Business
Banking on legacy – The risks posed by ‘stone age’ banking infrastructure

Source: Finance Derivative
By Andreas Wuchner, Angel Investor of Venari Security
Introduction
If you consider the most significant motivating factors behind cyber-attacks – the promise of large financial reward and the opportunity to cause maximum business and social disruption – it’s little wonder that banks and financial institutions are amongst the most inviting targets for would-be cyber criminals. In fact, according to IBM’s recent report, ‘banking and finance’ was the most attacked industry for the five years between 2015 and 2020 – surpassed only by threats to critical infrastructure in recent years. Successful attacks can provide aggressors with a mass of sensitive personal and financial information, and even access to people’s money itself. Furthermore, a suspension of withdrawals and deposits can cause huge social disruption and reputational damage.
As banks have reacted to years of new regulation and emerging technologies, they often operate with a hugely complicated and disparate technology estates. This provides malicious actors with a wealth of potential attack vectors. A small breach from anywhere in this network can have enormous consequences, and lead to entire systems being overrun. As such, it’s crucial that security teams operate with the highest-grade security possible, including ensuring the strongest level of encryption standards. Banks need to look beyond regulatory tick-box commitments and ensure they are taking proactive and preventative steps to monitor and combat malicious attacks across their entire network.

However, the ability to react to cyber-threats across a vast estate requires speed and flexibility to quickly react and update security protocols. The sheer volume of legacy infrastructure slows this process down considerably leaving many security teams in a vicious cycle.
The threat of legacy infrastructure
A sizeable proportion of the banking industry still maintains a reliance on systems first developed more than 40 years ago. In fact, many ‘core banking’ systems, like payments, loans, mortgages and the associated technologies, are still coded using COBOL (Common Business-Orientated Language), an otherwise defunct programming language that is older than the internet itself. In the UK and Europe, COBOL remains the ‘backbone of banking services,’ while in the USA, as much as 43% of banking systems are built on COBOL, meaning it underpins much of our financial system.
This presents a huge security risk. While code has been regularly updated over the years, these systems were built when security threats were far less sophisticated, less well-financed and the burden of data was far less pronounced. For several years, governments have pointed towards legacy systems, built using COBOL, as a major cybersecurity threat, incompatible with modern security best practices and solutions, including multi-factor authentication. For example, data from Kaspersky found that businesses with outdated technology are much more likely to have suffered a data breach (65%) than those who keep their technology updated (29%).
A further security consideration is the diminishing number of people who are trained in maintaining COBOL systems. Every year, experienced professionals exit the industry, making it increasingly difficult to service legacy technologies and creating significant delays in patching threats once they’re identified. This lack of supply of sufficiently trained experts, and the demand they face, makes any updates extremely expensive and time consuming.
Furthermore, legacy infrastructure is preventing the secure application of encryption, posing its own distinct cybersecurity and regulatory risks. Encryption is often heralded as a silver bullet solution for data privacy and has been a continuing area of focus for regulatory bodies in recent years. However, banks remain guilty of poor deployment, maintenance and management of encryption – using outdated protocols and inefficient methods of analysing and understanding network traffic. This, coupled with legacy ‘core banking’ systems that are incompatible with modern encryption techniques, equates to a regulatory and security headache for security teams.
Adopting a new mindset
The risks posed by legacy systems and the volume of cybersecurity threats facing banks, mean a concentrated re-think of overall cybersecurity strategy is needed to prevent breaches and ensure data is protected long-term. Traditionally, banks have taken an ‘outside-in’ view – dedicating capacity, finances and knowledge to dealing with threats that are existing, known and well publicised. However, to aid long-term security, this should be superseded by an ‘inside-out’ proactive approach, whereby security teams are cognisant of their own internal systems and where the key vulnerabilities are found. Once banks have a detailed view of the security risks posed by their legacy systems, and specifically what data is threatened, they can address flaws, update these systems and build a stronger overall security posture.
The secure path ahead
Many of our successful high-street banks today have centuries of experience in dealing with social, economic and regulatory upheaval. However, the rapid development and deployment of technology continues to present a unique challenge. Many ‘traditional’ banks have built a complex technology infrastructure through decades of adjustment to new legislation and emerging technologies. While serviceable in the past, fintech start-ups are pushing the long-term viability of these systems to the limit.
Challenger banks have the luxury of being built from the ground-up, prioritising convenient digital services and features, and modern security processes. As the user base of these banks increase, customers are increasingly expecting these features and security from their existing banks, meaning even more complexity added to legacy infrastructures. As outlined by Deloitte, existing firms simply aren’t positioned to support the rising expectation of the market, exposing banks to additional risk and liability.
What’s more, it’s estimated that banks spend as much as 80% of their yearly IT budgets on the maintenance of legacy systems. While an immediate switch away from these systems is unrealistic, there is an opportunity to reduce wasted spend and divert spend towards modernisation efforts. However, while traditional banks may want to adapt quicker to technological advancements, they need to do so while continuing to minimise cyber risk and without jeopardising the security of their data or systems. This means placing cybersecurity at the heart of any modernisation efforts and maintaining a steady rate of change. As more of the technology estate begins to be modernised, the potential risks of regulatory non-compliance will also reduce.
Legacy systems need a considered update
Banking systems have heavily relied on legacy infrastructure for too long now, bringing difficulties in maintaining the highest-grade cybersecurity and in facilitating innovation. The risks presented by novel cybersecurity attack vectors and competition from new and emerging digital services offered by challenger banks are exacerbating these issues. As such, legacy systems need a managed modernisation in the long-term, facilitated in part by a managed redistribution of existing IT spend. However, to ensure long-term security overall, cybersecurity needs to be central to be at the very heart of modernisation efforts.
You may like
Business
Empowering banks to protect consumers: The impact of the APP Fraud mandate

