June 9, 2026

The Hidden Complexity of IT Carve-Outs in Banking

In financial services there are few undertakings that rival the complexity of an IT carve-out. When a bank divests a subsidiary, spins off a business line, or undergoes restructuring, the separation of technology systems becomes one of the most challenging aspects of the transaction. Unlike other industries, banking IT landscapes are highly regulated, deeply integrated and mission critical. A single oversight can create regulatory breaches, operational failures, or reputational damage.

In this article we will explore the hidden complexities that make IT carve-outs in banking uniquely demanding, and why early planning for both Day 1 readiness and long-term separation is critical.

1. Banking IT Landscapes Are Interdependent by Design

Most banks operate with decades of layered systems, including core banking, payments infrastructure, customer data warehouses, risk engines, and regulatory reporting tools. These environments are rarely standalone. Shared platforms and data flows between parent and carved-out entities mean separation is not as simple as “copying and pasting” technology.

  • Core dependencies: Transaction processing, Anti-Money Laundering (AML)/Know Your Customer (KYC) monitoring, treasury systems, and SWIFT connectivity often sit on shared infrastructure that serves multiple legal entities.
  • Hidden linkages: Smaller components such as sanction-screening APIs, reporting databases, and shadow IT or end-user computing tools (spreadsheets, macros, access databases) may be tightly coupled with enterprise systems and critical controls.
  • Legacy integration: Many banks still depend on legacy core platforms and batch schedules that underpin customer records, finance, and payment systems. These environments, which are critical to the banks’ operations, are often difficult to support and maintain because they depend on legacy, end-of-life hardware or obsolete software, with key skills and support staff difficult to recruit.
  • Proprietary platforms: These add to the complexity of the environment being separated, often leading to prolonged Transitional Service Agreement (TSA) periods and continued reliance on the parent’s systems, especially where they are linked to middleware components.
  • Around-the-clock criticality: Payments, cards, digital channels, and fraud or AML checks run continuously, with hard deadlines for scheme cut-offs and end-of-day ledgers. Any carve-out must protect real-time services while also preserving overnight batch windows.

This interdependence magnifies both the cost and timeframe of an IT carve-out, increasing operational risk and requiring tightly coordinated data, scheduling, controls, and testing across both entities.

2. Regulatory and Compliance Pressures

Banks face unique regulatory scrutiny during carve-outs. Regulators expect uninterrupted compliance with capital adequacy, anti-money laundering, and data protection requirements, regardless of the transition.

  • Data governance: GDPR and other privacy rules demand clear lineage, consent, and data residency controls, even as records are migrated or duplicated.
  • Risk and reporting: Frameworks such as BCBS 239, IFRS 9, and COREP require continuous, accurate risk and financial reporting. Any disruption can trigger supervisory action.
  • Regulatory oversight: In carve-out scenarios, regulators need to be kept informed of the approach that is adopted, including the separation plan and risk mitigation measures that are being employed.
  • Operational resilience: In Europe, the Digital Operational Resilience Act (DORA) sets a higher standard for keeping services running through change. It is important to show that critical customer and operational services will continue during and after cutover, and that third parties are under proper oversight. Therefore, a register of IT suppliers should be kept, flagging those supporting critical functions, and contracts should allow audit access, incident support, secure data return, and a workable exit.
  • Vendor contracts and negotiations: Treat the contract as a safeguard. It should allow the bank to audit the supplier’s work, get fast help when incidents occur, keep control of where data lives and receive practical support to exit or transition at a fair, capped cost. Prices should taper during the TSA, important changes should be flagged early, and penalties and liabilities should match how critical the service is.

Failure to uphold these obligations exposes the bank to fines, reputational harm, or, in extreme cases, regulatory intervention halting the carve-out. One example is TSB in the United Kingdom. In 2018, a failed IT upgrade led to a £48.65m fine from the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) for operational-risk and governance failures, including poor oversight of outsourcing risks. The disruption affected branch, telephone, online and mobile banking, and a significant portion of TSB’s 5.2 million customers.

