The use of IT is of fundamental importance for the finance industry. After having already published two circulars on supervisory IT requirements for financial institutions and insurance undertakings in the past (BAIT and VAIT), the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin) has now also published a circular on the supervisory requirements for IT in fund management companies (Kapitalverwaltungsaufsichtliche Anforderungen an die IT – KAIT) on 1 October 2019.
The new circular specifies the relevant rules set out in the German Capital Investment Code (Kapitalanlagegesetzbuch – KAGB), the German Regulation on the Rules of Conduct and Organisational Rules pursuant to the Capital Investment Code (Verordnung zur Konkretisierung der Verhaltensregeln und Organisationsregeln nach dem Kapitalanlagegesetzbuch – KAVerOV) and Delegated Regulation (EU) No 231/2013 (AIFM Level II Regulation). Also, KAIT substantiates BaFin’s earlier circular on minimum requirements for the risk management of fund management companies (Mindestanforderungen an das Risikomanagement von Kapitalverwaltungsgesellschaften – KAMaRisk).
In KAIT, BaFin deals with eight topics:
- Sustainable IT strategy;
- IT governance;
- Information risk management;
- Information security management;
- User access management;
- Requirements for IT projects and application development;
- Requirements for IT operations (including data backup); and
- Outsourcing and other external procurement of IT services.
IT Strategy: The management board should define an IT strategy. Such strategy must contain a certain minimum content, for example, verifiable objectives. Furthermore, the IT strategy should serve as the basis for the organisational and operational structure of IT.
IT Governance: Any business activity implemented or supported by IT should be operated on the basis of organisational guidelines, that is, on the basis of workflow descriptions. In the event of disruption of IT systems, contingency measures must be implemented.
Information risk management: To ensure proper information risk management, the fund management company must define and coordinate tasks, competences, responsibilities, control and communication channels, and it must set out a catalogue of measures.
Information security management: The fund management company should agree an information security policy and an independent information security officer must be appointed. This information security officer is responsible for all information security issues within the company and with regard to third parties.
User access management: User access must respect the “Need-to-Know” and the “segregation of duties” principles as well as avoid conflicts of interest. Approval and control processes should ensure compliance with the user access concepts. Further, it must be ensured that any non-personal access right can be traced back to an active person at all times.
IT projects, application development: Before a material modification to the IT systems is applied, a risk analysis must be carried out and tests performed. When developing an application, appropriate arrangements shall ensure confidentiality, integrity, availability and authenticity of the data to be processed.
IT operations, data backup: Disruption management must be documented, covering the handling of the disruption, the analysis of its causes and the identification of solutions. An orderly process for analysing possible correlations between disruptions and their causes must be in place. A data backup strategy must be set out in writing.
Outsourcing, external procurement of IT services: A risk assessment must be performed both prior to an external procurement of IT services and on a regular basis thereafter. The contractual arrangements should take appropriate account of the measures derived from this risk assessment.
The requirements set out in KAIT are not exhaustive. On a case-by-case basis, fund management companies may be required to take additional precautions.