Limited budgets, archaic cultures, serious competition and a fast-changing cloud-based digital world: they all add to the challenge of creating and evolving flexible hybrid data centres. James Lawson speaks to Rakesh Kumar of Gartner about how banks must invest their limited IT budgets wisely to innovate sufficiently with new channels, products and services to keep attracting customers – while still maintaining security and resilience in those core banking systems.
Despite constrained IT budgets, banks are under intense pressure to innovate in digital channels to fight new competitors while tougher regulation ramps up governance requirements. This places conflicting demands on their data centres, which must be fast yet secure, with the latest cloud systems working hand in hand with legacy mainframes.
Rakesh Kumar, managing vice-president research at Gartner, refers to a “nexus of forces” simultaneously hitting retail banks across Europe and North America. Chief among them is digital proliferation. Where banks used to deploy products and services via a few well-established channels, there are now many digital ones to cope with.
“Social, mobile, the internet of things (IoT) – each one of these forces is powerful in itself but together they create very interesting dynamics,” states Kumar. “Banks have to support a whole bunch of digital technologies for tasks like mobile payments or social messaging, through to things like wearable banking applications.”
Today, instead of logging in via mobile phones, young consumers might want to look at their Apple Watch to check their bank balance or pay for their cinema tickets. New, nimbler start-ups and tech giants such as Google, Amazon and Facebook can easily deliver these services, and are huge and growing threats.
To compete, banks must offer everything from video chat for customer service to mobile fingerprint authentication. In areas like developing apps for iOS or Android and then supporting them operationally, speed and agility are paramount.
This drive for agility is a big reason for today’s wholehearted cloud adoption. This mental shift has seen cloud move from one of many options to the primary starting point for infrastructure and application deployment.
“Many of our large clients and the European retail banking sector in particular now have a cloud-first strategy,” explains Kumar. “What that means is when they look at a new application, change an existing one or launch a new product, their first reaction is, ‘let’s put this on the cloud and only then work back from there as to why perhaps it might not make sense’.”
Here, cloud could mean either an internal private cloud at a bank’s own or co-hosted data centre, or a public cloud like Amazon Web Services (AWS) or IBM Bluemix. But as well as requiring agile systems to support them, consumers’ multiple digital devices also create significant security challenges.
“A banking app on a mobile phone is linked to a cloud somewhere,” says Kumar. “But though that cloud is probably secure, is the mobile phone?”
Point of contact
Here, the mobile phone is the end point – and the weakness that hackers can exploit. “End-point detection becomes very important,” Kumar says. “You could spend a lot of money on firewalls and other physical security, but how do you secure the mobile phone?”
Every new customer device is another chink in the bank’s armour. With the IoT providing a way for any device to communicate with almost any other one, these security challenges will only become tougher.
To cope, banks and other financial services companies have had to develop real or near real-time systems that monitor customer-use patterns, work out what is normal and alert bank staff when they detect an exception that looks fraudulent.
For example, a payment app might be used in Washington DC today, London tomorrow and Prague the day after. Is the customer a road warrior or has someone stolen their log-in details? There’s a fine balance between protecting the bank and allowing customers the freedom to do what they want.
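The location check described above, as an added example (not from the article or from any bank's system): a geo-velocity rule raises an alert only when two consecutive events for one customer imply travel faster than an airliner, so day-apart use in Washington DC, London and Prague passes while a 40-minute London-to-Prague jump does not. The 900 km/h ceiling, the 50 km noise floor, the customer IDs and the timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0     # assumption: ignore short hops caused by geolocation noise

@dataclass(frozen=True)
class Event:
    customer: str
    when: datetime  # assumed to be UTC
    city: str
    lat: float
    lon: float

def haversine_km(a: Event, b: Event) -> float:
    """Great-circle distance between two events in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def implausible_hops(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (customer, from_city, to_city, km_per_hour) for each hop faster than max_kmh."""
    alerts, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e.when):
        prev = last_seen.get(ev.customer)
        last_seen[ev.customer] = ev
        if prev is None:
            continue
        dist = haversine_km(prev, ev)
        if dist < MIN_DISTANCE_KM:
            continue
        hours = (ev.when - prev.when).total_seconds() / 3600
        speed = dist / hours if hours > 0 else float("inf")  # same-instant events
        if speed > max_kmh:
            alerts.append((ev.customer, prev.city, ev.city, speed))
    return alerts

DC, LONDON, PRAGUE = ("Washington DC", 38.9072, -77.0369), ("London", 51.5074, -0.1278), ("Prague", 50.0755, 14.4378)
# Constructed sample events: cust-A travels a day apart; cust-B "moves" 40 minutes apart.
SAMPLE_EVENTS = [
    Event("cust-A", datetime(2024, 3, 1, 9, 0), *DC),
    Event("cust-A", datetime(2024, 3, 2, 10, 0), *LONDON),
    Event("cust-A", datetime(2024, 3, 3, 11, 0), *PRAGUE),
    Event("cust-B", datetime(2024, 3, 2, 10, 0), *LONDON),
    Event("cust-B", datetime(2024, 3, 2, 10, 40), *PRAGUE),
]

if __name__ == "__main__":
    for customer, src, dst, kmh in implausible_hops(SAMPLE_EVENTS):
        print(f"ALERT {customer}: {src} -> {dst} at {kmh:.0f} km/h")
```

Lowering `max_kmh` catches more account takeovers but starts flagging genuine frequent flyers, which is the balance the article describes.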
“If I’m stuck in Singapore Airport without a credit card, the first thing many people will do is go on Facebook and say what a lousy bank I have,” notes Kumar. “It may not be fair, but that’s what happens.”
That ability to monitor and rapidly detect issues on each end point then becomes another critical data centre requirement, requiring excellent analytics and serious horsepower.
“In order for banks to be more secure, they’ve got to run faster processes, higher network bandwidth and faster computers,” says Kumar.
Myriad technical advances from cheaper, faster flash (solid state) storage to improved virtualisation or containerisation of server hardware all help here. Kumar references software-defined networks, storage and databases as particularly important, giving greater flexibility and control over hardware systems. By virtualising storage rather than simply writing to a drive, it’s possible to manage that storage better, improve backup and recovery, and so on.
“Rather than just increasingly buying hardware where only 70% may be used, software can get you to maybe 95% use,” he explains.
The letter of the law
With governance standards requiring banks to hold multiple copies of data on multiple platforms, cloud comes in again as a way to back up legacy platforms quickly and securely. The faster and cheaper public cloud is also increasingly being used by banks to develop code for new products. However, few yet use it operationally.
“When those products are ready for use, most banks are still bringing them back in house, but it’s only a matter of time before many of those are running in the public cloud environment,” says Kumar.
Instead, banks tend to run private clouds at in-house or co-hosted data centres. However, these sleek new systems must still be linked securely to decades-older, mainframe-based core banking applications.
“So an application might be running in a private cloud but to access customer data, it has to go to the legacy database running on a mainframe in the in-house data centre,” notes Kumar. “This is much more common in banking and insurance than in most other industries out there.”
With complete legacy system replacement akin to fitting new wings to a flying aircraft, banks are instead bolting on their new, separate cloud systems to gain that extra agility and cope with digital channels. This requires a hybrid or ‘bimodal’ IT approach: bringing disparate systems running different code at very different speeds together to provide a flexible infrastructure.
That means any one data centre may actually mix legacy mainframes, private cloud servers and links to multiple public clouds. So a request for agile development might be shunted to AWS but a core banking request may be passed to the legacy systems.
Kumar refers to the mix of systems needed as “different data centre personalities”. “Accommodating these various personality types will require different methods for application development and a range of software tools to simultaneously satisfy all the different business requirements,” he says. “That’s where the hybrid model comes in.”
However, making bimodal perform reliably and securely can be very tricky indeed, with many well-publicised outages in the past few years at institutions like Royal Bank of Scotland, NatWest, Bank of America and Commonwealth Bank of Australia.
“Banks need to run those two IT environments with a degree of ‘glue’ that allows them to work harmoniously together as a single system,” says Kumar. “It’s a constant struggle in many sectors, but I would say that retail banking is the one that is struggling most.”
Added to that, lack of budget has often seen mainframe maintenance slashed to the bone, affecting reliability and also security. “Many of those banks have been cutting back on skills, processes and application development, and therefore these machines are creaking at the edges; they are surviving on minimal investment,” says Kumar.
“That means that a small change can lead to a significant outage,” he continues. “That’s fine if it’s contained within the mainframe. Customers might suffer a little if they can’t access their accounts for six hours or a day at the most. But if that system is connected to the public cloud, then the problem becomes much bigger, and certainly more of a governance issue around risk management and digital hacking.”
No legacy required
Unencumbered by legacy systems, challenger banks like Atom, OakNorth and Mondo have used cloud from the start to help create excellent digital experiences for their customers. But the incumbent retail banks are struggling to find the money to simultaneously manage and replace their old core legacy environment while pushing forward with digital initiatives.
“They are caught between a rock and a hard place,” says Kumar. “Investing in the core systems will take a serious amount of cash, which they really should be using to build up new applications in the cloud like mobile payments that appeal to new, younger consumers. It was challenging six or seven years ago even before we had the global crisis and, in the current economic climate, it’s much harder for them to find the money to do both.”
Even if they had the money, the banks still need to find the people and the development processes to make these enormous changes. According to Kumar, beginning to think and behave like tech start-ups will mean evolving a dinosaur-like IT culture in which new projects can take months to even get started.
“That culture change is as big a problem as the financial one,” he says. “To gain speed, you have to worry less about security, resilience, processes or any other failure that may occur from developing too quickly. At least in my experience, many of the banking CIOs and other technical heads are struggling to change their own behaviour after 15, 20 or 30 years of working in the old ways.”