2025-10-20
The Dutch Authority for the Financial Markets (AFM) and De Nederlandsche Bank (DNB) require financial institutions to proactively manage and mitigate digital dependency risks on non-European IT suppliers, particularly hyperscalers, by implementing exit strategies, multi-vendor approaches, and sovereign cloud measures. The regulators mandate enhanced short-term resilience against disruptive geopolitical and cyber scenarios while urging European policymakers to develop full-fledged domestic alternatives and strengthen the Digital Operational Resilience Act (DORA) to address systemic concentration risks. Supervisors will intensify cross-agency cooperation, audit third-party dependency registers, and evaluate regulatory barriers to foster a resilient, autonomous European financial technology ecosystem.
Digital Dependency in the Financial Sector: Risks, Resilience and European Autonomy
AFM | DNB Digital Dependency in the Financial Sector

Table of Contents
Summary & Main Messages 3
Short-term: Preparing for Disruptive Scenarios 4
Long-term: Increasing Strategic Autonomy Requires a European Approach 4
Legislation and Supervision 5
Introduction 6
1 The Development of Digital Dependency Risks 7
1.1 The Financial Sector Runs on IT 7
1.2 Risks of Digital Dependency 9
1.3 Scenario Analysis 12
2 Risk Management at Financial Institutions and Suppliers 15
2.1 Financial Institutions Are Aware of Dependency Risks 15
2.2 Suppliers Are Taking Initiatives to Limit Dependency Risks 19
3 Supervision and Policy 22
3.1 Existing Legislation and Structures 22
3.2 Opportunities to Reduce Dependency Risks 24
Summary & Main Messages
The financial sector is increasingly dependent on external IT service providers to carry out its core processes. Digital infrastructure forms the backbone of virtually all business processes: from customer interaction and risk management to compliance and transaction processing. Artificial intelligence (AI) plays an increasingly important role in this. More and more institutions are outsourcing (parts of) their IT to external suppliers, including cloud service providers, software vendors, and AI model suppliers. This trend is partly driven by the increasing complexity of IT and cybersecurity, technological innovation, and economies of scale. Cloud computing has taken off significantly, with an ever-growing share of institutions' 'technology stack' being managed by external IT suppliers.

The digital dependency of the financial sector brings considerable risks. Because institutions largely use the same providers and infrastructures, concentration and systemic risks have emerged. A few large, globally operating digital service providers, the so-called hyperscalers, have come to dominate the entire field in recent years. In the current harsh geopolitical climate, there is a risk that state actors could exploit dependency on digital services as a political pressure tool or instrument in a trade conflict. Through complex chains of subcontractors and shared infrastructures, disruptions and cyber incidents at IT service providers can affect multiple institutions simultaneously. These complex supply chains and limited visibility into underlying parties create an ecosystem risk that is difficult to manage. 'Vendor lock-in' makes it difficult and costly for institutions to switch or diversify risks, weakening their bargaining position and potentially driving up prices.

Financial institutions and IT suppliers are aware of the risks and are taking measures to contain them.
Institutions are developing exit strategies and continuity plans, and mapping out supply chain dependencies. 'Multi-vendor' strategies, containerization, and the use of open standards are cited by some institutions as examples to increase flexibility. However, these solutions remain costly and technically complex. Avoiding 'vendor lock-in' remains difficult. IT suppliers provide a high degree of continuity to make their services as reliable as possible. They also increasingly offer 'sovereign cloud' solutions where data, services, and management fall under European law and regulation. However, it remains to be seen to what extent these solutions actually provide effective protection against potential influence from non-European actors. Technical measures such as managing encryption keys in-house are said by some institutions to contribute to data security and continuity, but do not offer full protection against outages or data loss.
Short-term: Preparing for Disruptive Scenarios
In the short term, the strong dependency on non-European IT providers is a given. It is important that institutions take measures to prepare for disruptive scenarios and, where possible, mitigate the potential impact. In the short term, sanctions or hybrid attacks could seriously disrupt services.
• Institutions can collaborate with other institutions, and with IT suppliers and authorities, in:
– developing threat scenarios;
– exchanging information on concrete threats and attacks;
– conducting supply chain tests based on scenarios, including 'real life' testing.
The AFM and DNB are willing to facilitate this cooperation where necessary.
• It is important for institutions to be able to explain which choices they have made to ensure their data is sovereign and secure, possibly by using 'sovereign cloud' solutions from non-European cloud providers.
• To prevent important and sensitive data from falling into the hands of third parties, institutions can take control of encryption key management as much as possible themselves.
• Institutions can reduce their dependency by striving for a flexible IT service delivery setup. Examples include containerizing applications so they can run independently of suppliers, using open standards and open source solutions, and using multiple suppliers ('multi-vendor').
Long-term: Increasing Strategic Autonomy Requires a European Approach
In the long term, it is important for Europe to become less dependent on non-European IT providers and achieve a greater degree of digital autonomy. Scenario analysis shows that a stronger European tech sector is needed, even if geopolitical tensions were to ease. A strong, autonomous, and innovative European tech market is desirable, both for resilience and for preserving European values such as privacy and inclusivity. Increasing digital autonomy exceeds the competencies of financial institutions and national financial supervisors, and requires action at the European level.
• It is important to address the structural factors that have led to the emergence of digital dependency. The Draghi report provides concrete guidelines for this, which deserve follow-up.
• To reduce dependencies on non-European IT service providers, full-fledged European alternatives must be developed. Where European alternatives are already available, financial institutions may consider using them. It is beneficial if institutions collaborate to overcome a potential 'first mover disadvantage' and create critical mass to promote the viability of European suppliers.
• Regarding (generative) AI applications, European applications are already available for financial institutions. Using them can help prevent new 'vendor lock-ins'.
• The AFM and DNB support the development of the European Savings and Investments Union. For the development of the European IT sector, access to financing with a view to scaling up innovative enterprises is an important point of attention.

Legislation and Supervision
Legislators and supervisors have already taken the necessary measures to manage the risks of digital dependencies. The implementation of DORA strengthens the grip on risks of digital dependencies for service continuity, including the risk of cyberattacks on third parties and geopolitical risks. The DORA 'Register of information' increases visibility into third-party dependencies. Under DORA, critical IT suppliers are placed under an oversight framework that enables a form of direct European supervision. Other cross-sectoral European legislation also targets critical large tech parties. Although current legislation makes an important contribution to managing third-party risks, vulnerabilities remain. The AFM and DNB:
• expect that institutions adequately manage third-party dependency risks and will pay particular attention in their supervision to preparation for disruptive scenarios;
• consider it desirable that relevant supervisors (besides the AFM and DNB, for example the ACM and the RDI) intensify their cooperation regarding supervision of IT suppliers;
• are conducting an analysis of the DORA 'Registers of information' aimed at mapping concentrations in the use of IT services for the Dutch financial sector. It is expected that institutions will use the information register as a tool to properly map their own concentration risks and dependencies;
• are investigating to what extent financial legislation (including DORA) and supervision contain obstacles to using European IT suppliers and innovation. Identified issues may lead to policy initiatives at the European level, raising them with legislators, or implementing adjustments in supervision. This is to make it possible for institutions to weigh sovereignty against other characteristics when choosing a digital service provider;
• are asking European governments and supervisory authorities to analyze whether DORA contributes sufficiently to resilience against geopolitical risks, and if not, to consider providing further guidance. In the long term, from a geopolitical perspective, one could also think of a cross-sectoral European cloud supervisor, which could act decisively to mitigate the risks of digital dependencies, for example by enforcing truly sovereign cloud solutions;
• see opportunities to strengthen DORA in the long term. Among other things, the oversight framework for third parties could be made more binding if necessary, and more explicit requirements could be included for managing geopolitical risks with sufficient regard for innovation.
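The register analysis mentioned above, and the subcontracting chains discussed in the summary, can be illustrated with a small concentration calculation. The Python below is an added example written for this page; it is not an AFM/DNB tool and does not reproduce the DORA register layout. The record fields, the institution and provider names, and the subcontracting chain are all constructed. It maps each provider to the institutions whose critical or important functions depend on it, first counting only direct use and then following the chain to the providers behind a provider, and computes a Herfindahl-Hirschman index over direct critical dependencies:

```python
from collections import defaultdict

# Constructed sample register (no real institutions or providers).
# Field layout is an assumption of this example:
# (institution, ICT provider, function supported, critical-or-important?)
REGISTER = [
    ("Bank A",     "CloudOne",  "payments",            True),
    ("Bank A",     "CloudOne",  "email",               False),
    ("Bank B",     "CloudOne",  "payments",            True),
    ("Bank B",     "SaaSFraud", "fraud-screening",     True),
    ("Insurer C",  "SaaSFraud", "claims-scoring",      True),
    ("Insurer C",  "EuroCloud", "hr",                  False),
    ("AssetMgr D", "EuroCloud", "portfolio-reporting", True),
    ("AssetMgr D", "CloudTwo",  "archive",             False),
]

# Constructed subcontracting chain: provider -> providers it runs on.
# Here a SaaS vendor is itself hosted on a hyperscaler.
CHAIN = {"SaaSFraud": ["CloudOne"]}


def resolve_chain(provider, chain, seen=None):
    """Return the provider plus every provider it (transitively) relies on.
    A cycle in a badly filled register is tolerated instead of looping."""
    if seen is None:
        seen = set()
    if provider in seen:
        return seen
    seen.add(provider)
    for upstream in chain.get(provider, ()):
        resolve_chain(upstream, chain, seen)
    return seen


def critical_exposure(register, chain=None):
    """Provider -> set of institutions whose critical/important functions
    depend on that provider. With chain=None only direct use counts; with a
    chain, institutions reached through subcontractors are counted as well."""
    chain = chain or {}
    exposure = defaultdict(set)
    for institution, provider, _function, critical in register:
        if not critical:
            continue
        for upstream in resolve_chain(provider, chain):
            exposure[upstream].add(institution)
    return dict(exposure)


def hhi(register):
    """Herfindahl-Hirschman index (0..10000) over direct critical/important
    dependencies: a share of the dependency count per provider, squared and
    summed. Higher means more concentrated."""
    counts = defaultdict(int)
    for _institution, provider, _function, critical in register:
        if critical:
            counts[provider] += 1
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return round(sum((n / total) ** 2 for n in counts.values()) * 10000, 1)


def flag_concentrations(register, chain=None, threshold=0.5):
    """Providers on which at least `threshold` of all institutions in the
    register rely for a critical/important function, directly or via a chain.
    Returns (provider, share) pairs sorted by provider name."""
    institutions = {row[0] for row in register}
    exposure = critical_exposure(register, chain)
    return sorted(
        (provider, round(len(insts) / len(institutions), 2))
        for provider, insts in exposure.items()
        if len(insts) / len(institutions) >= threshold
    )


if __name__ == "__main__":
    print("HHI over direct critical dependencies:", hhi(REGISTER))
    print("Direct, threshold 0.75:", flag_concentrations(REGISTER, threshold=0.75))
    print("With chain, threshold 0.75:", flag_concentrations(REGISTER, CHAIN, threshold=0.75))
```

On this sample, CloudOne looks like one of several mid-sized providers when only direct use is counted, but once the chain behind SaaSFraud is followed it turns out to sit under three of the four institutions' critical functions, which is exactly the hidden accumulation through subcontractors that a register analysis is meant to surface.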
Introduction
Technological innovation and digitalization have fundamentally changed the financial sector. Financial institutions are increasingly dependent on external technology suppliers. Banks, insurers, and asset managers rely largely on a handful of large (mostly non-European) tech companies to support critical processes. Recent geopolitical developments and incidents have brought this dependency more sharply into focus. We are at a crossroads where digitalization is indispensable, but new risks have emerged around continuity, cybersecurity, and even sovereignty.

The Dutch Authority for the Financial Markets (AFM) and De Nederlandsche Bank (DNB) consider it strategically important that, in the long term, the financial sector's dependency on non-European IT suppliers is reduced. Dependency on one or a few IT suppliers can lead to systemic risks: a disruption or incident at such a supplier can affect entire parts of the financial sector and thereby endanger the stability of the system or the interests of consumers. Ensuring a stable, sound financial market requires that dependency risks are visible and manageable.

For the short term, the possibilities to substantially reduce dependency on non-European IT suppliers are limited, given the current lack of full-fledged European alternatives. It is important for institutions to focus in the short term on increasing their digital resilience and protecting themselves as well as possible against the risks that dependencies bring. For the long term, it is necessary to structurally strengthen the European tech sector and thereby actually reduce dependencies. This requires timely and targeted action from public and private parties. In this report, the AFM and DNB make a number of recommendations and outline next steps. The structure of the report is as follows.
Chapter 1 first outlines the current situation: how deeply intertwined is the financial sector with third-party information technology? Subsequently, the main risks arising from these digital dependencies are described. We show what types of new vulnerabilities have emerged, from operational incidents to strategic lock-in, and we explore through scenarios how these risks could manifest in the short and long term. In Chapter 2, the focus shifts to practice: based on interviews and analyses, it becomes clear how financial institutions and their IT suppliers deal with the identified dependency risks. Finally, Chapter 3 focuses on the supervision and policy framework: we inventory existing legislation and initiatives, and make a number of recommendations to reduce dependencies and strengthen the digital autonomy of the financial sector.
1 The Development of Digital Dependency Risks
The financial sector is highly dependent on information technology (IT) to carry out its core processes, often performed by third parties. Digital infrastructure forms the backbone of virtually all business processes: from customer interaction and risk management to compliance and transaction processing. More and more institutions are outsourcing (parts of) their IT to external suppliers. This trend is partly driven by the increasing complexity of IT and cybersecurity, technological innovation, and economies of scale. The following paragraphs explain how these dependencies have developed (1.1) and what risks manifest (1.2). Finally, we look at possible future scenarios for these risks through scenario analysis (1.3).

1.1 The Financial Sector Runs on IT
The digitalization of financial processes has been driven both by the desire to carry out processes more efficiently and quickly, and by external factors such as regulation and customer expectations. Digitalization offers institutions benefits, such as improved data quality, real-time insight into financial flows, and automated reports that support decision-making. These technological improvements make it possible to design processes to be scalable and flexible, which can contribute to, for example, international cooperation and competitiveness. Customer interaction largely takes place via apps, web portals, and automated chat services, while risk management and compliance also run on technology. Higher expectations regarding speed, cost savings, and service quality are pushing institutions to accelerate their digital transformation further. This prompted supervisors to impose stricter requirements on transparency, auditability, and risk management.
The increasing dependency on IT also creates new vulnerabilities, such as cyberattacks and system failures, which in turn require security measures and effective incident response. There is a reciprocal dynamic: IT is both a means to meet external requirements and a factor that helps shape these requirements. More and more institutions are outsourcing (parts of) their IT to external IT suppliers. Institutions benefit from the expertise, innovative capacity, and scale and scope advantages of specialized suppliers, who can implement innovative applications faster and cheaper than internal teams. Furthermore, managing 'on-premises' IT infrastructure in-house brings risks and inefficiencies, such as having to arrange physical security, backups, and cyber resilience yourself. In public clouds, these aspects are secured by specialized providers, which benefits overall security and continuity. Outsourcing to third parties concerns not only support processes, but also touches the core of financial services. There are a number of critical infrastructures on which financial institutions rely heavily, such as public cloud, data centers for secure storage and hosting, technical networks for real-time transactions, and advanced cyber defense systems. An inventory by European financial supervisory authorities in 2022 showed that 9,000 of the 15,000 ICT service providers delivering services directly to financial institutions supported critical or important functions of these institutions.1
Artificial intelligence (AI) plays an increasingly important role within financial institutions in improving efficiency, accuracy, and customer focus. Whereas IT was traditionally used to automate processes and manage data, AI enables organizations to interpret and apply this data in a more advanced manner. This opens up new possibilities for improving operational processes, increasing customer focus, and strengthening risk management. AI is applied for various purposes, such as automated fraud detection, monitoring market risks, credit risk analysis, customer segmentation, transaction and incident monitoring, and cyber resilience. Chatbots and virtual assistants can enable faster and more personalized customer interaction, while machine learning algorithms are used to recognize patterns in large volumes of financial data. Compliance applications also contain AI: rules around anti-money laundering (AML) and Know Your Customer (KYC) can be complied with more efficiently through intelligent data processing, provided privacy is safeguarded and there is no discrimination.

Cloud computing has taken off significantly. The rise of virtualization techniques2 made it possible for companies to make a gradual step from own data centers to cloud solutions. The promise of economies of scale, cost savings, and faster innovation made cloud attractive, especially for less critical applications such as test environments and customer portals. Large American providers began offering standardized infrastructure services and were therefore able to dominate the market. The shift from internal IT environments to outsourcing and external cloud solutions marks an important development, also within the financial sector.

2 This allows multiple 'virtual' computers to be created in software on one physical computer, so that hardware is optimally utilized.
Many institutions still use 'on-premises' data centers, sometimes managed in-house but often also via rented or shared facilities such as co-location; increasingly, however, hybrid models are chosen in which external cloud environments play an ever larger role. The transition from traditional 'on-premises' IT infrastructures to cloud-based services reflects a structural shift in the way organizations manage and deploy technology. Within the cloud service model, we distinguish three main forms: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). These models increase in terms of outsourcing and transfer of operational management from the institution to the IT service provider (see Figure 1). Institutions can go higher or lower in the 'technology stack' in terms of the degree of outsourcing for different processes. Sometimes critical processes, such as transaction processing or customer data, remain internal without connection to the open internet. Less sensitive functions, such as email or HR systems, are outsourced to a cloud service provider. Other institutions adopt a full cloud strategy, whereby they largely (begin to) realize their information provision using cloud services. Innovative and specialized services are often developed 'cloud native', sometimes by the cloud service provider itself, but often also by specialized providers. Such services can therefore only be used as a 'SaaS solution', running on a public cloud platform. Sometimes it is possible to choose to use the institution's own infrastructure, or an alternative cloud service provider, but usually at higher costs or reduced functionality. An alternative is that institutions themselves develop services on the cloud provider's platform (PaaS), or if available, choose services that are not (only) available as a SaaS solution.
Figure 1 Cloud Service Models [figure placeholder; only the labels were recoverable]. Columns: On-premises or co-location; Infrastructure-as-a-Service (IaaS); Platform-as-a-Service (PaaS); Software-as-a-Service (SaaS). Layers of the stack: Applications, Data, Platforms, Operating System, Virtualization, Servers, Storage, Network. Legend: Managed by institution; Managed by IT service provider.

1.2 Risks of Digital Dependency
The increasing dependency on external IT service providers and cloud environments within the financial sector leads to concentration and systemic risks. Although there are many providers active, as more institutions use the same infrastructures and providers, a concentration risk emerges. A few large, globally operating digital service providers, the so-called hyperscalers, have come to dominate the entire field in recent years due to their scale and scope advantages and the broad functional range of services. Where institutions previously worked with multiple suppliers, they now often entrust their entire IT stack to a single hyperscaler. At the same time, systemic risk is growing, as the stability of the financial system becomes increasingly dependent on the robustness and availability of external IT suppliers. A disruption or (cyber) incident at one provider can affect multiple financial institutions simultaneously. Dependencies are no longer limited to individual institutions, but can, partly through chains of service providers, accumulate into risks at the systemic level. Fallback and recovery mechanisms may be inadequate if multiple parties share the same dependencies. Also the hardware on which the systems run is typically supplied by a...