UK regulators: We will be CHECKING UP on banks' IT systems

UK regulators are to conduct a review later this year on how banks and building societies are managing the risk of IT outages affecting their business. Details of the review were contained in the Financial Conduct Authority's (FCA's) new business plan (52-page/4.56MB PDF). The FCA will undertake the review together with the …

COMMENTS

This topic is closed for new posts.
  1. Stretch

    mmmm Legacy

  2. Anonymous Coward

    "antiquated nature of bank IT systems"

    I wish there were some clarification of this point.

    I've said before that I feel it must be the "business processes and systems" that may appear antiquated, not the overall OS and tin. If my feeling is correct, I wish the analysts would point this out, rather than using over-generalised statements.

    I would much prefer my bank accounts to be handled by a recent model mainframe and adequately patched operating system than any farm of enterprise grade Windows or even Linux servers (I might trust proprietary UNIX systems, but I'm biased). I still value the engineering and reliability of a Sysplex'd System Z over any complex software clustering of cheaper systems. I just distrust the reliability of software, and the more extensive and complex a software solution is, the less I trust it.

    Layering software on top of software on top of cheap hardware to try and replicate a properly resilient hardware platform means that the chance of understanding a large failure when it happens (and it will!) becomes a herculean task, and I don't believe that the software expertise to perform these investigations is likely to exist in this modern FM-outsourced-devolved support model that is being forced upon the industry by aggressive cost-cutting and short-sighted bean-counters.

    It'll all end in disaster, even more than we saw with RBS.

    1. Mad Chaz

      Re: "antiquated nature of bank IT systems"

      By antiquated, they mean systems that are over 10 years old, running operating systems that haven't been patched in about as long and code that is so old no one even knows the programming language they were written in anymore.

      We're talking systems that were never meant to have connections to the outside world being accessed over the internet too and lots of them. And let's not forget the ATMs still running unpatched windows XP or older. (I saw one crashed to a windows 2k desktop not even a month ago here)

      So by antiquated, they mean exactly what the definition says.

      As to why they don't get it together to fix it, the fact that the fat cats at the top see no financial penalty for doing a crap job probably has more to do with it than any kind of budget issue. It's not like the banks have trouble turning a profit.

      1. Anonymous Coward

        Re: "antiquated nature of bank IT systems" @Mad Chaz

        That's simply not true. Most banks' core IT systems are recent and patched. At least they are in the three major banks I've either worked in or had dealings with the IT departments.

        You are perpetuating the myth that banks are still running systems from before the Millennium. They're not, and this is mainly because they see the economic value in not paying the high maintenance costs of old hardware and software (as well as their license obligations).

        Whilst I may agree about things like having Windows as the OS on ATMs, do you really think that there is any economic validity in replacing the thousands of ATMs that are running XP, eComStation/OS2 with hardware capable of running Windows 8? As long as it is supported and patched, they should be adequate.

        I would guess that most ATMs use XP Embedded, which is still supported, and are so far from the Internet that most infection vectors cannot be used (poor engineering of USB ports aside).

        On the subject of the 'fat cats', they do see the value of not being one of the execs of a bank that lost its banking license as a result of breaching the conditions. That tends to limit the options said person has of getting the next fat cat position, so has a direct financial impact on them.

        One major bank I worked in during the first decade of this century suspended pretty much all non-regulatory work on their IT systems for several months in order to audit and update the firmware, OS and software patches of almost their entire IT estate. This was as a result of one of the directors suddenly realising that they would be directly in the firing line of an external audit checking the patching level of the systems. So at least that bank (one of what used to be called the 'Big Four' UK banks) is nothing like your description of a bank. And it was not actually that bad before, with the majority of the estate having a quarterly update cycle.

        So go spread your FUD on another subject.

        1. Anonymous Coward

          Re: "antiquated nature of bank IT systems" @Mad Chaz

          "You are perpetuating the myth that banks are still running systems from before the Millennium. They're not"

          They most certainly are, I'm afraid, at least in their core processing, and that's from my experience of two of the "Big Four".

