Banks Running on Empty: Study Reveals U.S. IT Systems Unfit for Digital Future


Latest Global CRASH Report from CAST Exposes Risks in Applications: Many Institutions Operate Business Critical Systems Filled with Dangerous Flaws

March 24, 2016, New York, NYCAST, the global leader in software risk prevention and analysis, today revealed the findings of its latest CRASH* report, the world’s largest real-life study of software quality in enterprise applications. The report exposes that the overall quality of banks’ mission critical functions are POOR.

This financial sector specific CRASH report is comprehensive, analyzing 241 MLOC (241 million lines of code), across the 430 enterprise applications in the anonymous CRASH database. The report is based on the code submissions of 53 financial sector organizations, from 13 different countries, spanning Consumer Finance and Investment Banks.

The research uses five structural quality characteristics, or ‘health factors’; Robustness, Security, Efficiency, Transferability, and Changeability, and rates each with a maximum score out of four, benchmarking the structural quality of U.S. Financial Services applications.

Key findings from the 2016 CRASH report include:

  • The weakest link: core transactional systems. The operational backbone of banks, usually responsible for processing daily transactions, posting updates to accounts and other financial records, receive the worst overall health score. Businesses with low scores are more at risk for bottlenecks and scalability issues.
  • U.S. banks operate inefficient systems. Scoring the lowest in efficiency when compared to other regions, applications suffering in this category put institutions at a high risk for performance issues. Businesses are also struggling with transferability, i.e., applications can’t be easily be moved from one team to another.
  • Customer facing websites win the trifecta: least secure, least robust, least efficient. These applications rank second in poor health across the board.
  • Security comes out on top. Consumer finance institutions (52 percent) have more secure applications than Investment banks (18 percent) but overall the industry is clearly making security a priority. Although, implementing Agile for voluminous applications may cause more security defects than other development methodologies.

“For an industry whose bread and butter is managing risk for its stakeholders, banks could do a much better job of ensuring their internal systems are in better shape. IT departments are clearly addressing concerns such as security but they are not making strides in other areas such as robustness and efficiency, and that can seriously affect stability and performance down the line,” said Lev Lesokhin, Executive Vice President of Strategy and Analytics at CAST. “Banks are heavily invested in digitizing and modernizing their systems, but they are falling short on a lot of customer facing elements. It appears that short term solutions to address quality are helping but in the long run, they may hinder it,” concluded Lesokhin.

*CAST Research on Application Software Health


Health factors are defined as qualities of engineering soundness of IT software in terms of its architecture and code. The report defines quality as how well code is written and records and measures violations based on standard industry practices. These flaws are the defects most likely to cause operational problems such as outages, performance degradation, unauthorized access, or data corruption.

About CAST

CAST is the world leader in software analysis and measurement, with unique technology resulting from $130 million in R&D investment. CAST introduces fact-based transparency into application development and sourcing to transform it into a management discipline. More than 250 companies across all industry sectors and geographies rely on CAST to prevent business disruption while reducing hard IT costs and software risk. CAST is an integral part of software delivery and maintenance at the world's leading IT service providers. Founded in 1990, CAST is listed on Euronext (CAS) and serves IT intensive enterprises worldwide with offices in North America, Europe and India.

For more information about CAST: