Recently-launched Metro Bank has made headlines these last few months for more than one reason: it is the first high-street bank to launch in over 100 years; it follows a retail store model, offering longer opening hours and no weekly closing day; and virtually all of their IT is outsourced to a Managed Services provider.
The news of a bank outsourcing its IT does not come as a complete surprise, as many banks outsource certain functions such as software development, IT Support etc. There are elements of novelty in this choice, though – for instance the fact everything but security and the local networks and terminal devices is being outsourced, which puts a lot of technology in the hands of the provider.
It is also unusual that they have chosen a new provider, niu Solutions, which is a merger of four different IT and telecom providers and has little track record as a unified company. And finally, what is most interesting about Metro Bank’s set-up is that they are using a new ‘pay-as-you-grow’ Managed Service model that is highly-virtualised, flexible and scalable – something only a start-up is likely to have considered.
Some publications reported that the bank is using cloud computing, but they are probably mistaking the somewhat flimsy term with plain virtualisation. This is not a shared service – the bank has paid upfront for the hardware and has employed the provider to manage their systems, which run remotely from two data centres in the UK. While it’s likely that the provider will be looking to add customers to the model, there’s little doubt that Metro will insist upon a high degree of separation of “their” equipment in the provider’s datacentre to help minimise security risks.
With any financial firm, but particularly a retail bank, information security is an overriding concern. As well as the detailed personal and financial records they hold for their customers, there is also concern about who has access to the various financial systems that are used for recording and executing financial transactions.
Locating kit at a provider’s premises introduces a transfer of control issue, but Metro bank will mitigate that by ensuring data at rest is encrypted, and that the right security standards are enforced at the provider’s datacentres.
Clearly it is in the provider’s interest to supply a good and secure service to retain their clients and their reputation, and the advantage of dealing with a supplier is that roles and responsibilities should be clearly defined and contracted. This is in contrast to relying on internal staff – the assumption might be that this improves security, but it also introduces the risk that there is less formality and, consequently, fewer proper control measures.
The biggest concern in a modern bank is logical security, rather than physical. Access to accounts and key financial systems will be highly restricted and audited. Since operational security at Metro Bank is retained in-house, the risks of a provider’s rogue employee having the level of access necessary to steal data or using the system for criminal purposes is relatively low.
A concern in any outsourcing arrangement is the financial stability of your chosen partner. Such concerns would be particularly acute for Metro Bank as there would be serious repercussions if, for example, a company failure meant it couldn’t get access to its systems. Clearly Metro will have done its homework on its chosen provider and insisted on various safeguards and insurances.
The new ‘pay-as-you-grow’ model appears to be convenient especially because of its scalability potentials – after an upfront payment for hardware, the bank pays a cost per user and increases its spend as the client and user base grows.
With any new venture, it can be difficult to predict what the level of growth will be, and by adopting this model Metro will only pay for the growth as it’s achieved – rather than needing to make significant upfront investments to ensure growth isn’t hindered. Also, by leaving IT to the experts the bank is able to concentrate on customers and operations without having to worry about IT availability and support, sure of getting a high quality service thanks to SLAs.
This model is certainly interesting, but needs to show it can work in order to gain more trust among both banks and bank customers, and therefore be embraced by a larger number of companies. Retail banking is a better candidate for the model than, say, Investment Banking where the breadth of systems typically used and high-speed real-time requirements for data delivery might deter the organisation from being so bold.
Nevertheless, this innovation can create many benefits from a business point of view: if this model manages to work over time, it could create many more opportunities for service providers to enlarge their range of work, and for banks to embrace cost-efficiencies that will enhance their competitive value and, ultimately, their potential for success.