How resilient is your internet banking?

Midnight downtime maintenance is fine – anything else is not

There are usually some stressed cries from Moneyweb readers whenever we report on the banks. The comment section always contains a wail or three about the fragility of a bank’s online system, its downtime and unreliability. “It’s always offline, counter-intuitive design, so slow, not sure if the transaction went through, can’t log in, kicks me out, call centre doesn’t have a clue…” With social media, banking outages can be in the public domain before the bank itself even knows it has a problem.

IT issues are not limited to internet and mobile offerings, and those who still visit branches can recall systems going down at inconvenient moments. And it’s not just a local thing – UK customers recently endured downtime courtesy of state-backed Lloyds and RBS, as well as NatWest and Ulster.

John Lyons, PwC UK Banking/Technology Resilience partner, gets straight to the nub of why banking systems are not as resilient as they should be. Firstly, he goes back many years to the legacy systems designed in the 1960s and 70s. Unbelievably, these are still functioning today and are often at the core of banking systems. Banks have then plopped their newer digital channels on top of these historic designs. Added to this is complex growth in the banking industry, as well as acquisitions which have not always been cleanly integrated. Financial institutions are now sitting with a complex IT state which is exceptionally difficult for them to navigate.

The second culprit contributing to IT weakness is a lack of reinvestment in technology. Since the financial crisis, banks have been under huge pressure to deleverage balance sheets and bring down expenses. Lyons notes that when IT costs are reduced, head count gets shaved and certain functions get outsourced and offshored. With these changes, knowledge of the legacy system walks out the door. And with poor to incomplete systems documentation, there are few people left at the bank who have a holistic understanding of the entire IT system.

In a live Q&A webcast, Lyons observes how banking customer standards have changed dramatically over the past few years with the development of mobile and digital offerings. He notes that banks now offer 24/7 ability to transact, so customer expectations are heightened. This trend will continue as banks introduce further applications in an effort to be more customer-centric.

In order to solve outages, reduce IT risk, strengthen system resilience and increase customer confidence, Lyons says that a mind-set change is required. Instead of seeing IT resilience as an IT issue, it must rather be viewed as a business matter. It is certainly a concern to be addressed at the highest board level, and not limited to the chief technologists.

Also key is for a bank to determine its risk appetite for outages. Lyons cautions that if the tolerance level is set at no downtime whatsoever, the outlay required will be considerable. Again, he emphasises that determining acceptable residual IT risk should be a business decision, rather than one solely for the IT department.

Another important issue is how to manage outsourced functions. Lyons urges the banks to avoid focussing only on the obvious and large-value third-party service providers. With the rapid change in technology, there are now some small contractors who provide critical services at crucial points, and banks have to assess and manage the risk associated with these make-or-break functions.

Yet a further problem is that when IT systems do go down, all too often short-term solutions are used as permanent patches. PwC cautions that corrective action needs to be sustainable and that bolt-on quick-fixes are not acceptable.

PwC highlights that IT disruptions affect the stability of the banking sector and have a knock-on effect throughout the greater economy. In the UK, they are of huge concern to politicians and the supervisory authorities. The UK regulator is going all out on driving banking IT resilience and demanding answers from the highest level of banking management. It is becoming tougher and far more intrusive and prescriptive on what it wants from banks regarding robust IT design and the benchmarks they must meet.

Lyons also points to Germany and Singapore where regulators have taken an audit-based approach to managing IT risk in the banking sector. Have we reached a point in SA at which banking IT resilience – at the very least, for the frequent offenders – should become a focus issue for our local oversight bodies?


