Financial institutions, whether operating in investment, retail or commercial arenas, have long been closely regulated. In recent years, the introduction of even more legislation has forced them to up their game. The emergence of Basel II, the International Accounting Standards and the hastily introduced Sarbanes-Oxley laws has meant governance and the issues surrounding it have taken up much time and money. But most organisations believe they are now in a position to treat governance as it should be treated – as part of day-to-day housekeeping. Regulatory compliance, along with security and availability of systems, is part of the daily routine for IT departments. Security will forever cast a long shadow over financial institutions, especially with the growth of online identity theft and fraud being regularly highlighted in the media.
Keeping other people’s money safe, whether in the commercial or retail arena, has always been the job of banks, but the increased use of technology and online banking means the threat has changed.
IT directors now have to concern themselves not only with the internal security of the organisation’s systems, but also with the processes and procedures their customers use, which is out of their control.
Forrester Research’s Martha Bennett, vice-president and research director, financial services Europe, says: “Criminals are working hard to stay ahead – 74 per cent of the world’s top 50 malicious code samples are designed to take banking or credit card details, up from 54 per cent in 2002, according to Symantec. The security threat to online finance is changing and getting nastier. But financial institutions need to tread a fine line between panicking the customer and securing investment by securing the customer.”
Top of the list for Bennett is customer authentication. LloydsTSB has run a trial with two-factor authentication using hardware security tokens for 30,000 of its UK retail banking customers. HSBC is trialing a similar system in its Hong Kong and Brazil operations. Other retail banks are sure to follow suit. For commercial and investment banks, the security issues are slightly different and in these arenas it is the regulatory bodies that need to be satisfied first that systems are secure enough. When winning new business, IT directors are finding business alignment even more important. For example, Barclays’ retail customer facing channels like websites, call centres and branches are undergoing major technology updates.
This includes self-service options in branches and updating the channels and underlying infrastructures in both Barclays and the Woolwich. These strategic changes will help push new products and customer services aimed to bolster the bottom-line.
Forrester believes European banks will spend some 100 billion euros on renewing the application landscape over the next 10 years. It reckons 70 per cent of financial institutions have already started this or plan to do so. As these renewals take place there is also an increasing emphasis on collaborative working to increase efficiency.
DrKW, the global investment bank, is using collaborative technologies to develop and deploy software remotely around the world. It is increasingly using tools like instant messaging rather than email to implement better working practices. Meanwhile global giant HSBC, which has an IT team of around 3,500 in the UK alone, is using shared services and collaborative tools and is following the ‘do it once and share’ mantra.
There is no doubt that financial institutions are at the next stage of development in terms of technology. The last few years saw the public sector become the main source of strategic IT investment, but that mantle has passed to the City where IT salaries have risen, with the best staff being tempted back into financial services. Top IT workers in the City are commanding salaries of £1,000 per day or more and according to the Association of Technology Staffing Companies (ATSCo), contractors in the City earn between £50 and £59 per hour. That is about £50,500 per annum compared to contractors in the public sector who pocket nearer £37 per hour (£28,000), and those in telecoms at £36 per hour (£36,400). ATSCo says that contract rates in the City have risen between 10 per cent and 15 per cent over the last year and look like heading north in the foreseeable future.
Dresdner Kleinwort Wasserstein
- Headquarters: London and Frankfurt
- Number of employees: 3,000 UK, 6,000 global
- Last full-year revenues: Euros 2.1bn (2004)
- Head of IT: Stephen Ashton, global IT business manager
Dresdner Kleinwort Wasserstein (DrKW) is a European investment bank with a global reach. Like many financial services companies it is juggling the demands of its clients and business with those of industry and government regulatory bodies.
Stephen Ashton, global IT business manager, says the organisation has four ongoing IT issues: strategic business alignment; resilience of systems; availability; and maintaining the control environment to meet business and regulatory requirements. “These are our main IT priorities – they remain constant, but we do juggle them. Last year we had to concentrate on the control environment. This year we will focus on business alignment, availability and resilience, while the control environment work beds down.”
