By Rob Lamb, Cloud Business Director – UK & Ireland for EMC
Almost lost amongst all the media coverage of the Forex scandal and the record-breaking fines the regulators have levied on the five banks involved was just a few column inches about another record-breaking fine. Ulster Bank has received the largest fine ever imposed by the Central Bank of Ireland for its 2012 meltdown, which left customers unable to access their accounts for a month. There is likely to be further sanction on Ulster Bank from the UK’s Financial Conduct Agency for the impact on customers in Northern Ireland. The investigation found “systemic weaknesses” in the management and governance of Ulster Bank’s IT, and those weaknesses meant the bank did not have a proper understanding of the IT infrastructure on which its business operated. The risks associated with the infrastructure and the software used to process customer transactions were not well understood, and there wasn’t an appropriate contingency plan in place to enable the bank to recover quickly from an incident. All in all, not a pretty picture, and in a sector that is ever more IT reliant, where reliability and customer confidence are critical, this seems a woeful list of failings.
But Ulster Bank are not alone – in August the European financial regulators, probably because of the Ulster Bank incident, published a report on the risks and vulnerabilities in the EU financial system and explicitly called out IT risk as an area needing focus by both the financial institutions and the supervisory bodies. “IT risks in banks and other financial institutions do not yet appear to be sufficiently understood. Institutions should give increased priority to related risks and reinforce IT controls and audits covering all parties along the value-added chain of IT (e.g. IT-service providers, third-party providers and IT-outsourcing providers).” The report specifically states that the supervisory bodies need to up their game, with increased focus on, and capability to address, IT-related risks. “It also appears that these risks are not yet recognized amongst supervisors, who should factor the mitigation of IT-related risks into regular risk assessments, including IT inspections with the necessary scope and depth.”
While the report understandably highlights cyber security threats as a significant area requiring focus, it also highlights the need to focus on IT infrastructure and policies – and they are right to do so. IT risk reduction isn’t just about the technology; it is just as important to ensure that the people and processes are up to the task.
Sadly, I’m not surprised by the findings at Ulster Bank or by the European Banking Authority’s report. The need to focus on IT risks is, in my view, long overdue. In 2012 I wrote that regulation of the financial sector should look beyond the balance sheets of organisations and ensure that IT is being run in line with good practice and that undue risk isn’t being taken. The financial sector has historically preferred to spend on activities that add to the top line and in many cases hasn’t been paying enough attention to back-end systems. Many infrastructure components are aging, often on extended support and in some cases even end-of-life, in the desire to sweat assets and reduce costs. Systems have become overly complex through being “slammed together” during M&A activity, with little thought given to ensuring resilience or facilitating recovery in the event of a major problem.
But it isn’t just a technology problem; it is an organisational culture issue too. The IT organisations in some banks are huge, with as many freelance contractors as permanent staff, and you can’t have effective objectives and control in such a model. There is often a significant disconnect between the Procurement organisation and IT around the definition and perception of “value to the business”, and IT architects and engineering teams who, in the belief they are “special”, invent testing scenarios and “proofs of concept” that add no business value to the organisation. Such behaviour is, in reality, a barrier to innovation and to the delivery of new services and capabilities to customers. Other regulated business sectors don’t do it. Engineering in other sectors is about end-to-end solution creation and having a strong business understanding to convert requirements into technology design, not trying to pad CVs by “playing with toys” or creating DIY IT infrastructure when the requirements can be met off the shelf. The IT requirements of the finance sector aren’t really that different from those of other transaction-based enterprises. They have only become more complex because the culture and behaviour have allowed them to, by bolting on solutions rather than rationalising each time a new business is acquired.
This has to change, and the financial regulators also have to increase their capability and expertise to identify IT risks in the organisations they supervise. Asking closed questions from checklists like “Do you have a DR plan?”, allowing the respondent simply to answer “Yes” while knowing full well it hasn’t been tested and probably wouldn’t work (I know this has happened), isn’t enough. Supervisors have to be IT savvy enough to challenge behaviour. The “We’ve always done it like that” approach cannot be allowed to continue. Yes, they are large, complex organisations, and change takes time, but the people, processes and technology capabilities of the banks have to be brought up to date.