Summary
- Crosskey Banking Solutions Ab Ltd sells more than a named core-banking product. The customer buys a continuing processing relationship: account and customer records, payments, lending workflows, card and wealth modules, open-banking interfaces, file exchange, release updates, regulatory change work, incident handling and operational support that would otherwise have to be funded and governed inside a bank.
- The public evidence supports the outsourcing thesis, but with limits. Crosskey is a wholly owned Bank of Aland subsidiary based in Mariehamn, its parent reports EUR 33.8 million of 2025 external IT income and a 379 full-time-equivalent Crosskey workforce, Crosskey says its platforms power the daily banking of one in five Finns, and named customers or contracts include S-Pankki, POP Bank, Aktia, Handelsbanken and Lansforsakringar Bank. The same public record also shows project cyclicality, high fixed staff cost, and thin recent IT segment profitability.
- The commercial tension is not whether a small bank can send a file to an outside processor. It is whether the outsourced platform lowers total cost and compliance burden without creating a dependence that becomes hard to audit, hard to exit, hard to localize and hard to explain when a system, regulation or payment scheme changes.
A regional bank considering Crosskey begins with a deceptively small operational question. A corporate customer uploads a payment file. A branch officer opens a customer record. A mobile app asks for a balance. A payment engine confirms whether an account exists, whether a customer is allowed to initiate a transfer, whether the data has the right format and whether a response can be returned within the promised window. On the screen, this looks like ordinary banking. In the back office, it is a chain of ledgers, certificates, file references, customer identifiers, account controls, payment messages, sanctions and fraud checks, scheme rules, audit trails, reconciliations and incident routines.
The economic unit in this article is the core-banking processing file. That phrase is deliberately narrower than "banking platform" and wider than one technical file. It means the continuing operational unit a small or regional bank buys when it decides that a specialist should process, validate, route, store, update and support the records and messages that make ordinary banking possible. The visible artifact may be an account statement file, a customer payment initiation, a balance download, an API call, a credit lifecycle event, a card authorization, a PSD2 request or a loan portfolio record. The purchased object is the discipline around those artifacts: keeping them correct, compliant, available and upgradable.
That unit becomes expensive as soon as the buyer counts all costs. A bank can hire developers, buy infrastructure, maintain databases, connect to payment rails, operate file-transfer services, monitor security, update PSD2 and instant-payment rules, run audit evidence, test disaster recovery, maintain customer and account data models, answer incidents, renew certificates, manage suppliers, and keep specialists available when a regulator, scheme, customer or board asks what happened. It can also outsource much of that burden, while keeping responsibility for governance and customer outcomes. The outsourcing choice is not free. It converts internal complexity into vendor concentration, contract oversight, data-protection accountability, exit risk and a need to understand enough of the black box to challenge it.
Public evidence is consistent with the thesis that Crosskey is paid when a smaller or regional bank believes this bargain is safer to buy than to build. Crosskey describes itself as a Nordic banking technology company delivering modular banking platforms as SaaS for banks and financial institutions. Its homepage says the solutions cover daily and transactional banking, payments, card management, NetBank, wealth management and open banking, and that the architecture is API-first. The Bank of Aland's 2025 annual report says Crosskey's solutions are used by one-sixth of Finland's population and by a growing proportion in Sweden; Crosskey's own updated website now says it powers the daily banking of one in five Finns. Those claims do not prove every customer outcome, but they do show the scale at which Crosskey wants to be judged.
The question is whether the public record proves the unit is worth paying for. It proves some important pieces. It proves institutional identity, ownership, product coverage, named customer adoption, scale claims, financial size, regulatory pressure, and the cost base of a specialist platform business. It also proves that the unit is not a magic margin machine. In 2025 the Bank of Aland IT segment, which encompasses Crosskey Banking Solutions Ab Ltd and S-Crosskey Ab, reported EUR 55.0 million of total segment income, EUR 33.8 million of external IT income after eliminations, EUR 56.8 million of total expenses, a EUR 1.8 million net operating loss, and an expense/income ratio of 1.03. In 2024 the same segment had a small EUR 0.7 million net operating profit. That is not the profile of a trivial software licence. It is a staff-heavy, project-heavy, regulated operations business where the supplier must keep investing even when project income falls.
What remains missing is equally important. Public evidence does not disclose Crosskey's customer-by-customer revenue, gross retention, renewal pricing, service-level penalty history, outage frequency, incident root causes, exact data residency by workload, cloud-provider concentration, exit-test results, customer satisfaction across all clients, or the profitability of individual platform modules. The evidence supports a cautious outsourcing thesis. It does not prove that every customer gets a lower total cost of ownership than an internal build, and it does not prove that dependency risk has been neutralized.
The file is the visible edge of a deeper bargain
The most useful public technical document for understanding the economic unit is not a glossy marketing page. It is a POP Bank-hosted Crosskey "PKI File Transfer Technical Description for software supplier" document. The document describes services such as UploadFile, DownloadFileList, DownloadFile and GetUserInfo. It describes certificate enrolment, renewal windows, production-environment requirements, compression of large content, response codes, account statement files, balance files, transaction files, e-invoice material, authority requests and production service URLs for Alandsbanken and S-Pankki. It even states that real-time balances and transactions can be downloaded through a direct call without first asking for a file list, while limiting requests with more than 50 accounts.