Source: Finance Derivative
Thara Brooks, Market Specialist, Fraud, Financial Crime & Compliance at FIS
On the 7th October last year, the APP (Authorised Push Payment) fraud reimbursement mandate came into effect in the UK. The mandate aims to protect consumers, but it has already come under immense scrutiny, receiving both support and criticism from all market sectors. But what does it mean for banks and their customers?
Fraud has become a growing concern for the UK banking system and its consumers. According to the ICAEW, the total value of UK fraud stood at £2.3bn in 2023, a 104% increase since 2022, with estimates that the evolution of AI will lead to even bigger challenges. As the IMF points out, greater digitalisation brings greater vulnerabilities, at a time when half of UK consumers are already “obsessed” with checking their banking apps and balances.
These concerns have contributed to the implementation of the PSR’s (Payment Systems Regulator) APP fraud mandate, which was implemented to reimburse the victims of APP fraud. APP fraud occurs when somebody is tricked into authorising a payment from their own bank account. Unlike more traditional fraud, such as payments made from a stolen bank card, APP fraud previously fell outside the scope of conventional fraud protection, as the transaction is technically “authorised” by the victim.
The £85,000 Debate: A controversial adjustment
The regulatory framework for the APP fraud mandate was initially introduced in May 2022. The maximum level of mandatory reimbursement was originally set at £415,000 per claim. The PSR significantly reduced the maximum reimbursement value to £85,000 when the mandate came into effect, however, causing widespread controversy.
According to the PSR, the updated cap will see over 99% of claims (by volume) being covered, with an October review highlighting just 18 instances of people being scammed for more than £415,000, and 411 instances of more than £85,000, from a total of over 250,000 cases throughout 2023. “Almost all high value scams are made up of multiple smaller transactions,” the PSR explains, “reducing the effectiveness of transaction limits as a tool to manage exposure.”
The reduced cap makes a big difference on multiple levels. For financial institutions and payment service providers (PSPs), the lower limit means they’re less exposed to high-value claims. The reduced exposure to unlimited high-value claims has the potential to lower compliance and operational costs, while the £85,000 cap aligns with the Financial Services Compensation Scheme (FSCS) threshold, creating broader consistency across financial redress schemes.
There are naturally downsides to the lower limit, with critics highlighting significant financial shortfalls for victims of high-value fraud. The lower cap may reduce public confidence in the financial system’s ability to protect against fraud, particularly for those handling large sums of money, while small businesses, many of which often deal with large transaction amounts, may find the cap insufficient to cover losses.
The impact on PSPs and their customers
With PSPs responsible for APP fraud reimbursement, institutions need to take the next step when it comes to fraud detection and prevention to minimise exposure to claims within the £85,000 cap. Customers of all types are likely to benefit from more robust security as a result.
The Financial Conduct Authority’s (FCA’s) recommendations include strengthening controls during onboarding, improving transaction monitoring to detect suspicious activity, and optimising reporting mechanisms to enable swift action. Such controls are largely in line with the PSR’s own recommendations, with the institution setting out a number of steps in its final policy statement in December 2023 to mitigate APP scam risks.
These include setting appropriate transaction limits, improving ‘know your customer’ controls, strengthening transaction-monitoring systems and stopping or freezing payments that PSPs consider to be suspicious for further investigation.
