
7. Risks arising from market concentration due to the outsourcing of IT services

Many companies of the financial sector outsource their IT services to external service providers. The outsourcing companies often benefit from lower costs and also have more capacities to focus on their core business. A further advantage lies in the fact that IT service providers, as specialists in this field, perform many services more efficiently and in some cases more securely than the outsourcing companies would be able to do themselves.

But the increasing interconnectedness and, above all, the concentrations among IT service providers can make the financial sector more vulnerable. In Germany, in some areas a small number of specialised IT service providers serve the majority of banks. The picture is similar in the insurance industry. Concentration risks arise from such IT multi-client service providers.

Disruptions at IT multi-client service providers can jeopardise the financial sector

If disruptions were to occur at IT multi-client service providers, multiple supervised institutions could suddenly lose access to their services at the same time. This would be especially problematic if it were to affect critical processes on which the companies of the financial sector depend as it would restrict their ability to operate. In an extreme scenario, problems at IT multi-client service providers could cause great harm to the financial sector.

Further risks can arise when outsourced IT services are sub-contracted. Disruptions at a sub-contractor can impact the entire value chain. The outsourcing companies of the financial sector often have difficulties estimating and managing the dependencies and risks that could result from such sub-contracting.

Multi-client service providers cannot be replaced at short notice

In a highly concentrated market, any disruption at one multi-client service provider is further exacerbated by the difficulties many companies of the financial sector would have transferring the outsourced IT services to the few other available service providers if they were unable to resume these IT activities themselves. As revealed in market assessments, this is often the case with cloud computing, for example, or with outsourced sub-processes in the payments area. In the case of some of the reported IT outsourcing relationships, the companies are in effect heavily dependent on the service provider. Particularly in cloud computing, which is dominated by only a few international providers, but also in other IT service areas, the following problem arises: competitors mostly lack the capacity to take over customers from other cloud suppliers at short notice. And even if there were other providers on the market willing and, above all, able to take on new customers, changing service providers would often be a very protracted process.

Companies of the financial sector are fully aware of the risks associated with outsourcing, not only in the area of cloud computing. Some are – where possible – bringing certain outsourced activities and processes back to their own companies while others are considering a multi-vendor strategy. All in all, however, the trend towards outsourcing processes particularly to IT multi-client service providers continues to gather pace. The risks resulting from these concentrations are on the increase. This underscores the importance of a targeted risk management system, both at the outsourcing companies and the service providers as well as at the systemic level.

BaFin's line of approach

  • BaFin is already analysing which activities and processes companies of the financial sector have outsourced and to which service providers these outsourcings have been made. These analyses are based on the sector-wide notifications of (material) outsourcings received on BaFin’s electronic reporting platform since the end of November 2022. However, this notification requirement only applies to new outsourcings and changes to existing outsourcings but not to already existing outsourcings. BaFin reduces the information gaps resulting from this by carrying out random checks at supervised companies. At the same time it is encouraging the industry to notify all existing (material) outsourcings on a voluntary basis. Furthermore, BaFin is working towards achieving high data quality.
  • BaFin is analysing the outsourcing database in order to gain an overview of outsourcing relationships and identify ties and concentration risks on the financial market. As a result, BaFin is able to understand the concentration risks and mitigate them by monitoring service providers, for instance.
  • For many years, BaFin has been monitoring major multi-client IT service providers working for credit institutions and arranging for the Bundesbank to conduct inspections at these institutions. BaFin is also making preparations for even more inspections to be carried out at service providers in future.
  • BaFin uses the outsourcing database as an early warning system: if serious incidents occur at (multi-client) service providers, BaFin warns companies of the financial sector that, according to the outsourcing database, are using this particular service provider.
  • At the European level, BaFin is playing a key role in developing an oversight framework for ICT third-party service providers under DORA, and is greatly involved in its realisation. At the same time, it is ensuring that the framework for monitoring multi-client IT service providers already established at national level is being sufficiently and consistently implemented. This framework has been in force since January 2022 by way of the German Act to Strengthen Financial Market Integrity (Gesetz zur Stärkung der Finanzmarktintegrität).
  • BaFin is closely supporting various working groups, also at the global level, in order to establish an effective regime to monitor service providers for the financial market.

Risks in BaFin's Focus 2024