BaFin demands higher hurdles for IT outsourcing
SECURITY INSIGHTS | 3 September 2020
In the August issue of the BaFin Journal, Raimund Röseler, Executive Director Banking Supervision, speaks about the current digital threat to the financial industry and what challenges BaFin sees in outsourcing to IT service providers.
According to Röseler, the coronavirus pandemic is also acting as an accelerator of digitization in the financial industry and has brought to light shortcomings in the virtual processes of a number of banks. Most of these are due to carelessness in protecting and sharing data. The supervisory authority sees mistakes being made both by the banks themselves and by the IT service providers they use for outsourcing.
Basically, Röseler would rather see the data of companies in the financial industry “in the cloud of a service provider that knows a lot about security than on an old server in the basement of the bank.” However, outsourcing to global big tech companies in particular poses risks, as these companies have little interest in local regulations and cannot be sanctioned.
The outsourcing of central IT services and IT security in the financial industry is subject to the toughest regulatory requirements. They are even stricter when it comes to “material outsourcing,” as defined in BaFin’s Minimum Requirements for Risk Management (MaRisk AT9) and section 25b of the Banking Act (KWG).
As a result, IT service providers in the financial sector are already faced with strict requirements in terms of compliance, IT security, risk management, data protection, and reporting. Few service providers are able to fully meet these requirements. Röseler also calls for direct control and punitive options if needed to force IT service providers to comply with regulatory requirements.
As a long-established IT security provider in the financial industry, we are observing a clear trend toward stricter enforcement by BaFin when auditing outsourcing in IT security. This is increasingly prompting banks to assess outsourcing of this kind as material outsourcing from the start. Röseler’s call for control and enforcement options for IT service providers is an expression of this development. As a result, BaFin wants to raise the bar even higher. For this reason, banks must carefully examine which service provider can actually guarantee compliance with the requirements.
On the other hand, IT service providers are also facing challenges. Anyone who wants to be perceived as a reliable partner in the financial industry must not shy away from a visit by BaFin. What’s more, an active exchange of information between IT service providers and the supervisory authority is now required in order to translate increasingly stringent requirements into user-friendly solutions. The financial industry can only benefit from such cooperation when products and service providers that meet BaFin’s requirements are clearly identifiable.