Seventy per cent of banks globally still rely on legacy banking systems. That's not a stat from 2015 - that's now. And if you're a COO or CTO at a mid-market financial services firm, you probably didn't need me to tell you. You can feel it every month-end, every time a regulatory requirement changes, every time a good engineer hands in their notice.
What you might not have done - and I say this without judgment, because almost nobody does - is actually added up what it's costing you. Not the line item in the IT budget labelled "infrastructure" or "platform support." The real number. The one that includes the three analysts manually reconciling data because two systems don't talk to each other. The one that includes the security incident you nearly had in Q3. The one that includes the six-figure recruitment fee for the COBOL specialist you hired last year because nobody under 40 wants the job.
That number is almost always bigger than the modernisation programme you've been deferring. And it gets bigger every year you wait.
The widely cited figure is that enterprises burn around 40% of IT budgets maintaining legacy systems. In financial services, that number is often higher - industry analyses consistently place it at 60-80% for firms running core platforms more than a decade old. Let's use a conservative 65% for the sake of argument.
If your total technology spend is £4m a year - realistic for a mid-market wealth manager, specialist lender, or regional bank - roughly £2.6m goes to keeping existing systems running. That leaves £1.4m for everything else: new capability, regulatory compliance projects, security investment, AI readiness, the lot.
The bit that doesn't get discussed enough at board level is that this ratio doesn't stay static. It gets worse. Every year you don't modernise, the maintenance cost creeps up - vendor support contracts increase, the talent pool shrinks, integration workarounds multiply, and security patching gets more complex. So next year it's 68%. The year after, 72%. And the money available for anything forward-looking keeps shrinking.
I sat with a CTO at a specialist lending firm about eighteen months ago who described it perfectly. He said, "I've got a £3.5m budget and about £400k of actual freedom." We'd been talking for about an hour at that point, going through his vendor contracts line by line, and I remember thinking the number would be bad - but not that bad. He wasn't frustrated, exactly. More resigned. He'd been trying to make the modernisation case for two years and kept losing the argument to short-term cost concerns. The irony, of course, was that the short-term cost concerns were being driven largely by the legacy estate he was trying to escape.
That's the trap. You're not choosing to spend 70% on maintenance. You're trapped into it because nobody made the modernisation decision three years ago when it would have been cheaper and simpler.
The budget line items are only the start. In financial services, the costs that really compound are the ones that never appear on a single spreadsheet.
Compliance workarounds. If your systems can't produce the data a regulator needs in the format they need it, someone has to do it manually. I've seen firms with two or three FTEs whose entire job is essentially being a human integration layer - pulling data from one system, reformatting it, loading it into another, and reconciling the output. At a fully loaded cost of £65-80k per head, that's £200k+ a year on work that a properly integrated system handles automatically. And that's before you factor in the audit risk. Manual processes introduce errors. Errors in regulatory reporting introduce a category of risk that no board should be comfortable with.
Integration brittleness. Legacy systems rarely fail on quiet Tuesdays. They fail at month-end. They fail during regulatory reporting windows. They fail when a client-facing system needs real-time data from a back-office platform built to batch-process overnight. The cost isn't just the fix - it's the downstream impact: delayed client reports, missed filing deadlines, staff pulled off productive work to fight fires. One operations director I spoke with estimated that a single critical integration failure during a reporting window cost her firm roughly £120k in direct costs and management time. It happened twice in the same financial year. The second time, she told me, nobody was even surprised.
Security exposure. This one keeps CISOs awake at night. Legacy platforms accumulate known vulnerabilities faster than they can be patched - and some can't be patched at all because the vendor has moved on. The average cost of a data breach runs to $4.45m globally (IBM, 2023), but in financial services the figure runs higher because of regulatory fines and reputational damage. Even if you never have a breach, the cost of maintaining security around a legacy perimeter - compensating controls, additional monitoring, manual reviews - is substantial. I've seen firms spending £150-200k a year on security measures that exist purely because the underlying platform can't be brought up to current standards.
Talent cost. This is the one that creeps up on you. The engineers who know your legacy stack are getting older, more expensive, and harder to replace. The ones who could maintain it don't want to - maintaining a fifteen-year-old platform isn't exactly a career highlight. So you end up paying a premium for reluctant specialists while watching your best people leave for firms with modern stacks. One HR director at a mid-sized wealth management firm told me they'd calculated a £180k annual "legacy tax" - the difference between what they were paying to retain legacy-skilled engineers and what equivalent roles cost at firms running modern platforms. That figure didn't include recruitment costs when retention failed, which it did, twice, in the year we were talking about.
Legacy system costs don't stay flat. They compound. Every year, each of the cost categories above gets marginally worse. Vendor support gets more expensive or disappears entirely. The integration layer gets more complex as new regulatory requirements demand new data flows through old pipes. The security vulnerabilities accumulate. The talent pool shrinks.
Let me put some numbers around this for a mid-market financial services firm with a £4m annual technology budget. These are based on patterns we've observed across multiple engagements, not a single firm - but they're realistic, and I'd encourage you to hold them up against your own situation.
Year one (today): Legacy maintenance consumes 65% of budget (£2.6m). Hidden costs across compliance, integration, security, and talent add an estimated £500-700k that doesn't appear in the IT budget. True cost of the legacy estate: approximately £3.1-3.3m.
