Threat, security measure, regulation
IT threats must be countered by suitable IT security measures in order to reduce the residual risks to an acceptable level – this is also referred to as bank compliance. This is not only dictated by common sense. Regulators are also increasingly imposing rules on institutions, IT service providers and FinTechs with the aim of creating uniform IT security standards. With BAIT (Bankenaufsicht IT), the German Federal Financial Supervisory Authority (BaFin) has defined requirements for information security. This gives concrete form to the MaRisk rules for banking IT that have been in place for a long time.
The “Payment Service Directive 2” (PSD2), which is valid throughout Europe, can certainly be understood as a further development of the Minimum Requirements for the Security of Internet Payments (MaSI). It makes additional security requirements mandatory for payment institutions and service providers. For example, PSD2 regulates account access for third parties for the first time and sets requirements for authentication (“strong customer authentication”).
In addition, the supervisory authorities impose reporting obligations on banks: IT security incidents must be reported not only to BaFin, but from 2018 also to the Federal Office for Information Security (BSI) if a critical infrastructure in the financial sector is affected. To sustainably strengthen the cyber resilience of financial market infrastructures, the ECB’s Euro Cyber Resilience Board published TIBER-EU in 2018, a framework for conducting recognised penetration tests across Europe.
Conformity and security from the recognised assessor
In countless projects with supervisory authorities, institutions, IT service providers and association representatives, SRC’s consultants have built up extensive know-how. They pass this knowledge on to clients in workshops, webinars, training courses, implementation plans and projects. SRC supports institutions, IT service providers and FinTechs in applying common standards to the design of their IT systems and processes.
The German Federal Office for Information Security (BSI), the Payment Card Industry (PCI) and the German banking industry have recognised SRC as a security assessor. On this basis, SRC consultants will work with you to draw up declarations of conformity and security reports that you can use to demonstrate compliance with regulatory requirements to auditors and supervisory authorities.
Experience, design, advice
The requirements are often only principle-based. Therefore, institutions, payment service providers and FinTechs need an interpretation of the regulatory requirements. The diverse experience gained in client projects and the exchange of information with regulators and stakeholders enable SRC to interpret the requirements, identify redundant regulatory requirements and consolidate them with the perspectives of other market participants.
You can rely on the evidence of compliance with regulatory requirements that you produce together with SRC: it enjoys a high level of recognition and trust from the supervisory authorities, due in part to the large number of recognitions SRC has received.