This is not evidence that POP Bank's eventual core replacement is built from that specific old file-transfer interface. It is evidence of the kind of operational surface that makes bank outsourcing concrete. A bank's business rests on thousands of small transfers of machine-readable material: payment initiation, statement delivery, balance retrieval, card information, e-invoice exchange, certificate validation and exception handling. Each file type is boring until it fails. Then a payroll run is delayed, an accounting system cannot reconcile, a corporate customer cannot see a balance, an account holder receives the wrong status, or a bank must explain why a backend query returned nothing when a value was expected.
That is why the "processing file" is the right lens for Crosskey. The customer is not only buying a core ledger. It is buying the routines that keep the ledger connected to surrounding systems. Crosskey's transactional banking page says its platform covers payments, lending, deposits and customer management, built for real-time processing, regulatory compliance and long-term reliability. It lists onboarding, customer data, account management, payments, credit origination and loan servicing as connected workflows. The customer and deposit capability page describes a customer register, AML and KYC standards, deposit and account products, account management and credit approvals. The payments page adds SEPA instant credit transfers, ordinary SEPA transfers, Swedish rails such as RIX-ISO, RIX-Inst, Autogiro and Swish, international payments, automated compliance checks, reconciliation and 24/7 monitoring.
This bundle matters because a bank cannot make a clean boundary between "core" and "adjacent" in daily operations. A payment file depends on account state. Account state depends on customer identity, product configuration and available funds. A credit decision depends on customer data, scoring rules, auditability and loan servicing. A PSD2 request depends on consent, strong customer authentication, third-party-provider validation and traceability. A card authorization depends on scheme connectivity, account links, tokenization, fraud controls and settlement. A small bank that tries to build one piece eventually discovers that it must govern the chain.
Crosskey's commercial claim is that its chain is already built for the Nordic regulated reality. The homepage says Crosskey combines proven banking technology with modular design, implements and operates solutions with customers, and has deep Nordic expertise. The about page says banks face rising costs from digitalisation, stricter regulation, customer expectations, new competitors and cybersecurity threats; Crosskey's answer is an API-first, modular and AI-ready platform built through long-term collaboration. The words are marketing language, but the cost logic is serious. If a bank spreads platform cost across only one institution, every regulatory update and incident drill is its own fixed cost. If a specialist spreads the same update across several institutions, the economics can improve, provided the supplier maintains enough discipline and enough customer-specific understanding.
Identity, jurisdiction and ownership make Crosskey more than a vendor name
Crosskey Banking Solutions Ab Ltd is not an anonymous software brand. Public Finnish WHOIS data for crosskey.fi lists the holder as Crosskey Banking Solutions Ab Ltd, business ID 1906672-0, with the address Elverksgatan 10, 22100 Mariehamn, Finland. The Bank of Aland 2025 annual report lists Crosskey Banking Solutions Ab Ltd as a 100 percent-owned subsidiary with registered office in Mariehamn and field of operations "IT." The same report lists S-Crosskey Ab as a 60 percent-owned Mariehamn IT subsidiary. A NordLEI record lists Crosskey's LEI as 74370083CQBNQ6Y15227, status active, with registration at PRH through Finland's Business Information System.
The ownership context matters. Crosskey is owned by a bank, not by a venture-backed infrastructure startup. Bank of Aland's annual report describes the group as a bank with a fund management company and an IT company. It says the group is a supplier of modern banking computer systems for small and medium-sized banks through Crosskey. The chief executive's letter says Crosskey income decreased somewhat due to lower project income, but Crosskey remains strategically important and central to long-term growth. That makes Crosskey both a subsidiary business and part of the parent bank's operating model. It also gives customers a specific counterparty to assess: a Mariehamn-based Finnish group, listed parent disclosure, bank ownership, and a long record in Nordic financial services.
Crosskey's physical footprint supports the regional thesis. Its contact page lists Mariehamn, Stockholm, Helsinki and Turku locations. The annual report lists the Mariehamn head office at Elverksgatan 10, a Helsinki office at Unioninkatu 13, a Turku office at Lemminkaisenkatu 32 and a Stockholm office at Hollandargatan 13. Crosskey says it has 410-plus people powering banking solutions, while Bank of Aland's employee note reports 379 full-time-equivalent positions at Crosskey Banking Solutions Ab Ltd in 2025, up from 368 in 2024. This is not a tiny project shop attached to a sales website. It is a several-hundred-person specialist whose cost base is mostly people, delivery, support and platform maintenance.
The institutional form gives Crosskey credibility, but it also sharpens the governance question. A bank-owned supplier can understand banking from the inside, yet customers must still assess whether the supplier's priorities align with their own product roadmaps, pricing needs, regulatory risk and exit options. If a bank outsources to a global core provider, it may worry about being too small to matter. If it outsources to a Nordic specialist, it may get more domain fit but a narrower supplier market. If it outsources to a bank-owned specialist, it gets bank DNA and perhaps long-term orientation, but it still needs a contract that makes service quality measurable.
