Ove Kreison, CTO at Tuum

McKinsey’s latest report on banking found that traditional banks are spending a whopping 85% of their tech budgets on maintaining legacy solutions, with just 15% going towards building anything new for customers.

‘Digital transformation’ has been the buzzword in banking technology for years, but the figures suggest there’s still a lot of ‘transforming’ left to be desired. Now we’re beginning to see the term ‘digital acceleration’ come to the fore, what does that mean for the state of banking technology? What is the difference between acceleration and transformation, and what should banks and other financial services players do to remain competitive?

Digital transformation – the second machine age which has taken an age!

The idea of ‘digital transformation’ didn’t come out of the blue. Banking – like most other industries post-WW2 – has been experiencing the ‘second machine age’ for decades, exploring how technology can digitize processes and services to make cost, operational and organisational efficiencies. All the while, this process has also made it far easier for companies to be more competitive with new digital products that are slicker, quicker and more user-friendly.

Banks have benefited from wherever they have had digital transformation to date – but it is the digital transformation of core technology stacks that is having the most impact and making banks realise operational efficiencies while making them nimbler to adapt to changing customer needs and remain relevant and competitive in a highly disrupted market.  Digital transformation to the core gives banks the ability to launch new offerings to market quicker, renovate and modernize business models, leverage and analyse data from multiple systems taking innovation of the more exciting front-end and customer centric offerings to the next level.  Faster speed to market,  highly personalised offerings, more agile, more scalable.

Success and progress to date, however, has been slow. Traditional banks especially are lumbered with highly complex and costly core technology stacks. Digital transformation and upgrading these core stacks still remains a priority, but the next wave of digital acceleration is now an urgent priority on the c-suite agenda to ensure banks compete and survive in a rapidly evolving industry.

Digital Acceleration vs Digital Transformation

Digital transformation at its core takes the existing ways companies have run their business and applies new technologies to digitize them – for example, taking a paper-based application process and making it online.

Digital acceleration is different. Here, digital becomes the very core of the business model, creating further new digital processes. It gives the power to not just make existing processes digital but to reimagine how those processes impact and improve the business. Some of the most forward-thinking banks are already doing this. BBVA, the second biggest bank in Spain, is actively and openly seeking to become a software company in the future and has digital at the heart of its offering. It embraced open innovation and new technologies to better serve its customers – for example, it launched an app-based money transfer offering, Tuyyo, in 2017. It’s also exploring how technologies like blockchain can be used to transform fundamental banking services such as loan origination, with the aim of improving the way it runs its businesses.

Co-Value Creation – Going it Alone isn’t an Option

A core facet of digital acceleration – especially in a highly mature and saturated market like banking – will be how banks, fintechs, enterprises and others collaborate to mobilise these more diverse capabilities and expertise, bringing mutual benefits to all parties.

The pace of technological change is so hypercompetitive to the point now where organisations cannot always sustain their competitive advantage or ‘do it all’. Constantly updating your offering to maintain market share and react to new demands has become a necessity for banks, but it is exhausting. More and more banks and FS providers are realising that the strategic resources and capabilities needed to deliver these innovative services lie outside of their business, and given the fast pace of change, developing everything in-house is unrealistic given the skills gap, time and cost constraints. Moreover, tech advances around integration and APIs mean collaborating with third-party experts has never been easier or more effective to bring capabilities that, combined with their own core offerings and customer data, provide an important competitive advantage and valuable proposition for customers.

One brilliant example of this is ING. Recognising the struggles associated with traditionally manual and paper-intensive trade finance processes, it launched a blockchain-based commodities financing platfrom Komgo in 2018 with a consortium of other banks and corporates like Société Général, Citi, and Mercuria. In an age of hypercompetition – mutually beneficial collaboration is the answer.

Transform, accelerate, create

Ultimately, banks can continue to digitally transform while also looking to digitally accelerate. In fact, the two go hand in hand; in order to reap the benefits and be able to consider platform co-creation and digital acceleration, banks need to transform their tech stacks from the core to have the capability and agility to think beyond the realms of their own core business and their own technology. Those that get it right by driving innovation from the core, are reimagining their business models for the digital age, tapping into new revenue streams and becoming more customer-centric are not only more relevant now but future proofed for digital acceleration of the future.

By Andreas Wuchner, Angel Investor of Venari Security

Introduction

If you consider the most significant motivating factors behind cyber-attacks – the promise of large financial reward and the opportunity to cause maximum business and social disruption – it’s little wonder that banks and financial institutions are amongst the most inviting targets for would-be cyber criminals. In fact, according to IBM’s recent report, ‘banking and finance’ was the most attacked industry for the five years between 2015 and 2020 – surpassed only by threats to critical infrastructure in recent years. Successful attacks can provide aggressors with a mass of sensitive personal and financial information, and even access to people’s money itself. Furthermore, a suspension of withdrawals and deposits can cause huge social disruption and reputational damage. 

