Modernizing Legacy Systems at Financial Institutions

Managing Technical Debt Is the Key to Maintaining Momentum

Executive Summary

It has been three years since Protiviti published The Road to Renewal: Modernizing Aging Core Systems at Financial Institutions. Technology and consumer expectations have both evolved considerably since that time. The cloud has matured and gained acceptance as viable infrastructure; architectures supporting microservices and application programming interfaces (APIs) have also matured to create new opportunities. Fintechs have chipped away at traditional banking services and, notably, increased the focus on the consumer experience. Big tech companies (Facebook, Amazon, Google and Apple) have emerged as important parts of the financial services ecosystem. Additionally, some of the core renewal projects underway in 2015 have been completed, and several new ones have been announced, providing valuable insights into the progress — or lack thereof — in this space. This update revisits legacy systems modernization in light of these developments, examines recent case studies, and provides the latest thinking on the subject.

Virtually all products and services offered by financial services companies are technology-enabled, and the rapid evolution of mobile banking and digitization of processing makes technology even more critical. The technology at the core of most financial institutions, however, is old and outdated, with systems dating back to the 1960s. This creates nonfunctional technology shortfalls, sometimes known as “technical debt,”[1] which result in excessive maintenance costs, process and decision-making friction, degraded business agility and other problems that can pose strategic risks.

As technical debt goes, the financial services industry (FSI) is an acute case. To address these risks, and manage technical debt, FSI companies need to modernize the legacy systems at the core of their processing environment. This paper, which discusses several core modernization strategies and explains how organizations can choose which strategy offers the best approach to their specific needs, is intended to serve as a good case study for how to address this critical challenge.

The Need for Modernization

Aging technology at the heart of the financial services industry has become a significant barrier to success. Incumbents, burdened with obsolete core systems, are struggling to compete with “born digital” market entrants with IT architecture built optimally from the ground up.

As newer technologies, such as the cloud and open APIs, move into the mainstream, it is becoming increasingly difficult for incumbents laboring under the weight of older, less agile systems to compete. Gartner reports that IT operating costs across industries have increased from 67 percent in 2013 to 71 percent in 2017, while IT spend dedicated to digital transformation has decreased from 13 percent to 10 percent.[2]

Accordingly, financial institutions with architecture spanning back decades are finding timely responses to market changes to be a challenge on par with trying to turn a battleship within the turning radius of a speedboat. Although incumbent financial institutions continue to dominate the financial services industry by virtue of their established customer bases, core modernization or “renewal” is critical if institutions are to maintain their ability to compete given the new realities — specifically, the need for:

  • Simplifying complex operations to derive cost savings and improve customer experience
  • Allowing financial institutions to operate in a more agile manner
  • Adopting new technologies, such as cloud computing, to take advantage of new capabilities and save costs
  • Managing the risk and cost of maintaining aging infrastructures

Although functionally resilient, legacy core systems at most financial institutions lack the flexibility required to deliver the customer experiences consumers have come to expect in the digital age. As the need for speed, flexibility, bandwidth and functionality increases, the problem of trying to move forward on an aging core becomes more acute, resulting in system slowdowns, crashes, product launch delays and wasted money. The accumulation of this technical debt is an existential threat that can no longer be ignored.

In recent years, a number of the traditional banking software vendors, including Accenture, FIS, Fiserv, Infosys, Oracle, SAP, Tata Consultancy Services (TCS) and Temenos, have labored to convince banks to replace their aging platforms with more modern technologies, while several new (banking-as-a-service) players, including the likes of 11:FS, Finxact, Nymbus and Q2, have also entered the fray. These activities have gained more traction in Asia, Australia and Europe than in North America, where relatively few banks have moved forward — partly because they are aware of notable failures that underscore the risks of these endeavors. Regardless of this “wait and watch” attitude of U.S. banks, a few well-known financial institutions have embarked on core modernization efforts, with mixed results:

