Faltering steps

• Article 3 of 77
• Information Age, December 2000
• View the original article online

Page 1 | Page 2 | All 2 Pages

Online banking is going to be the new rock-and-roll for banks looking to save costs and offer new services to customers. Although there are only around 20 companies currently offering Internet banking services in the UK, research by investment bank JP Morgan predicts that the industry will be worth £1 billion across Europe within the next three years. And IT research firm Datamonitor predicts that 5.35 million people will bank online by 2004, compared to 1.05 million in 1999.

But so much depends on consumer confidence, and given the frequent bugs and glitches suffered by several of the UK’s leading online financial services providers, it is at a low ebb. “Offering banking services over the Internet breaks all of the security rules that banks have traditionally relied on,” says Martin Sutherland, head of the information security division at Smith Group. Their IT systems, he says, have traditionally been unconnected to the outside world and security used to just be about the internal audit of your employees and systems. “As soon as you connect your systems to the outside world, you give your customers access effectively to the crown jewels of the organisation.”

When insurance giant Prudential’s Egg launched in 1998, customers suffered long delays in trying to open accounts. At around the same time, the Halifax had to temporarily close its online share-dealing service after a regular software upgrade introduced a security flaw. In June 2000, Cahoot, the online banking venture owned by Abbey National, broke down 45 minutes after it was launched because of demand and volume issues and suffered further problems in its first week while computers were repaired. Barclays had to shut down its online service in August after around 10 of its customers were able to gain access to other people’s accounts. Dutch bank ABN Amro was forced to replace the software at the heart of its Internet banking service after a Dutch TV programme showed how hackers could manipulate client data and transfer payments into their own accounts.

“To some extent, it’s an unfair comparison,” says James Hart, director of European business affairs at efinance monitoring company Gomez. “When you go into a bank branch, you’ll sometimes be told the systems are down. No-one hears about it, though. On the Internet, though, there’s no such thing as privacy, so if there’s a problem, everyone hears about it.” So it’s not enough to produce systems as good as current in-house offerings – they have to be better and able to cope with many more concurrent users.

“The problem with dealing with demand is that it is very difficult to anticipate,” says Charlotte Hamilton, associate analyst at Forrester Research. David Webber, managing director at Lynx Financial Systems, agrees. Many of the technology tools being used have been around for a while and have been used trouble-free in other applications, he says. But online banking is an inherently far riskier proposition. “When you start dealing with potential capacities of 100,000 online users at the same time, that’s a significantly bigger challenge than many of the traditional call centre-based mortgage operations that have been launched,” he says.

Dirk Marzluf of First-e, which suffered similar performance problems when it started its UK offering, concurs. “If you’re setting up an ebank, make sure you have a good architect. The first version of any system is rarely perfect, but if you have a good architect, you can correct that. If you don’t, it’s very hard to correct.” His company had to completely overhaul their systems, removing the Brocat-built engine underneath and replacing it with Inprise Application Server and a custom engine built using Borland Jbuilder and PL-SQL to cope with the demand. The bank was also able to take advantage of the loosening of US export law to allow 128-bit encryption to be used in software and hardware sold to Europe. Says Marzluf, “we were using a European solution which didn’t scale well. 128-bit encryption is a standard and everyone in the US has been working on it so it scales a lot better. We were able to use an off-the-shelf system to replace the existing one.”

But Phil Ryan, head of information security at Peapod, argues that although volume and demand problems may have been a valid issue for the early entrants, it cannot be used as an excuse now. “Egg and others have been around for ages now and statistics about how many customers they’ve signed up have been freely banded around,” he says. “I don’t think this excuse holds water with companies coming up with offerings now. From what I’ve seen people have been hitting less than the figures that they’ve been expecting.”

“One of the design features you should build into these systems from day one is scalability, so as the service grows you can grow with it,” says Sutherland. “The technology you need for transactions over the Internet is not that complicated. You just have to configure it right.”

“What we’re talking about is systems integration,” says David Sayer, a partner in the financial services team at PricewaterhouseCoopers. He says that for Internet banking the level of integration required is far higher than that for a normal integration job because of a need for more interfaces and other components. “As the middleware market matures companies will be able to cut their business into more segments and manage them better.” But Hamilton argues that the capabilities for building middleware technology between legacy systems and new channel interfaces already exist but that surprisingly few banks have put them in place. This is either through cost or because some banks are structured into product fiefdoms, making it very difficult to get cooperation between different product groups and an agreed spend on the development of such systems. “It’s not just a case of pushing individual products, but integrating the services for consumers’ ease of use online,” she says. “Banks have pushed to get their products out, not always thinking carefully about capacity and demand.”

Another reason has been a reluctance to outsource anything that is not a core competence, often where security is concerned. “There are a lot of technical people who’ve decided they are involved in security because they build websites or other Internet projects,” says Ryan. “It’s a bit like getting your medical advice from someone you meet in the queue at Sainsbury’s.” After all, a bank’s core expertise should be providing financial services and building the customer relationship. “They [online banks] would be best off in many circumstances bringing in outside help on the IT front and particularly in specialist areas such as security systems,” says Hamilton.

Page 1 | Page 2 | All 2 Pages