Embracing regulation as a means to remediating the legacy tail
The Legacy Tail occurs in nearly application flow in every bank. It refers to technology or data solutions that are non-strategic but still provide relevant services and may be hard to decommission.
There are several reasons for the legacy tail to emerge, from lack of funding to mergers. Deadlines for regulatory compliance can also be a problem as banks rush to get systems working in time. Equally, the loss of knowledge capital can lead to legacy issues.
What started as a very good system becomes a risk as changes are made. Legacy tail problems have been around for years, but it’s particularly problematic as regulations tighten up and there are far higher requirements on banks to understand their own risks.
But can we make regulation our friend? Tighter regulations mean it’s no longer an option - banks musts show they are bearing down on the technology risks associated with the legacy tail.
“Whilst this has to be done, why not embrace it?” asks Frank Pottle, associate director of Risk, Compliance and Regulation at Hatstand.
Speaking at the recent Hatstand breakfast briefing in London, he noted how remediating legacy tail issues, as part of a wider look at reducing total cost of ownership, can be achieved while carrying out regulatory compliance efforts.
“Regulations are coming in thick and fast. Some of them now require, not as an option, but as a legally-binding obligation, that you have governance and that you have addressed legacy systems. You just can’t leave things as they were,” he said.
BCBS 239, for example, requires CIOs, CTOs and CEOs to sign that they have full knowledge of the risk of their systems. If they don’t have full knowledge and something goes wrong they could face fines, have licences revoked or even go to prison.
So while banks may not want to remediate a potential risk when it isn’t currently causing a problem, they should consider how and when they will do so. Regulation gives banks the perfect excuse to fix legacy tail problems before they balloon out of control, help them reduce risk and complexity in systems, lower running costs and, of course, improve compliance.