How UK banks are flirting with IT disaster

Summary: The continuing NatWest debacle has highlighted the IT systems risks faced by British banks, springing from a lack of investment in back-office staff and a reluctance to abandon legacy systems

TOPICS: Security

The systems meltdown that hit NatWest customers is an accident waiting to happen to many UK banks, analysts have warned, as financial institutions try to balance cost-cutting with the need to modernise their IT.

The IT glitch that disrupted banking at NatWest, Ulster Bank and other companies owned by RBS over the past week highlights the risk of systems failure facing British banks in general. That risk stems from a lack of adequate investment in business processes, and from the conflicting pressures of modernisation and austerity, analysts said.

"In some of the banks the cost-cutting pressure is quite big — there are targets to meet," said Freeform Dynamics analyst Martha Bennett. "I have spoken with existing and former IT people in some of the larger banks who are saying they are just waiting for a disaster to happen."

"It's easy to cut corners when you don't see an immediate effect," she added.

Major banks have carried out back-office consolidation of previously separate teams, piling more workload on individuals, she noted. In addition, the teaming-up of employees around the world who may not have worked together before is common practice.

"I know of some cases of doubling the number of servers someone has got to administer, combining two back-office IT departments into one, without necessarily doing a proper assessment of whether the skills are actually the same when you combine these two things together," Bennett said.

Bennett said she didn't want to single out RBS, which has performed back-office consolidation.

"Frankly, I can see it in all of them," she said. "If you talk to some of those IT guys over a drink, they will probably tell you: 'There but for the grace of God go I'."

RBS has not confirmed the cause of its IT meltdown, but some reports have focused on outsourcing or offshoring as a possible cause. In RBS's case, it's likely that off-shored teams around the world have been put together without adequate recovery processes having been put in place first, Bennett suggested.

"It's having distributed teams where there's likely not to be a sufficiently resilient process," she said.

Legacy woes

In addition, IT professionals in the financial services industry are being put under pressure to make efficiencies where they can — migrating to fresh technologies, for example.

Chris Skinner, a banking technology strategist at Balatro, noted that many UK banks are still operating on legacy systems, but are under intense pressure to provide modern services such as online and mobile banking. The problem here isn't a lack of investment — banks spend more on IT than almost any other industry — but the threat of failure while migrating to new systems.

"[Banks] are stuck in a Catch-22," Skinner said. "They've got systems that are very old, but they haven't replaced them — they are highly concerned about the risk and exposure to failure. The longer legacy systems exist, the more likely they are to cause problems, by not being able to keep pace with things like mobile payments."

He noted that the pressure to update systems is coming from the retailers and the banks' customers, who want 24-hour mobile and online payment services. Retailers are particularly interested in payments via smartphone apps, which leads to increased demand for payments processing.

This shift needs to take place in a banking industry that still has not adjusted to a change to its payment-clearing system introduced in 2008, when VocaLink brought in real-time rather than three-day clearing of payments, Skinner said. In addition, regulatory change in payments processing from Brussels has put pressure on banks to alter their payments systems.

Despite this, some institutions will hang onto their legacy systems as long as they can, because they work and they aren't causing problems.

"There are bank systems out there that are still operating at the back-end in pounds, shillings and pence — old currency," Skinner said.

Delaying migration

When banks bite the bullet and make changes, they normally have disaster recovery plans in place to prevent customers from noticing, he noted. These don't always go according to plan, however.

For example, Santander migrated its systems across to a new platform, but scored low on customer satisfaction during the process, Skinner said. For three months in 2007, Abbey customers weren't being issued with debit cards. Santander denied that its computer systems were at fault.

The bank takeovers of the past several years have also put a crimp in the move to new technology. When Lloyds and HBOS merged, for example, the two institutions moved to using Lloyds's legacy systems, and the same happened in the RBS-NatWest merger, according to Skinner. This path offers the least risk, but does not set banks up for the future.

"Right now, Lloyds is looking at future migration. But it's not going to happen, because the systems are working. They are robust and resilient," he said.

This lack of movement means British banks are falling behind their international counterparts. For instance, Germany's Deutsche Bank, Bank of America and France's BNP Paribas have all moved their core payments systems to new, global platforms in the last decade — giving them a competitive advantage, Skinner said.

Overall, British banks need to find a way to keep their IT systems' lights on, while balancing legacy, economic and regulatory pressures. They need to grasp the nettle — give their IT departments more resources and manage changing processes effectively — or face RBS-style disruption.

Tom Espiner

  • I wonder how much of RBS's misfortunes are less down to their reliance on big iron and more down to a lack of skilled management able to keep it all hanging together. Management expertise is more not less essential when, like RBS, you diversify your workforce through outsourcing.
  • One reason they stick to the old systems, and probably the very reason that the newer ones fail, is that we used to do a load of hands on testing BEFORE letting stuff go live.
    The modern culture of a quick and dirty system that can be written by any spotty nosed graduate or foreigner is just not good enough for 24 hour online stuff.
    Yes the banking systems ARE old and do need replacing, but not with systems designed by marketing people.
    This sort of thing needs proper integrated design by IT professionals whose target is resilience NOT speed of delivery.

    Yes a lot of the bank's programs will probably still have my name on them from the 20th century.
  • Nothing wrong with the idea of a mainframe: it seems perfectly suited to what banks do.

    Bit more concerned about batching transactions, but I can't help thinking that any company that sacks a few thousand committed (and they must be, they have been there years) specialist veterans to save money then pays the directors far far more than the amount saved as a bonus really needs to look at their priorities.

    Harvey's second law of economics: That which is cheap is generally very nasty!
  • Care should be taken to avoid the assumption that old systems are automatically bad and must be replaced. It is their fitness for purpose that needs to be measured, not their age. As one CIO I know puts it, “this isn’t a legacy system, this is my core business”. Systems generally fail through lack of management attention and inadequate funding needed to enable IT to grow to support wider business initiatives.

    So-called legacy systems provide today's core business functions for a variety of “new technologies” such as, in the case of financial services, online banking and trading systems, mobile banking and so on. Organisations have found the tremendous value of reusing tried and trusted mainframe COBOL systems to support changing business needs. In fact, COBOL successfully supports the majority of all global transactions today.

    The challenge is to provide mainframe-based IT services as efficiently and cost-effectively as possible, and as quickly as the business (and end users) demand them. New generation technologies such as those provided by Micro Focus help address many of the challenges faced by mainframe (and other) organisations, based on the premise that exploiting systems that already work well today is a faster and lower-risk route to success than any possible alternative. If you want to build a conservatory, you don’t knock your house down first...