Bank´s IT ring-fencing headache

by Graeme Burton, January 21, 2015

Imagine being the CIO of a major organisation, established for decades with an IT infrastructure that has been built up since the early 1960s. Then, imagine the challenge that you would face should a powerful regulator demand that the “core activities”of the organisation — and, hence, its supporting IT — be “ring-fenced”from the rest of it to prevent a crisis turning into a financial disaster?

That is what the CIOs at major banks headquartered in the UK are being asked to do by the Prudential Regulatory Authority (PRA), the relatively newly established banking industry regulatory body and the successor to the Financial Services Authority (FSA), along with the Financial Conduct Authority (FCA).

The aim of the regulation is to ensure that the operations on both sides of the ring-fence are able to operate independently, so that if another catastrophic financial crash were to occur the “socially useful”parts of any of the UK’s big banks could be rescued, if necessary, and continued, while the rest of them could either be sold off or more easily wound up without causing widespread havoc.

Furthermore, the proposals contain other regulatory requirements that will test the mettle of banking CIOs. Services group CGI — which absorbed Logica in 2012 — has already warned that some elements of the proposed new regulations could prove particularly challenging to implement at a technical as well as an operational level.

“The legislation states that the ring-fenced bank will be expected to monitor exposures on both ‘vostro’ [your] and ‘nostro’ [our] accounts in real-time. The regulator needs to be aware that in the case of nostro accounts this is currently very difficult.

“Banking providers vary in the quality of real-time information they provide and it is very challenging for the client banks to integrate this information into their systems and produce a genuinely real-time picture,”warned CGI in a report examining the impact of the ring-fencing regulations.

With the Financial Services (Banking Reform) Act passed in January 2014 and converted into regulation in September, banks now have until January 2019 to comply with its requirements. But given the scale of the task in front of them, many will struggle to meet the deadline.

All change

First, says Hans Tesselaar, executive director of the Banking Industry Architecture Network (BIAN) (pictured), banks will need to identify exactly what they have running and on which systems, because in order to comply with the letter of the regulations, non-core operations will need to run on separate IT systems. However, in the process, they can improve the efficiency of their IT systems, he argues, by updating and “componentising”applications, based on a service-oriented architecture.

Tesselaar believes that banks can take one of two different approaches.

“One is the bottom-up approach. So, you identify your ‘ideal landscape’ (using something like the BIAN model), and then identify applications you can incrementally componentise,”says Tesselaar. “So with a legacy system, you need to determine which capabilities willl be performed by the legacy system and how you would like to componentise that legacy system.”

He continues: “The other way is to design a new landscape, based on the BIAN model whereby the banks identify the components, build new components and let those components interact with the existing legacy systems,”says Tesselaar. “That’s a more costly exercise and it takes more time. But it also gives the bank the ability to streamline all the processes that the bank uses.”

Not surprisingly, perhaps, most banks in his experience have taken the first route towards solving the problem, rather than the second, more costly one but in the long run the latter might prove the better option.

“It ring fences the banking system, on the one hand, and on the other it will help standardise and componentise the systems, helping the whole organisation to become more agile,”says Tesselaar.

However, for many banks there will be at least four years of protracted pain before they manage to achieve that.