Risks in BaFin's Focus 2025

6. Risks arising from market concentration due to the outsourcing of IT services

Companies within the financial sector are outsourcing more and more IT services to specialised providers. Outsourcings to cloud service providers in particular have become increasingly relevant. Outsourcing offers many advantages: companies that outsource activities and processes benefit from lower costs and can better concentrate on their core business. A further advantage lies in the fact that service providers, as specialists in their field, perform many services more efficiently and in some cases more securely than the outsourcing companies would be able to do themselves.

However, outsourcings give rise to increasing interconnectedness and thus to concentration risks, which can make the financial sector more vulnerable. This is particularly true when a small number of specialised IT service providers offer their services to a large number of companies in the financial sector. The problem may become more critical when these service providers themselves outsource activities and processes to a chain of other service providers.

Impact on a large number of companies

Due to this concentration on a small number of providers, even individual disruptions can have a serious impact on the financial sector. This would be especially problematic if it were to affect critical processes on which the companies of the financial sector depend, as it would restrict their ability to operate. A disruption occurring at a service provider may have a significant impact on a large number of supervised entities – regardless of the cause.
This can go so far as to render companies in the financial sector temporarily or permanently unable to use these services. It is often not possible to replace a service provider at short notice, particularly because the products offered by highly specialised IT service providers are not identical. Consequently, even if it is technically possible to switch service providers, it still takes some time to implement the change. Many companies are therefore effectively tied to their specialised IT service providers, especially if they use these providers’ software. Once dependencies have been created, it is difficult to dismantle them (see Risks in BaFin’s Focus 2024).

In addition, concentration risks can arise when service providers subcontract outsourced activities and processes to a chain of further service providers (sub-delegation). The outsourcing companies of the financial sector are often unaware of the dependencies and risks that result from sub-delegation. They are therefore hardly able to take any countermeasures.

More than half of the companies could not reintegrate outsourced IT services

These dependencies can also be seen in BaFin’s outsourcing database. Among other things, more than half of the companies subject to the notification requirement stated that they would not be able to provide their outsourced IT services themselves again.

More than two thirds of the companies that provided this information also stated that they would not be able to transfer the IT service to another IT service provider at all or would have great difficulty doing so. In general, financial entities draw on a range of services when they use IT service providers. The most common of these IT services are data storage, application services and services relating to software development (see Figure 11).

Figure 11: Categories of the most commonly used IT services

Source: BaFin diagram, as at 1 December 2024

Disruptions at CrowdStrike reveal vulnerabilities

In July 2024, the case of CrowdStrike showed the consequences that dependencies on IT service providers can have: a faulty content update for the endpoint security software of CrowdStrike, a US manufacturer of information security and cybersecurity technology, resulted in a worldwide IT disruption. The security software runs with deep system privileges on the hosts it protects, and the faulty update caused the Microsoft Windows systems on which it was installed to crash, taking down the IT services running on them.

Due to the global distribution of the tool, the incident affected many users, companies and systems and in some instances severely impaired business operations. Critical infrastructure such as airports, hospitals and energy companies were also affected; the German financial sector, on the other hand, was hardly affected at all.

The situation normalised within a few days, and the incident currently poses no risk to the financial market. In principle, however, such incidents can have serious consequences. For BaFin to be able to assess the extent of an incident, therefore, there must be transparency about the interconnectedness on the financial market.

Geopolitical risks exacerbate problems

The market for IT outsourcing in the financial sector in particular is dominated by a small number of providers, some of which are based outside Europe. If market-leading service providers concentrate their activities on particular industries or regions, this gives rise to additional risks. This can be the case, for example, if sanctions are imposed against a country, protectionist measures are taken by a country or there is political unrest in a region. All the companies that use services provided from there would be affected at the same time. A switch to an alternative provider, which is difficult at the best of times, might then not be possible at all. This could have negative consequences for the entire financial market.

The issue of data sovereignty is becoming increasingly important. In recent years, large cloud hyperscalers have started to offer financial entities the option of storing and processing data within certain geographical boundaries by means of the “sovereign cloud”. The objective is to achieve a stronger separation from parent companies based in third countries in terms of location, systems and staffing. This approach does not offer comprehensive protection against geopolitical risks in most cases, however.

Monitoring of systemically important IT service providers at national level

It is essential for BaFin to have an overall understanding of the interconnectedness in the outsourcing landscape of the German financial sector in order to strengthen the operational resilience of the financial market’s digital systems. Since the end of 2022, therefore, BaFin has been requesting information on (material) outsourcings from financial entities – regardless of the outsourced processes or products. Since then, approximately 2,200 supervised entities have notified BaFin of around 24,000 (material) outsourcings. This equates to about 11 material outsourcings per company. On average, one in every four or five cases involves IT outsourcing.

Figure 12: Average number of outsourcings reported to BaFin

Source: BaFin diagram, as at 1 December 2024

BaFin uses the data from the outsourcing database for cross-sectoral analyses – in particular to identify concentrations among individual service providers. Among other things, these analyses enable BaFin to visualise the relationships between financial entities and service providers on the German financial market. The resulting transparency makes irregularities visible. Moreover, BaFin can then focus on one individual service provider or one single financial entity and analyse its outsourcing activities.

BaFin analyses the outsourcing relationships with regard to certain aspects of risk. Such aspects include the replaceability of the service provider, the duration of the outsourcing, the processing of personal data and the use of outsourcing for time-critical processes in the financial entity (see Figure 14). BaFin’s overarching aim is to strengthen the operational stability and security of the entities it supervises and particularly their technology platforms – and thus also the entire financial market.

Figure 13 shows a network graph: the nodes (dots) represent the supervised entities and the service providers, and the edges connecting them represent business relationships between these companies.

Figure 13: Analysis of interconnections in terms of risk

On the basis of the outsourcing notifications, BaFin has used a risk model to determine average risk categories for the business relationships. These categories are reflected in the colours of the edges: red indicates higher risk and green indicates lower risk. Source: BaFin diagram, as at 1 December 2024

Figure 13 shows, for example, that cooperative banks and savings banks are closely linked to the service providers within their respective networks, so that their relationships cluster around a few nodes. German asset managers, on the other hand, form a much more widely branched web: they have outsourced processes and services to a relatively large number of different service providers.

However, BaFin can also focus on an individual service provider or financial institution and analyse its outsourcing activities.

Figure 14: Outsourcing relationships of individual companies in the financial sector

This diagram depicts not only supervised entities and service providers, but also subcontractors. Since the data reported does not allow an assessment of the risk of the business relationships between service providers and subcontractors, the affected edges are shown here in grey. Source: BaFin diagram, as at 1 December 2024
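The analyses described in this section (identifying concentrations among service providers, making sub-delegation chains that the outsourcing companies themselves are unaware of visible, and looking up which entities would be affected if a given provider suffers an incident) amount to a reachability analysis over the outsourcing graph. The following Python script is an added example and is not BaFin's own code, risk model or data: the register, the entity and provider names, and the replaceability flags are a constructed, hypothetical sample. It computes, for each provider, the share of supervised entities that depend on it when only direct contracts are counted versus when subcontractor chains are followed, and lists for each entity the providers it relies on without holding a contract with them.

```python
"""Concentration and sub-delegation analysis over an outsourcing register.

Added example, not BaFin's code or data. REGISTER is a constructed,
hypothetical sample with invented names. Each row is
(client, provider, service, replaceable_at_short_notice); a client may
itself be a provider, which is how sub-delegation chains are modelled.
"""
from collections import defaultdict, deque

REGISTER = [
    ("Bank A",       "CoreSys GmbH",   "application services", False),
    ("Bank B",       "CoreSys GmbH",   "application services", False),
    ("Bank C",       "CoreSys GmbH",   "data storage",         True),
    ("Insurer D",    "DevShop AG",     "software development", True),
    ("Asset Mgr E",  "DevShop AG",     "software development", True),
    ("Asset Mgr E",  "HyperCloud Ltd", "data storage",         False),
    # sub-delegation: providers outsourcing to further providers
    ("CoreSys GmbH", "HyperCloud Ltd", "data storage",         False),
    ("DevShop AG",   "CodeHost Inc",   "source code hosting",  True),
]
SUPERVISED_ENTITIES = {"Bank A", "Bank B", "Bank C", "Insurer D", "Asset Mgr E"}


def reverse_edges(register):
    """provider -> set of clients that contract it directly."""
    rev = defaultdict(set)
    for client, provider, _, _ in register:
        rev[provider].add(client)
    return rev


def affected_entities(register, entities, provider):
    """Supervised entities that depend on `provider`, directly or through a
    chain of subcontractors. Returns {entity: shortest chain length}, where
    1 means a direct contract. Breadth-first search over reversed edges;
    the `seen` set also terminates on cycles between providers."""
    rev = reverse_edges(register)
    found, seen = {}, {provider}
    queue = deque([(provider, 0)])
    while queue:
        node, depth = queue.popleft()
        for client in rev.get(node, ()):
            if client in seen:
                continue
            seen.add(client)
            if client in entities:
                found[client] = depth + 1
            queue.append((client, depth + 1))   # keep walking upstream
    return found


def provider_concentration(register, entities):
    """Per provider: share of supervised entities reached directly and with
    sub-delegation included, plus the number of direct contracts with
    entities that are marked as not replaceable at short notice."""
    providers = {p for _, p, _, _ in register}
    report = {}
    for p in sorted(providers):
        reach = affected_entities(register, entities, p)
        direct = {e for e, d in reach.items() if d == 1}
        locked = sum(1 for c, prov, _, repl in register
                     if prov == p and c in entities and not repl)
        report[p] = {
            "direct_share": len(direct) / len(entities),
            "total_share": len(reach) / len(entities),
            "via_subcontractors": len(reach) - len(direct),
            "non_replaceable_direct": locked,
        }
    return report


def hidden_dependencies(register, entities):
    """Per entity: providers it relies on only through sub-delegation, i.e.
    dependencies that do not appear in the entity's own contract list."""
    direct = defaultdict(set)
    for client, provider, _, _ in register:
        if client in entities:
            direct[client].add(provider)
    hidden = {}
    for p in {p for _, p, _, _ in register}:
        for e, depth in affected_entities(register, entities, p).items():
            if depth > 1 and p not in direct[e]:
                hidden.setdefault(e, set()).add(p)
    return hidden


if __name__ == "__main__":
    for prov, row in provider_concentration(REGISTER, SUPERVISED_ENTITIES).items():
        print(f"{prov:15s} direct={row['direct_share']:.0%} "
              f"total={row['total_share']:.0%} "
              f"via_sub={row['via_subcontractors']} "
              f"non_replaceable={row['non_replaceable_direct']}")
    print("hidden:", hidden_dependencies(REGISTER, SUPERVISED_ENTITIES))
```

On the sample register, "HyperCloud Ltd" holds a direct contract with one of the five entities, but reaches four of them once the chain through "CoreSys GmbH" is followed, and three of those four have no contract with it and would not see the dependency in their own records. That is the gap between the grey edges in Figure 14 and the risk-coloured edges in Figure 13, and it is why the register of information required by DORA has to cover the whole value chain rather than the first contractual tier. The same `affected_entities` lookup is what an early-warning process needs when an incident is reported at a provider: it yields the list of entities to notify, including those exposed only through a subcontractor.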

Good risk management is key

Companies in the financial sector are also focusing on concentration risks in their risk management (see Risks in BaFin’s Focus 2024). In particular, they are aware of the risks associated with IT outsourcing. Some companies, becoming more sensitised, are bringing their outsourced activities and processes back into their own organisations (insourcing). Others are considering a multi-vendor strategy.

All in all, however, the use of outsourcing – especially to IT multi-client service providers – is continuing to rise. This is understandable, given the numerous advantages of IT outsourcing in particular. However, it also means a rise in risks for the financial market. It will be crucial that financial entities protect themselves through targeted risk management and that they minimise risks as far as possible.

For this reason, the European Digital Operational Resilience Act (DORA) requires the assessment and monitoring of third-party risks arising from the use of information and communication technology (ICT) – over the entire life cycle of such use.

Financial entities intending to procure IT services from third parties are required to carry out a risk assessment before concluding a contract. In this risk assessment, they must consider, for example, the extent to which they would depend on the respective ICT third-party service provider and the risks that could arise from the contractual relationship. To ensure that they can manage ICT third-party risks in a structured manner, financial entities must record their ICT contracts in a register of information.

BaFin's line of approach

  • BaFin will continue to analyse which activities and processes companies of the financial sector have outsourced and to which service providers these outsourcings have been made. These analyses are based on the sector-wide notifications of (material) outsourcings received on BaFin’s electronic reporting platform since the end of November 2022 as well as queries to selected companies about their overall outsourcings. BaFin will further improve the data quality in the outsourcing database and the forms that companies use to notify BaFin of their outsourcing arrangements.
  • In addition, BaFin will also use the financial entities’ registers of information regarding all ICT contracts for its analyses. DORA requires companies to keep such registers. The information includes all ICT services – regardless of whether they support critical or important functions within the financial entity. The registers of information serve in particular to ensure the transparency of interconnections and concentrations in ICT services across the entire value chain. On this basis, BaFin can purposefully order monitoring measures directly for particular service providers.
  • In 2025, based on its analyses of interconnections, BaFin will be implementing more monitoring measures for multi-client service providers operating across the sector. These monitoring measures will range from questionnaires on specific topics to monitoring interviews and inspections of the service provider lasting several weeks.
  • BaFin will continue to use the outsourcing database as an early warning system: if serious incidents occur at (multi-client) service providers, BaFin warns the companies of the financial sector which, according to the outsourcing database, are using this service provider.
  • For several years, BaFin has been monitoring large multi-client IT service providers working for companies in the financial market. It will continue with its monitoring measures for sector-wide multi-client IT service providers using a staggered monitoring concept.
  • At the European level, BaFin is taking part in joint examination teams to monitor critical ICT third-party service providers under DORA that are relevant to the German financial market. These teams are each led by one of the three European Supervisory Authorities – EBA, ESMA or EIOPA – depending on the particular sector in which the ICT third-party service provider primarily operates. The monitoring will focus on cloud hyperscalers, for example.
  • In addition, BaFin will continue to regularly engage in dialogue with cloud service providers about their technical developments and the associated supervisory expectations.
  • BaFin will also continue to monitor current political developments and analyse its outsourcing data; this will enable BaFin to assess the extent to which geopolitical conflicts could affect financial entities’ outsourcings to service providers based in third countries.