Business alignment is key, says Ashton. “We balance doing what the customer wants with tying it to the business strategy. Business alignment is an iterative process, which takes place through a series of discussions beginning at budget rounds.
“Getting strategic business alignment right is about communication, communication and more communication,” says Ashton.
The governance and control environment landscape has been built to ensure everything complies with industry and government regulations. “This includes security, the whole lifecycles of products and systems. As with regulations like Sarbanes-Oxley there is now a burden of proof to do that,” says Ashton. “It is like a perimeter fence that satisfies those concerns and means that we can react to any changes in a controlled manner.” Ashton points out that although new legislation like Sarbanes-Oxley has brought governance into the spotlight, financial institutions like DrKW have always been highly regulated. They have had control environments at the core of their processes and procedures ‘forever’.
Availability and resilience are part of the housekeeping for IT, but Ashton says they are increasingly challenging because of the huge amounts of data now involved. “Data volumes are growing exponentially. Data storage and retention volumes are mounting and growing more complex. This means if something changes or is broken the complexity and size of the data makes it very challenging to fix.”
In terms of availability and resilience, Ashton says IT has to make judgement calls on what is acceptable. There is a cost issue of doing business and the challenge is deciding, with the business, what, how and when data is made available.
An increase in mobile and wireless devices has also had an impact. “Customers just want to turn on the device and go. This throws up two focal points – regulatory and security. If people are seeking to trade, are the regulatory requirements to do this being satisfied and is it secure? Are they really working or do they just want access? We must be careful.”
As well as focusing on its four IT priorities, DrKW keeps up with technical innovations. This includes implementing discovery and mapping tools to help run its infrastructure. “The systems and scale are so complex and inter-related that this work cannot be done manually, so we are using automated tools to help us understand what happens when something changes and to understand what might go wrong,” he says.
The firm uses IT innovations to address business issues like stabilising the governance and control environment. “Applications like spreadsheets and databases are critical to the business and things like versioning changes need to be controlled,” says Ashton.
DrKW is using groundbreaking collaborative technologies to develop and deploy software globally – without having to travel across the world. “We are using communications tools to help us work remotely as a team, and increasingly using things like instant messaging rather than email to achieve this.”
Ashton’s advice to other CIOs in today’s market is to make sure they understand the requirements of the business. “Clarify and specify at the beginning, even if it is very painful for the business. If you don’t, systems at the business end will suffer.”
Barclays
- Headquarters: London
- Number of employees: 60,000
- Last full-year revenues: £11.327bn
- Head of IT: Kevin Lloyd, IT director UK banking
During the last 12 months Barclays IT has concentrated on service delivery and improvement. “We have been focused on continued operational excellence to ensure stability of the bank’s systems and improve performance,” says Kevin Lloyd, IT director for UK banking at Barclays. “The bank handles a huge and complex volume of transactions and whatever else you are doing, you cannot afford to drop that ball while continuing to move forward.”
He is referring to a very crowded change agenda which is part of a company-wide review of operations. “You have to be very careful at this point in the plan not to screw up the opportunity to move forward,” he adds.
The review includes business processes and standardising platforms and infrastructures. Last year it reorganised its IT department and began to use single suppliers for some areas like applications development and communications instead of a range of third-parties.
It signed a seven-year framework agreement with BT, which covers voice, LAN, WAN and firewall services. It also extended its BPO deal with Siemens and its applications development contract with Accenture.
Lloyd says that increasing the use of single suppliers like BT and other systems integrators makes service provision to the rest of the organisation more efficient. “We have a service management wrapper architecture for the supply chain and are re-skilling our supply chain management activity,” he says. “Diligent supply chain management and the stability of our IT operations are key to the success of the company. We had to look closely at our service performance management and how we assessed our capacity, then re-skill accordingly.”
Like most financial institutions, Barclays is investing in its infrastructure. Lloyd says: “Customer facing channels like the website, the call centres and the branches are all undergoing major updates in technology. This includes self-service options and we had a rebranding, with our branches getting a facelift.
“All the channels, underlying infrastructure and the brands of Barclays and the Woolwich are undergoing changes.”
Beyond the internal changes Lloyd says the company will be driving out new products and customer services aimed at hitting the bottom-line. These projects, most of which are in development, are rolling out over the next 18 months to three years.