All these measures will invariably improve consumer experience, increasing customers’ confidence to transact online safely, as well as giving them peace of mind with quicker reimbursement in case things go awry.
Going beyond the APP fraud mandate
If the PSR’s mandate can steer financial institutions towards implementing more robust security practices, it can only be a good thing. It’s not the only tool that’s shaping the financial security landscape, however.
In October 2024, the UK government introduced new legislation granting banks enhanced powers to combat fraud. An optional £100 excess on fraud claims has been introduced to encourage customer caution and combat moral hazards, while the Treasury has strengthened prevention measures by handing out new powers to high street banks to delay and investigate payments suspected of being fraudulent by 3 days. The extended processing time for suspicious payments may lead to delays in legitimate transactions, making transparent communication and robust safeguards essential to maintain consumer trust.
Further collaborative efforts, such as Meta’s partnership with UK banks through the Fraud Intelligence Reciprocal Exchange (FIRE) program, can also aid the fight against fraud. Thanks to direct intelligence sharing between financial institutions and the world’s biggest social media platform, FIRE enhances the detection and removal of fraudulent accounts across platforms such as Facebook and Instagram, not only disrupting scam operations, but also fostering a safer digital environment for users. The early stages of the pilot have led to action against thousands of scammer-operated accounts, with approximately 20,000 accounts removed based on shared data.
Additionally, education and awareness are crucial measures to protect consumers against APP fraud. Several high street banks have upgraded their banking channels to share timely content about the signs of potential scams, with increased public awareness helping consumers identify and avoid fraudulent schemes.
Improvements in policing strategies are also significantly contributing to the mitigation of APP fraud. Specialized fraud units within police forces have enhanced the precision and efficiency of investigations. The City of London Police and the National Fraud Intelligence Bureau are upgrading the technology for Action Fraud, providing victims with a more accessible and customer-friendly service. Collaborative efforts among police, banks, and telecommunications firms, exemplified by the work of the Dedicated Card and Payment Crime Unit (DCPCU), have enabled the swift exchange of information, facilitating the prompt apprehension of scammers.
How AI is expected to change the landscape
The coming months will be critical in assessing these changes, as institutions, businesses and the UK government work together to shape security against fraud in the ever-changing world of finance.
While fraud is a terrifyingly big business, it’s only likely to increase with the evolution of AI, making it even more critical that such changes are effective. According to PwC, “There is a real risk that hard-fought improvements in fraud defences could be undone if the right measures are not put in place to defend against fraud in an AI-enabled world.”
Chatbots can be used as part of phishing scams, for example, and AI systems can already read text and reproduce sampled voices, making it possible to send messages from “relatives” whose voices have been spoofed in a similar manner to deepfakes.
Along with other innovations, tools and collaborations, however, the APP fraud mandate, UK legislation and FIRE can all contribute towards redressing such technological advances. Together, this can give financial institutions a much-needed boost in the fight against fraud, providing a more secure future for customers.
Business
After the tax deadline: Next steps for accountancy firms

