Modernising Legacy Systems at Financial Institutions

Modernizing Legacy Systems at Financial Institutions
Modernising Legacy Systems at Financial Institutions

Managing Technical Debt Is the Key to Maintaining Momentum


Executive Summary

It has been three years since Protiviti published The Road to Renewal: Modernising Aging Core Systems at Financial Institutions. Technology and consumer expectations have both evolved considerably since that time. The cloud has matured and gained acceptance as viable infrastructure; architectures supporting microservices and application programming interfaces (APIs) have also matured to create new opportunities. Fintechs have chipped away at traditional banking services and, notably, increased the focus on the consumer experience. Big tech companies (Facebook, Amazon, Google and Apple) have emerged as important parts of the financial services ecosystem. Additionally, some of the core renewal projects underway in 2015 have been completed, and several new ones have been announced, providing valuable insights into the progress — or lack thereof — in this space. This update revisits legacy systems modernisation in light of these developments, examines recent case studies, and provides the latest thinking on the subject.

Virtually all products and services offered by financial services companies are technology-enabled, and the rapid evolution of mobile banking and digitisation of processing makes technology even more critical. The technology at the core of most financial institutions, however, is old and outdated — systems dating back to the 1960s — creating nonfunctional technology shortfalls, sometimes known as “technical debt,”[1] resulting in excessive maintenance costs, process and decision-making friction, degraded business agility, and more that can pose strategic risks.

As technical debt goes, the financial services industry (FSI) is an acute case. To address these risks, and manage technical debt, FSI companies need to modernise the legacy systems at the core of their processing environment. This paper, which discusses several core modernisation strategies and explains how organisations can choose which strategy offers the best approach to their specific needs, is intended to serve as a good case study for how to address this critical challenge.

The Need for Modernisation

Aging technology at the heart of the financial services industry has become a significant barrier to success. Incumbents, burdened with obsolete core systems, are struggling to compete with “born digital” market entrants with IT architecture built optimally from the ground up.

As newer technologies, such as the cloud and open APIs, move into the mainstream, it is becoming increasingly difficult for incumbents labouring under the weight of older, less agile systems to compete. Gartner reports that IT operating costs across industries have increased from 67 percent in 2013 to 71 percent in 2017, while IT spend dedicated to digital transformation has decreased from 13 percent to 10 percent.[2]

Accordingly, financial institutions with architecture spanning back decades are finding timely responses to market changes to be a challenge on par with trying to turn a battleship within the turning radius of a speedboat. Although incumbent financial institutions continue to dominate the financial services industry by virtue of their established customer bases, core modernisation or “renewal” is critical if institutions are to maintain their ability to compete given the new realities — specifically, the need for:

  • Simplifying complex operations to derive cost savings and improve customer experience
  • Allowing financial institutions to operate in a more agile manner

  • Adopting new technologies, such as cloud computing, to take advantage of new capabilities and save costs

  • Managing the risk and cost of maintaining aging infrastructures

Although functionally resilient, legacy core systems at most financial institutions lack the flexibility required to deliver the customer experiences consumers have come to expect in the digital age. As the need for speed, flexibility, bandwidth and functionality increases, the problem of trying to move forward on an aging core becomes more acute, resulting in system slowdowns, crashes, product launch delays and wasted money. The accumulation of this technical debt is an existential threat that can no longer be ignored.

In recent years, a number of the traditional banking software vendors, including Accenture, FIS, Fiserv, Infosys, Oracle, SAP, Tata Consultancy Services (TCS) and Temenos, have laboured to convince banks to replace their aging platforms with more modern technologies, while several new (banking-as-a-service) players, including the likes of 11:FS, Finxact, Nymbus and Q2, have also entered the fray. These activities have gained more traction in Asia, Australia and Europe than in North America, where relatively few banks have moved forward — partly because they are aware of notable failures that underscore the risks of these endeavors. Regardless of this “wait and watch” attitude of U.S. banks, a few well-known financial institutions have embarked on core modernisation efforts, with mixed results:

