Austrian Digital Finance Landscape 2024

FMA Austrian Digital Finance Landscape

In 2024 the Austrian Financial Market Authority (FMA) carried out its “Austrian Digital Finance Landscape” analysis as part of its current thematic priority for supervision on digitalisation, in order to evaluate the level of digitalisation in business operations as well as the operational resilience (IT landscape, ICT interdependencies, cyber resilience) of undertakings in the Austrian financial market. The analysis also addressed preparations for the rules under the forthcoming Digital Operational Resilience Act (DORA) by means of a DORA gap analysis. As a result, entities had the opportunity to make necessary improvements in implementing the new regulatory rules.

AI-based systems displaying strong growth

Digital transformation is advancing at breakneck speed in the Austrian financial market. Not only robotics and cloud services, but also AI systems are enjoying increasing popularity in operational business, accompanied by a further intensification of competition. To make use of the advantages of digital innovation, supervised entities are working more closely with FinTechs: the number of collaborations has increased despite the market shakeout in the FinTech sector over the last three years, and the proportion of supervised entities cooperating with such start-ups has again increased. Apart from the continued high demand for qualified personnel with IT security expertise, supervised entities across almost all sectors are seeking to expand their data science capabilities, which suggests artificial intelligence (AI) systems are being used more intensively. Despite the continued momentum in the crypto area, increasing cost pressures and the search for yield-generating investments, supervised entities remain very cautious about investing in crypto assets.

Innovative technologies in use in almost all business areas

  • Cloud services have grown particularly strongly in significance since 2018 and are used almost universally by entities in all financial market sectors. The ‘Software-as-a-Service’ service model (84%) and the public cloud usage model (80% of all cloud services used) are the most frequently used.
  • The use of robotic process automation has also increased significantly; it is already being used by two thirds of banks and half of all insurance companies to process repetitive forms and transfer data records to analysis systems.
  • In contrast, blockchain technology is still seldom used. Contrary to some planned expansions in 2021, in some cases usage has even fallen due to a lack of specific use cases. Edge computing and the Internet of Things remain a niche market, currently only used by three credit institutions, three insurance undertakings, and one pension company.
  • Automated data interfaces that promote digital collaboration are now used by practically all banks, payment institutions and insurers; the lowest proportion of use is among investment firms at 43%.
  • The more digital technologies an entity uses overall, the more frequently it uses artificial intelligence. AI-based systems are strong growth areas. The plans communicated in 2021 about expanded use were met across the board. More than one quarter of supervised entities are already using machine learning in their operational business activities. The main areas of use are ratings systems, fraud analytics, and assistance functions in IT, administration and marketing. Expansion plans are conspicuously large in all sectors: by 2027 around three-quarters of credit institutions, payment institutions, insurance undertakings and investment fund management companies want to deploy machine learning technology. There are similarly ambitious plans for expansion in natural language processing: over the next three years credit institutions, payment institutions and insurance undertakings are striving for a usage level of well over 50%.

Digital communications channels are squeezing out conventional delivery channels

Conventional distribution channels are increasingly losing ground as a result of the use of digital distribution platforms, comparison portals, social media, chatbots and robo advice. Comparison portals have established themselves in almost all sectors as a pre-sales instrument since 2018. In most entities, the proportion of sales through comparison portals and distribution platforms remains in the single-digit percentage range or less. However, further growth is to be expected in this area in the coming years.

Increasing professionalism of ICT security measures

The FMA’s DORA gap analysis shows that the Austrian financial market has already taken the most important measures to ensure DORA compliance, even if individual entities are at vastly different stages of compliance. ICT third-party risk management has the largest outstanding need to act. Amendments to contracts, as well as the establishment of a register of information of ICT service providers covering all contractual agreements about the usage of ICT services, are currently still underway across all sectors and are one of the largest challenges presented by DORA. In this respect, Austrian financial entities were able to accelerate implementation and improve data quality by participating in the dry run of reporting to the register of information.

Increasing degree of connectedness with external service providers

The FMA’s dry run exercise revealed a strong degree of interdependency between Austrian financial entities and the ICT service sector: The FMA identified 7,952 service contracts of financial companies with 1,626 different service providers from 1,312 individual groups. These are based on 4,390 sub-service provider relationships up to the 5th level. The number of critical ICT service providers per entity is generally in double digits (for example, the average number of critical ICT service providers is 17 for credit institutions, 12 for insurance undertakings and 10 for investment companies). Almost two-thirds of major ICT-related incidents arise from third-party providers. This illustrates the usefulness of the DORA requirements for ICT third-party risk management and the European Oversight Framework of critical ICT third-party service providers.

System errors are the main reason for major ICT-related incidents

More than three quarters of major ICT-related incidents in the Austrian financial market are due to system errors (i.e. problems not resulting from cyber attacks, like software errors or network infrastructure outages). Cybersecurity-related reports account for only a low single-digit percentage. Denial-of-service attacks (DoS attacks), data exfiltration and manipulation by external attackers are the main causes. The remaining ICT incidents are due to process errors or external events; triggers included the crash of a central program library due to an error when setting up new cookies, problems migrating a data centre, interruptions during a disaster recovery test, the load on the central firewall due to the doubling of network traffic, the incorrect configuration of a setup service, the failure of a telecommunications provider’s SMS service, the failure of a market information service, performance problems on a gateway firewall, a faulty connection of a cable during a power outage test in a data centre, and a telephony outage in customer service.

Implications for the FMA’s supervisory activities

The findings from this analysis have been fed into the FMA’s strategy for supervision as well as the FMA’s positioning in the legislative process at European level, and have already been taken into account when determining the priorities for supervision in 2025. The FMA’s Austrian Digital Finance Landscape also helps the FMA to identify trends regarding the deployment of innovative technologies when developing adequate supervisory tools, to identify concentration risks and potential channels of contagion, to monitor the Austrian financial market’s cyber-resilience in a targeted manner, to reflect supervised entities’ digital risk profiles in their risk scoring, and to create competitive conditions that are as fair as possible among analogue and digital providers and products.

Downloads

Austrian Digital Finance Landscape (Format: pdf, Size: 4,2 MB, Language: German)