  • BBVA Compass, the U.S. banking arm of Spanish giant BBVA, completed its decade-long digital transformation at an estimated cost of more than €2.4 billion to establish itself as the global leader in legacy system modernization.[3]
  • Deutsche Bank announced a US$1.1 billion initiative in 2015 to great fanfare, with the expressed intention of cutting the Bank’s 45 different operating systems to four by 2020. It has since eliminated 13 systems, but is having difficulty achieving its 2020 deadline due to cultural turbulence and implementation challenges.[4]
  • Zions Bancorporation became one of the largest U.S. banks to invest in core modernization, spending more than US$200 million.[5]
  • Capital One began exploring the possibility of cloud infrastructure in 2013. In 2015, the Company started using the cloud for a limited number of small projects. In 2016, it announced a deal with Amazon Web Services and began migrating legacy applications to the cloud.[6]
  • In 2018, U.K. bank TSB became a cautionary tale when a catastrophic glitch in its effort to migrate from a legacy system at Lloyds interrupted service and compromised customer data, resulting in an investigation by the Financial Conduct Authority.[7]
  • Investment bank Goldman Sachs launched a “greenfield” fintech subsidiary, Marcus, in 2016 initially to make consumer loans[8] but is expanding now to other products and services as well.[9]

As a stopgap measure, many banks have taken the interim step of “bolting on” fintech solutions to create a digital facade. Many others have deployed wraparound service and customer engagement layers using low-cost tools such as robotic process automation (RPA) to reduce costs and squeeze a few more years out of their legacy infrastructure.[10]

Without the right leadership and mindset, companies risk becoming digital only on the surface. They make changes, embracing new technology solutions, which give the impression to the customer that they are engaging a digital-ready business. However, the business is not able to meet customer expectations because at its core the business is still analog in the way that it thinks and operates.
Jonathan Wyatt

As for the expected benefits of core modernization, risk mitigation (mostly technological and workforce-related) is the most commonly cited, but FSI chief information officers (CIOs) and IT professionals also point to opportunities for revenue generation (via faster time to market and new opportunities for product and service innovation) and, to a lesser extent, reduced operating costs as primary drivers behind the need for this transformation (see the Top Drivers of IT Core Modernization Initiatives section). Although not identified as a primary driver, regulatory compliance is a motivating factor for financial institutions, as modernized platforms provide a more suitable foundation for the compliance updates that the industry continues to face.

Archaeology of Legacy Technology

Mapping aging technology, including mainframe computers dating back to the 1960s, can seem like an archaeological dig, with layer upon layer of interdependent complex systems buried beneath a surface of new technology supporting websites, mobile solutions and advanced analytics. Most of these systems are written in COBOL, a programming language developed more than 60 years ago that’s supported by a dwindling workforce of aging programmers — many of whom are approaching retirement.

In most cases, these platforms reliably perform the functions they were designed to support, but each layer comes with its own technical debt. The monolithic design of these systems and the processes that support them, for example, are not well-suited to the fast-paced, agile nature of the digital world. As a result, organizations dependent on these aging platforms often find it difficult to respond to market opportunities or risks or adopt emerging technologies in a timely manner. In some cases, the platforms and their complex integrations also create security risks and compliance reporting challenges.

One of the biggest hurdles to overcome in making a case for core modernization is the fact that while the technology might be outdated, it has worked well over the years. As long as ATMs continue to dispense money, why invest all the time, effort and resources to replace the 25 systems that had to be cobbled together to make that happen? This “If it’s not broken, why fix it?” attitude is reinforced by horror stories of past core modernization failures that make IT and business leaders reluctant to embark on a highly disruptive, costly and prolonged modernization process. Finally, the obscure nature of an aging core, laboring away out of sight and out of mind, simply makes it easier to say “no.”

While many companies choose to ignore or downplay the need for core modernization, the reality is their born-digital competitors are better positioned to provide a good customer experience and dominate in the marketplace. They won’t be held back by the expense and damage to their reputation when aging systems can no longer be patched together.

Many organizations must face the reality that older legacy systems often don’t integrate well with the latest generation of technology — but find the prospect of addressing this acute form of “technical debt” daunting and fraught with risk. Banks are challenged to simultaneously make their systems more nimble and permeable (easily accessed and integrated), more customer-centric, more stable, and more secure to pave the way for fintech integration.
Ed Page

Exploring the Core

The IT core of a financial institution is not unlike a geological model of the earth, starting from its center where the oldest systems of record reside and radiating outward to a surface where applications support consumer banking, commercial banking, corporate processes and regulatory activities.

Most banks use multiple “core” banking systems, which can be defined as key pieces of IT infrastructure and serve as source repositories for information regarding customers, accounts and balances. Examples of core systems include customer information systems, demand deposit account (DDA) systems, savings systems, securities accounting systems, trading systems, payment systems and a variety of accounting systems that support various loan products (including installment loans, commercial loans, and mortgage and home equity loans). These core systems are responsible for delivering fundamental operations for accounts, loan payments and securities. This technology is central to an FSI company’s ability to deliver services to its customers.

