Trust the Experts
ISSUE 01 APRIL 2013
The Banking Growth Tsunami Is Coming!!
In the latter half of 2011 a report released by IBA-FICCI-BCG, titled "Being
five-star in productivity--Roadmap for excellence in Indian Banking", predicted
that the Indian banking sector is poised to become the world's third largest in
asset size by year 2025.
Said the report "The domestic banking industry is set for an exponential growth
in the coming years with its assets size poised to touch USD 28,500 billion by
the turn of the 2025 from the current asset size of USD 1,350 billion (2010)".
It further stated that "by 2025, the Chinese banks will have an asset size of over
USD 1,15,000 billion, while that of the US will be around USD 1,00,000 billion."
According to the Boston Consulting Group’s Tripathi, "domestic banks deploy
62 percent of staff in customer-facing roles as against the benchmark of 82
percent observed by BCG globally."
The report stated that "On an average, our banks have about 20 percent of
staff deployed in back office processing (for some banks, as high as 40
percent) as against a global best of 10 percent".
Many experts have also opined that nearly 30% of all banking transactions will
be through mobile phones.
Add to this the geographical and demographic factors, technology
advancements and the advent of cloud based delivery models, and we can
appreciate the scale and complexity of the tasks ahead of banks.
Thus there is tremendous need for our banks to improve their productivity,
efficiency, quality and scale of operations which will help them to grow
substantially.
It is this coming environment that makes all of us, serving the needs of the
BFSI sector, look forward to a very exciting and challenging decade.
The Cloud Messenger
The adoption of the cloud platform has
increased appreciably over the past
couple of years. Improved infrastructure,
wider solutions and provider-
ecosystems along with clear RoI
benefits have been the key drivers.
As the Cloud moves into the
mainstream, its benefits in terms of IT
simplification, consolidation and reduced
operating costs need to be balanced
with security and reliability concerns.
The CIOs and IT teams are already
grappling with these issues, but the new
technologies and paradigms such as the
Cloud and the Mobile space have
brought these considerations under
sharper focus.
Our Newsletter ‘Meghadūta’ - a Sanskrit
term translated as "The Cloud
Messenger" in English - will address the
subjects of IT resilience, Risks and
Security across the financial sector.
These topics will highlight the measures
organizations need to take when
implementing IT systems and more
importantly when moving part of their
systems to the Cloud. More to follow …!
Asvini Kumar
Managing Director
Thinksoft Global Services
Domain Knowledge – The
Performance Edge
Technical knowledge relates to application-technology
platforms whereas domain knowledge relates to the
environment in which the application operates. It reflects
the wherewithal to execute day to day activities to achieve
desired outcomes. Though its importance cuts across all
industries, there are certain aspects that are unique to
testing banking applications.
Unique aspects:
Specific and often unscheduled challenges are posed by:
1. Legacy systems and the complex landscapes in
which they operate.
2. Customer confidentiality requirements and data
exposure.
3. Frequent changes to regulatory requirements that
impact the market.
Challenges for testers:
Legacy Systems: The changing environment and other
‘due-to-market’ and regulatory constraints often lead to a
complex system landscape. The documentation for the
functioning of a legacy system is often located in
different internal locations, if not outside the organization.
It is probable that the requisite documentation could be
misplaced and hard to find. Often, data dependencies are
implemented as batch or online interfaces. Legacy systems
also have issues concerning the manner in which data is
defined, which is perhaps not optimally designed. End-of-day
uploading of market data to determine portfolio values
and resulting ‘mark-to-market’ reports is a case in point.
These are usually processed as a batch apart from
exposing the in-house system to external applications like
Bloomberg or Reuters. This is an extremely crucial area
that impacts P&L reports apart from the settlement of
trades among professional counterparties. It carries a
large amount of reputational risk, and reputation is a prized
virtue in this era of Financial Crisis and Solvency Criteria
assessment.
Testers are often hard pressed to produce realistic test
data that would address the above constraints. They must
know what results the input data would produce, where
it would reside and, in the process, what files would be
modified. In short they should carry with them a mental
map of the information flow within the legacy system.
Testers with holistic domain knowledge will contribute
significantly to obviating this challenge with a process that
ensures the integrity of systems and test data.
Data confidentiality and test data management:
Domain experts will positively impact this aspect where it
is required to generate elements of test data that do not
violate confidentiality requirements. The ideal scenario
would be to run the testing environment with data
procured from production systems. Banking secrecy laws
and internal data protection policies inhibit the process.
Having internal or external testers work with production
data significantly increases the risk of violating “need to
know” internal laws apart from the possible impact of
reputational damage and loss of clients to poaching.
Testers with a grasp of the idiosyncrasies of a domain
would know what experimental samples are to be drawn
from archived data (if available) and what needs to be
masked, instead of running the whole universe.
Another aspect pertains to the access-control for test and
development environments. A domain expert would be
expected to generate and use realistic test data that is in
line with the confidentiality requirements. It should be
infeasible for anyone to even remotely infer the identity of
a client from such dummy or masked test data!
Changing market and regulatory requirements:
Intense competition amongst banking companies to
acquire and retain clients raises new functionalities for
existing IT systems in an ongoing manner. SBI offering “no
breakage charge” for deposits placed for a minimum of 15
days is a recent case in point. Early closure of deposits
previously attracted a penalty. Apart from this, there are
frequent changes in regulatory laws, such as cash ratios and
changes in the import and export permitted for categories
of clients and/or products.
As a consequence, frequent product releases or
changes/upgrades to existing systems are required, often
with multiple testing regimes each year. This
phenomenon affects both banks with their own in-house
IT systems and those that use standard solutions offered
by third parties.
Frequent testing of the system results in cost over-runs for
the client. This is where a domain expert can add value by
estimating “correlations” of changes to existing data
systems and assessing the impact. Those changes that in
the domain expert’s opinion warrant further testing need
alone be executed! Those “assessed” as inconsequential
to the system may be “parked” for a future date or clubbed
with a larger system upgrade. The domain expert thus
brings to the table a cost-effective testing environment
over the application life-cycle.
Thus, the banking environment provides unique
challenges to testers. A multi-disciplinary approach, which
encompasses an industry view of testing, would serve to
overcome some of these challenges with significant
benefits to test-management apart from preserving data
integrity and reliability. In summary, domain knowledge
significantly enhances productivity, addresses technical
and industry specific jargon and enables one to
distinguish between critical and trivial issues thus
contributing to an overall improvement in user interface for
the client.
Prof V. Ravi Kumar
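The masking of production-like data described under "Data confidentiality and test data management" above, as an added example that is not part of the original newsletter: accounts are pseudonymised with a keyed hash so references still join across tables, dates of birth are generalised without changing minor/major status, and a group-size check flags rows that could still single out a client. The records, field names, key, reference date and 18-year threshold are constructed assumptions.

```python
import hashlib
import hmac
from collections import Counter
from datetime import date

# Assumptions for this added example: the key stays with the data owner and is
# never copied into the test environment; AS_OF is a fixed reference date.
MASKING_KEY = b"constructed-demo-key"
AS_OF = date(2013, 4, 1)
ADULT_AGE = 18  # assumed threshold for minor/major status

# Constructed sample rows; no real customer data.
CUSTOMERS = [
    {"account": "100200300401", "name": "A. Rao", "dob": date(1975, 6, 14), "branch": "Chennai", "balance": 152340.50},
    {"account": "100200300402", "name": "S. Iyer", "dob": date(1977, 1, 20), "branch": "Chennai", "balance": 8990.00},
    {"account": "100200300403", "name": "K. Shah", "dob": date(1996, 9, 2), "branch": "Mumbai", "balance": 1200.75},
    {"account": "100200300404", "name": "M. Desai", "dob": date(1997, 2, 11), "branch": "Mumbai", "balance": 640.00},
    {"account": "100200300405", "name": "P. Kulkarni", "dob": date(1994, 11, 30), "branch": "Pune", "balance": 30510.10},
    {"account": "100200300406", "name": "R. Joshi", "dob": date(1994, 1, 5), "branch": "Pune", "balance": 77000.00},
]
TRANSACTIONS = [
    {"account": "100200300401", "amount": -2500.00},
    {"account": "100200300401", "amount": 12000.00},
    {"account": "100200300405", "amount": -800.00},
]


def _digest(value: str) -> bytes:
    # Keyed hash: without the key, pseudonyms cannot be recomputed from guesses.
    return hmac.new(MASKING_KEY, value.encode("utf-8"), hashlib.sha256).digest()


def pseudonymise_account(account: str) -> str:
    """Deterministic, digits-only pseudonym of the same length as the input."""
    number = int.from_bytes(_digest("acct:" + account), "big") % 10 ** len(account)
    return str(number).zfill(len(account))


def pseudonymise_name(name: str) -> str:
    return "CUST-" + _digest("name:" + name).hex()[:10].upper()


def age_on(dob: date, as_of: date = AS_OF) -> int:
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def generalise_dob(dob: date, as_of: date = AS_OF) -> date:
    """Coarsen age to a 5-year band, never moving a client across ADULT_AGE."""
    age = age_on(dob, as_of)
    band = (age // 5) * 5
    if band < ADULT_AGE <= age:
        band = ADULT_AGE  # adults in the 15-19 band stay adults
    return date(as_of.year - band, as_of.month, as_of.day)


def mask_customer(row: dict) -> dict:
    return {
        "account": pseudonymise_account(row["account"]),
        "name": pseudonymise_name(row["name"]),
        "dob": generalise_dob(row["dob"]),
        "branch": row["branch"],                # kept: tests need branch logic
        "balance": round(row["balance"], -3),   # coarsened to the nearest 1000
    }


def mask_dataset(customers, transactions):
    masked_customers = [mask_customer(c) for c in customers]
    # Two accounts sharing a pseudonym would corrupt joins in the test system.
    if len({c["account"] for c in masked_customers}) != len({c["account"] for c in customers}):
        raise ValueError("pseudonym collision; rotate the key and mask again")
    masked_transactions = [
        {"account": pseudonymise_account(t["account"]), "amount": t["amount"]}
        for t in transactions
    ]
    return masked_customers, masked_transactions


def smallest_group(rows, quasi_identifiers=("branch", "dob")) -> int:
    """Size of the rarest quasi-identifier combination; 1 means a unique row."""
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in rows)
    return min(groups.values())


if __name__ == "__main__":
    masked, txns = mask_dataset(CUSTOMERS, TRANSACTIONS)
    for row in masked:
        print(row)
    print("smallest group before/after:", smallest_group(CUSTOMERS), smallest_group(masked))
```

A smallest group of 1 after masking means some row is still unique on branch and date of birth and needs further coarsening before release to testers.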
Information Security In Financial
Systems
The ever increasing penetration of information technology
coupled with rapid advances in analytics and processing
of big-data makes information security across domains,
and financial systems in particular, ever more critical. With
large volumes of data moving around at lightning speeds,
a small glitch anywhere on the way could be catastrophic.
Transactions are put through open counters, ATMs,
mobiles and the Internet by IT savvy customers and also
others having little knowledge of technology, banking or
finance. The source, destination and channels that handle
information need to be impregnable and incorruptible. The
challenges involved in providing adequate protection are
manifold, particularly in an environment where regulators
are different for different markets and institutions and with
the laws of the governing countries being equally diverse
and nuanced, largely falling under the ISO/IEC 27001,
27002 standards, COBIT* and the Sarbanes-Oxley Act.
Systems would crumble if information is not secure
enough in terms of integrity, accuracy, speed and
confidentiality.
Increasingly payments are being routed through IT
networks. Systems such as RTGS*, NEFT* and IMPS*
have emerged as channels for agnostic modes of funds
transfer. Credit and debit card payments are being
encouraged to avoid cash transactions. With smart
phones, wireless communications and virtual wallets
using NFC* technology cashless transactions are
becoming popular. E-commerce has become the order of
the day exposing everyone to all possible risks in
payments and settlements.
Thanks to the initiative of the Reserve Bank Of India (RBI)
with the active involvement of IDRBT and IBA the banking
system in India, which includes non-banking financial
companies has a reasonably secure information
management system that meets ISO 27001 standards. It
is to be continuously improved based on the PDCA*
Deming cycle.
Several initiatives have been taken to ensure the security
of transactions to minimize frauds and irregularities. The
Payment and Settlement system under RBI’s regulation
and supervision has earned credibility for its speed,
accuracy, and integrity thanks to its diligent
implementation using state of the art technology under
the Payment and Settlement Act 2007.
Considering the changing threat milieu and the latest
international standards, in April, 2010 RBI set up a
Working Group on Information Security, Electronic
Banking, Technology Risk Management and Tackling
Cyber Fraud under the Chairmanship of the Executive
Director Shri. G. Gopalakrishna. The Group delved into
various issues arising out of the use of IT in banks and
made its recommendations under nine broad heads; IT
Governance, Information Security, IS Audit, IT
Operations, IT Services Outsourcing, Cyber Fraud,
Business Continuity Planning, Customer Awareness
programmes and Legal issues.
A lot has since been done to secure the information flow
involving top management, IS audit and continuous
updating of technology and with the statutory backing of
IT Act 2000, basically from the service provider’s angle.
Yet, a lot remains to be done from the service taker’s angle
where customers are institutions and individuals. While
institutional customers are able to cope with newer
technologies by upgrading their own technology and skills
and by outsourcing such skills, the same cannot be said of
individual customers barring a few. However, there exist
some serious gaps in security systems. Unless and until
individual customers, many of them half literate, illiterate,
handicapped and very senior citizens, are given
protection, information security measures will fall woefully
short, creating potential chaos and disrupting the entire
financial system.
Some of the sensitive areas relate to threats from inside
the organization, from outsourcing agents with access to
sensitive information, inability of customers to seek quick
remedies once the fraud is reported, reluctance of
authorities and service providers to acknowledge their
lapses and provide relief as the process of seeking
adequate evidence to establish fraud is laborious. All the
more so, as it becomes difficult to trace the trail in IT
systems!
Despite checks and balances, ATMs, phone banking and
Internet banking are susceptible to skimming, phishing
and hacking. Accounts are hacked and amounts siphoned
away. Banking Ombudsmen refuse to interfere in cases of
net banking fraud leaving customers poorer and wary of
technology. Educated customers perhaps have some
ways and means to demand remedies. The same cannot
be said of the illiterate and semiliterate. Many with no
wherewithal to seek remedial action are left in the lurch.
With service providers not taking adequate steps in
educating them and minimizing potential risks the onus
lies with customers and the very identification of fraud is
rendered difficult.
Financial Inclusion under the banking system has been
the accepted policy of the Government of India (GoI) and
the Reserve Bank. There are some obvious challenges
from the information security angle which cannot be
underestimated. Further, the move of the GoI to introduce
a Direct Cash Transfer (DCT) Scheme intended to benefit
the poor and needy running into millions of rupees and
involving millions of people spread across the country
through banks and outsourced agencies using
Information Technology is a formidable task.
The success of the DCT scheme depends on various
parameters like provision of a Unique Identification (UID)
number to each and every beneficiary, having the facilities
for transfer of funds through mobile devices, internet and
other modes through the assistance of business
correspondents, availability of uninterrupted power supply
even in remote places, coordinating with various agencies
under whom the beneficiaries fall etc, without
compromising on the integrity and security of this data.
The four regulators, RBI, SEBI*, IRDA* and the PFRDA*,
have to jointly address the issue of Information Security
and find ways and means to prevent e-frauds. They would
have to seek the help of some of the major IT companies
and communication departments of the Government.
Prevention is always better than cure. Measures to protect
the data at rest and data in motion have to be
strengthened and customers have to be made aware of
the requisite precautions they have to take. The primary
onus of providing security should be with the service
provider.
*COBIT: Control Objectives for Information & Related Technology; a
framework for IT management & IT governance
*RTGS: Real Time Gross Settlement
*NEFT: National Electronic Fund Transfer
*IMPS: Interbank Mobile Payment Service
*PDCA: Plan-Do-Check-Act
*NFC: Near Field Communication
*IDRBT: Institute for Development and Research in Banking Technology
*IBA: Indian Banks Association
*SEBI: Securities and Exchange Board of India
*IRDA: Insurance Regulatory Development Authority
*PFRDA: Provident Fund Regulatory and Development Authority
Dr. T. V. Gopalakrishnan
Consultant
News Bytes
** Liquidity higher than others, round-the-clock and
off-exchange trading, successful self regulation for decades
and insulation from vagaries of equity and fixed-income
markets are intrinsic to FX markets. To preserve these
characteristics and the integrity of FX markets, a pre-emptive
regulatory strike is necessary, say regulators (Intelligent HQ
Business Network, January 12, 2012)
** According to Susan Wachter of Wharton, “a lot is left to the
discretion of regulators and it is not certain regulators would
spot a brewing crisis in time or have the political will to deal
with it.” (Knowledge@Wharton, May 23, 2012)
** Bank regulators are placing renewed emphasis on stress
tests, which under the Dodd-Frank law must be conducted
annually on the largest banks in the country (‘Cloud seen in
Regulators’ Crystal Ball for Banks’, Floyd Norris in NYT
January 01, 2013)
** Avivah Litan, of Gartner, says banking institutions have
failed to address certain risks posed by social media,
including internal risks. Hackers often use social media sites
such as LinkedIn to identify employees who have privileged
access or administrative rights. Once identified, hackers
then target these employees and convince them, through
messages or posts, to provide critical network and/or
network access details, she explains. (Tracy Kitten on ‘Bank
info Security’ on January 24, 2013)
The Risky Business of Banking
The worst consequence of risk that a bank could face is
going out of existence! Every time this happens more
regulations are put in place. Banking business is all about
risk taking. Every banking activity involves management
of risk.
The risks banks face
The core business of a bank is to manage risk and
provide a return to shareholders in line with the accepted
risk profile. The credit crisis and the ensuing global
recession seem to indicate that the banking sector has
failed to tend to its core business. If it had done so
effectively, then credit default swaps would not have been
bought up with so much eagerness. If the banks had
attended to risk management, then there would not have
been a flood in the U.S. market of cheap short-term
interest rate mortgages that led to the so-called housing
bubble and the ultimate wave of personal bankruptcies
and home foreclosures.
The most significant risk factors behind bank failures
are 1: Liquidity risk, 2: Market risk, 3: Credit risk, 4:
Operational risk and 5: Others.
Liquidity risk involves the ability to fund increases in
assets, manage unplanned changes in funding sources
and to meet obligations when required, without incurring
additional costs or inducing a cash flow crisis. In the
context of the other key factors, risk may be defined as
reductions in firm value due to changes in the business
environment. Market risk (Trading risk) is the change in
net asset value due to changes in underlying economic
factors such as interest rates, exchange rates, and equity
and commodity prices. Credit risk is the change in net
asset value due to changes in the perceived ability of
counterparties to meet their contractual obligations.
Operational risk results from costs incurred through
mistakes made in carrying out transactions such as
settlement failures, failures to meet regulatory
requirements, and untimely collections. Performance
risk encompasses losses resulting from the failure to
properly monitor employees or to use appropriate
methods (including "model risk").
What happens when a bank fails?
In the US context:
The bank's main regulator will declare the bank's health as
"unsafe or unsound." If the bank is state-chartered,
the regulator is the state banking supervisor. With a
national bank, it's the U.S. Office of the Comptroller of the
Currency. The regulator will typically find that the bank's
capital, needed to cushion against loan losses, is too low
and the amount of loans in default too high.
The regulator appoints the Federal Deposit Insurance
Corp. as receiver of the bank. This authorizes the FDIC to
seize the bank's offices, vaults and records and sell its
assets. The FDIC markets the failing bank to potential
buyers. Interested buyers submit bids.
FDIC officials and staffers visit the bank, usually on a
Friday after closing. Secrecy is maintained. Bank
employees don't know that a shutdown is happening until
the FDIC staffers arrive. The idea is to prevent a run on
the bank by panicky depositors. The FDIC staffers spend
much of the weekend reviewing the bank's books.
The FDIC announces the bank's closing and in most
cases, the transfer of its deposits and the sale of its loans
and other assets to a healthier bank. By Monday morning,
the bank typically reopens under the acquiring bank's
name. Customers' accounts and deposits are
automatically transferred.
The FDIC uses the proceeds from selling the bank's
assets to cover its liabilities, mainly customer deposits.
The deposit insurance fund covers the rest. Accounts are
insured up to $250,000 per depositor per bank. After the
financial crisis hit, the amount insured was increased
from $100,000 to the present level.
Banks fail primarily because of asset risk. Credit risk and
liquidity risk are highly correlated: significant asset risk
can lead to liquidity problems. Funding liquidity is
important. Sometimes the line that separates credit risk,
market risk, and liquidity risk can be vague, e.g. mortgage
backed securities.
Now, failed banks have asset quality problems because of
1: Poor underwriting standards, 2: Poor risk management
practices and 3: Poor management of the bank.
A question arises: why are asset quality problems not
visible to the bank’s Management/Board?
"If a bank is serious about risk management, then it will
be serious from the top down." Before discussing this
statement in more detail, let’s first look at the events that
precipitated such a statement.
The chain of events that led to the global economic crisis
is outlined in figure 1. The resulting global economic
downturn led to a vicious cycle of companies failing or
downsizing, thus leading to unemployment, which further
reduced demand for goods and services. In addition,
banks across the globe retrenched and in place of the
liberal lending practices credit tightened across the
board. Governments stepped in with fiscal support—the
likes of which has never been seen in modern recorded
history. And now, everyone waits to see what will happen
with this never-before-tried experiment of flooding the
world markets with government money.
Different people like to point fingers at different culprits.
Some experts put the blame on credit default swap
instruments that were sold worldwide with promises of
high returns and low risk. Others blame those who
promoted mortgage access to people who normally
would not qualify for a housing loan. But perhaps the
issue is more fundamental: The banks lost sight of the
requirement to manage risk effectively and, in many
cases, it is questionable if the basics of risk management
were ever put in place.
L Ragavendra
Figure 1
Economic crisis: The timeline and chain of events

July 2007: Mortgage bubble in U.S. real estate market
• U.S. mortgage market bubble bursts
• U.S. home prices continue to decline, affecting construction segment
• Fed raises interest rates to cool the U.S. economy
• Rates on home mortgages increase; refinancing becomes difficult

July - Aug. 2007: Mortgage crisis
• Interest rates rise; borrowers are unable to refinance debt
• Borrowers default on mortgage loans
• Banks stuck in market with declining collateral
• Market mortgage bonds increase
• More banks dispose of assets, reduce liquidity

Aug - Sep 2008: Financial sector crisis
• Mortgage assets are re-evaluated, causing major bankruptcies (Lehman Brothers, Merrill Lynch, Wachovia)
• Stock market collapses
• Major financial institutions file for bankruptcy; a crisis of confidence ensues

Oct 2008: Recession in developed markets
• Funding difficulties force many companies to reduce costs
• Companies cut production and workers
• The real economy falls
• Production and consumption in developed countries decline
• Commodity prices fall

Sep 2008: Liquidity crisis
• International capital markets hit by liquidity crisis
• Loan rates increase
• Financial institutions and corporate borrowers cannot refinance debt
• Interest rates rise
• Major European commercial banks feel the pain

Source: A.T. Kearney analysis
News Bytes
** Capital Adequacy standards not only protect against bad
loans but also protect against operational hazards such as
employee frauds and computer failures (The Economist
20.02.2013)
** The US government has moved to clarify its regulatory
stance on virtual currencies such as Bitcoin, confirming that
while users are not classified as money services businesses
(MSBs) subject to its rules, exchanges and administrators are.
Virtual currencies do not have a legal tender status in any
jurisdiction (FinCen 18.03.2013)
** Since 2010 Britain’s biggest banks – Barclays, Lloyds,
Royal Bank of Scotland, Santander and HSBC – have
collectively set aside about £14bn to cover the cost of
mis-sold payment protection insurance, making it the
costliest consumer scandal in the UK. (FT.Com, Jennifer
Thompson, Risk Management 2013.- March 18, 2013)
** Freddie Mac (FMCC) sues 15 banks over alleged
manipulation of LIBOR that makes the banks look healthy
while jeopardizing FMCC’s mortgage portfolio (Bloomberg
20.03.2013)
Business Risk Assessment - In
Rolling Out Newer Banking
Applications And Services
As long as banks operated in a regulated environment
they were risk averse. Being increasingly exposed to
domestic and international competition they are now
compelled to encounter various types of financial and
non-financial risks. Risks and uncertainties are integral to
life and more so to banking. A Bank as an institution is
based on the foundation of customer confidence, which
requires that it remains resilient to risks by managing
them proactively and robustly.
Driven by an exponential growth in technology and
increases in global financial interlinkages, apart from
credit risk and market risk, banks also face operational
risks. Not to forget the reputational risks which are poised
to overshadow the rest! The main reasons could be
inadequate or failed internal processes, people and
systems, dilution of privacy or external events.
One of the key elements of managing a Bank’s
Operational risks is to ensure risks around implementing
and running its IT systems are managed effectively.
Implementation of any new applications is typically a
costly and risky proposition. Failure of core-system
projects adversely impacts both finances and business
opportunities. Failed projects lead other banks into
delaying their expansion to newer applications as they
assess the potential benefits of a new system against the
risk of failure.
Implementing new banking applications and introducing
newer services such as internet and mobile banking is a
complex task that consumes significant time and
resources. The key to success is to incorporate enough
flexibilities and understandings of the way businesses are
run so as to speedily adapt to unexpected requirements
and surprises along the way.
Software project implementation could encounter
various risks:
• Technical risks include problems with project size,
project functionality, platforms, methods, standards,
or processes. These risks may result from excessive
constraints, lack of experience, poorly defined parameters
or dependencies on organizations outside the direct
control of the project team.
- Take for example the lack of information on
parameters relating to loan interest calculation or
preclosure of term deposits that could cause testing
bottlenecks.
• Management risks include lack of planning, lack of
management experience and training, communications
problems, organizational issues, lack of authority, and
control.
- For example inexperience in project management can
result in lack of continuous monitoring of risks and
re-planning appropriate mitigations in line with the
project progress.
• Financial risks include cash flow bottlenecks, capital/
budgetary issues and return on investment constraints.
• Contractual and legal risks include changing
requirements, market-driven schedules, health & safety
issues, government regulation, and product warranty
issues.
- Not having earlier experienced a particular type of
failure it could be very frustrating to find that, at a
crunch, the product developer is unable to meet the
up-time or mean-time to repair commitments under the
contract.
• Personnel risks include staffing lags, lack of focused
experience, training problems, ethical dilemmas, moral
conflicts, staff conflicts and productivity issues.
- Large and multi country roll-out projects invariably
require multi-cultural teams – both internal and
external. In these cases absence of attention to cultural
sensitization, team building and language translation
requirements can cause significant issues around team
communication and requirements management. These
also lead to increased time for review and acceptance
testing phases.
• Other resource risks include unavailability or late
delivery of equipment & supplies, inadequate tools,
inadequate facilities, distributed locations, unavailability
of computer resources, and slow response times.
The key considerations for a successful modernisation
journey are:
1. Business Requirement Management: Requirements
should be captured and managed centrally, allowing
banks with multi–line business units or other global
bank entities to centralise their requirements and
prevent duplication of development efforts.
- A typical fallout of inadequate or absent requirement
management is scope creep during the UAT phase
of the project. This invariably leads to a lot of rework,
slippages in schedules, increased costs etc.
- At a crunch, during UAT it could be realized that as a
result of casual oversight, a crucial report was
overlooked during the requirement planning phase.
2. Integrated Tooling Workbench: A standard set of
tools and technology will improve control over the
systems development lifecycle process.
3. Design process: To effectively manage the risk of
disruption, time to market and cost to transform,
banks must combine a top-down approach with
the traditional bottom-up approach to legacy
modernisation.
4. Build versus Buy: When deciding whether to build or
buy, banks should consider the fit between business
requirements and the available functionality in
packaged solutions. They should also consider the
effort required to customize a generic package or to
streamline and redeploy existing functionality.
5. Proof of concept: To validate the transformation
objectives, the bank should conduct a controlled
Proof of Concept (PoC) with its chosen design
principles and integrated tooling. The scope of the
POC should completely mirror all the elements that
will be faced during the full execution.
- Without the PoC, the bank may end up implementing
an application that does not meet its core requirements.
The bank may be expecting a Transaction Banking
System, but the application’s operational efficiency may
lie in Retail Banking.
- Assumptions based on the halo around the developer
could be woefully off the mark, resulting in severe cost
and time overruns.
6. Go live Planning: As modernisation is progressed
and new systems evolve, the old legacy systems
have to be decommissioned for the full benefit of the
cost to be realized. A decommissioning strategy
should therefore be defined at the outset of the
modernisation journey.
7. Testing and data migration: In most transformation
efforts, testing consumes significant resources, effort
and budget. Investing in a testing strategy and using
industrial–strength testing processes and facilities
can cut costs and reduce lag times in development
and deployment.
- A proper data migration strategy helps in mapping the
existing legacy data with the appropriate data field &
type in the new system. The ‘date of birth’ may be
maintained as a data field (instead of date field) in the
legacy system. An incorrect mapping of this in the new
system will create issues in validation of key
requirements like status (major or minor) of the client.
8. Managing change: To ensure that risk is adequately
managed, banks need to invest time and resources
in robust change management. Change will result not
only from the effect of modernisation programs, but
also from business-as-usual initiatives that have to
be accommodated within the transformation journey.
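The date-of-birth mapping problem from item 7, as an added Python example (not from the newsletter or any Thinksoft tooling): it converts a legacy text field to a typed date, rejects values that cannot be mapped, and shows how reading the same text with the wrong day/month order flips a client's major/minor status. The field names, the DD/MM/YYYY legacy format, the age of majority of 18 and the sample rows are assumptions made for the example.

```python
from datetime import date, datetime

LEGACY_DOB_FORMAT = "%d/%m/%Y"  # assumption: legacy text field holds DD/MM/YYYY
AGE_OF_MAJORITY = 18            # assumption for this example


def client_status(dob, as_of):
    """Return 'major' or 'minor' from completed years of age on as_of."""
    years = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    if years < 0:
        raise ValueError("date of birth is in the future")
    return "major" if years >= AGE_OF_MAJORITY else "minor"


def migrate(records, as_of, fmt=LEGACY_DOB_FORMAT):
    """Map legacy text rows to typed rows; unparseable rows go to a reject list."""
    migrated, rejected = {}, {}
    for rec in records:
        try:
            dob = datetime.strptime(rec["dob_text"].strip(), fmt).date()
            migrated[rec["client_id"]] = (dob, client_status(dob, as_of))
        except ValueError as exc:
            rejected[rec["client_id"]] = str(exc)
    return migrated, rejected


def status_flips(records, as_of, wrong_fmt):
    """Client ids whose major/minor status changes if wrong_fmt is used instead."""
    good, _ = migrate(records, as_of)
    bad, _ = migrate(records, as_of, wrong_fmt)
    return sorted(c for c in good if c in bad and good[c][1] != bad[c][1])


# Constructed sample rows (not real customer data).
LEGACY_ROWS = [
    {"client_id": "C001", "dob_text": "05/03/1995"},   # 5 Mar 1995
    {"client_id": "C002", "dob_text": "03/04/1995"},   # 3 Apr 1995
    {"client_id": "C003", "dob_text": "31/02/1990"},   # impossible date
    {"client_id": "C004", "dob_text": "N/A"},          # placeholder text
    {"client_id": "C005", "dob_text": "25/12/1999 "},  # trailing space
]
AS_OF = date(2013, 4, 1)  # constructed cut-over date

if __name__ == "__main__":
    ok, bad = migrate(LEGACY_ROWS, AS_OF)
    print("migrated:", ok)
    print("rejected:", bad)
    print("flipped under MM/DD:", status_flips(LEGACY_ROWS, AS_OF, "%m/%d/%Y"))
```

Rows that land in the reject list need a data-quality decision before cut-over; the flipped rows are the ones a wrong mapping would migrate without any error at all.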
News Bytes
** 25 years ago in Germany, derivatives trading was classed in
the same regulatory category as gambling, but with the added
disadvantage that a losing trader could ask for his money back
if a trade went the wrong way. (Finextra March 22, 2013: ‘25
years of German Exchange’ by Chris Pickles)
** SEBI introduces standardized labeling system to help
investors understand the risk profile of the Fund (ET Business
25.03.2013)
** Laiki bank, the country’s second largest bank, to be
gradually dissolved as part of the $ 13 billion bailout
package for Cyprus. Good assets to be absorbed by the
Bank of Cyprus. Raises issues of systemic risk for large
Russian investors (Reuters & ET 26.03.2013)
** The World Bank is ready to work closely with the BRICS
Development Bank to end poverty throughout the
developing world. (The Hindu March 27, 2013)
Arun Ramamoorthy
Practice Lead - Banking Practice,
Thinksoft Global Services
De-risking Financial Systems -
Through Knowledge And
Experience
It takes a great degree of expertise to understand the
complex business flows and the logic of numerous
business decisions that are implemented across financial
institutions. This is taken as a given but, with the increase
in internet facing and mobile based systems, the
requirements to change a financial institution’s core
systems are increasing. Changing such systems with
zero defects and high availability is indeed a big
challenge.
Greater is the challenge for IT departments to sync with
the rate of change in technology. This requires the
recruitment of talented and experienced technicians,
while also ensuring that there is enough expertise to
ensure that the changes implemented match requisite
business needs.
These issues were well illustrated last summer when the
American investment firm ‘Knight Capital’ lost over $450
million in trying to keep up with changes in high frequency
trading.
The issue they faced involved trading 150 stocks during a
45 minute period. The stocks were being ordered as
buy-high and sell-low when in fact it was meant to be the
other way around. As a result ‘Knight Capital’ saw a 75
percent loss of the share value during the 48 hours that
followed, forcing the firm to seek emergency funding.
Ten years earlier, Knight Capital experienced a similar
fault with their trading systems. Fortunately, on that
occasion, the speed of the processes that were creating
losses was not so high and that enabled the regulators to
benignly cancel all the trades impacted by such errors.
This time, however, the regulators chose not to follow that
decision because they viewed the error as being an
example of incompetence.
Being a recurrence of an earlier fault, how come Knight
Capital didn’t have it battened down and sorted out? The
answer is complex and lies with the business knowledge
required to minimize systems risks, as much as the
programming knowledge needed to implement high
frequency algorithms. In this case it was clear that the
system teams did not recognize the impact the issue
would have on the business – they misjudged both the
impact (in terms of losses) and the response under a
changed regulatory environment.
Systems are only as good as the people who program
them and a majority of people who program them are
often technicians. The technicians will work to business
specifications and interpret them into programmable
workflows and processes. They are susceptible to
interpreting a business logic based on an incomplete or
incorrect specification. Business knowledge is crucial to
verify the specifications and possible system defects due
to incompleteness or errors. Furthermore, it can help
anticipate likely operational risks that identified defects
can cause – i.e. the business criticality of defects – that
requires attention and urgency. Therefore, domain-aware
team members are required to visualize all the likely
failure scenarios and prioritize them by likely business
risks so that those with most impact can be addressed
immediately, with required resources.
Our experience over the years in testing financial
systems suggests that by getting business specifications
validated earlier by domain experts the likelihood of
critical flaws creeping into the systems at the time of
‘Going-live’ is significantly reduced.
Even with the need for a domain-aware unit within the
project team being recognized, an important question still
remains: where should such expertise reside, and how
can this unit be optimally built and utilized within a project
team?
Conclusion:
With ever-increasing complexity and increasing demand
for bigger, better and faster, the software industry is a
high risk business. When teams don't manage risk, they
leave projects vulnerable to factors that can cause major
rework; major cost or schedule overruns, or complete
project failure. Adopting a Software Risk Management
Program is a step every software manager can take to
more effectively manage software development
initiatives. Risk management is an ongoing process that
is implemented as part of the initial project planning
activities and utilized throughout all of the phases of the
software development lifecycle. Risk management
requires a fear-free environment where risks can be
identified and discussed openly. Based on a positive,
proactive approach, risk management can greatly reduce
or even eliminate the need for crisis management in
expanding to newer banking applications and services.
There are a few options that we could evaluate:
a) Expand the Business Analyst team – while some
members write business specifications, the rest will
verify. How is one to decide, who will do what? Even
though the expanded BA team allows for domain
experts verifying the specification – it could
compromise the key requirement of verification-skills
and the need for them to be operating independently.
b) Create a separate unit of ‘Business Specification’
verifiers: While this unit can be created with domain
experts who have the required verification skills, they
would be one more entity to be managed – leading to
a need for greater coordination, further splits in
responsibilities and a strong likelihood of an
overall increase in effort. It is certainly not a cost
effective option, even if it meets the need for
independence.
c) Early involvement of a domain-aware testing
team: The team (as a unit) would need to get involved
at the business-specifications stage itself. This is
feasible only if the team has the necessary domain
expertise to verify specifications. This could be
optimal as it allows for better streamlined
coordination across the project - compared to the
other two options and makes the testing team
responsible for quality throughout the lifecycle
thereby strengthening project governance. It allows
for greater re-use of scripts across various stages of
testing. All in all, organizations can optimize their
testing costs by as much as 40%.
With financial authorities seriously reviewing the plan to
introduce “capital requirements” in banks to cover
operational risks (in addition to those for trading and
credit risks), the impact of systemic issues will no more
stay within the IT domain, but extend to a financial
institution’s business model.
In conclusion, the greatest challenge for any firm is to get
the business and technology arms of the organisation
working in unison; factoring in the geographic spread and
frequency of technology updates. The testing process is
the key to de-risking system changes. It is the one area
that the business and technology teams have to get right
by making testing a continuum and not just a passing
phase or a one-shot activity.
With the likely tightening of regulatory requirements to
manage operational risks, ensuring that systems go live
first time right without causing any disruption is not only a
CIO responsibility, but a matter for the Board. With a
domain-aware testing team involved from the start,
organizations can drastically reduce their “cost per defect”
and significantly reduce the operational risks caused by
system failures.
Anand Vyas
Vice President – Sales, UK & Europe
Thinksoft Global Services
Export Excellence Award 2011-2012
Thinksoft was awarded the Export
Excellence award for the highest growth in
exports among IT/ITES units. The 19th
edition of the award organized by the Madras
Export Processing Zone (MEPZ) was
presented by Madhusudan Prasad,
the Additional Secretary Ministry of
Commerce on the 22nd of March
2013. Vanaja Arvind, Executive
Director, Thinksoft, received the
award on behalf of the management
of Thinksoft.
Thinksoft in Media
Asvini Kumar, MD, Thinksoft Global Services
talks about the BFSI sector and the future plans
of the company in his interview with CNBC TV18.
Contributing Authors
T.V. Gopalakrishnan PhD. An Associate of the Indian Institute of Banking
and Finance and an erstwhile officer-in-charge of the Financial Action Task Force
attached to the Ministry of Finance, Govt of India.
V. Ravi Kumar; Professor of Finance. A mathematician by qualification, with
over 30 years in Banking and Financial Markets cutting across Sales, Trading,
Asset-Liability Management and Risk Management of Financial and Money
Market instruments!
L. Raghavendra An independent banking-technology consultant specializing
in business strategy, product development, regulatory changes and technology
adoption.
Quiz:
1. During 2012, which one of the following countries had a current account surplus; Australia,
France, Ireland, Italy, Portugal?
2. Which one amongst the five would you associate with the discovery of the theory of probability, the
mathematical heart of the theory of risk; Albert Einstein, Benjamin Franklin, Blaise Pascal,
Leonardo da Vinci, Nicholas Bernoulli?
3. What was the approximate per capita income in India during 2012-13; Rs 3400, Rs 5700, Rs 6900, Rs 9400?
4. From which of the following words is the word ‘Bank’ derived; Basket, Barn, Bench, Bureau?
5. In 2010, how many times larger was the GDP of USA compared to that of India; 6 or 8 or 10, or 12?
6. According to investment bankers, over the next decade, growth of infrastructure as a major growth-driver of the
region, especially Qatar would be linked to Corporate Summits, Manufacturing, Motor Racing or Soccer?
7. Which one of the following factors could be seen as a major contributor to the success of the mobile wallet
M-Pesa in Kenya; Low charges, Easy convertibility, Ease of recharge or Easy credit?
Please click here http://www.thinksoftglobal.com/meghaduta/apr13.php to take the quiz
Note: Register and tick or enter the answer in the assigned box. Seven entries with best responses will be chosen as per a lottery
draw and USD 100 will be donated to the chosen charity of each winner. Last date for responses - 30th June, 2013. Winners
will be communicated by email and their names published in the next issue.
Disclaimer: All the documentation and other material contained herein is the property of Thinksoft Global Services and all intellectual property rights in and to the same are owned by Thinksoft Global Services. You
shall not, unless previously authorized by Thinksoft Global Services in writing, copy, reproduce, market, license, lease or in any other way, dispose of, or utilize for profit, or exercise any ownership rights over the same.
In no event, unless required by applicable law or agreed to in writing, shall Thinksoft Global Services, or any person be liable for any loss, expense or damage, of any type or nature arising out of the use of, or inability
to use any material contained herein. Any such material is provided “as is”, without warranty of any type or nature, either express or implied. All names, logos are used for identification purposes only and are trademarks
or registered trademarks of their respective companies.
For more details visit, www.thinksoftglobal.com
India Parent Company
India
Thinksoft Global Services Ltd
HO: 6A, Sixth Floor, prince Infocity II,
No.283/3 & 283/4, Rajiv Gandhi
Salai(OMR), Kandanchavadi,
Chennai-600096
Tel: +91 44 4392 3200,
Fax: +91 44 4392 3241
Unit - Plot No. B-17, 2nd Main Road,
Phase II, MEPZ, SEZ, Tambaram,
Chennai-600045
511 & 512, Prestige Meridian I,
No: 29-30, M.G. Road,
Bangalore-560001
Citi Point, Unit Nos: B-601,
B-602 & B-603, 6th Floor,
Andheri - Kurla Road, Andheri East,
Mumbai-400059
Tel: +91 22 4015 8660 / 61 / 62,
Fax: +91 22 4015 8663
Branches:
UK
Thinksoft Global Services Ltd
26-28 Hammersmith Grove, London,
W6 7BA
Tel: +44 (0) 208 834 1086
Fax: +44 (0) 208 834 1102
Belgium
Thinksoft Global Services Ltd
Romeinsesteenweg 1022, 1780
Wemmel, Belgium.
Australia
Thinksoft Global Services Ltd
22 Mans field way, Kellyville, NSW, 2155,
Australia
Tel: +61 424 981 458,
E: sanjay.b@thinksoftglobal.com
Hong Kong
Thinksoft Global Services Ltd
Units 3401-2, 34th Floor, AIA Towers, 183
Electric Road, North Point, Hong Kong.
Cyprus
Thinksoft Global Services Ltd
229, Arch. Makarios III Avenue
Meliza Court, 4th Floor P.C. 3105
Limassol, Cyprus
Malaysia
Thinksoft Global Services Ltd
Level 33, Menara 1 MK,
Kompleks 1 Mont Kiara, No.1, Jalan
Kiara, Mont Kiara, 50480 Kuala Lumpur.
Subsidiaries:
Singapore
Thinksoft Global Services Pte Ltd
1. North Bridge Road, 19-04/05, High
Street Centre,
Singapore 179 094
Tel: 65 67200724, Fax: 65 67200725
USA
Thinksoft Global Services Inc
No. 38, 3rd Floor, Stark Business Suites,
500, Mamaroneck Avenue, Suite 320,
Harrison, NY 10528
Tel: 914 428 0500, Fax: 914 428 4001
UK
Thinksoft Global Services UK Ltd
26-28 Hammersmith Grove,
London, W6 7BA
Tel: +44 (0) 208 834 1086
Fax: +44 (0) 208 834 1102
Dubai
Thinksoft Global Services FZE
PO Box No.82840,
Dubai
T H I N K S O F T G R O U P