually pretty high,” she adds.
This, incidentally, is exactly the scenario that unfolded at RBS last summer, when an IT administrator attempting to run a routine end-of-day overnight batch cycle managed to erase the entire scheduling queue, as Ovum’s Daniel Mayo points out. The underlying technology itself was not to blame, he says, but rather a lack of skilled staff and the limited opportunity that IT teams now have to run batch processes, thanks to the rise of 24/7 online and mobile banking.
Hipster devs + knowledgeable old-timers = working legacy system
Either way, this clash of old and new in banking applications can lead to a crisis in communications for many retail banking IT teams. “To make this work effectively, you need some hybrid skills to understand web services that can actively expose parts of the core legacy systems in newer, smaller apps,” adds David Gee at CUA. “In short, [you need to get] a Gen Y developer working with a Baby Boomer or a Gen X mainframe senior IT professional - an architect who gets the bigger picture and can help "join the dots". This is a significant challenge to make these two worlds work effectively together.”
“It’s akin to a religious war,” he continues, “with, in one corner, older systems that are operational and, in the other corner, agile apps that are developed in short sprint cycles.”
In the usual scheme of things, most banks manage to keep legacy systems up and running, most of the time - but the currency of the information they offer to customers is also starting to struggle, particularly as customers increasingly expect the most up-to-date information about their balances and transactions, regardless of the time of day (or night), or their location.
That’s because most banks have taken a "middleware" approach to bridging the gap between their legacy core banking systems and newer applications, says Mark Holland, partner at Holley Holland, a business transformation consultancy specialising in the financial services sector.
“You can put a new front end on top, which gives the impression that everything’s shiny and new and working just fine, but the underlying systems that feed data into the new mobile and internet banking apps are still the same tired old legacy systems,” he says. “If, as a consumer, you expect to see your financial world, all in one place - all the latest data about your current account, your loans, your savings and your mortgage through an up-to-date online portal - you’re likely to be disappointed by most banks today,” he says.
From the point of view of the CIO, meanwhile, “what you end up with is not just technical integration complexity, but also platforms that are not designed to be responsive to new and emerging channels in the way today’s customers expect,” according to Tony Prestedge at Nationwide.
Still, it will take some powerful persuasion - or at least regulatory mandates - to get the situation to change in the UK.
These could be on the horizon, however. Earlier this year, the UK government proposed changes to the inter-bank payments system, owned collectively by the country’s large incumbent banks and largely self-regulated, which would see the market opened up and placed under a new regulator.
A change is coming...
The main reason given was competition issues: “The UK has a situation where a group of the most powerful users of a system are also its owners," says a March 2013 report [PDF, 28 pages] from HM Treasury. That means that smaller players and new entrants to banking must seek access, whether directly or indirectly, to systems that are jointly owned by a number of their competitors.”
But, at the same time, there are clearly concerns about the investment (or lack thereof) made by the banks in the technology that underpins inter-bank payments. At the Bank of England, executive director for financial stability Andrew Haldane has criticised payment systems for “an endemic degree of inertia”, with the bulk of spending going on merely maintaining legacy technology.
If the UK government and Bank of England have their way with the inter-bank payment system, they may start to look into the resiliency of back-office core banking systems, too. “We’re about to see tighter controls for banks over operational risk, and some of these legacy systems make it extremely difficult for banks to demonstrate they’ve got that,” says Graham Lloyd, a retail banking expert at management consultancy PA Consulting.
But critical incidents like the one that hit RBS in 2012 may leave regulators with little choice but to act, says Daniel Mayo at Ovum. “It’s won’t be that banks will be required to replace all their legacy systems immediately, but they’ll likely need to be able to demonstrate that they’re on top of the situation as regards resiliency and are actively working to ensure outages don’t happen in future.
"It certainly looks, from where I’m sitting, that more intervention is just around the corner.” ®