Sigrún Davíðsdóttir's Icelog

One of the things that the HSBC whistleblower Hervé Falciani has pointed out is the mess the HSBC computer system was with all the inherent safety risks involved, not to mention that it made it difficult for the bank to have any meaningful overview.

There are several reasons why Falciani’s statement does not come as a surprise. The Anton Valukas’ report on Lehman tells i.a. the story of a big bank with a patchwork of computer systems and applications. And there have been several spectacular IT failures in banks, i.a. at the RBS in December 2013 when the bank admitted to underinvestment in IT “For decades…”

Also, over the years sporadically talking to people working on IT in banks, I got the clear idea that IT costs were a source of irritation for many managers: many of them found it difficult to understand the costs and what benefit could be derived from the suggested improvements. IT people are or at least were low in the banking pecking order.

Lehman – a patchwork of over 2600 computer systems

The share size of the Lehman system was staggering: “The available universe of Lehman e‐mail and other electronically stored documents is estimated at three petabytes of data – roughly the equivalent of 350 billion pages.” 

When Valukas set about to organise the operation of mining the Lehman system for his report he was faced with the daunting task of extracting information from a patchwork of over 2600 computer systems and applications. The way the report deals with this attempt and success in mastering the material feels to be a story told with some understatement. But the share size was only part of the problem (emphasis mine):

Many of Lehman’s systems were arcane, outdated or non‐standard. Becoming proficient enough to use the systems required training in some cases, study in others, and trial and error experimentation in others. In numerous instances, the Examiner’s professionals would request access to a particular system, expend the time necessary to learn how to use the system and only then discover that access to two or three additional systems was required to answer the necessary questions. Lehman’s systems were highly interdependent, but their relationships were difficult to decipher and not well documented. It took extraordinary effort to untangle these systems to obtain the necessary information. 

This was the system in a big bank where nothing was spared when it came to bonuses and pay. In a sense Lehman was like a palace with shitty basement toilets, which no one cared about because they were out of sight anyway. Except of course that an “arcane, outdated and non-standard” computer system poses a real security risk, which a ditto toilet does not.

IT staff – low in the banking pecking order

I have heard computer system staff in banks complain about the lack of IT understanding among those who hold the spending power. Those with such power were seen to weigh spending according to parameters of immediate visible effect. Spelling out the disasters that might happen, when nothing has happened for a long time or ever, can be a difficult bargaining position.

A case in point was the RBS computer glitch, which severely affected clients in December 2013. Following the incident RBS admitted the following: “For decades, RBS failed to invest properly in its systems… It will take time, but we are investing heavily in building IT systems our customers can rely on.” – It would be interesting to know exactly what was done and if this has been a sustained process.

This too late – and often too little – has unfortunately very much been the pattern: the promises to do better and invest in IT have come only after the public incidents. It would be interesting to know if the RBS IT staff had been fully aware of the problems and how much it had tried to avert senior managers to the problem.

From IT employees in banks I have over the years heard loud complaints about senior managers who have little understanding for the importance of keeping the systems up to date and investing in the proper IT infrastructure. Asking for funds for IT was (is?) normally met with complaints about costs.

One employee told me that managers were normally reluctant agreeing to costs for things unless they understood the issue at stake themselves and which could be shown to increase profits. Since the level of IT understanding among senior managers was generally low IT was generally seen as only cost.

Banking – where the science of big data has not been appreciated

As many banks in particular those that aim at speedy international growth, HSBC grew by i.a. buying banks. Its Swiss operation where Falciani worked had been bought; the same with the Mexican branch where HSBC was found to have facilitated money laundering for drug lords, resulting in fines of $1.9bn in December 2012.

Banks are in enterprises with old roots and many of them seem to suffer from lack of technical insight among their highest echelon of power. Many senior bank managers in their fifties and older have never been exposed to much technological stuff other than their smart phones.

Over the last many years many big banks seem to have been focusing on growth and inventing new financial products. The feeling is that RBS and Lehman are not the only banks where IT systems have lagged behind, not only in terms of security but also in terms of how to have the best systems for overview. How can internal audit i.a. be meaningful in an international bank with 2600 systems, some of which are “arcane, outdated and non-standard”? Or in a bank with IT underinvestment for decades?

If senior HSBC managers did not know at the time as they have insisted of the bank’s massive failures, both in Switzerland and Mexico, it is also because the proper technology was not in place and probably had not been thought to matter.

Big data, the ability to sift through and derive information from a large set of data can of course be used in many ways within a bank. One of many uses should be to keep track of behaviour that could potentially be criminal. With the kind of patchwork system Lehman had that would hardly have been possible.

True, Lehman collapsed over six years ago, Falciani was working at HSBC eight years ago but the RBS glitch happened only just over a year ago. Banks might have worked miracles on their IT systems lately but the doubt lingers on especially because the IT insight and understanding might still be lacking at the top.

*This post has been cross-posted with Fistful of Euros

Follow me on Twitter for running updates.