Byres puts heat on big banks to upgrade IT

George Lekakis
APRA boss Wayne Byres yesterday embarked on an awkward process of publicly calling on the major banks to overhaul their anachronistic core banking platforms, warning that their current systems would not meet "fit for the future" prudential requirements.

In a presentation to the Curious Thinkers Conference in Sydney, Byres said that regulatory audits of the operating systems of 90 per cent of the banking sector had unearthed cases where banks had not funded remediation of critical systems that were classified as at "end-of-life".

"Moreover, there was also limited evidence of adequate escalation and clear reporting of these system health issues and the associated risks at executive and board levels," he said.

Byres said the complexity of systems and the continued reliance on manual processing meant that larger ADIs were struggling to map data lineages and aggregate customer information.

"Larger ADIs have begun to tackle this through the appointment of chief data officers and the development of enterprise data management frameworks," he said.

"A 'fit for the future' bank, however, would have long ago built the systems and have high quality data readily to hand for its own purposes.

"As things stand, significant investment will be needed to meet the new obligations."

Byres' commentary on the condition of core technology at major banking institutions will increase pressure on boards to confront the most daunting strategic challenge that has been consigned to the "too hard basket" across the industry for several decades.

The uprooting and replacement of obstinate legacy technology is likely to add billions to the expense lines of the major banks but also constitutes a prerequisite for their survival in the new era of open banking.

Banks have been given limited time to make the investment commitments because APRA is now moving to impose new standards on licensed deposit takers to ensure they are "cyber sound".

"Overall, our reviews suggested the health of the systems environment and associated risks have not been well understood by peak decision-makers as they should be," Byres observed.

"The issues we highlighted have not arisen overnight, and reflect a persistent under-investment over a number of years.

"Our reviews emphasise that, to facilitate new technology, investment budgets need to be increased, not just reprioritised."

Several of the major banks have already spent billions on programs to liberate their businesses from legacy issues that constrain the addition of digital capability to their operations.

The most adventurous and costly of these efforts was NAB's NextGen transformation program, which former chief executive Cameron Clyne promised would overhaul the bank's core banking systems.

However, large cost blowouts associated with the project forced Clyne's successor Andrew Thorburn to scale back the program.

"We have learned that we can't run multi-year commitments on technology projects … we have to focus on a few things that are significant and do them well," Thorburn told analysts in October 2014.

NAB's expensive effort stood in contrast to the approach taken by ANZ in the last decade.

ANZ's previous chief information officer Scott Collary said in July 2016 that the bank's 1970s edition of the Hogan system was "not holding us back from doing anything".

Byres' critique of the banking sector's sluggish investment in core platforms came as the regulator issued a new guidance paper on the use of cloud computing by banks.

New digital banks such as volt Bank and Judo Capital are entering long-term agreements with external providers of cloud services, raising concerns that operational risk is being outsourced to unregulated companies such as Fiserv and Temenos.

While such service providers already require formal certification from APRA, Byres indicated they faced greater scrutiny from the regulators as new digital business cases evolved in the Australian market.

He noted that external providers presented systemic risks for the banking system because of the prospect that a large number of ADIs could become "dependent on a few unregulated providers for critical services".

Byres said this introduced concentration risk that could increase the risk of contagion in the event of a service failure.

However, he said APRA would not stand in the way of the new business models, saying that cloud providers had improved their control environments and transparency in recent years.