The Rise of Low Code: A Productivity Breakthrough with Caution Flags

As major banks and others empower “citizen developers,” operational risks and “shadow IT” need vigilance

Friday, September 2, 2022

By Katherine Heires


Financial firms pursuing digital transformation are adopting low-code software, a powerful method of simplifying and accelerating system development. But as with other information technology breakthroughs – from open sourcing to cloud computing to artificial intelligence – there is cause for caution.

Low code employs graphical user interfaces with drag-and-drop and point-and-click features, enabling non-technical “citizen developers” to build applications with pre-set blocks of code. Professional technologists can be called in at later integration stages, or to review apps to ensure that privacy and security standards are maintained.

The productivity benefits are clear: Low code can generate myriad apps serving workflows, data streams, onboarding, customer/user experiences and even AI and machine learning models. Gartner predicts that by 2024, such tools will account for 75% of all new software solutions, a majority of them produced by non-technologists. Gartner publications in this area include How to Define and Guide Citizen Development Practices.

There are, however, operational risks and potential unintended consequences when code is written outside IT department confines.

“You’ve heard of shadow IT,” says Tari Schreider, strategic adviser, Aite-Novarica Group, referring to activities that escape IT governance or risk controls. “With low code, we are creating ‘shadow code,’ and IT security organizations are going to have a tough time getting their hands around it.”


Big-Bank Takeup

“We work with more than half of the 10 largest banks, and all of them, including our other clients, are using low-code technologies,” says Rhys Jones, global head of banking at low-code enterprise automation specialist Vuram. “If you are not using it, you are treading water or going backward.”

Douglas Sellers, managing director in consulting firm Protiviti’s Software Services group, notes that low code lets people with a deep understanding of their businesses proceed to build applications, bypassing the complexities and approvals that go along with direct IT involvement. “The chance of your new application getting the business part wrong is now a lot less,” Sellers observes.

By freeing up IT staff for more demanding assignments, “financial firms see how this technology is strategically important in terms of advancing innovation and reducing costs,” says Stephen Murphy, CEO of low-code platform company Genesis Global. “I believe low code is here to stay, and its use is only trending upward.”

Genesis, which in June announced a $20 million strategic investment from Bank of America, BNY Mellon and Citi, is the development partner for the Octaura consortium’s electronic trading platform for syndicated loans and collateralized loan obligations.

Needed Oversight

At an early stage of adoption, risk or security gaps may require attention, such as where auditing and testing protocols are not yet applied or built into a low-code platform.

Andrew Chin, chief data scientist, head of quantitative research and former chief risk officer of AllianceBernstein, says his concern is about citizen developers’ correct use of these platforms: They may be tempted to simply employ the resulting code without much thought.

“Users will still need to be educated on good code design, requirements gathering and testing,” Chin says.

Aite-Novarica’s Schreider identifies multiple risks, such as lack of formal testing of the platforms or individual apps, data leakage, inability to verify the provenance of data, and bypassing of security controls.

The solution, analysts say, is for risk managers to work in partnership with IT and application security teams.

Training and Governance

Sellers says that one way to avoid shadow IT is to select a firm-wide platform and to train users on it. “Citizen developers need to earn the latter part of the title, the basics of how to be developers,” he says, to go along with proper testing by a third party and maintenance of the apps over time.

“If you don’t have governance,” Sellers adds, “you will end up in a big mess.”

Gartner software engineering analyst Saikat Ray stresses that there is no one-size-fits-all governance model. The values of speed and agility must be balanced with, and conform to, an enterprise’s compliance and security framework.

Gartner recommends an “adaptive governance framework” that guides safe and sound development practices across business units, in cooperation with IT. The firm suggests that business leaders – including in risk management and IT – identify citizen-developer “power users” and encourage them to evangelize on safe practices and on when IT support or oversight is required.

Financial firms are inherently risk-averse and therefore start with centralized governance, Ray says, but over time they may shift to a hybrid centralized/federated system of controls that allows for a desirable level of innovation.

Risk managers “have to be proactive and inject [themselves] early in the discussion process, asking about security risks or having a stake in the approval process,” Ray adds.

Out-of-the-Box Solution

A solution may be found in low- or no-code platforms that have governance guidelines built in.

The Mendix platform “provides governance out of the box,” says lead field product manager Jon Scolamiero. It includes “tools that control who has access to the platform, who can build, who can release, what apps you already have and what apps are generating value.”

“Low-code governance is a set of guardrails that ensure you are maximizing the value of the platform, and doing so securely, throughout the entire software development cycle . . . It’s the rules your organization has in place that allow citizen developers from across the organization to create apps that can contribute to your bottom line,” Scolamiero wrote in a June blog post.

An algorithmic trading and customization tool from BestEx Research and SpecTrust’s Trust Cloud are examples of specialized low- or no-code offerings.

Genesis Global’s specialist platform for finance professionals aims to both address risk management concerns and integrate with legacy systems, facilitate high-performance transaction processing and execute on high-volume data integrations. “If we can supercharge developers to transform their legacy infrastructure that is highly complex, that will be very powerful,” CEO Murphy says.

Vuram’s Jones emphasizes that risk managers need to keep in mind that because low code speeds up the development process, everything that precedes that action becomes even more critical.

“Low code will still require well written app requirements and a good vision of what the businessperson wants to deliver,” Jones says. “Low-code platforms do not build things for you that magically work.”


Katherine Heires is a freelance business journalist and founder of MediaKat llc.

