Meghaduta - Thinksoft Newsletter (July'13)

T r u s t t h e E x p e r t s

ISSUE 01 APRIL 2013

The Banking Growth Tsunami Is Coming!!

In the latter half of 2011 a report released by IBA-FICCI-BCG, titled "Being five-star in productivity--Roadmap for excellence in Indian Banking“ predicted that the Indian banking sector is poised to become the world's third largest in asset size by year 2025.

Said the report "The domestic banking industry is set for an exponential growth in the coming years with its assets size poised to touch USD 28,500 billion by the turn of the 2025 from the current asset size of USD 1,350 billion (2010)".

It further stated that “by 2025, the Chinese banks will have an asset size of over USD 1,15,000 billion, while that of the US will be around USD 1,00,000 billion.

According to the Boston Consulting Group’s Tripathi "domestic banks deploy 62 percent of staff in customer-facing roles as against the benchmark of 82 percent observed by BCG globally,"

The report stated that "On an average, our banks have about 20 percent of staff deployed in back office processing (for some banks, as high as 40 percent) as against a global best of 10 percent".

Many experts have also opined that nearly 30 % of all banking transactions will be through mobile phones.

Add to this the geographical and demographic factors, technology advancements and the advent of cloud based delivery models, and we can appreciate the scale and complexity of the tasks ahead of banks.

Thus there is tremendous need for our banks to improve their productivity, efficiency, quality and scale of operations which will help them to grow substantially.

It is this coming environment that makes all of us, serving the needs of the BFSI sector, look forward to a very exciting and challenging decade.

The Cloud Messenger

The adoption of the cloud platform has increased appreciably over the past couple of years. Improved infrastructure, wider solutions and provider- ecosystems along with clear RoI benefits have been the key drivers.

As the Cloud moves into the mainstream, its benefits in terms of IT simplification, consolidation and reduced operating costs need to be balanced with security and reliability concerns. The CIOs and IT teams are already grappling with these issues, but the new technologies and paradigms such as the Cloud and the Mobile space have brought these considerations under sharper focus.

Our Newsletter ‘Meghadūta’ - a Sanskrit term translated as "The Cloud Messenger" in English - will address the subjects of IT resilience, Risks and Security across the financial sector. These topics will highlight the measures organizations need to take when implementing IT systems and more importantly when moving part of their systems to the Cloud. More to follow …!

Asvini Kumar Managing DirectorThinksoft Global Services

Meghadūta ISSUE 01 APRIL 2013 2


modified. In short they should carry with them a mental map of the information flow within the legacy system. Testers with holistic domain knowledge will contribute significantly to obviating this challenge with a process that ensures the integrity of systems and test data.

Data confidentiality and test data management: Domain experts will positively impact this aspect where it is required to generate elements of test data that do not violate confidentiality requirements. The ideal scenario would be to run the testing environment with data procured from production systems. Banking secrecy laws and internal data protection policies inhibit the process. Having internal or external testers work with production data significantly increases the risk of violating “need to know” internal laws apart from the possible impact of reputational damage and loss of clients to poaching. Testers with a grasp of the idiosyncrasies of a domain would know what experimental samples are to be drawn from archived data (if available) and what needs to be masked, instead of running the whole universe.

Another aspect pertains to the access-control for test and development environments. A domain expert would be expected to generate and use realistic test data that is in line with the confidentiality requirements. It should be infeasible for anyone to even remotely infer the identity of a client from such dummy or masked test data!

Changing market and regulatory requirements: Intense competition amongst banking companies to acquire and retain clients raises new functionalities for existing IT systems in an ongoing manner. SBI offering “no breakage charge” for deposits placed for a minimum of 15 days is a recent case in point. Early closure of deposits earlier attracted a penalty. Apart from this, there are frequent changes in regulatory laws i.e. cash ratios and changes in the import and export permitted for categories of clients and or products.

As a consequence frequent product releases or changes/upgrades to existing systems often requiring multiple testing regimes, each year, are required. This phenomenon affects both banks with their own in-house IT systems and those that use standard solutions offered by third parties.