Source: Finance Derivative
By Cameron Ford, UK General Manager of Silverfin
For many accountancy firms, tax season has ended. Now, leaders have a chance to reflect on their firm’s performance, how their people are feeling after the busiest period of the year, and consider how they might optimise people, processes and technology for the future.
As a former CFO with experience in senior accountancy roles across multiple firms, I know first-hand the challenges the year-end crunch presents. The intense weeks and months leading up to HMRC deadlines put immense pressure on infrastructure, exposing the limitations of legacy systems and the bottlenecks caused by manual workflows.
The post-busy-season presents a valuable opportunity to reassess and prepare for the next one. It’s also a time for firms to reflect on evolving client needs and proactively take action to deliver improved future outcomes. Firms should also evaluate whether their current technology is alleviating pressure during peak periods – or adding to the strain.
The risk of inaction
We are living in an era of profound technological change and fast-paced innovation. Firms that fail to evolve with the times will be left behind as more flexible and adaptive competitors race forward. The risk for slow movers is not just reduced competitiveness – its industry consolidation locking them out altogether.
For today’s leaders, the choice is no longer whether to transform – but which technologies to adopt. Accountancy firms now have access to an extensive array of powerful solutions. Data analytics tools are delivering insights to power better decision-making. Automation is streamlining workflows, reducing errors and freeing up valuable time to focus on strategic tasks. And the demand for fast, secure access to accurate and timely data is only growing.
Yet, as accountancy technology matures, new challenges are emerging that extend beyond traditional tech solutions as regulators become increasingly zealous. In the UK alone, two-thirds of current business taxes were introduced in the past decade, according to Thomson Reuters. That’s 13 out of 19 business taxes. The sheer pace of regulatory innovation demonstrates the need for accountancy firms to be agile and capable of transforming at speed, as their clients face an ever evolving and intricate tax landscape.
Future success depends on equipping firms with the ability to meet the demands of both customers and regulators, striking a balance that not only satisfies current expectations but also lays the groundwork for evolving future requirements.
Growing complexity
Corporate tax management illustrates the complex nature of today’s accounting landscape. Changing regulations, new post-Brexit tax requirements and global initiatives – such as the Organisation for Economic Cooperation and Development’s (OECD) Pillar Two, which introduces a global minimum corporate tax rate of 15% – are placing unprecedented demands on tax and accounting professionals.
The most effective response is to adopt specialised software that is designed to manage compliance and evolving regulatory requirements. While adopting new technology can seem daunting, it should be seen as an opportunity, not an obstacle. Yes, there may be initial friction and deployment challenges during the early stages of transformation, but these are temporary. As firms adapt to new tools and workflows, they unlock significant benefits – including streamlined processes, improved accuracy, and the ability to stay ahead of future changes in an increasingly dynamic tax environment.
AI transformation
AI is rapidly emerging as a game-changing technology for many industries, including accountancy. It’s true value lies in acting as a partner and collaborator, taking on the heavy lifting of repetitive manual tasks, freeing up valuable hours so accountants have more time to focus on building stronger client relationships.
To be effective, AI relies on accurate real-time financial data that is easily accessed and stored in a standardised format. But before even considering training a model, firms must solve their lingering data issues. With multiple bookkeeping and large volumes of inconsistent and duplicated data, firms often struggle to extract meaningful insights.
Resolving these issues requires integrating data from various bookkeeping systems using techniques such as cloud syncs and AI enrichment tools. Data must also be stored in a unified format, properly catalogued and free from duplication to maximise its value.
By deploying AI on a foundation of clean, reliable and up-to-date data, accountancy firms can enhance their performance during peak seasons and better manage the pressures of increased demand. Plus, digital transformation and the deployment of advanced accountancy and compliance software also put firms in a stronger position to respond to new complexities and challenges that will inevitably emerge in this dynamic marketplace.
Peak season may be over, but now it’s time to plan for the next one, anticipating customer needs and proactively adapting to shifting demands.
Business
Future-proofing financial services investment

