Regulatory requirements in the German banking system

In the course of the increasing digitalization of the world of work and life, German banks are facing new challenges. As a result, growing competition in financial services and customer expectations have been developing strong pressure to adapt and change for several years. New technologies such as artificial intelligence and the widespread use of cloud-based scalable services are accelerating digitization. Existing information technology support for banking processes is being further promoted.

As a result, banking system in Germany has been subject to significant regulatory change in recent years.

Data security, cybersecurity, data governance, third-party vendors, and data privacy in financial institutions are under constant scrutiny.

Furthermore, on 14 September 14 2018, the supervisory authority BaFin adopted the Bank IT Supervisory Requirements (BAIT) in the form of a circular (BaFin circular 10/2017) as a requirement for the use of the issued ICT system for the German banking industry.

BAIT is to be understood as a specification for the minimum requirements for risk management (MaRisk) for the introduction and operation of ICT systems in banks. Based on Section 25a (1) of the German Banking Act (KWG), this circular provides a flexible and practical basis for the technical and organizational equipment of institutions, in particular for IT resource management and IT risk management.

In Germany, BaFin requires banks to document all applications in use and their development in a way that is clear and comprehensible to knowledgeable third parties.

The documentation of the application includes at least the following contents: user documentation, technical system documentation, operational documentation; for example, versioning of the source code and requirements documents contributes to the traceability of the application development.

As part of the application development, appropriate security measures should be taken, depending on the protection requirements, to ensure that the confidentiality, integrity, availability and authenticity of the processed data are reliably guaranteed once the application is operational.

BaFin provides the following relevant safeguards: input verification, system access control, user authentication, transaction authorization, system activity logging, audit logs, security event tracking, exception handling.

In this regard, banks in Germany must define and implement a methodology for testing applications prior to their initial deployment and after significant changes. The scope of testing includes application functionality, security controls, and system performance under various stress scenarios. The entity responsible for the application is responsible for functional acceptance testing. The test environment for performing acceptance testing shall be consistent with the production environment in aspects essential to the test. Test activities and test results must be comprehensively documented.

Test documentation shall include at least the following items: test case description, documentation of the underlying parameterization of the test case, test data, expected test result, achieved test result, actions derived from the tests.

Banking regulation is not a completed process. Issuing regulations is one thing, monitoring compliance is another. But those who carefully comply with regulatory requirements are not only well prepared for the challenges ahead, but also benefit if all internal IT processes, accounting, data management or controlling function smoothly.