Daily processes large and small have seen a drastic shift of emphasis towards increased automation as evolving technology has permeated every aspect of people’s lives. Lars Schröder, senior engagement manager at SkySparc, explores the impact of transformational technological advances on central banks’ processes and the need for diligence amid ever-increasing cyber risk.
How did you receive your news this morning? And how did you pay for your coffee? The likelihood is that your morning routine has changed in one way or another over the past 15 years. It’s also likely automation will have played a big part in that change.
Many daily processes – not to mention entire industries, and indeed lives – have been transformed by digital technology innovation since SkySparc started delivering technology consulting services to the finance sector in 2002. Across SkySparc’s core client groups – central banks, commercial banks, asset managers and multinational corporates’ treasury departments – it has seen exponential growth in demand for systems and process automation, integration, testing and enhancement. Although each project has specific, individual drivers, a common objective of clients has been to operate more effectively and sustainably in an ever-faster, ever-more complex and dynamic world.
You might think central banks stand apart, separated from the frenzy of new apps, digitisation and the ‘animal spirits’ of the market. However, if that were ever true, it is now so only to a vanishingly small degree. Whether because of responsibilities for financial stability, payment systems, monetary policy, regulatory supervision or currency issuance, central banks are profoundly impacted by technology-driven changes that continue to disrupt and improve the personal and working lives of individuals. Central banks share many of the same priorities and challenges as commercial entities throughout the finance sector, as they seek to adapt to the constantly evolving landscape of the fourth industrial revolution.
Some established characteristics of central banks remain constant. Their critical importance to systemic stability – both in their national economies and with regard to the global financial framework – makes central banks and other public sector finance institutions more risk-averse than most. However, central banks are responding quickly and with purpose to technology-driven changes in the world around them. They are alert to new risks to systemic stability, and to opportunities provided by fintech innovation to enhance the efficiency of the services they provide to businesses and individuals.
Furthermore, they are reappraising their technology and operating infrastructures to fulfil existing and new roles to the high standards required of them.
The pace and scale of technology-enabled changes currently impacting companies and financial institutions is breathtaking, and very possibly unprecedented. Individually, the potential of application programming interfaces (APIs), cloud computing, blockchain or machine learning – to name just four areas of digital technology innovation – is far-reaching. Collectively, they have the power to create new business models, markets and even paradigms, displacing established market leaders, tried-and-tested market infrastructures and time-honoured business practices.
In this context, it is incumbent on all organisations to adopt a more explicitly outward-facing posture. Firms must be alert to the changing needs and priorities of clients and counterparties, ensuring existing services and processes are still fit for purpose, and developing strategies and capabilities to maintain their relevance and revenues into the future. For corporate treasury departments, this might mean payment analysts working with business units to replace reseller/franchise relationships in foreign markets with direct digital sales – and payment channels – to consumers. For asset managers, operations staff may need to work with custodian banks to get net asset value and other data supplied by real-time feeds, rather than end-of-day formatted PDFs, to help portfolio managers respond quickly to market shocks. Commercial banks are adapting to the open-banking era, deploying APIs to supply liquidity and balance data more interactively to enhance visibility and decision-making for corporate and institutional clients.
For central banks, the influence of technology innovation is barely less transformative. In many countries, this is a period of substantial infrastructure change, with instant payment systems being introduced in jurisdictions worldwide, often conducted in parallel with the renewal of real-time gross settlement systems, notably in Europe. Meanwhile, the advent of alternative digital currencies has significant implications for money supply, prompting internal IT teams to dedicate more time to helping analysts model different scenarios relating to consumer and business use of cryptocurrencies. Furthermore, central banks and other supervisory bodies are becoming more frequent consumers of technology to enhance and streamline regulatory oversight processes.
Across the finance sector, priorities and expectations of IT departments are pivoting toward the front end – in effect, collaborating more with internal and external partners to deliver value. IT skills, budgets and resources are being directed toward outward-facing or client-focused initiatives, and away from traditional support services.
In many respects, the IT and operations staff of large firms and institutions are being transformed from business supporters to business leaders as the deployment of technology has become more integral to the execution of core priorities and strategies. Previously separate, IT departments are now expected to closely integrate with other functions to contribute more fully and more persistently to strategy and customer value. Today, their list of challenges includes: improving collaboration with other departments and lines of business; aligning IT services and skills more closely with strategic goals; using knowledge of technology innovation to identify and refine solutions; and ensuring clients and end-users receive a unified, efficient experience across all interactions.
With fewer systems and applications hosted on-site than in the cloud, IT departments are becoming value-based service aggregators, selecting partners and service providers based on their understanding of evolving business needs. This shift of responsibilities is hardly less advanced in central banks than commercial organisations because of the wide-ranging nature of the changes they face.
Nevertheless, all financial institutions still depend operationally on robust, available, secure, scalable back-end systems and platforms. As such, they are looking more frequently for outsourced support services to take responsibility for operational efficiency and excellence at the back end.
