Regulators urged to act on creaking bank technology

Intellect, the trade association for the UK technology sector, has called on financial regulators to force banks to upgrade their legacy IT systems, or risk future financial crises and systems failures.


Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

The trade group, which numbers more than 150 suppliers of information systems, services and consultancy to the financial services sector among its membership, says the UK's regulatory authorities must step in and mandate change by requiring banks to ensure that their critical infrastructure is fit for purpose.

Intellect's urgings come in the wake of a number of high-profile systems failures at top UK retail banks and in the hi-tech reliant capital markets. It also coincides with the forthcoming fourth anniversary of the collapse of Lehman Brothers, an event that exposed the complexities and interconnectedness of the global financial system.

Four years on from the crisis, lessons have not been learned, states Intellect. While the wholesale markets struggle to cope with a new generation of super-fast automated trading systems, the retail sector remains underpinned by a patchwork of ageing, batch-based core banking systems.

Ben Wilson, head of financial services programmes at Intellect, says: "This infrastructure is the foundation upon which the entire financial system is built and it has been neglected for far too long. The regulators, and in particular the Financial Policy Committee and the forthcoming Prudential Regulatory Authority, must take the lead on this now - it's not going to sort itself out. They either address this elephant in the room, or the effectiveness of the wider reforms that so much time and resource has been ploughed into over the last four years will be severely limited."

Complex legacy systems inhibit innovation across the financial system and specifically the development of industry utilities that could foster greater competition, he says.

"Legacy systems also inhibit existing banks from developing their services in order to compete with new entrants," continues Intellect in a paper on the issue. "As voluntary renewal has so far been resisted, there is a strong argument for the regulatory authorities to set minimum standards for banks' systems (as part of wider minimum standards for infrastructure) - to minimise unnecessary complexity, potential downtime and the risks posed by future updates to these systems."

Comments: (16)

A Finextra member 

Once an IT system is implemented it is effectively deemed "legacy".

Keeping the systems updated (latest or latest minus one OS / Service Packs etc.) is all that the regulator should be forcing banks to do (and making sure they have DR and test it).

It is far better for the market that new entrants (the ones with the shiny new technology) thrive and ultimately the market will decide if the new technology of the new entrants is "better" than the legacy technology of the existing players.

The majority of IT failures have been down to human error, so maybe spending the money on training and documentation would be a much more effective way of preventing any future disaster.

A Finextra member 

Totally agree with Robert, though some new approaches are totally adaptive and are capable of evolving with the business. But there is the rub - a new approach; breaking into a traditional market dominated by the large legacy suppliers with conservative, risk averse clients is very difficult. Initial excitement can soon dull to concerns of new technology, often size of company and even what it might find!

Competitive advantage is always driven by open minds both in the business and the regulators - it has started with a few enlightened! D

Christopher Williams Chairman at RTpay

The time is right to centralize payments at the governmental (central bank) level so that much of this problem can be resolved - as well as offering enormous additional benefits. A central clearing where real time fraud analysis takes place (and blocks 'bad' transactions before they settle) is possible now we have the bandwidth and processing power to manage this.

From this fundamental change, we can see how to incorporate mobile phone-based payments as well as cards and transfers.

And, a massive added value for governments, would be in collecting sales tax or VAT in the course of the payments, so reducing the debt levels by cutting tax evasion, not raising rates.

It is time for governments to take the lead - with new technology it can be the best way to widen competition of financial services and lower administrative costs for merchants and consumers alike.

Gary Wright 

Well they would say this wouldn't they! However despite the vested interests of the story it does happen to be true. Legacy systems are the biggest risk to financial markets stability than virtually any other but it rarely gets air time. Also for many in the technology side it is their jobs on the line to change. Most technology people are only ever interested in the latest technology but they are almost sidelined when it comes to strategic change. What's certain is that the new financial world to come will put pressure on legacy and restrict financial institutions from being competitive, compliant or profitable leaving the door open for new entrants with great ideas and a purpose but most of all no legacy.

A Finextra member 

I agree with Robert, forcing banks to upgrade their ‘legacy’ systems would be a mistake.

The problem here is not the age of the systems involved, but the way in which they are managed and maintained. Banking infrastructure is built to last and it has persevered through decades of systemic and regulatory change. However, if it is not treated with the care and respect needed to keep it in optimum working condition some systems will inevitably fail.

Forcing banks to upgrade their systems won’t solve this problem, it will simply trap industry participants in a cycle of rip and replace where each new system, faced with years of neglect, will eventually encounter the same problems as its predecessor and have to be replaced. If we want to avoid future banking crises we need to address the root cause of the problem and begin treating legacy systems with more respect.

