Faltering steps
- Article 3 of 77
- Information Age, December 2000
The early failures of Internet banking provide important lessons for other sectors that think they are ready for ecommerce.
Online banking is going to be the new rock-and-roll for banks looking to save costs and offer new services to customers. Although there are only around 20 companies currently offering Internet banking services in the UK, research by investment bank JP Morgan predicts that the industry will be worth £1 billion across Europe within the next three years. And IT research firm Datamonitor predicts that 5.35 million people will bank online by 2004, compared to 1.05 million in 1999.
But so much depends on consumer confidence, and given the frequent bugs and glitches suffered by several of the UK’s leading online financial services providers, it is at a low ebb. “Offering banking services over the Internet breaks all of the security rules that banks have traditionally relied on,” says Martin Sutherland, head of the information security division at Smith Group. Their IT systems, he says, have traditionally been unconnected to the outside world and security used to just be about the internal audit of your employees and systems. “As soon as you connect your systems to the outside world, you give your customers access effectively to the crown jewels of the organisation.”
When insurance giant Prudential’s Egg launched in 1998, customers suffered long delays in trying to open accounts. At around the same time, the Halifax had to temporarily close its online share-dealing service after a regular software upgrade introduced a security flaw. In June 2000, Cahoot, the online banking venture owned by Abbey National, broke down 45 minutes after it was launched because of demand and volume issues and suffered further problems in its first week while computers were repaired. Barclays had to shut down its online service in August after around 10 of its customers were able to gain access to other people’s accounts. Dutch bank ABN Amro was forced to replace the software at the heart of its Internet banking service after a Dutch TV programme showed how hackers could manipulate client data and transfer payments into their own accounts.
“To some extent, it’s an unfair comparison,” says James Hart, director of European business affairs at efinance monitoring company Gomez. “When you go into a bank branch, you’ll sometimes be told the systems are down. No-one hears about it, though. On the Internet, though, there’s no such thing as privacy, so if there’s a problem, everyone hears about it.” So it’s not enough to produce systems as good as current in-house offerings – they have to be better and able to cope with many more concurrent users.
“The problem with dealing with demand is that it is very difficult to anticipate,” says Charlotte Hamilton, associate analyst at Forrester Research. David Webber, managing director at Lynx Financial Systems, agrees. Many of the technology tools being used have been around for a while and have been used trouble-free in other applications, he says. But online banking is an inherently far riskier proposition. “When you start dealing with potential capacities of 100,000 online users at the same time, that’s a significantly bigger challenge than many of the traditional call centre-based mortgage operations that have been launched,” he says.
Dirk Marzluf of First-e, which suffered similar performance problems when it started its UK offering, concurs. “If you’re setting up an ebank, make sure you have a good architect. The first version of any system is rarely perfect, but if you have a good architect, you can correct that. If you don’t, it’s very hard to correct.” His company had to completely overhaul their systems, removing the Brocat-built engine underneath and replacing it with Inprise Application Server and a custom engine built using Borland Jbuilder and PL-SQL to cope with the demand. The bank was also able to take advantage of the loosening of US export law to allow 128-bit encryption to be used in software and hardware sold to Europe. Says Marzluf, “we were using a European solution which didn’t scale well. 128-bit encryption is a standard and everyone in the US has been working on it so it scales a lot better. We were able to use an off-the-shelf system to replace the existing one.”
But Phil Ryan, head of information security at Peapod, argues that although volume and demand problems may have been a valid issue for the early entrants, it cannot be used as an excuse now. “Egg and others have been around for ages now and statistics about how many customers they’ve signed up have been freely banded around,” he says. “I don’t think this excuse holds water with companies coming up with offerings now. From what I’ve seen people have been hitting less than the figures that they’ve been expecting.”
“One of the design features you should build into these systems from day one is scalability, so as the service grows you can grow with it,” says Sutherland. “The technology you need for transactions over the Internet is not that complicated. You just have to configure it right.”
