Conduct and IT Risk Supervision of Banks

Harmonised protection in the integrated financial market

In Austria, banks are the central delivery channel for a wide range of financial products: from classical banking services such as payments and loans, through securities, all the way to insurance products. To their customers, banks are the provider of this entire range of products and services.

Harmonised rules alone are not enough to ensure that consumers are reliably protected irrespective of the specific product or provider. What is also required is a common approach to supervision that covers all financial services offered through banks. The decisive factor is that the products meet customers' requirements, are explained transparently and are brokered in a fair manner.

A consistent supervisory framework is also gaining in significance in the area of IT risks. The digitalisation of the financial market requires clear, harmonised standards, both to strengthen cybersecurity and to ensure digital resilience. All market participants, and consumers in particular, benefit from this.

The FMA’s Approach to Supervision: convergent, integrated and future-oriented

Back in 2018, the FMA took an important step towards convergent supervision by bundling the conduct supervision of banks across the areas of banking, investment and insurance services. A dedicated division for Conduct Supervision of Banks enabled a holistic view of conduct issues, across different products and legal forms.

Since 2025, conduct supervision has been fully integrated into the Banking Supervision department, so that conduct-oriented and prudential supervisory approaches are now organisationally combined. The result is a consistent, coherent supervisory framework across the entire banking delivery channel.

Since 2025, IT risk supervision of banks (less significant institutions, LSIs), payment institutions and e-money institutions has also been centralised in the division "Conduct and IT Risk Supervision of Banks". The division focuses in particular on the rules set out in the EU's DORA Regulation and the relevant EBA Guidelines. Reported ICT-related incidents, planned outsourcings and registers of information are systematically logged, analysed and assessed in a risk-oriented manner.

Since April 2025, this division has also been responsible for the ongoing conduct supervision of credit servicers. Since the entry into force of the Credit Servicers and Credit Purchasers Act (KKG; Kreditkäufer- und Kreditdienstleister-Gesetz), this new group of providers also falls under the conduct-based supervisory regime. Integrating this area into the existing division ensures that the same benchmarks for customer protection, transparency and business practices apply, regardless of whether the institution is a bank or a credit servicer. General information can be found on the page Credit Servicers and Credit Purchasers.

Synergies between Conduct and IT Risk: two perspectives, a common objective

Bundling conduct and IT risk supervision in a single division deliberately draws together two perspectives that are inextricably linked in an increasingly digitalised financial world: the former focuses on compliance with conduct and distribution rules towards customers, while the latter ensures secure, stable and trustworthy technical systems in the background.

Fair advice, transparent information and the reliable settlement of transactions all depend on sound IT processes. Conversely, IT outages or cyber incidents may directly affect the customer experience and confidence in the financial market. By linking both issues, the FMA strengthens its ability to recognise risks in full and to address them efficiently, in the interests of a modern, resilient and customer-oriented financial market.

This holistic approach has been strengthened further by including the supervision of credit servicers. Particularly in the case of credit-related services, such as the processing of non-performing exposures, it is paramount that both the conduct-related treatment of customers and the technical infrastructure (e.g. for processing data, communications and complaints handling) meet high standards.

This is how integrated supervision of technology, compliance and conduct emerges, in a tailored, efficient and future-proof manner.