But overlying all these structural and business process changes, new product and services activity, are the constants of regulatory compliance and security. “Sarbanes-Oxley, Basel, Swift, and BACS regulations are all changing payment standards in the industry,” he says. “The rules that are continually changing are government regulated and overseen by the Office of Fair Trading, which means the standards are rigid and inflexible. Like everyone else we have to meet them.”
Security sits over the top of all of this. “Obviously strenuous attention to security will continue,” says Lloyd. “Combating fraud, attacks on online services and identity theft are part of the routine. We are vigilant and areas like points of entry to the systems and controls are continually updated. Our security is essential and we live by rigorous, hard testing and constant revisiting of systems security.” Barclays’ infrastructure programme is being rolled out globally.
“The systems must fit with the global view and all systems have to correspond and work together,” says Lloyd. “The IT execution and service is at the same level, and customer information is shared, but because of the way in which customer activity changes in different markets, part of the systems can be different. In the credit card business each market is very different and then you have capital and assets systems which are different again.”
UK banking accounts for about 40 per cent of turnover at Barclays, but about 80 per cent of the bank’s global IT activity is carried out from the UK. “The UK is a star performer,” says Lloyd.
HSBC
- Headquarters: London
- Number of employees: 45,000
- Last full-year revenues: £3.797bn
- Head of IT: Rumi Contractor, CIO
Two years ago HSBC’s IT operated as large monolithic units for each core business. As competition increased and demands for new markets to feed the business went up, it became clear to Fergie Williams, the then CIO, that the structure of IT operations needed a radical overhaul.
“Each core business unit was doing its own thing in terms of IT. They were doing their own development and had no real relationship with the business. That had to change,” he says.
The IT operation was reorganised so that it better served the bank’s business needs, rather than operating as separate units. It illustrated how IT could really add to the bottom-line, according to Williams.
The IT organisation was consolidated and Williams introduced business relationship managers to work closely with the business units. The aim was to ensure that technology was fulfilling needs, solving problems and meeting new business requirements. These managers are dual skilled, so not only do they understand what a business requires, but also appreciate the technical side of the equation.
Now the IT department, with a team of around 3,500 in the UK, is looking at using shared services and doing more collaborative work. “New ideas need collaboration between the different parts of the company,” says Williams.
“We think of the implications of any new ideas in terms of the skills requirement and time scales involved,” he says. “The mantra is ‘do it once and share’. This would not have been easy before the reorganisation.”
Laws for order
Most financial institutions have been spending much of their resources on regulatory compliance, although Williams claims that compliance has not been so much of a problem for HSBC as for some other organisations.
“Compliance regulations like Basel II and Sarbanes-Oxley have put pressure on all organisations to take control of their data,” says Williams. “But HSBC’s data management is already very deep and sustained in the company. We use one customer number across the businesses, and good data management has been going on for the last 10 years.”
Crime is one area that the bank is working on as hard as everyone else, particularly online fraud, which is still rising.
At the same time as restructuring its IT operations, HSBC has been concentrating its efforts on online security and identity theft, although it has gone slightly further than some in suggesting that online users should take some responsibility for their online safety in the future.
Last year its group chief operating officer, Alan Jebson, said: “Most banks post helpful advice about internet security on their websites. HSBC has gone to considerable lengths to issue guidance, but we believe the industry may have to take a stronger line.”
More recently, as part of its drive to keep customers online, and keep transaction costs down, while at the same time improve security, it announced that it would be trialing two-factor authentication using security tokens in its Hong Kong and Brazil operations.
At the moment it has no plans to introduce them to the UK, as LloydsTSB has done for 30,000 of its customers, but if the trials are successful, it is an option.
HSBC is at the beginning of a new phase in its IT operations, with a new CIO, Rumi Contractor.
Of course, he will face the same issues of security and governance, but he will also have to handle the latest compliance issue – the EU’s Single European Payments Area (SEPA), which aims to drive down pan-European transaction costs and comes into force in 2008.
The onus to meet this latest regulatory requirement will fall inevitably to the IT department.