The public financials show a real business with thin recent segment returns
Crosskey's economics are easiest to see through the Bank of Aland segment disclosures. The group's 2025 year-end report says IT income fell EUR 1.3 million, or 4 percent, to EUR 33.8 million because project income was lower. The segment table shows more detail. In 2025 the IT segment generated EUR 54.9 million of IT income before eliminations and EUR 2.2 million of IT income in Corporate and Other, with EUR 23.3 million eliminated, leaving EUR 33.8 million group IT income. The IT segment's total income was EUR 55.0 million. Staff costs were EUR 32.5 million, other expenses EUR 20.3 million and depreciation/amortisation EUR 4.0 million, producing total expenses of EUR 56.8 million and a EUR 1.8 million net operating loss.
Those figures are useful because they reveal the platform cost structure. The biggest single line is staff. That is what one would expect from a regulated financial software and operations supplier: developers, application managers, product managers, infrastructure and operations staff, security specialists, project managers, account teams, compliance-aware engineers and support roles. Other expenses are also material, which is consistent with infrastructure, licensing, office, supplier and operating costs. Depreciation/amortisation reflects capitalized or acquired technology, office equipment and other assets. A core-banking processor does not scale like a pure consumer app. It must maintain people and controls before revenue arrives.
The year-on-year comparison also matters. In 2024 the IT segment had EUR 54.3 million of total income, EUR 53.7 million of expenses and EUR 0.7 million of net operating profit. In 2025 total income rose slightly, but expenses rose more. The parent attributed the external IT income decline to lower project income. That is the business model's vulnerable point. A large implementation, migration or regulatory project can lift income in one period; a lower project flow can expose the ongoing cost of keeping the platform ready. For a customer, this can be good or bad. Good, because a supplier with many customers and recurring operations can keep specialists employed and available. Bad, because a supplier with thin margins may need future price rises, more projects, cost discipline or broader customer wins to fund the same service ambition.
Crosskey's own December 2025 Tivi250 announcement says its turnover reached EUR 54 million in 2024 and that the Finnish list ranks the 250 largest IT and tech companies based on turnover. A Finnish company-information page from Asiakastieto reports Crosskey Banking Solutions Ab Ltd's 2025 revenue at EUR 55.5 million, a 1.5 percent increase, with 390 employees and an operating loss of EUR 1.9 million. Those are non-audited public-directory signals from the article's perspective, but they are consistent with the parent segment numbers: roughly mid-50s million euro activity, several hundred staff, and a near-breakeven or loss-making recent operating profile.
The pricing logic is only partly public. Crosskey's Verification of Payee page is unusually specific, saying the service uses SaaS-based pricing with a fixed base fee for platform access, operations and support, plus a variable component reflecting actual usage. The Swift Service Bureau page emphasizes predictable pricing and lower cost of ownership through shared infrastructure. The cards page says the fully managed SaaS model creates cost-sharing possibilities. The transactional banking page says the partnership model includes cost-sharing opportunities that help reduce total cost of ownership. These claims align with the segment economics: customers pay for a base of operational capability and then for usage, modules, implementation, change work or support. Exact prices are not public.
The customer's economic question is therefore not "is Crosskey cheaper than zero?" It is whether Crosskey's fixed fee, usage fee, implementation cost, governance work, integration work and switching friction are lower than the total cost of keeping equivalent capability in-house. For a small or regional bank, that total cost includes not only salaries and servers, but hiring risk, audit evidence, incident response, regulatory interpretation, scheme connectivity, vendor management, capital expenditure, release testing and the opportunity cost of asking scarce engineers to maintain commodity banking rails instead of building customer differentiation.
Customer evidence shows adoption, not perfect proof
The strongest public customer evidence is S-Pankki. Crosskey's S-Pankki case study says Crosskey delivered availability of 99.9 percent, 24/7 customer service via the eBanking channel, and more than 100 million transactions per year. The case says S Group wanted to launch a bank, that starting a bank required integration and alignment of the banking system and extensive data migration, and that Crosskey's core banking product and online bank supported customer management, deposits, loans, payments and business products. It says S Bank has worked with Crosskey since the launch of its banking operations in Finland in 2006.
For this article, the S-Pankki case is important not because it is independent proof of all service levels. It is company-authored customer evidence. But it is specific enough to show what Crosskey sells in the real world: a foundation for a bank's business, not a peripheral plug-in. S-Pankki did not merely buy a report generator. It bought core banking and online banking capabilities as part of a launch and growth story. An S-Bank annual-report note also helps explain S-Crosskey: S-Bank Plc owns 40 percent and Crosskey owns 60 percent of S-Crosskey Ab, an IT services company that sells banking information systems for banking and related activities and provides consulting services, mostly to S-Bank Plc. That structure makes the relationship more embedded than a simple software licence.
POP Bank is the next major core-banking signal. Crosskey's January 2022 press release says POP Bank signed a cooperation agreement with Crosskey on renewal of its core banking system, initially anticipated for 2025. It describes POP Bank Group as including 21 POP Banks, the digitally operating non-life insurer P&C Insurance Ltd, Bonum Bank Plc and POP Bank Centre coop. The release says POP wanted to combine personal and digital services, high customer satisfaction and quick decision-making; Crosskey's managing director described future-proof corebank, netbank, capital market and API platforms for POP Pankki. Bank of Aland's 2025 annual report later says Crosskey continued intensive work on the POP Banks implementation project and expected full production in 2026.
