Anyone who remembers standing in line at a bank waiting to withdraw funds or hand a stack of bills and a deposit slip to a bank teller can attest that the advent of the digital age has transformed the financial services industry. The pervasiveness of the Internet combined with the emergence of API and microservice-driven applications have radically changed banking as we once knew it. Digital transformation has also given rise to a new generation of technology-driven financial services companies (known as “FinTechs”) that are forcing more traditional firms to modernize or risk extinction. Today, functions such as electronic bill pay, direct payroll deposit, automated money transfer, real-time monitoring of financial markets, and others too numerous to list are now considered routine. But are they?
Even as far back as 2018, the U.K.’s Financial Conduct Authority (FCA) reported that banks, on average, suffered an IT outage or security issue nearly every month. High-profile incidents involving financial institutions, including lengthy outages to payment platforms in New Zealand and the U.S., have made headlines. In the wake of high-profile outages suffered by cloud service providers over the past year that impacted financial institutions in addition to adjacent segments such as eCommerce and media, the shift to the cloud, which many financial institutions have embraced, has caught the attention of regulators.
Serving as proof are newly imposed rules in the U.K. that will require financial institutions (a.k.a. firms) to evaluate and implement solutions to test and monitor the availability of important/critical business services (IBS/CBS) in order to reduce risk. While mitigating risk makes sense at face value, the actual execution could be challenging, given most firms’ lack of visibility into the highly complex and distributed third-party ecosystems that power those services.
ThousandEyes offers solutions that are designed to help financial institutions ensure compliance with these new regulations and contribute to more consistent and high-quality digital experiences. And while firms in other regions of the world will inevitably face similar local regulations, here we look specifically at ThousandEyes’ capabilities in the context of the U.K.’s policies that went into effect in March 2022. Those may ultimately serve as a model for what has become a global issue, given the Internet’s scope and impact on international finance.
Third-party Ecosystems: Strategic Advantage or High Risk?
Global ecosystems of third-party applications, as well as application and communications service providers (ISPs, telcos, etc.), have become business-critical to firms, providing a combination of strategic advantages and business value both to the firms themselves and their consumers. Figure 1 illustrates the digital ecosystem that has developed around essential financial services functions in recent years.
While the advancements in functionality and sophistication have been empowering, both for financial institutions and their end customers, the associated complexities and mutual dependencies inherent in the applications themselves and the platforms upon which they’re built and operate represent a great deal of risk. They also represent significant financial and economic repercussions should any element that comprises these expanded ecosystems experience an outage or even degradation. Many online functions are, in fact, complex tapestries of applications, interwoven through APIs and distributed across multiple data centers, servers, and cloud infrastructures. What’s more, most of these are connected via the Internet with not an SLA in sight.
In short, a lot can go wrong when any of the associated components across that ecosystem (applications, servers, networks, data centers, cloud providers, etc.) fail.
Creating Resilience Within IBS/CBS Ecosystems
In March of 2021, the FCA, the Bank of England, and its Prudential Regulation Authority (PRA) jointly published “Operational resilience: Impact tolerances for important business service.” The paper outlined proposals designed to “improve the operational resilience of firms and protect the wider financial sector and U.K. economy from the impact of operational disruptions.”
The new regulations will make firms responsible for minimizing the effects of disruptions to important/critical business services across their entire ecosystems from a range of events, including cyberattacks, power outages, and other technical “glitches.” The key requirements, which must be met by March 2025, include:
- Identify important business services - More than an exercise in taking inventory of the most critical applications and services that comprise their ecosystem; firms will need to identify and assess current vulnerabilities that could affect operational resilience. Full path visibility to critical applications, for instance, will yield a list of transit services and providers that may not have been previously known but must now be accounted for by financial institutions.
- Set impact tolerances for the maximum tolerable disruption - Institutions will need to assess the impacts of outages and determine levels of acceptability. Some applications may have zero-tolerance, while others may be able to sustain longer periods of unavailability, provided there are workarounds. Understanding the key metrics will enable institutions to build thresholds into their alerting systems.