  • BBVA Compass, the U.S. banking arm of Spanish giant BBVA, completed its decade-long digital transformation at an estimated cost of more than €2.4 billion to establish itself as the global leader in legacy system modernisation.[3]
  • Deutsche Bank announced a US$1.1 billion initiative in 2015 to great fanfare, with the expressed intention of cutting the Bank’s 45 different operating systems to four by 2020. It has since eliminated 13 systems, but is having difficulty achieving its 2020 deadline due to cultural turbulence and implementation challenges.[4]
  • Zions Bancorporation became one of the largest U.S. banks to invest in core modernisation, spending more than US$200 million.[5]
  • Capital One began exploring the possibility of cloud infrastructure in 2013. In 2015, the Company started using the cloud for a limited number of small projects. In 2016, it announced a deal with Amazon Web Services and began migrating legacy applications to the cloud.[6]
  • In 2018, U.K. bank TSB became a cautionary tale when a catastrophic glitch in its effort to migrate from a legacy system at Lloyds interrupted service and compromised customer data, resulting in an investigation by the Financial Conduct Authority.[7]
  • Investment bank Goldman Sachs launched a “greenfield” fintech subsidiary, Marcus, in 2016 initially to make consumer loans[8] but is expanding now to other products and services as well.[9]

As a stopgap measure, many banks have taken the interim step of “bolting on” fintech solutions to create a digital facade. Many others have deployed wraparound service and customer engagement layers using low-cost tools such as robotic process automation (RPA) to reduce costs and squeeze a few more years out of their legacy infrastructure.[10]


Without the right leadership and mindset, companies risk becoming digital only on the surface. They make changes, embracing new technology solutions, which give the impression to the customer that they are engaging a digital-ready business. However, the business is not able to meet customer expectations because at its core the business is still analog in the way that it thinks and operates.

Jonathan Wyatt, Managing Director, Global Head of Protiviti Digital


As for the expected benefits of core modernisation, risk mitigation (mostly technological and workforce-related) is the most commonly cited, but FSI chief information officers (CIOs) and IT professionals also point to opportunities for revenue generation (via faster time to market and new opportunities for product and service innovation) and, to a lesser extent, reduced operating costs as primary drivers behind the need for this transformation (see the Top Drivers of IT Core Modernisation Initiatives section). Although not identified as a primary driver, regulatory compliance is a motivating factor for financial institutions, as modernised platforms provide a more suitable foundation for the compliance updates that the industry continues to face.

Click to enlarge

Archaeology of Legacy Technology

Mapping aging technology, including mainframe computers dating back to the 1960s, can seem like an archaeological dig, with layer upon layer of interdependent complex systems buried beneath a surface of new technology supporting websites, mobile solutions and advanced analytics. Most of these systems are written in COBOL, a programming language developed more than 60 years ago that’s supported by a dwindling workforce of aging programmers — many of whom are approaching retirement.

In most cases, these platforms reliably perform the functions they were designed to support, but each layer comes with its own technical debt. The monolithic design of these systems and the processes that support them, for example, are not well-suited to the fast-paced, agile nature of the digital world. As a result, organisations dependent on these aging platforms often find it difficult to respond to market opportunities or risks or adopt emerging technologies in a timely manner. In some cases, the platforms and their complex integrations also create security risks and compliance reporting challenges.

One of the biggest hurdles to overcome in making a case for core modernisation is the fact that while the technology might be outdated, it has worked well over the years. As long as ATMs continue to dispense money, why invest all the time, effort and resources to replace the 25 systems that had to be cobbled together to make that happen? This “If it’s not broken, why fix it?” attitude is reinforced by horror stories of past core modernisation failures that make IT and business leaders reluctant to embark on a highly disruptive, costly and prolonged modernisation process. Finally, the obscure nature of an aging core, labouring away out of sight and out of mind, simply makes it easier to say “no.”

While many companies choose to ignore or downplay the need for core modernisation, the reality is their born-digital competitors are better positioned to provide a good customer experience and dominate in the marketplace. They won’t be held back by the expense and damage to their reputation when aging systems can no longer be patched together.


