At the end of October, a Treasury Committee report in the UK said the frequency of online banking crashes and customer disruption had become unacceptable. Steve Baker, the Treasury Committee’s lead member for this inquiry, was quoted as saying:
“The number of IT failures that have occurred in the financial services sector, including TSB, Visa and Barclays, and the harm caused to consumers is unacceptable. The regulators must take action to improve the operational resilience of financial services
sector firms. They should increase the financial sector levies if greater resources are required, ensure individuals and firms are held to account for their role in IT failures, and ensure that firms resolve customer complaints and award compensation quickly.
For too long, financial institutions issue hollow words after their systems have failed, which is of no help to customers left cashless and cut-off.”
Earlier this year, the Bank of England, the PRA and the FCA issued a joint discussion paper (DP 01/18) called ‘Building the UK financial sector’s operational resilience’. There is good reason to take an interest in the discussion about operational stability.
The report at the end of October and the discussion paper are likely to lead to profound changes in the way financial institutions work. There will be big implications for how the payment industry works.
The purpose of DP 01/18 is to start a dialogue with the industry, with the ultimate objective of achieving a ‘step-change’ in the operational resilience of every organisation. The UK authorities’ involvement shows their concern about how the interconnectedness
of the financial system makes it vulnerable, and that they recognise the danger of operational outages including those arising from incidents. Dealing with these is important, and the paper sets out the Regulator’s concerns and approach. Their work will assess
how the resilience and continuity of an organisation’s services might be maintained no matter what has disrupted them.
Financial services organisations will need to review the processes, practices and the culture needed to work effectively and achieve the increased level of operational resilience required.
Innovation and Testing
All financial institutions are investing in new technology as the era of mobile technology, Open Banking and the increasing use of APIs creates a highly dynamic market. The risk of using traditional approaches to testing is growing. While banks are busy
deploying the latest technology and working with agile new suppliers, the fundamentals of their testing frameworks and methods are not commensurately advancing. Their current approach can be characterised thus:
- the absence of either a permanently available test hub or integrated test environment
- the use of armies of staff, often hired from external resource suppliers
- a focus on component-level testing with full end-to-end testing either impossible or extremely costly to achieve
- a per-project budgetary approach for both systems development and testing
- use of complex risk management structures and processes to identify and then mitigate the inherent risks in the current testing approach
- a lack of automated testing
- dependency on manual testing facilitated by a complex maze of simulators (‘stubs’), in-house developed tools and ad-hoc code
- frequent squeeze on the final testing stage – UAT – due to time and budget constraints.
This current approach means that banks are spending huge sums on testing: on people, on one-use test environments and especially on trying to mitigate the significant risks present. All banks are well aware of the damage to customer relationships, reputations
and revenues that IT failures can cause, and of the key role of testing in avoiding these. A new approach is critical and long overdue.
What should a new approach look like?
Many people believe that automating the test process is the silver bullet, but is automation alone the answer? While more automated testing can decrease costs, increase efficiency and, critically, reduce risk, there is no point in banks simply automating
existing bad processes. If you automate a bad testing process, no matter how well, it just becomes an automated bad testing process. Further, it is essential that testing reflects the real world, through a full end-to-end process with all its supporting interfaces
and system idiosyncrasies.
The optimum approach is a combination of refinement and then automation. Banks need firstly to fundamentally review and change their approach to testing – simplifying things, investing to deliver improvements to their current practices and then embracing
automation, taking advantage of the latest testing tools and techniques. This investment in testing technology must rationalise, simplify and automate their testing, providing a full regression testing capability that is always available.
For banks wanting to succeed, testing needs to go beyond automation, which alone is no guarantee of assurance. Only the proposed ground-up review of current approaches to testing, and a strategic investment in appropriate technology, will enable banks to
move from the current state of basic payments testing to one of business assurance.