Supervision and outsourcing
Implementation of the BAIT framework at a multi-client service provider
In recent years, BaFin's requirements for IT operations in banks have increased significantly. The key words here are the new MaRisk and BAIT, which were drafted in particular at the suggestion of the banking industry.
The "Bankaufsichtliche Anforderungen an die IT" (BAIT) formulate the expectations of the supervisory authorities for the management of the institutions with regard to the secure design of the IT systems and the associated IT processes. These include the
of data and the associated requirements for IT governance. The banks responded to this with a wide range of measures.
For us as an outsourcing service provider, the audit requirements on the client side resulted in a significant increase in the number of inquiries and questionnaires sent to us.
Handling queries individually, in the absence of overarching standards, especially for reporting, made it impossible to create synergies. We have therefore implemented a uniform, binding set of rules for all our data center clients for the design of our services in terms of processes, controls, communication and a BAIT-compliant reporting system. The diverse measures resulting from our BAIT implementation affect both the internal view at EFDIS and the design of the technical, organizational and process interfaces to our customers.
Looking back, we consider the comprehensive implementation of the BAIT requirements to be a very challenging task. We also attribute the good results to the close cooperation with our clients, who actively participated in many workshops and formulated their interests, ideas and wishes. The resulting set of rules has met with great acceptance because it was developed jointly and not simply enacted. Dealing with risk management in its sometimes very formal facets was certainly challenging, but it also provided valuable insights and findings that are of daily relevance and use to us.
Today, we offer our customers an all-round BAIT-compliant service in the standard package to relieve their burden with regard to supervision, auditing and review, and we clearly see this as a differentiating competitive factor.