Quick Take

The breadth of information and communications technology (ICT) services on offer to financial services firms continues to develop rapidly. In many ways COVID-19 has acted as a catalyst prompting fundamental change as firms move to embed hybrid and location-independent working arrangements and transition to more digitalised operating models, including when dealing with clients and customers.

Financial markets policymakers and supervisory authorities have begun to assess how best to supervise the way financial services firms use ICT and engage with ICT service providers, including the monitoring of concentration and over-reliance risks. This is challenging, and as a result EU and national-level financial services regulatory and supervisory authorities have published various rulemaking instruments along with supervisory guidance. In Germany, the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht - BaFin) has introduced several supervisory measures in the form of specific rulemaking instruments focusing on ICT.1

According to BaFin, the "core component" of these measures in ICT supervision is set out in its circular (Rundschreiben) on "Supervisory Requirements for IT in Banks and Financial Services Institutions in Germany" (Bankaufsichtliche Anforderungen an die IT in Kreditinstitute und Finanzdienstleistungsinstitute in der Bundesrepublik Deutschland - BAIT). BAIT sets out BaFin's supervisory expectations as to how in-scope firms comply with the requirements on secure ICT systems and associated ICT processes (as regards the integrity, availability, authenticity and confidentiality of data) as well as on ICT governance.

BAIT was first published in November 2017 and has been updated successively since then. The most recent amendments were published in draft form in October 2020,2 and entered into force in final form in August 2021.3 These August 2021 amendments also serve to implement the ICT-specific supervisory outcomes set at EU level, notably by the European Banking Authority (EBA) in its "Guidelines on ICT and Security Risk Management", which applied from 30 June 2020.

The EBA's ICT Guidelines set out standardised requirements concerning the management of internal and external ICT security and risks for credit institutions (i.e., banks), investment firms and payment service providers. Under the EBA's "comply or explain" mechanism, the supervisory authorities in the individual EU Member States, and thus, in Germany, BaFin, must make every effort to comply with the guidelines or explain why they do not. Most of the measures in the EBA's ICT Guidelines are ultimately directed at the supervised market participants themselves. An amendment to BAIT was therefore necessary to ensure that it reflects the outcomes set in the EBA's ICT Guidelines, notably on operational ICT security measures as well as ICT-specific contingency management procedures.

While there were no fundamental changes to the concepts contained in BAIT, some parts were expanded and adapted. Three new chapters were added to the existing nine chapters setting out requirements. Moreover, the scope and tone of what is covered has also shifted and broadened, both in granularity and in prescriptiveness. Specifically, BAIT's focus has moved from "IT security", which BaFin concluded was limited to ICT-specific security risks, to "information security", which, as BaFin has stated, "aims to protect relevant information regardless of the form it takes. The area of information security therefore encompasses everything related to information processing. In the context of information security and information risk management (ISM/IRM), it is now spelled out more clearly that the business processes concerned must take effect across the entire organisation, and that it is not enough to provide adequate resources to IT operations and application development alone. The BAIT requirements now clarify, for example, that the institutions must develop a comprehensive training and awareness programme for their staff on the topic of information security."

The requirements set out in the 2021 version of BAIT will also likely need to be updated in the future to accommodate further reforms introduced by the EU's cross-sectoral Regulation on digital operational resilience for the financial sector (DORA), which (at the time of writing) is largely expected to become operational reality from 2024 onwards at the earliest. This expectation is supported by DORA's aim of full harmonisation across all regulated sectors in financial services. DORA-driven reforms will, however, likely cause more fundamental changes to BAIT. Thus, for the immediate future, financial services firms will have to meet the expectations in BAIT and MaRisk (more on that below) while preparing for DORA's debut.4

This Background Briefing assesses the changes introduced in the August 2021 updates to BAIT and highlights changes to previous versions as well as some key considerations firms will want to take note of.

Scope of BAIT

ICT processes have become an integral part of financial service providers' operations, and reliance on third-party service providers is unavoidable. It is precisely this dependence on third-party ICT service providers and processes that makes it challenging to keep pace with changing regulation. BAIT was intended as one of the means of addressing this, and as such was first published by BaFin in November 2017.

BAIT gives further detail to the statutory requirements of the German Banking Act (Gesetz über das Kreditwesen (Kreditwesengesetz - KWG)) on the proper business organisation (ordnungsgemäße Geschäftsorganisation) of institutions and on the outsourcing of activities and processes, from an IT point of view.5 Additionally, BAIT builds on BaFin's Circular on Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement - MaRisk), which itself further details (amongst others) the IT requirements of the KWG. As such, BAIT and MaRisk ought to be read together.

