
Article from BaFin's 2017 annual report

Supervisors and regulators, too, must understand the ongoing digital transition. They have to analyse it from a legal and an economic perspective and determine whether and how they must act to safeguard financial stability and protect consumers – both at the level of supervisory administrative practice and at the legislative level.

Handling of IT risks

Whether internal IT glitches or cyber attacks, IT risks have the potential to be extremely explosive. In order to strengthen its capabilities in this area, BaFin is creating a dedicated unit that will deal with issues of IT security across the industry. Initially, BaFin's focus was on the banking sector. In cooperation with the Deutsche Bundesbank, BaFin has already scrutinised IT security during a number of on-site inspections at those institutions that are directly under German supervision. The outcome: banks have a lot of catching up to do when it comes to IT security.

In 2017, BaFin also gained an overview of the strengths and weaknesses of insurance undertakings in dealing with cyber risk. Dr Frank Grund, Chief Executive Director of Insurance and Pension Funds Supervision, said that initial results had shown that the approach taken to this issue by a considerable part of the sector was too unsystematic. Reason enough for BaFin to detail and explain its requirements for IT security at banks and insurance undertakings.

BAIT – Supervisory Requirements for IT in Financial Institutions

Like any other operational risk, IT risks are Pillar I risks that banks have to cover by maintaining sufficient capital. In addition to this, they have to manage these risks and in this way ensure IT security.

Published at the beginning of November 2017, the "Supervisory Requirements for IT in Financial Institutions" (Bankaufsichtliche Anforderungen an die IT – BAIT) set out in detail what BaFin expects in this area from credit and financial services institutions in Germany. Through the BAIT, BaFin has turned IT security into a management issue. The requirements are addressed to senior management and are intended to help institutions to ensure they have a proper system of governance for IT as well.

However, the BAIT are presented in the form of principles rather than a comprehensive catalogue of requirements. BaFin's aim is to create a clear and flexible framework for the management of IT resources, IT risk and information security. The BAIT are also meant to contribute to raising awareness of IT risk throughout the undertaking – including with respect to outsourcing providers. BaFin has also made transparent in the BAIT what it expects from the institutions in terms of managing and monitoring IT operations.

VAIT for insurance undertakings

In the course of 2018, BaFin will collate and flesh out its requirements for IT in insurance undertakings in a similar way in a document entitled "Supervisory Requirements for IT in Insurance Undertakings" (Versicherungsaufsichtliche Anforderungen an die IT – VAIT). Insurance undertakings, too, not only have to maintain adequate solvency capital to cover their IT risks, but also have to manage these risks appropriately; they owe this to their policyholders.

Security also needed for fintech companies

What applies to the established undertakings of the financial market also goes for fintech companies. No matter how much and what type of technology is used, BaFin always applies the principle of "same business, same risk, same rules". All providers in the financial market must give IT security the highest priority, because people entrust their money and data to them.

IT skills on management boards

A key concern for BaFin is to ensure that banks and insurers are able to master the challenges of digitalisation with confidence. In order to promote the further expansion of IT knowledge on the management boards of undertakings, BaFin at the end of 2017 amended its administrative practice on the professional qualification of management board members at insurance undertakings and banks under its direct supervision.

In the past, if IT specialists could not provide evidence of banking- or insurance-specific IT knowledge acquired over an extended period, it was difficult for them to be appointed to the management board. Now, a six-month period may be sufficient in specific circumstances.

Independently of this, however, all members of the management board, without exception, still carry overall responsibility and are subject to the due diligence requirements and legal liability rules this entails. "By balancing the requirements for basic professional qualification of all management board managers, which they need in order to exercise their overall responsibility, and the increasing need for specialist know-how, we, the supervisors, are allowing greater scope for appointing IT specialists at management board level", commented Dr Frank Grund, Chief Executive Director of Insurance and Pension Funds Supervision at BaFin.

Outlook

BaFin has demonstrated in the past, and will continue to do so, that it takes an open and very constructive approach to change and innovation – examples include fintech companies or the fit and proper requirements for chief information officers – but remains true to its role of supervisor and regulator. BaFin's President Hufeld explains that, given the many different voices of political debate, financial regulators and supervisors have a duty to raise awareness of old and new risks in the interests of both consumers and financial stability. "We'll have to wait and see to what extent we can make ourselves heard, although success will also depend on how successful we are at finding answers to new and in some cases far-reaching questions."

From BaFin's perspective, the following questions arise, for example: How can decentralised business models such as blockchain be supervised? How can BaFin protect the users and clients of such business models? And what will happen to traditional providers in the financial market if participants whose main sources of revenue are outside the financial sector offer financial products with the primary motivation of generating data, without being dependent on the revenue? Who will carry the risk? Are the entities under supervision even the right ones? How should supervisors and regulators deal with the phenomenon of big data analytics? These are some of the many digitalisation issues on which BaFin is working internally – for example in its "Innovations in Financial Technology" unit – as well as in regulatory bodies.