Many organisations must face the reality that older legacy systems often don’t integrate well with the latest generation of technology — but find the prospect of addressing this acute form of “technical debt” daunting and fraught with risk. Banks are challenged to simultaneously make their systems more nimble and permeable (easily accessed and integrated), more customer-centric, more stable, and more secure to pave the way for fintech integration.

Ed Page, Managing Director, Protiviti Financial Services Industry Technology Consulting Practice Leader


Exploring the Core

The IT core of a financial institution is not unlike a geological model of the earth, starting from its center where the oldest systems of record reside and radiating outward to a surface where applications support consumer banking, commercial banking, corporate processes and regulatory activities.

A Simplified Model for Banking Infrastructure

A financial institution can have as many as 1,000 applications within the enterprise.

Most banks use multiple “core” banking systems, which can be defined as key pieces of IT infrastructure and serve as source repositories for information regarding customers, accounts and balances. Examples of core systems include customer information systems, demand deposit account (DDA) systems, savings systems, securities accounting systems, trading systems, payment systems and a variety of accounting systems that support various loan products (including installment loans, commercial loans, and mortgage and home equity loans). These core systems are responsible for delivering fundamental operations for accounts, loan payments and securities. This technology is central to an FSI company’s ability to deliver services to its customers.

Benefits of Core Modernisation

Most core modernisation projects are going to be cost-justified using one of the three “top drivers,” or benefits, mentioned earlier: risk mitigation, revenue generation or cost savings. To those three, however, we would add a fourth: customer experience. This section explores each of these benefits in more depth, drawing on the experience of some prominent FSI examples.

Customer Experience

Customer experience is increasingly critical in today’s digital world, and while the core systems are rarely the direct user interface to consumers, they do supply essential services to the customer-facing platforms. Too often, the interfaces to the core systems are difficult to use or not fit for the purpose, so they can impede a bank’s ability to create the seamless experience that consumers have come to expect or to respond to market opportunities quickly. Capital One has made improving the customer experience — from natural language search to mobile apps to rapid account onboarding — the primary focus of its core modernisation and cloud migration initiatives. Customers can open and close an unlimited number of accounts, according to their individual needs, using the bank’s Capital One 360 online account management feature.

In many cases, banks have wrapped the core systems with a services layer to make customer-facing platforms more user friendly, but this often results in a complex infrastructure that supports a digital veneer, rather than an organisation that is digital to the core.

Revenue Generation

As new technologies, such as the cloud and APIs, enable innovation and reduce the time it takes to launch new products and services, an increasing portion of the business case for core system replacement is being derived from growing revenue opportunities. The concept of open APIs that can be shared outside the enterprise with ecosystem partners is an emerging approach to assembling capabilities to provide new products and services. That could lead to entirely new business models and revenue sources that will be difficult to respond to with today’s legacy systems. BBVA Compass, for example, actively solicits collaboration with fintech startups, touting its open APIs and “sandbox” testing environment as fertile ground for new technologies, such as Dwolla’s transfer payment tool and FutureAdvisor, an automated portfolio analysis and investment advisory service.


Customers take for granted that all the traditional and digital elements of a business will work flawlessly together to create a single unified experience for them. They expect companies to embrace new technologies and social trends the moment they become popular. And if they don’t, the competition is only a click away.

Jonathan Wyatt, Managing Director, Global Head of Protiviti Digital


Cost Savings

Some studies estimate that cost savings ranging from approximately one-quarter to one-third of IT operating costs related to core processing can be achieved through a combination of lower-cost computing platforms and application rationalisation.[11] These savings may be achievable in situations where core modernisation transformations are aimed at consolidating several stand-alone applications and optimising the costs associated with core applications and hardware processing. This type of consolidation also helps banks to reduce significantly the portfolio of systems that require maintenance, which further lowers maintenance and integration costs.

