On 3 November 2017, the German regulator for the financial sector, the Federal Financial Supervisory Authority (“BaFin”), published a new circular titled Rundschreiben 10/2017 (BA) vom 3. November 2017 – Bankaufsichtliche Anforderungen an die IT (in English: Circular 10/2017 – Regulatory Requirements for IT-Systems – “BAIT”). The BAIT is available in German language at the BaFin’s website. The final version of the BAIT incorporates a number of revisions that result from the submissions made by stakeholders in the course of a prior public consultation.

Scope of the BAIT

The BAIT’s purpose is to give guidance on the BaFin’s interpretation of the statutory requirements under Section 25a(1) s. 3 no. 4 and 5 and Section 25b of the German Banking Act (Kreditwirtschaftsgesetz – KWG). The BAIT sets out the BaFin’s understanding of how reasonable technical/organisational features of IT systems used within financial institutions should look like, taking in particular into account the requirements for IT security and a sufficient emergency concept. The BAIT also addresses the increased engagement of third party IT suppliers that carry out a wide range of processes on behalf of regulated financial institutions, Section 25b of the German Banking Act.

The BAIT contains the following chapters:

  1. IT strategy
  2. IT governance
  3. Information risk management
  4. Information security management
  5. User authorisation management
  6. IT projects, application development
  7. IT operations (including data backup)
  8. Outsourcing and other sourcing of IT services

The BAIT does not establish a set of new obligations for banks and financial services providers in Germany (including German branches of non-EU banks and financial services providers) and/or their third party IT suppliers. By contrast, it contains a number of clarifications of already existing requirements under the German Banking Act and the BaFin’s more general circular Mindestanforderungen an das Risikomanagement – MaRisk (English: Minimum requirements for the risk management – “MaRisk”) which has been revised recently.

A rather innovative approach set out in the BAIT is the BaFin’s view that financial institutions shall appoint an Information Security Officer who shall report to the senior management at least on a quarterly basis, in any case when appropriate/needed. The Information Security Officer shall be responsible for all aspects of information security, both within the organisation and externally, i.e vis-à-vis third parties. The Information Security Officer shall monitor compliance with the financial institution’s IT-strategy and information security policies. To avoid potential conflicts of interests, the Information Security Officer shall be an independent body within the organisation. The BaFin takes the view that generally each financial institution shall appoint and maintain an internal Information Security Officer.

Outlook

The BAIT, which has become effective upon publication, complements the MaRisk, and will form the key legal document for future IT related regulatory activities in the banking sector in Germany.