These are the requirements that banking supervision places on banks’ IT
In 2017, the German Federal Financial Supervisory Authority (BaFin) issued the circular “Banking Supervisory Requirements for IT” (BAIT), which sets out requirements that banks and credit institutions must comply with in terms of information security.
The BAIT requirements now comprise a total of 12 chapters, which include both governance and technical measures.
We will show you what steps you need to take as a financial services provider to ensure BAIT compliance.
What is BAIT?
In 2017, the German Federal Financial Supervisory Authority (BaFin) sent out the first version of the “Banking Supervisory Requirements for IT” (BAIT).
Based on Section 25a of the German Banking Act (KWG), BAIT imposes obligations on banks with regard to risk management and the establishment of internal control procedures. It specifies the requirements that financial service providers must meet with regard to their information security.
The BAIT requirements apply only to financial companies in Germany, which must, however, also comply with international regulations. BAIT is to be distinguished from MaRisk, the minimum requirements for risk management.
MaRisk is also a BaFin circular, but it dates back to 2005, deals primarily with risk management and does not address IT security in any detail.
Current changes to BAIT
Two updates supplement the original circular from 2017.
Requirements for critical infrastructures were added in 2018.
The new section contains measures to achieve the KRITIS protection targets.
Banks are considered critical infrastructure once certain thresholds are reached.
These thresholds are 15 million transactions for cash supply and 100 million transactions for account management.
As a result of the NIS2 directive, financial companies with more than 50 employees or an annual turnover of more than 10 million euros are now also considered critical infrastructure.
Three new chapters were added in 2021: operational information security, IT emergency management and the management of relationships with payment service users.
Security measures were further specified and requirements on outsourcing were added.
BAIT requirements at a glance
Below we give you an overview of the 12 chapters of BAIT.
In addition, companies are obliged to comply with common standards such as ISO 27001 and to keep their technology up to date.
Meet BAIT requirements with the BAYOOSOFT Access Manager
Automated solutions can reduce the organizational effort that BAIT requirements entail.
With the BAYOOSOFT Access Manager, the effort required for the identity and rights management chapter can be kept low while still being implemented and documented in an audit-proof manner.
It can be easily integrated into existing systems and helps to manage and document user accounts and access rights.