German financial regulator flags IT outsourcing risks

BONN, GERMANY — Germany’s financial regulator, the Federal Financial Supervisory Authority (BaFin), warns in a new report that market concentration in the outsourcing of IT services poses a rising threat.
A small number of specialized providers serve a large proportion of German banks and insurers, creating systemic risks.
BaFin President Mark Branson cautioned, “Institutions shouldn’t underestimate risk provisioning needs and should invest more than ever in operational security and stability.”
The watchdog details seven key risks capable of jeopardizing Germany’s financial stability in 2024. One new risk is concentration in IT outsourcing, with disruption at a few major providers potentially compromising numerous institutions simultaneously.
Other priority risks include significant increases in interest rates, corrections in the real estate markets, significant corrections in the international financial markets, defaults on loans to German companies, cyberattacks, and inadequate anti-money laundering controls.
BaFin also noted three overarching trends exacerbating risks: sustainability, digitalization, and geopolitics. The regulator said that operational dependencies and interconnectedness grow as technology permeates finance.
To mitigate outsourcing risk, BaFin closely monitors systemically important IT providers and responds rapidly to incidents. Still, oversight remains challenging as more services are outsourced, chains are fragmented, and concentration on dominant hyperscalers rises.
The regulator said that institutions must manage dependencies proactively, preparing contingency plans and exploring alternative providers. But many underestimate their reliance. As Branson stressed, profits should fund resilience.
With digitization accelerating, risks are likely to compound absent cooperation between regulators, finance, tech, and national security. Capacity-building via training programs and public-private partnerships is equally vital to safeguard the sector.