IT infrastructure and cyber security ‘critical’ for Student Loans Company future
Upgrades to key systems and cyber defence capability will be required so the non-departmental public body can continue to perform key functions, according to a major review
The Student Loans Company (SLC) will need to
prioritise
the development of its IT infrastructure and
cyber security
capabilities to
continue
performing its core functions, a major review has found.
A tailored review by the Department for Education into the
non
-
departmental
body detected a number of issues around its “fragile” IT setup and concluded that a complete transformation of the SLC’s IT would be needed in the next four years.
“It is widely
recognised
that the SLC still faces an efficiency gap.
Its
IT systems are outdated and drive complexity and cost,” universities minister Chris Skidmore said in the review’s foreword.
With about 3,500 employees and a student loan book totalling more than £135bn under management, the SLC’s operation is comparable to a medium-sized bank and services 8.5 million customers and two million applications per year, of which 93.5% are made online.
However, the report noted that a lack of alignment and
prioritisation
of shareholder requests to the SLC had resulted in a focus on operational issues rather than wider strategic risks.
“Millions of pounds worth of repayment collections are lost or ‘leaked’ every year due to SLC system inefficiencies, legal loopholes, error or fraud,” the review added.
A number of the SLC’s core systems are under-supported and/or out of date, the report stated, adding that the inflexibility of the technology architecture was an issue compounded by the niche nature of the skillsets required to manage and modify it.
The SLC also suffers from high levels of staff attrition – salaries are significantly lower than public sector roles elsewhere or similar roles in banks – with outsourcing providers hired to plug the gaps, the report noted.
“Millions of pounds worth of repayment collections are lost or ‘leaked’ every year due to SLC system inefficiencies, legal loopholes, error or fraud”
Department for Education review
As the SLC loan book grows, “the pressure and complexity of [the IT function] will increase significantly” and a number of high-level recommendations were outlined in the report as the body’s technology was deemed “not
fit
for a sustainable future”.
The IT estate at the company was built in the 1990s for a “much simpler, lower-volume service”, the report stated. A transformation
programme
has been developed to address many of the issues around key ageing IT systems, which have been plaguing the body for at least 10 years.
SLC’s strategy to transform its IT includes disaggregating and layering major system elements so new product deployment can be contained within modules, to enable change at a faster, lower risk and cheaper way.
However, the review
labelled
that workstream as “urgent” and reiterated that updating the IT infrastructure would be a “critical enabler for SLC business and delivery of any potential Post 18 Review reforms”.
Cyber security is another area where
modernisation
at SLC is urgent, according to the report, which noted that security threats could be “greatly reduced”, particularly through training of staff and seasonal contractors to be “cyber aware” of such risks.
Within cyber, the review also stated that the SLC will need to continue to work on a cross-government basis to evolve its preparedness and cited work with the National Cyber Security Council with simulations to test reactions to a
cyber security
breach as an example.
Data priorities
Making better use of analytics, big data and artificial intelligence is another area outlined in the report where the urgency level was set as “important”. It noted that the SLC had been working to get a better understanding of its approach to data, but argued that SLC’s
modelling
and analytics function was “fairly under-developed”.
“Whilst systems
stabilisation
must take priority, there are potentially significant gains in using smart diagnostics processes to understand trends in customer
behaviour
, flagging risky borrowers and
modelling
future pay and repay scenarios,” the report stated.
“The necessity to
maximise
loan book yield will increasingly drive this requirement for more intelligent use of customer data,”
it
added.
Other data-related areas where the urgency level was also important
include
sharing, where broader technical issues need to be resolved such as establishing government-wide agreements on data sharing protocols and systems interfaces.
The document noted that despite progress made around data sharing initiatives so far – for example, the body shares data with HM Revenue & Customs to detect fraud by locating benefits claimants based overseas – there is more to be done around working with departments to support decision-making and boost risk assessments.
IT-related areas outlined in the report where the level of urgency was also set as important included compliance to the General Data Protection Regulation (GDPR), so SLR needs to move from the current basic level of compliance to include
areas
such as targeted bulk data erasure, secure data transfer, as well as training and introduction of the cultural change required.
When it comes to digital improvements made around customer experience over the past 12 months, the report noted that the SLC was one of the first public sector bodies to introduce full customer service via social networks, with
propensity
to call reducing consistently.
But there is more to be done in digital service delivery, the report pointed out, as specialist product offerings are still predominantly made using paper-based methods.
Progress around digital has improved steadily as the SLC’s relationship with the Government Digital Service (GDS) improved over the past year, with more collaborative work between teams towards using digital platform Gov.uk.
