IT threats must be countered with appropriate IT security measures that reduce the residual risk to an acceptable level. This is not merely a matter of common sense: the supervisory authorities are regulating institutions, IT service providers and FinTechs ever more closely with the aim of establishing uniform IT security standards. The German Federal Financial Supervisory Authority (BaFin) has set out its requirements for information security in the BAIT (Bankaufsichtliche Anforderungen an die IT, the Supervisory Requirements for IT in Financial Institutions). The BAIT make concrete the IT-related requirements of the MaRisk (Minimum Requirements for Risk Management), which have applied to banks for many years.
The EU-wide Payment Services Directive 2 (PSD2) can be read as the successor to the Minimum Requirements for the Security of Internet Payments (MaSI). It obliges payment institutions and payment service providers to meet additional security requirements: for the first time it regulates account access by third-party providers, and it mandates strong customer authentication.
In addition, the supervisory authorities impose reporting obligations on banks. IT security incidents must be reported not only to BaFin but, from 2018, also to the Federal Office for Information Security (BSI) whenever a critical infrastructure in the financial sector is affected.