DORA – Dependence of the financial markets on third-party service providers
With the introduction of the Digital Operational Resilience Act (DORA) in January 2023 and its mandatory application from January 2025, the regulator has once again turned its attention to the outsourcing of IT services in the financial industry.
Objectives of DORA (as of 02/2024, source: BaFin presentation DORA for ICT service providers):
- Strengthening the security and operational resilience of the entire European financial sector
- Establishing uniform and consistent requirements for the entire financial sector
- Introduction of proportional requirements (principle of proportionality)
In recent years, BaFin has already created a serious and increasingly practicable basis by defining minimum requirements for risk management (MaRisk) on the basis of Section 25a of the German Banking Act (KWG) and, in greater depth, in the banking supervisory requirements for IT (BAIT). The increased audit activities of the supervisory authorities in recent years, with a focus on the outsourcing management of financial institutions, were already an initial preview of the necessary measures that will be introduced with DORA.
If one compares the known requirements from BAIT with DORA, the following five core contents can be identified:
- Broader scope of DORA: While the MaRisk BAIT amendment was mainly focused on banks and financial institutions, DORA extends the scope to a broader range of companies that can benefit from digitalization and outsourcing.
- More flexible compliance requirements: DORA focuses on making compliance requirements more flexible compared to the requirements of the MaRisk BAIT amendment. This allows companies to better adapt their outsourcing practices to their individual needs and the rapidly changing digital landscape.
- Greater emphasis on risk management aspects: In comparison, DORA places a stronger focus on integrating risk management practices throughout the outsourcing process. This includes a more thorough risk assessment, the identification and monitoring of risks throughout the outsourcing lifecycle and the development of risk mitigation and control measures.
- Consideration of international standards and best practices: DORA is more aligned with international standards and best practices in outsourcing and digitalization, which can lead to increased comparability and interoperability with companies from other countries.
- Greater involvement of supervisory authorities: DORA provides for increased cooperation and communication between companies and regulators to ensure effective monitoring and enforcement of outsourcing regulations.
Within the framework of DORA, finone will focus in particular on the following three topics, including in the necessary test situations with existing and future customers and users of finstreet, fintus and finted products:
- Risk management and assessment in outsourcing: A detailed analysis of the risks associated with the outsourcing of software and services and the development of effective risk mitigation and control measures.
- Compliance and governance in digital transformation: The design and implementation of compliance strategies and governance mechanisms to ensure that all outsourcing activities comply with legal requirements and standards.
- International collaboration and standardization: The integration of international standards and best practices into outsourcing practices to ensure smooth interoperability and comparability with companies from different countries.
As of today, finone does not define itself as a “Critical ICT Service Provider” (Art. 31 para. 2 DORA) – DORA currently sets lower standards than BaFin via the MaRisk amendment. The extended requirements for outsourcing agreements (in particular performance measurement of the service, mandatory termination support and effective monitoring – see also Art. 30 (3) DORA) are already the standard for finone customers and will probably not require extensive revision. On the customer side, we expect increased documentation in outsourcing management in this context, including the consideration of exit scenarios following a critical incident or termination.
Overall, DORA once again offers the opportunity to excel as a service provider and supplier in the financial sector. The supervisory authorities will increasingly tighten their grip on smaller providers. With the existing certifications in accordance with ISO 9001 (quality management), ISO 27001 (information security), ISAE 3402 (internal control system) and the established processes for risk monitoring and reduction, finone considers itself well prepared for the stricter upcoming requirements. By carefully analyzing and implementing the requirements of DORA, companies can gain a competitive advantage and support their long-term growth.
Successful audit according to ISAE 3402
IT service providers in the financial industry are constantly confronted with increasing regulatory requirements. Outsourcing is now a frequent focus of regulatory audits. This makes it all the more important not only to comply with current rules and standards, but also to have them certified by independent third parties.
An important international auditing standard for IT outsourcing projects in this context is ISAE 3402 (International Standard on Assurance Engagements), which enables the outsourcing company to assess the internal controls of the service provider and thus gain a holistic view of its own internal control system (ICS).
finone GmbH was audited by an independent auditor in accordance with ISAE (Type 1) without any objections. The audit in accordance with ISAE (Type 2) will take place at the end of 2024. finone thus once again meets the high regulatory requirements.
BaFin regulates the outsourcing of IT components and software products within narrow guidelines, for example through the minimum requirements for risk management (MaRisk) on the basis of Section 25a of the German Banking Act (KWG) and, in more detail, the banking supervisory requirements for IT (BAIT).
However, even when outsourcing to third parties, the responsibility remains with the company itself and is not transferred to the service provider. ISAE 3402 therefore offers outsourcing companies the opportunity to obtain the necessary information for their own internal controls or to make use of third-party audits.
ISAE 3402 distinguishes between two types of report:
- Type 1: The control objectives and their implementation are assessed.
- Type 2: In addition to the control objectives and their implementation, the operational effectiveness of the controls is analyzed.
Customers from the financial sector in particular were expected to request such a report from their service providers – which finone was happy to fulfill. Certification to ISO 9001 (quality management) and ISO 27001 (information security) took place early on in the company’s history. Due to finone’s focus on the financial industry with the successful finstreet and fintus brands, the decision was made to have an ISAE 3402 (Type 1 and 2) audit report prepared and externally audited as further documentation of internal efforts and established controls.
In addition to a statement by the company management assuring that the control system was correctly presented and that the control objectives were achieved with the controls implemented during the entire audit period, the ISAE 3402 report contains the following points, among others:
- Services and processes that were audited
- Period covered by the audits
- Information on the control objectives and the corresponding controls
Preparations began as early as 2023, and an auditor was commissioned, since the audit requires the report to be prepared by an independent body. When formulating the relevant processes and control objectives, finone was guided by the necessary control objectives of customers in the financial industry.
