
Legacy Systems in the Financial Sector: Compliance and Security

Legacy modernization • 9 February 2026

By Groenewold IT Solutions • 3 min read


Opened at: 21 January 2026 | Reading time: approx. 9 minutes

Table of contents

  • Introduction: The ticking time bomb in financial IT

  • The double challenge: security and compliance

  • Security risks of legacy systems in banks

  • Compliance nightmare: GDPR, PSD2 and Co.

  • Modernisation strategies for the financial sector

  • Case study: Successful modernisation of a core bank platform

  • Conclusion: Modernisation as a duty for the financial sector

1. Introduction: The ticking time bomb in financial IT

The financial sector is the backbone of the modern economy. But in the cellars of many banks and insurance companies, legacy systems are still slumbering, some of which were written on mainframes and in COBOL decades ago. These systems are not only an obstacle to innovations such as open banking and digital customer experiences, but also a ticking time bomb in terms of security and compliance.

A survey revealed that 44% of banks still run on COBOL-based systems [1]. Holding on to this outdated technology is no longer an option. This article highlights the specific risks of legacy systems in the financial sector and shows ways to modernise them safely and compliantly.

2. The double challenge: security and compliance

No other industry is as heavily regulated and at the same time as attractive a target for cyber criminals as the financial sector. Legacy systems pose a double challenge here:

  • Security: Old architectures and programming languages provide a large attack surface for hackers.

  • Compliance: New regulatory requirements (e.g. GDPR, PSD2) are often difficult or impossible to implement with old systems.

3. Security risks of legacy systems in banks

  • Missing security updates: There are no security patches for many outdated operating systems and libraries.

  • Retired developers: Developers with COBOL and mainframe experience are retired. The knowledge needed to maintain and secure the systems is lost.

  • Integrability: Connecting modern security solutions (e.g. for identity management or real-time fraud detection) to old systems is often complicated and incomplete.

4. Compliance nightmare: GDPR, PSD2 and Co.

Regulatory density in the financial sector is steadily increasing. Legacy systems are quickly becoming a compliance trap here:

  • GDPR: Requirements such as the "right to be forgotten" are hardly feasible in monolithic systems where customer data is stored in countless places.

  • PSD2 (Payment Services Directive 2): The directive requires banks to grant third-party access to account data via APIs (open banking). This is techni with encapsulated legacy systems

About the author

Groenewold IT Solutions

Software development & digitalisation

Field-tested insights from projects involving custom software development, integration, modernisation and operations, with a focus on measurable results and sustainable architecture.
