Since the Enron scandal and in the recent period of economic austerity, the public has borne witness to unprecedented scrutiny into industrial-scale problems. High profile banking outages – such as those reported at RBS, Santander, Barclays and HSBC – hand in hand with LIBOR rigging, PPI mis-selling and insider trading, has fuelled widespread criticism of the financial industry. This scrutiny, together with new legislative changes, has resulted in an array of new compliance measures such as ISO27002, Basel III, the Fair and Accurate Credit Transactions Act (FACTA) and the single euro payments area (SEPA). In order to support compliance requirements, banks need to change and update their core business mainframe applications through software development and testing. Yet related challenges including missing code documentation, a widening coding skills gap and data privacy risks have led to a melting pot of complexity that has seen banks increase spend simply to ‘keep the IT maintenance lights on’. JP Morgan recently announced that in order to support compliance demands it had grown its IT spend by 27 per cent since 2011.
According to research by Vanson Bourne, 590 global CIOs and IT directors estimate it would take an average of $11 million to bring their outdated mainframe applications up to date – an increase of almost a third (29%) from May 2012 when the figure stood at $8.5 million. On average, respondents expect their organizations to continue relying on mainframe applications for another ten years, with almost a third (32%) believing it to be longer than this. However, despite the perceived longevity of mainframe applications and mounting IT debt, the majority (81%) find it difficult justifying the expense of maintaining core applications and only 10% confirmed they are always successful in their justification. As a result, 51% of CIOs admit their business is exposed to compliance and risk issues.
It’s clear that supporting new and regularly updated regulations is no mean feat and as a result, banks continuously reconsider whether a complete IT infrastructure overhaul would prove more beneficial in order to reduce future failures and compliance issues.
In a climate of shrinking IT budgets, leaders need a new approach to compliance that will drive efficiencies and reduce costs in order to future-proof the business. This approach should include the use of automated application understanding, software development and test data software so that banks can find the right code, fix and test it quickly and efficiently, without exposing sensitive employee information.
Going beyond simply ‘keeping the lights on’
The burden of the existing day-to-day IT workload has never been greater and continues to grow. Spending on basic maintenance and compliance does little to really move the business forward, yet it consumes the vast majority of IT budget. Tech-savvy consumers are demanding cloud, mobile and new IT architecture, and this new generation of customer is forcing banks to look hard at their IT strategy and how to reduce expenditure on maintenance so that they can invest in innovation.
However, reducing IT spend on compliance is difficult. The legal imperatives and regulations facing the banking world today are accompanied by unmovable deadlines and threats of punitive measures. HSBC, for example, was forced to a pay a $1.9 billion (£1.2bn) anti-money laundering fine last year. With deadlines usually locked and loaded, associated projects become high priority ‘must haves’ and budget ‘must spends’.
Not complying is not an option, yet updating core applications to ensure compliance presents an array of challenges. So many of the world’s financial transactions are passing, in their billions, through code first devised some thirty years ago, meaning that often:
- Application documentation is missing: Understanding where to make changes can be difficult, especially when up-to-date application documentation is missing. This impacts on how quickly developers are able to identify specific areas of code impacted by the compliance change. Add to this the in-house regulations including coding guidelines, standards adherence and quality metrics, and ‘routine’ change projects can become arduous and resource-intensive.
- Coding skills gap: Developers must rely on the code itself to help them understand where to make their changes. However, many core banking applications are written in COBOL, whereas today’s software developer is trained in languages such as C# and Java. IT leaders often find their skill pool lacking for the task at hand.
- Testing can risk divulging personal employee information: A key element in de-risking IT to comply with new regulations is ensuring that applications are released and updated without the introduction of errors. This is fairly well understood in the industry. Less well understood seems to be the fact that using production data to test those applications is a very bad idea indeed. A 2009 survey of over 1,300 US and UK development professionals revealed an overwhelming majority of respondents, including 80% of US respondents, use copies of production data for application testing purposes.
Test data can contain sensitive employee data, such as payroll information, if pulled from company personnel for testing requirements. Personal data leaked through a testing process not only breaches best practice, but can represent a very high-profile failure in terms of regulatory compliance.
Find it, fix it and test it - the smart way
Using automation technology can create repeatable, effective steps for updating software when faced with the above challenges, driving efficiencies at every key stage. In doing so, banks are able to create a balance between lights-on and innovation projects, enabling development staff to focus their efforts more efficiently while fully understanding and managing the impact of the changes they make.
Find It: Embrace change and boost development efficiency
Application-understanding technology has been used to great effect on mass change programmes as far back as the year 2000. It has gone from strength to strength, forming the backbone of many organisations’ maintenance activities, including handling the change requests emerging from mandatory regulation. One such example is SEPA, which became a requirement for cross-border trading on February 1st 2014.
This technology helps business analysts work with developers to identify and isolate impacted sections of the application portfolio and provide a ‘single source of truth’ for all stakeholders, regardless of role or function. This increased insight impacts positively on risk and productivity, which can be scaled up to support more strategic IT planning and portfolio management initiatives too.
Help in finding where to make changes is also critical. Application-understanding technology provides developers with a ‘to do’ list, focusing them on impacted areas and dramatically reducing the learning curve associated with unfamiliar code. From there, the right technology enables developers to get the job done quickly and accurately, avoiding re-work and high-profile system failure.
Fix It: Wipe out the skills gap
The right technology to help close the skills gap is based on industry standards like Eclipse and Visual Studio, enabling the broadest possible pool of developers to be highly productive in the shortest possible time, whatever their background – COBOL or C#, mainframe or mobile. These environments bring huge productivity benefits through powerful editing, syntax correction and debugging features, and they present these features in a way that is immediately familiar to new arrivals. It means no matter what the required change, whatever the code, the task becomes straightforward.
Test It: Protect privacy through automated test data management
Effective test data management, including protecting sensitive data through various forms of automated masking, satisfies privacy regulation and removes the risk of personal information falling into the wrong hands when company property is stolen or mislaid.
Some organisations go even further, using those same tools to reduce the size of their data sets while keeping full referential integrity. By using smaller, more precise and secure test data sets, organisations can run their testing lifecycle in a shorter time, at a higher quality and with a lower cost.
Regulatory Change: A catalyst for innovation
Unless banks adapt their approach to regulation changes it will remain impossible for IT departments to service the needs of the compliance office and still satisfy the business innovation agenda. By introducing appropriate technology and, as Forrester analyst Tom Grant says, automating “anything and everything that can conceivably automate,” organisations can get ahead of the game – not just of compliance, but of their entire ‘lights on’ burden.
If teams use compliance as an opportunity for making improvements to team productivity it can act as a force for good in changing the way things are done. Only then will the CIO finally be able to generate the business growth the company needs and which IT can deliver.
 From an independent research survey undertaken by Vanson Bourne in May 2012.
By Derek Britton, Solution Marketing Director at Micro Focus