By Chris Dutta, Director, Piccadilly Group
In April 2016, SWIFT became the latest financial institution to be at the centre of a systems failure scandal that saw thieves syphon $81 million from the Bangladesh Bank, in what looks set to be just one of many such incidents. The extent of the damage is still unknown, but SWIFT has warned customers that the malware embedded to hide such fraudulent activities will have led to further losses.
But this is not an isolated event. In the UK, nearly all of the High Street banks have suffered recent major outages, impacting business and retail customers alike. For streams of business and customer interactions to flow seamlessly, millions of transactions must complete securely, correctly and on time every day.
Failure is now commonplace
When you look at the list of banks hit by outages in the past few years alone, the common theme is that they are all well-respected, long-established players within the sector, with vast customer bases of both consumers and businesses alike. Because of this, we expect them to be exceedingly robust and modern. Yet in 2015, the UK experienced more than 20 major banking outages. Failure is all too common, and the risk of failure is always present.
Perceptions about the reliability of our biggest banks may be beginning to shift. Without a marked change in behaviour from these institutions, there may be more frequent disruptions, damaging the functionality and ultimately the credibility of Britain’s business environment.
The source of the problem
These regular and high-profile failures raise the question: Why are they still happening, and what can be done to stop them?
Firstly, the technical and architectural complexity is huge. Banking and financial institutions have multiple and diverse applications, messaging protocols and data warehouses—to name just a few—that make the process of maintaining and testing an end-to-end banking platform incredibly difficult. The complexity has been further exacerbated by the established banks having large legacy systems dating back decades—often fragmented from many years of mergers.
With the changing requirements of the banks, the modern need to provide multi- or omni-channel solutions can result in a technological patchwork that increases the intricacy of offerings within the industry. Different channels are fulfilled by different systems and technologies, meaning cross-channel development involves numerous teams and technical handoffs. Any functional feature will almost certainly have one or more corresponding security requirements, and banks frequently fail to address this non-functional aspect properly. To cap it all off, new requirements generally need to be delivered quickly, which further compounds the problem.
Secondly, the increasingly complicated industry landscape means that across all transactions, there are now multiple parties originating from different countries, such as issuer banks, acquirer banks, settlement banks, central banks and government bodies. This results in a tangled web of overlaying systems supported by globally dispersed teams, further widening the margin for error.
Added to this multifarious sector, the ubiquity of banking and financial systems leads to huge volumes of data, impacted by multiple sources in near or real-time, putting strain on systems and lowering performance and reliability.
And finally, there is the lack of cohesion and conversation between the banks and intermediaries, and indeed within the banks themselves. In the digital race to win market share, banks are creating closed, independently developed technical and data models. Often the risk profile of these models is not fully understood, which means testing is inevitably too limited or incorrectly focused. The absence of a quality-oriented culture, which would mean a more scientific approach to development and testing, is very noticeable when compared to other industries, such as engineering.
Time for change
Big banks have come under increasing pressure in recent years—especially since the global financial crisis of 2008. Anybody who has glanced at the front page of the newspaper from time to time will be aware of their overlying problems: Libor-rigging, PPI (payment protection insurance) mis-selling and international tax scandals have all grabbed the headlines. Regulations are tightening, the fines are stacking up, and public sentiment towards the financial-services sector remains as sceptical as it was after the financial crisis.
Yet it is the problems lying under the surface, hidden from plain sight, that pose the greatest potential risk to our finance sector. Archaic IT (information technology) systems are not going to improve without substantial change, and banks must realise that a failure to invest now might mean more than just bad public relations.
New players in financial-services markets—challenger banks and disrupters in digital payments in particular—are growing at a phenomenal rate. When it comes to IT, they have two considerable advantages over the established names. They have the benefit of hindsight, learning from the failure of their predecessors. But most importantly, new players are able to build their systems from the ground up, making use of the most advanced technologies.
It is this new and innovative sector that the traditional retail banks need to look to as the benchmark for how their own systems should look: as stripped back, efficient and lean as possible, able to work effectively with multiple sources across hundreds of locations, while remaining robust and largely impenetrable. Technology underpins the banking infrastructure, and banks must have executive representation from technology leaders. These leaders need to promote a “quality culture” that includes the appointment of roles with accountability for quality. The risk profiles of banking platforms and any changes need to be properly understood and effective mitigation sought—development and testing strategies need to be tailored appropriately.
If outages continue to disrupt businesses and consumers in the UK, the heightened capability of new financial-services providers will not escape the notice of businesses exploring all avenues in the race to get ahead. It is premature to think that retail banks will lose their footing in the marketplace; indeed they are well-positioned to acquire many of the new entrants. But it is safe to say that the days of the current approach to maintaining a patchwork of legacy systems whilst consolidating and delivering new offerings to market are numbered. The financial and reputational risks involved are only increasing, and in an age in which firms need to drive value by all means possible, the appetite for failure can only decrease.
Chris Dutta is Director and Co-founder of Piccadilly Group, the strategic testing firm for financial services. During Chris’ time at Piccadilly Group, he has led the testing on a significant number of major UK and global banking programmes, including retail and investment banking transformation and new initiatives, which include a recent challenger bank implementation.