A second cost-reduction opportunity of core modernisation relates to the potential for expanded straight-through processing (STP). With STP, which includes RPA, transactions that were previously subjected to a series of system validations are passed “straight through” the typical processing stages if they meet defined criteria, eliminating the need for manual exception reviews on these transactions. These transactions are identified as having a high degree of systematic accuracy and may not need an individual review by a specialist to ensure that the transaction was valid. By subjecting more transactions to STP techniques, banking processes can become less labour-intensive over time.

These cost-reduction benefits are appealing at a time when many banks believe that they have reaped all the noncore process efficiencies they can squeeze out of their operations.

Risk Mitigation

Keeping core systems in good working order requires significant and ongoing work. Legacy systems often lack adequate documentation, and the number of COBOL and Assembler programmers who have not yet retired diminishes every year, along with the FSI company’s ability to support these systems.

In addition to maintenance risks, most new products are being developed with an eye toward current and future technology, such as the cloud, APIs, blockchain and big data. Legacy systems, typically monolithic applications designed for daily batch processing, simply weren’t designed for the demands of today’s fast-paced, technology-enabled environment.

Another benefit of core modernisation relates to regulatory risks. Since much of the data that supports the required regulatory reporting resides in aging core systems, modernisation creates an opportunity to improve the speed and effectiveness of compliance risk management practises.


COBOL has modules approximately 10 times larger than those used in the more modern languages. Due to its complexity and the fundamental importance of the systems that run on it, changing or adding to these systems becomes difficult and results in a further increase in the amount of tech­nical debt.

Ron Lefferts, Managing Director, Global Leader of Protiviti Technology Consulting


Click to enlarge

Risks and Barriers to Success

Core modernisation projects offer great promise, but they can go terribly awry if undertaken without a clear vision rooted in the business reality of the institution, a well-defined road map and solid programme, and risk management. Every core modernisation effort, regardless of scope, contains risks that should be recognised and mitigated. These include:

  • Customer service risks: Core systems enable many critical customer-facing services, such as payments, that need to be “always on.” These types of systems need to be handled with great care and detailed customer service considerations when they are replaced.
  • Regulatory risks: Regulatory compliance is similar to customer service in that it cannot be “switched off” — even as the systems that service the compliance requirements are put out to pasture. Before aging core systems are replaced, all existing regulatory controls must be present in the new systems.
  • Programme fatigue: Like other large-scale, multiyear corporate initiatives, core modernisation efforts are prone to programme fatigue, which can set in during the lengthy change process.
  • Competing priorities: Due to the length and scope of core modernisation work, these efforts can disrupt progress on other business priorities for months — or even years. That impact can make core modernisation efforts unpopular with business sponsors who would rather invest time and money in their own innovation projects.

Though serious, these challenges are not insurmountable if managed with the proper understanding, preparation and assistance. The magnitude of these risks is less than the impact of delaying or avoiding a core modernisation project, which can rise to the level of a strategic risk simply by not being addressed in a timely manner.

Strategies for Core Modernisation

Every core modernisation project is unique, yet they all have two things in common: They take a long time, and they are expensive. A core modernisation effort can span several years, during which time internal and external environments can change, sometimes dramatically. New executives may arrive while old ones depart, and strategic priorities and budgetary conditions may change. For these reasons, it behooves FSI organisations committed to modernising their core systems to develop a road map outlining the specific modernisation strategy and the processes involved and the capabilities required during that period to ensure the success of their projects.

In addition to all of the traditional project management enablers and processes such transformational enterprise initiatives call for (CEO support, an internal project management office, etc.), core modernisation requires rigorous evaluations regarding crucial “who,” “what,” “when,” “where,” “why” and “how” questions: Why are we doing this? What is the business case? When should we proceed? What will the new enterprise architecture design be? Where will the technology be located (i.e., hosted and/or internal)? Who will help us (our technology and implementation partners)? How will we manage a project of this size in a risk-savvy manner? All of these questions should be asked and answered during the business case and road map development process.

The five briefly summarised strategies that follow represent the most common approaches to core modernisation in FSI companies. It’s important to note that these approaches are not mutually exclusive and may be combined for maximum benefit. In fact, the road map for many organisations may include aspects of several of these approaches. The “right” path forward for any organisation must be grounded in its current state, its organisational objectives and its risk appetite.