That sequence matters. A core replacement is not a press-release event; it is a multi-year migration. The 2022 announcement, the 2025 annual-report implementation note and the 2026 expected production language show the cost and risk behind the sale. When a bank changes core systems, it is not just choosing a feature list. It must migrate data, train staff, connect channels, test products, preserve customer service, manage regulators, and avoid breaking ordinary banking while replacing the machinery underneath. The public record does not yet prove POP's final production outcome, but it does prove that Crosskey had a major ongoing implementation.
Handelsbanken adds a different signal. Crosskey's April 2026 press release says it signed a long-term agreement with Handelsbanken for SaaS services managing a specific euro loan portfolio, and Bank of Aland's Q1 2026 interim report says Crosskey signed an agreement to take IT responsibility over from Samlink for Handelsbanken's remaining operations in Finland. This is not the same as a full bank core replacement. It is still relevant because it shows a large Nordic bank selecting Crosskey for a defined loan-management operation where continuity, migration capability and cost efficiency are central.
Aktia provides an open-banking signal. Crosskey's June 2025 release says Aktia, a Finnish asset manager, bank and life insurer, signed an agreement to use Crosskey's C Open PSD2 Dedicated Interface as a Service. The release says the cloud-based Open Banking service would simplify integrations toward third-party providers and customers. Crosskey's open-banking product page says the platform supports PSD2, is designed for PSD3 and PSR, provides consent management and data protection, and offers auditability, certificate validation, traffic control, monitoring, throttling and lifecycle management. Again, the public proof is adoption and product design, not customer-level outcome metrics.
Lansforsakringar Bank shows a wealth-management substitute edge. Crosskey's 2020 release says Lansforsakringar Bank selected a SaaS-based securities trading solution covering order management and execution, customer portfolio management, clearing and settlement for securities and mutual funds. The company linked the win to Crosskey and Model IT after Crosskey's 2019 acquisition of Model IT. That acquisition, disclosed by Bank of Aland, said Crosskey bought a Helsinki software company with OneFactor for asset-management customers and cFrame for insurance-sector customers, strengthening its offering for banks, asset managers, fund companies and insurance companies. Crosskey is therefore not only a deposit-and-payment processor. Its economic surface extends into capital markets, wealth and custody.
These customer records support the thesis, but they should not be overstated. Named customers show that Nordic financial institutions buy Crosskey for meaningful workloads. They do not disclose renewal rates, customer profitability, service incidents, implementation overruns, contractual penalties or comparative pricing against rival suppliers. A serious judgement treats adoption as evidence of market fit, not as a guarantee of superiority.
Why a regional bank might pay to avoid building
The argument for buying Crosskey is strongest when the buyer is neither a tiny fintech with a narrow product nor a large universal bank with massive internal technology resources. A small or regional bank wants modern channels, payment readiness, compliance updates, account and customer record integrity, product flexibility and enough scale to keep customer expectations. It may also want to preserve a local brand and branch or relationship model. The tension is that the customer sees one bank, while the bank has to fund a technology estate that looks more like a national infrastructure business.
A core-banking processing file becomes expensive because it is a promise to be boring under stress. The payment file must be accepted. The balance must be current. The certificate must be valid. The response must fit the scheme rule. The account statement must reconcile. The AML and KYC control must be embedded. The customer must not lose service during a migration. The bank must be able to show audit evidence. Every new payment rule, open-banking change, instant-payment expectation, data-protection interpretation or operational-resilience requirement becomes work. If the bank owns the stack, it owns all the work. If Crosskey owns the platform, the bank buys a share of that work, but still owns the decision to outsource and the duty to supervise.
The first benefit is shared expertise. Crosskey's about page frames its value around Nordic banking specialists who understand regulated reality. That matters because banking rules are not generic enterprise software requirements. Payments, card schemes, customer due diligence, strong authentication, privacy, operational resilience, accounting, lending workflows, investor protection and local market conventions all shape software design. A general-purpose integrator can write code. A financial-platform supplier should know which controls must not be improvised.
The second benefit is release discipline. Crosskey's product pages repeatedly emphasize modular architecture, API-driven integration, regulatory readiness, monitoring and partnership. A bank buying the platform is buying updates over time, not only initial implementation. This is central to the economics. The first version of a bank system is expensive, but the permanent cost is change: new EU rules, payment scheme deadlines, certificate renewals, new wallet integrations, security requirements, customer-channel expectations and board demands for faster product launch. A supplier with multiple banks can turn repeated regulatory change into a shared roadmap.
The third benefit is continuity. Crosskey's S-Pankki case study says the core product handles millions of customers and transactions with high accessibility. Its annual report discussion emphasizes stability and security; Crosskey says its customers have many end customers who trust stable and secure systems every day. Its homepage and about page provide scale claims: one in five Finns, 1 billion API calls per month, 1.9 billion transactions per year, and more than 50 million C ID logins per month. These figures are company claims, but they are specific. They suggest that the platform is sold on live operational volume, not only on roadmap slides.