Frequent testing of the system results in cost over-runs for the client. This is where a domain expert can add value by estimating “correlations” of changes to existing data systems and assessing the impact. Those changes that in the domain expert’s opinion warrant further testing need

Domain Knowledge – The Performance Edge

Technical knowledge relates to application-technology platforms whereas domain knowledge relates to the environment in which the application operates. It reflects the wherewithal to execute day to day activities to achieve desired outcomes. Though its importance cuts across all industries, there are certain aspects that are unique to testing banking applications

Unique aspects:

Specific and often unscheduled challenges are posed by:

1. Legacy systems and the complex landscapes in which they operate.

2. Customer confidentiality requirements and data exposure.

3. Frequent changes to regulatory requirements that impact the market.

Challenges for testers:

Legacy Systems: The changing environment and other due-to-market’ and regulatory constraints often lead to a complex system landscape. The documentation for the functioning of a legacy system is often usually located in different internal locations, if not outside the organization. It is probable that the requisite documentation could be misplaced and hard to find. Often, data dependencies are implemented as batch or online interfaces. They also have issues concerning the manner in which data is defined and is perhaps not optimally designed. End-of-day uploading of market data to determine portfolio values and resulting ‘mark-to-market’ reports is a case in point. These are usually processed as a batch apart from exposing the in-house system to external applications like Bloomberg or Reuters. This is an extremely crucial area that impacts P&L reports apart from the settlement of trades among professional counterparties. It carries a large amount of reputational risk, which is a prized virtue in this era of Financial Crisis and Solvency Criteria assessment.

Testers are often hard pressed to produce realistic test data that would address the above constraints. They must know what results the input data would produce, where all it would reside and in the process, what files would be



alone be executed! Those “assessed” as inconsequential to the system may be “parked” for a future date or clubbed with a larger system upgrade. The domain expert thus brings to the table a cost-effective testing environment over the application life-cycle.

Thus, the banking environment provides unique challenges to testers. A multi-disciplinary approach, which encompasses an industry view of testing, would serve to overcome some of these challenges with significant benefits to test-management apart from preserving data integrity and reliability. In summary, domain knowledge significantly enhances productivity, addresses technical and industry specific jargon and enables one to distinguish between critical and trivial issues thus contributing to an overall improvement in user interface for the client.

Prof V. Ravi Kumar

Information Security In Financial Systems

The ever increasing penetration of information technology coupled with rapid advances in analytics and processing of big-data makes information security across domains and financial systems in particular, ever more critical. With large volumes of data moving around at lightening speeds a small glitch anywhere on the way could be catastrophic.

Transactions are put through open counters, ATMs, mobiles and the Internet by IT savvy customers and also others having little knowledge of technology, banking or finance. The source, destination and channels that handle information need to be impregnable and incorruptible. The challenges involved in providing adequate protection are manifold, particularly in an environment where regulators are different for different markets and institutions and with the laws of the governing countries being equally diverse and nuanced, largely falling under the ISO/IEC 27001, 27002 standards, COBIT* and the Sarbanes-Oxley Act. Systems would crumble if information is not secure enough in terms of integrity, accuracy, speed and confidentiality.

Increasingly payments are being routed through IT networks. Systems such as RTGS*, NEFT* and IMPS* have emerged as channels for agnostic modes of funds transfer. Credit and debit card payments are being

encouraged to avoid cash transactions. With smart phones, wireless communications and virtual wallets using NFC* technology cashless transactions are becoming popular. E-commerce has become the order of the day exposing everyone to all possible risks in payments and settlements.

Thanks to the initiative of the Reserve Bank Of India (RBI) with the active involvement of IDRBT and IBA the banking system in India, which includes non-banking financial companies has a reasonably secure information management system that meets ISO 27001 standards. It is to be continuously improved based on the PDCA* Deming cycle.

Several initiatives have been taken to ensure the security of transactions to minimize frauds and irregularities. The Payment and Settlement system under RBI’s regulation and supervision has earned credibility for its speed, accuracy, and integrity thanks to its diligent implementation using state of the art technology under the Payment and Settlement Act 2007.

Considering the changing threat milieu and the latest international standards, in April, 2010 RBI set up a Working Group on Information Security, Electronic Banking, Technology Risk Management and Tackling Cyber Fraud under the Chairmanship of the Executive Director Shri. G. Gopalakrishna. The Group delved into various issues arising out of the use of IT in banks and made its recommendations under nine broad heads; IT Governance, Information Security, IS Audit, IT Operations, IT Services Outsourcing, Cyber Fraud, Business Continuity Planning, Customer Awareness programmes and Legal issues.

A lot has since been done to secure the information flow involving top management, IS audit and continuous updating of technology and with the statutory backing of IT Act 2000, basically from the service provider’s angle. Yet, a lot remains to be done from the service takers angle where customers are institutions and individuals. While institutional customers are able to cope with newer technologies by upgrading their own technology and skills and by outsourcing such skills, the same cannot be said of individual customers barring a few. However, there exist some serious gaps in security systems. Unless and until individual customers; many of them half literate, illiterate, handicapped and very senior citizens are given protection, information security measures will fall woefully short, creating potential chaos and disrupting the entire financial system.



