The European Central Bank (ECB) will focus on how well equipped banking boardrooms are to understand and control risks emanating from IT operations.
Calls for senior IT executives to join the board are not new, but the latest report on IT risks from Europe’s banking regulator adds a strong voice to them.
In its annual report on banks’ IT risk assessments, the regulator said it would look more closely at the IT expertise of board members at banks, which are increasingly reliant on IT as they digitally transform.
The report, following self-assessments by banks, found that organisations that have a higher number of board members with IT expertise displayed positive characteristics. “These institutions report higher expenditures in terms of IT innovation and closer monitoring of IT risks,” it said.
It added that self-assessments from banks with more IT expertise at board level were more realistic, as “they report their bank’s IT risk levels and controls more prudently as worse”. In general, the ECB warned that banks were “too optimistic” in some IT risk areas.
Critically, banks with more IT expertise on the top table “present themselves as in better control in several IT risk categories, including a lower number of successful cyber attacks and less downtime of critical IT systems”, according to the ECB report.
One senior IT executive in the UK financial services sector, who has held senior roles at numerous banks, said IT executives are frank and honest, which is what the regulators want.
“When IT people go to a meeting, they will be technical and present data, whereas the business people are more political and put a spin on the messages,” he added. “The more IT people who get to the top, the better the industry will be. IT people are trained to be precise, with no room for emotions spun on top of the data.”
Major banks have been increasing their recruitment of top IT professionals from the IT supplier sector in an attempt to better understand the latest technologies.
Santander, for example, is continuing to populate its senior management teams with executives from suppliers. Its latest recruits in the senior tech team include former Amazon executive Sebastian Gunningham, who was appointed vice-chairman of digital banking subsidiary Openbank, and the co-founder of IT services giant Cognizant, Francisco D’Souza, who was appointed group strategic adviser for the development of Santander’s global IT platform. These followed an announcement in March 2019 when the Spanish bank recruited Aiaz Kazi directly from Google as its chief platform officer.
In its report, the ECB said it would also increase focus on the IT outsourcing activities at banks, including the use of cloud-based services. This comes at a time when there has been a flurry of significant deals that have seen banks move workloads into public clouds, including deals between HSBC and Amazon Web Services (AWS) and Deutsche Bank and Google.
The ECB also said it was placing greater emphasis on outsourcing activities – including cloud outsourcing – and their monitoring by banking institutions.
The report found that where data was compiled in early 2019, IT outsourcing expenditure had increased by 10% compared with the previous year. It added that cloud sourcing was growing fast. “Cloud outsourcing is becoming noteworthy, with 3% of the overall IT outsourcing expenditure reportedly spent on cloud.”
The ECB said several banks had reported losses due to unavailability and/or poor quality of outsourced services. “To solve such findings,” it said, “it would be desirable that the outsourcing management processes (including risk management) are improved, service level agreements are constantly monitored, and that institutions pursue a stricter and more comprehensive inclusion of outsourced processes into their internal control framework. This also includes regularly updating business continuity plans, as well as having adequate exit strategies in place.”
Meanwhile, the headache of legacy systems has not yet gone, despite the acceleration of fintech adoption at banks. Banks reliant on legacy systems, described by the ECB as end-of-life systems, for critical banking activities will also see increased attention and support from the ECB in decreasing their dependence on these systems.
“It is desirable that institutions continue working on simplifying their IT systems and ensuring sufficient agility,” said the ECB.