Benefits of Core Modernization

Most core modernization projects are going to be cost-justified using one of the three “top drivers,” or benefits, mentioned earlier: risk mitigation, revenue generation or cost savings. To those three, however, we would add a fourth: customer experience. This section explores each of these benefits in more depth, drawing on the experience of some prominent FSI examples.

Customer Experience

Customer experience is increasingly critical in today’s digital world, and while the core systems are rarely the direct user interface to consumers, they do supply essential services to the customer-facing platforms. Too often, the interfaces to the core systems are difficult to use or not fit for the purpose, so they can impede a bank’s ability to create the seamless experience that consumers have come to expect or to respond to market opportunities quickly. Capital One has made improving the customer experience — from natural language search to mobile apps to rapid account onboarding — the primary focus of its core modernization and cloud migration initiatives. Customers can open and close an unlimited number of accounts, according to their individual needs, using the bank’s Capital One 360 online account management feature.

In many cases, banks have wrapped the core systems with a services layer to make customer-facing platforms more user friendly, but this often results in a complex infrastructure that supports a digital veneer, rather than an organization that is digital to the core.

Revenue Generation

As new technologies, such as the cloud and APIs, enable innovation and reduce the time it takes to launch new products and services, an increasing portion of the business case for core system replacement is being derived from growing revenue opportunities. The concept of open APIs that can be shared outside the enterprise with ecosystem partners is an emerging approach to assembling capabilities to provide new products and services. That could lead to entirely new business models and revenue sources that will be difficult to respond to with today’s legacy systems. BBVA Compass, for example, actively solicits collaboration with fintech startups, touting its open APIs and “sandbox” testing environment as fertile ground for new technologies, such as Dwolla’s transfer payment tool and FutureAdvisor, an automated portfolio analysis and investment advisory service.

Cost Savings

Some studies estimate that cost savings ranging from approximately one-quarter to one-third of IT operating costs related to core processing can be achieved through a combination of lower-cost computing platforms and application rationalization.[11] These savings may be achievable in situations where core modernization transformations are aimed at consolidating several stand-alone applications and optimizing the costs associated with core applications and hardware processing. This type of consolidation also helps banks to reduce significantly the portfolio of systems that require maintenance, which further lowers maintenance and integration costs.

A second cost-reduction opportunity of core modernization relates to the potential for expanded straight-through processing (STP). With STP, which includes RPA, transactions that were previously subjected to a series of system validations are passed “straight through” the typical processing stages if they meet defined criteria, eliminating the need for manual exception reviews on these transactions. These transactions are identified as having a high degree of systematic accuracy and may not need an individual review by a specialist to ensure that the transaction was valid. By subjecting more transactions to STP techniques, banking processes can become less labor-intensive over time.

These cost-reduction benefits are appealing at a time when many banks believe that they have reaped all the noncore process efficiencies they can squeeze out of their operations.

Risk Mitigation

Keeping core systems in good working order requires significant and ongoing work. Legacy systems often lack adequate documentation, and the number of COBOL and Assembler programmers who have not yet retired diminishes every year, along with the FSI company’s ability to support these systems.

In addition to maintenance risks, most new products are being developed with an eye toward current and future technology, such as the cloud, APIs, blockchain and big data. Legacy systems, typically monolithic applications designed for daily batch processing, simply weren’t designed for the demands of today’s fast-paced, technology-enabled environment.

Another benefit of core modernization relates to regulatory risks. Since much of the data that supports the required regulatory reporting resides in aging core systems, modernization creates an opportunity to improve the speed and effectiveness of compliance risk management practices.


Customers take for granted that all the traditional and digital elements of a business will work flawlessly together to create a single unified experience for them. They expect companies to embrace new technologies and social trends the moment they become popular. And if they don’t, the competition is only a click away.
Jonathan Wyatt

COBOL has modules approximately 10 times larger than those used in the more modern languages. Due to its complexity and the fundamental importance of the systems that run on it, changing or adding to these systems becomes difficult and results in a further increase in the amount of technical debt.
Ron Lefferts

Risks and Barriers to Success

Core modernization projects offer great promise, but they can go terribly awry if undertaken without a clear vision rooted in the business reality of the institution, a well-defined road map, and solid program and risk management. Every core modernization effort, regardless of scope, contains risks that should be recognized and mitigated. These include:

  • Customer service risks: Core systems enable many critical customer-facing services, such as payments, that need to be “always on.” These types of systems need to be handled with great care and detailed customer service considerations when they are replaced.
  • Regulatory risks: Regulatory compliance is similar to customer service in that it cannot be “switched off” — even as the systems that service the compliance requirements are put out to pasture. Before aging core systems are replaced, all existing regulatory controls must be present in the new systems.
  • Program fatigue: Like other large-scale, multiyear corporate initiatives, core modernization efforts are prone to program fatigue, which can set in during the lengthy change process.
  • Competing priorities: Due to the length and scope of core modernization work, these efforts can disrupt progress on other business priorities for months — or even years. That impact can make core modernization efforts unpopular with business sponsors who would rather invest time and money in their own innovation projects.

