Review and learnings: the IT function in financial services in 2020

Morgan Badoud, Manager Digital Assurance, PwC Switzerland, 05 Jan 2021

For several years, the emergence of new technologies has led financial institutions to rethink their internal organisations. The business strategies of these companies create new needs in terms of IT. The 2020 global health crisis has forced companies to adjust their priorities and initiate or accelerate projects to ensure quality of service and business continuity under these extraordinary conditions.

In the first quarter of 2020, during the performance of the regulatory audits, PwC Switzerland conducted an assessment of the IT organisation and IT governance of 107 financial institutions (‘FI’) across the country. The assessment also included an analysis of strategic IT projects at these financial institutions.

We aggregated and anonymised our results to create a benchmark that gives an overview of the IT organisation and IT governance of financial institutions and highlights the strategic aspects of each.

Our assessments are based on professional judgement rather than on quantifiable and objective data; therefore, they are subjective. The results we present are based on the analysis of a group of financial institutions in Switzerland, broken down as follows:

Breakdown of FIs

IT is rethinking its priorities

Our assessment shows that the maturity level of financial institutions in terms of the organisation and governance of the IT department is in line with the regulator’s expectations: only 10% of institutions have not, or only insufficiently, defined the roles and responsibilities of the teams (development, infrastructure, help desk, etc.) within their IT department.
We also observe a change in the overall organisation of the company. Indeed, in recent years, IT managers have changed their direct reporting lines. We note that currently 50% of IT managers report to the Chief Executive Officer, 25% to the Chief Operations Officer and 25% to group level (for local entities of an international group).

Direct reporting line of IT managers

None of the IT managers of the 107 financial institutions in our survey group reports to the Chief Financial Officer, as they used to in the past. This reflects a shift in the perception of IT within these organisations. The IT function is no longer considered merely as a cost centre, but as a full-fledged operational department requiring the assignment of a member of management and, in some cases, the merger of IT and Operations. By prioritising the development of new solutions, FIs prefer to outsource purely operational aspects, either internally to nearshore or offshore sites or externally to specialised organisations.

Information systems security is evolving

Our analysis also looked at the security organisation, particularly the direct reporting line of Information Systems Security Managers (ISSMs).

Among the 107 financial institutions in our survey, we note that 45% of ISSMs report to the Chief Executive Officer, 21% to the Chief Information Officer or Chief Operations Officer, 27% to the group (for local entities) and 7% to the Chief Risk Officer (‘large banks’ only).

Once again, we observe a shift in the role of information systems security, which is increasingly becoming detached from the IT department. IT security – and especially cyber risk management – is now one of the main operational risks of financial institutions. These elements therefore have a separate and often direct escalation channel to the institutions’ senior governance bodies.

New technologies: two-speed integration

The above-mentioned changes with regard to IT are also reflected in the IT strategic priorities observed within financial institutions.

It appears that 65% of institutions outsource at least one key activity (as defined by FINMA Circular 18/03 ‘Outsourcing’) of their information systems to a third party or to an entity in the group. And this percentage has increased in recent years. Indeed, there is a very clear trend within companies: they now prefer to outsource recurring tasks, such as managing applications or infrastructure, and focus on research and development projects to expand their service offerings or reduce costs.

While blockchain, crypto, machine learning and robotic process automation (RPA) have become increasingly common over the years, the implementation of these technologies is limited to only a few institutions. Often driven by group strategies, their implementation at the local level remains rare: RPA (6%), blockchain (3%) and machine learning (1%) require a relatively heavy initial investment, and therefore can be profitable only for large transaction volumes. Their implementation and the adaptation of the internal control system to these new technologies discourage smaller category 4 or 5 institutions. In general, financial institutions lag behind other industries in these areas and favour a more ‘indirect’ approach (e.g. alliances, strategic investments, etc.).

% of FIs that are implementing or have implemented the above initiatives

The impact of the health crisis on IT strategies

The health crisis has prompted businesses to rethink how they work: cloud solutions have been rapidly adopted by several financial institutions to manage capacity in response to the growth in remote working or to deploy instant communication tools. For example, while 40% of organisations were considering a cloud solution in March 2020, the figure stood at 65% in November 2020. The emergence of local cloud solutions in Switzerland that enable financial institutions to benefit from local servers while meeting legal requirements is a major reason for such progress.

Finally, in this period of health crisis, the development of virtualisation and the concept of working from home accelerated sharply in the first half of 2020. In our first survey, in Q1 2020, 17% of organisations mentioned the development of remote working in their IT strategy. In Q3 2020, during the follow-up phase of our analysis, 90% of FIs reported that they had adopted the concept of working from home to a significant extent.

Economic pressure and technological change continually push institutions to reimagine their organisations. IT and security departments, which used to act as purely support functions, have become key players in the ongoing transformation of financial institutions by focussing on the development of new solutions.

The health crisis has accelerated some organisational and strategic changes in recent months. But most companies were already thinking about these changes and this extraordinary situation may have only accelerated the realisation of key strategic projects.

Recommended actions

We recommend financial institutions pay particular attention to the following aspects when implementing a project:

A variety of complex and stringent banking secrecy, data protection, security and outsourcing regulations must be taken into account in a transformation/integration project. Make sure you have a clear view of the scope of your project, and identify the regulatory requirements that need to be considered.

Security and trust are critical aspects when developing a transformation project. Few banks allow sensitive data to be stored externally and it is equally difficult to trust suppliers to provide adequate security. Develop an information security concept in relation to the project, clearly defining the roles, responsibilities and security controls to be implemented.

The use of third parties is a common feature of IT projects. It requires a risk assessment and supplier management process to ensure the alignment of the business objectives and services delivered by the vendor. Identify the vendor risks and implement the controls necessary to monitor vendor services.

Regulatory and technological developments are driving FIs to adapt their IT systems. For a transformation project to succeed and benefit from the integration of a new technology, identify external dependencies and interdependencies in your application landscape and rethink your data model.

How PwC can help you

As a multidisciplinary company, we are especially well positioned to help you adapt to changing regulatory environments and to accompany you in transformation projects or in the implementation of new technologies:

  • Cloud: Our combined expertise in business, technology, risk and control will help you better understand how the cloud can transform your business.
  • Blockchain: We build trust in your solution and services by performing independent audits and assessments of the security and quality of your blockchain or digital asset based solution. We also use our advanced analytics tool with deep intelligence to produce transparency reports on your digital assets and blockchain transactions.
  • Project management: Based on 12 elements of control, our ‘Excellence in Project Management’ methodology allows you to get a precise assessment of the quality of project management (transformation, implementation, etc.).

Contact us

Yan Borboën

Partner Digital Assurance and Cybersecurity & Privacy, PwC Switzerland

Tel: +41 58 792 84 59

Jens Probst

Partner Digital Assurance FS, PwC Switzerland

Tel: +41 79 372 57 88

Morgan Badoud

Manager Digital Assurance, PwC Switzerland

Tel: +41 58 792 90 80