The fourth benefit is purchasing focus. A regional bank can put scarce management attention into credit, customer relationships, local deposits, advisory service, product design and risk selection rather than building the plumbing. That is especially relevant for banks that want to combine personal service with modern digital channels. POP Bank's announcement used precisely that language: combining personal and digital service, customer satisfaction and fast decisions. The commercial logic is that a local bank can remain local in proposition while outsourcing part of the heavy regulated machinery.
The fifth benefit is optionality. Crosskey does not sell only one monolith. It offers transactional banking, cards, wealth management, Swift connectivity, open banking, Verification of Payee, payments, lending, customer and deposit services, portfolio and custody services, asset management, fund management, and integrations. A customer may choose a full banking core, a PSD2 interface, a loan portfolio service, a securities trading service, or a Swift bureau. This lets Crosskey compete both as a core platform and as a module supplier. It also lets a bank reduce scope risk by buying a narrower service first.
The strongest counterargument is that buying optionality can create long-term dependency. Once data, workflows, staff habits, customer channels, product definitions, certificates, interfaces and audit routines are tied to a supplier, the bank cannot switch easily. Outsourcing reduces build cost, but it does not eliminate exit cost. In a core-banking context, exit cost is not an abstract procurement worry. It is the risk that a future board, regulator or merger partner wants to move, but the cost, time and operational danger of migration are so high that the bank must accept the incumbent's roadmap and pricing.
Regulation makes outsourcing both necessary and harder
Bank outsourcing is not a private convenience hidden from supervisors. The European Banking Authority's outsourcing guidelines define and assess outsourced activities, services, processes and functions, including whether they are critical or important. The EBA says the guidelines aim to harmonize outsourcing governance for financial institutions, including credit institutions, investment firms, payment institutions and electronic-money institutions. The 2019 final report integrated earlier recommendations on cloud outsourcing. In plain terms, a bank cannot outsource the core and then stop understanding the risk.
DORA raises the pressure. The European Banking Authority's DORA page says the Digital Operational Resilience Act creates an EU-wide oversight framework for critical ICT third-party providers to keep the financial sector secure and resilient against ICT disruptions. The EUR-Lex text of DORA requires financial entities to maintain and update registers of information covering contractual arrangements for ICT services from third-party providers, and to make those registers available to competent authorities on request. That is a direct relevance to Crosskey's buyers. A bank that uses Crosskey for critical processing needs documentation, oversight and evidence.
Crosskey's public material is clearly written for this environment. Its security capability page says security is integral to how solutions are designed, delivered and operated. It describes predicting, preventing, detecting and responding to risk; risk assessments covering technology, operations, suppliers and business processes; secure architecture; a secure software development lifecycle; continuous monitoring; escalation paths; incident handling; and alignment with Swift, GDPR, NIS2, AML, KYC, DORA, PSD2/PSD3 and open-banking regulatory expectations. The 2025 Bank of Aland annual report says Crosskey continued investing in security solutions and processes, that legal requirements such as DORA and NIS2 are driving the industry toward a stronger security focus, and that Crosskey completed PCI-DSS certification for the 13th year in a row.
This is material evidence, but not final proof. A supplier's security page shows its intended operating model. PCI-DSS certification shows a long-running card-data control discipline. Annual-report references to DORA, NIS2 and cybersecurity show management attention. What is not public is the detailed audit result, incident history, resilience-test scope, recovery-time performance, supplier register, subcontractor map or customer-specific control evidence. Banks buying Crosskey will see more than the public sees. The public article cannot assume those private documents are strong.
Regulation also creates demand for Crosskey's products. PSD2 forced banks to expose account information and payment initiation through regulated access. Crosskey sells PSD2 Dedicated Interface as a Service and premium API management. The Instant Payments Regulation and Verification of Payee requirements create new timing, scheme and verification burdens. Crosskey's VOP page says it manages regulatory alignment, technical updates, registry complexity, time-limit assurance and IBAN-to-BIC mapping, with a base fee plus variable usage. The Swift Service Bureau page says the service helps financial institutions avoid the cost and complexity of running Swift infrastructure in-house while preparing for instant-payment schemes such as SCT Inst, TIPS and RIX-INST. Regulation is therefore both a burden and a sales engine.
The paradox is that outsourcing can be the rational way to keep up with regulation while also making the bank more dependent on one outside firm's regulatory competence. If Crosskey updates correctly, customers avoid duplicated work. If Crosskey is late, wrong or too generic, multiple customers can share the same weakness. DORA's focus on critical ICT third-party risk exists because this concentration is not hypothetical. It is a feature of modern financial infrastructure.
Data locality is a watchpoint, not a conclusion
The assignment's controlled topics include cloud service dependency and data sovereignty. Crosskey's public evidence makes both relevant, but the careful conclusion is limited. Crosskey's homepage and product pages repeatedly use SaaS language. The Crosskey SaaS page says it delivers a modern hybrid SaaS platform for banks and fintechs, combining cloud-based and on-premise deployment. The open-banking page describes a cloud-based platform for PSD2 and open finance. The Aktia release calls C Open a smooth, future-proof cloud-based solution. The about page describes API-first, AI-ready platforms. This proves that cloud and SaaS are part of the public proposition.
