MaRisk is the acronym for the Minimum Requirements for Risk Management, a circular issued by the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin) that sets out the supervisory concepts for risk management. The MaRisk are to be complied with by all institutions within the meaning of Section 1.
German financial services supervisor clarifies supervisory requirements on IT systems, processes and governance in financial institutions. The rapidly expanding provision of IT-based financial services as well as banks’ and financial institutions’ increasing internal reliance on IT processes put new challenges on supervisors.
To keep pace with this development, the BaFin has introduced a range of supervisory measures. Though the BAIT (Bankaufsichtliche Anforderungen an die IT, the supervisory requirements for IT in financial institutions) does not set forth legally binding requirements, it specifies the BaFin’s expectations on compliance with IT requirements in financial institutions. In this regard the BAIT has a significant impact on the market: in-scope firms will want to implement and adhere to the principles-based requirements of the BAIT, as non-compliance might bring them into the supervisor’s focus.
In this regard, the BaFin has already announced in the January edition of its monthly journal, that it will “actively put forward in the discussion” the BAIT as regards the planned EU-wide harmonization of requirements on the management of IT risks.
For further information on the updates to the MaRisk please see our Client Alert, which forms part of this briefing series. In-scope firms include inter alia credit and financial institutions within the meaning of the KWG as well as German branches of third country firms providing banking business or financial services in Germany (third country branches).
The management board must define an IT strategy that is consistent with the institution’s business strategy and contains at least the minimum requirements specified in the BAIT. Amongst others, these requirements include the strategic development of the institution’s organizational and operational structure of IT and of the outsourcing of IT services, the responsibilities and integration of information security into the organization and the strategic development of the IT architecture.
In-scope firms must provide for a structure to manage and monitor the operation and further development of IT systems, including related IT processes, on the basis of the IT strategy (IT governance). As part of this, the institution must ensure e. As part of information risk management, institutions must set up a catalogue of target measures which specifies and suitably documents the institution’s requirements for implementing the protection objectives “integrity”, “availability”, “confidentiality” and “authenticity” in the various categories of protection requirements.
The BAIT further specifies the requirements on the risk analysis and the reporting to the management board on information risks. It is the management board’s responsibility to agree an information security policy and to communicate this within the institution.
The information security policy should serve as the basis for more specific information security guidelines and processes in the institution. Further, an independent “information security officer function” must be established within the in-scope firm’s organization.
The information security officer is responsible for all information security issues within the institution and with regard to third parties and must report to the management body on the status of information security regularly, at least once a quarter, and on an ad hoc basis. Under certain conditions regionally active institutions and small institutions can appoint a joint information security officer.
Under the BAIT, user access management should be based on user access rights concepts.
By way of technical and organizational measures, institutions must ensure that circumvention of the requirements contained in the user access rights concepts is excluded. The processing of access rights (setting up, changing etc.). Institutions must establish an organizational framework for IT projects and manage IT projects, including the IT project portfolio in its entirety, appropriately.
Major IT projects and IT project risks are subject to reporting to the management body regularly and on an ad hoc basis. Further, institutions must base their application development on defined and appropriate processes. Appropriate arrangements must ensure that, after the application goes live, the confidentiality, integrity, availability and authenticity of the data to be processed are comprehensively assured.
Applications must be tested on the basis of a defined testing methodology. Further, the BAIT specifies inter alia the processing of change requests for IT systems and the setting up of a data backup strategy.
Under the BAIT, risk assessments must be conducted prior to each instance of “other external procurement of IT services”.
According to the MaRisk Interpretative Guide (Auslegungshilfe), “other external procurement of IT services” does not qualify as “outsourcing” within the meaning of the MaRisk. In light of the BAIT, institutions should prudently review and, where necessary, amend their IT arrangements and processes.
Apart from the purely technical side, the BAIT’s impact on institutions’ general organizational set-up and governance arrangements must be analyzed and necessary amendments made.
In this regard, particular focus should be on the establishment of the information security officer function. With the requirement of at least quarterly reporting to the management board the BAIT underlines the significance of this function within institutions’ internal control framework.
Further, the BAIT emphasizes once more the necessity that the management board displays the required IT competency and assumes the ultimate responsibility for financial institutions’ compliance with the supervisory requirements on IT.
The BAIT provides practical guidance on the BaFin’s expectations for compliance with IT requirements in financial institutions. For smaller firms, however, it might be difficult to identify which provisions allow for a flexible or simplified implementation. Further, institutions must take into account that the BAIT and the MaRisk do not compile the supervisory expectations for compliance with the requirements for IT in financial institutions in an exhaustive way. In this regard, the BAIT explicitly states that “the depth and scope of the topics addressed in this Circular is not exhaustive” and that “institutions shall continue to be required to apply generally established standards to the arrangement of the IT systems and the related IT processes in particular over and above the specifications in this Circular”.
Besides this, EU and national regulators provide guidance on the application of IT requirements in different fields. In-scope firms should also take into account that the BaFin plans to supplement the BAIT by further modules specifying requirements on IT emergency management, including testing and recovery procedures (IT-Notfallmanagement inklusive Test- und Wiederherstellungsverfahren).
The German regulator further considers adding a new module to the BAIT for the providers of critical infrastructures (Betreiber Kritischer Infrastrukturen). As a result, firms that are within the scope of the BAIT will need to carefully identify and compile the IT requirements applicable to them as a result of the BAIT and multiple other requirements stipulated in EU and local regulation as well as supervisory guidance. Moreover, in-scope firms may want to review and update their IT arrangements, project governance policies and procedures to ensure that justifications for certain actions and compliance measures can be evidenced and explained to supervisors.
Dentons is the world’s first polycentric global law firm. A top 20 firm on the Acritas Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways.
Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge.
Now the world’s largest law firm, Dentons’ team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than locations serving plus countries.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.