
Published: 29.09.2021 | Topic: Risk management | IT Requirements for Payment and E-money Institutions

BaFin’s new ZAIT circular offers legal certainty for the specific rules set out in the German Payment Services Supervision Act.

What are the supervisory requirements that payment and e-money institutions must meet for the due and proper conduct of business in relation to the use of information technology and to ensure cyber security? This question is answered by BaFin’s new circular on Supervisory Requirements for IT at Payment Services Providers (Zahlungsdiensteaufsichtliche Anforderungen an die IT), or ZAIT for short (currently only available in German). The circular offers legal certainty by accommodating the specific rules set out in the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz, ZAG). This represents a further addition to BaFin’s series of circulars covering the supervisory requirements for IT to be met by financial institutions, insurance undertakings and asset management companies (BAIT, VAIT and KAIT).

At a glance: Payment institutions and e-money institutions

BaFin currently supervises more than 80 institutions subject to the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz, ZAG). These include both e-money businesses and classic payment services such as money transmission services and the acquisition business. Almost one-third of the entities supervised, however, offer payment initiation or account information services, which is reflected in what are in some cases highly technical business models. Examples include the initiation of transfers on behalf of online banking users and the consolidation of information from multiple accounts within a single app. In both cases the entities involved utilise users’ account access information. Strict IT requirements apply to the use, storage and technical processing of such information, and to the related processes. Companies must use the account access interfaces that credit institutions created under PSD 2 for their services. BaFin pays particular attention to the principle of proportionality in this area, since the business models used are extremely varied and the companies concerned are also of very different sizes.

Up to now, the BAIT and the Minimum Requirements for Risk Management (MaRisk) have been applied by analogy to payment and e-money institutions. Going forward, the ZAIT will permit an even more tailored approach to the specific circumstances applicable to payment and e-money institutions, taking the principle of proportionality into account.

In terms of content, the circular is highly similar to the BAIT. Specifically, it includes the requirements set out in the guidelines on ICT and security risk management and the guidelines on outsourcing arrangements, both published by the European Banking Authority (EBA). ICT stands for “information and communication technology”.

Growing threat of cyber attacks

For example, the ZAIT sets out the supervisory requirements with respect to information risk and information security management. These are crucial to enhancing IT security at institutions in view of the constantly growing threat posed by cyber attacks. It is important that the institutions are able to identify security incidents quickly and take the necessary steps to safeguard normal business processes. To do this, they need to ensure effective risk management that is appropriate both to their individual business models and to their size.

In addition, the circular lists key requirements relating to IT operating processes, the IT infrastructure and business continuity management. These are primarily designed to ensure that institutions can guarantee high service availability levels and that the IT equipment used is basically state of the art. This is essential if vulnerabilities are to be avoided, especially in the case of software applications. In addition, all institutions must be able to demonstrate that they can restore their key operating processes within an appropriate period following interruptions.

Outsourcing IT processes

Another key section of the circular provides details of the supervisory requirements to be met by institutions that outsource IT processes or activities to other entities. For example, in practice institutions use cloud service providers to handle business processes, store data or simply to make their IT capacity more flexible.

Institutions must have considered the risks associated with such outsourcing arrangements before they commission a service provider. Since they remain responsible from a supervisory perspective for all outsourced IT processes and activities, they must monitor their service providers constantly to ensure that these perform the tasks they have been entrusted with in a due and proper manner, and must be mindful of outsourcing risks at all times.

BaFin to inspect implementation

BaFin will use supervisory IT inspections of payment and e-money institutions to monitor the ZAIT’s implementation.

At a glance: This could also interest you

BaFin has updated its Minimum Requirements for Risk Management (MaRisk) and its Supervisory Requirements for IT in Financial Institutions (BAIT) (updated versions currently only available in German).

Author

Renate Essler
BaFin Division GIT 4 – IT Inspections and Inspection Support

Please note

This article reflects the situation at the time of publication and will not be updated subsequently. Please take note of the Standard Terms and Conditions of Use.
