denisismagilov - Fotolia

IT infrastructure and cyber security ‘critical’ for Student Loans Company future

Upgrades to key systems and cyber defence capability will be required so the non-departmental public body can continue to perform key functions, according to a major review

The Student Loans Company (SLC) will need to prioritise the development of its IT infrastructure and cyber security capabilities to continue  performing its core functions, a major review has found.

A tailored review by the Department for Education into the non - departmental body detected a number of issues around its “fragile” IT setup and concluded that a complete transformation of the SLC’s IT would be needed in the next four years.

“It is widely recognised that the SLC still faces an efficiency gap. Its IT systems are outdated and drive complexity and cost,” universities minister Chris Skidmore said in the review’s foreword.

With about 3,500 employees and a student loan book totalling more than £135bn under management, the SLC’s operation is comparable to a medium-sized bank and services 8.5 million customers and two million applications per year, of which 93.5% are made online.

However, the report noted that a lack of alignment and prioritisation of shareholder requests to the SLC had resulted in a focus on operational issues rather than wider strategic risks.

“Millions of pounds worth of repayment collections are lost or ‘leaked’ every year due to SLC system inefficiencies, legal loopholes, error or fraud,” the review added.

A number of the SLC’s core systems are under-supported and/or out of date, the report stated, adding that the inflexibility of the technology architecture was an issue compounded by the niche nature of the skillsets required to manage and modify it.

The SLC also suffers from high levels of staff attrition – salaries are significantly lower than public sector roles elsewhere or similar roles in banks – with outsourcing providers hired to plug the gaps, the report noted.

“Millions of pounds worth of repayment collections are lost or ‘leaked’ every year due to SLC system inefficiencies, legal loopholes, error or fraud”
Department for Education review

As the SLC loan book grows, “the pressure and complexity of [the IT function] will increase significantly” and a number of high-level recommendations were outlined in the report as the body’s technology was deemed “not fit for a sustainable future”.

The IT estate at the company was built in the 1990s for a “much simpler, lower-volume service”, the report stated. A transformation programme has been developed to address many of the issues around key ageing IT systems, which have been plaguing the body for at least 10 years.

SLC’s strategy to transform its IT includes disaggregating and layering major system elements so new product deployment can be contained within modules, to enable change at a faster, lower risk and cheaper way.

However, the review labelled that workstream as “urgent” and reiterated that updating the IT infrastructure would be a “critical enabler for SLC business and delivery of any potential Post 18 Review reforms”.

Cyber security is another area where  modernisation  at SLC is urgent, according to the report, which noted that security threats could be “greatly reduced”, particularly through training of staff and seasonal contractors to be “cyber aware” of such risks.

In data released under Freedom of Information (FoI) legislation earlier in 2019, the SLC revealed it was targeted in 965,639 attempts to infiltrate its systems in the 2017/18 financial year. The number refers to only three attempts.

Within cyber, the review also stated that the SLC will need to continue to work on a cross-government basis to evolve its preparedness and cited work with the National Cyber Security Council with simulations to test reactions to a cyber security breach as an example.

Data priorities

Making better use of analytics, big data and artificial intelligence is another area outlined in the report where the urgency level was set as “important”. It noted that the SLC had been working to get a better understanding of its approach to data, but argued that SLC’s modelling and analytics function was “fairly under-developed”.

“Whilst systems stabilisation must take priority, there are potentially significant gains in using smart diagnostics processes to understand trends in customer behaviour , flagging risky borrowers and modelling future pay and repay scenarios,” the report stated.

“The necessity to maximise loan book yield will increasingly drive this requirement for more intelligent use of customer data,”  it added.

Other data-related areas where the urgency level was also important include sharing, where broader technical issues need to be resolved such as establishing government-wide agreements on data sharing protocols and systems interfaces.

The document noted that despite progress made around data sharing initiatives so far – for example, the body shares data with HM Revenue & Customs to detect fraud by locating benefits claimants based overseas – there is more to be done around working with departments to support decision-making and boost risk assessments.

IT-related areas outlined in the report where the level of urgency was also set as important included compliance to the General Data Protection Regulation (GDPR), so SLR needs to move from the current basic level of compliance to include areas such as targeted bulk data erasure, secure data transfer, as well as training and introduction of the cultural change required.

When it comes to digital improvements made around customer experience over the past 12 months, the report noted that the SLC was one of the first public sector bodies to introduce full customer service via social networks, with propensity to call reducing consistently.

But there is more to be done in digital service delivery, the report pointed out, as specialist product offerings are still predominantly made using paper-based methods.

Progress around digital has improved steadily as the SLC’s relationship with the Government Digital Service (GDS) improved over the past year, with more collaborative work between teams towards using digital platform

Read more about IT in the public sector

Read more on IT for government and public sector

Data Center
Data Management