In the past, we saw a lot of skepticism around the maturity of low-code and no-code (LCNC) platforms, and I get that. These platforms used to be limited in scope, but that’s changing. Today, we can all acknowledge their growing potential, especially when used alongside AI tools. They’ve transformed to support mission-critical operations in product configuration and workflow automation.
I see low-code enabling seamless data integration into artificial intelligence (AI) models, where data can flow directly into a large language model, for instance, to create data-driven APIs in a drag-and-drop interface. I envision low-code environments where large language models are just another component on the canvas that users can integrate with minimal effort, driving the rapid creation of data products and insights.
Okay, I could go on. As you can tell, I’m just as excited as everyone else (techies and non-techies alike) about the endless possibilities of AI and what it means for innovation at large. From a banking perspective, this is a turning point. But let’s not forget banks still have to manage the risk. KPMG’s 2024 report, “Low Code Adoption as a Driver of Digital Transformation,” indicates security is a primary concern, with 42% of surveyed global companies viewing it as the biggest challenge in low-code adoption.
Banks have always been very risk-averse because of the compliance and regulatory constraints under which they operate. They have been cautious about low-code platforms for fear of losing control over the generated code. A lot of the fear comes from the lack of transparency. They simply don’t know what the code looks like.
Strategic adoption and market trends
Industry research will show you a significant gap between banks’ intentions to adopt AI-driven automation and their actual implementation. So, what has changed? Why are traditional banks more open to adopting LCNC solutions?
What’s changing is the availability of private instances of large language models. Banks are becoming more comfortable with using AI when they can deploy these models in a private cloud, ensuring that data doesn’t leave their ecosystem. This shift is slowly overcoming the hesitations banks had, and now we’re seeing more adoption of AI, and not just AI, but AI integrated within low-code platforms.
And that calls for caution.
Regulatory Scrutiny and Compliance Challenges
Low-code platforms empower a broader set of employees to participate in development, introducing unique security and compliance risks.
One of the primary concerns with LCNC solutions is shadow IT. This refers to employees creating applications outside the purview of IT departments. Although LCNC solutions make it easier for non-developers to build applications, the lack of oversight can lead to compliance issues and security vulnerabilities. In industries like banking, which have strict regulatory frameworks, this can be especially risky if these applications inadvertently expose sensitive data.
The key challenge in low-code/no-code adoption is who takes responsibility for managing risks associated with these platforms. How should banks structure their governance frameworks to address these risks while maintaining innovation speed?
With LCNC, it’s not always clear who holds responsibility when something goes wrong. If a non-technical team creates an application that causes a breach or leads to data loss, is the responsibility on the development team, the IT department, or the business unit that built the app? This ambiguity can complicate internal accountability in large organizations like banks, where multiple teams may interact with sensitive financial data.
This is where governance becomes necessary. The real value comes from combining low-code capabilities with a comprehensive governance framework. KPMG’s report shows about 47% of surveyed companies have or plan to establish clear low-code guidelines and governance policies to monitor data access, enforce secure coding practices, and manage application lifecycle security.
Banks need to establish clear governance protocols that specify who is responsible for managing the lifecycle of LCNC-developed apps. This includes setting up processes to evaluate security vulnerabilities, ensuring that all applications undergo the same rigorous testing as traditionally developed software, and maintaining oversight even when apps are created outside the IT department.
Banks also need to invest in upskilling both their technical and non-technical staff to realize the benefits of LCNC platforms while managing the risks. LCNC platforms make it easier for non-technical staff to create apps. However, banks must still ensure that these employees are properly trained in basic security protocols, compliance issues, and risk management principles. Without this foundational knowledge, non-technical staff may inadvertently create apps that introduce vulnerabilities into the bank’s systems.
IT teams, meanwhile, need ongoing education to understand how to best govern and support LCNC initiatives, balancing innovation with security.
The role of in-house technical teams in a world of low-code/no-code tools
For banks relying heavily on their technical teams, how can they verify that they are choosing the right low-code solution?
They should look at the underlying platform. Is it generating proprietary code or something more open? Does it align with their broader technology strategy? Banks don’t want to get locked into a platform. We recommend that they perform due diligence on the technology to ensure alignment with their strategy, so they don’t find themselves tied to something difficult to exit.
The biggest pain point for banks is integration. It doesn’t matter whether the project is related to product catalog, customer systems, or modernization; integration and orchestration always require significant effort and cost due to their complexity.
Those familiar with Zafin may have seen our latest product capability, IO Canvas. What we’re doing with IO Canvas, our low-code platform, is addressing these issues head-on by significantly mitigating risk and speeding up time to value. We took a code-first approach when we built IO Canvas. We hand-wrote the foundational code to ensure scalability for some of the world’s largest banks. Our low-code layer runs on this proven foundational platform, which means banks can be confident in their ability to scale.
IO Canvas generates code that banks can see, control, and understand. This means that it removes the barrier to entry, as it isn’t a typical low-code setup where you’re constantly tied back to the platform. We provide banks with more control over their integration. They can modify the code directly without needing the platform every time.
Low-code and no-code platforms automate mundane processes and build complex applications. But just because someone can build a workflow doesn’t mean it’s ready to be deployed.