Banks between core systems, regulation and platform economics

Banks operate in one of the most densely regulated markets there is — and at the same time compete with FinTechs, platform providers and embedded finance offerings. We build software that holds up to supervisors and moves the business forward.

What defines the sector

Banks sit at an unusually dense intersection: trust-driven business, a strict regulatory environment, IT estates spanning three generations — and a competitive landscape that today comes as much from platforms as from other banks.

Market structure ranges from universal banks through private banks, development banks, cooperative banks and savings banks to specialist institutions. At the centre of every bank sits the core banking system — Avaloq, OBS, agree21, oms or a proprietary stack — as the booking and master-data engine. Around it: payments, lending, securities, wealth management, corporate banking.

Supervision lies with BaFin and the Bundesbank, complemented by the ECB for significant institutions (SIs) and the EBA at the European level. The regulatory framework is dense: KWG, ZAG, GwG, MaRisk, BAIT, PSD2, ISO 20022, DORA, MiCA, ESG reporting. Every architecture decision is also a compliance decision.

Core banking

Booking logic, master data — the heart of every bank, often decades old.

Payments

SEPA, instant payments, SWIFT, cards — migrating to ISO 20022.

Compliance

KYC/AML, sanctions screening, transaction monitoring, MaRisk reporting.

Channels

Branch, online banking, app, embedded-finance APIs — all to be served on equal footing.

Current challenges

What occupies banks today reads like a list of regulatory keywords — but behind each sits a concrete IT programme running alongside daily operations.

BAIT and DORA. Supervisory IT requirements, from 2025 binding under DORA, demand systematic ICT risk management, third-party oversight, incident reporting within hard deadlines and threat-led penetration testing for SIs. That has consequences for architecture, supply chains and what a bank still does in-house.

ISO 20022 migration. SEPA, instant payments, SWIFT MX: payments have been moving to the ISO 20022 standard step by step since 2023. That brings a richer data model and more options, but also significant rework in legacy systems, in interfaces with corporate clients and in sanctions screening.

KYC, AML and digital identification. Remote identification via VideoIdent, eIDAS trust services, BUND-ID integration in retail, sanctions and PEP screening — the onboarding journey has become a small platform of its own. The Money Laundering Act, GwG guidance and supervisory expectations drive the data model.

ESG reporting. CSRD, the EU taxonomy and SFDR demand data spread across the loan book and the securities business — issuer emissions, sustainable-finance classifications, greenwashing risks. That data has to be collected, validated and surfaced to supervisors and customers.

Core banking modernisation. Mainframe decommissioning, moves to modern stacks or hybrid cloud strategies — transforming a core banking system is a multi-year programme with high visibility. The bank still has to deliver while it happens.

Embedded finance and Banking-as-a-Service. Banks become API providers for other business models. That requires API management, multi-tenancy, clear service levels, well-thought-out auth and audit concepts.

Why custom software

Standard core banking systems handle booking logic and master data well. But differentiation doesn't happen in the booking engine — it happens in the layers above: in advisory, onboarding, digital products and compliance pipelines. That's where custom software begins.

Banks differ markedly in business model, customer segments and regulatory depth. A private bank's onboarding follows different logic from a savings bank's branch network; a development bank works with very different lending processes from a universal bank. Standard software covers the common third — the identity-defining components are bespoke.

Concrete examples of custom building blocks common in banking IT estates:

  • KYC workflows with document classification: capture, OCR extraction, plausibility checks, sanctions screening, hand-off to processing — with a complete audit trail.
  • Custom credit decision engines: scorecards, rule sets, manual escalations — explainable down to the smallest field, because supervisors require traceable decisions.
  • ESG reporting pipelines: aggregation from loan book, securities book and external sources, validated, signed off, transformed into CSRD and taxonomy reports.
  • Migration bridges: when changing core banking systems or retiring island solutions — with data enrichment, mapping logic and a clean cut-over.
  • Embedded finance APIs: multi-tenant, with rate limits, signed webhooks, a clean OAuth model.

Our position: we build the application and integration layer above the core banking system — auditable, documented, BAIT- and DORA-fit. The depth for banking processes, GwG requirements and ISO 20022 mechanics is ours; the bank's business model stays the customer's.

Banking IT project in the backlog — KYC, ISO 20022, ESG reporting, embedded finance?

We assess the use case, examine integration with the core banking system and supervisory obligations, and propose a pragmatic split between standard and custom development.
