Banking IT systems are too old to be secure

Last week there were a lot of noise around Royal Bank of Scotland, as about 600,000 payments failed to enter the accounts of RBS customers on Wednesday and could not be completed until the end of the week. 

Thousands of people couldn't make a payment, buy products and medicines, pay wages and bills or were left without any money for a half of week. Despite the customer support attempts to calm the clients (some of which were waiting to be connected with an consultant for an hour!), the frustration was growing.

The customers of RBS, NatWest, Coutts and Ulster Bank are all part of the same banking group and they all have been affected by the latest issue. The problem was caused by a segment of information not being inputted into the system.

However, it isn't the first time for the banking group, when their customers were unable to access their accounts. In June 2012, after a software upgrade, millions of clients faced the same problem. The group was fined ￡56 millions by regulators. It had invested hundreds of millions of pounds to improve its computer systems since then. But in 3 years thousands of individuals and businesses were badly hit again. 

Not the problem of one bank only

The technology failures are hitting the biggest banks and their systems all the time. Commonwealth Bank of Australia, which had a reputation of one of the most digitally advanced banks, got tarnished by an outage in payments and its online systems a week before.

In January another bank had a problem in the system linking the accounts. Industrial and Commercial Bank of China, the country's largest lender, faced the securities brokerages, that affected nearly 55 000 customers.

JPMorgan Chase and Co is also growing its cyber security after a series of high profile hacking attacks last year. The data on 76 million customers was stolen from its computer system. 

So what's wrong?

 “For a sector that spends significantly more on technology than most other sectors in the world, it is the least innovative, so there is a paradox here,"
          - Bill Michael, head of financial services in Europe at KPMG.

Banks are regularly spending their money on IT, but where does all money go? Mostly on maintaining the existing system and processes and only a quarter is spent on innovations.

The bank mainframes are driven with COBOL programming language that was created in 1959  for business use. Academic computer scientists were generally uninterested in business applications when COBOL was created and were not involved in its design. The language has been criticized throughout its life for its verbosity, design process and poor support for structured grogramming, which resulted in monolithic and incomprehensible programs.

The use of COBOL cripples the mind; its teaching should, therefore, be regarded as a criminal offense.
                                                                                         -Edsger Wybe Dijkstra

A weak, verbose, and flabby language used by code grinders to do boring mindless things on dinosaur mainframes. [...] Its very name is seldom uttered without ritual expressions of disgust or horror.
                                                                                         -Eric Steven Raymond

Moreover, COBOL standards have repeatedly suffered from delays: COBOL-85 arrived five years later than hoped, COBOL 2002 was five years late, and COBOL 2014 was six years late.

James O’Neill, senior analyst at Celent, predicts that within a decade most big banks will have to switch from using costly mainframe computers with overnight processing to much more flexible cloud-based services. If not, the shortage of developers trained in the COBOL that drives most bank mainframes will force them to make the switch. 

The right thing to do

In his interview for Financial Times, Francisco González, the former software engineer and CEO of Spain’s BBVA, said that after rounds of acquisitions, many large retail and commercial banks are tangled up in legacy systems which run the risk of breaking or presenting opportunities for intruders to gain access. At the same time, banks have to build on more features to present an attractive digital product to consumers. 

“My view is that many of them won’t make it,” he says. “They don’t know that. Most of the banks have started at the rooftop. How did they manage to work without the foundations and the floors? Just middleware — more spaghetti on the spaghetti . We are ahead of the pack and we aspire to be the disrupter, coming from the conventional world, the banking sector.”

And really BBVA is ahead. The competitors try to save money solving only urgent local problems and don't want to invest in the new system, as the old one still works. In contrast with competitors, BBVA has spent more than €850m annually on technology for the past few years, including the painful and expensive decision to replace legacy systems  with a modern data centre. 

What is more, the bank’s active Silicon Valley ventures arm has also invested in Coinbase, a bitcoin platform.

“The gap has to be filled by someone and we want to be one of the guys. BBVA Compass is the platform. We need to be a digital challenger in the States. We have installed all the platforms, and we can connect start-ups to it. BBVA Compass will roll out a complete universal bank in the digital world.”
                                                                                              - Francisco González

Can be a good example to follow. Don't you think?