When it comes to sheer IT “bling,” financial services is never outshone. High margins, deep pockets, and intense competition in investment, banking, and insurance have pushed these companies to the edge of just about any technology there is. Storage, grid technology, Web services, virtualization, VoIP -- you name it, financial services companies have bought it.
But firms in the financial services sector are driven by more than profit and time to market. Stringent regulations and governance requirements in the securities and banking sectors have raised compliance to the top of the stack.
The result is a two-edged sword: millisecond performance and rapid development to compete in a cutthroat market, while zealous regulators hover in search of mistakes.
Pushing IT to the limit
Financial services companies of all stripes pour money into performance. Today, with high-speed grid and clustering architectures, not to mention utility-based computing services from IBM, Sun, and others, money spent on HPC (high-performance computing) goes further than ever before.
At prime brokerage firm Merlin Securities, high-performance grid computing was a way to create new services that distinguished the startup from a crowded market of firms that serve more than 8,000 hedge funds. Amid deep-pocketed competitors such as Morgan Stanley, Merrill Lynch, and Bear Stearns, not to mention a sea of smaller firms, Merlin constructed a powerful, grid-based trading and reporting platform using dual-processor Dell PowerEdge 2850 servers, Oracle’s 10g database, and BEA WebLogic middleware, says Amr Mohammed, CTO of Merlin.
Using Web-based tools developed by Merlin on top of standard portfolio management tools and other investment software packages, customers can dive deep into their data, slicing and dicing performance relative to industry benchmarks, or sorting it by stock analyst, sector, or position. That’s allowed hedge funds not just to single out the performance of individual portfolio managers from a sea of trades but to track the value of an individual decision over time, says John Quartararo, managing director at Merlin.
With some hedge funds managing 5,000 to 12,000 stock positions, that’s a lot of data to crunch. But Merlin’s systems, including rackable Oracle databases, have had 100 percent uptime since they went live in January 2004, Mohammed says. Nonetheless, he admits, getting the Oracle database -- not to mention portfolio software and other applications -- up and running on 64-bit Dell servers in a clustered environment required considerable tweaking.
“We spent the better part of six months on that,” Mohammed says. In particular, shifting from batch processing to real-time reports created bottlenecks in the database, where the core business logic resides. That’s one reason Merlin moved to an Oracle rack implementation: to allow the company to add servers and scale performance easily.
The lessons learned go beyond startups such as Merlin, Mohammed observes. “It’s a decision every company has to go through: Do you want to spend a year migrating or take three to six months … and get it working right from the beginning?”
Leveraging legacy with SOA
Layer after layer of legacy systems send many financial services firms in the direction of SOA and Web services technologies. In fact, financial services customers make up 30 percent to 40 percent of the customer base for SOA tools and infrastructure, says Mindreef CTO Frank Grossman. “These are companies that have acquired so many different pieces. They need to consolidate systems, and XML is a great way to do that.”
Mindreef customer Wachovia, the nation’s fourth-largest bank, has a network of 2,500 branches, 6,000 ATMs, 3.9 million online customers, and legacy mainframe systems that, in some cases, date to the late 1980s or early 1990s, says Chris Brown, senior IT architect at Wachovia’s retail banking division.
In Wachovia’s retail operation, technology leaders latched onto SOA early as a way to expose core assets -- such as customer information, deposits, and money transfers -- as services. The transition to standards-based services has allowed the company to graduate from a rigid, homegrown online banking application to a third-party online banking product from Corillian, with services running on a version of IBM WebSphere for the mainframe z/OS platform.
With the help of MindReef’s SOA testing and compliance tools, Brown says that his staff is building service-based apps, including complex call center applications, and working on retiring expensive legacy integration solutions in favor of WebSphere. Eventually, Brown would like to retire Wachovia’s legacy back-end systems altogether, but that’s easier said than done.
“The investment in legacy, core systems is deep. You look at replacing those, and there are a lot of zeros after the 1,” Brown says.
In the meantime, exposing services in an SOA gives Wachovia agility. “It’s a nice way to try to expose [legacy systems] without having to rip and replace them. And the service interface gives us the ability to replace them gradually because you can take out the back-end system but keep the interface,” Brown says.
Security and compliance
Brian Babineau, an analyst at Enterprise Strategy Group, puts the compliance challenge succinctly: “You’ve got to look at technology to help mitigate failure to comply because it’s just too costly not to.”
Data security is the classic example. Banks and investment houses have always had to contend with the threat of fraud, but the growth of Web-based services and around-the-clock access, coupled with data privacy regulations such as California’s SB 1386 and guidance from the Federal Financial Institutions Examination Council, have put a premium on securing customer accounts and customer data.
At TD Banknorth, the focus on compliance and the need for security monitoring led to the adoption of security risk assessment technology from Skybox, says Robert Kirby, TD Banknorth’s manager of information security architecture. The product allows the bank to prioritize and understand its IT risk, so the most critical security risks rise to the top.
“It lets us decide what we need to do now and what we need to do in a reasonable time frame,” Kirby explains.
Kirby says that TD Banknorth soon hopes to be able to map application and database vulnerabilities, in addition to network holes, into the Skybox system, and to integrate Skybox with a trouble-ticket system.
That kind of planning is one reason that financial services companies consistently score best in SunGard’s measurements of security infrastructure, password protection, security policies, and employee training, says Jim Grogan, vice president of consulting product development at SunGard, a security products and services company.
“Financial services companies want to do due diligence on security but realize that they could spend an unending amount of money on it and still have potential for a breach. They’re getting smarter and doing a prudent amount of investment to do the level of security protection commensurate with the data they’re protecting,” Grogan says.
Regulations are turning financial services firms into compulsive pack rats. Changing guidance from governing bodies such as the Securities and Exchange Commission, federal regulations such as Gramm-Leach-Bliley, and customer privacy provisions have prompted financial services companies of all stripes to hold on to more data than ever before.
The challenge is to use technology to meet regulatory and legal demands, while also creating business advantage, Grogan says.
FirstMerit Bank has more than 16TB of data archived, with 14TB in just the past two years, says Dave Samic, senior network analyst at FirstMerit. Much of the data -- including e-mail archives, and customer and transaction records -- is tied to regulations. But the data crunch spurred FirstMerit to reform the way it does business.
Among other things, FirstMerit consolidated its server operations from branch offices to a centralized datacenter. “Regardless of the vertical you’re in, having those multiple copies all over the place is as inefficient as having the heat and the AC on at the same time,” Samic observes.
To better manage its storage needs, FirstMerit also deployed a SAN and IBM’s TotalStorage SAN Volume Controller virtualization solution, including IBM TotalStorage DS4400 storage systems and IBM eServer BladeCenters. Samic claims that he and one other full-time employee manage the center’s 250 to 300 virtualized servers. That’s allowed his staff of 20 to focus attention on application support and other vital areas.
Samic says he spends much less time on the road to FirstMerit branch locations now. And, in the long term, moving to virtualization has also insulated FirstMerit from fast-rising operational costs such as electricity, he says.
“Power and heat are gonna kill you. Look at California,” Samic says, referring to a recent heat wave that caused blackouts that knocked a number of companies, including News Corp.’s MySpace, offline. “These are things that people need to keep seeing.”