
IT competency among management board members

Article from BaFin's 2017 annual report

Information technology has increasingly been transformed in recent years from providing basic infrastructure for banking and insurance transactions to being a key technology for new value chains.

For BaFin, ensuring that banks and insurance undertakings can effectively tackle the new challenges posed by digitalisation is a matter of pivotal importance. At the end of 2017, BaFin therefore adjusted its administrative practice in relation to the practical experience required by management board members. BaFin thus provides greater flexibility for the appointment of IT specialists when it comes to weighing the increasing need for specialist knowledge against the requirements on the essential professional qualifications that the management board needs in order to fulfil its collective responsibilities.

Legal framework

The requirements relating to the professional qualifications of management board members are set out in section 25c (1) of the German Banking Act (Kreditwesengesetz) and section 24 (1) of the German Insurance Supervision Act (Versicherungsaufsichtsgesetz). They are always assessed with consideration for the individual credit institution or insurance undertaking concerned and with the principle of proportionality taken into account. This means that the requirements for the management of an undertaking with a complex business model and risk profile will be different to those for an undertaking that has less intricate business operations.

Three components of the professional qualifications requirement

In order to be considered professionally qualified under both the Banking Act and Insurance Supervision Act, management board members have to possess the relevant theoretical and practical knowledge of the banking or insurance business as well as management experience.

In order to facilitate the further development of IT know-how at management board level, the period spent gaining necessary practical banking or insurance business experience before assuming a management position may, where appropriate, be reduced to six months for individual assessments of suitability in future. If necessary, the prospective member of the management board should also use this period of at least six months to develop and expand their theoretical knowledge of banking or insurance business, as the professional qualifications requirement must already be fulfilled when they assume their position.

This administrative practice will make it easier for credit institutions and insurance undertakings to further diversify their allocation of responsibilities by creating special IT units and by appointing a management board member for the area of IT (often referred to as a "Chief Information Officer" or "CIO").

Extensive knowledge of IT

In order for such an easing of the practical experience requirements to be justified, the person responsible for the IT unit must be able to demonstrate extensive theoretical and practical knowledge of this field. BaFin plans to use the Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT – BAIT) to determine the specific experience required by management board members specialising in IT. BaFin is currently working on a corresponding circular on the Supervisory Requirements for IT in Insurance Undertakings (Versicherungsaufsichtliche Anforderungen an die IT – VAIT).¹

Collective responsibility of all management board members

BaFin's move towards greater flexibility is limited due to the collective responsibility of the management board members and, in the case of credit institutions, the requirements for unanimous decisions – in particular, those approving large exposures and granting loans to board members pursuant to section 13 (2) and section 15 (1) of the Banking Act respectively. Regardless of the allocation of responsibilities, all members of the management board carry overall responsibility for a proper system of governance and are subject to the associated duties of care and statutory provisions on liability. While each member of the management board bears, first and foremost, full responsibility for their respective portfolio, they must nonetheless, in light of their collective responsibility, take action and attempt to find remedies, at the latest as soon as any indications of irregularities in another member's area of responsibility arise (principle of mutual oversight).

Collective qualifications

As a result of BaFin's change to its administrative practice, the collective qualifications of the management board will become a matter of greater importance. Therefore, BaFin will be paying particular attention to whether the board as a whole is sufficiently qualified while also taking the principle of dual control into consideration. This principle means, specifically, that more than just one management board member must be competent in each of the conventional areas of banking or insurance business, as any other arrangement would not be sufficient to ensure effective mutual oversight. As a result, it is easier to envisage the appointment of a management board member who is only responsible for IT in cases where the board consists of more than three persons who, moreover, have sound knowledge of banking or insurance business.

Notification requirements

For the assessment of suitability of CIOs, banks must provide a description of the specific position together with the details and documents to be submitted pursuant to section 24 (1) no. 1 of the Banking Act when notifying BaFin of having made an appointment or their intent to do so. As part of this process, the relevant competencies must be specified and the schedule of responsibilities must be included. In relevant cases, BaFin also intends to impose an additional reporting requirement on credit institutions for changes to the allocation of responsibilities.

¹ See chapter I 2.
