Things are heating up in Frankfurt. The migration of Postbank's IT to Deutsche Bank's systems, officially declared as a done deal in July, has left Postbank customers and consumer advocates fuming. So many complaints have piled up since the beginning of the year that the financial watchdog, BaFin, felt compelled to release an extensive statement on Monday evening about the significant disruptions.

It's common for regulators in financial institutions to identify IT deficiencies, impose obligations on the affected parties, and demand higher capital requirements. However, a regulatory slap like this is not so common. It illustrates how internally generated IT problems can severely affect banks. The increasing reports of cyberattacks sometimes obscure the fact that trouble can come from within as well.

BaFin, consumer protection agencies, and ombudsmen can attest to an abundance of complaints numbering in the thousands. Deutsche Bank has pledged to address the deficiencies. Regulators promise to investigate the disruptions in online and mobile banking, as well as the inadequate phone accessibility and lengthy processing times for matters such as debt enforcement, account closures, and savings deposit refunds. They threaten potential measures without going into detail. These measures could include additional capital requirements or the appointment of a special monitor within the institution to oversee the resolution of the issues. Even if these measures are not taken, the damage is substantial. Deutsche Bank, which has been trying to rid itself of various legacy issues in recent years, has acquired a new reputation problem.

The irony of the situation is that BaFin issued this reprimand just after falling victim to a cyberattack itself. Right before publicly scolding Deutsche Bank, BaFin experienced a Distributed Denial of Service (DDoS) attack, rendering its website inaccessible due to a flood of requests overwhelming the server.

Back in May, on the day of its annual financial press conference, a power outage temporarily crippled BaFin's IT systems. The cause was a power failure following a failed routine test of the emergency power supply. Four years ago, the European Central Bank had to take its BIRD website, which serves the harmonization of reporting, offline after a hacker attack. So, regulators must tread carefully when pointing fingers at those they oversee.