Finance CIOs sweat as regulators prepare to probe aging mainframes

Outages compound interest in creaking IT

Could the watchful eyes of regulators soon come to rest on the old and often creaking IT systems that run the back offices of the UK’s leading banks?

Among CIOs in the sector, there’s a palpable concern that they will. It’s no secret, after all, that most retail banks rely on decades-old technology for their core banking systems to manage deposits, loans, credit and customer records.

Last summer’s three-day outage at the Royal Bank of Scotland may have been traced back to human error, but many believe the incident has led to serious questions being asked about the resilience that older core banking systems offer.

“There’s absolutely no doubt in my mind that the RBS incident has raised levels of concern around infrastructure and, in particular, back-office resilience,” one banking insider, who asked not to be named, told The Register.

“There won’t be mandatory requirements to replace legacy platforms - I can’t see that happening. But the resilience required from legacy platforms, and the ability of banks to be able to demonstrate that resilience, may be mandated to shift quite considerably.”

Night scene of bank station in central london

Night scene of Bank tube station in central London

It’s not just a UK issue. Last year, David Pegrem, head of IT risk at the Australian Prudential Regulation Authority (APRA), warned banks in that country that there will be “no tolerance” for service outages at banks and building societies that can be traced back to neglected legacy systems.

“There [will be] no tolerance for known single points of failure, for poorly mapped business processes, for lost or poor knowledge retention, for fixing [with] Band-Aids rather than root-cause solutions,” he said.

Meanwhile, in the US, some 330 banks and credit unions will replace their core banking systems during 2013, according to research from research company the Aite Group. Vendors serving this market include FIS, Fiserv, Temenos, SAP, Oracle and Misys.

But replacement is a “high-risk, high-cost endeavour”, warns Aite Group analyst Christine Barry: “The financial crisis delayed many of these replacement projects and, as a direct result, there’s a much higher level of urgency now - but still a large degree of caution, because core system replacement is probably the largest and riskiest IT investment any bank could make.”

That’s why it’s been so easy for banks to postpone such projects. In the years prior to the 2008 banking crisis, profits were flush and there was no real incentive to embark on a major modernisation project. Plus, years of voracious mergers and acquisitions activity had left many banks with a sprawling legacy estate, so most investment went into consolidating systems acquired in banking takeovers or integrating them with the legacy systems of the acquiring bank.

“This is more the norm, with most institutions having multiple systems that are a result of inorganic growth,” says David Gee, CIO of Credit Union of Australia (CUA). But, he adds, “typically the integration of these organisations is never fully completed and there is a focus on key critical systems. Accordingly, legacy systems lurk around these organisations and there is often no plan to transition these.”

CIOs: Can you justify your expenditure?

Even where a far-sighted CIO does have a plan, and pushes for more fundamental modernisation, it’s not always easy for them to get their voice heard at board level, according to Tony Prestedge, now chief operating officer at UK bank Nationwide, and formerly of Barclays and the Portman Building Society.

“Before I came to Nationwide, it was often the case that you could only secure investment in either upgrading or replacing core systems when you had a business-line sponsor in place to support you - but very often, projects such as infrastructure renewal, capacity expansion or increased resilience do not bring with them immediate and direct financial benefits, so that support was hard to get,” he says.

“The truth is that retail banking institutions with highly defined business units that budget according to their own profit and loss [P&L] accounts find it very difficult to recognise the need for, and justify, expenditure in maintenance and upgrade of legacy systems. They just do.”

The situation at Nationwide is fundamentally different, because as a COO with direct responsibility for IT, Prestedge is solely in charge of the bank’s investment budget, “so if I believe there’s a need, for example, to invest in card systems, I don’t need to go to my head of cards business and telling them they’ve got to pay for a capacity upgrade out of their P&L.”

As a result, in his five years at Nationwide, Prestedge has been able to steer a £1.5bn transformation programme that has seen between £300m and £400m invested in making legacy systems “competent, fit-for-purpose, with future-proof capacity in a virtualised data centre world,” he says. A further £700m, meanwhile, has been spent on application renewal, including the introduction of new mobile banking and mortgage platforms and, more fundamentally, the complete replacement of the Nationwide’s core banking platform with a new system from SAP.

“It would be wrong to pretend [that project] wasn’t painful. At times, it was very painful,” he says. In total, it took four years to move the Nationwide off its legacy Unisys system onto SAP: one year of decision-making to get board approval and select a supplier; two years of building, developing and testing; and a further 12 months of implementation before the system went live last year.

The project, he says, could only be justified by the Nationwide’s ambition to increase its market share in personal banking products - current accounts, cards and consumer lending - from 5 per cent to 10 per cent. “We stared down the barrel of that goal and asked, 'If we’re going to achieve this, is the core banking platform we have in situ capable of growing and innovating at the pace that we need?' And we concluded that it wasn’t.”

Other banks, especially ones that are fighting to retain market share, rather than grow and enter new markets, simply don’t experience the same impetus, he says.

Are you even going to be around to see the change?

Another major stumbling block is the "shelf life" of most retail banking CIOs, according to Daniel Mayo, an analyst with IT market research company Ovum. This currently stands at about two to three years, he says, “so leaving risky and expensive projects for their successor to deal with is often the best approach for them to take.”

In other words, taking on a multi-year project of this complexity - and, worse still, failing to deliver before they "move on" - could continue to dog their professional reputation for years to come. In a worst-case scenario, it could be career suicide.