As banks have reacted to years of new regulation and emerging technologies, they often operate with a hugely complicated and disparate technology estates. This provides malicious actors with a wealth of potential attack vectors. A small breach from anywhere in this network can have enormous consequences, and lead to entire systems being overrun. As such, it’s crucial that security teams operate with the highest-grade security possible, including ensuring the strongest level of encryption standards. Banks need to look beyond regulatory tick-box commitments and ensure they are taking proactive and preventative steps to monitor and combat malicious attacks across their entire network.

Andreas Wuchner

However, the ability to react to cyber-threats across a vast estate requires speed and flexibility to quickly react and update security protocols. The sheer volume of legacy infrastructure slows this process down considerably leaving many security teams in a vicious cycle. 

The threat of legacy infrastructure

A sizeable proportion of the banking industry still maintains a reliance on systems first developed more than 40 years ago. In fact, many ‘core banking’ systems, like payments, loans, mortgages and the associated technologies, are still coded using COBOL (Common Business-Orientated Language), an otherwise defunct programming language that is older than the internet itself. In the UK and Europe, COBOL remains the ‘backbone of banking services,’ while in the USA, as much as 43% of banking systems are built on COBOL, meaning it underpins much of our financial system.

This presents a huge security risk. While code has been regularly updated over the years, these systems were built when security threats were far less sophisticated, less well-financed and the burden of data was far less pronounced. For several years, governments have pointed towards legacy systems, built using COBOL, as a major cybersecurity threat, incompatible with modern security best practices and solutions, including multi-factor authentication. For example, data from Kaspersky found that businesses with outdated technology are much more likely to have suffered a data breach (65%) than those who keep their technology updated (29%).

A further security consideration is the diminishing number of people who are trained in maintaining COBOL systems. Every year, experienced professionals exit the industry, making it increasingly difficult to service legacy technologies and creating significant delays in patching threats once they’re identified. This lack of supply of sufficiently trained experts, and the demand they face, makes any updates extremely expensive and time consuming.

Furthermore, legacy infrastructure is preventing the secure application of encryption, posing its own distinct cybersecurity and regulatory risks. Encryption is often heralded as a silver bullet solution for data privacy and has been a continuing area of focus for regulatory bodies in recent years. However, banks remain guilty of poor deployment, maintenance and management of encryption – using outdated protocols and inefficient methods of analysing and understanding network traffic. This, coupled with legacy ‘core banking’ systems that are incompatible with modern encryption techniques, equates to a regulatory and security headache for security teams.

Adopting a new mindset  

The risks posed by legacy systems and the volume of cybersecurity threats facing banks, mean a concentrated re-think of overall cybersecurity strategy is needed to prevent breaches and ensure data is protected long-term. Traditionally, banks have taken an ‘outside-in’ view – dedicating capacity, finances and knowledge to dealing with threats that are existing, known and well publicised. However, to aid long-term security, this should be superseded by an ‘inside-out’ proactive approach, whereby security teams are cognisant of their own internal systems and where the key vulnerabilities are found. Once banks have a detailed view of the security risks posed by their legacy systems, and specifically what data is threatened, they can address flaws, update these systems and build a stronger overall security posture.

The secure path ahead

Many of our successful high-street banks today have centuries of experience in dealing with social, economic and regulatory upheaval. However, the rapid development and deployment of technology continues to present a unique challenge. Many ‘traditional’ banks have built a complex technology infrastructure through decades of adjustment to new legislation and emerging technologies. While serviceable in the past, fintech start-ups are pushing the long-term viability of these systems to the limit.

Challenger banks have the luxury of being built from the ground-up, prioritising convenient digital services and features, and modern security processes. As the user base of these banks increase, customers are increasingly expecting these features and security from their existing banks, meaning even more complexity added to legacy infrastructures. As outlined by Deloitte, existing firms simply aren’t positioned to support the rising expectation of the market, exposing banks to additional risk and liability.

What’s more, it’s estimated that banks spend as much as 80% of their yearly IT budgets on the maintenance of legacy systems. While an immediate switch away from these systems is unrealistic, there is an opportunity to reduce wasted spend and divert spend towards modernisation efforts. However, while traditional banks may want to adapt quicker to technological advancements, they need to do so while continuing to minimise cyber risk and without jeopardising the security of their data or systems. This means placing cybersecurity at the heart of any modernisation efforts and maintaining a steady rate of change. As more of the technology estate begins to be modernised, the potential risks of regulatory non-compliance will also reduce.

Legacy systems need a considered update

Banking systems have heavily relied on legacy infrastructure for too long now, bringing difficulties in maintaining the highest-grade cybersecurity and in facilitating innovation. The risks presented by novel cybersecurity attack vectors and competition from new and emerging digital services offered by challenger banks are exacerbating these issues. As such, legacy systems need a managed modernisation in the long-term, facilitated in part by a managed redistribution of existing IT spend. However, to ensure long-term security overall, cybersecurity needs to be central to be at the very heart of modernisation efforts.