- Implement mapping and testing with a level of sophistication necessary to avoid reaching those maximums - This requirement speaks largely to implementing tools and methodologies that will help ensure that those thresholds are not exceeded. Or if they are, then those tools and methodologies can and will provide a clear analysis and a path to resolution.
Of course, meeting these requirements will require investments in tools that provide the necessary real-time visibility, telemetry and analytics capabilities. With the U.K. policies about to go into effect, firms must now determine how to proceed. That’s where ThousandEyes comes in.
ThousandEyes Monitoring for Financial Services Ecosystems
ThousandEyes provides the tools and functionality necessary to help firms comply with the new U.K. regulations, including comprehensive visibility to and understanding of application performance and availability across their entire digital ecosystems. Any factor or event that may impact the availability and responsiveness of critical services can quickly be analyzed and, if necessary, resolved with the help of ThousandEyes.
With ThousandEyes, IT organizations can gain control over all aspects of customer experiences, including application performance and availability. Through visibility and analysis of network paths, routing behavior, DNS, CDNs, and other critical dependencies, operations teams can better understand issues such as latency or packet loss, as well as pinpoint the root cause of failures or outages anywhere along those paths and across the Internet.
Moreover, our application-layer testing and browser synthetics mimic user interactions with websites, making it possible to monitor the behavior of all transactions for any defined IBS/CBS. These types of capabilities are precisely what’s needed to comply with the new regulations.
At a high level, Figure 2 below illustrates the ThousandEyes vantage points, including Enterprise Agents and Cloud Agents, including where we and our customers deploy them. ThousandEyes Internet Insights™ is an additional layer of insight that can help meet and maintain compliance with the FCA/PRA mandates.
Deployed within the enterprise, Enterprise Agents generate KPIs related to internal systems and applications, whether in private data centers or virtual private cloud (VPC) environments. In this context, Enterprise Agents play a key role in monitoring the networks and applications within the IBS/CBS ecosystem that fall within the firm’s span of control through:
- End-to-end as well as per-hop visibility to both internal and external elements, whether connected via private (MPLS, etc.) or public (SD-WAN) infrastructure
- API/HTTP Server (Synthetics) calls from the different network segments, also across administrative domains
- 360-degree views of all services, as well as their different components
ThousandEyes manages and deploys Cloud Agents externally at strategic locations around the world, including in ISP data centers, in broadband or ISP networks, or inside cloud data centers maintained by hosting or SaaS providers. Cloud Agents:
- Provide multi-layer assessment of application behavior and availability for elements that are important components of end-to-end ecosystems that operate outside the firm’s control.
- Provide KPIs on transit providers and last-mile ISPs to better understand what end users and customers experience when using web applications.
- Close visibility gaps with cloud services, such as CDNs and DNS services, or hosting providers like AWS, GCP, Azure, or other often critical elements in the overall ecosystem.
ThousandEyes Internet Insights offers unique visibility and perspective into Internet health, including 24x7x365 visibility into network and SaaS application outages that may affect access to IBS/CBS resources. The intelligence gathered by ThousandEyes can be used by institutions to rapidly identify and solve issues with service providers based on concrete data obtained via ThousandEyes’ presence in ISP PoPs and SaaS data centers located in hundreds of cities worldwide. And it may provide additional insights to firms as to the root cause of applications not being available or performing to defined targets in specific geographies or within ISP footprints.
While it’s true that financial regulations related to online use have proliferated in recent years, many of those have pertained to cybersecurity (fraud, ransomware, data theft, privacy, etc.). The U.K. initiative is one of the first, if not the first, to holistically address service/application resilience, especially as it pertains to a financial institution’s responsibility for understanding and monitoring the extended ecosystems related to its applications and services. The standards currently being established will likely extend to all regions.
As applications continue to migrate to cloud-centric models and DevOps teams accelerate efforts to create competitive advantages for their firms, the challenges brought on by these various evolutionary forces will continue. However, organizations can at least take solace in the reality that there are tools at their disposal that will equip them to manage and even thrive within the new paradigms, whether forced by regulators into doing so or not.