Though serious, these challenges are not insurmountable if managed with the proper understanding, preparation and assistance. The magnitude of these risks is less than the impact of delaying or avoiding a core modernization project, which can rise to the level of a strategic risk simply by not being addressed in a timely manner.

Strategies for Core Modernization

Every core modernization project is unique, yet they all have two things in common: They take a long time, and they are expensive. A core modernization effort can span several years, during which time internal and external environments can change, sometimes dramatically. New executives may arrive while old ones depart, and strategic priorities and budgetary conditions may change. For these reasons, it behooves FSI organizations committed to modernizing their core systems to develop a road map outlining the specific modernization strategy, the processes involved and the capabilities required during that period to ensure the success of their projects.

In addition to all of the traditional project management enablers and processes such transformational enterprise initiatives call for (CEO support, an internal project management office, etc.), core modernization requires rigorous evaluations regarding crucial “who,” “what,” “when,” “where,” “why” and “how” questions: Why are we doing this? What is the business case? When should we proceed? What will the new enterprise architecture design be? Where will the technology be located (i.e., hosted and/or internal)? Who will help us (our technology and implementation partners)? How will we manage a project of this size in a risk-savvy manner? All of these questions should be asked and answered during the business case and road map development process.

The five briefly summarized strategies that follow represent the most common approaches to core modernization in FSI companies. It’s important to note that these approaches are not mutually exclusive and may be combined for maximum benefit. In fact, the road map for many organizations may include aspects of several of these approaches. The “right” path forward for any organization must be grounded in its current state, its organizational objectives and its risk appetite.

  • “Greenfield” core system development: This approach requires starting from scratch with a modern, simplified core system and components. This may be the right approach for a brand-new company or one that spins off from an established FSI corporation. Goldman Sachs used this approach to create a core system for its Marcus consumer lending business.
  • Preserve and protect: This approach leaves existing core systems untouched while wrapping the core with a new layer of technology — typically, service-oriented architecture (SOA) — that can support current and emerging applications. Although SOA is an important innovation that should be part of any modernization effort, it has been especially popular among institutions that have substantial investments in legacy core infrastructure and want to mitigate the risk of change. Organizations deploying RPA use this strategy.
  • Simplify and rationalize: This approach focuses on taking the complexity out of the surrounding layers of the legacy environment, but leaves the central core in place and customer-facing layers unchanged. The simplification extends to business processes and back-office technology, as well as to the systems that support regulatory compliance functions. An institution may consider this approach when near-term cost reduction is the primary goal.
  • “Big Bang”: This “rip and replace” approach involves a complete overhaul of the aging core, replacing it with modern systems. A bold and potentially risky strategy, this is the approach that worked for BBVA, but failed spectacularly at TSB.
  • Phased migration: In this less drastic version of the Big Bang approach, a new core technology is implemented in an iterative fashion. This new core grows steadily until it is capable of handling all of the other existing layers of systems and applications, which then can be transferred over in a less disruptive manner. Capital One takes this approach.

The ultimate objective of each of the approaches described previously is to renew the core and critical systems so that all of the risks posed by those aging systems are mitigated, if not entirely eliminated. The less disruptive approaches save FSI companies from the steep challenges of a pure “rip and replace” approach, but they also may require further renewal efforts down the road.

Not all technical debt is bad. There are times when it is incurred with the purpose of bringing a product to market or responding to an emerging opportunity or risk more quickly. For example, a company may make a conscious decision to take on debt for a specific business outcome, such as debugging known problems now, with an action plan to “pay it back later” after more thoughtful consideration is given to a design that accommodates future requirements.
Jim DeLoach

Picking and Executing a Strategy

Core modernization requires thoughtful planning and disciplined execution. It is also important to note that it very likely represents only a portion of the technical debt that most financial services firms must “pay down,” so planning should be done in that broader context. But core modernization is likely to be one of the most acute and stubborn forms of technical debt, so it requires particular attention. With that in mind, here are some critical considerations.

