Germany: BaFin's Supervisory Requirements For IT In Financial Institutions

Last Updated: 10 July 2018
Article by Katja Michel

German financial services supervisor clarifies supervisory requirements on IT systems, processes and governance in financial institutions

This Client Alert is part of series of briefings on supervisory guidance on conduct of business and organizational requirements in the financial services sector issued by the German Financial Services Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin). Please see our further coverage on inter alia "The German BaFin's changes to MaRisk and the impact on market participants" and the "Revised MaComp" on our Eurozone Hub website.

BAIT as "core component" for IT supervision in the financial services sector

The rapidly expanding provision of IT-based financial services as well as banks' and financial institutions' increasing internal reliance on IT processes put new challenges on supervisors. To keep pace with this development, the BaFin has introduced a range of supervisory measures.1

Amongst them and as "the core component for IT supervision of all credit and financial institutions in Germany",2 the BaFin has published the Circular on Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT – BAIT) at the beginning of November 2017.3 The BAIT clarifies the supervisor's expectations for firms' compliance with the requirements on secure IT systems and associated IT processes (as regard the integrity, availability, authenticity and confidentiality of data) as well as on IT governance.4

Significant impact

Though the BAIT does not set forth legally binding requirements, it specifies the BaFin's expectations on compliance with IT requirements in financial institutions. In this regard the BAIT has a significant impact on the market: In-scope firms will want to implement and adhere to the principles- based requirements of the BAIT as non-compliance might bring them into the supervisor's focus. This is even more true as the BaFin stressed in its letter to the associations (Anschreiben an die Verbände), which accompanied the publication of the BAIT, that IT governance and information security are of "equal importance" as firms' compliance with capital and liquidity.5

Irrespective of the BAIT's significance for the local German financial services sector, the BAIT is likely to also impact on the further development of supervisory requirements for IT in financial institutions on an EU scale. In this regard, the BaFin has already announced in the January 2018 edition of its monthly journal, that it will "actively put forward in the discussion" the BAIT as regards the planned EU-wide harmonization of requirements on the management of IT risks.6

Scope

The BAIT further details statutory requirements of the German Banking Act (Gesetz über das Kreditwesen (Kreditwesengesetz – KWG)) on the proper business organization (ordnungsgemäße Geschäftsorganisation) of institutions and the outsourcing of activities and processes from an IT point of view.7 As the BAIT builds on the BaFin's Circular on Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement – MaRisk), which itself further details (amongst others) IT requirements of the KWG, the BAIT and the MaRisk must be read together. For further information on the 2017 updates to the MaRisk please see our Client Alert which forms parts of this briefing series.8

The close link between the MaRisk and the BAIT is also apparent in that both Circulars have the same intended recipients: In-scope firms include (inter alia) credit and financial institutions within the meaning of the KWG9 as well as German branches of third country firms providing banking business or financial services in Germany (third country branches).10 The scope further e.g. extends to branches of German credit or financial institutions carrying out business internationally. Explicitly excluded from the MaRisk's and the BAIT's application are German branches of EEA firms which make use of the European "passport" for providing banking business or financial services in Germany.11 For those firms relocating operations to Germany as a result of Brexit or otherwise, the BAIT will apply to them regardless of whether such a firm sets up a third country branch"12 in Germany or, as is more likely, a fully standalone subsidiary.

Subject areas – an overview

The BAIT further details requirements on the following subject areas:

IT strategy

The management board must define an IT strategy that is consistent with the institution's business strategy and contains (at least) the minimum requirements specified in the BAIT. Amongst others, these requirements include the strategic development of the institution's organizational and operational structure of IT and of the outsourcing of IT services, the responsibilities and integration of information security into the organization and the strategic development of the IT architecture.

IT governance

In scope-firms must provide for a structure to manage and monitor the operation and further development of IT systems including related IT processes on the basis of the IT strategy (IT governance). As part of this, the institution must ensure e.g. that appropriate staff are available for information risk management, information security management, IT operations and application development (in particular) and that conflicts of interest and activities that are not compatible with each other are avoided within the structure of IT.

