“15 different types of spaghetti”

The most recent failure of UK bank RBS, and its group of companies, to process 600,000 payments, illustrates yet again the major problems underlying the IT systems of not just the banking sector, but any industry where there have been multiple, often rapid mergers and acquisitions.

One RBS executive reportedly said to the UK’s BBC that the bank’s systems we like “15 types of different spaghetti”. To my knowledge, and from my experience of the industry, that is a significant underestimate of the complexity.

RBS, before the financial crash of 2007/8, when it had to be bailed-out by the UK government to the tune of £46 billion, was for a short time the largest bank in the world. Its size came from a rapid period of acquisitions, most notably under the direction of CEO Fred Godwin, who became known as ‘Fred the shred’, reflecting the bank’s penchant for divesting itself of personnel in the newly acquired subsidiaries in order to boost profits, and thus the share price.

Sadly the rapidity of mergers and the loss of people who understood the IT systems of the acquired companies did not bode well for RBS trying to operate and report as a group.

In 2012, for several weeks, 6.5 million customers of RBS and its Nat West and Ulster Bank subsidiaries  could not use their online banking facilities, some could not make mortgage payments, and others outside the UK could not withdraw cash. This not only resulted in a loss of face and confidence, but a £56 million fine from the UK regulator.

The problem was diagnosed as software incompatibility which became apparent following a software upgrade, amplified by the fact that the bank didn’t have contingency processes in place to mitigate the problems.In December 2013 more than 1 million RBS, Nat West, and Ulster Bank customers found they could access their accounts after what appeared to be a similar failure, but with a different system.

Finally to June 2015, after the bank had reportedly spent the originally planned £2 billion on upgrading its systems, plus another £750 million, 6% of the transactions to be processed overnight failed because ‘the file could not be read properly’.

Having spent the majority of the last three years working around FINTECH, principally in the UK banking sector, I can only say I am not surprised.

Most of the major banking core back-end systems were written several decades ago, based around batch processing, are robust, well documented and supported. However, the ‘front-ends’ to those systems for on-line access, such as via the internet and latterly mobile devices, have not been built as well, and their desire for near real-time processing is fundamentally at odds with the back-end systems.Add to that RBS, like the majority of banks following mergers and acquisitions, is running multiple back and front-end systems, and has had to write ever more complex code to integrate those systems together, the numbers of different spaghetti types could be many multiples of 15.Sadly for us as bank customers RBS' recent predicament is just an example of what can (and will) go wrong.

My thoughts about RBS’ exposure to such problems are that during ‘rationalisation’ following its acquisitions, it lost much of the knowledge regarding the integration of systems within the IT systems of its subsidiaries. Furthermore integration between the systems of the business units was done tactically, and not as part of a planned strategic investment. Thus, when upgrading central and cross-business systems, not all can be tested properly before the upgrades are applied. This was compounded by a lack of mitigation plans, which could have led to a faster resolution of the resulting problems.

To be fair to RBS, it has put a ‘shed-load’ of somewhat belated investment into getting its systems together, and it put it's 'hands up' very quickly to the failure.  Another bank I worked with had a server it didn’t dare switch off, because at the time it did not know which other systems across the bank and its subsidiaries that the server’s information supported. Having looked at them all in a lot of detail, there are only two large banks I would feel confident with to handle my data, without a major mishap such as at RBS, and even those have some problems with their manual processes.

So what is the answer? Well thankfully it is already happening in the all banks reviewing/renewing their systems, and doing it in a planned and measured way. Not ‘on-the-fly’ to meet the next financial reporting date. Those in industries outside banking should not be complacent, the problems experienced by RBS are not sector specific. Need I remind my colleagues stuck in airport lounges of upgrade problems on the UK's air traffic control system, run by NATS?

Will we see a repeat of the repeat of RBS’ problems at it, or other banks, or in other industries? Yes, there are at least 350 different types of pasta in the world.