Complex, best-of-breed platforms – including for trading, treasury and portfolio management – still require varying levels of support, including for maintenance and upgrades, quality assurance, security, and performance monitoring and reporting. That said, supporting and maintaining these mission-critical back-end platforms has often been a struggle for financial institutions. Maintaining specialist internal support for sophisticated, deeply integrated platforms can impose a fixed, high cost on firms, without necessarily delivering the skills and insights required to keep such systems in optimal shape and fully upgraded.
In contrast, outsourced support services offer flexible, scalable access to specialists with up-to-the-minute knowledge and expertise that can be deployed as and when it is required within a comprehensive service-level framework. Today, while internal staff are increasing their front-end focus, the case for outsourced support becomes even stronger. In many ways, such arrangements are the template for the collaborations increasingly being established across the supply chain. While outsourced support suppliers underpin end-client trust by ensuring system security, availability and reliability, internal staff can focus on core priorities – speed to market, client responsiveness, new delivery models, and continuous service refinement and development.
As noted, some factors remain constant over time. A more outward-looking stance from central banks does not make them any less cognisant of operational risk. If anything, the opposite is true. A deep awareness of the broader implications for financial systems and structures of the hyperconnectivity of the digital age is apparent across the finance sector in general and within central banking circles in particular.
It is now well-established practice for central banks to take a leading role in monitoring and supervising the cyber security strategies of national financial systems, including the organisation and supervision of ‘war game’ exercises to test resilience. Individually and collectively, central banks are core partners with governments and financial market participants in the evolving fight against cyber crime. In parallel, central banks are taking a vigilant approach to their internal information security arrangements, all the more so since the 2016 breach at Bangladesh Bank, which enabled hackers to access the Swift network and request multibillion dollar transfers.
Systems maintenance is a critical but often overlooked element of any organisation’s cyber security defences. Institutions are under greater threat if their technology infrastructure is not regularly updated to include new bug fixes, code improvements and anti-virus measures. ‘Cyber risk for the financial sector: A framework for quantitative assessment’, published last year by the International Monetary Fund, warned that cyber criminals are now attempting to gain access to central bank systems through multiple points of weakness. The risks posed by out-of-date software were also highlighted in 2017 when the personal data of 143 million US citizens held by credit scoring firm Equifax was accessed via an application vulnerability – for which a fix had been made available.
The problem is not confined to the finance sector. According to solutions provider Tripwire’s 2019 Vulnerability management survey, 34% of European organisations have suffered breaches caused by unpatched vulnerabilities.
Despite their safety-first reputation, central banks have not always followed best practice. As with commercial entities or even private individuals, many central banks’ IT teams have tended to postpone systems upgrades until absolutely necessary – for example, when supplier support runs out. This approach has diminished in recent years, partly in response to the Bangladesh Bank hack, with many central banks and other public sector financial institutions introducing policies requiring all systems to be compliant with the most recent versions of widely-used applications and databases.
Alongside intensifying cyber security threats, increased audit scrutiny and accelerating technology innovation are dictating that mission-critical systems must upgrade more regularly to ensure compatibility with the most secure versions of applications such as Microsoft Windows and SQL Server.
The growing importance of security considerations has spurred the interest of central banks in standardising and automating the processes involved in implementing and testing system upgrades. It’s a well-known rule of automation that the more frequently you have to conduct a task, the keener you are to automate it, and central banks’ approach to system upgrades is no exception.
Critical to this streamlining effort is the generation of a library of automated test packages that can be reused in successive upgrades. In addition, automated pre-testing and unit testing can exponentially increase the number of scenarios tested, eliminating most errors before user acceptance testing by business users. Further, scripted deployment – as opposed to customisation for multiple environments – can eliminate most manual actions. Not only does this level of process automation cut time and cost, but it also requires less involvement from internal IT resources or business users.
This approach can help reduce upgrade projects to a matter of weeks, making them easily repeatable on an annual basis even for complex portfolio and treasury management systems. When one considers it was previously common practice for central banks and other users to upgrade these types of systems every four to five years, one quickly appreciates the positive impact annual upgrades have on cyber security defences.
Upgrade policies are only one element of any organisation’s cyber security strategies that must evolve continually to take account of the ever-changing motivations and techniques of cyber criminals. Other critical factors include the day-to-day monitoring of data and transaction flows with counterparties. Here, too, automation is playing a significant role in supporting staff facing challenging and evolving responsibilities. Operational risk reports have long been used by central banks to monitor any breaks or deviations in market data and other flows that could signify a security breach or critical system failure. Increasingly, the generation and distribution of these risk reports are being automated, shifting staff focus to rapid response to alerts or analysis of trends, rather than manual checking.
Conservative or not, central banks are in the eye of the storm when it comes to the impact of technology-led innovation on the financing needs and behaviours of individuals, companies and governments. They are redirecting their internal resources to where they can have the most beneficial influence. This is a challenging and complex process of reorientation and reallocation. But it is also driving central banks’ pursuit of much-needed efficiencies in terms of automating, streamlining and strengthening operational processes.