CIO interview: Gavin Scruby, SmartDebit

The CIO of SmartDebit speaks to Computer Weekly about the challenges of balancing innovation with regulatory compliance

As an IT chief in the finance sector, Gavin Scruby, CIO at SmartDebit, needs to balance two competing forces – the strong governance and compliance requirements of a regulated industry and the ability to innovate quickly.

In the past, data protection was largely ignored by non-regulated companies, according to Scruby. “The fear of GDPR [General Data Protection Regulation] is driving a lot of companies to pull this into mainstream processes,” he says. “It often seems that compliance is in opposition to the business.”

But as people learn about their rights and data protection becomes better understood, Scruby believes best practices for data protection will spread across the organisation into every department.

With GDPR and the UK Data Protection Act, Scruby says people are more concerned about their data. This can be advantageous in a small company like SmartDebit, he says, because it is easier to incorporate compliance requirements into its contracts.

Being able to innovate safely in a regulated industry requires the proper checks and balances to be in place, says Scruby. “We have to be very careful how to use new things to ensure that no customer data is accessed. But GDPR makes compliance a lot easier because you can define specific data contracts for customers.”

From an IT perspective, innovation means trying out new and exciting developments. For Scruby, it is important that his team has enough time to investigate new tech trends themselves.

“With day-to-day work, it is really hard to keep up to date with what’s really going on,” he says. “I use a good news aggregator and I follow the Amazon blogs and Information Commissioner blogs and various tech blogs. I try to ready these every day to see if there is anything new that’s relevant to me.”

Attending conferences takes too much time, says Scruby. “The pace of digital transformation is so fast, even being out of the office for a bit requires a lot of planning.”

He says the company does not make much use of cloud services, and where it does, it tends to make use of the service without making custom modifications. For instance, SmartDebit is a Salesforce user, but it does not plug much into it. “We use Salesforce’s own integrations, but we won’t build any more for ourselves,” he says.

As the public cloud companies evolve into fully fledged platform-as-a-service (PaaS) providers, Scruby says businesses need to take into account the greater risks associated with building on top of a cloud platform. “In IT, we have a problem of using an OS [operating system] that is out of date,” he says. “It is not happening in the cloud world yet, but people are starting to build on cloud APIs [application programming interfaces], and there will be incompatibilities.”

For instance, the June update of Google Cloud’s June 2017 depreciation list includes 20 services that will no longer be available after June 2018. Scruby says: “The cloud will be treated as a commodity and you will need to look at obsolescence in the cloud.”

API economy and PSD2

Similarly, many businesses are joining the API economy. The Second Payment Service Directive (PSD2) is coming into force next year and will open up banking APIs. “Everyone has their own API, but very few businesses have their own integrators,” says Scruby. Once third-party APIs are integrated into a company’s core systems, if they ever get changed, the integration must be done again, he warns.

“Our business customers want us to have integration with their systems. It is easy for the sales team to say that if we don’t offer the integration, they will lose the contract. But for us, there needs to be a lot of work done in API development to ensure everything is backward compatible.”

Scruby says a microservices architecture and a service-based model isolate some of the effects of changes to third-party APIs. “You are then able to turn things on and off and configure them so that customers pay for new functionality,” he adds.

Now the challenge for regulated industries such as banking is that they need to ensure their compliance position is not compromised by the third-party services and APIs they connect to.

“When you link to companies, you have to build this into your compliance chains,” says Scruby. “This becomes complex when you have customer contracts that stipulate where their data is held.”

Scruby says large companies are rightly worried about going to small startups for APIs because, within a few years, those APIs may not be there – or the company may not be there. “There are two ways that a large company can innovate,” he says. “It can either buy somebody or it can set up a few small teams and give them the flexibility to work in the way they want to seed new ideas.”

Although it is not a large company, SmartDebit has taken the latter approach. “We have small units that innovate, without access to customer data,” says Scruby. “They either use test data or anonymised data, so they can run closer to the wind.” Once the project is complete, the company can then run a risk analysis on the work to assess its suitability within the business, he says.

The risk of innovating quickly was highlighted when challenger bank Monzo fell over in 2016. According to the bank’s blog, this happened because of a configuration error in the migration of its Cassandra cluster. A day later, its card processor became disconnected from MasterCard, which affected Transport for London (TfL) customers because TfL was unable to process payments and blocked customers’ cards.

Reflecting on Monzo’s downtime, Scruby says: “Monzo innovates very quickly – but you can only go at a certain speed.” In other words, businesses increase the risk of a failure the faster they innovate.

Read more about the API economy

  • Integrating systems and data could pay off big, but publishing an API requires a lifetime commitment to monitoring its use.
  • Nordic bank Nordea prepares for the introduction of the latest banking regulations through a platform that is open to third parties.

As is best practice in business continuity, Smart Debit strives to ensure there is no single point of failure in its systems. Scruby says: “We have dual suppliers where we can, and for BACs [bankers’ automated clearing services], we have two suppliers, but they run over Vocalink – which is a single point of failure.”

For Scruby, security and flexibility are always in contention. He believes the PSD2, which EU member states must implement by 13 January 2018, will create new challenge. “It is very hard to open up APIs on a mainframe,” he says. But once the banks have the basic APIs – which they are mandated to do – it will be possible for people to start creating scripting rules that make use of these APIs.

For instance, Scruby believes that within a decade, open banking APIs will open up a whole industry to help consumers manage their finances automatically based on a set of predefined rules. He argues that this could be as disruptive to banking as eBay was in retail, creating an entirely new industry.

“Once the rule sets exist, you can use IFTTT [if this, then that] and link to Google Home or Amazon Alexa, enabling you to control finances in a fine-grained way,” says Scruby. For instance, it would be possible to provide an IOU rule to pay someone money.

Scruby says such a rule would move credit brokerages outside of traditional banks, so that anyone could offer a simple money-lending service to someone else.

Read more on CW500 and IT leadership skills