EXCLUSIVE: “Be Right Back!” – Otto Benz, Nationwide Building Society in ‘Discover Money20/20’

Nationwide’s Otto Benz shares the UK building society’s experience of creating a resilient payments stack and its approach to vendor management as the industry recovers from third-party-related meltdowns

The impact of repeated payments systems outages on consumers, prompting concerns about the safety of the UK financial system, has focussed the minds of regulators and lawmakers.

In 2019, the Prudential Regulation Authority (PRA) launched an industry consultation to drive consensus around mitigating a catastrophic failure that could bring business and consumer activity to a halt. Along came the disruption of the COVID pandemic in 2020 as if to illustrate why this mattered, and new rules requiring institutions to demonstrate appropriate resilience were introduced in 2022, with full compliance required by the close of March 2025.

Every UK financial institution took an urgent fresh look at their payments processing infrastructures and how to protect them against failure. Among them was the nation’s biggest building society Nationwide, which acquired the UK’s sixth largest high-street bank Virgin Money in 2024, giving it a combined customer base of more than 23 million savers, current account holders and businesses.

Like other institutions, Nationwide identified its important business services, set impact tolerances for maximum disruption, spotlighted operational vulnerabilities and then, says its Director of Payments and Customer Technology, Otto Benz, invested in enabling them to operate within those strict parameters.

As part of that process, Nationwide, like other institutions, had to calibrate the risk created by third-party suppliers of critical processes. Plug-and-play approaches bought from software-as-a-service providers have been very much in vogue over the past few years because they offer greater speed-to-market.

But in July 2024, a Juniper Research article questioned whether the UK’s financial industry had become over-reliant on them, commenting that a recent spate of outages, disabling several organisations simultaneously, had made it ‘obvious that the number of monopolies in many technological industries increases our vulnerability to outages and cybercrime’.

The article followed what was dubbed at the time as ‘the biggest IT outage in history’ when a faulty Microsoft security update was rolled out by specialist provider CrowdStrike. It prompted a Financial Conduct Authority investigation, whose report in October 2024 also noted the upward trend in third-party-related outages hitting UK banks.

Another three-day glitch in January this year, this time affecting Barclays account holders who couldn’t pay their bills and struggled to make their 31 January tax self-assessment deadlines, prompted MPs to write to the CEOs of nine top institutions, including Nationwide, demanding answers to the ongoing issue of meltdowns.

“Buying a solution, while it might seem simple at the outset, now comes with a load of additional considerations associated with managing the vendor”

Benz says, given the various competing concerns, the decision whether to build in-house or buy has never been more pivotal, and is something Nationwide spends considerable time on.

“You need to build if it’s specifically to your customers’ advantage, and buy if it’s technology that’s not specific to your needs,” he explains. “We generally try to buy solutions that are more of a commodity or where we can leverage somebody else’s investment as well as our own, as we have with our core payments platform modernisation programme.

“While in-house solutions might be more expensive or take longer to build, the packaged option, while cheaper, has the potential to tie you to the vendor, which you really need to be careful of.

“Whenever you buy something, you experience some degree of lock-in with the partner you’re using, but even if you invest in customisation, it could be cheaper and quicker to put live [than building in-house]. With a vendor solution – while cheaper to install and customise initially – you also typically have a smaller pool of configuration, system or product experts to call on, and it can be more expensive to maintain products.

“You need to watch out for what happens when you need to switch vendors – if a vendor changes commercially in a way that’s disadvantageous for our customers and members, for example. We always consider the exit approach.

“So, ultimately, it’s a bit of a trade-off between speed of implementation and that long tail where you’re potentially at risk of additional cost. We’ve experienced that with a number of our package solutions and sometimes you have to admit you’ve made a poor decision and restart – and your exit and contingency might actually lead you to more of a bespoke arrangement.”

The recent systemic issues and regulatory tightening mean institutions are asking probing questions around vendors’ own resilience.

“You need to ask if the partners you’re choosing have the ability to meet the enhanced expectations for institutional resilience of the Bank of England and Prudential Regulation Authority,” says Benz. “For critical business services like payments, larger institutions have to be able to recover and have a continuous operation within agreed impact tolerances.

“These are really tight. That forces you to consider if you need to change your partner if there is a risk of them failing. It also makes you consider what your backup and disaster recovery plans will be and how you know a potential vendor will be able to cope with that.

“Things like how you manage a Cloud solution or, in theory, multiple Cloud solutions, because you might be dependent on one but need to consider what happens if that is not there. All of this means that buying a solution, while it might seem simple at the outset, now comes with a load of additional considerations associated with managing the vendor.”

Nationwide began its migration to Cloud in 2023, to ‘simplify and reinforce’ its payments infrastructure – becoming one of the first UK financial services businesses to partner with software-as-a-service specialist Form3 from 2020 to support that process. That partnership is still going strong.

“In terms of balancing innovation, we’ve now got to a position where we tend to use built solutions with a fast pace of internal delivery for things where we are adding quite a lot of value to our customer experience, like our digital front end, our applications where the customers are really engaging with us via our apps.

“With our back-end solutions, we’re leveraging joint investments with partners to achieve regulatory compliance with very high performance and resilience.

“I think the innovation, even in that back-end where we’re relying on our partners, is really impressive – like our work with Form3 on our innovative, high-performance, resilient and compliant multi-Cloud back-end solution.” In some ways, Nationwide has learned what works through trial and error. It took us quite a while to get to the level of resilience customers and regulators in the UK now expect during the implementation of our payments modernisation journey,” says Benz. “We needed to look at each layer of our stack and understand the resilience components in that. Had we come to that earlier it would have been quicker to implement because when we started the journey we didn’t expect to have such high resilience requirements.

“So, my recommendation for others is to really consider the non-functional requirements and likely future use of their payments platforms,= and how those can be made effective, in their build-versus-buy decision.”

This article was published in Discover Money20/20 Europe 2025, Page 24-25