Germany’s financial supervisor has published new rules and expectations on how financial services firms should identify, mitigate and manage risks stemming from internal and external information and communications technology (ICT) solutions and providers. This marks the biggest overhaul since the rules were first introduced in 2018.
The proposed rules should also be read in conjunction with other changes affecting the German supervisory authority’s expectations for the compliance and risk function within financial services firms, as well as the more wide-reaching prescriptive changes that are set to be introduced at the EU-27 level in the form of a new maximum harmonization regime on digital operational resilience across all financial services market sectors. Given the extent of these changes, both individually and taken together, existing and new firms operating in or through Germany will want to take prompt preparatory action together with their counsel.
On October 26, 2020, the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin) published its consultation (13/2020) on a Circular (Rundschreiben) amending the Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT – BAIT). The BAIT consultation is open for responses until November 23, 2020. Unlike in other jurisdictions, BaFin is not expected to make many changes to the BAIT as currently proposed. Firms, together with counsel, will therefore want to begin forward planning on how to comply with the changes to BAIT (as well as those taking place at the EU level or due to other domestic rule changes). Many of these changes may require new resources as well as amendments to existing arrangements, notably with service providers, and to existing and new policies and procedures as well as systems and controls.
The BAIT exists as a complementary component to BaFin’s Circular on Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement – MaRisk). The MaRisk, which is also subject to its own consultation process (14/2020) that began on October 26, 2020, sets out details (amongst other compliance requirements) for the IT requirements of the German Banking Act (KWG). The MaRisk and the BAIT should be read together. For (re-)insurance firms as well as pension funds, a similar BaFin regime exists as related to those firms (VAIT) and a similar BaFin regime applicable to asset management firms (KAIT).
It should be noted that the BAIT consultation marks the first major overhaul of the BAIT since 2018 and comes ahead of the EU’s framework, in the form of the Digital Operational Resilience Framework (DORA) for all financial services providers regardless of sector as well as, within the Banking Union, changes to the European Central Bank’s (ECB) own regime on cyber-resilience that the ECB has published, both in its central banking role and/or at the helm of the Banking Union’s Single Supervisory Mechanism (SSM). These EU efforts should also be read in conjunction with the global principles set out in the Financial Stability Board’s Report on Effective Practices for Cyber Incident Response and Recovery. For further information on the 2020 and 2017 updates to the MaRisk, please see our series of Client Alerts on these developments.
Consequently, it is conceivable that BAIT, KAIT and VAIT, as well as possibly MaRisk, will be amended further as the EU’s DORA regime is introduced, particularly as DORA aims to be cross-sectoral and to provide maximum harmonization of requirements and supervisory approaches across the EU-27. Even if DORA is set to make its debut during 2021 or 2022, firms subject to BAIT, KAIT or VAIT (as well as MaRisk and corresponding provisions applicable to other financial services firms in the scope of the German rules) will need to comply with the content and supervisory expectations of BaFin in respect of those rules as well as the corresponding EU-level framework and respective rules that are superordinate to this domestic regime.
All of these changes, whether individually or taken together, will not only impact regulated financial services firms within the scope of these amended frameworks, but may equally require design and process changes for ICT service providers, including software as a service (SaaS) providers, cloud-computing service providers and/or any other ancillary (including non-ICT) third-party service providers upon whom such regulated financial services providers rely. Consequently, regulated financial services providers affected by these changes may want to engage in early dialogue, both to advance any change management requests and to confirm the resilience and compliance of existing arrangements as early as possible. Amendments to contractual as well as regulated outsourcing agreements, including to agreed service levels and/or key performance indicators (KPIs), may be required, and financial services firms may have to rethink or otherwise top up previous outsourcing compliance assessments.
A background on BAIT’s building blocks and interoperation with other EU and domestic regimes
The increased reliance by financial services firms on ICT processes as well as third-party service providers continues to present challenges for financial services firms and the national competent authorities (NCAs) supervising them. To keep pace with this development, BaFin has introduced a range of supervisory measures in the last few years. BaFin first published its BAIT Circular at the beginning of November 2017. The EU’s CRD IV regime, which was transposed in the German Banking Act (KWG), introduced general rules on strategic steering and organizational requirements relating to governance, risk and compliance that are binding upon credit institutions and certain MiFID investment firms. For Banking Union supervised institutions, certain additional requirements have been introduced by the ECB-SSM. Germany’s MaRisk further specifies BaFin’s supervisory expectations of firms when complying with the KWG’s requirements. BAIT in turn clarifies the MaRisk’s expectations as they apply to ICT-related risks and compliance obligations.
