Threat, security measure, regulation
IT threats must be addressed with appropriate IT security measures so that the residual risk is reduced to an acceptable level. This is not just a matter of common sense: the supervisory authorities are increasingly regulating institutions, IT service providers and FinTechs with the aim of establishing uniform IT security standards. The German Federal Financial Supervisory Authority (BaFin) has set out its requirements for information security in the BAIT (Bankaufsichtliche Anforderungen an die IT, the supervisory requirements for IT in financial institutions). The BAIT thereby concretise the IT-related requirements of the Minimum Requirements for Risk Management (MaRisk), which have applied to banks for many years.
The second Payment Services Directive (PSD2), which applies throughout Europe, can be understood as a further development of the Minimum Requirements for the Security of Internet Payments (MaSI). It obliges payment institutions and payment service providers to meet additional security requirements. For example, PSD2 regulates account access by third-party providers for the first time and sets requirements for customer authentication (“strong customer authentication”).
In addition, the supervisory authorities impose reporting obligations on banks: IT security incidents must not only be reported to BaFin, but from 2018 onwards also to the Federal Office for Information Security (BSI) if a critical infrastructure in the financial sector is affected.
Compliance and security from a recognised expert
In countless projects with supervisory authorities, institutions, IT service providers and association representatives, SRC’s consultants have built up extensive expertise. They pass this knowledge on to customers in workshops, webinars, training courses, implementation plans and projects. SRC supports institutions, IT service providers and FinTechs in applying the common standards when designing their IT systems and processes.
The German Federal Office for Information Security (BSI), the Payment Card Industry Security Standards Council (PCI SSC) and the German banking industry have recognised SRC as a security expert. On this basis, SRC’s consultants work with you to draw up declarations of conformity and security reports with which you can demonstrate compliance with the regulatory requirements to auditors and supervisory authorities.
Experience, interpretation, consultation
The requirements are often principles-based rather than prescriptive. Institutions, payment service providers and FinTechs therefore need an interpretation of the regulatory requirements. SRC’s extensive experience from customer projects and its exchange with supervisory authorities and other stakeholders enable it to interpret the requirements, identify overlapping regulatory requirements and consolidate them with the perspectives of other market participants.
You can rely on evidence of compliance with regulatory requirements that has been prepared jointly with SRC: it enjoys a high degree of recognition and trust among the supervisory authorities, not least because of the large number of accreditations SRC has received.