Updating any long-standing core applications to ensure compliance has its own related challenges. This may include missing code documentation, concerns over internal resourcing, and data privacy risks. These challenges have led to a melting pot of complexity that has seen banks increase spend simply to 'keep the IT maintenance lights on.' JP Morgan recently announced that in order to support compliance demands it had grown its IT spend by 27% since 2011.
However, whilst the cost of updating such systems seems high, it is far more costly and prohibitively risky to rip out these systems and replace them with something else. In order to best support compliance requirements, banks need to consider a modernisation strategy that helps them to continually but gradually change and update their core business applications through software development and testing to keep up with business demands.
TRP: Why should banks go beyond 'keeping the lights on?'
DB: Spending on basic IT maintenance backlog and compliance does not move the business forward, yet it consumes the overriding majority of IT budget. Customers are demanding more business functionality, covering innovative technology such as cloud, mobile and new IT architecture. This new generation of customer is forcing banks to look hard at their IT strategy and how to reduce expenditure on maintenance so that they can invest in innovation.
However, minimising IT compliance spend can be difficult. The legal imperatives and regulations facing the banking world today are accompanied by unmovable deadlines and threats of punitive measures. HSBC, for example, was forced to a pay a $1.9 billion (around £1.25 billion, AU$2.4 billion) anti-money laundering fine last year. With deadlines usually locked and loaded, associated projects become high priority "must-haves" and budget "must-spends."
TRP: What IT development challenges do banks come across when attempting to meet regulatory deadlines?
DB: A lack of visibility into the applications, testing and coding can all add to the complexity of updating applications.
Understanding where to make changes can prove difficult, especially when up-to-date application documentation is missing. This impacts on how quickly in-house or outsourced developers are able to identify specific areas of code impacted by the compliance change. In-house regulations such as coding guidelines, standards adherence and quality metrics, and 'routine' change projects, are equally and arduously resource intensive.
The process of testing applications must also be carefully handled to avoid introducing new IT failures and breaching existing regulations. Testing can risk divulging personal employee information: a key element in de-risking IT to comply with new regulations is ensuring that applications are released and updated without the introduction of errors.
Whilst this is fairly well understood in the industry, many do not understand the fact that using production data to test those applications is a bad idea. A 2009 survey of over 1,300 US and UK development professionals revealed an overwhelming majority of respondents, including 80% of US respondents, use copies of production data for application testing purposes.
Test data can contain sensitive customer data, including passwords, which if pulled from company personnel for testing requirements, can place banks in non-compliance territory. Personal data leaked through a testing process not only breaches best practices but can represent a very high-profile failure in terms of regulatory compliance.
As the bare necessity, developers must rely on the code itself to help them understand where to make their changes. As many core banking applications have been written in COBOL thirty or more years ago, the original authors may have long since moved on taking the coding knowledge of the application with them.
TRP: How can a modernisation strategy improve compliance?
DB: IT leaders need a modernisation approach to compliance that will drive efficiencies and reduce cost in order to future-proof the banking industry. IT automation and application portfolio management to improve efficiency will be key.