Some of the sensitive areas relate to threats from inside the organization, from outsourcing agents with access to sensitive information, inability of customers to seek quick remedies once the fraud is reported, reluctance of authorities and service providers to acknowledge their lapses and provide relief as the process of seeking adequate evidence to establish fraud is laborious. All the more so, as it becomes difficult to trace the trail in IT systems!

Despite checks and balances, ATMs, phone banking and Internet banking are susceptible to skimming, phishing and hacking. Accounts are hacked and amounts siphoned away. Banking Ombudsmen refuse to interfere in cases of net banking fraud leaving customers poorer and wary of technology. Educated customers perhaps have some ways and means to demand remedies. The same cannot be said of the illiterate and semiliterate. Many with no wherewithal to seek remedial action are left in the lurch. With service providers not taking adequate steps in educating them and minimizing potential risks the onus lies with customers and the very identification of fraud is rendered difficult.

Financial Inclusion under the banking system has been the accepted policy of the Government of India (GoI) and the Reserve Bank. There are some obvious challenges from the information security angle which cannot be underestimated. Further, the move of the GoI to introduce a Direct Cash Transfer (DCT) Scheme intended to benefit the poor and needy running into millions of rupees and involving millions of people spread across the country through banks and outsourced agencies using Information Technology is a formidable task.

The success of the DCT scheme depends on various parameters like provision of a Unique Identification (UID)

number to each and every beneficiary, having the facilities for transfer of funds through mobile devices, internet and other modes through the assistance of business correspondents, availability of uninterrupted power supply even in remote places, coordinating with various agencies under whom the beneficiaries fall etc, without compromising on the integrity and security of this data.

The four regulators; RBI, SEBI*, IRDA* and the PFRDA* have to jointly address the issue of Information Security and find ways and means to prevent e-frauds. They would have to seek the help of some the major IT companies and communication departments of the Government. Prevention is always better than cure. Measures to protect the data at rest and data in motion have to be strengthened and customers have to be made aware of the requisite precautions they have to take. The primary onus of providing security should be with the service provider.

*COBIT: Control Objectives for Information & Related Technology; a

framework for IT management & IT governance

*RTGS: Real Time Gross Settlement

*NEFT: National Electronic Fund Transfer

*IMPS: Interbank Mobile Payment Service

*PDCA: Plan-Do-Check-Act

*NFC: Near Field Communication

*IDRBT: Institute for Development and Research in Banking Technology

*IBA: Indian Banks Association

*SEBI: Securities and Exchange Board of India

*IRDA: Insurance Regulatory Development Authority

*PFRDA: Provident Fund Regulatory and Development Authority

Dr. T. V. Gopalakrishnan Consultant

News Bytes** Liquidity higher than others, round-the-clock and off-exchange trading, successful self regulation for decades and insulation from vagaries of equity and fixed-income markets are intrinsic to FX markets. To preserve these characteristics and the integrity of FX markets, a pre-emptive regulatory strike, is necessary say regulators (Intelligent HQ Business Network, January 12, 2012

** According to Susan Wachter of Wharton “a lot is left to the discretion of regulators and it is not certain regulators would spot a brewing crisis in time or have the political will to deal with it. (Knowledge@Warton May 23, 2012)

** Bank regulators are placing renewed emphasis on stress

tests, which under the Dodd-Frank law must be conducted annually on the largest banks in the country (‘Cloud seen in Regulators’ Crystal Ball for Banks’, Floyd Norris in NYT January 01, 2013)

**Avivah Litan, of Gartner, says banking institutions have failed to address certain risks posed by social media, including internal risks. Hackers often use social media sites such as LinkedIn to identify employees who have privileged access or administrative rights. Once identified, hackers then target these employees and convince them, through messages or posts, to provide critical network and/or network access details, she explains. (Tracy Kitten on ‘Bank info Security’ on January 24, 2013)



The Risky Business of Banking The worst consequence of risk that a bank could face is going out of existence! Every time this happens more regulations are put in place. Banking business is all about risk taking. Every banking activity involves management of risk.

The risks banks faceThe core business of a bank is to manage risk and provide a return to shareholders in line with the accepted risk profile. The credit crisis and the ensuing global recession seem to indicate that the banking sector has failed to tend to its core business. If it had done so effectively, then credit default swaps would not have been bought up with so much eagerness. If the banks had attended to risk management, then there would not have been a flood in the U.S. market of cheap short-term interest rate mortgages that led to the so-called housing bubble and the ultimate wave of personal bankruptcies and home foreclosures.