Want to use a Nest Cam in the UK? - Register with the ICO

The announcement that Google’s smart homewares firm Nest has developed a motion-activated web cam for home security purposes sounds like a neat idea for those householders about to leave on holiday, or want to know what the au pair is doing in their bedroom when they are out at work.

However, householders using the Nest Cam technology in the European Union (EU) need to be aware that any images they capture of people are regarded under 95/46/EC as personal data, and as such, those that capture the images need to register with their country’s Data Protection Authority (DPA) that they are storing personal information, and potentially in order to comply with the registration, put up signs warning people in the house that they may be subject to recording of their activities.

The new device comes from developments following the acquisition of Dropcam by Nest in 2014 (which itself had only recently been acquired by Google). Motion-activated, it streams and then records live video to Google’s servers. It then ‘alerts’ those customers and then gives them access to the recordings for 10 or 30 days, for a ‘nominal’ amount of £8 or £24 per month respectively. So that’s the technology bit.

Now the legal aspect. Under the EU Directive 95/46/EU images of people, are personal data, and as such should only be managed by a Data Custodian who can ask a Data Provider to store it on their behalf, although the Data Custodian retains ultimate responsibility for the storage, access and even loss or breach of the data.

Now the fun bit, and why we need the forthcoming EU Data Protection Regulation (#EUdataP, #gdpr) without it being watered down over the next months.

Data Protection today (UK focused)
The Data Custodian is the person/organisation capturing the personal data, so the householder, and therefore Google (with the majority of it’s servers in the US), will be the Data Provider. But with a Nest Cam, it could potentially be argued that Google via Nest is the Data Custodian, but that misses the real issue of 'informed consent' for the data to be stored.

In either circumstance, under 95/46/EU personal data captured in the EU can only be ‘exported’ outside the European Economic Area (EEA) with the explicit consent of the data subject, easy when you fill in the bank loan application, but how do you get the ‘ne’er do well’ who is taking your iPad and jewelry from your bedroom to consent that their image can be stored by a hosting provider in US?

Simple fact, you need to alert them to the fact they are being recorded. Thus a sign such as we see in many ‘public places’ in the UK, stating that images are subject to recording, and who the is Data Custodian, is probably going to be required in houses installing a Nest Cam. Furthermore, taken to the limit of the UK law, the householder needs to register with the UK Information Commissioner’s Office  (ICO) – other EU countries have their own DPA - as a Data Custodian. The reason being if you are not the Data Custodian (in the UK), and you present evidence gathered without the data subject’s consent, that may be inadmissible in court.

Do you really want a Nest Cam? Of course you do, it will be fun when the smallest child says that the dog has eaten the cheese in the fridge. But please ensure you have registered yourself as a Data Controller with the ICO.

A Blackberry lollipop? - yes please

I don’t normally stray into the world of mobile devices, but the widely reported news that Blackberry’s next smartphone will run on Google’s Android OS rather than its own proprietary software is something to take notice of.
This is a very logical move following the development of Business Enterprise Server 12 (BES12) to manage enterprise mobile devices running on iOS, Windows Phone, or Android. Furthermore, back in February the company extended the server to work with devices running Android Lollipop.
From its inception Blackberry has been focused on the enterprise and with Enterprise Server has been the CIO/CTOs favoured ecosystem for mobile enterprise communications ever since.

However, despite the strength and maturity of its own OS and the associated software (IMHO the Blackberry Playbook was a great device), it has lost market share most notably to iPhones and the diverse range of smartphones running Android. Latest reports indicate the it only has 1.5% of the US market for new devices. With Microsoft now also offering credible enterprise-ready mobile devices, the writing is not just on the wall for Blackberry, but the ceiling and floor as well.

When Blackberry started as Research In Motion (RIM) it had to build it’s own devices and OS, nothing else was up to the security requirement of enterprise (particularly government) organisations.
Whilst I don’t expect an overnight drop in the (still amazingly common) sight of executives putting an iPhone or Samsung next to a Blackberry on the table at meetings, this is a useful announcement for the CIO/CTO, still juggling the three balls of mobile enterprise security, user preference and Bring Your Own Device (BYOD).