Create a Balance Sheet for Technical Debt

Firms should identify where technical debt exists in their companies, including the potential need for core modernization, and prioritize the debt based on its impact to existing processes and organizational goals. The balance sheet should be reviewed and updated frequently, and used to create organizational transparency to this otherwise hidden problem.

Understand the Organization’s Goals and Risk Tolerance

There are a number of potential goals that might be ascribed to core modernization. In fact, it’s likely a combination of objectives related to organizational agility, cost reduction, risk mitigation and customer experience. These must also be juxtaposed against the organization’s risk tolerance and willingness to absorb change. Answers to these questions not only help frame the business case for change, they also provide the context for selecting the appropriate modernization approach for a given enterprise.

Educating Executive Leadership

Organizational leaders need to be educated on the cost — both actual and opportunity — and risk of technical debt, including the acute problem of core modernization. Only with this understanding will there be the necessary support and active sponsorship for change.

Future-Proof Target Solutions

Technology is evolving at an increasingly rapid pace. That is a critical design consideration for the target state. Organizations should anticipate that change will continue to be the norm, and build for adaptability. One way to approach this is to break monolithic applications into smaller pieces. Creating services and API architectures is an intelligent approach to enabling agility. This approach may also offer a migration strategy for incrementally addressing technology debt.

Wherever Possible, Break Implementations into Bite-Size Pieces

There is a time and place for Big Bang implementations, but they should be the exception, not the rule. Borrowing from the practices of agile software development, implementations should be frequent and incremental. That provides a number of benefits, including risk management, earlier benefit realization, and the ability to learn and adjust from implementations along the journey. This practice also positions organizations to adapt to change in a world where transformation is no longer a project but a core competency that must be mastered to survive.


Core modernizations are multifaceted, expensive, time-consuming and risk-laden. Organizations should recognize the associated risks — both in addressing and ignoring this acute form of technical debt — and be prepared to mitigate them; what they shouldn’t do is postpone their critical renewal efforts indefinitely because the risks are seen as too great. Continuing to accumulate technical debt by serving outdated core and support systems can grind progress to a halt, stymie innovation and drive business to competitors. Despite the size and difficulty of IT modernization, the strategic risks of operating with an aging core are far greater than the project risks of renewing the core. And recent experience has shown that project risks can be mitigated through careful planning, including the mapping of current capabilities and matching them with a core modernization strategy to achieve desired outcomes.

The consequences of failing to innovate are hardly trivial. The emergence of technology-enabled competitors who, unfettered by legacy technology, are able to develop and deploy new products and services faster and more efficiently threatens to leave behind older, more established companies, and especially those that perennially struggle to build innovation into their IT budgets.
Ed Page

Protiviti’s global IT consulting practice helps CIOs and IT leaders design and implement advanced solutions in IT governance, security, data management, applications and compliance. Protiviti works to address IT security and privacy issues and deploy advanced and customized application and data management structures that not only solve problems but also add value to organizations. Technology will drive your future. With Protiviti, you can be confident it will take you where you want to go.

Protiviti helps companies make the promise of digital transformation a reality. We work collaboratively with you to create a deep understanding of the risks and opportunities presented by emerging technologies and think creatively about how you can use these technologies to improve business performance. Drawing on experts in data and analytics, technology, internal audit, business process, risk, and compliance, we tailor teams of professionals to fit the specific requirements of your transformation program. These professionals work side-by-side with you at any or all stages of a transformation program, delivering confidence that the people, processes and technologies involved converge to create value in the future.

Protiviti’s global financial services team brings a blend of proven experience and fresh thinking through a unique 50/50 mix of homegrown talent combined with former industry professionals, including risk and technology executives, commercial and consumer lenders, compliance professionals, and financial regulators. As a major global consultancy, we have served more than 75 percent of the world’s largest banks and many of the largest and mid-size brokerage and asset management firms, as well as a significant majority of life, property and casualty insurers, solving our clients’ issues across all three lines of defense within the business to meet the challenges of the future today.


Jonathan Wyatt is a Managing Director in London and is responsible for our operations in Europe. Jonathan has almost 30 years’ experience in Technology & Business consulting, helping organisations transform, embrace the latest technologies, whilst managing ...

Samir is a founding member of Protiviti, with over 25 years’ technology consulting experience. He serves as the Global Lead of Protiviti’s Technology Strategy & Architecture segment, which partners with clients to increase the maturity of information ...