The most significant risk factors behind bank failures are 1: Liquidity risk, 2: Market risk, 3: Credit risk, 4: Operational risk and 5: Others.

Liquidity risk involves the ability to fund increases in assets, manage unplanned changes in funding sources and to meet obligations when required, without incurring additional costs or inducing a cash flow crisis. In the context of the other key factors, risk may be defined as reductions in firm value due to changes in the business environment. Market risk (Trading risk) is the change in net asset value due to changes in underlying economic factors such as interest rates, exchange rates, and equity and commodity prices. Credit risk is the change in net asset value due to changes in the perceived ability of counterparties to meet their contractual obligations. Operational risk results from costs incurred through mistakes made in carrying out transactions such as settlement failures, failures to meet regulatory requirements, and untimely collections. Performance risk encompasses losses resulting from the failure to properly monitor employees or to use appropriate methods (including "model risk").

What happens when a bank fails?

In the US context: -

The bank's main regulator will declare bank's health as "unsafe or unsound." If the bank is state-chartered,

the regulator is the state banking supervisor. With a national bank, it's the U.S. Office of the Comptroller of the Currency. The regulator will typically find that the bank's capital, needed to cushion against loan losses, is too low and the amount of loans in default too high. The regulator appoints the Federal Deposit Insurance Corp. as receiver of the bank. This authorizes the FDIC to seize the bank's offices, vaults and records and sell its assets. The FDIC markets the failing bank to potential buyers. Interested buyers submit bids.

FDIC officials and staffers visit the bank, usually on a Friday after closing. Secrecy is maintained. Bank employees don't know that a shutdown is happening until the FDIC staffers arrive. The idea is to prevent a run on the bank by panicky depositors. The FDIC staffers spend much of the weekend reviewing the bank's books.

The FDIC announces the bank's closing and in most cases, the transfer of its deposits and the sale of its loans and other assets to a healthier bank. By Monday morning, the bank typically reopens under the acquiring bank's name. Customers' accounts and deposits are automatically transferred.

The FDIC uses the proceeds from selling the bank's assets to cover its liabilities, mainly customer deposits. The deposit insurance fund covers the rest. Accounts are insured up to $250,000 per depositor per bank. After the financial crisis hit, the amount insured was increased from $100,000 to the present level.

Banks fail primarily because of asset risk. Credit risk and liquidity risk are highly correlated: significant asset risk can lead to liquidity problems. Funding liquidity is important. Sometimes the line that separates credit risk, market risk, and liquidity risk can be vague, e.g. mortgage backed securities.

Now failed banks have asset quality problems because of 1: Poor underwriting standards 2: Poor risk management practices and 3: Poor management of the bank

A question arises why asset quality problems are not visible to bank’s Management/Board?

"If a bank is serious about risk management, then it will be serious from the top down” Before discussing this statement in more detail, let’s first look at the events that precipitated such a statement.



The chain of events that led to the global economic crisis is outlined in figure 1. The resulting global economic downturn led to a vicious cycle of companies failing or downsizing, thus leading to unemployment, which further reduced demand for goods and services. In addition, banks across the globe retrenched and in place of the liberal lending practices credit tightened across the board. Governments stepped in with fiscal support—the likes of which has never been seen in modern recorded history. And now, everyone waits to see what will happen with this never-before-tried experiment of flooding the world markets with government money. L Ragavendra

Different people like to point fingers at different culprits. Some experts put the blame on credit default swap instruments that were sold worldwide with promises of high returns and low risk. Others blame those who promoted mortgage access to people who normally would not qualify for a housing loan. But perhaps the issue is more fundamental: The banks lost sight of the requirement to manage risk effectively and, in many cases; it is questionable if the basics of risk management were ever put in place.

Source: A.T. Kearney analysis

Figure 1Economic crisis: The timeline and chain of events

July 2007

Mortgage bubble in U.S. real estate market

• U.S. mortgage market bubble bursts

• U.S. home prices continue to decline,affecting construction segment

• Fed raises interest rates to cool the U.S. economy

• Rates on home mortgages increase refinancing becomes difficult

July - Aug. 2007

Mortgage crisis

• Interest rates rise; borrowers are unable to refinance debt

• Borrowers default on mortgage loans

• Banks stuck in market with declining collateral

• Market mortgage bonds increase

• More banks dispose of assets, reduce liquidity

Aug - Sep - 2008

Financial sector crisis

• Mortgage assets are re-evaluated, causing major bankruptcies (Lehman Brothers, Merrill Lynch, Wachovia)

• Stock market collapses

• Major financial institutions file for bankruptcy; a crisis of confidence ensues