Information risk management

As part of information risk management, institutions must set up a catalogue of target measures which specifies and suitably documents the institution's requirements for implementing the protection objectives ("integrity", "availability", "confidentiality" and "authenticity") in the various categories of protection requirements.

The BAIT further specifies the requirements on the risk analysis and the reporting to the management board on information risks.

Information security management

It is the management board's responsibility to agree an information security policy and to communicate this within the institution. The information security policy should serve as the basis for more specific information security guidelines and processes in the institution.

Further, an independent "information security officer function" must be established within the in-scope firm's organization. The information security officer is responsible for all information security issues within the institution and with regard to third parties and must report to the management body on the status of information security regularly, at least once a quarter, and on an ad hoc basis. Under certain conditions regionally active institutions and small institutions can appoint a joint information security officer.13

User access management

Under the BAIT, user access management should be based on user access rights concepts. By way of technical and organizational measures institutions must ensure that circumvention of the requirements contained in the user access rights concepts is excluded. The processing of access rights (setting up, changing etc. of access rights) must be documented "in a way that facilitates comprehension and analysis".

IT projects and application development

Institutions must establish an organizational framework for IT projects and manage IT projects (including the IT project portfolio in its entirety) appropriately. Major IT projects and IT project risks are subject to reporting to the management body (regularly and on an ad hoc basis).

Further, institutions must base their application development on defined and appropriate processes. Appropriate arrangements must ensure that after the application goes live the confidentiality, integrity, availability and authenticity of the data to be processed are comprehensively assured. Applications must be tested on the basis of a defined testing methodology.

IT operations

The BAIT further contains specific requirements for IT operations. Institutions must e.g. manage the portfolio of IT systems appropriately and set up processes for changing IT systems taking account of their nature, scale, complexity and riskiness. Further, the BAIT specifies inter alia the processing of change requests for IT systems and the setting up of a data backup strategy.

Outsourcing and other external procurement of IT services

Under the BAIT, risk assessments must be conducted prior to each instance of "other external procurement of IT services". According to the MaRisk Interpretative Guide (Auslegungshilfe) "other external procurement of IT service" does not qualify as "outsourcing" within the meaning of the MaRisk. It covers e.g. the one-off or occasional external procurement of goods and services, the procurement of services which is typically arranged by the institution (typischerweise bezogen) and which cannot be provided by the institution itself (neither at the time of external procurement nor in future) due to factual circumstances or legal requirements.14 Further, institutions' risk assessments are subject to the requirement of review and amendment (on a regular and ad hoc-basis) by the institutions.15 As regards contractual arrangements with external IT service providers institutions must further take "appropriate account of the measures derived from the risk assessment relating to other external procurement of IT services".

In light of the BAIT, institutions should prudently review and, where necessary, amend their IT arrangements and processes. Apart from the purely technical side, the BAIT's impact on institutions' general organizational set-up and governance arrangements must be analyzed and necessary amendments made. In this regard, particular focus should be on the establishment of the information security officer function. With the requirement of at least quarterly reporting to the management board the BAIT underlines the significance of this function within institutions' internal control framework.16

Further, the BAIT emphasizes once more the necessity that the management board displays the required IT competency and assumes the ultimate responsibility for financial institutions' compliance with the supervisory requirements on IT.

Outlook and next steps for in-scope firms

The BAIT provides practical guidance on the BaFin's expectations for compliance with IT requirements in financial institutions. For smaller firms, however, it might be difficult to identify which provisions allow for a flexible or simplified implementation.17 This is even more challenging as the Circular does not provide for a transitional period.18

Further, institutions must take into account that the BAIT and the MaRisk do not compile the supervisory expectations for compliance with the requirements for IT in financial institutions in an exhaustive way. In this regard, the BAIT explicitly states that "the depth and scope of the topics addressed in this Circular is not exhaustive" and that "institution(s) shall continue to be required to apply generally established standards to the arrangement of the IT systems and the related IT processes in particular over and above the specifications in this Circular".19 Further, specific IT requirements are set forth in various other pieces of financial regulation (e.g. the Markets in Financial Instruments Directive II and the Payment Services Directive II as well as local and EU implementing law). Besides this, EU and national regulators provide guidance on the application of IT requirements in different fields.20 In addition to the on-going supervisory dialogue, the European Central Bank is currently in the process of issuing uniform requirements and guidance on the management of IT risks for major banks.21

