Out-Law Analysis | 26 Jun 2013 | 1:33 pm | 6 min. read
Improving IT governance may require a wholesale review of existing relationships and contracts and is a massive and complex task but it is the banks' best protection against sanctions from financial regulators.
Banks are increasingly aware that they face a variety of problems in dealing with technology. Firstly, their basic systems are often many years old and were originally designed for a different world, a world in which banks closed to customers early in the afternoon, and had until the next morning to run essential processes and fix any problems in their systems. Second, most of the larger banks are the product of multiple mergers, each merger bringing with it a different legacy system which has to be reconciled with the existing systems. Thirdly, the businesses that banks operate have themselves become more complex, so that the systems are asked to do more, and at a faster rate.
None of these three factors is unique to banks, and these problems are faced by other large-scale users of IT, but the combination of the three puts banks under particular strain. The problem is so significant that it has an effect on major mergers - Santander pulled out of purchasing 316 RBS branches after deciding that it could not integrate the necessary IT systems. One of the benefits of Co-op's aborted purchase of Lloyds was intended to be the replacement of Britannia Building Society systems which Co-op had struggled to integrate with its own.
But the factor that has brought the banks' IT issues very firmly into the public domain, and has led to the most damaging publicity, is the banks' exposure to the 'always on' culture. Market pressures have led to all major banks offering 24 hour banking on computers, tablets and mobile phones and to some offering apps that transfer money directly between accounts.
The attraction of these offerings to the banks' customers is their simplicity and convenience, but the customers' simplicity and convenience comes at the cost of an additional layer of technological complexity. Apart from the fact that this complexity can expose the bank to new risks, as the Bank of England has warned, what ratchets up the pressure further is a change in customer behaviour. The customer who has 'bought' convenience may introduce changes to his way of interacting with the bank. He no longer has to plan his transactions in advance and ensure that he leaves time for those transactions to be processed: he can leave his critical transactions to the last minute knowing that the bank is 'always on'. This means that when bank's systems fail, the failure has an immediate and very public impact on its customers and their businesses.
So what can a bank do? The superficial solution might seem to be to replace all legacy systems with shiny new systems that are better adapted to the environment in which the bank now does business; but financial constraints, the risk to business and data that the disruption of a wholesale change would entail, and the rapid onward march of technology all make a 'big bang' solution impractical. So while most banks will incrementally adopt new approaches to IT provision, such as cloud, in their search to renew their systems, many of their existing systems, and supporting services are likely to continue in existence for several years yet.
If the solution does not lie in new equipment, where does it lie? In a single word: governance.
When IT failures emerge in any industry it is always tempting to look for a simple, single explanation, but while the subsequent investigation might find one proximate cause – a coding error or aberrant process – its focus often turns to the context in which the error occurred: why did the agreed procedures not prevent the introduction of poorly-written code or trigger a fail-safe routine that would contain the effects of the aberrant process? Why did the business not foresee the risk and adequately guard against it?
This approach is reflected in the attitude of regulators. The focus of the Information Commissioner's Office, for example, is rarely on the particular breach that has led to a leak of personal data but rather on the adequacy of the processes that were, or should have been, in place to ensure that such a breach did not take place. In other words, the focus is on governance and, where the service is reliant on third party suppliers, the implementation of the contracts that apply that governance to those suppliers.
With the recent suggestions that regulators should allocate more responsibility to individuals in considering remedies, a focus on governance could be seen as a massive disincentive to accepting executive responsibility for any aspect of IT. But if the right governance structures and processes are in place, and they are implemented consistently and with a proper degree of commercial rigour, the risk to managers and directors is decreased.
If governance has been implemented effectively, the failure can be seen to be caused, as it often is, by an inadvertent human error or lapse in concentration against which no practical preventative measures could have been put in place without disproportionate expense. Assuming there was some external involvement in the failure, the question then becomes one of contract rather than governance: who agreed to take the risk of such errors and how was financial responsibility apportioned?
So if banks want to manage their IT risks, there is little alternative but to manage their IT contracts as effectively as possible. The regulatory emphasis is undeniably correct: ultimately it is the banks themselves who are responsible for ensuring that their systems function effectively, that transactions are processed accurately and on time; and that their customers' data is protected. Large areas of responsibility must necessarily be entrusted to suppliers but it is the bank's responsibility to ensure that the supply chain is robust and that it is managed effectively. In short, it is the bank's responsibility to make sure that its contracts work.
Let us be clear about what we mean by making sure 'contracts work'. We are not saying that the bank must ensure that its suppliers perform their contracts flawlessly or that the contracts must cover the bank for all foreseeable financial consequences of breach. Contracts are the product of commercial negotiations and considerations of price, risk and market practice will place limits on the bank's ability to recover. But we are saying that the bank must show that it has managed its contracts as effectively as possible.
The task of making contracts work is rarely easy. First, the contracts may be inadequate for the bank's current business and contain provisions that do not reflect its current issues. Second, it may be difficult to determine what terms actually apply: the contracts may have been ignored since they were signed and current practice may bear little relation to what was originally agreed. Third, the relationship with the supplier may have become 'distressed' so that a constructive dialogue is difficult.
For all three of these issues, the solution is governance. Contracts should be regularly reviewed to ensure they remain fit for purpose. If current performance has drifted away from what was originally intended, there is a choice: change the contract so that it reflects current practice or, if current practice is not acceptable, agree an updated contract that reflects the parties' intentions. Both these solutions require the agreement of suppliers but maintaining a constructive dialogue with suppliers is one of the keys to successful governance. Distressed contracts should be tackled as quickly as possible. If necessary, back-up provisions should be put in place so that the fall-out from a major failure or dispute can be contained. And, most important of all, the revised or new contracts should be actively managed to ensure that both parties' performance meets the expected standard and fulfils the bank's objectives.
The emphasis on both parties' performance is critical. Not everything can be outsourced, nor can end-to-end responsibility for each essential process be neatly placed with a single supplier. Some responsibilities will remain with the bank that it must either perform itself or ensure that another supplier performs. And while apportioning risk to the party best able to manage the risk in question is a sound practice, it does not mean that, once apportioned to a supplier, the risk ceases to be the bank's concern.
Making contracts work means managing the totality of the contractual responsibilities, those that remain with the bank and those that are allocated to suppliers, and governance of IT as a whole involves viewing performance as a whole, including performance in those areas that remain internal to the bank, in order to ensure that all significant risks have been identified and are being actively and appropriately managed. This is not a foolproof guarantee against IT failures but it is a means of demonstrating, when those failures inevitably occur, that the bank took all reasonable steps to prevent their occurrence and minimise their impact.
Iain Monaghan is an IT expert at Pinsent Masons, the law firm behind Out-Law.com