Article originally published in The Intermediary Apr 2025 – page 76
At what point do lenders call crunch time on legacy systems? It’s a really hard question to answer, particularly for our largest players, which have almost always grown through a series of mergers and amalgamations of smaller lenders going back decades.
Santander, Lloyds Banking Group, the Royal Bank of Scotland – to name just three – have all grown through acquisitions. It’s a familiar story across the market. The burst of activity changing building societies into banks that happened through the 1980s and 1990s drove a huge amount of brand integration but less technology integration. Then, following the global financial crisis in 2008, another spurt of amalgamations was forced on both banks and building societies that would otherwise have gone to the wall.
It might sound far-fetched, but with backend technology really starting to replace back-office staff for many of the more easily automated processes from the 1980s, the industry’s reliance on legacy technology platforms can go back 30 to 40 years.
Ongoing reluctance
There are lots of good reasons for this, not least because moving customers’ deposit accounts from one platform to another is fraught with risk. Just look at the absolute chaos caused when TSB divested from Lloyds Bank systems following its acquisition by Spanish bank Sabadell in 2018. It took until December 2018 for TSB to return to business-as-usual. TSB has paid £32.7 million in redress to customers who suffered detriment.
You can see why others are reluctant to attempt a complete transfer to new, modern and more cloud-based platforms. Yet this leaves them facing a real conundrum. There is enormous risk if they do move to better-equipped technology. There is enormous – and growing – risk if they don’t. Outdated legacy technology poses serious risks to data security, efficiency, compliance and customer experience. Outdated software is more vulnerable to cyberattacks. Weak security patches leave systems exposed. Hackers target old systems that lack modern encryption and multi-factor authentication.
Dangerous implications
The costs that result when a company suffers a data breach or cyberattack can be eye-watering and cover anything from external IT and data security consultants, legal advice and customer redress to loss of revenue and ransomware payments.
There are operational implications too, both internally and as a consequence of third-party integrations. The CrowdStrike outage last year highlighted just how severe that can prove.
A statement issued by the Financial Conduct Authority in October last year noted that between 2022 and 2023, third-party related issues were the leading cause of operational incidents reported to it.
Following a review of the incident, the FCA found that some regulated firms affected by the outage also provided services that supported other regulated firms' important business services, increasing the impact of the disruption. Firms which had existing relationships and pathways to share information with third-party providers were able to respond more quickly during the outage.
But the reality was that many firms did not. Consequently, the regulator told firms to identify single points of potential failure within their infrastructure and technology stack and make the changes needed to ensure future resilience.
Platforms and operating systems are only part of the issue. For some, the very pipework that supports some of those older systems is unable to cope with the volumes of data that would indeed make for better risk management – if only the information could be delivered through the old infrastructure!
Part of this process has uncovered the critical need for business continuity plans that address the scenario where a third party's infrastructure and systems may fail. We’ve seen lenders tighten their grip on third-party service providers, mainly opting to work with fewer, larger firms. Many are now deciding to have key partners that can deliver a gamut of data solutions from net zero to survey and valuation data.
We’ve also seen lenders keen to procure systems on different builds and devices with different operating systems, while some have considered updating change management processes for third parties with deep-level system access.
Lenders were told to get their houses in order by March this year. It hasn’t proven to be crunch time for phasing out legacy systems but it has woken many up to the fact that the balance of risk may now be tipping the other way. The question for organisations is, do they change now, wait to be told or wait until it is too late?