“What we’re talking about is systems integration,” says David Sayer, a partner in the financial services team at PricewaterhouseCoopers. He says that for Internet banking the level of integration required is far higher than that for a normal integration job because of a need for more interfaces and other components. “As the middleware market matures companies will be able to cut their business into more segments and manage them better.” But Hamilton argues that the capabilities for building middleware technology between legacy systems and new channel interfaces already exist but that surprisingly few banks have put them in place. This is either through cost or because some banks are structured into product fiefdoms, making it very difficult to get cooperation between different product groups and an agreed spend on the development of such systems. “It’s not just a case of pushing individual products, but integrating the services for consumers’ ease of use online,” she says. “Banks have pushed to get their products out, not always thinking carefully about capacity and demand.”
Another reason has been a reluctance to outsource anything that is not a core competence, often where security is concerned. “There are a lot of technical people who’ve decided they are involved in security because they build websites or other Internet projects,” says Ryan. “It’s a bit like getting your medical advice from someone you meet in the queue at Sainsbury’s.” After all, a bank’s core expertise should be providing financial services and building the customer relationship. “They [online banks] would be best off in many circumstances bringing in outside help on the IT front and particularly in specialist areas such as security systems,” says Hamilton.
Much of the blame, however, must fall at the feet of high-level management and the processes by which they operate. Mistakes with Internet ventures can very easily damage reputation and brand and it is the obsession of executive management with getting to market as quickly as possible that has so often exposed the shortcomings of their ventures. Cahoot, for example, went from concept to launch in just three months, admittedly through relying extensively on outsourced providers, but it is now negotiating compensation with them for the damage to its brand after the launch fiasco. “It’s a very competitive market place now, so there is going to be an element of rushing things to the market place purely to beat the competitors,” argues Jim Spowart, chief executive of Intelligent Finance. “We took the decision to hold back and solve the problem, so we haven’t rushed it through.”
“There was a general sense that if you didn’t get on this particular bus, you were going to be left behind as an organisation. That’s what all the doom merchants were saying,” says Webber. “We got to the stage where we saw an enormous number of organisations in panic and following the pack.” The fact that the banks were using new technologies in a new medium was not the real reason behind their problems, argues Webber. Rather it was because executive management decided to neglect the core project disciplines that people have been using for generations in software development. “All these problems could have been avoided just by applying legacy project management and project discipline. All of these problems would have been identified by sufficient testing,” he says, identifying Intelligent Finance as ultimately doing the sensible thing by delaying its launch.
Ryan illustrates the different attitudes taken by those building online banking ventures and those responsible for managing them: “After building an e-commerce site, the planners say it’s time to test for security, modify things where necessary, and take expert advice on any changes. But the answer they often get is ‘we don’t have time for that, we’re going live tomorrow’.” That’s not to say, though, that banks have compromised security in their keenness to get to market. “The bogeyman of Internet security makes for some good public awareness stories,” quips Webber. “But any vendors or banks I’ve spoken to about this know that security is always right up there on their agenda. With most financial institutions, it’s priority number one.” Sometimes, though, it is the dubious tactics of parties working closely with management that are to blame, rather than management itself: “In the flurry of fervour of getting to market…. a lot of business consultants and a lot of unscrupulous vendors have taken the position that you can develop the technology at the speed of light, that there was a new Internet speed to the development process. The corollary of this is that a lot of organisations have probably abandoned some of the traditional skills in defining the strategic objective,” says Webber.
Lessons could and should have been learnt from Internet banking experience on the other side of the Atlantic. The turnover of Internet customers disgusted by the level of service from online banks in the US has now reached more than 50% a year, leaving many banks scurrying around looking for profits. In the UK, Smile.co.uk, the online banking venture of Cooperative Bank, is the only Internet bank to gain the prestigious BS 7799 Kitemark level of safety and security – a testament to the bank’s adherence to best practice. “They’ve had no adverse publicity and their Smile venture is highly successful,” says Webber. “If you go back to October/November, people in the general marketplace were saying they’re going too slowly, that they were going to miss the boat. But we all know that’s balderdash.”