As a result, the BAIT is BaFin’s primary rule-making instrument setting out its supervisory principles of how relevant firms should approach the identification, mitigation and management of information and communication technology (ICT) and security risk management. BAIT applies to operations of firms in and from Germany and will be of interest to both existing firms as well as new entrants. For further information on the 2017 BAIT Circular please see an earlier Client Alert in this series detailing the impact of those changes.
The proposed changes to BAIT add further details regarding IT security and aim to follow the European Banking Authority’s (EBA) publication of new guidelines on ICT and security risk management in November 2019 (the EBA ICT Guidelines), which have been in force since June 30, 2020. The EBA ICT Guidelines set out standardized requirements concerning the management of internal and external ICT security and risks for credit institutions (i.e. banks), investment firms and payment service providers.
The EBA ICT Guidelines are binding upon the EU member states’ NCAs (in Germany, BaFin), even where the majority of measures, in the form of supervisory expectations subject to a comply or explain approach, are addressed to market participants. Consequently, BaFin and the Bundesbank concluded that there was a need to amend the BAIT so as to bring the domestic framework in line with the EU-27 wide framework. As part of the implementation of the EBA ICT Guidelines, BAIT’s amendments aim to reflect the EBA’s principles on operational ICT security measures as well as ICT-specific emergency management procedures.
In addition to the consultation proposing general amendments to the BAIT framework so as to bring it in line with the EU approach, targeted amendments are introduced which set a new focus in BAIT on operational information security and emergency management measures. These changes are also accompanied by a more broadly drafted focus concerning customer relationships with those payment service providers that are supervised under Germany’s transposition of the EU’s Payment Services Directive 2 (PSD2), i.e. the Payment Services Supervision Act (Gesetz über die Beaufsichtigung von Zahlungsdiensten – ZAG), and emergency management. The changes to BAIT’s focus on payment service providers follow the EBA ICT Guidelines replacing the 2017 EBA Guidelines on security measures for operational and security risks under PSD2.
Following the close of the BAIT consultation period, BaFin and the German Federal Central Bank (Bundesbank) will publish the final updated version of the BAIT, although a target date has not yet been published, possibly to accommodate general coordination with the changes being proposed to MaRisk. Affected financial services firms operating in or through Germany may need to, depending on their licenses and competent supervisors, consider the interplay of compliance with the EU-27 and Banking Union specific rules, as well as Germany’s domestic framework set out in BAIT and related BaFin supervisory expectations.
Key considerations arising from the BAIT consultation
The BAIT proposal, in the form being consulted upon, in addition to the new thematic areas that it introduces, sets a new, much more prescriptive supervisory tone. Some key changes include expectations and responsibilities that are to reflect a:
- top-down approach, whereby responsibilities for compliance increase through levels of seniority of management;
- holistic compliance requirement, meaning BaFin will assess the overall compliance with BAIT and related supervisory expectations in its entirety;
- tailored compliance approach reflective of individual needs and risk drivers, requiring that relevant arrangements evidence much more granularity in the environment they operate in and the risks they aim to identify, mitigate and manage; and
- more periodic (and prescriptive) review process, prompting firms to undertake much more in the way of periodic as well as ad-hoc reviews of the suitability of the design and the effective operation of relevant arrangements, using KPIs and diagnostics where possible.
The new BAIT sets new thematic areas with targeted expectations on digitalization and reliance, cybercrime, and the impact of natural disasters and pandemic preparedness, which collectively complement but also amend existing areas that BAIT addresses and expects firms to reflect in their ICT-risk management frameworks. As a result, BAIT’s thematic chapters, much like the EBA ICT Guidelines, address the following areas (all of which have been amended slightly, save for the KRITIS module, which was last updated in 2018):
- IT strategy;
- IT governance;
- ICT risk management;
- ICT security management;
- Operational ICT security arrangements (new to BAIT);
- Access control and permissions management;
- ICT projects and application management;
- ICT operations;
- ICT outsourcing and use of third-party ICT providers and their solutions;
- ICT emergency management procedures (new to BAIT);
- Customer and counterparty relationships when dealing with payment services providers and payment services users (new to BAIT); and
- ICT rules on critical infrastructures (covering financial market infrastructures as well as more generally) (also referred to as the KRITIS module).