Oct - 2008

Recession in developed markets

• Funding difficulties force many companies to reduce costs

• Companies cut production and workers

• The real economy falls

• Production and consumption in developed countries decline

• Commodity prices fall

Sep - 2008

Liquidity crisis

• International capital markets hit by liquidity crisis

• Loan rates increase

• Financial institutions and corporate borrowers cannot refinance debt

• Interest rates rise

• Major European commercial banks feel the pain

** Capital Adequacy standards not only protects against bad loans but also protects against operational hazards such as employee frauds and computer failures (The Economist 20.02.2013)

**The US government has moved to clarify its regulatory stance on virtual currencies such as Bitcoin, confirming that while users are not classified as money services businesses (MSBs) subject to its rules, exchanges and administrators are. Virtual currencies do not have a legal tender status in any jurisdiction (FinCen18.03.2013)

** Since 2010 Britain’s biggest banks – Barclays, Lloyds, Royal Bank of Scotland, Santander and HSBC – have collectively set aside about £14bn to cover the cost of mis-sold payment protection insurance, making it the costliest consumer scandal in the UK. (FT.Com, Jennifer Thompson, Risk Management 2013.- March 18, 2013)

**Freddie Mac (FMCC) sues 15 banks over alleged manipulation of LIBOR that makes the banks look healthy while jeopardizing FMCC’s mortgage portfolio (Bloomberg 20.03.2013)

News Bytes



Business Risk Assessment - In Rolling Out Newer Banking Applications And Services

As long as banks operated in a regulated environment they were risk averse. Being increasingly exposed to domestic and international competition they are now compelled to encounter various types of financial and non-financial risks. Risks and uncertainties are integral to life and more so to banking. A Bank as an institution is based on the foundation of customer confidence, which requires that it remains resilient to risks by managing them proactively and robustly.

Driven by an exponential growth in technology and increases in global financial interlinkages, apart from credit risk and market risk, banks also face operational risks. Not to forget the reputational risks which are poised to overshadow the rest!. The main reasons could be inadequate or failed internal processes, people and systems, dilution of privacy or external events.

One of the key elements of managing a Bank’s Operational risks is to ensure risks around implementing and running its IT systems are managed effectively. Implementation of any new applications is typically a costly and risky proposition. Failure of core-system projects adversely impacts both finances and business opportunities. Failed projects lead other banks into delaying their expansion to newer applications as they assess the potential benefits of a new system against the risk of failure.

Implementing new banking applications and introducing newer services such as internet and mobile banking is a complex task that consumes significant time and resources. The key to success is to incorporate enough flexibilities and understandings of the way businesses are run so as to speedily adapt to unexpected requirements and surprises along the way.

Software project implementation could encounter various risks:

• Technical risks include problems with project size, project functionality, platforms, methods, standards, or processes. These risks may result from excessive constraints, lack of experience, poorly defined parameters or dependencies on organizations outside the direct control of the project team.

- Take for example the lack of information on parameters relating to loan interest calculation or preclosure of term deposits that could cause testing bottlenecks.

• Management risks include lack of planning, lack of management experience and training, communications problems, organizational issues, lack of authority, and control.

- For example inexperience in project management can result in lack of continuous monitoring of risks and re-planning appropriate mitigations in line with the project progress.

• Financial risks include cash flow bottlenecks, capital/ budgetary issues and return on investment constraints.

• Contractual and legal risks include changing requirements, market-driven schedules, health & safety issues, government regulation, and product warranty issues.

- Not having earlier experienced a particular type of failure it could be very frustrating to find that, at a crunch, the product developer is unable to meet the up-time or mean-time to repair commitments under the contract.

• Personnel risks include staffing lags, lack of focused experience, training problems, ethical dilemmas, moral conflicts, staff conflicts and productivity issues.

- Large and multi country roll-out projects invariably require multi-cultural teams – both internal and external. In these cases absence of attention to cultural sensitization, team building and language translation requirements can cause significant issues around team communication and requirements management. These also lead to increased time for review and acceptance testing phases.

• Other resource risks include unavailability or late delivery of equipment & supplies, inadequate tools, inadequate facilities, distributed locations, unavailability of computer resources, and slow response times.



The key considerations for a successful modernisation journey are:

1. Business Requirement Management: Requirements should be captured and managed centrally, allowing banks with multi–line business units or other global bank entities to centralise their requirements and prevent duplication of development efforts.

- A typical fallout of inadequate or lack of requirement management is the scope creep during the UAT phase of the project. This invariably leads to lot of rework, slippages in schedules, increased costs etc.