It does not prove where regulated production workloads or personal data are located for each customer. Crosskey's public website itself is not a bank-processing system. DNS observed on 2026-07-05 showed crosskey.fi using Amazon Route 53 name servers, Microsoft-hosted mail exchange and TXT records for several services. The public website resolved through Webflow and Cloudflare, with response headers showing a Webflow region of us-east-1. crosskey.io, the Open Banking Market domain, resolved to Amazon Web Services addresses and used Amazon inbound mail. These records show public marketing and developer-portal surface dependencies. They cannot prove internal banking architecture, account-data residency, service quality or customer-data processing locations.
That boundary matters because data sovereignty risk is often overstated from public DNS. A bank website on a US-hosted edge does not mean customer core data is stored there. A marketing domain using AWS does not mean a regulated production ledger runs on AWS. Conversely, a local office in Mariehamn does not prove all data remains in Finland or the Aland Islands. The public record supports only a narrower claim: Crosskey sells SaaS and cloud-capable services into regulated banking, so customers must understand deployment, subcontractors, data location, access rights, encryption, audit rights, continuity and exit plans at contract level.
The Aland identity still has commercial value. Crosskey's registered office, offices in Finland and Sweden, Nordic customer base and bank ownership help it argue that it understands local banking, language, payment rails and regulatory expectations. For a Finnish or Swedish bank, this may be more persuasive than a global core provider whose closest product team is far away. But data sovereignty is not a slogan. It is a set of contractual and technical facts: where production data is stored, who can access it, which subprocessors exist, how backups are handled, how incident notices work, how regulator access is supported, how exit data is delivered, and how the bank validates those promises.
Supplier dependence is the real price of lower total cost
Crosskey's cost-sharing proposition is economically plausible. A small bank does not want to pay for every Swift update, instant-payment rail, open-banking interface, card-scheme requirement and security platform alone. It wants a specialist to carry the roadmap. But every cost-sharing model creates governance questions. Who chooses the roadmap priority? How are customer-specific changes priced? What happens when one large customer needs a migration that consumes delivery capacity? How does the supplier balance S-Pankki, POP Bank, Handelsbanken, Aktia, Aland's own bank, securities customers and new prospects?
The parent financials make this visible. Crosskey's IT segment lost money in 2025 despite meaningful revenue. The reason was not a collapse in demand; the parent specifically cited lower project income and higher expenses. That suggests a business where long-term platform obligations and staff costs persist even when project revenue changes. Customers may like this because it means the supplier keeps the platform alive. Investors may ask whether pricing captures the full cost of delivery. Buyers should ask whether thin margins could lead to future pricing pressure or slower discretionary development.
Customer concentration is another unknown. Public records name several customers, but revenue concentration is not disclosed. A supplier can be robust with a concentrated customer base if relationships are long and contracts are durable. It can also become vulnerable if one large implementation ends, one large customer insources, or a competitor wins a renewal. Crosskey's multi-customer evidence reduces the concern but does not remove it. The public record would be stronger if the parent disclosed recurring versus project IT revenue, customer concentration bands, contracted backlog and renewal rates.
Switching cost is the customer's version of concentration. S-Pankki has worked with Crosskey since 2006. POP Bank's project runs across several years. A Handelsbanken loan-portfolio service involves migration from Samlink responsibility. Lansforsakringar's securities trading project replaced incumbent systems and covered order management, execution, portfolio management, clearing and settlement. These are sticky workloads. Sticky workloads make a supplier valuable; they also make the buyer's exit plan more important.
The file-transfer evidence shows why. Once corporate software, certificates, file type codes, service URLs, customer records and account workflows are attached to a processor, moving is a practical program, not a contract signature. Data must be extracted, validated, mapped, tested and reconciled. Customers must be moved without losing service. Staff must learn new processes. Regulators and auditors must be satisfied. A failed migration can be more damaging than an expensive renewal. That gives the incumbent leverage, even when everyone acts in good faith.
The best defense is not pretending lock-in does not exist. It is making lock-in governable: clear service levels, incident reporting, audit rights, data-export obligations, escrow or continuity arrangements where relevant, subcontractor transparency, step-in or resolution plans, price-change rules, release-governance bodies, customer councils, and credible exit testing. Public evidence does not show how Crosskey contracts handle these items. It does show that regulation and product criticality make them unavoidable.
Competitors and substitutes set the price of trust
Crosskey competes against several kinds of alternatives. The first is the in-house build. A bank with enough scale can keep core banking, data platforms, payment integrations, customer channels and compliance tooling internally. That offers control and custom fit, but it requires permanent technology depth. For a smaller bank, in-house control can become fragility if key developers leave, if a major regulatory deadline arrives, or if old technology makes every change slow.
The second alternative is a global core provider. Temenos says its core banking platform serves more than 950 banks and offers end-to-end functionality, flexible deployment and SaaS where Temenos handles operations, updates, upgrades, support, risk, governance and security. FIS, Oracle, TCS BaNCS and other global platforms also compete in broader core banking. Global providers can offer product breadth and large installed bases. The tradeoff is fit, implementation complexity, pricing, and whether a small Nordic institution has influence over roadmap and local rails.