For the existing thematic areas, the new tone in the approach taken in the proposed version of BAIT that is under consultation will mean firms covered by BAIT will need to:
- Review their IT strategy to ensure that it is more aligned with ICT risk and mitigation arrangements, as well as a greater degree of monitoring and oversight in respect of the firm’s acquired ICT solutions, as well as the offering of third-party service providers, including cloud-based and SaaS solutions.
- Review their IT governance policies and procedures, including the ownership of ICT-related developments and risks at the firm’s board and executive function levels, so as to further strengthen ICT’s role as part of the overall “strategic steering” of the firm.
- Enhance the responsibilities and functions of the ICT security officer, especially as compliance responsibility now also lies with that officer and the firm’s management, as opposed to “just” the financial services firm itself.
- Reassess ICT access and control rights, as the requirements in the revised form of BAIT are far more prescriptive, including with respect to functional separation and the need to centralize the recording and management of access rights. The extent of these changes, given their wide and far reach, may prompt many firms to move to more digitized as opposed to manual-run multi-user/multi-system access management tools and processes.
- Slightly revise processes and procedures required to meet the much more granular requirements set out in the ICT projects and application management chapter, notably as it concerns testing management as well as quality assurance reviews of the integrity of coding.
- Introduce a targeted review and strengthening of documentation and non-documentation based procedures as they apply to the area of ICT-outsourcing given certain changes to this thematic area.
- Forward plan timing, outputs and KPIs and quality assurance metrics as well as sufficiently allocate resources to conduct more periodic and ad-hoc compliance reviews and audits under the revised BAIT regime.
Looking at the three new areas in more detail and their practical impact for firms:
Operational ICT security arrangements
The aims of this new thematic chapter are for firms to maintain robust and resilient ICT-specific risk identification and control frameworks. This requires the definition of ICT risk drivers, ICT risk appetite and tolerance levels, escalation and fallback measures as well as remedial action plans. The focus of these efforts applies not only to firm-internal and group-specific ICT solutions but also to those provided by outsourced services and third-party service providers more generally, including externally hosted ICT systems as well as data hosting, management and storage solutions.
Firms are expected to evidence the use of advanced systems, such as, but not limited to, security information and event management (SIEM), as well as a permanently staffed security operations center (SOC) in their operating framework, which may go beyond the operations of the ICT security officer. Firms are therefore encouraged to automate the identification of ICT-security related events, notably unauthorized access, and to undertake prompt review and analysis not only of the threats but also of the exploited weaknesses in systems and controls, and to take remedial action.
Consequently, firms will have to ensure that their IT systems, IT processes and other parts of the information network evidence strong integrity, availability and confidentiality of data, including the use of encryption and workarounds for known weak points. Accordingly, firms will have to implement appropriate security measures that are subject to periodic and ad-hoc tests of their integrity and resilience, and maintain dedicated measures that can identify and evaluate threats as soon as possible.
ICT emergency management procedures
This new thematic chapter requires affected firms to focus on their ICT emergency management procedures and processes, including specifically the resilience of their outsourced ICT resources and time-critical processes. Firms will have to ensure they can evidence their own resilience through emergency management procedures and the use of back-up sites, but equally implement measures that are coordinated with their outsourced as well as third-party service providers. A particular focus is set out in BAIT on firms’ design and implementation of recovery time objectives and permitted downtime, as well as recovery plans, along with the related dependencies on internal and external services (including service providers).
Firms will be required to design and maintain an IT-resilience testing methodology and plan and to undertake periodic (and at least annual) reviews and testing of measures based on individual threat-based risk scenarios, as well as simulations relating to the disruption of activity at data centers. Firms are expected to evidence that in the event of a failure/disruption of a data center on which that firm relies, the relevant processes can be serviced for a specific period of time by an alternative data center.
