Build vs Buy Software

ViClarity’s CEO talks to Compliance Matters on the benefits of buying software from experts rather than building in-house

Chris Hamblin of Compliance Matters recently spoke to Ogie Sheehy, the founder and CEO of ViClarity, the Irish risk and compliance software vendor. Also present was Paul Griffin, his firm’s commercial director. What followed was a classic argument over the dilemma that many compliance officers at medium-sized private banks and fund firms face: whether to build compliance software in-house or to go to a vendor.

Compliance Matters: Let us turn to the ‘build or buy’ dilemma. Over the years I’ve seen it time and time again in AML software. If you’re a very big bank, do you actually build the software yourself, because the vendor might not be around in 5 years’ time or the software may be unsatisfactory? It’s an eternal question. What do you have to say about that debate?
OS: It’s a common question. Having been in the selling seat for the last few years, specifically in the UK where it comes up a lot, specifically [among] the bigger customers that have 10 IT people sitting in a room, [the large firm normally says] “give us a good price or we build it ourselves.” They make great play of the fact that they have their own people.

Compliance Matters: People do build systems themselves, don’t they?
OS: They do. And I come from a corporate background; I’ve come from the build-yourself background which is why I set up ViClarity to start with, because people will invariably go out, spending massive budgets – millions – trying to develop something internally. Because they are in the [finance] business, the resultant system is typically over-engineered, it’s incredibly complex and it takes a huge amount of time to build and support.

Compliance Matters: And tries to please everyone.
OS: Exactly! Because you’ve got everybody coming at you internally in the business. It’s new, it’s untested. What we do is tried and tested. It’s light, in the sense that you don’t need servers, you don’t need data centres, you don’t need support staff, it’s all part of the package we provide. It’s a bit of a no-brainer, but at the same time it’s easy for me to say that on the buy-side. We did have a customer in the UK who went down the path of building internally, and they came back to us a year later and they’re now actively engaging with our software, because they tried the ‘build’ option and it didn’t work. You get too embedded in the business and, very often (and I’m speaking from direct experience in large US corporates) it’ll be over-engineered.

Compliance Matters: So the big problem is not seeing the wood for the trees?
OS: Correct.
Paul Griffin: It doesn’t take much Googling to find the litany of self-built IT failures, not only among organisations but often among collective institutions or representative bodies that decide “we’ll go in and we’ll do something for our members.” They build a piece of software but it’s a bit like deciding to reinvent Excel and then do whatever the new system is supposed to do on that, instead of buying Excel and doing the finished product on it.
OS: I guess in the end it’s about knowing what you’re good at and knowing what you’re not. A particular organisation in Ireland, which was seen as an overseeing body, wanted to develop a solution. They weren’t a technical organisation. Some of our customers who were actively purchasing said “we want to wait to see what they give us.” They came out with a badly designed Excel spreadsheet – and that’s what you’re dealing with. That’s the kind of internal logic behind people trying to develop software themselves.

Compliance Matters: Which is the greater threat, a vendor going bust or the IT people at the financial institution leaving?
Paul Griffin: I would say that the latter is probably greater, because I’ve found that internally you generally have one developer or two developers and one PhD who’s very clever – they design the tools. I would say the risk of a single point of failure for an internally developed solution would be greater than an externally developed one in that [the firm] buys open source, so there’s no licence in customising software. We [at ViClarity] have escrow processes in place, so I would say there’s greater security around an external vendor than there is internally, because I could be the head of development at X fund and I’ve created this wonderful tool but then I leave, I haven’t told anyone how it works, I haven’t told anyone what the numbers mean, what the lights do, I’ve just gone. And suddenly the firm is left with this tool that’s maintained by one person with no contractual security around it at all, so actually I would say that ‘going external’ would be more secure than ‘going internal.’
OS: There’s something I’ve seen quite a lot. There’s this perception that [the firm] can do it more securely internally, especially in financial institutions, or some of the bigger corporates. The reality is that we [the vendors] can come in from the outside and provide you with a more secure online software product than you could yourself.

Compliance Matters: That’s surprising. I’d have expected the internal builders to be right at least about that.
OS: Well, we’re able to tell you that we’ve got a data centre in France, an ISO 27,000 accredited data centre, we’ve got full site-level disaster recovery, so if (God forbid) a plane hit one side of Paris it would automatically default over to the other side, so you’ve got continuity of service. A corporate won’t have that. It’ll have a little room with fans trying to keep the servers cool. There’s a lot of inherent risk.

Compliance Matters: What, even if it’s Barclays?
OS: They’d have a data centre, but you’ll find a lot of those services are outsourced, even if it is the likes of Barclays.

Compliance Matters: I’d have thought Barclays would have had an IT city in Finland or something like that.
OS: I can’t comment specifically on Barclays but I can certainly talk about Dell and Dell Online business because that’s where I came from before I set up the company. We had a data centre in Ireland. It was a pretty slick data centre, no doubt about it, and that’s probably the exception because it was supporting the Dell Online retail business. But most organisations of a medium size in financial institutions won’t have cyclical disaster recovery and server rooms like that. Meanwhile, we [ViClarity] can come in with a tool that says if you’ve got access to a high-speed broadband connection, we can connect you to a secure cloud-based platform and give you a solution.

* Ogie Sheehy can be reached on +353 (0) 87 1229601