- At a crunch, during UAT it could be realized that as a result of casual oversight, a crucial report was overlooked during the requirement planning phase

2. Integrated Tooling Workbench: A standard set of tools and technology will improve control over the systems development lifecycle process

3. Design process: To effectively manage the risk of disruption, time to market and cost to transform, banks must combine a top-down approach with the traditional bottom-up approach to legacy modernisation

4. Build versus Buy: When deciding whether to build or

buy, banks should consider the fit between business requirements and the available functionality in packaged solutions. They should also consider the effort required to customize a generic package or to streamline and redeploy existing functionality.

5. Proof of concept: To validate the transformation

objectives, the bank should conduct a controlled Proof of Concept (PoC) with its chosen design principles and integrated tooling. The scope of the POC should completely mirror all the elements that will be faced during the full execution.

- Without the PoC, the bank may end up implementing an application that does not meet its core requirements. The bank may be expecting a Transaction Banking System, but the application’s operational efficiency may lie in Retail Banking.

- assumptions based on the halo around the developer

could be woefully off the mark, resulting in severe cost and time overruns

6. Go live Planning: As modernisation is progressed and new systems evolve, the old legacy systems have to be decommissioned for the full benefit of the cost to be realized. A decommissioning strategy should therefore be defined at the outset of the modernisation journey.

7. Testing and data migration: In most transformation efforts, testing consumes significant resources, effort and budget. Investing in a testing strategy and using industrial–strength testing processes and facilities can cut costs and reduce lag times in development and deployment.

- A proper data migration strategy helps in mapping the existing legacy data with the appropriate data field & type in the new system. The ‘date of birth’ may be maintained as a data field (instead of date field) in the legacy system. An incorrect mapping of this in the new system will create issues in validation of key requirements like status (major or minor) of the client.

8. Managing change: To ensure that risk is adequately managed, banks need to invest time and resources in robust change management. Change will result not only from the effect of modernisation programs, but also from business–as–usual initiatives that have to be accommodated within the transformation journey

News Bytes** 25 years ago in Germany, derivatives trading was classed in the same regulatory category as gambling, but with the added disadvantage that a losing trader could ask for his money back if a trade went the wrong way. (Finextra March 22, 2013: ‘25 years of German Exchange’ by Chris Pickles)

** SEBI introduces standardized labeling system to help investors understand the risk profile of the Fund (ET Business 25.03.2013)

** Laiki bank the country’s second largest bank to be gradually dissolved as part of the $ 13 billion bailout package for Cyprus. Good assets to be absorbed by the Bank of Cyprus. Raises issues of systemic risk for large Russian investors (Reuters & ET 26.03.2013)

** The World Bank is ready to work closely with the BRICS Development Bank to end poverty throughout the developing world. (The Hindu March 27, 2013)

Arun RamamoorthyPractice Lead - Banking Practice,Thinksoft Global Services



De-risking Financial Systems - Through Knowledge And Experience

It takes a great degree of expertise to understand the complex business flows and the logic of numerous business decisions that are implemented across financial institutions. This is taken as a given but, with the increase in internet facing and mobile based systems, the requirements to change a financial institution’s core systems are increasing. Changing such systems with zero defects and high availability is indeed a big challenge.

Greater is the challenge for IT departments to sync with the rate of change in technology. This requires the recruitment of talented and experienced technicians, while also ensuring that there is enough expertise to ensure that the changes implemented match requisite business needs.

These issues were well illustrated last summer when the American investment firm ‘Knight Capital’ lost over $450 million in trying to keep up with changes in high frequency trading.

The issue they faced involved trading 150 stocks during a 45 minute period. The stocks were being ordered as

buy-high and sell-low when in fact it was meant to be the other way around. As a result ‘Knight Capital’ saw a 75 percent loss of the share value during the 48 hours that followed, forcing the firm to seek emergency funding.

Ten years earlier, Knight Capital experienced a similar fault with their trading systems. Fortunately, on that occasion, the speed of the processes that were creating losses was not so high and that enabled the regulators to benignly cancel all the trades impacted by such errors. This time, however, the regulators chose not to follow that decision because they viewed the error as being an example of incompetence.

Being a recurrence of an earlier fault, how come Knight Capital didn’t have it battened down and sorted out? The answer is complex and lies with the business knowledge required to minimize systems risks, as much as the programming knowledge needed to implement high frequency algorithms. In this case it was clear that the system teams did not recognize the impact the issue would have on the business – they misjudged, both, the impact (in terms of losses) and the response under a changed regulatory environment.