In scope-firms should also take into account that the BaFin plans to supplement the BAIT by further modules specifying requirements on IT emergency management including testing and recovery procedures (IT-Notfallmanagement inklusive Test- und Wiederherstellungsverfahren). The German regulator further considers adding a new module to the BAIT for the providers of critical infrastructures (Betreiber Kritischer Infrastrukturen).22

As a result, firms that are within the scope of the BAIT will need to carefully identify and compile the IT requirements applicable to them as a result of the BAIT and multiple other requirements stipulated in EU and local regulation as well as supervisory guidance. Moreover, in-scope firms may want to review and update their IT arrangements, project governance policies and procedures to ensure that justifications for certain actions and compliance measures can be evidenced and explained to supervisors.

Footnotes

1 The BaFin has also established a separate organizational unit for IT supervision in the financial services sector within the BaFin (Group IT Supervision / Payment Transactions / Cyber Security). This unit is directly attached to the BaFin's Banking Supervision Division. 2 See BaFin Journal, January 2018, p. 17. 3 The original German text of the BAIT is binding. However, the BaFin has also provided an English version of the BAIT for information purposes on its website. The BAIT was prepared with the help of the BaFin IT Expert Panel (Fachgremium IT). Further, the final version of the BAIT takes into account a lot of comments from market participants during the consultation phase of the (draft) BAIT. 4 See BaFin's letter to the associations from 6 November 2017.

5 See BaFin's letter to the associations from 6 November 2017. 6 See BaFin Journal, January 2018, p. 21. 7 See sec. 25a para. 1 sent. 3 no. 4 and 5 and sec. 25b KWG. 8 Client Alert The German BaFin's changes to MaRisk and the impact on market participants", downloadable at dentons.com/en/EurozoneHub.

9 See sec. 1b KWG.

10 See sec. 53 para. 1 KWG.

11 See MaRisk, module AT 2.1 and BAIT, I. Preliminary remarks point 4.

12 See sec. 53 para. 1 KWG.

13 See BAIT, Interpretative Guide, p. 10.

14 See MaRisk Interpretative Guide, p. 33.

15 Together with the contractual details, where appropriate.

16 By way of comparison, under the MaRisk the compliance function must report to the management board at least annually (see MaRisk, module AT 4.4.2 point 7).

17 The BAIT enables the application of the principle of dual proportionality.

18 According to the BaFin, a transitional period is not set forth as the BAIT only clarifies pre-existing requirements.

19 See BAIT, I. Preliminary remarks point 2; as regards these standards, the BAIT explicitly mentions the IT Baseline Protection Manuals (Grundschutz) issued by the Federal Office for Information Security (BSI).

20 See e.g. the European Banking Authority's Recommendations on outsourcing to cloud service providers" from 20 December 2017 and Consultation Paper on "Draft Guidelines on Outsourcing Arrangements" from 22 June 2018.

21 See Börsen-Zeitung from 7 June 2018, issue 106, p. 3.

22 See BaFin Journal, January 2018, p. 21.

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Events from this Firm
27 Sep 2018, Conference, Budapest, Hungary

Dentons will be sponsoring the Future Law conference taking place on September 27 in Budapest. The event aims at providing a global view on the possible responses of legal industry to technological challenges and will host leading experts in the field.

2 Oct 2018, Other, London, UK

The Build-to-rent (BTR) market in the UK has grown substantially in recent years. In ever-increasing numbers, investors and developers are buying up land and properties for the purpose of BTR - benefitting from both value rises in their acquired assets and from rising rents.

2 Oct 2018, Other, London, UK

Dentons is pleased to invite you to register for a place at an interactive debate, "Is Franchising Good or Bad? And if so, for whom?", which is part of Dentons' International Retail Franchising programme.

 
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Related Topics
 
Related Articles
 
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions