Banks with mountains of legacy tech risk causing more outages as they race to catch up with their "agile" competitors, the Treasury Select Committee was told.
Speaking at the hearing on IT outages in the financial sector yesterday, deputy chief executive of the Prudential Regulation Authority, Lyndon Nelson, said innovations in the sector are driving change.
"If you are a large retail bank in the UK, you are probably dealing with legacy systems" but as fintech companies are adding new features to their apps, they are keen to do the same "for competitive reasons."
"The question IT officers are thinking is 'how many times in a week can we change an app without it falling over?'"
He added if a bank's business depends on its banking app being able to compete with "fleet of foot" challengers making updates four times a week, they must ensure they have robust systems in place.
Alison Barker, director of specialist supervision at the Financial Conduct Authority, said 65 per cent of outages are in retail banks. She said the regulator received 853 notifications of outages in 2018/19, "that is a huge increase on the previous year". However, she added some of those incidents were relatively minor, with part of the increase being due to a change in regulatory reporting requirements.
Asked to what extent legacy systems are used across the sector, Lyndon said: "It is still pretty extensively, I'm afraid… some pretty core systems are still run on legacy."
"They still use code back from the 1970s on some of these systems, and they've just built on top of them."
Nelson said banks do have plans to phase it out but "it's often quite a brave chief technology officer to envisage that" because of the inherent risk in changing systems. He noted not many programmers are left who can use COBOL.
Committee member Simon Clarke said: "Members of the public would probably be alarmed to learn that some of their financial institutions are running on systems that are possibly 50 years old… and often are not well understood by the people working with them. How widespread is that problem?"
Nelson replied: "I think they do understand them because they built systems on top of them. I think the understanding is deficient when things do go wrong."
David Bailey, executive director of Financial Market Infrastructure at the Bank of England, said the body has suggested banks provide a full list of their critical services and which specific IT systems are required to support them. Once that is in place, they can look at a plan to migrate from the remaining legacy architecture, he said.
Last week the committee heard that as more banking services move to the cloud, there is an increasing dependency on the three large providers: AWS, Google, and Microsoft.
Nelson echoed concerns raised about "the shortage of choice". He said for small providers, cloud services probably provide better protection. "But we are also worried about the concentration [of these services]." ®