Systems are only as good as the people who program them and a majority of people who program them are often technicians. The technicians will work to business specifications and interpret them into programmable workflows and processes. They are susceptible to interpreting a business logic based on an incomplete or incorrect specification. Business knowledge is crucial to verify the specifications and possible system defects due to incompleteness or errors. Furthermore, it can help anticipate likely operational risks that identified-defects can cause – i.e. the business criticality of defects – that requires attention and urgency. Therefore, domain-aware team members are required to visualize all the likely failure scenarios and prioritize them by likely business risks so that those with most impact can be addressed immediately, with required resources.

Our experience over the years in testing financial systems suggests that by getting business specifications validated earlier by domain experts the likelihood of critical flaws creeping into the systems at the time of ‘Going-live’ is significantly reduced.

Even with the need for a domain aware unit within the project team being recognized, an important question still remains - where should such expertise reside and how can this unit be optimally built and utilized within a project team.

Conclusion:With ever-increasing complexity and increasing demand for bigger, better and faster, the software industry is a high risk business. When teams don't manage risk, they leave projects vulnerable to factors that can cause major rework; major cost or schedule overruns, or complete project failure. Adopting a Software Risk Management Program is a step every software manager can take to more effectively manage software development initiatives. Risk management is an ongoing process that is implemented as part of the initial project planning activities and utilized throughout all of the phases of the software development lifecycle. Risk management requires a fear-free environment where risks can be identified and discussed openly. Based on a positive, proactive approach, risk management can greatly reduce or even eliminate the need for crisis management in expanding to newer banking applications and services.



There are few options that we could evaluate:

a) Expand the Business Analyst team – while some members write business specifications, the rest will verify. How is one to decide, who will do what? Even though the expanded BA team allows for domain experts verifying the specification – it could compromise the key requirement of verification-skills and the need for them to be operating independently.

b) Create a separate unit of ‘Business Specification’ verifiers: While this unit can be created with domain experts who have the required verification skills, they would be one more entity to be managed – leading to a need for greater coordination, further splits in responsibilities and a strong likelihood of the an overall increase in effort. It is certainly not a cost effective option, even if it meets the need for independence.

c) Early involvement of a domain-aware testing team: The team (as a unit) would need to get involved at the business-specifications stage itself. This is feasible only if the team has the necessary domain expertise to verify specifications. This could be optimal as it allows for better streamlined coordination across the project - compared to the other two options and makes the testing team responsible for quality throughout the lifecycle thereby strengthening project governance. It allows for greater re-use of scripts across various stages of testing. All in all organizations can optimize their testing costs by as much as 40%.

With financial authorities seriously reviewing the plan to introduce “capital requirements” in banks to cover operational risks (in addition to those for trading and credit risks), the impact of systemic issues will no more stay within the IT domain, but extend to a financial institution’s business model.

In conclusion, the greatest challenge for any firm is to get the business and technology arms of the organisation working in unison; factoring in the geographic spread and frequency of technology updates. The testing process is the key to de-risking system changes. It is the one area that the business and technology teams have to get right by making testing a continuum and not just as a passing phase or a one-shot activity.

With the likely tightening of regulatory requirements to manage operational risks, ensuring that systems go live first time right without causing any disruption is not only a CIO responsibility, but a matter for the Board. With a domain-ware testing team involved from start, organizations can drastically reduce their “cost per defect” and significantly reduce the operational risks caused by system failures.

Anand Vyas Vice President – Sales, UK & EuropeThinksoft Global Services

Export Excellence Award 2011-2012Thinksoft was awarded the Export Excellence award for the highest growth in exports among IT/ITES units. The 19th edition of the award organized by the Madras Export Processing Zone (MEPZ) was presented by Madhusudan Prasad, the Additional Secretary Ministry of Commerce on the 22nd of March 2013. Vanaja Arvind, Executive Director, Thinksoft, received the award on behalf of the managementof Thinksoft.

AWARD

Thinksoft in Media

Asvini Kumar, MD, Thinksoft Global Services talks about the BFSI sector and the future plans of the company in his interview with CNBC TV18.

http://www.youtube.com/watch?v=CchXHh5LeWU

Contributing Authors

T.V. Gopalakrishnan PhD. An Associate of the Indian Institute of Banking and Finance and an erstwhile officer-in-charge of the Financial Action Task Force attached to the Ministry of Finance, Govt of India.

V. Ravi Kumar; Professor of Finance. A mathematician by qualification, with over 30 years in Banking and Financial Markets cutting across Sales, Trading, Asset-Liability Management and Risk Management of Financial and Money Market instruments!

L. Raghavendra An independent banking-technology consultant specializing in business strategy, product development, regulatory changes and technology adoption.



