Conduct and IT Risk Supervision of Banks

Harmonised protection in the integrated financial market

In Austria, banks are the central delivery channel for a wide range of financial products – from classical banking services, such as payments or loans, through securities all the way through to insurance products. Towards their customers, they are a provider of a wide range of products or services.

Harmonised rules alone are not enough to ensure that consumers are reliably protected irrespective of the specific product or provider: a common approach to supervision is also required, one that covers all financial services offered through banks. The decisive factor is that the products meet customers’ requirements, are explained transparently and are brokered in a fair manner.

A consistent supervisory framework is increasingly gaining in significance in the area of IT risks. The digitalisation of the financial market requires clear, harmonised standards, both to strengthen cybersecurity and to ensure digital resilience. All market participants, and consumers in particular, benefit from this.

The FMA’s approach to supervision: convergent, integrated and future-oriented

Back in 2018, the FMA took an important step towards convergent supervision by bundling the supervision of banks in relation to conduct topics in the areas of banking, investment and insurance services. A dedicated division for Conduct Supervision of Banks enabled a holistic view of conduct issues across different products and legal forms.

Since 2025, conduct supervision has been fully integrated into the Banking Supervision department, bringing the conduct-oriented and prudential supervisory approaches together organisationally. The result is a consistent, coherent supervisory framework covering the entire banking delivery channel.

Since 2025, IT risk supervision of banks (LSIs), payment institutions and e-money institutions has also been centralised in the division “Conduct and IT Risk Supervision of Banks”. Its work focuses particularly on the rules set out in the EU’s DORA Regulation and the relevant EBA Guidelines. Reported ICT-related incidents, planned outsourcings and registers of information are systematically logged, analysed and assessed in a risk-oriented manner.

Since April 2025, this division has also been responsible for the ongoing conduct supervision of credit servicers. Since the entry into force of the Credit Servicers and Credit Purchasers Act (KKG), this new group of providers also falls under the conduct-based supervisory regime. Integrating this area into the existing division ensures that the same benchmarks for customer protection, transparency and business practices apply, regardless of whether the institution is a bank or a credit servicer. General information can be found on the page Credit Servicers and Credit Purchasers.

Synergies between Conduct and IT Risk: two perspectives, a common objective

Bundling conduct and IT risk supervision in a single division deliberately draws together two perspectives that are inextricably linked in an increasingly digitalised financial world: the former focuses on compliance with conduct and distribution rules towards customers, while the latter ensures secure, stable and trustworthy technical systems in the background.

Fair advice, transparent information and the reliable settlement of transactions all depend on sound IT processes. Conversely, IT outages or cyber incidents may directly affect the customer experience and confidence in the financial market. By linking both issues, the FMA strengthens its ability to recognise risks in full and to address them efficiently, in the interests of a modern, resilient and customer-oriented financial market.

This holistic approach has been strengthened further by including the supervision of credit servicers. Particularly in the case of credit-related services, such as the processing of non-performing exposures, it is paramount that both the conduct-related treatment of customers and the technical infrastructure (e.g. for processing data, communications and complaints handling) meet high standards.

This is how integrated supervision of technology, compliance and conduct emerges – in a tailored, efficient and future-proof manner.

The Austrian Banking Act (BWG) contains compliance and conduct requirements relating to the provision of banking services and the sale of banking products, such as requirements in relation to complaints management and remuneration policies and practices. Far-reaching conduct obligations exist in relation to the granting of real estate loans. They range from principles for the granting of credit and the valuation of residential property, and the knowledge and skills of advisers, through to rules on credit checks, dealing with payments in arrears and foreclosure, as well as rules relating to remuneration policies.

Conduct rules for the provision of payment services cover, among other items, the information requirements in Chapter 3, the rights and obligations in relation to the provision and use of payment services pursuant to Chapter 4, as well as the rules for complaints management in accordance with Chapter 5.

The leaflet produced by the European Commission to inform consumers about their rights when making payments in Europe pursuant to Article 38 of the Payment Services Act 2018 (ZaDiG 2018; Zahlungsdienstegesetz 2018) can be found below.

Your rights when making payments in Europe (Format: pdf, Size: 333,8 KB, Language: English)

Credit institutions that also provide investment services on the basis of their legal licence pursuant to Article 1 para. 3 BWG, such as investment advice, portfolio management on an individual basis and/or the receiving and transmission of orders (Article 3 para. 2 nos. 1 to 3 WAG 2018), are required to comply with Chapter 2 (Organisational Requirements) of the Securities Supervision Act 2018 (WAG 2018; Wertpapieraufsichtsgesetz 2018), the regulations based upon it, as well as the directly applicable EU Regulations, in particular Delegated Regulation (EU) 2017/565. These cover, on the one hand, organisational requirements such as the establishment of a compliance function and, on the other hand, a broad range of conduct rules for the provision of investment services.

The Insurance Distribution Directive (IDD) and the delegated regulations based thereon contain conduct supervision rules for insurance mediation that are generally carried over from MiFID II and the Securities Supervision Act 2018 (WAG 2018). Pursuant to Article 21 para. 4 BWG, credit institutions are required, when mediating insurance contracts and insurance-based investment products, to observe in particular the relevant rules set out in the Commercial Code of 1994 (Article 69 para. 2, Articles 1367 et seq.) as well as the national regulations issued on this basis (e.g. professional rules for insurance mediation).