The third alternative is another Nordic specialist. Tietoevry Banking describes itself as a market-leading provider of financial SaaS solutions for the Nordics and beyond, with thousands of experts and customers in 60 countries across payments, cards, fraud prevention, lending, wealth management and banking-as-a-platform. Samlink, now under Kyndryl ownership, presents itself as a banking partner for secure modernization, core banking, digital channels and compliance continuity. Evitec provides financial-sector software and consulting, especially in banking and mortgage-bank operations. These alternatives show that Crosskey is not alone in selling regional banking infrastructure.
The fourth substitute is a narrower module strategy. A bank may choose Crosskey for PSD2, Swift, VOP, cards or loan servicing while keeping a different core. That can reduce dependence on one supplier but increase integration complexity. It can also preserve bargaining power by avoiding a full-platform migration. Crosskey's own product strategy acknowledges this reality: it offers platforms and standalone services. A supplier that can win modules has more entry points, but a bank that assembles modules must maintain more architecture competence.
The fifth substitute is strategic simplification. A small bank can avoid offering every product, every channel and every market feature. It can partner for mortgages, avoid complex cards, use third-party wealth solutions, or keep a narrower balance sheet. That reduces core complexity but may weaken customer proposition. The more banks feel forced to match digital expectations, instant payments, open banking and mobile service, the more they need a processor like Crosskey or a rival.
Competition therefore does not disprove Crosskey's value. It sets the test. If Crosskey's Nordic focus, bank ownership, proven customers and modular SaaS lower implementation risk and total cost, it deserves a place on a regional bank shortlist. If a buyer needs global scale, a more standardized core, stronger public financial transparency or a different cloud strategy, rivals may be more credible. The public evidence supports Crosskey as a serious regional specialist, not as an unavoidable winner.
Non-official signals are useful but secondary
Crosskey's December 2025 Tivi250 release is a market signal because it locates the company inside Finland's IT-sector turnover rankings and claims EUR 54 million of 2024 turnover. Asiakastieto's public summary reports EUR 55.5 million of 2025 revenue, 390 employees, a 1.5 percent revenue increase, an operating loss of EUR 1.9 million and an equity ratio of 37 percent. Revelio Labs estimates higher global headcount using workforce data. LinkedIn describes Crosskey as having 201 to 500 employees and customers including Alandsbanken, S-Pankki, DNB and Marginalen Bank.
Those sources help triangulate scale, but they should not carry the main judgment. The audited parent annual report is stronger for segment economics and ownership. Crosskey's own product pages are stronger for what the company sells. Customer releases are stronger for named adoption. Non-official directories and workforce estimates are useful only where they are consistent with stronger evidence or where no better public source exists. In this case, they reinforce a mid-sized specialist profile but do not change the thesis.
Public technical records are similar. They show Crosskey controls its domain, uses DNSSEC, uses public cloud and SaaS vendors for public surfaces, and maintains visible mail-authentication records. They do not show internal security, data residency, customer uptime, architecture or control quality. The useful market signal is that Crosskey's public surface is consistent with a modern SaaS company using mainstream infrastructure and authentication controls. The unsupported leap would be to infer where bank data lives or how resilient core processing is. This article does not make that leap.
Public evidence
- Crosskey homepage: https://www.crosskey.fi/ supports the company's identity, modular SaaS positioning, product range, named customer logos, scale claims, one-in-five-Finns statement, 410-plus people claim, PCI statement and Nordic banking focus.
- Crosskey about page: https://www.crosskey.fi/company/about supports the strategic framing around regulatory cost, cybersecurity pressure, API-first platform design, 1 billion API calls per month, 1.9 billion transactions per year, and more than 50 million C ID logins per month.
- Crosskey contact page: https://www.crosskey.fi/company/contact supports the Mariehamn, Stockholm, Helsinki and Turku office footprint.
- Crosskey Transactional Banking Platform: https://www.crosskey.fi/solutions/transactional-banking-platform supports the payments, lending, deposits, customer-management, AML/KYC, credit logic, real-time processing and cost-sharing discussion.
- Crosskey Payments capability: https://www.crosskey.fi/capabilities/payments supports SEPA, Swedish rails, international payments, automated compliance checks, reconciliation and 24/7 monitoring claims.
- Crosskey Cards Platform: https://www.crosskey.fi/solutions/cards-platform supports issuer processing, PCI DSS infrastructure, lifecycle management, Visa/Mastercard processing and managed SaaS card service discussion.
- Crosskey Open Banking page: https://www.crosskey.fi/solutions/open-banking supports the PSD2, PSD3/PSR, consent, TPP, sandbox, API management and cloud-based open-banking discussion.
- Crosskey Verification of Payee page: https://www.crosskey.fi/solutions/verification-of-payee supports the VOP service, EPC five-second requirement, IBAN-to-BIC mapping, fixed-plus-variable SaaS pricing and operational model.
- Crosskey Swift Service Bureau page: https://www.crosskey.fi/solutions/swift-service-bureau supports the managed Swift connectivity, shared infrastructure, predictable pricing, instant-payment scheme and outsourcing-cost discussion.
- Crosskey security capability: https://www.crosskey.fi/capabilities/security supports the risk, monitoring, incident response, regulatory alignment and PCI DSS since 2013 claims.
