Erscheinung:18.03.2024 | Topic Measures Deutsche Bank AG: BaFin imposes administrative fine
The Federal Financial Supervisory Authority (BaFin) has imposed an administrative fine of 50,000 euros on Deutsche Bank AG. The fine was imposed because BaFin ascertained that the institution had communicated incorrect information regarding a major customer-relevant IT security incident occurring in the provision of payment services in 2023. Moreover, the bank had informed BaFin of the incident with a significant delay.
The administrative fine order is final and binding.
Background information
Financial institutions are obliged to inform BaFin without delay if a major operational or security incident occurs in the provision of payment services.
Once a company identifies an incident, it must classify the incident as either major or non-major within 24 hours at the latest. If all the necessary information is available, the company must categorise the incident without delay.
If an operational or security incident is deemed to be major, the payment service provider must report it within four hours (initial notification). The payment service provider must use BaFin’s reporting and publishing platform (MVP Portal) to submit the notification.
If an incident is categorised retrospectively as major, the company must send an initial notification to BaFin immediately after making this categorisation change.
