Bungled IT change is a leading culprit for outages and disruptions at U.K. financial institutions, and an over-reliance on legacy systems and outsourcing could make the problem worse, according to market participants.

Out of nearly 1,000 “material incidents” reported to the U.K. Financial Conduct Authority in 2019, 17% were attributed to IT changes gone wrong, according to a report published earlier in February. A heavy reliance on outmoded tech infrastructure is linked to a higher likelihood of failed changes, the regulator said.

Legacy tech comes back to bite

The FCA report found that 33% of firms surveyed relied mostly on legacy infrastructure, while 58% used legacy infrastructure for “some” functions. The FCA defines “legacy” as “an outdated application, technology or programming language that is still in use instead of available upgraded versions.”  The regulator also found that the higher the proportion of a financial institution’s IT budget went into change management, the more likely they were to achieve glitch-free tech changes. Those that dedicated between 50% and 75% of their IT budget to change management had the lowest proportion of change-related incidents.

The study is based on a sample of 23 firms, which carried out one million production changes over the course of 2019.

Louise Beaumont, entrepreneur, regulatory advisor and chair of the Open Finance & Payments Working Group at trade association techUK, believes that a stark gap will appear in the banking world between lenders that have modernized and invested in their technology, and those that lean heavily on legacy systems.  “We can expect to see customers suffering more frequent outages at those banks which are still lumbering up the curve, than at those banks which have crossed the chasm,” she said in an email.

High-profile bank outages have occurred frequently in the U.K. in recent years. In 2019, a NatWest Group PLC outage on Black Friday, an important shopping day, left customers unable to access their bank accounts, while a BBC study reported that bank customers were facing as many as 10 shutdowns a month. Barclays PLC racked up the highest number of outages of the big U.K. banks, reporting 33 incidents in the 12 months to the end of June 2019, according to the BBC. Customers of Lloyds Banking Group PLC, along with its brands Halifax and Bank of Scotland, were hit with an outage on Jan. 1, 2020, a bank holiday, which lasted for almost nine hours and left them unable to access mobile or online banking.

But there is hope that banks could become more adept over time at handling IT change, according to Beaumont. The coronavirus pandemic has “forced the pace of change” in banking technology, and this means that lenders are having to get used to making more frequent IT-related tweaks and upgrades.

“A bank might do several releases a week, whereas in the ‘before times’ they had an attack of the vapors at the thought of doing one a quarter,” she said in an email. “Just doing it more often has forced them to get better at it — practice does make, if not perfect, then a lot better.”

Third-party risks

Another risk factor is a lack of visibility over the activities of third-party tech providers, the FCA noted. Financial institutions regularly outsource tech functions to other companies, and 30% of development activity carried out by companies in the FCA sample was done by third-party teams.

The FCA is not alone in flagging the potential for risks to financial institutions introduced by outsourcing and the use of third-party service providers. This has been a hot-button issue for regulators around the world over the past year, with the Financial Stability Board launching a consultation paper on regulatory and supervisory issues created by outsourcing and third-party relationships in November 2020.

“IT applications and services [at financial institutions] often make use of multiple providers and systems spread across multiple sites which means the level of complexity the banks have to deal with is increasing,” Ali Moinuddin, managing director, Europe, at the Uptime Institute, an advisory organization that focuses on the performance and reliability of business-critical technology.

Because of the increasing complexity of financial institutions’ digital infrastructure, “single event” failures are becoming a thing of the past, he said in an email.

“Minor incidents cascade, failures of equipment or processes quickly escalate, frequently involving multiple facilities and IT systems, and often extending out into inter-dependent services and systems,” he said.

For Simon Taylor, head of ventures and co-founder at 11:FS, a fintech and banking tech consultancy, outsourcing has become a fact of life in financial services tech, but it has added complexity to change processes.  “Big banks spend far more time planning a change than a technology company has to, because their technology estate is so complex; and despite massive spending, it’s consistently outsourced,” he said. “The irony is, each time something is outsourced, more processes get added to manage the complexity. The size of the change then becomes bigger and so does the risk of failure.”

Cultural issues

The FCA is correct in identifying legacy infrastructure as a problem in the context of banks, according to Taylor. But banks’ approach to managing change is also an issue.

“The consistent rush to add new products, without senior leadership understanding the tech implications, has led to a massive tech debt and compounding quality issues and complications. Banks have seen tech as a cost to be managed rather than a competitive advantage,” he said in an email.

Source:  S&P Global