Tech & Trading | October 1 2012

When upgrades become meltdowns: the dangers of replacing core systems

New retail banking technologies and regulatory requirements are forcing banks to replace their core systems, but such upheaval is leaving many institutions exposed to serious risks.

It has been noteworthy that many banks and exchanges have been facing computer failures recently. There appear to be more and more of them, the most high-profile being the payment problems at Royal Bank of Scotland, where, for some customers, basic transactions could not be processed for almost a month.

There have been many more institutions experiencing problems over the past three years, however, from the National Bank of Australia to Nasdaq, and it may get worse. What's going on? It appears that the issues arise for one of three reasons:

  1. Old technology is unable to cope with the modern world.
  2. Upgrading legacy systems and screwing it up.
  3. Running systems that are fit for purpose, but hide known risks.

The need for change

The first category is the one that will occur more and more often, as banks have so many legacy systems across their core back-office operations. It is far easier to change and add new front-office systems – new trading desks, new channels or new customer service operations – than to replace core back-office platforms, such as deposit account processing, post-trade services and payment systems.

Why? Because the core processing needs to be highly resilient; 99.9999999999999999999999% and a few more 9s fault-tolerant; and it needs to be running 24 hours a day, seven days a week. In other words, these systems are non-stop and would expose the bank to serious failure if they stopped working.

It is these systems that cause most of the challenges for a bank, however. This is because, being core systems, they were often developed in the 1960s and 1970s. Back then, computing technologies were based upon lines of code fed into the machine through packs and packs of punched cards. The cards would take years to programme and days to update in batch.

Tens of thousands of lines of code would inter-relate in modules that would mean any change to any minutiae in any single line of code would rip through the rest of the programme and potentially corrupt it. That is why banks would not change or touch these systems, and is the reason why, once they were up and running and working, they would be left to run and work non-stop. “If it ain’t broke, don’t touch it,” was the mantra.

The systems were then added to layer by layer, as new requirements came along. ATMs were added, then call centres, and then internet banking. And the core systems just about kept up.

This process is less true in the investment world – where many systems were replaced lock, stock and barrel for that old bugbear Y2K – but the retail bank world let its core systems become so ingrained and embedded that changing, replacing or removing them became sacrosanct.

Reducing risk

Then the world moved on, and technology became a rapid-fire world of consumer-focused technologies. Add to this the regulatory regime change, which would force banks to respond more and more rapidly to new requirements, and the old technologies could not keep up. Finally, the technology had to change.

This is why banks have been working hard to consolidate and replace their old infrastructures, and why we are seeing more and more glitches and failures. As soon as you upgrade an old, embedded, non-stop, fault-tolerant machine, however, you are open to risk. The 99.9999+% non-stop machine suddenly has to stop. That's the issue.

A competent bank de-risks change by testing, testing and testing, while an incompetent bank may test, but not enough. Luckily, most banks and exchanges are competent enough to test these things properly by planning correctly through roll-forward and roll-back cycles.

The real issue with an upgrade or consolidation though is that it has to be done more and more frequently due to the combined forces of regulatory, technology and customer change. The mobile internet world squeezes and exposes the legacy on the one hand – this is why many banks have struggled to incorporate mobile services with their internet banking services – while the global, European and national regulatory requirements are placing further pressures on the core processes as well.

Just look at the erosion of processing fees thanks to the Payment Services Directive and the Durbin amendment to Dodd-Frank, or the intraday and soon real-time margin calls for collateralisation under European Market Infrastructure Regulation and Dodd-Frank, if you want to see how that changes things (not to even mention Basel III).

Finally, assuming you managed a successful migration to the new world, there are still massive exposures to risk. In this case, these are known risks that are hidden, as was shown by the Knight Capital issues.

For example, 10 years ago the company had a very similar trading issue but managed to avoid losses as officials agreed to void the unintentional trades. This time they did not and it just goes to show the danger of bringing new systems online that are not fully tested or programmed properly.

The bottom line is that we live in a world where technology drives our markets and yet the fear of changing technology is killing us.
