Infosec Banking Regulation

A compilation of the main regulations and guidelines related to information security for the financial industry in Germany.

• Please refer to the folder highlights/ where the information security requirements have been highlighted for the corresponding regulations.

European Union

• DIRECTIVE 2013/36/EU, on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms

  • Art. 85: Operational risk
    • 1. Competent authorities shall ensure that institutions implement policies and processes to evaluate and manage the exposure to operational risk, including model risk, and to cover low-frequency high-severity events. Institutions shall articulate what constitutes operational risk for the purposes of those policies and procedures.
    • 2. Competent authorities shall ensure that contingency and business continuity plans are in place to ensure an institution's ability to operate on an ongoing basis and limit losses in the event of severe business disruption.

• Regulation (EU) No 526/2013, concerning the European Union Agency for Network and Information Security (ENISA): Cybersecurity Act, repealed by Regulation (EU) 2019/881.

• REGULATION (EU) No 575/2013, on prudential requirements for credit institutions and investment firms

  • (52) Operational risk is a significant risk faced by institutions requiring coverage by own funds.
  • Art. 4: Definitions
    • (52) operational risk means the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events, and includes legal risk;
  • Basic indicator approach
  • Standardised Approach
  • Advanced measurement approaches

• DIRECTIVE (EU) 2015/2366, on payment services in the internal market: Includes provisions related to information security, strong customer authentication, and data protection for electronic payment transactions within the EU.

• REGULATION (EU) 2016/679, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data: GDPR

• (EU) 2016/1148, concerning measures for a high common level of security of network and information systems across the Union NIS repeled by Directive (EU) 2022/2555.

• Regulation (EU) 2018/389, with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication: PSD2.

• DIRECTIVE (EU) 2018/1673, on combating money laundering by criminal law establishes minimum rules concerning the definition of criminal offences and sanctions in the area of money laundering.

• Regulation (EU) 2019/881, on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification

• REGULATION (EU) 2020/493, on the False and Authentic Documents Online (FADO) system.: The FADO system shall contain information on travel, identity, residence and civil status documents, driving licences and vehicle licences issued by Member States or the Union, and on false versions thereof.

  • PRADO's website

• REGULATION (EU) 2022/2554, on digital operational resilience for the financial sector: Requirements concerning the security the information and communication technology (ICT) supporting the business processes of financial entities.

• Directive (EU) 2022/2555, on measures for a high common level of cybersecurity across the Union: amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)

  • [Highlights](highlights/DIRECTIVE (EU) 2022.2555/README.md).

• Directive (EU) 2022/2557, on the resilience of critical entities:

  • Art 6. "Member State shall identify the critical entities for the sectors and subsectors set out in the Annex." form Juli 2023, Finanz und Versicherung are considered critial entities
  • Art. 8: "Member States shall ensure that Article 11 and Chapters III, IV and VI do not apply to critical entities" identified as Banking and Financial marked infrastructure. The obligation to cooperate and report(CHAPTER V) still remains.

• EU Artificial intelligence act (april 2021)

European Banking Authority (EBA)

• EBA/GL/2019/02: Guidelines on outsourcing arrangements
• EBA/GL/2019/04: Guidelines on ICT and security risk management
• EBA/RTS/2022/03: Regulatory Technical Standards on strong customer authentication and secure communication under PSD2
• Risk Dashboard
• Thematic Report on national financial education initiatives on digitalization, with a focus on cybersecurity, scams and fraud

Germany

• German Criminal Code: in particular

  • Section 202a Data espionage:

    • (1) Whoever, without being authorised to do so, obtains access, by circumventing the access protection, for themselves or another, to data which were not intended for them and were specially protected against unauthorised access incurs a penalty of imprisonment for a term not exceeding three years or a fine.
    • (2) For the purposes of subsection (1), data are only those which are stored or transmitted electronically, magnetically or otherwise in a manner which is not immediately perceptible.

  • Section 202b Phishing:

    • Whoever, without being authorised to do so, intercepts data (section 202a (2)) which are not intended for them, either for themselves or another, by technical means from non-public data transmission or from an electromagnetic broadcast from a data processing facility incurs a penalty of imprisonment for a term not exceeding two years or a fine, unless the offence is subject to a more severe penalty under other provisions.

  • Section 202c Acts preparatory to data espionage and phishing:

    • (1) Whoever prepares the commission of an offence under section 202a or 202b by producing, acquiring for themselves or another, selling, supplying to another, disseminating or making available in another way [...] incurs a penalty of imprisonment for a term not exceeding two years or a fine.

  • Section 202d Handling stolen data:

    • (1) Whoever procures, for themselves or another person, supplies to another person, disseminates or otherwise provides access to data (section 202a (2)) which are not generally accessible and which another person has obtained by an unlawful act for the purpose of personal enrichment or the enrichment of a third party or to harm another person incurs a penalty of imprisonment for a term not exceeding three years or a fine.

