Digitalization is not only a topic at Fintech companies, but increasingly also at traditional banks. For the Federal Financial Supervisory Authority (BaFin), IT security and IT governance have risen to the same level of significance as banks’ equipment with capital and liquidity. It has therefore completely redefined its regulatory requirements for the operation of IT in banks.
BaFin not only updated its MaRisk circular from 2012, but it also drafted a new circular that further details the general requirements of MaRisk by specific banking supervisory requirements for IT (BAIT). Most of the requirements are to be implemented immediately, since according to BaFin, they are only specifying existing laws. An implementation period up to October 31, 2018 only applies to newly imposed requirements introduced by MaRisk. As an example, the new rules stipulate the function of IT security officers in banks, who, in addition to advising management, will also be exercising their own rights such as reviewing IT service providers or investigating IT security incidents. The position has to be filled internally with the banks’ own budgets and equipment, but it is permitted to obtain external support. The BaFin aims as well to promote banks’ risk culture by subjecting in-house software developments of applications to the same type of risk assessment as for externally sourced software. When software is merely purchased externally (including maintenance and implementation), it has now been clarified that this may not be qualified as “outsourcing”. At the same time, the BAIT rules substantially raise the level of regulatory requirements for such external procurement, thereby reducing the difference to the more strictly regulated outsourcing. BaFin thus reacts to developments in the IT industry by defining cloud services as well as software sourcing via SaaS as regulated outsourcing due to the external operation of the applications. Finally, it will likely be important for the increasingly automated processes of Fintechs in the future that the actions of machine users must also always be attributed to a specific individual. Even fully automated processes still require an (automated) responsible person.
Anyone who is responsible for IT operations at a bank or is involved in banking IT operations as a service provider cannot avoid a detailed examination of the effects of MaRisk 2017 and BAIT on their services. This is already a requirement that is included in banks’ tenders for IT services with immediate effect.