    2. Anonymous Coward

      Re: "antiquated nature of bank IT systems"

      Not sure that I can agree on this. The mainframes (ie the hardware) are indeed very reliable, but what runs on top of them is for historical reasons often not reliable. The amount of money invested over the years in these monsters is enormous and replacing those systems is probably not doable, both from a technical and economical point of view. I've been banking for years with banks that do not use mainframes and as a customer I have never experienced a single failure, even at times when merges have taken place. And I believe this boils down to the fact that the apps are written using modern languages and techniques, instead of being stitched together using Cobol and sort programs, which is often the case in the mainframe world. Another risk with mainframes is that many of those with a solid mainframe background are now reaching retirement age and are difficult to replace. And on top of that you have the constant outsourcing, where companies are trying to cure this headache by passing it on to somebody else. Well, I can only wish these banks good luck while trying to live up to the regulators' requirements.

    3. Steven Jones

      Re: "antiquated nature of bank IT systems"

      Concentrating on the underlying hardware and OS rather misses the point. Certainly you can run rock-solid IT systems on mainframes, and characterising them as "antiquated" actually tells you nothing about the underlying resilience of the applications. However, even the most reliable and robust systems can be undermined by poorly trained and managed staff. It shouldn't be forgotten that the 2012 RBS outage was not due to dodgy Windows XP, Linux or UNIX systems, but a problem with the support and maintenance processes of good old CA-7 on a mainframe system. It's not that CA-7 or Z-OS is fundamentally unreliable, but a failure in good operational and support practices.

      The real issue is that, in the drive to reduce costs and roll out new features, that what is being sacrificed is the quality and experience of operational, technical support and IT management staff and resources. If good practices are not maintained, then even the most reliable hardware in the world will not prevent catastrophic outages.

      1. Anonymous Coward

        Re: "antiquated nature of bank IT systems" @Steven Jones

        I think your comment about the application reliability matches what I said. My original point was that there needs to be a qualification between the 'business systems' (which I define as the banking applications and processes) and the operating systems, middleware and hardware.

        I was defending the latter, not the former.

        Your "quality and experience of operational, technical support and IT management staff" matches my statements about cost cutting and outsourcing.

    4. Anonymous Coward

      Re: "antiquated nature of bank IT systems"

      It'll all end in disaster, even more than we saw with RBS.

      Ah dunnoh - Crummy IT systems probably limited the RBS to a few frauds per second; if they had been truly efficient, things would be much worse.

    5. Guus Leeuw

      Re: "antiquated nature of bank IT systems"

      Dear Anonymous Coward,

      have you ever worked in a large scale organization with two camps within the business constantly fighting each other and one obviously almost always winning?

      One camp is manned by people who have an interest in the service running on antiquated IT systems. The other camp is manned by people who have an interest in robust IT systems upon which services can be run without hassle.

      Take this one: a telco has to allow the transition of numbers to and from its network. Not being able to do that carries fines. So some orgs put in systems some 13 years ago *and never touched them since*. Why? Because they are too important to the business success. Not running, these systems will cause fines upon fines, and potentially the death of the organizations.

      Or some banks running *critical* systems on an AIX version that even IBM doesn't know about anymore.

      Have you ever heard of the expression: "Never touch a running system"?

      Just my two cents,

      Regards,

      Guus

      1. Anonymous Coward

        Re: "antiquated nature of bank IT systems" @Guus Leeuw

        Not sure exactly what you mean. Almost every place I've worked at in the last 34 years has had a tension between the costs of IT and its maintenance and the business benefits of said maintenance.

        I know that the business side of things is always reluctant to spend any money, but it is for the infrastructure side to point out to them what the loss of a critical system would mean to the business, and the task of the management to decide where the balance should be.

        The balance will be different for different organisations. For a small organisation, it may be an acceptable risk to keep old systems running, as long as the benefits outweigh the risks. One example of this is the XP-running CNC reports that Trevor Pott has recently posted. The cost of replacing the CNC outweighs the risks of running out-of-support systems, and as long as appropriate mitigation is applied, this can be a perfectly acceptable course of action.

        But in a UK bank, some of the policies are controlled by the FCA and other organisations.

        At its heart, it comes down to governance. It is quite clear that the regulations regarding holding a UK banking license mandate keeping the systems at a reasonable patch level, and this needs to be reflected in their operational procedures.

        Any UK bank that "runs *critical* systems on AIX version that even IBM doesn't know about any more" (which would have to be +20 years old, bearing in mind that you can still pick up patches for AIX 4.1 from fixcentral) is taking completely unacceptable risks, and deserves everything they get (I know, IBM will not provide new fixes or support for levels before AIX 5.3 without very expensive extended support, but saying they don't know about it is a bit over the top).