  • Section 203 Violation of private secrets

    • (3) A secret has not been revealed within the meaning of this provision if the persons referred to in subsections (1) and (2) give their professional assistants and those persons who work with them for the purposes of their professional training access to these secrets. The persons referred to in subsections (1) and (2) may reveal another’s secrets to other persons who are involved in their work or official duties to the extent that this is necessary in order to be able to use the service rendered by this other involved person; the same applies to other involved persons if they use additional people who are involved in the work or official duties of the persons referred to in subsections (1) and (2).
    • (4) Whoever, without being authorised to do so, reveals another’s secret which has become known to them in the exercise or on the occasion of their work as an involved person or in the performance of their duties as data protection officer for the persons referred to in subsections (1) and (2) incurs a penalty of imprisonment for a term not exceeding one year or a fine. The same penalty is incurred by whoever,
      • 1. as the person referred to in subsections (1) and (2), has not taken the necessary precautions to ensure that another involved person who has, without being authorised to do so, revealed another’s secret in the exercise or on the occasion of their work and has been formally put under an obligation to maintain secrecy; this does not apply to other involved persons who are themselves one of the persons referred to in subsection (1) or (2),
      • 2. as an involved person referred to in subsection (3), who uses another involved person who has, without being authorised to do so, revealed another’s secret in the exercise or on the occasion of their work and has not taken the necessary precautions to ensure that this person has been formally put under an obligation to maintain secrecy; this does not apply to other involved persons who are themselves one of the persons referred to in subsection (1) or (2) or
      • 3. as a person who, following the death of the person obliged to keep the secret as required by sentence 1 or subsection (1) or (2), reveals another’s secret which they had learned from the deceased or from their estate.

  • Section 261: Money laundering

    • (1) Whoever, in respect of an object derived from an unlawful act,
      • 1. hides it
      • 2. exchanges, transfers or takes it with the intent of preventing it being found, confiscated or its origin being investigated,
      • 3. procures it for themselves or a third party or
      • 4. keeps or uses it for themselves or a third party if they were aware of its origin at the time of obtaining possession of it
    • (2) Whoever hides or conceals facts which may be of relevance to an object as referred to in subsection (1) being found, confiscated or its origin being investigated incurs the same penalty.
    • (3) The attempt is punishable.

  • Section 263 Fraud

    • (1) Whoever, with the intention of obtaining an unlawful pecuniary benefit for themselves or a third party, damages the assets of another by causing or maintaining an error under false pretences or distorting or suppressing true facts incurs a penalty of imprisonment for a term not exceeding five years or a fine.
    • (2) The attempt is punishable.

  • Section 263a Computer fraud

    • (1) Whoever, with the intention of obtaining an unlawful pecuniary benefit for themselves or a third party, damages the property of another by influencing the result of a data processing operation by incorrectly configuring the computer program, using incorrect or incomplete data, making unauthorised use of data or taking other unauthorised influence on the processing operation incurs a penalty of imprisonment for a term not exceeding five years or a fine.

  • Section 303 Criminal damage

    • (1) Whoever unlawfully damages or destroys an object belonging to another incurs a penalty of imprisonment for a term not exceeding two years or a fine.
    • (2) Whoever, without being authorised to do so, substantially and permanently alters the appearance of an object belonging to another incurs the same penalty.
    • (3) The attempt is punishable.

  • Section 303a Data manipulation

    • (1) Whoever unlawfully deletes, suppresses, renders unusable or alters data (section 202a (2)) incurs a penalty of imprisonment for a term not exceeding two years or a fine.
    • (2) The attempt is punishable.

  • Section 303b Computer sabotage

    • (1) Whoever interferes with data processing operations which are of substantial importance to another by
      • 1. committing an offence under section 303a (1),
      • 2. entering or transmitting data (section 202a (2)) with the intention of adversely affecting another or
      • 3. destroying, damaging, rendering unusable, removing or altering a data processing system or a data carrier incurs a penalty of imprisonment for a term not exceeding three years or a fine.
    • (2) If the data processing operation is of substantial importance for another’s business, enterprise or an authority, the penalty is imprisonment for a term not exceeding five years or a fine.

• Banking Act (Kreditwesengesetz - KWG):

  • Section 24c Automated access to account details
    • (6) The credit institution and BaFin shall put in place state-of-the-art measures to safeguard data protection and data security, which in particular shall guarantee the confidentiality and integrity of the retrieved and transmitted data. The state of the art will be defined by BaFin in consultation with the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) by a procedure of BaFin's choice.

• German Data Protection Act (Bundesdatenschutzgesetz - BDSG): This law supplements the GDPR and provides additional provisions for data protection in Germany.

• Payment Services Oversight Act (Zahlungsdiensteaufsichtsgesetz - ZAG): If the bank provides payment services, this act sets out specific requirements for the security of payment systems and customer data protection.

• Critical Infrastructure Regulation (KritisV): If a bank is classified as a critical infrastructure provider, it is subject to additional security requirements under this regulation.

  • Criteria to classify as a critical infrastructure provider

• BSI-Gesetz-BSIG (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik)

  • In particulare the Section 8a

• Geldwäschegesetz (Money Laundering Act)

  • Part 4 Transparency Register
    • Section 18 Establishment of the transparency register and the registrar entity. (5) The registrar entity establishes an information security concept for the transparency register, from which the technical and organisational measures taken to protect data are derived.

BAFin circulars

• Rundschreiben 05/2023 (BA)- Mindestanforderungen an das Risikomanagement - MaRisk

• Rundschreiben 10/2017 (BA) - Bankaufsichtliche Anforderungen an die IT - BAIT

• Rundschreiben 11/2021 (BA) - Zahlungsdiensteaufsichtliche Anforderungen an die IT von Zahlungs- und E-Geld-Instituten - ZAIT

  • (53) Beherrschung operationeller und sicherheitsrelevanter Risiken
  • (54) Meldung schwerwiegender Betriebs- oder Sicherheitsvorfälle
  • (55) Starke Kundenauthentifizierung

• Rundschreiben 4/2015 (BA) - Mindestanforderungen an die Sicherheit von Internetzahlungen (MaSI)

• Rundschreiben 10/2018 – Versicherungsaufsichtliche Anforderungen an die IT (VAIT) in der Fassung vom 03.03.2022