The New Ethics of Banking Technology
Has ethics kept pace with innovation?
Bernard Perchman, Team lead, MBA (IAB), M(Applied Finance), GAICD, BscH
Banking has always been a technology-driven business. The Australian financial services industry is no exception, and ranks as one of the most technologically advanced in the world. In fact, with a typical technology spend amounting to over a fifth of total expenditure, Australian banks host some of the largest IT operations in the country. Such is the reliance on technology as a differentiator that in recent years the major challengers to the incumbents have been technology vendors rather than rival banks.
Recent advances have opened new opportunities in the way that financial services firms manage their operations. In particular, two trends have transformed the industry: offshoring (utilising staff in lower-cost countries) and cloud (replacing in-house data centres with infrastructure and data hosted by technology vendors). The efficiencies and economies that these trends offer are undeniable. However, the ethical challenges they introduce are not as clear-cut. Indeed, the plethora of arrangements on offer defies any attempt at a simple classification. Nevertheless, it is possible to extract a common denominator from all of these relationships: the principal (a financial institution) delegates to an agent (a vendor) work that the principal needs done. The ethical dilemma stems from the extent to which the principal can influence the agent to act in the former’s best interests, and theorists refer to this as the principal-agent problem.
The industry’s prudential regulator, APRA (Australian Prudential Regulation Authority), serves to enforce accountability. To clarify the fiduciary duties that set financial services firms apart from their vendors, it has issued a number of technology-related standards, including CPS 231 on outsourcing and CPS 234 on information security. Two years ago, the Royal Commission into Banking investigated accountability at an unprecedented level, and Commissioner Hayne laid out six ethical guidelines in his conclusions on addressing industry misconduct. To clarify exactly whom these reforms are directed at, the Banking Executive Accountability Regime (BEAR), which the Commission recommended extending across the industry, identifies the accountable persons within each institution. Ethical ownership is another aspect of the principal-agent problem. Does the onus lie with the board, the management team or the staff? Hayne is clear in his response that this is a cultural issue and holds that the entire organisation is responsible. In this article, we will simply refer to these as “decision makers” and focus on the three guidelines most relevant to technology.
Guideline 5: deliver services with reasonable care and skill. Cloud providers deliver end-to-end infrastructure management. For some adopters, this removes the need to employ costly experts to manage their network, hardware, databases and the like. However, APRA takes a very clear stance that whilst the adopter delegates the competency, it cannot delegate the responsibility. The institution remains accountable for all operational, resilience, data management and security aspects. APRA requires that the institution prepare a full business case before entering an outsourcing arrangement, which provides assurance that initial and ongoing due diligence is undertaken.
Herein lies the dilemma: does the institution have the skills and capabilities to demonstrate a third party’s compliance where it has limited visibility or control? As evidenced by recent high-profile data leakage scandals, the damage stemming from an inadequate cloud arrangement can rapidly erode the cost savings that motivated it.
Cloud vendors have heeded calls from regulators, and nowadays provide compliance disclosure upfront in their contracts. However, this is a fast-paced industry, and decision makers need to heed Hayne’s directive in the face of unanticipated change. In a cloud arrangement, who is responsible for ongoing staff training? What if the institution needs to implement a new technology, deploy to a new region, or comply with a new directive? Admittedly, cloud vendors are a magnet for highly skilled workers and can often pivot more quickly than their tightly regulated clients can. This agility is often a key motivator for adopting cloud architecture in the first instance. However, decision makers need to acknowledge the reduced level of control they will have over skill acquisition and retention. APRA anticipates this and, under CPS 231, mandates that institutions retain their own subject matter experts to monitor outsourced arrangements.
Guideline 6: when acting for another, act in the best interests of that other. This directive is primarily oriented towards the clients of financial institutions. However, it goes further to encompass employees, and by extension outsourced arrangements. This raises the question of whether outsourcing per se, as a threat to local labour, is unethical. It is not. On the contrary, given the short-term nature of many banking projects, it is a more ethical alternative to hiring permanent staff against an unpredictable pipeline of work and funding.
However, the dilemma lies in the degree to which the institution remains an employer, even if it ceases to be one in a legal sense. Again, APRA’s mandate is clear: in CPS 231, it sets out a range of accountabilities, including the monitoring of country-specific risks and the working conditions of these workers. Until recently, the industry perceived outsourcing as a mechanism to commoditise workload by providing a workforce that scaled dynamically.
However, the COVID pandemic has exposed the flaws in this model. Suddenly, institutions discovered that lockdowns were disrupting outsourced labour supplies. They found themselves responsible for the unplanned security implications of work-from-home arrangements for outsourced staff. They were called upon to accommodate disruptions from ill health and unexpected carer duties such as home schooling. In short, the distinction, and therefore duty of care, between employees and outsourced staff has blurred.
Guideline 4: provide services that are fit for purpose. This principle covers a wide range of capability, but perhaps the most critical is the management of data. Guidance issued by APRA clarifies the expectation: regulated institutions retain responsibility for their data and have to meet their Australian obligations regardless of how or where it is distributed. CPG 235 details all aspects of data governance, and in Sections 49 and 50 makes specific reference to outsourced arrangements. In response, many cloud providers have stepped up their Australian site presence. Interestingly, this phenomenon has become a threat to offshoring, as institutions prefer to retain their data onshore and utilise the consultants provided by the cloud vendor.
The ethical dilemma lies in the degree of confidence that cloud adopters can have in entrusting their data to their vendors. Some aspects of the obligation, such as data security and retention, are obvious. However, CPG 235 goes beyond this. Institutions are accountable for update performance and non-repudiation. An institution could be in breach if it relied on geographically distributed hubs and latency in data propagation through the cloud caused a transaction delay.
These three guidelines demonstrate the relevance of ethical decision making in an environment of technological change. Hayne’s guidelines need constant revisiting, and in the conclusion of his Royal Commission report he calls for periodic and ongoing review. Ultimately, every major technical decision needs a critical sounding board to consider its ethical implications, and to spare decision makers from taking rash decisions that they will later regret.