  • “Greenfield” core system development: This approach requires starting from scratch with a modern, simplified core system and components. This may be the right approach for a brand-new company or one that spins off from an established FSI corporation. Goldman Sachs used this approach to create a core system for its Marcus consumer lending business.
  • Preserve and protect: This approach leaves existing core systems untouched while wrapping the core with a new layer of technology — typically, service-oriented architecture (SOA) — that can support current and emerging applications. Although SOA is an important innovation that should be part of any modernisation effort, it has been especially popular among institutions that have substantial investments in legacy core infrastructure and want to mitigate the risk of change. Organisations deploying RPA use this strategy.
  • Simplify and rationalise: This approach focuses on taking the complexity out of the surrounding layers of the legacy environment, but leaves the central core in place and customer-facing layers unchanged. The simplification extends to business processes and back-office technology, as well as to the systems that support regulatory compliance functions. An institution may consider this approach when near-term cost reduction is the primary goal.
  • “Big Bang”: This “rip and replace” approach involves a complete overhaul of the aging core, replacing it with modern systems. A bold and potentially risky strategy, this is the approach that worked for BBVA, but failed spectacularly at TSB.
  • Phased migration: In this less drastic version of the Big Bang approach, a new core technology is implemented in an iterative fashion. This new core grows steadily until it is capable of handling all of the other existing layers of systems and applications, which then can be transferred over in a less disruptive manner. Capital One takes this approach.

The ultimate objective of each of the approaches described previously is to renew the core and critical systems so that all of the risks posed by those aging systems are mitigated, if not entirely eliminated. The less disruptive approaches save FSI companies from the steep challenges of a pure “rip and replace” approach, but they also may require further renewal efforts down the road.


Not all technical debt is bad. There are times when it is incurred with the purpose of bringing a product to market or responding to an emerging opportunity or risk more quickly. For example, a company may make a conscious decision to take on debt for a specific business outcome, such as debugging known problems now, with an action plan to “pay it back later” after more thoughtful consideration is given to a design that accommodates future requirements.

Jim DeLoach, Protiviti Managing Director


Picking and Executing a Strategy

Core modernisation requires thoughtful planning and disciplined execution. It is also important to note that it very likely represents only a portion of the technical debt that most financial services firms must “pay down,” so planning should be done in that broader context. But core modernisation is likely to be one of the most acute and stubborn forms of technical debt, so it requires particular attention. With that in mind, here are some critical considerations.

Create a Balance Sheet for Technical Debt

Firms should identify where technical debt exists in their companies, including the potential need for core modernisation, and prioritise the debt based on its impact to existing processes and organisational goals. The balance sheet should be reviewed and updated frequently, and used to create organisational transparency to this otherwise hidden problem.

Understand the Organisation’s Goals and Risk Tolerance

There are a number of potential goals that might be ascribed to core modernisation. In fact, it’s likely a combination of objectives related to organisational agility, cost reduction, risk mitigation and customer experience. These must also be juxtaposed against the organisation’s risk tolerance and willingness to absorb change. Answers to these questions not only help frame the business case for change, they also provide the context for selecting the appropriate modernisation approach for a given enterprise.

Educating Executive Leadership

Organisational leaders need to be educated on the cost — both actual and opportunity — and risk of technical debt, including the acute problem of core modernisation. Only with this understanding will there be the necessary support and active sponsorship for change.

Future-Proof Target Solutions

Technology is evolving at an increasingly rapid pace. That is a critical design consideration for the target state. Organisations should anticipate that change will continue to be the norm, and build for adaptability. One way to approach this is to break monolithic applications into smaller pieces. Creating services and API architectures is an intelligent approach to enabling agility. This approach may also offer a migration strategy for incrementally addressing technology debt.

Wherever Possible, Break Implementations into Bite-Size Pieces

There is a time and place for Big Bang implementations, but they should be the exception, not the rule. Borrowing from the practises of agile software development, implementations should be frequent and incremental. That provides a number of benefits, including risk management, earlier benefit realisation, and the ability to learn and adjust from implementations along the journey. This practise also positions organisations to adapt to change in a world where transformation is no longer a project but a core competency that must be mastered to survive.

