Get ready for the coming BAIT audit

At the end of 2017, the German federal financial supervisory authority (BaFin) released a circular providing details about its requirements for IT security and processes at German credit institutions. Called BAIT, or Bankaufsichtliche Anforderungen an die IT, the circular defines what the regulator sees as adequate technical and organizational resources for IT systems. The focus is on information security and contingency management.

Now Germany’s systemically relevant financial services companies will be audited for their compliance with BAIT, and many are performing internal pre-audits to make sure that their diverse IT systems work together properly and that they can demonstrate system continuity.

In the run-up to the audits, I want to share three points of advice for companies that will soon go under the BaFin microscope.

Discuss contracts and BAIT requirements with outsourcing partners

My first recommendation is to review contracts with your outsourcing partners and discuss the dependencies your company has with them. The goal should be to understand if your outsourcing partners are compliant with BAIT.

Companies can also conduct a risk evaluation for each outsourcing partner. To whom does that outsourcing partner sub-contract, and is that company also BAIT compliant? Are the data protection laws of your hosting provider’s home country stringent enough to meet BaFin requirements?

Let’s say an IT system fails. Is there an emergency communication plan in place for business continuity that is in line with your own plan? Is it written into the contract that the outsourcing partner must give priority to restarting your systems first in the event of failure (as opposed to your competitor bank)?

These are all questions your company will need to answer for your own business continuity and also for BaFin.

Get a data flow map from your outsourcing partner

Second, companies need a plan that maps the flow of data internally and at their outsourcing partners. If a computer must be restarted due to a failure, companies need to make sure that it receives the data inflows it needs to do its job once it is back up and running. This may sound basic, but in a highly networked environment data flows are not always obvious. That is why they should be mapped in a chart or system.

Many companies have this level of detail about the applications they run in-house, but not necessarily the same information about what happens at external hosting sites. For this reason, your company should begin now to obtain this information from your outsourcing partners.

In the past, outsourcing partners were often focused on fulfilling their Service Level Agreements. Now they must do more. I do expect some credit institutions to change outsourcing providers in preparation for BAIT audits, or in their aftermath.

Data quality – are your interfaces working together?

My third recommendation relates to data quality, something that was addressed in BaFin’s Minimum Requirements for Risk Management, known as MaRisk. MaRisk was first published in 2012 and revised in 2017, and the BAIT circular released at the end of 2017 shows concretely the level of IT systems that must be in place to meet minimum risk management requirements.

Banks must be able to show that their IT system interfaces are working together properly and illustrate the dependencies in their information flows.

Call it dependency accounting, if you will. In the end, financial services companies have to be able to account for the risks that result from their data dependencies and to categorize those risks to show that business continuity is ensured. And this is more than just an exercise in appeasing BaFin. It is in the best interests of each and every financial institution.
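The data flow map from the second recommendation and the "dependency accounting" of the third are the same artifact viewed two ways: once the flows between systems are recorded, you can derive which feeds a restarted system needs, which systems a failure knocks out downstream, which outsourcing partner you are exposed through, and whether any system in the map has no documented owner. The following Python example is added here to illustrate that; it is not code from the post or from BaFin, and every system, partner and data-flow name in it is constructed for the illustration.

```python
"""Dependency accounting over a data-flow map (added illustration).

All system names, partner names and flows below are constructed sample data,
not a real institution's map and not anything prescribed by BAIT.
"""
from collections import defaultdict, deque

# One entry per data flow: (source system, target system, what is sent).
FLOWS = [
    ("core-banking", "risk-engine", "positions"),
    ("market-data-feed", "risk-engine", "prices"),
    ("risk-engine", "regulatory-reporting", "exposures"),
    ("core-banking", "regulatory-reporting", "balances"),
    ("payments-hub", "core-banking", "settlements"),
]

# Who runs each system: "in-house" or an outsourcing partner (constructed).
HOSTING = {
    "core-banking": "in-house",
    "risk-engine": "in-house",
    "market-data-feed": "partner-A",
    "regulatory-reporting": "partner-B",
    "payments-hub": "partner-A",
}


def build_graph(flows):
    """Return (upstream, downstream) adjacency sets derived from the flows."""
    upstream, downstream = defaultdict(set), defaultdict(set)
    for src, dst, _ in flows:
        upstream[dst].add(src)
        downstream[src].add(dst)
    return upstream, downstream


def required_inflows(flows, system):
    """The feeds a system must receive again once it is restarted."""
    return sorted((src, data) for src, dst, data in flows if dst == system)


def impacted_systems(flows, failed):
    """Every system downstream of a failure, directly or transitively."""
    _, downstream = build_graph(flows)
    seen, queue = set(), deque([failed])
    while queue:
        for nxt in downstream[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen)


def unmapped_systems(flows, hosting):
    """Systems that appear in a flow but have no documented operator."""
    systems = {s for flow in flows for s in flow[:2]}
    return sorted(systems - set(hosting))


def restart_order(flows):
    """Bring feeds up before their consumers (Kahn's topological sort).

    A cycle means the map is inconsistent for restart planning, so it is an error.
    """
    upstream, downstream = build_graph(flows)
    systems = {s for flow in flows for s in flow[:2]}
    indeg = {s: len(upstream[s]) for s in systems}
    queue = deque(sorted(s for s in systems if indeg[s] == 0))
    order = []
    while queue:
        node = queue.popleft()
        order.append(node)
        for nxt in sorted(downstream[node]):
            indeg[nxt] -= 1
            if indeg[nxt] == 0:
                queue.append(nxt)
    if len(order) != len(systems):
        raise ValueError("cycle in data-flow map; resolve it before planning restarts")
    return order


def partner_exposure(flows, hosting):
    """For each outsourcing partner, the in-house systems that depend on it."""
    exposure = defaultdict(set)
    for system, operator in hosting.items():
        if operator == "in-house":
            continue
        for hit in impacted_systems(flows, system):
            if hosting.get(hit) == "in-house":
                exposure[operator].add(hit)
    partners = {op for op in hosting.values() if op != "in-house"}
    return {p: sorted(exposure[p]) for p in sorted(partners)}


if __name__ == "__main__":
    print("restart order:", restart_order(FLOWS))
    print("risk-engine needs:", required_inflows(FLOWS, "risk-engine"))
    print("if core-banking fails:", impacted_systems(FLOWS, "core-banking"))
    print("partner exposure:", partner_exposure(FLOWS, HOSTING))
    print("unmapped systems:", unmapped_systems(FLOWS, HOSTING))
```

The `partner_exposure` output is the piece to compare against the outsourcing contracts from the first recommendation: a partner whose feeds reach several in-house systems is one whose restart priority and sub-contracting you need in writing. `unmapped_systems` is the quickest way to find the gap the second recommendation warns about, a system that sends or receives data but whose operator nobody has recorded.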