The Intermediary – April 2025 - Flipbook - Page 76
T E C H N O L O GY
Opinion
Change now, or wait
until it’s too late?
A
t what point do
lenders call crunch
time on legacy
systems? It’s a hard
question to answer,
particularly for our
largest players, which have almost
always grown through a series of
mergers and amalgamations of
smaller lenders going back decades.
Santander, Lloyds Banking Group,
the Royal Bank of Scotland – to name
just three – have all grown through
acquisitions. It’s a familiar story across
the market.
The burst of activity changing
building societies into banks that
happened through the 1980s and
1990s drove a huge amount of brand
integration, but less technology
integration. Followed by the Global
Financial Crisis in 2008, another spurt
of amalgamations were forced on
both banks and building societies that
would otherwise gone to the wall.
It might sound farfetched, but with
back-end technology really starting to
replace back-office staff for many of
the more easily automated processes
from the 1980s, the industry’s reliance
on legacy technology platforms can go
back 30 to 40 years.
Ongoing reluctance
There are lots of good reasons for this,
not least because moving customers’
deposit accounts from one platform
to another is fraught with risk. Just
look at the absolute chaos caused
when TSB divested from Lloyds Bank
systems following its acquisition by
Spanish bank Sabadell in 2015. It took
until December 2018 for TSB to return
to business-as-usual. TSB has paid
£32.7m in redress to customers who
suffered detriment.
You can see why others are reluctant
to aempt a complete transfer to
new, modern and more cloud-based
platforms. Yet this leaves them facing
a real conundrum. There is enormous
risk if they do move to beer equipped
76
The Intermediary | April 2025
technology. There is enormous – and
growing – risk if they don’t.
Outdated legacy technology
poses serious risks to data security,
efficiency, compliance and customer
experience. Outdated soware is
more vulnerable to cyberaacks.
Weak security patches leave systems
exposed. Hackers target old systems
that lack modern encryption and
multi-factor authentication.
Dangerous implications
The costs that result when a company
suffers a data breach or cyberaack
can be eyewatering, and cover
anything from external IT and data
security consultants, legal advice,
customer redress, loss of revenue and
ransomware payments.
There are operational
implications too, both internally
and as a consequence of third-party
integrations. The Crowdstrike outage
last year highlighted just how severe
that can prove to be.
A statement issued by the Financial
Conduct Authority (FCA) in October
last year noted that between 2022
and 2023, third-party related issues
were the leading cause of operational
incidents reported to the regulator.
Following a review of the incident,
the FCA found that some regulated
firms affected by the outage also
provided services that supported other
regulated firms’ important business
services, increasing the impact of
the disruption. Firms which had
existing relationships and pathways
to share information with third-party
providers were able to respond quicker
during the outage.
The reality was that many firms
did not. Consequently, the regulator
told firms to identify single points
of potential failure within their
infrastructure and technology stack
and make the changes needed to
ensure future resilience.
Platforms and operating systems
are only part the issue. For some, the
AHMED MICHLA
is head of business
development at Cotality UK
The regulator told
firms to identify single
points of potential
failure [...] and make the
changes needed”
very pipework that supports some
of those older systems is unable to
cope with the volumes of data that
would indeed make for beer risk
management – if only the information
could be delivered through the old
infrastructure!
Part of this process has uncovered
the critical need for business
continuity plans that address
the scenario where a third-party
infrastructure and systems may fail.
We’ve seen lenders tighten their grip
on third-party service providers,
mainly opting to work with fewer,
larger firms. Many are now deciding
to have key partners that can deliver a
gamut of data solutions from net zero
to survey and valuation data.
We’ve also seen lenders keen to
procure systems on different builds
and devices, with different operating
systems, while some have considered
updating change management
processes for third-parties with deeplevel system access.
Lenders were told to get their houses
in order by March this year. It hasn’t
proven to be crunch time for phasing
out legacy systems, but it has woken
many up to the fact that the balance of
risk may now be tipping the other way.
The question for organisations is,
do they change now, wait to be told, or
wait until it’s too late? ●
