BaFin published the new BAIT on August 16, 2021, and the 6th amendment to the Minimum Requirements for Risk Management in Banks (MaRisk) came into force at the same time. The supervisory authority's main focus here is on extensions and clarifications to the IT risk requirements as a result of the new BAIT.
But what are BAIT anyway?
BAIT set out the supervisory requirements for IT. They make concrete the abstract statements of the Minimum Requirements for Risk Management as they relate to information security at credit institutions and financial services providers. The main aim of BAIT is to protect institutions from potential IT risks through preventive measures and guidelines that limit damage.
What does this mean for the industry?
Since the publication of the new regulations, the associations representing the interests of various institutions have been increasingly concerned with the significance of BaFin's new requirements and the legal implications for the industry. To this end, there have been various statements and discussion groups which, among other things, have obtained an extended transitional period for factoring institutions until December 31, 2022. This concerns the new features of the 6th MaRisk amendment, not the clarification of existing requirements. Specifically, this requires a prompt assessment and implementation of the existing and new requirements by the respective institutions.
Process design often proves to be difficult. The implementation of new innovative processes in existing software is often costly and laborious. Put an end to this - with our HENRI workflow generator! This allows you to design your processes flexibly, import new processes into the software at the touch of a button and activate them for immediate use.
How much am I affected? What does this mean for me?
The question of proportionality, and whether the rules apply uniformly to small institutions, has been discussed many times. In principle, all institutions are affected by the new rules. However, the BaFin circular of October 2021 establishes proportionality by means of the general opening clause. This states that financial services institutions must comply with MaRisk to the extent that appears necessary in view of the size of the institution and the nature, scope, complexity and risk content of its business activities. Nevertheless, every institution is required to deal with the issues and to document in writing its procedure and the extent to which the requirements apply to its own institution. This documentation must be submitted in the event of an audit.
What does this mean for software manufacturers? What requirements must my current or potential manufacturer fulfill?
Basically, we see two main topics for software manufacturers that must be considered separately from each other with regard to BaFin's risk requirements.
- The organization and process design in product manufacturing: Software manufacturers specializing in the financial services sector must apply standards that meet the requirements of the supervisory authority as early as the product development stage. This requires regular revision and adaptation of existing processes.
- The performance and quality of the product itself: Irrespective of the product development, the quality of the product must be guaranteed to the extent that the software provides valid data for the various reporting obligations. Availability and performance must also be ensured.
We will look at what needs to be considered during software operation in another blog post.
How does NAVAX deal with these additional requirements?
NAVAX is IDW PS 330 audited and ISO certified. Our annual IT audit recently took place and already covered all of the new requirements that affected us last year. We have had regular audits of software development and maintenance carried out by an independent auditor since 2012.
In this way, we protect our customers and provide proof of the legal certainty and MaRisk compliance of our software and its development. The audits are carried out on the basis of agreed, risk-oriented IT audit plans. Our auditor has undertaken to comply with all banking supervisory regulations and, in particular, to fully meet the requirements set out in Section 25b of the German Banking Act (KWG) and the current MaRisk amendment by BaFin.
Due to our bank-like auditing practice, we are only too familiar with the efforts and challenges imposed on the industry by the supervisory authorities. Nevertheless, we see significant added value in auditing, which leads to a continuous improvement process and actively supports us in designing our processes, particularly from a risk perspective, which naturally benefits our customers.
Conclusion
The additional requirements resulting from BAIT are primarily intended to protect companies from potential IT risks. They promote prevention and damage minimization. This is also important to us at NAVAX. We are ISO certified and IDW PS 330 audited.