To illustrate, both MaRisk and BAIT refer to the same group of intended recipients: in-scope firms. These include (inter alia) credit and financial institutions within the meaning of the KWG6 as well as German branches of third country firms providing banking business or financial services in Germany (third country branches).7 The scope further extends to branches of German credit or financial institutions carrying out business internationally. Explicitly excluded from MaRisk's and BAIT's application are German branches of EEA firms which make use of the European "passport" for providing banking business or financial services in Germany.8

Firms must take into account that BAIT and MaRisk do not constitute an exhaustive list of the supervisory expectations for compliance with the requirements for IT in financial institutions. In this regard, BAIT explicitly states that "...the depth and scope of the topics addressed in this Circular is not exhaustive" and that "...institution(s) shall continue to be required to apply generally established standards to the arrangement of the IT systems and the related IT processes in particular over and above the specifications in this Circular".9 Beyond BAIT and MaRisk, further ICT-specific rules and compliance outcomes are set out in various other pieces of financial regulation (e.g., the Markets in Financial Instruments Directive II (MiFID II) and the Payment Services Directive II (PSD2), as well as national and EU implementing law).

BAIT has been updated twice since its original publication in 2017. The September 2018 BAIT update added the "critical infrastructure" (KRITIS) module to the requirements. This module sets out measures to achieve the KRITIS protection goals for the financial sector which, when fully implemented, serve as proof of implementation of the German IT Security Act (Zweites Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme - IT SiG).10

The 2021 update to BAIT implements a number of changes set at EU level, in particular those arising from the EBA's ICT Guidelines. Targeted changes were also made that place a new focus in BAIT on operational information security and contingency management. These changes are accompanied by drafting changes that broaden BAIT's focus to the customer relationships of those payment service providers supervised under Germany's transposition of the EU's Payment Services Directive 2 (PSD2) into its Payment Services Supervision Act (Gesetz über die Beaufsichtigung von Zahlungsdiensten - ZAG), and to emergency management.

Accordingly, a holistic view is emerging under which BaFin will in future also concentrate on assessing relevant risks outside the institution's own ICT arrangements. Banks must therefore not only structure and secure their own ICT operations as well as upstream and downstream processes, but also adapt their interaction with external service providers and their sub-service providers to the BAIT rules.


Footnotes

1. BaFin has also established a separate organisational unit for IT supervision in the financial services sector (Group IT Supervision / Payment Transactions / Cyber Security). This unit is directly attached to BaFin's Banking Supervision Division.

2. Compared to the draft circular of October 2020, a number of language adjustments were made in the final version. For example, the term "IT security" has been consistently replaced by the more comprehensive term "information security". In other places, text was deleted to clarify that protective measures are to be applied comprehensively. In Chapter 6 on identity and access management, for example, the addition that access must be assignable "even for non-personalised activities" was deleted. The resulting requirement is shorter but less ambiguous: "Accesses and accounts must at all times be unequivocally assignable to an acting or responsible person (preferably in an automated manner)".

3. The original German text of BAIT is binding. However, BaFin has also provided an English version of BAIT for information purposes on its website. Non-binding English version available here. Binding German version available here. See also BaFin's article (from October 2021), available here, on the context of the amendments.

4. These changes not only affect regulated financial services firms, but may also require changes to the design and processes of the ICT service providers on which those firms rely, including software-as-a-service (SaaS) providers, cloud computing service providers and other external service providers (including those that are not ICT service providers). It is therefore advisable for in-scope financial services firms to engage in early dialogue with their ICT service providers, in order to advance any amendments or to confirm the resilience and compliance of existing arrangements as early as possible. Amendments to contractual as well as regulated outsourcing agreements, including agreed service levels and/or key performance indicators (KPIs), may be required, and financial services firms may have to rethink or otherwise top up previous outsourcing compliance assessments.

5. See sec. 25a para. 1 sent. 3 no. 4 and 5 and sec. 25b KWG.

6. See sec. 1b KWG.

7. See sec. 53 para. 1 KWG.

8. See MaRisk, module AT 2.1.

9. See BAIT, I. Preliminary remarks point 3; as regards these standards, BAIT explicitly mentions the IT Baseline Protection Manuals (Grundschutz) issued by the Federal Office for Information Security (BSI).

10. Available here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.