Year two (deferred): Maintenance share rises to around 70% (£2.8m) as support contracts increase and additional workarounds are needed. Hidden costs grow to £600-850k as at least one key engineer leaves and needs replacing at a premium. True cost: approximately £3.4-3.65m.
Year three (deferred again): Maintenance share hits around 75% (£3m). A security incident or near-miss triggers emergency spend. A regulatory change requires a manual workaround that needs three new hires. Hidden costs reach £750k-1m. True cost: approximately £3.75-4m.
By year three, you're spending effectively your entire technology budget just to stand still. And the modernisation programme you've been deferring? It's now larger, more complex, and more expensive than it was in year one - because you've accumulated three more years of technical debt, integration complexity, and organisational muscle memory around the old way of doing things.
Gartner estimates $2.3 trillion has been wasted globally on unsuccessful digital transformation, and a significant proportion of that waste comes from programmes deferred until the complexity made them unmanageable.
"We know our systems are old. But modernisation is expensive, disruptive, and carries its own risks. Keeping the lights on is the safe choice."
I hear this a lot. And honestly, I have some sympathy for it. If you've lived through a failed migration - and plenty of people in financial services have - the instinct to avoid another one is entirely rational. The average migration costs $1.75m and comes in 18% over budget (CloudBees DevOps Migration Index, 2024). That's real money and real risk.
But keeping the lights on isn't the safe choice. It's the choice that feels safe because the costs are distributed and familiar. You're already paying for a failing strategy - it's just spread across a dozen budget lines, absorbed by operational teams, and normalised as "how things work here." The modernisation risk is concentrated and visible. The legacy risk is diffuse and invisible. That doesn't make it smaller.
If you want to move from knowing this to doing something about it, you need a business case that speaks in terms a CFO and a board can evaluate. Not a technology pitch. Not a "digital transformation" narrative. A financial model.
Start with the true cost of ownership for the current estate - not just the IT budget line, but the full picture. Maintenance contracts, internal support FTEs, compliance workaround costs, integration failure costs (frequency multiplied by average impact), security compensating controls, talent premium, and regulatory risk exposure. Most firms discover their true TCO is 30-50% higher than the number they've been reporting to the board. That gap alone is usually enough to get the conversation moving.
Then model what happens if the decision is deferred by one, two, and three years. Use your own numbers - the ones from this article are illustrative, but yours will be more persuasive. The compounding effect is what makes this powerful. A flat-cost argument is easy to defer. A compounding-cost argument creates urgency.
Be honest about the investment required and the timeline for return. In our experience, mid-market financial services modernisation programmes typically pay back within 18-30 months when hidden costs are properly accounted for. We covered the financial modelling in detail in The Replatform Reckoning - including a three-year TCO comparison showing legacy maintenance at $3-5m versus modern platform investment at $2-3m, with a total three-year value of $25-30m against an investment of $2-3m.
Finally, present both scenarios - modernise and defer - with their associated risks quantified. The defer scenario should include the probability-weighted cost of a security incident, regulatory enforcement action, and critical talent loss. The modernise scenario should include realistic contingency for overruns and transition risk. When you put them side by side, the defer scenario almost always carries the larger risk-adjusted cost. Not always - there are situations where a firm is genuinely 18 months from a natural platform refresh cycle and the timing makes deferral sensible. But those situations are rarer than boards tend to assume.
The alternative to doing nothing is not replacing your entire technology estate in one go. I want to be direct about that, because the big-bang approach is the single biggest source of board-level resistance to modernisation - and frankly, boards are right to resist it. Ripping out and replacing a core banking platform, a CRM, a compliance system, and a client portal simultaneously is a recipe for the kind of failed programme that gives modernisation a bad name.
The firms that do this well start with the highest-cost or highest-risk element of the legacy estate. Usually that's the platform where the maintenance cost is most visibly escalating, or the one where a security vulnerability or compliance gap creates the most acute exposure.
A phased approach does three things. It reduces disruption - you're changing one thing at a time, not everything at once. It creates early wins that build confidence with the board and with operational teams who are understandably nervous. And - this is the bit I find most satisfying in practice - it allows the modernisation to be partly funded from the savings it generates. If phase one reduces your annual maintenance cost by £200k, that £200k funds a chunk of phase two. You're building momentum rather than asking for a single, terrifying cheque.
The Replatform Reckoning covers the vendor-by-vendor end-of-life timelines worth reviewing if you're running Sitecore, Optimizely, or legacy Kentico - useful context if you're trying to sequence which platform to tackle first.
If any of this resonates - and if you're running a financial services firm on platforms that are more than seven or eight years old, I suspect quite a lot of it does - the first step isn't commissioning a modernisation programme. It's quantifying what the current state is actually costing you.
We've put together a legacy cost assessment framework covering the six cost categories most commonly missed in financial services legacy estate assessments: maintenance labour, compliance workarounds, integration failure cost, security exposure, talent premium, and regulatory risk. It's designed so a CTO or COO can work through it and share it with a CFO or board member as the basis for an investment conversation.
Because the question your board needs to answer isn't "should we modernise?" - that answer is almost certainly yes. The question is "what is it costing us not to?" And once you can answer that with real numbers, the decision starts to make itself.