The Clash Between Regulatory and Agile IT Practices Must be Resolved
Digitalization has been one of the most important drivers of change in recent decades, resulting in the growth of big tech companies into some of the world’s most valued enterprises.
Their growth and continued relevance can be directly traced to their agile capabilities. In fact, for both new enterprises with new business models and incumbent enterprises attempting to maintain a competitive advantage, the ability to quickly change and adapt is key to staying relevant. The banking industry is not immune from this fact.
To stay relevant in the future and survive in today’s digital world, banks need adaptive processes that allow for optimization, essentially becoming an IT company with a banking license. This can only be accomplished if IT is seen as a key organizational pillar as opposed to being relegated to what amounts to simply a cost center.
In transforming their IT operations to provide the agility today’s world demands, banks have adopted the best practices from tech companies such as Google, Netflix and Spotify.
Best practices like DevOps – Spotify’s model for agile organizations – is a prominent example of a continuous delivery practice embraced widely by the world’s big tech organizations that has migrated to the financial services industry. While this practice makes perfect sense, banks differ drastically from the tech organizations where practices like DevOps originated; one key differentiator is the fact banks are strictly regulated, both in their business practices and in their IT processes.
Often these new optimization practices end up clashing with the controls banks have put in place to mitigate risk. This can result in work-around fixes, which in turn add a layer of unnecessary waste and administrative burden, leading to major inefficiencies.
Transformation Within Banks
To stay relevant in this new playing field, special attention needs to be given to some key industry trends:
- Customer centricity. Across the financial services industry, a major shift has taken place in the positioning of the customer. Many current business models are centered on the customer to provide meaningful, relevant, real-time, omnichannel experiences. However, many incumbent banks are still relying on legacy systems, including batch-based mainframes, that are not able to keep pace with the demand for such experiences.
- New entrants to the market. New entrants like the already mentioned big techs and FinTechs are entering the banking market – some with completely new business models, others with strong optimizations. With the emergence of Open Banking, banks have to allow authorized external parties access to their systems to query customer data (or even execute transactions) on behalf of their customers.
In other words, there has been a shift of ownership of the customer data from banks to the customer. In turn, this has led to FinTech companies entering the banking market with entirely new propositions. For example, Apple will be introducing its Apple Pay Later service by the end of 2022, and both Adyen and Stripe have recently expanded their payments services with banking functionality. Currently these tech companies leverage advantages traditional banks have not been able to replicate. Notably:
- They’re not hampered by history and legacy in their IT processes in comparison to traditional banks.
- All their propositions are customer-centric from the start.
- They have been able to leverage automation as a key enabler from the start.
- They are integrated with the IT systems of multiple banks.
The result is a much more complex landscape that banks must operate within than ever before – instead of a closed, controlled environment, they must now fight to remain relevant in a global, fast-changing, interconnected ecosystem.
- Agility. In the past, the size of an enterprise was one of the key indicators of its relevance. Today, size and relevance are isolated indicators. The ability to change, cope and react in a rapidly evolving world dictates the relevance of an enterprise.
- Global regulations. The regulations and laws a bank must adhere to are ever-growing and becoming stricter each year. As a highly regulated industry, banks are aware of and equipped to adjust to these changing laws and regulations. However, by being forced to compete with big tech and FinTechs, the ability to adapt rapidly to these new laws and regulations is what differentiates a state-of-the-art bank from increasingly irrelevant competitors.
- War for talent. As incumbent banks evolve to more closely resemble IT enterprises with a banking license, they have encountered fierce competition when it comes to recruiting and retaining skilled engineers. Pay is no longer the main attractor, as many engineers have expressed a desire to create impact and engage in meaningful work. The current processes within many banks are not adequately designed to meet the needs and desires of today’s engineers.
Copying Netflix’s IT practices is not enough
Banks have recently invested heavily in trying to adjust their processes to align with those of the big techs and FinTechs.
What we see, however, is that traditional banks are lagging when it comes to speed of delivery and agility. As banks are highly regulated, the required documentation effort and compliance reporting creates drag. It’s obvious that a bank is different from a big tech like Netflix. For example, the risks Netflix faces from non-availability or non-paying customers have implications that differ drastically from a bank. As such, it would be almost naive for a bank to directly copy the way-of-work from big tech.
Banks are well-aware of the risks they face. Being compliant with all laws and regulations and risk mitigation are of utmost importance for the bank. After all, the penalties for failure can be as severe as losing their banking license.
That said, the work attached to regulatory compliance and risk mitigation has not changed much over the years, and as such, doesn’t exactly sit at the forefront of engineering. It’s more probable the engineering population of today wants to make meaningful and relevant contributions to consumer services, a concept equally as valued as how much they’re paid.
Opposing interests or not?
It seems like the engineering experience and the regulations the bank must adhere to are opposing interests. However, this doesn’t have to be the case!
The challenge is to bring the agile way-of-working into sync with the regulated business of the bank. This is not trivial and requires a lot of effort, including automation of adherence to risk and regulatory policies.
The risk and compliance automation:
There are some requirements for risk and compliance automation that must be addressed:
- It needs to be in real-time and relevant to all stakeholders. Most banks currently have to cope with multiple supervisors and regulatory bodies, often on a global scale. The cadence of the information needs of all these stakeholders differs, but is trending toward a real-time requirement. By exposing the relevant information on compliance and risk to these stakeholders in a real-time fashion, the need for long-lived audits will eventually disappear, giving these banks a competitive advantage. The data, its completeness and the gathering of it, must be audited, but not the underlying systems one-by-one.
- Guardrails must be invisible for the engineering community. Banks need the best-of-the-best IT talent, independent of their banking knowledge. That said, banks have a totally different risk profile compared to big techs. To get engineers working without extensive bank compliance, risk and regulation training, risk and compliance expertise has to be abstracted away from them. Engineers must work within specific guardrails in the banking industry; however, those guardrails need to be built in a manner that doesn’t stifle the creative process.
- Guardrails must be structured so they can’t be bypassed. Engineering processes can be flexible to a certain extent, but the guardrails set up need to be firm and should be audited regularly. The setup of these guardrails is of extreme importance as they ensure engineers comply with all regulations and standards required. If there is no possibility to bypass these guardrails, the engineering teams automatically comply with what is needed of them. The owner of the guardrails in that case should take the responsibility to gather and provide all needed evidence in a 24x7 fashion to the users of such information, internal and external.
This approach often requires a shift in the entire organization. Banks will need to work to create multidisciplinary teams of engineering, legal and risk controllers. These teams need to ensure that all obligations to the regulators and similar stakeholders are automated and fully traceable. The moment this is in place, all engineering teams should be able make use of this automation, allowing them to focus squarely on delivering creative solutions and value.
Agile IT practice and compliance go hand in hand when done right
While regulatory requirements put strong pressures on banks, there is room to be agile if IT processes are designed with compliance in mind. As shown, it’s not enough to simply copy best practices from tech companies. Rather, these practices need to be adapted with an eye toward a desired organizational outcome. When done right, however, the organization can eliminate unnecessary oversight and administrative burden, realize genuine efficiencies, attract and retain top-tier engineering talent and more.