Speaking at the 2018 Curious Thinkers Conference in Sydney on Monday (24 September), the chair of the Australian Prudential Regulation Authority (APRA), Wayne Byres, urged the banks to upgrade their IT systems as they are ramping up risks for the financial services industry.
The “backlog of maintenance” work required on the banks’ anachronistic infrastructure demonstrates their “understandable” preference for investing in new technology-enabled products and services and cyber security, according to the chairman, but their existing “patchwork of systems” is not fit for future prudential requirements, such as the mandatory comprehensive credit reporting (CCR) regime.
Mr Byres cited Reserve Bank assistant governor Michele Bullock, who in July warned that technical problems can “disrupt commerce and erode trust of consumers in payment systems”. She referenced outages experienced by major banks Commonwealth Bank and National Australia Bank that affected access to ATMs, EFTPOS, internet banking and mobile banking services.
APRA’s technology risk team reviewed 90 per cent of the banking industry by assets, according to the chair of the prudential regulator, and found that in many instances the banks’ core systems had reached end-of-life or end-of-support “without funded remediation plans in place”.
“There was also limited evidence of adequate escalation and clear reporting of these system health issues and the associated risks at executive and board levels,” Mr Byres added.
The chairman said that these issues reflect “persistent underinvestment” in IT maintenance over a number of years.
More preparation required for CCR
As such, Mr Byres suggested that the banks could be under-prepared for the CCR regime, which requires the big four to provide 50 per cent of their CCR data to credit reporting bodies by 30 September 2018 and 100 per cent by the same date next year, even though Parliament is yet to pass legislation underpinning the regime.
“The complexity of systems and process environments and reliance on manual processes has made the mapping of data lineages, managing data quality and the aggregation of data difficult,” the chairman said.
“Larger ADIs have begun to tackle this through the appointment of chief data officers and the development of enterprise data management frameworks.”
He continued: “A ‘fit for the future’ bank, however, would have long ago built the systems and have high-quality data readily to hand for its own purposes.”
Given the current status of banking infrastructure, significant investments will need to be made by the banks to meet new prudential requirements, according to Mr Byres.
“Our reviews emphasise that, to facilitate new technology, investment budgets need to be increased, not just reprioritised,” the chairman said.
“They will also likely need to be maintained at a higher level than has been the case in the past.”
On the other hand, the chair of the Australian Retail Credit Association (ARCA), Mike Laing, said that the big four banks, along with a number of non-majors and fintechs, are committed to the CCR regime regardless of whether the National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018 passes the Senate.
“Within the major banks, they have numerous projects that they’re trying to get done and CCR is a significant project. There’s a lot of IT spend and process change, so making it mandatory really pushes it close to the top of the pile,” Mr Laing said.
“The majors were always going to do it; it’s just taken longer than it has taken others. That doesn’t reflect any lack of intention to do it; it’s just about prioritisation.”
NAB was the first major bank to sign the “Principles of Reciprocity and Data Exchange” (PRDE) agreement, which ARCA said was designed in consultation with industry to facilitate the sharing of credit data among signatories by setting up a reciprocal data exchange.
“Change is coming”
During his speech at the Curious Thinkers Conference, Mr Byres also announced a new APRA paper on cloud computing, which outlines steps to minimise the risks of cloud usage. Given that the growing trend of outsourcing and partnering with technology providers will result in greater use of cloud-based systems, the chairman said “the prudential supervisors’ ability to ‘kick the tyres’ will be much harder in [the] future without new tools and methods”.
“Like everyone in the industry, APRA recognises change is coming. But sadly, our crystal ball is as cloudy as everyone else’s,” the chairman said.
“We are getting close to the point where it may be possible to offer banking without being a bank. Indeed, at least in concept, it is not inconceivable that a provider of transactional payment services in Australian dollars could emerge that does not have any presence in Australia.
“This will clearly test regulatory statutes and frameworks, which are built on the concept of a single authorised legal entity with a domestic physical presence, undertaking the bulk of critical services in-house. But if, like Uber, consumers flock to the service, can the law stand in the way?”
Mr Byres presented three possible future scenarios: agile fintechs could “eat into the market share” of financial incumbents; tech giants such as Amazon, Facebook and Google could “elbow” their way into the financial sector, as Capgemini recently warned; or incumbents could partner with, subsume or “eat up” smaller competitors using their regulatory and funding advantages.
“For an industry that has built many of its products and practices to take advantage of customer inertia, that ‘awakening’ will only increase the challenges,” the APRA chairman said.