A Finextra member 

Your call is very valid and timely, that there is something wrong, and needs correction in the banks. But you see, each bank has a unique portfolio of technologies, applications and solutions. Regulator can issue broad guidelines and directions on standards for tech upgrades for the industry in terms of performance, downtimes, Disaster Recovery plans etc etc. For few banks, these would result into a major overhaul, whereas for some others an application or technology upgrade or creating additional infrastructure. How the regulatory directions can be implemented would still be unique for each bank. If I can draw a parallel between a human body and a bank, then to diagnose the problem good doctors (consultants) can point out the areas that would need attention, exercise regime (process upgrade) or part replacement (applications, solutions). It's interesting though challenging. But still no one can guarantee if regulatory intervention for technology in banks would be the right medicine to avoid risk, future operational crisis and systems failure. Industry definitely needs standards on uptime, DR, performance guarantee, minimum guaranteed SLAs etc.

Thanks for raising this as an issue.

Gary Wright 

A regulatory involvement in technology support, development and enhancement to assess the capability of the technology and systems to support the business and the ability of Banks to make good and correct decisions appears to me very sensible.

When I was running operations the regulator would test most things but never technology or anything related. This always looked odd to me and caused me to create the BISS accreditation.

I am therefore really supportive of regulatory interest. However I do agree with much of the sentiments posted that the regulatory involvement should be about performance and measurable capability to support the business not replacement for the sake of it.

A Finextra member 

Mr Singh is right on the spot. What regulators need to make sure is that banks are capable of meeting quality requirements so that the services can be performed uninterrupted. The root cause of the problem is most likely underspending in maintenance, upgrading, proactive development and even know-how. This is caused by banks being measured by the stock market on cost/income ratio and even ITspend/income ratio. Large public banks seek to meet stock market expectations in many ways in order to push up the share value. IT spending cuts are endemic in the banking area despite the emergence of internet and mobile banking, online clearing demands, globalisation of the markets and the addition of new risks. Underspending, outsourcing while losing also the internal competence on own IT systems needs, badly documented legacy systems, loss of experienced staff due to cost cutbacks in staff area, postponement of all and any upgrades in combination with the development of new communication channels in combination with old legacy systems are a good part of the problem. The regulator needs to become IT savvy in order to measure how banks have arranged the sustainability and 24x7 customer access instead of focusing mostly on legal compliance and capital adequacy requirements as is the case today. This could be a whole new billing area for experienced IT consultants and sacked bank IT professionals!

A Finextra member 

Alternatively, it should be left to market forces - unless there is a risk of a scale and seriousness, plus a lack of action, that demands regulatory intervention.

The first step is to understand what problem needs to be fixed; and then to look at the options for doing so. One approach might be to commission a risk analysis such as was done to assess the systemic risk inherent in FX settlement, such as the Allsopp Report. Which resulted in voluntary industry action rather than more regulation, and has clearly been extremely successful. https://www.finextra.com/blogs/fullblog.aspx?blogid=6825

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

Not sure if Intellect is aware that BFSI has been the #1 IT spending sector for a long time and that it provides more revenues to many leading IT services companies than all other industry verticals combined. Therefore, pressurizing banks to replace all their legacy systems may not be practical.

What might work is stronger regulation on the "ends" instead of greater interference with the "means". This could happen by regulators specifying stringent SLAs that banks have to fulfill at various customer IT touchpoints and enforcing those SLAs by levying punitive penalties for breaches. Some SLAs are already in place viz. 2 hour and 1 minute round-trip times for Faster Payments and TARGET2 transactions respectively. More of them could be introduced viz. say, "Three 9" uptime for Internet Banking, 1 hour lead time for ATM and ePayment transactions to reflect on account balance and statements, etc. It should be left to individual banks to figure out whether they can tweak their legacy systems to achieve these SLAs or they must adopt spanking-new technologies to avoid penalties for SLA breaches.

Gary Wright 

Look it's not the issue that regulators get directly involved between vendor and supplier. It's all about performance of the systems and architecture to support the business. If it's legacy and it's working fine but this should be tested against existing support as part of the annual regulatory visit. It should be about planning for future changes and how management cope with new needs.

To do this work regulators should be more aware than today about technology and certainly more able to determine if a FS firm is taking on risks in their technology. Legacy may or may not be a risk. In my view legacy should be considered a potential risk if it is expected to do things it simply can't do. All this should form part of the regulatory audit check. It's up to the FS firm if they heed it or not. There is no point going into detail or specifying a model as none exist all firms have differing environments, needs and capabilities. However it's how they manage the supporting infrastructure that's important and how that infrastructure supports the business. I am very supportive of regulators to get involved as part of their normal checks but first they need to make sure they have the right people and the level of knowledge required to carry out their function. Today I doubt this very much.

