As the range of technology employed by the UK's leading banks widens, the balance between cost-effectiveness and manageability of solutions becomes increasingly difficult to strike. Mike Pierides (Partner) and Rich Jones (Associate) from law firm Pillsbury examine some of the challenges banks face in sourcing the technology they need to stay competitive.

Background

The banking sector in the UK has grown significantly through acquisition and amalgamation. The result is a market dominated by banking groups, which have not yet had the time, finances or inclination to set about harmonising the underlying IT infrastructure of their respective component parts. The table below highlights some of the key retail bank elements of the UK's major clearing banks, alongside which it is necessary to consider the various additional investment bank, private client, credit card and other major business unit components that sit within the same group.

Click here to view table.

Some of the legacy systems still used in UK banks are decades old, were set up for batch-based branch banking, and may generally not be fit for purpose in the 24-hour roles that they are now required to fulfil. For a number of reasons, including recent global economic conditions, there has understandably been little appetite on the part of banks to break structures down and build new, holistic systems. Arguably, the 'cobbling together' of old parts and the addition of new, has been the cause of a number of high profile failures in customer-facing systems in recent times.

This situation also makes troubleshooting a more difficult process when things do go wrong, as the patchwork of programming languages, hardware and fixes mean the specialisms and requisite knowledge of systems amongst technical staff to address issues, are as nebulous as the range of issues to which they are attending.

Third Party Outsourcing

In seeking to remedy this situation and avoid the adverse publicity-generating outages that have made front page news in recent years, one option is to migrate services onto third party systems, including the cloud. The key for banks is in determining what functionality they are good at, or see as 'core' - and so still want to manage themselves; and splitting that which can effectively be outsourced to drive efficiency through scalability, cost savings and service improvement.

This decision can be made as part of a wider strategic review: greater automation, broader functionality and better performance can be achieved through a third party outsourcing, but key parts of the estate that give a bank its competitive advantage may be best kept closer to home.

However, there are risks when shifting activities to third parties. The regulator's own view of what constitutes a 'material' outsourcing for a financial institution has also developed as the critical nature of IT services becomes better understood, such that hosting or desktop services that may have been 'non material' five or ten years ago may be 'material' today. Contractual levers to incentivise performance and 'punish' shortcomings are essential, given the application of the Systems and Controls (SYSC) 8 requirements in the FCA Handbook, under which critical or important outsourced functions are still fully the responsibility of the outsourcing financial institution in question.

Some of the key considerations to have in mind are:

  • Data protection - the proposed General Data Protection Regulation may see a substantial increase in potential fine levels for data breaches, and reputational damage can be very serious. As a result, it is common to see unlimited indemnities given by service providers for data breaches.
  • FCA and other regulatory breaches - though, as above, under the SYSC rules banks may not be able to absolve themselves of responsibility, any regulatory fines should be covered on an indemnity basis, where they are incurred as a result of failures by a service provider.
  • Reputational damage - reputational damage can be difficult to establish and quantify, though it is one of the most damaging parts of a service outage, as such incidents seldom fail to make front-page news. As a result, banks should consider a means of benchmarking reputational impact, and using a scale whereby service credits or damages are awarded for negative impacts, and potentially money goes the other way where a bank's reputation for the service provided tangibly improves.
  • Service continuity - since there is no 'quiet time' for banks, continuity of service is one of the most important metrics in a hosting agreement. These should be properly documented in service levels, and audit rights, disaster recovery services, exit assistance and so on should be built around it to ensure that loss of profits and reputational damage is not incurred as a result of outages.

Transform?

Banks need also to consider transformation of their legacy estate. Since this may involve the elements of the business seen as 'core', the risk of such transformation could be perceived as being equally high or higher than the third party outsourcing of the non-core elements, and so transformation will also involve specialist third party input.

A report by Capgemini found that 53% of financial services IT budgets now focus on new application development initiatives, with little left over for a 'big bang' transformation of legacy back-end infrastructure onto a more suitable platform. Chronic underinvestment in back-end systems (as a result of squeezed budgets) and a focus on 'sexier technologies' such as mobile app functionality, have arguably led to a patching and layering approach and a reluctance to make a large investment for a medium- or long-term gain.

Ultimately, significant cost savings and performance gains may be achieved through transformation. Contracting with a third party, appropriately incentivised to successfully achieve the transformation of existing systems, is a potential option in order to reduce the cost, risk and time required in achieving such transformation, that will support a bank in its business mission of operating safely and successfully with the 24/7 demands that are placed upon it.