Conclusion

Core modernisations are multifaceted, expensive, time-consuming and risk-laden. Organisations should recognise the associated risks — both in addressing and ignoring this acute form of technical debt — and be prepared to mitigate them; what they shouldn’t do is postpone their critical renewal efforts indefinitely because the risks are seen as too great. Continuing to accumulate technical debt by serving outdated core and support systems can grind progress to a halt, stymie innovation and drive business to competitors. Despite the size and difficulty of IT modernisation, the strategic risks of operating with an aging core are far greater than the project risks of renewing the core. And recent experience has shown that project risks can be mitigated through careful planning, including the mapping of current capabilities and matching them with a core modernisation strategy to achieve desired outcomes.


The consequences of failing to innovate are hardly trivial. The emergence of technology-enabled competitors who, unfettered by legacy technology, are able to develop and deploy new products and services faster and more efficiently threatens to leave behind older, more established companies, and especially those that perennially struggle to build innovation into their IT budgets.

Ed Page, Managing Director, Protiviti Financial Services Industry Technology Consulting Practice Leader


Our Technology and Digital Transformation Services

Protiviti’s global IT consulting practise helps CIOs and IT leaders design and implement advanced solutions in IT governance, security, data management, applications and compliance. Protiviti works to address IT security and privacy issues and deploy advanced and customised application and data management structures that not only solve problems but also add value to organisations. Technology will drive your future. With Protiviti, you can be confident it will take you where you want to go.
Protiviti helps companies make the promise of digital transformation a reality. We work collaboratively with you to create a deep understanding of the risks and opportunities presented by emerging technologies and think creatively about how you can use these technologies to improve business performance. Drawing on experts in data and analytics, technology, internal audit, business process, risk, and compliance, we tailor teams of professionals to fit the specific requirements of your transformation programme. These professionals work side-by-side with you at any or all stages of a transformation programme, delivering confidence that the people, processes and technologies involved converge to create value in the future.

Our Financial Services Practise

Protiviti’s global financial services team brings a blend of proven experience and fresh thinking through a unique 50/50 mix of homegrown talent combined with former industry professionals, including risk and technology executives, commercial and consumer lenders, compliance professionals, and financial regulators. As a major global consultancy, we have served more than 75 percent of the world’s largest banks and many of the largest and mid-size brokerage and asset management firms, as well as a significant majority of life, property and casualty insurers, solving our clients’ issues across all three lines of defense within the business to meet the challenges of the future today.

[1]On the Road to Digital Transformation, One Map Does Not Fit All,” by Ed Page, The Protiviti View, June 4, 2018.
[2]Gartner, IT Key Metrics Data 2018: Executive Summary, by Linda Hall, Eric Stegman, Shreya Futela and Disha Badlani, December 11, 2017, pages 42-45.
[3]BBVA: Rebooting Banking for a Digital Economy, Capgemini Consulting, March 3, 2016.
[4]Inside Deutsche Bank’s ‘dysfunctional’ IT division,” by Sarah Butcher, efinancialcareers, April 20, 2018.
[5]Zions Selects Tata’s Platform for Core-Banking Upgrade,” by Sean Sposito, American Banker, November 5, 2013.
[6]Capital One rides the cloud to tech company transformation,” by Sharon Gaudin, Computerworld, December 5, 2016.
[7]TSB IT crisis: bank chief Paul Pester steps down with £1.7m payout,” The Week, September 4, 2018.
[8]Why Goldman Sachs Is Lending to the Middle Class,” by Zeke Faux and Shahien Nasiripour, Bloomberg Businessweek, June 29, 2018.
[9]Marcus by Goldman Sachs Announces Acquisition of Clarity Money,” press release, Goldman Sachs, April 15, 2018.
[10]Ibid.
[11]The Cost Benefits of Core Modernisation, by Robert Hunt, CEB TowerGroup, April 2014.