From 2024, finone will have an ISAE 3402 (Type 2) report prepared annually, which will then cover an audit period of an entire year. Control reviews will also take place in this context so that the report can be supplemented with additional control points if required.
The financial industry is one of the most regulated sectors in Europe. Together with our clients, we face up to the ongoing challenge.
Renaming from fintus to finone GmbH
fintus is now operating under the new name finone GmbH. The decision to change the name underlines the company’s strategy of joining forces under a common name following the successful merger with finstreet and positioning itself as a leading provider of B2B banking software and loan origination services.
Frankfurt, 04.09.2023
fintus successfully merged with finstreet at the beginning of this year to combine their strengths and create even greater added value for their customers in the financial sector. The renaming of the companies to finone GmbH is a decisive step in their integration process and an important milestone in order to jointly offer pioneering solutions for the financial industry under the company name finone in the future and thus strengthen their position in the DACH market.
Benjamin Hermanns, CEO of fintus, comments: “I am very pleased about this important step in our company’s history. By consolidating our resources under the new name finone, we are pooling our core competencies to jointly develop even better innovative solutions for our customers that set new standards and lead our customers to sustainable success.”
However, this is only a renaming of the company name fintus to finone; the name fintus will continue to be present as a brand. All products will therefore continue to be sold under the fintus brand, only the name of the parent company has changed. Our customers can therefore continue to rely on the proven service and expertise of fintus.
The management is looking forward to a successful future as finone GmbH. The renaming is an important step in the strategic development of the company and strengthens its position as market leader for standard enterprise software in the DACH region.
New corporate design of the finone Group: Uniform brand identities for fintus, finstreet and finted
Following the successful merger of fintus and finstreet, the finone Group presents its new corporate design. The uniform re-branding not only emphasizes the unity of the companies under the common umbrella company finone, but also the common goal of developing pioneering solutions for the financial industry as a group and growing together.
Frankfurt, 10.09.2023
The companies of the finone Group, including fintus, finstreet and finted, will now appear in a uniform corporate design. The redesign of the brands reflects the common identity and affiliation to the finone Group and underpins its common objective as a strategically oriented pioneer in the financial sector.
Benjamin Hermanns, CEO of fintus, says: “The introduction of our group’s new corporate design is not only a visual update, but also demonstrates our determination to set new standards in the financial sector together as a group.”
The leitmotif of the new corporate design is the ascending line in the logos, which stands as a central symbol for joint growth, consistency and togetherness of the companies. The colors of the already established fintus and finstreet brands remain unchanged in order to preserve their proven brand identities.
The introduction of the new corporate design represents a significant step for the Group in strengthening its position as an innovation leader in the financial sector in the DACH region. This redesign emphasizes uniformity without compromising the uniqueness and expertise of the individual companies. The Group looks to the future with great optimism, strengthened by a corporate design and the synergies that arise from a unified holding company.
Strong growth of the group: fintus bundles its own strengths with those of finstreet GmbH
fintus announces the acquisition of finstreet GmbH, headquartered in Münster, in January 2023. This underlines the growth course fintus embarked on in 2021, which is accompanied by the London-based private equity investor AnaCap Financial Partners. AnaCap has been investing in the European financial services sector for years. Its portfolio companies include banks, financial service providers and, in Germany, its current investments in WebID, MRH Trowe and past successful investments such as Heidelpay.
finstreet has specialized in overcoming digital challenges within the financial industry since 2014 and implements technical solutions and innovative business models – from individual order development to standardized software-as-a-service products. With around 90 employees and over 400 customers, including well-known financial institutions such as DZ BANK AG, the German guarantee banks, savings banks, national and Raiffeisen banks and a number of specialist providers, finstreet has been one of the champions in supporting digital change in the financial services sector for years.
The customers of fintus and finstreet benefit from the combined strength. Together, they will create a company with around 170 experts. Both companies will continue on their current course: the expansion of the low-code banking platform fintus, the successful products DialogOnline and eco.banking, and the exclusive solutions individually developed by finstreet. This comprehensive offering will support customers better than ever before on the path to transforming their business model, including a high degree of automation.
The Group will also leverage the strength of the two companies to jointly develop existing standard products and create new joint products. The low-code banking platform from fintus will use components of the finstreet platform and provide its own functions for the expansion of finstreet products. The focus is on outstanding experiences for employees in financial institutions and their prospects and customers.
The finstreet management team around David Niedzielski (CEO), Dr. Holger de Bie, Patrick Lukas, Fabian Kammering, Tristan Zellner and Lutz Bigalke are looking forward to the collaboration. Niedzielski explains: “We are united by a shared vision of outstanding customer and user experiences as well as efficiency potential resulting from the digitalization of processes for financial service providers. Our future networked service portfolio will help us to further increase the speed of development and at the same time excellently fulfill all regulatory requirements that the industry focus entails. We are convinced that in the coming years a few relevant providers with the broadest possible thematic coverage will assert themselves on the market – together we will lead this trend.”
Anja Scheffka, COO of fintus, comments: “The companies’ teams complement each other extremely well. Joint projects were launched just a few days after signing the agreement. The preservation of their own corporate culture, coupled with curiosity about the future, unites the teams. Creating continuity and stability and further developing the shared values will be short-term tasks that we will successfully master together.”
Together, the management is looking forward to the coming year. The focus for 2023 is on accelerating the transformation of the financial industry, improving the customer experience and strengthening the company’s own team, combined with organic and inorganic growth, which is to be realized through further company acquisitions.