By 
The Financial Conduct Authority (FCA) has published a report showing 92% of the UK’s financial services (FS) firms still rely on legacy technology.
Broken down, that’s 58% relying on “some” legacy infrastructure and apps, 33% admitting “most” of their technology is legacy, and just a measly 8% which say they aren’t weighed down by technology debt at all.
The FCA also reveals that 78% of FS firms’ data still lies in on-premise infrastructure. Of the 17% of FIs who do opt for the cloud, 11% use public, 5% private, and 1% hybrid.
As for executing new innovation ideas, the average time it takes to release an update to users takes the majority of FS firms (56%) at least six to 12 months. Only 2% said a new product roll out could take less than one month.
The average number of production changes implemented by an FI over 2019 was around 35,000. That’s roughly 95 each day.
For comparison, large technology companies like of Google and Amazon deploy “thousands” of updates per day, according to 2019 DevOps Research and Assessment (DORA) research.
The FCA’s latest report has based these findings on more than one million production changes implemented in 2019 by a sample of FS companies.
The UK regulator calls out Change Advisory Boards (CAB), which approved 93% of all major changes it reviewed in 2019.
The year also saw major changes double the failure rate of production changes overall. Whilst major changes accounted for 3.8% of failures, smaller changes accounted for less than half (1.6%) that failure rate.
“This raises questions over the effectiveness of CABs as an assurance mechanism,” says the FCA in its report.
Whilst only 1.6% of all changes FS firms implemented resulted in an incident, that rate still accounted for a total of 13,767 incidents in 2019 – 14% of which had a customer-facing impact.
According to FS firms’ incident reporting, in 2019, third-party incidents were a major bugbear, accounting for 18% of all incidents.
The report also highlights the extent to which FS firms rely on outsourcing. It says third-party teams delivered more than 30% of FS firms’ development activity.
Third parties are not immune to the inherent risks presented by technology change but most firms participating in this review did not track third-party changes” says the FCA in its report.
The regulator adds that firms feel third parties “often do not communicate changes to their customers, resulting in difficulty in tracking those changes”.
A solution included contractual agreements which could dictate stronger governance against service levels.
The FCA notes that, due to a 92% industry-wide reliance on legacy technology, “firms’ change management processes [are] still heavily reliant on manual review and actions”.
Based on the report’s results, the UK regulator determined a key correlation between legacy technology and more incidents following deployment changes.
“We observed a link between emergency changes and legacy infrastructure which may indicate that firms with higher proportions of legacy infrastructure were more likely to both use emergency changes and to have a higher proportion of those changes result in an incident,” it says in the report.
Legacy technology also featured as the third most common characteristic in a high-risk project.
It sits behind technologies not yet used by FS firms (second) and dependency on other projects’ delivery (first). And it ties with heavy dependence in third-party vendors.
It seems the report highlights something of a Catch 22. That FS firms will struggle if they rely too heavily on old on-premise architecture, but they will equally struggle if they rely too much on third-parties’ emerging technology.
According to the FCA, FS firms largely support the DevOps approach to production, which sees them carry out smaller changes gradually. Even if many of them are still encountering significant hurdles to do so.
In all, only 13% of firms use DevOps processes for all software delivery activities. Those firms which still rely heavily on legacy systems, as opposed to agile methodology, achieved lower adoption rates of their products throughout 2019.
To implement agile methodology, the FCA encourages a strong awareness of operating environments, a solid understanding of risk, and rigorous governance.
The regulator recognises that a consistently agile approach to deployments “requires significant time and upfront financial investment”.
It found that firms which had the lowest proportion incidents resulting from changes dedicated between 50-75% of their IT budget to technology change activities.
But in reality, FS firms on average dedicate 32% of their change budget to maintenance and upkeep, and 21% to satisfying regulatory and legal requirements. After that, 17% of the change budget goes towards improvements for external customers.
The FCA does recognise, however, that FS have “highlighted that major changes, specifically regulatory changes, are difficult to break into small changes”.
Which means agile methodology doesn’t always work in these institutions. Rather than suggest regulation needs to change, the FCA says “it’s important that firms understand that this isn’t a one-size fits all solution”.
Comments