

Published: 14.10.2021 | Topic: Risk management

BaFin amends its BAIT

In the current amendment to the BAIT, BaFin clarifies its expectations for IT and information security at banks.

On 16 August 2021, BaFin published the new version of its BAIT, the Supervisory Requirements for IT in Financial Institutions. The amendment came into force on the same date. BaFin is using this amendment to set out the overall conditions it now expects for secure information processing and information technology. There are no transitional periods because BaFin is not imposing any fundamental new requirements, but has clarified existing requirements.

Background to the amendment

Guidelines issued by the European Banking Authority (EBA) in November 2019 form part of the backdrop to the BAIT amendment. In its Guidelines on ICT and security risk management (EBA/GL/2019/04), the EBA had previously responded to the European Commission’s FinTech action plan and introduced standardised requirements for the entire single market: for credit institutions, investment firms and payment service providers. The EBA thus established the corresponding framework for the supervisory practice of the national competent authorities.

Together with the Deutsche Bundesbank, BaFin then examined whether, and to what extent, the BAIT would have to be supplemented and adapted. Experience gained from supervisory practice was also expected to be incorporated into the work. The IT expert committee, whose members are representatives of the trade associations of the banking sector, smaller and larger institutions, as well as BaFin and Bundesbank staff, was also closely involved in the amendment. The Federal Ministry of Finance also participated. A public consultation on the BAIT amendment was launched in autumn 2020. Because the content of the BAIT builds on the Minimum Requirements for Risk Management (MaRisk), the BAIT amendment was developed in parallel with the sixth amendment to MaRisk, and both circulars were published at the same time.

Significant amendments

Even though there were no fundamental changes, some parts of the BAIT were expanded and adapted. In the new “Operational information security” chapter, for example, BaFin sets out requirements for the design of effectiveness controls of information security measures that have already been implemented, in the shape of tests and exercises. Such effectiveness controls, for example gap analyses, vulnerability scans, penetration tests and simulated attacks, are a key element of any effective, sustainable information security management system. The institutions must verify the security of their IT systems regularly and on an event-driven basis. They must avoid conflicts of interest when they do so: for example, anybody involved in planning and implementing security measures may not subsequently test them. The institutions have to analyse the results of such effectiveness controls, identify any need for improvement and manage risks appropriately.

The institutions are expected to document the new requirements in an internal policy that BaFin now calls for in the “Information security management” chapter. This chapter also contains requirements relating to logging and monitoring, in other words recording results and real-time monitoring, as well as the identification and analysis of security-related events. For example, potentially security-related information must be evaluated suitably promptly, using a rule-based approach, and must be held available for an appropriate period for subsequent evaluation. To do this, a portfolio of rules for identifying security-related events must be defined and updated.

The expanded AT 7.3 “Contingency management” in the new MaRisk forms the basis for the new BAIT chapter “IT contingency management”. It stipulates the establishment of restart, emergency operation and recovery plans for time-critical processes and activities. According to the BAIT, the institutions must verify annually that these three types of IT contingency plan are effective – based on an IT testing concept.

The new third chapter in the BAIT is called “Managing relationships with payment service users”. It is taken from the new circular “Supervisory Requirements for IT in Payment Services and Electronic Money Institutions” (ZAIT). Its content is also relevant for large parts of the BAIT target group.

Information security instead of IT security

It was also important for BaFin and the Deutsche Bundesbank to follow the objective of “information security” in the BAIT and not the – narrower – objective of “IT security”. Traditional IT security is limited to the field of information technology, whereas information security aims to protect relevant information, regardless of the form it takes. The area of information security therefore encompasses everything related to information processing. In the context of information security and information risk management (ISM/IRM), it is now spelled out more clearly that the business processes concerned must take effect across the entire organisation, and that it is not enough to provide adequate resources to IT operations and application development alone. The BAIT requirements now clarify, for example, that the institutions must develop a comprehensive training and awareness programme for their staff on the topic of information security.

The BAIT reflect the requirement in the EBA guidelines referred to earlier for a clear allocation of responsibilities by designating additional roles and tasks of information security and information risk management and differentiating them from responsibilities for business processes. Among other things, the organisational units that are responsible for the individual business processes are responsible for determining and documenting the protection requirements of the relevant processes. By contrast, information risk management is responsible for verifying this determination and documentation.

In light of the complexity of cyber threats, the BAIT now expressly emphasise how important it is for institutions to keep themselves informed about current external and internal threats and vulnerabilities, and to notify the management board about the risk analysis and changes in the risk situation. The BAIT chapter “Information risk management” now clarifies that threats and vulnerabilities must also be taken into account by information risk management if they could pose risks to the organisation.

Several BAIT chapters address requirements for physical security, as described in the EBA guidelines. For example, the institutions must develop a physical security policy, implement physical access controls and establish an adequate perimeter protection using state-of-the-art technology. Perimeter protection means protecting the area between the building and the property boundary.

Author

Thorsten Sämisch
BaFin IT Supervision Group

Please note

This article reflects the situation at the time of publication and will not be updated subsequently. Please take note of the Standard Terms and Conditions of Use.