A Finextra member 

Thanks for all the comments on the paper - all valid points and one of the main motivations behind the paper is to start a dialogue on this issue across all stakeholders - so this is a great place to begin. To date reform of the system has left the issue of technology largely unaddressed - it merely becomes an issue when policy/regulation that has been formulated in isolation from the operational realities needs to be implemented. The paper is a statement of the technological art of the possible.

Against the backdrop of a perennial ‘Mexican stand-off’ between the banks and the regulators, the paper sets out the case for infrastructure renewal, and is in effect a ‘third way’. It is a stimulus for all stakeholders to look at the foundations the system is built upon and re-evaluate how it can become more stable; support economic growth; and benefit both customers and the banks themselves.

To go into a couple of the points raised in the comments so far:

Financial infrastructure is effectively the 'plumbing' of the system - that allows data – the lifeblood of the financial system – to flow within and between financial institutions. As we know, in reality, this infrastructure is a complex myriad of systems, networks, applications servers, databases, physical storage systems, and end-user computing systems and devices. That banks do not have a holistic view of their own operations and exposures is because this infrastructure is substandard - in many cases information silos inhibit the sharing of timely and accurate data across the disparate operations of a bank. When a bank cannot quickly gather an accurate and holistic view 'of the whole' of its operations, there is little chance the regulatory authorities will be able to.

The motivation behind a regulatory-mandated renewal of infrastructure is that these regulatory authorities - and specifically the Financial Policy Committee whose role it is to identify and mitigate future market events before they happen - need to be confident that the data they are receiving from banks is reflective of the entire exposures of each individual bank. This is not currently the case. Current efforts to standardise data (e.g. LEIs) to increase the transparency of the system will be undermined if this standardised data does not reflect the exposures 100% of each individual bank. The process should stem from an evaluation from the Financial Policy Committee of what capabilities it will require in the future in order to identify and mitigate risks - before they occur. These requirements can then be reverse engineered and can inform the infrastructure standards that all financial institutions should be obliged to achieve. It is, in effect, about ensuring that the regulatory authorities have the right tools to perform their duties - spin off benefits for banks, customers and the economy from the banks better knowing their own operations will stem from this.

Regardless of how effective the core systems of banks are, they are an obstacle to timely and inexpensive business change - such as breaking down these information silos so banks can better know their own operations and exposures. You add into the equation the complexity (not necessarily old, there are some bulletproof older core systems out there) of some of these systems and the fact that they are only getting more complex as changes are bolted on and the disincentive for change merely increases.

On this point, the paper is focused upon the wider infrastructure of banks and the wider financial system - not just the issue of legacy systems. This is merely part of the issue and to focus on just this is misleading.

Addressing the point that it is predictable that the technology trade association would push for a regulatory-mandated change for commercial reasons is off the mark. Yes, if banks renewed this infrastructure the technology industry would benefit, but then so would everybody else, including the banks. However, as many readers of Finextra will know, the fact is that if the status quo remains, the technology industry will continue to benefit, by providing the banks with the products and services that hold their patchwork of existing systems together - but customers, financial stability, economic growth and the banks themselves will continue to be the losers.

I hope that’s covered some of the points. If you're able to read the paper, it goes into a lot more detail and has received some positive feedback so far. It can be downloaded on the Intellect website.

Gary Wright 

Thanks Ben for giving your point of view on the discussion so far. I get what is trying to be achieved and support the attempt. It's been long overdue. What other ideas does your organisation have for raising and pushing this forward? I am always sceptical of industry groups that have a commercial interest in the outcome as we have seen with MiFID and many others. Would the organisation perhaps consider working with an independent academic organisation not related to the industry? Reading? Cass?

A Finextra member 

Thanks for your comment Gary - I understand your point of view completely. Whilst this paper was the result of the aggregated expertise of the Intellect membership - we are working with the International Centre for Financial Regulation (ICFR) and Loughborough University School of Economics and Business (Alistair Milne, previously of Cass Business School) to push this debate along. Specifically we're running a joint conference with these two organisations in September at the London Stock Exchange to kickstart dialogue.

We'll also be doing a number of spin off papers over the year, working with other relevant organisations for each paper. Happy to talk offline if you would like more information. My email address is on the Intellect website.

Gary Wright 

Thanks Ben, looks like you have it well covered. Will contact you direct.

A Finextra member 

Four years on and regulators are still tackling issues initiated and highlighted by the Lehmans collapse. With the swift hand of regulation sweeping across the industry, banks are feverishly trying to comply.

Instead of making regulators responsible for mandatory system upgrades within financial institutions, there needs to be a cultural shift in the banking sector. Banks must take control and drive change.

It’s up to them to innovate and become leaner and meaner as budgets are being slashed. Banks must invest in the right tools and expertise to keep their businesses afloat and continue to generate returns. Taking a strategic approach to data and when updating systems, ensuring that the change also enhances operational efficiency, is the key to getting there.