Quiz:

1. During 2012, which one of the following countries had a current account surplus; Australia, France, Ireland, Italy, Portugal?

2. Which one amongst the five would you associate with the discovery of the theory of probability, the mathematical heart of the theory of risk; Albert Einstein, Benjamin Franklin, Blaise Pascal, Leonardo da Vinci, Nicholas Bernoulli?

3. What was the approximate per capita income in India during 2012-13; Rs 3400, Rs 5700, Rs 6900. Rs 9400?

4. From which of the following words is the word ‘Bank’ derived; Basket, Barn, Bench, Bureau?

5. In 2010, how many times larger was the GDP of USA compared to that of India; 6 or 8 or 10, or 12?

6. According investment bankers, over the next decade, growth of infrastructure as a major growth-driver of the region, especially Qatar would be linked to Corporate Summits, Manufacturing, Motor Racing or Soccer?

7. Which one of the following factors could be seen as a major contributor to the success of the mobile wallet M-Pesa in Kenya; Low charges, Easy convertibility, Ease of recharge or Easy credit?

Please click here http://www.thinksoftglobal.com/meghaduta/apr13.php to take the quiz

?

Note: Register and tick or enter the answer in the assigned box. Seven entries with best responses will be chosen as per a lottery draw and USD 100 will be donated to the chosen charity of each winner. Last date for responses - 30th June, 2013. Winners will be communicated by email and their names published in the next issue.



Disclaimer: All the documentation and other material contained herein is the property of Thinksoft Global Services and all intellectual property rights in and to the same are owned by Thinksoft Global Services. You shall not, unless previously authorized by Thinksoft Global Services in writing, copy, reproduce, market, license, lease or in any other way, dispose of, or utilize for profit, or exercise any ownership rights over the same. In no event, unless required by applicable law or agreed to in writing, shall Thinksoft Global Services, or any person be liable for any loss, expense or damage, of any type or nature arising out of the use of, or inability to use any material contained herein. Any such material is provided “as is”, without warranty of any type or nature, either express or implied. All names, logos are used for identification purposes only and are trademarks or registered trademarks of their respective companies.

For more details visit, www.thinksoftglobal.com

India Parent Company

India

Thinksoft Global Services Ltd

HO: 6A, Sixth Floor, prince Infocity II, No.283/3 & 283/4, Rajiv Gandhi Salai(OMR), Kandanchavadi, Chennai-600096

Tel: +91 44 4392 3200,Fax: +91 44 4392 3241

Unit - Plot No. B-17, 2nd Main Road, Phase II, MEPZ, SEZ, Tambaram, Chennai-600045

511 & 512, Prestige Meridian I,No: 29-30, M.G. Road,Bangalore-560001

Citi Point, Unit Nos: B-601,B-602 & B-603, 6th Floor, Andheri - Kurla Road, Andheri East, Mumbai-400059

Tel: +91 22 4015 8660 / 61 / 62,Fax: +91 22 4015 8663

Branches:

UK


26-28 Hammersmith Grove, London,W6 7BA

Tel: +44 (0) 208 834 1086Fax: +44 (0) 208 834 1102

Belgium


Romeinsesteenweg 1022, 1780 Wemmel, Belgium.

Australia


22 Mans field way, Kellyville, NSW, 2155, Australia

Tel: +61 424 981 458,E: [email protected]

Hong Kong


Units 3401-2, 34th Floor, AIA Towers, 183 Electric Road, North Point, Hong Kong.

Cyprus


229, Arch. Makarios III Avenue Meliza Court, 4th Floor P.C. 3105 Limassol, Cyprus

Malaysia


Level 33, Menara 1 MK,Kompleks 1 Mont Kiara, No.1, Jalan Kiara, Mont Kiara, 50480 Kuala Lumpur.

Subsidiaries:

Singapore

Thinksoft Global Services Pte Ltd

1. North Bridge Road, 19-04/05, High Street Centre,Singapore 179 094

Tel: 65 67200724, Fax: 65 67200725

USA

Thinkosft Global Services Inc

No. 38, 3rd Floor, Stark Business Suites, 500, Mamaroneck Avenue, Suite 320, Harrison, NY 10528

Tel: 914 428 0500, Fax: 914 428 4001

UK

Thinksoft Global Services UK Ltd

26-28 Hammersmith Grove,London, W6 7BA

Tel: +44 (0) 208 834 1086Fax: +44 (0) 208 834 1102

Dubai

Thinksoft Global Services FZE

PO Box No.82840,Dubai

T H I N K S O F T G R O U P