When manufacturing packaged retail investment products for retail investors, and when distributing such products as well as insurance-based investment products to retail investors, credit institutions are required to observe the provisions of the PRIIPs Regulation, the PRIIPs Enforcement Act (PRIIP-VG) as well as the directly applicable EU Regulations, in particular Delegated Regulation (EU) 2017/653. These prescribe, among other things, that manufacturers must draw up a key information document (KID) for such products. The distributor is also obliged to make the KID available to the retail investor in good time prior to the conclusion of the contract.

Within the scope of conduct supervision, the FMA checks compliance with the legal provisions using various supervisory tools. It uses a proven three-level strategy that also involves the supervised credit institutions and the parties representing their interests. This strategy covers the targeted monitoring of the market, structured dialogue with the market, as well as the targeted review of individual legal entities.

This review takes the form of on-site inspections:

  • pursuant to Article 21 para. 5 BWG regarding insurance mediation by credit institutions,
  • pursuant to Article 90 para. 3 no. 3 WAG 2018 with regard to the provision of investment services, and
  • pursuant to Article 4 para. 1 PRIIP-VG with regard to the obligations set out in the PRIIPs Regulation.

Furthermore, spot checks and management meetings are also conducted. These supervisory tools are used where specific circumstances are identified on an ad hoc basis, for routine checking processes, to raise market standards and, in particular, to ensure that ongoing supervisory contact is maintained.

Management meetings and spot checks are, in particular, also used as a follow-up measure after an on-site inspection.

Information Sources and Important Links

As part of the development of supervision, the FMA publishes a range of circulars as a contribution towards legal clarity and the development of the law. In addition, publications are drawn up together with market participants for the purpose of self-regulation, although this does not prevent individual market participants from adopting stricter rules.

Integrated Banking Distribution Report

The Integrated Banking Distribution Report provides an overview of the distribution activities of Austrian credit institutions in Austria during the 2021 financial year on the basis of the respective material legal bases. The data and key figures analysed show the significance of credit institutions in the distribution of lending, insurance and investment products, in particular to consumers and retail investors in Austria.

Integrated Banking Distribution Report 2024 (Format: pdf, Size: 1,6 MB, Language: English)
Integrated Banking Distribution Report 2023 (Format: pdf, Size: 1,9 MB, Language: English)
Integrated Banking Distribution Report 2022 (Format: pdf, Size: 1,1 MB, Language: English)

FMA Workshops on Compliance and Money Laundering

Slides of the 6th FMA Practitioners’ Conference on Compliance and Money Laundering Prevention (Format: pdf, Size: 6,5 MB, Language: German)
Slides of the 5th FMA Practitioners’ Conference on Compliance and Money Laundering Prevention (Format: pdf, Size: 5,1 MB, Language: German)

ESMA Statement on the deprioritisation of supervisory actions on the obligation to publish RTS 28 reports in light of the agreement on the MiFID II/MiFIR review (Format: pdf, Size: 108,8 KB, Language: English)
ESMA Statement on investment firms providing unregulated services (Format: pdf, Size: 361,7 KB, Language: English)
ESMA Statement on fractional shares (Format: pdf, Size: 104,0 KB, Language: English)
ESMA Statement on RTS 27 reports (Format: pdf, Size: 44,7 KB, Language: English)
ESMA Statement to investment firms on the impact of inflation in the context of investment services to retail clients (Format: pdf, Size: 132,1 KB, Language: English)
ESMA Statement on the results of the 2020 CSA on the MiFID II suitability requirements (Format: pdf, Size: 161,1 KB, Language: German)
ESMA Statement on payment for order flow (Format: pdf, Size: 130,2 KB, Language: German)
ESMA Statement on special purpose acquisition companies (SPACs) (Format: pdf, Size: 151,6 KB, Language: German)
ESMA Statement on the application of the temporary suspension of best execution reporting by execution venues (RTS 27) (Format: pdf, Size: 78,5 KB, Language: German)
ESMA Statement on the high volatility in trading of certain US shares (Format: pdf, Size: 106,3 KB, Language: German)
COVID-19: Reminder of firms’ MiFID II conduct of business obligations in the context of increasing retail investor activity (Format: pdf, Size: 116,9 KB, Language: English)
COVID-19: Clarification of issues related to the publication of reports by execution venues and firms as required under RTS 27 and 28 (Format: pdf, Size: 89,8 KB, Language: English) (EXPIRED as of 17.11.2021)
COVID-19: Clarification of issues related to the application of MiFID II requirements on the recording of telephone conversations (Format: pdf, Size: 114,1 KB, Language: English)
Joint ESA supervisory statement concerning the performance scenarios in the PRIIPs KID (Format: pdf, Size: 965,3 KB, Language: English)
Reminder to firms on their MiFID obligations on disclosure of information to clients in the context of the United Kingdom withdrawing from the European Union (Format: pdf, Size: 212,9 KB, Language: German)
Statement of the EBA and ESMA on the treatment of retail holdings of debt financial instruments subject to the Bank Recovery and Resolution Directive
MiFID practices for firms selling financial instruments subject to the BRRD resolution regime