Change has never happened this fast before, and it will never be this slow again...

It is fair to say that the Financial sector has seen some massive changes in the use of IT over the last few years, but with the explosion of Fintech and the continued uptake in use of the cloud, we are poised to see some substantial further changes over the next few years – including the adoption of artificial intelligence, robo advice, blockchain and open banking.

Drivers for Change?

So what is driving the change in approach to IT and Fintech within the sector? The answer to this is complex, but the reasons include:

  • Customer demand – for online banking and financial services, a better user experience and a more personalised service;
  • Big data and data analytics – harnessing the power of new technology to derive further value both for customers and business;
  • Legacy – a desire to move away from the reliance on legacy systems, and their associated mounting costs and operational headaches, to improve security and achieve greater flexibility;
  • Cultural Change - within the sector and its relationship with its customers;
  • Innovation – in a drive towards efficiency, cost saving and a better customer experience in an increasingly competitive market.

Changes to how we contract?

The days of the traditional outsourced model, where businesses outsource their IT requirements to a global IT company under a managed services model, are not completely gone. However, CTOs are now faced with wide choices in technology sourcing and the contractual decisions and potential risks can be complex.

Different Models

  • Prime outsource – large prime contractor (often a global IT company acting as strategic integrator) takes responsibility for delivery of full scope of services, and usually sub-contracts elements of the scope to smaller, often more specialist organisations. Often longer term arrangements with substantial scope of services. Historically a heavily used model and still has its place for large bespoke requirements, where legacy systems are being maintained.
  • SIAM and Towers – a model which developed primarily in the public sector until it fell out of fashion around 2015 when Cabinet Office discouraged its use – it has been used in other sectors including FS. It involves an outsourced SIAM (strategic integration and management) contractor being appointed to manage an eco-system of specialist “best of breed” tower suppliers e.g. application management; networks; hosting; end user computing etc. Risk of gaps and interdependencies between towers need to be carefully managed.
  • Hybrid Cloud Integration / Brokerage – the rapid growth of standardised cloud services has given rise to an opportunity – with careful planning – to move IT estates to a consumption based model with infrastructure, platforms and software hosted remotely as a service, allowing for rapid scalability and avoiding large capital outlays and redundancy. Most established cloud providers now have solutions for data security, availability and regionalisation. There are still challenges around integrating public and private cloud within on premise IT and maintaining cost efficiencies, which is where hybrid cloud integrators come in. We expect this model to grow rapidly in the next few years.

Regulatory Considerations

FCA regulations require that financial services businesses maintain effective control over their operations and closely manage all aspects of risk. The decision to use cloud services (or any third party service provider) is just another risk that FS businesses must assess, quantify, justify and manage from the outset and as service provider relationships develop. The FCA has recently issued Guidance for firms outsourcing to the cloud and other IT services (FG 16/5) expanding on its existing outsourcing rules. So what do you need to think about?

  • Control and data security - are at the forefront of the FCA’s concerns. The outsourced process is still your responsibility and firms need to retain sufficient expertise to manage the outsourcing.
  • Diligence – is there a good business case for using the cloud? Is the provider reliable and competent? How will you monitor this? What will you do if it all goes horribly wrong?
  • Transition and contingency – can you effect a smooth transition to another provider, and properly manage and minimise the effect of outages?

It’s not always easy to apply existing rules in a new and dynamic context and the Guidance has thrown up some interesting practical questions, such as:

  • Jurisdiction – can you control where your data are to be processed? The FCA suggests that businesses agree a Data Residency Policy.
  • Access to premises – the FCA still requires that firms, auditors and the Regulator should have physical access to service providers’ premises to monitor performance. This poses challenges with highly secure cloud facilities but it is up to you to determine with the cloud provider how this access can be achieved.

Firms need to assess the Guidance and determine its relevance to their own activities. The Guidance is not binding, but compliance indicates compliance with FCA outsourcing rules. In other words, you need to be able to justify any deviation from the Guidance.

Both providers and firms are having to adapt their contractual negotiating positions to accommodate the Guidance but there is still a clear gap to be bridged.