The resilience of the UK banking sector – once dubbed the ‘banker to Europe’ – is beginning to come under question. Not only is political strife influencing the industry’s reputation, but a spate of technology outages has also prompted the government and the UK’s Financial Conduct Authority (FCA) to issue warnings about the state of British banking.
Tech crashes at UK banks more than doubled in 2018, rising by 187 percent in the year to October. Even with this staggering increase, the FCA said its estimates were likely to be conservative due to significant under-reporting. However, a few incidents were too big to sweep under the rug: for instance, in April last year, a botched IT operation at TSB – which is owned by Spain’s Banco de Sabadell – locked millions of customers out of their online banking accounts for weeks. The fiasco cost the company £330m ($426.8m) and led to the resignation of its CEO, Paul Pester.
Numerous other shorter-lived outages occurred in the UK in 2018 and into 2019, but the issue for financial institutions is global: banks ranging from the US’ Wells Fargo to National Australia Bank have reported nationwide outages over the past year, while in June, Visa Europe’s payment system crashed, leaving millions of customers across the continent unable to use their cards.
An unstable legacy
Large financial institutions are perfect targets for hackers. Not only do they safeguard a vast store of private data and sensitive financial information, but they are often furnished with ageing IT infrastructure. Igor Pejic, Head of Marketing at BNP Paribas’ personal finance arm in Austria and author of Blockchain Babel, a new guide to distributed ledger technology, told World Finance that some banks’ legacy core systems date back to the 1950s and 60s when the technology was first developed. “Legacy systems are the major point of IT failure,” Pejic said.
Up to 50 percent of all banking IT assets were found to be in “urgent” need of modernisation in 2016, according to the Escaping Legacy report conducted by consultancy firm Accenture and the University of Surrey. In fact, many banks still use the programming language COBOL, or Common Business-Oriented Language, which was developed in 1959. In 2017, Reuters reported that 43 percent of banking systems were built on COBOL and 220 billion lines of COBOL code were still in use.
COBOL’s age is not a problem in itself – its software was updated as recently as 2014. “However ancient and clunky legacy systems are perceived to be, the truth is they are generally robust,” explained Gareth Jones, the director of information security and platform development at financial services provider Fraedom.
But when it comes to maintaining systems, programmers who use COBOL are most likely to be between 45 and 55 years old, Reuters found, whereas younger coders use programming languages such as JavaScript and Python, both of which were developed in the 1990s. This means that within a decade, COBOL expertise could be very difficult to come by.
The matter is further complicated by the fact that many banks have created a patchwork system, with layer upon layer of newer tech built on top of ageing core systems. These irregular structures are now often the culprits behind banking outages, as it is very difficult for new IT recruits to follow decades’ worth of complex workarounds unless in-depth knowledge is passed on.
This all creates technical debt, a concept in software development that reflects the additional cost of work caused by taking an easy route instead of a longer-term approach that might be more expensive upfront. When companies take shortcuts, they accumulate technical debt. According to Pejic, this results in more problems in the long run: “The more subtle complexity you have, the more possible bugs or glitches you can have. Eventually [these shortcuts] will end up causing more likely IT failures or… vulnerabilities to hackers.”
Rising to the challenge
Challenger banks have been making headway in the industry since the time of the global financial crisis because of their groundbreaking, tech-led strategies and personalised approach. A 2019 Fraedom survey of banking decision-makers in the US and UK found that nearly half of all respondents thought the biggest barrier to the growth of commercial banks was legacy systems. In response to the rise of nimble and innovative challenger banks, 44 percent expected their organisation to invest heavily in updating legacy systems.
But updating the technology at the core of our financial institutions is even more complicated than maintaining legacy systems. According to the FCA, many of the UK’s tech outages in 2018 were caused by replatforming failures. Pejic compared it to changing a jet engine while in flight: “You cannot just switch it from one day to the other.”
Any move away from legacy systems will create technological issues, including outages. Jones told World Finance: “The outages are… a symptom of a general drive within the industry to innovate, reduce costs, transform digitally (including the move away from legacy systems) and the break-up of banks.”
Some companies do manage to pull off these impressive feats of computer programming: Ant Financial, a subsidiary of China’s Alibaba, is just 14 years old, and already it is on its fifth generation of IT infrastructure. Unfortunately, many financial institutions are not so proactive. Following its study, Accenture said “legacy stasis” is deeply embedded in banks’ boardrooms. Though executives know the pace of technological change is only accelerating, they see the modernisation of systems as being “overly complex, expensive and unacceptably risky”.
It typically takes a “cataclysmic event, like a full-blown outage” to catalyse change, the Accenture report said. “By then, of course, irreparable damage may well have been done.”
A seat at the table
Institutions that want to match Ant Financial’s pace of technological change should employ someone at board level who understands the bank’s IT infrastructure and the current technological environment, such as a chief digitalisation or chief data officer.
“Unless the legacy system is understood fully – with all of its bolt-ons – it’s very difficult to do a lift and shift from a legacy system to a new one. So, transition challenges are really in change management, the system’s features and strategy management,” Jones told World Finance.
According to the FCA’s Megan Butler, who spoke in London last year about tech outages, banks are struggling to recruit the right skills at the top level. “Historically, and for most of my career in this industry, the rock stars of finance were always the alpha traders,” she said at the time. “Today, it’s the CIOs and IT consultants who are in high demand and short supply… meaning the best are difficult to employ and hard to retain.”
At a time when cyberattacks are getting more structured and coordinated, it is clear just how important it is for banks to have the right protections in place. Migrating core systems may be daunting, but it is necessary. At the moment, Jones sees outages as inevitable due to the sector-wide shift towards online products and offerings. “As a matter of fact, we’ve probably not seen the worst of it yet,” he said. The FCA also said it sees “no immediate end in sight to the escalation in tech and cyber incidents”.
Despite this, outages are becoming more concerning due to the criticality of banking services. Banks big and small will be faced with continual challenges as the tech landscape evolves, but as Pejic’s jet engine metaphor makes clear, moving away from legacy systems will be as complicated as it is essential.
Going forward, it appears inevitable that consumers will continue experiencing outages as the industry modernises. Therefore, the banks that recover the quickest and do the most to protect consumer data and security will be the ones to come out on top.