APRA warns against IT cost cutting

Zero tolerance when customer data is at risk.

See all pictures here »

Australia’s finance industry regulator has warned the banking sector against making dramatic reductions to IT budgets to meet unrealistic market expectations.

David Pegrem, Head of IT Risk at the Australian Prudential Regulation Authority told the iTnews Executive Summit in Sydney that there would be “no tolerance” for service outages at Australia’s banks and building societies due to neglected legacy systems.

Pegrem told the summit that despite restructures within the technology operations of several large banks, “we’ve not seen aggressive cost cutting in the IT environment".

“There is no evidence so far of a significant decline in IT budgets,” he said.

But he nonetheless expects “IT will need to share the pain” as cost pressures mount due to global economic tightening.

Pegrem said he did not want a return to the large-scale outages impacting banking systems in 2009 and 2010. Banks, he noted, had “significantly improved the resilience and availability” of systems in the years since, with a notable drop in system outages over 2011.

That work needs to continue, he said.

“We want to remind instititions against undertaking aggressive cost cutting that may undermine the progress made in the last few years on improving availability and resilience,” he said.

“The necessity of continuing to replace systems needs to continue and there is no tolerance to institutions running outdated, unsupported operating systems, hardware or software.”

He said he understood that the “programs of work” for upgrading legacy systems “can sometimes be large”, and that a more prudent course of action would be “implementation over a longer time frame” while funding is tight.

Pegrem hoped that boards recognised the risk any system outage presented Australians' trust in the banking system in a social networked world. 

“There is no place to hide from a Twitter or a Facebook concerning channels such as ATMs or online banking channels being down,” he said.

“The old days of having 24 to 48 hours to fix a problem before customers are affected are long gone. Not only that, but the bar is rising in terms of the expectations of customers and merchants, and the tolerance is falling for outages.”

The regulator supported Reserve Bank calls for formal reporting of all major retail payment system incidents, he said. He called for industry input as to where the banking system might be vulnerable from a technology perspective.

Pegrem summed up his presentation by reminding the audience that “there is an expectation of high availability and high resilience.

“Any solution you choose, whether internal, whether outsourced, or whether offshored, should result in higher availability and a greater level of resilience than you have now,” he said.

“There is no tolerance for known single points of failure, for poorly mapped business processes, for lost or poorly knowledge retention, for fixing bandaids rather than root cause solutions.”

The one proviso, he noted, was in the case of “unique, previously unexpected, unanticipated or unexplained events”, which in the very least are required to be “understood and managed”, with “actions are prudently determined before ensuring an orderly return to operations".

In a veiled reference to data corruption issues faced by major Australian banks following system outages in the last two years, Pegrem said APRA “prefers accuracy and certainty in return to operations rather than a rush to recovery that may only cause more or far reaching complications to occur".