Revised Banking Supervisory Requirements for IT
On August 16, 2021, BaFin published the revised "Supervisory Requirements for IT in Financial Institutions" (Bankaufsichtliche Anforderungen an die IT, BAIT) as a circular. The revision transposes the EBA "Guidelines on security measures for operational and security risks under the PSD2" and the EBA "Guidelines on ICT and security risk management" into national supervisory practice. At the same time, the "Minimum Requirements for Risk Management" (MaRisk) were amended and the "Payment Services Supervisory Requirements for the IT of Payment and Electronic Money Institutions" (ZAIT) were published.
Tougher requirements for credit institutions
With the amended BAIT, credit institutions face new and more stringent requirements. The most visible change is the addition of three new chapters.
The first is a dedicated chapter on operational information security, which moves day-to-day security operations into focus. Implementing its requirements in practice means operating a security information and event management system (SIEM) together with a Security Operations Center (SOC) that monitors it. Institutions must also carry out regular checks, such as gap analyses against the defined requirements, vulnerability scans, penetration tests and simulated attacks ("red teaming"). Taken together, these requirements amount to building a professional cyber security infrastructure and an information security function that is independent of IT operations.
The second new chapter covers IT contingency management (IT-Notfallmanagement). It consolidates the BAIT requirements with those of section AT 7.3 of MaRisk so that institutions work against a single, uniform set of national requirements. In addition, the requirements for contingency planning and precautions, business continuity management (BCM), disaster recovery and backup strategies, including the involvement of service providers, are tightened and made more precise.
The third new chapter, on the management of relationships with payment service users, is taken from the ZAIT. It requires institutions to actively inform and advise their payment service users about security-related risks, in particular fraud.
Mastering new challenges hand-in-hand
The changes pose major challenges for the institutions affected, in particular because of the specialist know-how they require and the limited supply of such expertise on the market. We are glad to advise and support you in implementing the regulatory requirements for information security and in preparing the evidence required by the supervisor.