Source: Finance Derivative
Adrian Ah-Chin-Kow, Global Commercial Director at leading software escrow company, Escode, discusses how the financial services sector can prepare for the increasing investment ahead of the government’s industrial growth strategy, Invest 2035, ensuring resilience against technological risks.
The UK’s proposed Invest 2035 strategy sets a bold vision: to elevate the UK as a global leader in high-growth sectors. Financial services are at the heart of this roadmap, tasked with driving innovation, sustainability, and competitiveness. But as we look towards the future, it’s critical that the sector strikes a careful balance between embracing strategic investments and maintaining operational resilience in the face of an increasingly complex technological risk landscape.
The digital transformation currently underway in financial services is set to accelerate even further as organisations adopt new technologies like artificial intelligence, blockchain, and cloud computing. These innovations hold immense potential for growth and efficiency, but they also introduce new layers of vulnerability. For financial services to thrive in this environment, firms need to ensure their technology infrastructure is resilient, reliable, and capable of withstanding disruption.
Growing risks in a digital-first world
As government and industry push forward with initiatives to digitise the financial services ecosystem, the sector is becoming more dependent on technology than ever before. With this reliance comes the inevitable rise of new risks—risks that can threaten operations, customer trust, and even the stability of markets.
We’ve seen first-hand the consequences of technology disruptions in this space. When key software providers experience outages or security breaches, the ripple effect can be significant, disrupting not just the companies involved but entire networks of financial institutions that depend on those systems. The impacts of such disruptions, particularly in a sector where reliability is paramount, can extend beyond the immediate downtime, eroding investor confidence and creating long-term reputational damage.
In a world that is becoming more interconnected by the day, it’s crucial that financial services organisations are prepared for these challenges. Protecting against technology failures and ensuring business continuity must be top priorities for any firm that wants to remain competitive in the years to come.
Operational resilience: The foundation of future growth
The ability to withstand and recover from disruption is at the core of what will define successful financial services firms in the future. Operational resilience is no longer just a regulatory requirement—it’s a business imperative that builds trust with investors, customers, and stakeholders. The strategies needed to build this resilience are varied, but there are a few critical components every organisation should consider.
- Software Escrow: As financial institutions increasingly depend on digital tools, software escrow becomes a fundamental safeguard. We know how crucial escrow agreements are for protecting access to essential tools. If a provider fails or encounters insolvency, escrow ensures that critical software and intellectual property (IP) are held securely by a third party, ready to be released to the firm. In a sector where continuous access to technology is crucial, this arrangement offers peace of mind, ensuring core operations are protected from unexpected interruptions.
- Stress-testing and Business Continuity: Regular stress-testing and comprehensive business continuity plans are essential components of any resilience strategy. By simulating disruptions, firms can identify weaknesses in their operations and put in place measures to address them. Continuity planning ensures that businesses can continue to operate, even under extreme circumstances, helping to mitigate the impacts of unanticipated events and minimise disruption to clients and markets.
- Collaborative Resilience Standards: The interconnectivity of today’s financial ecosystem demands industry-wide standards. We’ve seen collaboration across both the private sector and with government initiatives become increasingly important. The UK’s Invest 2035 strategy offers an excellent foundation for fostering these partnerships, helping to establish resilience as a shared priority across the sector. We’re already seeing frameworks like the EU’s Digital Operational Resilience Act (DORA) lead the way in embedding resilience into the financial services supply chain. This kind of regulatory guidance helps institutions understand how to manage risks effectively, reducing overreliance on third-party providers and ensuring that firms can respond quickly to disruptions.
Collectively, these strategies reinforce the importance of being proactive rather than reactive when it comes to risk management. Operational resilience isn’t just about surviving the next crisis—it’s about building a foundation for long-term stability and growth in a rapidly changing environment.
Resilience as the key to securing Invest 2035
As we move towards Invest 2035, operational resilience will be the cornerstone of success. The financial services sector plays a pivotal role in driving economic growth and innovation, and its ability to adapt and respond to disruption will be key to maintaining the UK’s competitiveness on the global stage.
Embracing proactive resilience measures is the key to future success. By incorporating solutions like software escrow, stress-testing, and government-backed collaboration into their operational strategies, financial institutions can secure the UK’s position as a competitive, reliable investment hub.
Looking to the future, the ability to navigate these risks while maintaining operational integrity will determine whether financial services can continue to be the engine of economic growth in the UK. With the right safeguards in place, the sector can not only meet the goals of Invest 2035 but also build a reputation as a safe and dependable destination for global investment.

Empowering banks to protect consumers: The impact of the APP Fraud mandate

After the tax deadline: Next steps for accountancy firms

Future-proofing financial services investment

Future-proofing the workforce for AI innovations with continuous learning

The Sustainability Carrot Could be More Powerful Than the Stick!
