Challenge & opportunity: IT governance in banking

Software development in a digital bank has to meet strict governmental regulations for financial services. It's a challenge, but one that also brings performance benefits. Roman, our IT Process Manager, explains.

There are few industries that are as strictly regulated as the financial sector. These rules also impact the IT infrastructure, which today is essential for virtually all of a bank’s services and processes. Even more so for a digital bank like us, which is why regulatory governance of our software development has to be as effective as possible. Our IT Process Manager Roman emphasizes that IT governance is, of course, vital for any bank, because a breach would jeopardize its license and thus the foundation of the business.

IT governance creates added value

Regulatory compliance is a central quality feature for our software development in banking, and not just an annoying administrative add-on. This compliance also offers a competitive advantage, because it can act as a catalyst for technological developments. The integration of regulation into IT processes, which is indispensable anyway, can also bring strategic benefits. New digital approaches and more efficient processes are used, which promote more efficient software development and lead to positive changes for the organization. “Regulatory measures don’t just create rules, they also bring quality benefits,” Roman sums up. “Governance is not just extra work, it can also add value.” For example, overview statistics are now used, ensuring compliance with uniform standards. This also helps to improve data quality. A ServiceNow ITIL strategy supports the standardization of software development. In general, governance management provides valuable impetus to software development and IT as a whole. “It may well be that regulatory changes slow down development,” Roman concedes. “But we have to solve these problems. From that point of view, I also see myself as a process supporter.” Roman's responsibilities include not only regulatory issues, but also ensuring software and development quality. As the development and operations sides now merge under the DevOps paradigm, Roman assesses development quality using Google’s four DORA metrics, among others: “The idea is that software development should be transparent and high-performing.” We clearly benefit from this as a bank. But what are the actual drivers behind the enormous increase in the importance of software governance?

Increasing demands

Today, modern software development in banks simply has to meet significantly higher demands. Roman sees it like this: “Customers and companies have very high expectations. Software development is not like it used to be. Everything has to be faster, and it has to be more and more powerful.” New players such as FinTech startups are entering the market and raising users’ expectations for the range of functions. Combined offers with evaluations or payment services require complex solutions. Customers want instant feedback. Digital products are also becoming more important in light of shrinking margins in the traditional core banking business. Other factors include growing quality requirements for software operation and lifecycles, as well as security trends such as the replacement of the firewall approach or the focus on “advance persistent threat” attackers. Of particularly significance to Roman are the growing importance of microservices, DevOps and a departure from traditional release cycles. In response to these challenges, and as part of our Next Gen Tech initiative, ING will optimize our tooling and development processes. CI/CD approaches certainly increase efficiency and quality. “The software is not only tested at release, but already at every code change,” Roman explains. Trends such as low-code must also be taken into account. Thanks to this enabler, development now takes place on a broader basis: the business side brings specialist knowledge to digitalized processes.

Complex regulatory landscape

At the heart of governance are the requirements set by regulators, who are constantly introducing new developments. “The rules of state governance must be complied with in any case,” Roman continues. “We actually often exceed them though. At the same time, we have to ensure consistent development performance, otherwise our competitors get ahead of us.” Regulation is becoming increasingly complex and also has a distinctly international dimension. It starts with SOX, the US Sarbanes-Oxley Act (2002), which, as a reaction to scandals like the Enron case, lays down a multitude of regulatory provisions that are also relevant for banking IT. In Germany, banks must further observe the BaFin regulations BAIT (Banking Supervisory Requirements for IT) and MARisk (Minimum Requirements for Risk Management). At the EU level, the EBA Guideline is joined by the Schrems II ruling, with its implications for the outsourcing of software (cloud), and of course the General Data Protection Regulation (GDPR). “The point I want to make is that state governance today is almost always a software issue, as well,” Roman summarizes. “ING, as a system-relevant bank, naturally has particularly high requirements to meet here.”

Diverse approaches

The practical challenge for Roman is to translate these requirements into software processes. This also includes qualitative text analysis, for example, in the case of updated versions of regulations. “Changes to individual words are also taken into account, because the regulators will have obviously had something in mind,” explains Roman. When it comes to process management, he also takes private sector cloud governance into account, e.g. through initiatives such as the GAIA X consortium and the ECUC financial cloud coalition. The governance of our parent company in the Netherlands and the IT architecture at group level are also relevant. The implications have to be integrated into our local German governance, and corresponding documents created for this purpose. Specifically, it is about ensuring a uniform procedure in development, operation and automation. Measures such as the dual control principle, mandatory input validation or improved scan configurations are being introduced. “For instance, these may be automated tests that scan whether certain obsolete libraries or problematic open interfaces are being used,” Roman adds. But he has more in store. When looking into the future of his area of work, Roman sees support for the automated creation of script changes via API, and also for automated script deployment. New ideas and approaches to coding (governance as code) and version control systems are also on the agenda. All of these projects will benefit software development in general, even beyond pure governance. One thing Roman has already implemented is a tool for the development journey that creates clarity on governance requirements through visualized process routes – a kind of regulatory expert system for software development.

Visualization in the process tool

This solution maps all process steps and provides relevant regulatory information at every point of the development journey. Roman describes the efficiency gain for software development: “The tool captures the process route from A to Z. It also includes a representation of processes at the level of BPMN (Business Process Model and Notation).” Process-related activities, but also relevant contacts, provide our users with the necessary context. The solution is an important support for the development of assets such as the numerous microservices that are so commonly used nowadays. These are also becoming more widespread in our country in the form of so-called Self-Contained Systems (SCS). The regulatory aspects of development are presented in dozens of sub-items in a detailed flowchart of the development journey – such as tickets, test integration, monitoring, certificates, jump server for admin access to the production environment, actual coding, interaction of the assets and API deployment. Many other types of processes are also mapped in the tool, right down to the rather simple process of compliance conformity when setting up a desktop computer. New processes are constantly being developed (currently, e.g. SCS Operations and SCS Frontend Applications).

IT opportunities at ING

Our IT Process Manager Roman works in diverse areas of our company: in addition to governance, he also takes care of automation, statistical evaluations, process development and addressing software trends. Our working environment and culture are particularly important to him. In addition to the good processes at our digital bank, Roman sees an overall appreciation for IT: “Instead of being considered a cost factor like in other companies, IT is seen as a differentiator at ING.” This is also reflected in our individual training budget, which, true to the motto “do your thing”, prioritizes the development of our employees. Roman is currently planning a certification training for Microsoft Azure, among other things. The role of Process Manager is only one of many challenging areas in which IT professionals work.

Back to top