In November 2017, the Federal Financial Supervisory Authority (BaFin) published new banking supervisory requirements for IT (BAIT) bringing long-awaited clarity to the digital requirements of MaRisk. With BAIT, the MaRisk issues were concretised in the context of information technology, whereby, for example, IT security and IT governance are considered to be just as important as issues of capital resources and liquidity management.
With the publication of the BaFin, the requirements come into force directly, without providing for an implementation period or preparation time. BAIT specifies the legal requirements of § 25a Paragraph 1 Sentence 3 Nos. 4 and 5 of the German Banking Act as well as the minimum requirements for banks' risk management. With the BAIT requirement "outsourcing and other external procurement of IT services" in conjunction with the increased outsourcing of activities and processes by financial institutions, Section 25b of the KWG has been becoming increasingly important.
As a result, the requirements for audits from 2018 onwards will be based on BAIT with immediate effect, which will likely result in further tightening of auditing practices. In the modular structure of BAIT, the requirements for information technology can be summarized as follows:
The requirements outlined above result in different areas of need and action. In the sections Governance and Control, the requirements increase, among other things, in terms of implementing information security systems (ISMS), establishing risk reporting (e.g. according to BCBS 239), regulating IT outsourcing and how individual data processing should be handled in detail. This is followed by the operationalisation of the topics in the organisational structure. In particular, existing IT processes need to be reviewed and adapted or rebuilt entirely if necessary. The effectiveness of these systems must also be evaluated using internal control systems (ICS). This in turn may result in the need to make adjustments to the IT landscape, especially with regard to security issues and data protection (DSGVO).
Companies are still obliged to comply with the usual standards when it comes to designing their IT systems and associated IT processes. In addition to the IT basic protection catalogue of the Federal Office for Information Security, these include the ISO/IEC 27000 series of the International Organization for Standardization and the International Electrotechnical Commission (IEC) or the PS 951 testing standards.
However, the current landscape of requirements is only a temporary snapshot. Further refinements to BAIT's modular structure have already been announced by BaFin. These focus on topics such as emergency management, BCM or cybersecurity (G7 - Fundamental Elements of Cybersecurity). Furthermore, an extension is to be made with regard to internationalisation and the issues of security measures for operational and security risks of the PSD2 Directive as well as the Ordinance on the Determination of Critical Infrastructures under the BSI Act (BSI Critis Ordinance - BSI Critis Ordinance) are to be dealt with.
SKS is here to support you navigate these complex and challenging issues with our comprehensive regulatory process know-how coupled with our extensive experience in IT audit and process implementation, e.g:
- Quick check for BAIT conformity (implementation recommendations and implementation)
- IT strategy expansion (e.g. regarding ISMS, BCBS 239, ...)
- Implementation of data security (ISMS) to meet BAIT requirements
- BAIT-compliant adaptation of IT processes and customized internal control system (ICS) structure, as well as underlying processes with a standardized reporting structure
- Development and adaptation of a BAIT-compliant authorization management system.
Let our extensive experience in the implementation, optimization and testing of IT processes, controls and organizations be the key to unlocking the optimal solution for your particular institution.