How Regulation Can Help Bank Technology Outages
The recent system outages in banking systems point to an underlying and growing issue within banks. The impact of some of these outages has been so severe that it has led some to describe retail banks as IT companies with banking licenses. While this is an extreme view, the failures do highlight that the technology infrastructure at the core of banking operations is in a poor state -- another item to add to the list of regulator concerns.
Complexity creates systemic risk
Modern banking systems are complex, however the last two decades have seen these systems become even more so due to the significant number of mergers which has resulted in legacy systems being cobbled together via interfaces. Making matters worse, the last 4 years of financial turmoil has resulted in under-investment in technology by banks; the result is creaking and complex infrastructure. This is not an issue only facing banks in Europe; this is a global issue. In the first 6 months of 2012, there have been significant outages in the UK, US, and Australia.
Making the issue worse, banks are more interested in investing in systems that increase profit than in the infrastructure – i.e. the plumbing that keeps the system running. The recent, well-publicized outages in the UK resulted in missed payments, the inability to withdraw cash from ATMs and in extreme cases some could not purchase food at the market.
One response is to accept occasional outages, i.e. that they are unpreventable. People are fallible; therefore anything that people make is fallible also. However after living through quite a few technology outages, I believe that all of these outages were preventable, and this is backed-up by a recent study.
What is interesting is that historically the regulators of the two leading financial markets -- the UK and US -- have chosen to do little in the way of regulation with regards to these outages, other than to fine the offender, even though these outages have had a significant impact on public confidence. The UK and the US have historically taken a ‘light touch’ approach to banking technology -- choosing to focus on capital ratios and making sure that the banks are not helping out the ‘bad guys’ such as terrorists, drug dealers, and rogue states.
Singapore Regulator Response
Both the US and UK can learn from Singapore. In Singapore -- which already has a well-run banking environment -- the regulator known as the Monetary Authority of Singapore (MAS) continues to innovate and promote enhanced reliability and risk reduction. One innovation which is likely to pass into Singapore law this year will increase diligence and improve risk management practices at banks associated with the design, implementation and support of critical systems including how they report outages to regulators.
The MAS has the dual role of both regulating the Singapore banking industry but of also promoting Singapore as a safe place to do business. As we know from the recent financial collapses in the US and Europe - a stable banking environment is crucial for a well-functioning modern economy.
The following is a brief summary of the new MAS requirements:
- The new regulations apply to all financial institutions, interpreted to be local and international banks as well as insurance companies.
- All critical systems are to be placed in purpose-built data centers with associated separate disaster recovery arrangements.
- Threat, Vulnerability, and Risk Assessments (TVRAs) are to be performed on all Data Centers housing critical systems.
- All outages of critical systems must be notified to MAS within 30 minutes.
In the short term, Singapore Data Centers will upgrade their resilience to support those additional requirements. Banks in Singapore will mobilize to meet the new requirements and additional capital costs.
Over the medium to long term, it is expected that the cost-base for regulated entities will increase as they meet the enhanced requirements. One impact will be that banks will strive to look for infrastructure synergies through shared infrastructure or infrastructure as a service, i.e. cloud computing. The current view by the MAS of the cloud is unfavorable because it can be difficult to evaluate the risk. No estimates have come out yet regarding the cost of compliance to these new regulations but it will be more expensive for banks in Singapore and it will put pressure on US and European banks operating in Singapore who are still struggling to meet the new capital reserve requirements in their home countries.
The Singapore banking system did not come to the edge of abyss like the US and Europe in 2008 - undoubtedly the active role of the regulator in the Singapore market contributed to its stability. The US and Europe regulators should learn from the example of Singapore and consider the steps the MAS is taking towards the management of technology risk.
Dan Morris is a Principal Consultant and the Head of the Project Management Practice for ITPM Consulting. ITPM Consulting has offices located in London, Hong Kong and Singapore. Dan lives in Singapore.