        But that's not my experience from work in and contact with the IT departments in three large UK banks, all of whom take compliance with FCA requirements very seriously. You may have a different perspective, but one contract I did in a UK bank was specifically to find old equipment so that a proper risk evaluation or upgrade plan could be sorted out.

        I did come across a couple of situations where there was a specific reason for keeping old hardware running (quite often the non-availability of a suitable replacement), but in every case, it was not caused by people burying their heads in the sand. There was serious consideration and risk evaluation performed, with the risks being properly evaluated, and plans in place to keep a service running in the case of software or hardware failure. In some cases, the ultimate resolution of the issue resulted in the complete withdrawal of a banking service, but this had to wait until an alternative offering was put in place.

        In fact, putting this in context, I understand that the earlier of the two problems at RBS was partly caused by a poorly implemented upgrade to one of the middleware components, with a poor implementation plan and an inadequate backout plan. That is a procedural and skill-related issue that RBS should be able to fix by ensuring they have the correct skills and governance, and nothing to do with the age or patching level of the software.

  3. Anonymous Coward

    I foresee a lot of documentation

    I'm sure all the outsourcing firms and consultants have documents saying everything is just great, but the only way I would trust them would be to watch them fail over from their active site to their backup site. I somehow doubt that will happen, however.

    Basically they are just asking for the Risk Assessment documentation that, as we all know, is churned out without much thought or testing.

    1. Anonymous Coward

      Re: I foresee a lot of documentation

      That's probably a little unfair. When banks do DR tests they generally do them well, in my experience. Can't speak for the customer-facing kit, but certainly the internal stuff was done well when I last did one.

  4. Anonymous Coward

    Kinda Missing the point

    In the grand scheme of things it doesn't matter if a few customers' accounts aren't updated or someone can't get cash out on a Friday night. They are a pain and reputationally damaging, but minor impacts in the grand scheme of things. If the next crash (and there will be one) causes a major sovereign default it will make the last crisis look like a storm in a teacup.

    What all the regulators should be doing is concentrating on the stability of the banks' financial and regulatory reporting as it's crushed under the weight of new regulation since 2007. New regulatory demand is all well and good, but when half the submitted answers come off fag-packet spreadsheets and are generated by rote processes offshore in the boonies, the integrity of it has to be questioned.

    If the regulators had any sense (and they receive their directions from politicians, so they don't), they would draw a line under the regulations as they stand today and concentrate on the current quality being produced, with withdrawal of banking licenses if they don't measure up within 3 years.

    And whilst they are doing that, start taking a look at hedge funds and insurance companies with much closer scrutiny, as that's where a lot of the iffier banking stuff has been offloaded to.

    Anon for obvious reasons.

    1. streaky

      Re: Kinda Missing the point

      Completely different issues, and frankly there's no reason they can't do both.

  5. David 45

    Antiquated?

    Bring back the quill pen, parchment and abacus, I say!

  6. pacman7de

    UK regulators conducting a review

    "UK regulators are to conduct a review later this year on how banks and building societies are managing the risk of IT outages affecting their business"

    Has any of the regulators ever actually worked in IT, on the shop floor, at the coal face, so to speak? Will this review consist of tonnes of paper reports?

  7. streaky

    Erm

    This has just become a thing after computers being a major part of the business for many decades now? Also enjoy your flights to India!

  8. TopOnePercent

    Dear FCA

    The problem is all the off shoring.

    Outages used to be minimal when IT was onshore in the UK. Sure, you’d get SMEs leaving teams due to bad management or lack of prospects or appropriate pay, but you could handle that by following best practices and enforcing standards.

    What we have now is more than a decade of relentless off shoring to India and other low cost locations. That was fine when it was just HR IT systems and the like, nothing mission critical. We passed that point about 6 years ago now, with ever increasing chunks of RTB and even BTB being sent where it can be done cheap, rather than done properly.

    Software critical to the UK should be built, supported, located, and maintained by people in the UK.

    Put another way, were I to tell you that you will crash into a wall at 100 mph, would you prefer to be in a Rolls Royce, or a Tata Nano?

  9. Ken 8

    Given that Barclays has made a load of IT staff redundant and has cut the rates for contractors, it's to be hoped their IT capabilities are properly assessed.

    1. Gordon 10

      to be fair Barclays

      Not that I want to be, but they went absolutely mental on recruitment last year; nearly everyone I knew who was looking to move went there, so this was always on the cards, so most of the stuff at Barclays is just cyclical. No comfort if you were one of the ones affected; the best thing to do is respond in kind by moving to someone else ASAP.