But in return for their complacency, retail banking CIOs are left dealing with a whole stack of other problems. One of the big challenges is getting the skills needed to manage decades-old legacy systems, often written in languages such as PL/1 and Cobol.

“When you’re making changes to these systems, rather than replacing them, you’re dealing with massive size and complexity, as well as criticality,” says former banking systems administrator Frances Coppola, now a writer and commentator on banking issues. Even if you can find developers who understand these languages, she says, that doesn’t mean they can tease out the business logic in order to understand how the systems work and what processes they are intended to achieve.

“Very often, the system has no documentation or very poor documentation, too, so the risks you run of making some subtle but disastrous change in function and thus triggering some sort of systems failure are actually pretty high,” she adds.

This, incidentally, is exactly the scenario that unfolded at RBS last summer, when an IT administrator attempting to run a routine end-of-day overnight batch cycle managed to erase the entire scheduling queue, as Ovum’s Daniel Mayo points out. The underlying technology itself was not to blame, he says, but rather a lack of skilled staff and the limited opportunity that IT teams now have to run batch processes, thanks to the rise of 24/7 online and mobile banking.

Similar topics

Narrower topics

Other stories you might like

  • Cheers ransomware hits VMware ESXi systems
    Now we can say extortionware has jumped the shark

    Another ransomware strain is targeting VMware ESXi servers, which have been the focus of extortionists and other miscreants in recent months.

    ESXi, a bare-metal hypervisor used by a broad range of organizations throughout the world, has become the target of such ransomware families as LockBit, Hive, and RansomEXX. The ubiquitous use of the technology, and the size of some companies that use it has made it an efficient way for crooks to infect large numbers of virtualized systems and connected devices and equipment, according to researchers with Trend Micro.

    "ESXi is widely used in enterprise settings for server virtualization," Trend Micro noted in a write-up this week. "It is therefore a popular target for ransomware attacks … Compromising ESXi servers has been a scheme used by some notorious cybercriminal groups because it is a means to swiftly spread the ransomware to many devices."

    Continue reading
  • Twitter founder Dorsey beats hasty retweet from the board
    As shareholders sue the social network amid Elon Musk's takeover scramble

    Twitter has officially entered the post-Dorsey age: its founder and two-time CEO's board term expired Wednesday, marking the first time the social media company hasn't had him around in some capacity.

    Jack Dorsey announced his resignation as Twitter chief exec in November 2021, and passed the baton to Parag Agrawal while remaining on the board. Now that board term has ended, and Dorsey has stepped down as expected. Agrawal has taken Dorsey's board seat; Salesforce co-CEO Bret Taylor has assumed the role of Twitter's board chair. 

    In his resignation announcement, Dorsey – who co-founded and is CEO of Block (formerly Square) – said having founders leading the companies they created can be severely limiting for an organization and can serve as a single point of failure. "I believe it's critical a company can stand on its own, free of its founder's influence or direction," Dorsey said. He didn't respond to a request for further comment today. 

    Continue reading
  • Snowflake stock drops as some top customers cut usage
    You might say its valuation is melting away

    IPO darling Snowflake's share price took a beating in an already bearish market for tech stocks after filing weaker than expected financial guidance amid a slowdown in orders from some of its largest customers.

    For its first quarter of fiscal 2023, ended April 30, Snowflake's revenue grew 85 percent year-on-year to $422.4 million. The company made an operating loss of $188.8 million, albeit down from $205.6 million a year ago.

    Although surpassing revenue expectations, the cloud-based data warehousing business saw its valuation tumble 16 percent in extended trading on Wednesday. Its stock price dived from $133 apiece to $117 in after-hours trading, and today is cruising back at $127. That stumble arrived amid a general tech stock sell-off some observers said was overdue.

    Continue reading
  • Amazon investors nuke proposed ethics overhaul and say yes to $212m CEO pay
    Workplace safety, labor organizing, sustainability and, um, wage 'fairness' all struck down in vote

    Amazon CEO Andy Jassy's first shareholder meeting was a rousing success for Amazon leadership and Jassy's bank account. But for activist investors intent on making Amazon more open and transparent, it was nothing short of a disaster.

    While actual voting results haven't been released yet, Amazon general counsel David Zapolsky told Reuters that stock owners voted down fifteen shareholder resolutions addressing topics including workplace safety, labor organizing, sustainability, and pay fairness. Amazon's board recommended voting no on all of the proposals.

    Jassy and the board scored additional victories in the form of shareholder approval for board appointments, executive compensation and a 20-for-1 stock split. Jassy's executive compensation package, which is tied to Amazon stock price and mostly delivered as stock awards over a multi-year period, was $212 million in 2021. 

    Continue reading
  • Confirmed: Broadcom, VMware agree to $61b merger
    Unless anyone out there can make a better offer. Oh, Elon?

    Broadcom has confirmed it intends to acquire VMware in a deal that looks set to be worth $61 billion, if it goes ahead: the agreement provides for a “go-shop” provision under which the virtualization giant may solicit alternative offers.

    Rumors of the proposed merger emerged earlier this week, amid much speculation, but neither of the companies was prepared to comment on the deal before today, when it was disclosed that the boards of directors of both organizations have unanimously approved the agreement.

    Michael Dell and Silver Lake investors, which own just over half of the outstanding shares in VMware between both, have apparently signed support agreements to vote in favor of the transaction, so long as the VMware board continues to recommend the proposed transaction with chip designer Broadcom.

    Continue reading

Biting the hand that feeds IT © 1998–2022