3. The Day 1 Readiness Challenge

The most underestimated risk lies in Day 1 readiness, ensuring that the carved-out entity can operate independently the moment legal separation occurs. This includes:

  • Critical systems: Payment gateways, trading platforms, AML monitoring, and customer support tools, among others, must be accessible from Day 1 without interruption. Identify the services that must not fail and run at least one end-to-end rehearsal with real volumes, defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO), and a timed cutover script.
  • Access management: Identity and access controls are often overlooked, yet improper setup can lead to both security vulnerabilities and failed regulatory audits.
  • Licensing and contracts: Missing software licenses or incomplete vendor agreements can leave the new entity unable to run key applications. Verifying that all licenses, entitlements and vendor approvals are in place for Day 1 will be critical throughout the program, including secure temporary dual-run rights and rapid escalation paths with suppliers.
  • Regulatory engagement: Brief supervisors on the plan, provide evidence of testing results and agree incident notification paths ahead of Day 1. Regulatory reporting across risk, finance and cyber must be extended to include the acquired perimeter.

Inadequate Day 1 readiness can have severe consequences, including frozen customer accounts, failed trades, delayed reporting, or regulatory breaches, and once trust is lost it is hard and costly to rebuild.

To reduce the risk: 

  • Run a full-volume, timed rehearsal 
  • Reconcile data before and after cutover 
  • Verify licenses, certificates, domain name system (DNS) and access 
  • Pre-brief regulators on timings and integration planning 

Avoid common pitfalls: 

  • Untested manual workarounds
  • Hidden integration dependencies 
  • Missing vendor approvals 
  • Expired certificates
  • Rollback plans that have never been exercised

4. Transitional Service Agreements (TSAs): Lifeline or Liability?

Most banking carve-outs will require a TSA, under which the parent company continues to provide IT services for an agreed period. While TSAs are essential, they also carry hidden risks:

  • Escalating costs if exit strategies are not clearly defined
  • Regulatory discomfort with prolonged dependency on a parent entity
  • Innovation delay, as reliance on legacy infrastructure postpones modernization 
  • Licensing and intellectual-property constraints (software rights, keys, vendor approvals) that do not automatically transfer

Without clear exit plans, TSAs tend to sprawl, resulting in timelines slipping, costs rising, ambiguous ownership of data and cutover, blurred security and recovery responsibilities, and hardening dependence on the parent. This can increase regulatory scrutiny and make the eventual separation even more complex. It is therefore crucial to establish a clear TSA exit plan with dates and owners and to track volumes and charges monthly, so costs fall as services wind down.

5. Execution Priorities for a Successful IT Carve-Out

The unique intersection of regulatory oversight, system interdependence, and operational risk makes IT carve-outs in banking one of the most complex change programs in financial services. Several considerations support a successful carve-out, including:

  • Map interdependencies across applications, data, and processes in detail to allocate them to projects for execution, with owners, milestones and Day 1 or post-Day 1 classification.
  • Address legacy platforms and interdependencies by stabilizing interfaces, separating batch schedulers, and securing capacity/licensing to prevent ripple effects on payments, reporting, and controls.
  • Enforce logical data separation from the outset: ring-fence data by legal entity, keep separate environments, databases and storage, use entity-specific encryption keys and access controls, block cross-entity data sharing, and maintain auditable access logs.
  • Invest in robust Day 1 readiness and operations by setting milestones and a detailed cutover timetable, applying bank-wide change freezes during the Day 1 preparation window, defining clear go/no-go checkpoints with tested rollback and fallback plans, and running a staffed war room with communications for the transition and early-life support.
  • Design TSA agreements with cost, compliance, and flexible exit in mind by setting clear scope and SLAs, defining declining volume/price schedules, fixing exit milestones and data cutover points, specifying knowledge transfer and access rights, establishing change control and audit rights, and enforcing penalties for missed milestones, cost overruns, and service breaches.
  • Engage regulators early and maintain transparent communication.
  • View the carve-out as a catalyst for modernization and value creation to rationalize applications, retire technical debt, and, where regulators allow, accelerate cloud migration to unlock cost efficiency, agility, and new revenue opportunities.

Conclusion

IT carve-outs in banking are far more than an exercise in technology separation; they are a test of resilience, compliance, and strategic foresight. The hidden complexity lies in balancing short-term continuity with long-term independence, all under close regulatory scrutiny. Those who approach carve-outs with early, disciplined planning not only avoid operational and regulatory pitfalls but also unlock opportunities to reshape their IT landscape for the future.

Authors

Javier Hernandez Suarez

Director