Customer and counterparty relationships when dealing with payment services providers and payment services users
This new thematic chapter of BAIT was added to complement PSD2 requirements applicable when financial services firms providing payment services pursuant to Sections 25a and 25b of the Banking Act (Kreditwesengesetz – KWG) communicate with payment services users. The new requirements aim to drive increased user awareness concerning the security risks linked to payment services. The content of this chapter of BAIT is part of the consultation on the Circular Regarding Supervisory Requirements For IT In Payment Services (Zahlungsdiensteaufsichtliche Anforderungen an die IT – ZAIT), which is being run concurrently with that on BAIT.
In summary, while the changes to the existing thematic areas may require low to medium effort and resources to account for changes, the introduction of the three new chapters will require considerably more. Firms may wish to also forward plan how to comply with these immediate changes introduced by BAIT and the relevant supervisory priorities of BaFin for 2021 on how firms evidence compliance with BAIT, as well as the range of EU-level changes that have been published to date and which are likely to begin to take effect from 2021 through to 2024.
Outlook and next steps for BAIT in-scope firms
Regardless of a firm’s complexity, size and reliance on digital infrastructure and ICT, the range of global, EU-27, Banking Union-specific and NCA-driven changes focusing on digital operational resilience and ICT risks specifically ought to prompt firms, working with counsel, to take action. Some immediate next steps might include:
- Performing a global but equally business-line specific gap analysis that maps the extent of global, EU-27, Banking Union specific and NCA-driven changes (including BAIT’s and MaRisk’s new framework as a whole) and, where those changes have not yet been implemented, assessing which areas ought to be prioritized as part of a compliance action plan. Some of the factors firms may wish to consider are how the degree of non-compliance might impact on risks to the firm, on risks to clients/counterparties and on risks to recovery and resolution planning, which, if left otherwise unremedied, could result in further adverse regulatory and supervisory scrutiny from multiple supervisors.
- Assessing, especially for smaller and/or less complex firms, whether there are any permitted options to apply the relevant frameworks and supervisory expectations in a proportionate and/or simplified manner.
- Engaging proactively with ICT service providers, including third-party and software as a service (SaaS) providers, to ensure that any documentation and non-documentation based changes undertaken within a specific firm (including any individual business units) are equally reflected by those providers, i.e. through change management requests or by procuring other evidence that existing arrangements are sufficiently resilient and continue to comply with the new frameworks.
As a result, financial services firms and related stakeholders that are affected by the changes to BAIT, and also by concurrent changes across the EU-27, as well as those taking place in the Banking Union, may want to review and update their IT arrangements, project governance policies and procedures to ensure that justification for certain actions and compliance measures can be evidenced and explained to supervisors in a prompt and clear manner.
If you would like to discuss strategic options, in particular, how the BAIT requirements, EBA Guidelines or those of the ECB(-SSM) may affect your business as well as present opportunities for you or your clients more generally, please contact our Eurozone Hub key contacts.
- Public consultation regarding Supervisory Requirements for IT available here.
- Please see standalone coverage from our Eurozone Hub’s Insurance Union. In summary, VAIT, which was published on July 2, 2018, aims to detail the minimum supervisory risk expectations that relevant firms should apply when complying with the general obligations in the German Insurance Supervision Act (VAG). The VAIT offers somewhat greater flexibility, allowing firms to apply some of the rules in a manner that is proportionate to their risks and in line with the aims of BaFin’s Guidelines on the minimum requirements for the organization of insurance undertakings (MaGo). See analysis on related changes here.
- See coverage from our Eurozone Hub available here.
- Available here.
- Available here in respect of 2020 updates and here in respect of 2017.
- Supervisory Requirements For IT In Financial Institutions, version of September 14, 2018, available here; BaFin’s Circular on Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement – MaRisk), available here and see coverage from our Eurozone Hub (July 2018) here; BaFin has also established a separate organizational unit for IT supervision in the financial services sector within BaFin (Group IT Supervision / Payment Transactions / Cyber Security). This unit is directly attached to BaFin’s Banking Supervision Division.
- The original German text of the BAIT is binding. However, BaFin has also provided an English version of the BAIT (NB this may be outdated) for information purposes on its website, available here.
- See coverage from our Eurozone Hub (July 2018) available here.
- Available here.
- See also our Eurozone Hub coverage on prolonged pandemic preparedness available here.
- See point 11 and the Draft Guidelines of the Circular on Supervisory Requirements For IT In Payment Services (Zahlungsdiensteaufsichtliche Anforderungen an die IT – ZAIT).
- The BAIT enables the application of the principles of dual proportionality.