- Bank of Aland 2025 annual report PDF: https://assets.alandsbanken.com/pdf/result/arsredovisn2025en.pdf supports Crosskey ownership, group structure, operational narrative, DORA/NIS2 and PCI-DSS statements, product-area definition, segment income/expense/profit figures, Crosskey FTE count and office addresses.
- Bank of Aland 2025 year-end report PDF: https://assets.alandsbanken.com/pdf/result/en_resultat_jan-dec_25.pdf supports the 2025 external IT income, segment figures and lower project income explanation.
- Bank of Aland Q1 2026 interim report PDF: https://assets.alandsbanken.com/pdf/result/en_resultat_jan-mar_26.pdf supports the Handelsbanken transfer-of-IT-responsibility statement and Q1 2026 IT income/segment figures.
- Crosskey S-Pankki case study: https://www.crosskey.fi/resources/s-pankki supports the S-Pankki launch, core banking and online bank scope, 99.9 percent availability claim, 24/7 eBanking support claim and more than 100 million transactions per year claim.
- Crosskey POP Bank press release: https://www.crosskey.fi/resources/pop-bank-selects-crosskey-as-its-core-banking-system-partner supports POP Bank's core-banking renewal agreement, group composition and expected corebank/netbank/capital-market/API platform scope.
- Crosskey Handelsbanken press release: https://www.crosskey.fi/resources/crosskey-and-handelsbanken-signs-agreement-for-crosskeys-saas-based-loan-managagement-services supports the long-term loan-portfolio SaaS agreement.
- Crosskey Aktia press release: https://www.crosskey.fi/resources/aktia-chooses-crosskey-as-their-psd2-compliance-provider supports Aktia's selection of Crosskey's C Open PSD2 Dedicated Interface as a Service.
- Crosskey Lansforsakringar Bank release: https://www.crosskey.fi/resources/lansforsakringar-bank-taps-crosskey-for-complete-securities-trading-solution supports the securities trading solution, order-management, portfolio-management, clearing and settlement scope.
- Bank of Aland/GlobeNewswire Model IT acquisition release: https://www.globenewswire.com/news-release/2019/10/29/1936758/0/en/bank-of-%C3%85land-plc-s-subsidiary-crosskey-banking-solutions-ab-ltd-is-acquiring-model-it-oy.html supports the Model IT acquisition, OneFactor/cFrame context and expansion into asset-management, fund and insurance software.
- POP Bank-hosted Crosskey PKI File Transfer technical document: https://poppankki.fi/hubfs/POP%20Pankkiryhm%C3%A4/Web%20Services/PFT%20Technical%20Description%20for%20software%20supplier%202.3.3.pdf supports the concrete file-transfer, certificate, upload/download, account-statement, balance and transaction evidence.
- EBA outsourcing guidelines page: https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/internal-governance/guidelines-outsourcing-arrangements supports the outsourced critical-or-important function and governance context.
- EBA DORA page: https://www.eba.europa.eu/activities/direct-supervision-and-oversight/digital-operational-resilience-act supports the EU critical ICT third-party oversight context.
- EUR-Lex DORA regulation: https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng supports the register-of-information requirement for ICT third-party contractual arrangements.
- Tietoevry Banking Lokalbank release: https://www.tieto.com/en/newsroom/press-releases/2025/tietoevry-banking-enters-long-term-partnership-with-lokalbank/ supports the Nordic banking SaaS competitor context.
- Samlink banking partner page: https://samlink.fi/our-solutions/banking-partner-of-choice/ supports the Nordic core-banking and modernization competitor context.
- Temenos core banking page: https://www.temenos.com/products/core-banking/ supports the global core-banking and SaaS competitor context.
Facts that would change the judgement
The evidence supports the claim that Crosskey is paid for core-banking processing discipline, not merely software access. The public record shows a bank-owned Nordic supplier with named customers, meaningful transaction-scale claims, several hundred employees, multi-year implementation evidence, regulatory-security positioning and audited parent segment disclosure. It also shows why the supplier is valuable: a small bank can buy shared updates, continuity, integration experience and compliance competence instead of duplicating all of it internally.
The judgement would become stronger if Crosskey or its parent disclosed recurring versus project IT revenue, customer concentration, renewal rates, contracted backlog, customer-level service-level performance, incident frequency, average recovery times, implementation-budget outcomes, independent customer satisfaction, exit-test results and data-residency controls by service. It would also become stronger if the POP Bank implementation publicly confirmed full production, stable migration, customer-impact metrics and post-go-live service performance.
The judgement would weaken if Crosskey's IT segment continued to lose money while project income fell, if large customers delayed or cancelled migrations, if regulatory findings exposed weak operational controls, if repeated incidents affected customer banks, if customers reported difficult exits, if competitors proved lower total cost with stronger public service metrics, or if cloud and subcontractor disclosures showed concentration risk that customers could not govern.
The public record suggests that Crosskey's commercial value is real but conditional. It is most persuasive for banks that need Nordic financial-infrastructure depth, a modular route to modernization and a supplier willing to operate alongside customer teams. The thesis remains unproven without better metrics on recurring revenue quality, service availability, incident history, data-locality controls, implementation outcomes and exit portability. A processing file can make outsourcing rational; it can also be the first place dependency becomes visible.

