
Portrait of Mark Branson, President of BaFin. © BaFin/Matthias Sandmann

Published: 14.12.2023 | Topic: Risk management

DORA is an important opportunity

(BaFinJournal) The financial industry is becoming increasingly digital. It must not lose sight of the risks this brings. IT disruptions can affect any company. Financial service providers must therefore protect themselves. Commentary by BaFin President Mark Branson.

Digitalisation is setting the pace for the financial industry. German financial players need to keep up in order to stay competitive. But they can only do so if they have their operational risks under control. Companies must not underestimate how operationally dependent they have become, particularly on certain service providers.

For years now, companies in the financial industry have been outsourcing services and fragmenting value chains. For example, some insurers have outsourced the entirety of their claims settlement processes or asset management to external service providers. Banks have also outsourced numerous tasks, in relation to account opening or lending processes, for example.

At the same time, concentration risks are growing. Some external service providers work for more than 150 different regulated financial institutions in Germany. Significant disruptions at these service providers could severely impact the financial sector.

BaFin monitors certain critical service providers particularly closely

Disruptions at service providers can already cause problems. For example, this year it came to light that German bank customers’ data had been stolen. This was possible due to a data leak at a service provider responsible for account switching.

BaFin has been monitoring certain critical service providers particularly closely for several years. The market power of some large international cloud service providers is immense. If these services were to be unavailable, the consequences would be severe. Companies must protect themselves against such risks. They need to ask whether it is possible to transfer their systems to another provider at short notice.

In the case of “software as a service” cloud solutions, this is difficult. Such services are very individualised and hard to substitute.

BaFin has therefore been monitoring the resilience of large cloud service providers for some time now. The Digital Operational Resilience Act (DORA) provides an important opportunity. This regulation will make it easier for us to influence cloud service providers in future.

Thanks to DORA, supervisory authorities in Europe will be much better placed to identify interconnections and market concentrations at service providers. And they will be able to monitor critical service providers together. All of this will increase the operational resilience of our financial system – which is key to successfully delivering the digital transformation.

Please note

This article reflects the situation at the time of publication and will not be updated subsequently. Please take note of the Standard Terms and Conditions of Use.
