

By Rob Lamb, Cloud Business Director – UK & Ireland for EMC

Almost lost amongst all the media coverage of the Forex scandal and the record-breaking fines the regulators have levied on the five banks involved were just a few column inches about another record-breaking fine. Ulster Bank has received the largest fine ever imposed by the Central Bank of Ireland for its 2012 meltdown that left customers unable to access their accounts for a month. There is likely to be further sanction on Ulster Bank from the UK’s Financial Conduct Agency for the impact on customers in Northern Ireland. The investigation found “systemic weaknesses” in the management and governance of Ulster Bank’s IT, and those weaknesses meant the bank did not have a proper understanding of the IT infrastructure on which its business operated. The risks associated with the infrastructure and the software used to process customer transactions were not well understood, and there wasn’t an appropriate contingency plan in place to enable the bank to recover quickly from an incident. All in all, not a pretty picture, and in a sector that is ever increasingly IT reliant, and where reliability and customer confidence are critical, this seems a woeful list of failings.

But Ulster Bank are not alone – in August the European financial regulators, probably because of the Ulster Bank incident, published a report on the risks and vulnerabilities in the EU Financial System and actually called out IT risk as an area needing focus by both the financial institutions and the supervisory bodies. “IT risks in banks and other financial institutions do not yet appear to be sufficiently understood. Institutions should give increased priority to related risks and reinforce IT controls and audits covering all parties along the value-added chain of IT (e.g. IT-service providers, third-party providers and IT-outsourcing providers).” The report specifically calls out that the supervisory bodies need to up their game with an increased focus on, and capability to address, IT-related risks. “It also appears that these risks are not yet recognized amongst supervisors, who should factor the mitigation of IT-related risks into regular risk assessments, including IT inspections with the necessary scope and depth.”

While the report understandably highlights cyber security threats as a significant area requiring focus, it also highlights the need to focus on IT infrastructure and policies – and they are right to do so. IT risk reduction isn’t just about the technology; it is just as important to ensure that the people and processes are up to the task.

Sadly, I’m not surprised by the findings at Ulster Bank or the European Banking Authority’s report. The need to focus on the IT risks is, in my view, long overdue. In 2012 I wrote that regulation of the financial sector should be looking beyond the balance sheets of organisations and ensuring that IT is being run in line with good practice and that undue risk isn’t being taken. The financial sector has historically preferred to spend on activities that will add to the top line and in many cases hasn’t been paying enough attention to the back-end systems. Many infrastructure components are aging, often on extended support, even end of life in some cases – in the desire to sweat assets and reduce costs. Systems have become overly complex through being “slammed together” during M&A activities with little thought as to how to ensure resilience or facilitate recovery in the event of a major problem.

But it isn’t just a technology problem; it is an organizational culture issue too. The IT organisations in some banks are huge, with as many freelance contractors as permanent staff – you can’t have effective objectives and control in such a model. There is often a significant disconnect between the Procurement organisation and IT around the definition/perception of “value to the business”, and IT architects and engineering teams who, in the belief they are “special”, invent testing scenarios and “proofs of concept” that aren’t adding any business value to the organisation. Such behaviour is, in reality, a barrier to innovation and the delivery of new services and capabilities to their customers. Other regulated business sectors don’t do it. Engineering in other sectors is about end-to-end solution creation and having a strong business understanding to convert requirements into technology design; not trying to pad CVs by “playing with toys” or creating DIY IT infrastructure when the requirements can be met off the shelf. The IT requirements of the finance sector aren’t really that different from other transaction-based enterprises. They have only become more complex because the culture and behaviour have let them, and have become so by bolting on solutions rather than rationalizing each time they acquire a new business.

This has to change, and the financial regulators also have to increase their capability/expertise to identify IT risks in the organisations they supervise. Asking closed questions from checklists like “Do you have a DR plan?”, allowing the respondent to simply answer “Yes” while knowing full well it hasn’t been tested and probably wouldn’t work (I know this has happened), isn’t enough. Supervisors have to be IT savvy enough to challenge behaviour. The “We’ve always done it like that” approach cannot be allowed to continue. Yes, they are large, complex organisations and change takes time, but the people, processes and technology capabilities of the banks have to be brought up to date.