Published On: 10. September 2024

These are the requirements that banking supervision places on banks’ IT

In 2017, the German Federal Financial Supervisory Authority (BaFin) issued the circular “Banking Supervisory Requirements for IT” (BAIT), which sets out requirements that banks and credit institutions must comply with in terms of information security.
The BAIT requirements now comprise a total of 12 chapters, which include both governance and technical measures.
We will show you what steps you need to take as a financial services provider to ensure BAIT compliance.

What is BAIT?

In 2017, the German Federal Financial Supervisory Authority (BaFin) sent out the first version of the “Banking Supervisory Requirements for IT” (BAIT).
Based on Section 25a of the German Banking Act (KWG), this imposes obligations on banks with regard to risk management and the establishment of internal control procedures. BAIT specifies the requirements that financial service providers must meet with regard to their information security.
These only apply to financial companies in Germany, although it should be noted that they must also comply with international regulations. BAIT is to be distinguished from MaRisk, the minimum requirements for risk management.
This is also a BaFin circular, but dates back to 2005 and deals primarily with the topic of risk management and does not address IT security in more detail.

Current changes to BAIT

Two updates supplement the original circular from 2017.
Requirements for critical infrastructures were added in 2018.
The new section contains measures to achieve the KRITIS protection targets.
Once certain thresholds are reached, banks are considered critical infrastructure.
These are 15 million transactions for cash supply and 100 million transactions for account management.
As a result of the NIS2 directive, financial companies with more than 50 employees or an annual turnover of more than 10 million euros are now also considered critical infrastructure.
Three new chapters were added in 2021: Operational information security, IT emergency management and management of relationships with payment service users.
Security measures were further specified and requirements on outsourcing were added.

BAIT requirements at a glance

Below we give you an overview of the 12 chapters of BAIT.

  • IT strategy
    The management must define a sustainable IT strategy that includes goals and concrete measures to achieve them.
    This includes defining responsibilities, emergency management and a number of other points.

  • IT governance
    This involves the implementation of and compliance with the IT strategy.
    Here too, responsibility lies with the management.
    It must ensure that guidelines are implemented and that those responsible are provided with the necessary resources.

  • Information risk management
    This includes setting up appropriate monitoring and control processes to ensure the security of data.
    In addition, potential vulnerabilities must be checked regularly.

  • Information security management
    This includes measures to anchor IT security in an organization in the long term.
    A guideline must be adopted and communicated internally.
    Appropriate guidelines, processes and an information security officer are required for implementation.

  • Operational information security
    This includes specific technical steps to ensure the security of digital workflows.
    In this way, relevant security incidents can be identified and appropriate measures initiated.
    Simulated attacks are also carried out to test security.

  • Identity and rights management
    This ensures that only authorized users can access IT systems and sensitive data.
    BAIT requires an authorization concept based on the principle of least privilege.
    In addition, changes to users and authorizations must be documented.
    Appropriate software solutions can provide support here.

  • IT projects and application development
    An impact analysis is required before significant changes are made to systems.
    Data must continue to be protected and methods for testing applications must be defined.

  • IT operations
    Organizations must accurately document the location of their systems and their owners.
    This allows them to keep track of programs and components.

  • Outsourcing and other external procurement of IT services
    Before using external software and services such as cloud services, a risk assessment must be carried out, which must be reviewed regularly.

  • IT emergency management
    An emergency concept must be developed that covers recovery and business continuity during emergencies.
    Corresponding dependencies within the IT systems and with external service providers must be taken into account.

  • Management of relationships with payment service users
    Payment service users must be informed about potential security risks and given the opportunity to customize certain functions.
    Institutions must provide users with advice and set up appropriate communication channels.

  • Critical infrastructure
    This section only applies to those organizations that have been classified as critical infrastructure.
    They must comply with the KRITIS protection objective and emergency measures.
    Payment transactions and cash supply must also be maintained in the event of an emergency.

In addition, companies are obliged to comply with common standards such as ISO 27001 and to use current technology.

Meet BAIT requirements with the BAYOOSOFT Access Manager

Automated solutions can reduce the organizational effort that BAIT requirements entail.
With the BAYOOSOFT Access Manager, the effort required for the identity and rights management section can be limited and still be mapped in an audit-proof manner.
It can be easily integrated into existing systems and helps to manage and document user accounts and access rights.

More information security with our Access Manager

Your solution for file servers, SharePoint, Active Directory and third-party systems – From standardizing user and access management to supporting the provision of IT services: Optimize entire process chains with the BAYOOSOFT Access Manager and sustainably reduce operational costs while increasing information security at the same time.

Is your company looking for a strong partner for management software solutions?

Contact us now and we will present our products to you without obligation. 
