Germany: BaFin study – even more effort due to supervision of value chains?

The German Federal Financial and Insurance Supervisory Authority (BaFin) recently published a final report on a study of the “Impact of changing value chains in the financial sector on IT security”.

The study examined three future scenarios based on three deliberately provoking theses and provides a small outlook on BaFin's future approach to IT security. The press release and final report are available in German.

The study and its scenarios

The University of Innsbruck, which was commissioned with the research project back in 2019, put forward the following three scenarios:

1. The more interfaces, the more cybercrime
2. Financial market actors will concentrate on few sector-specific IT service providers
3. Large IT service providers will force banks to become mere regulatory risk-bearers

The scenarios alone make it clear that the study focuses primarily on the loss of control by banks associated with market concentration and the corresponding risks.

The first scenario was based on the assumption that each open API increases the surface exposure that could be targeted by cybercriminals. Parallels were drawn with security vulnerabilities in HSMs (hardware security modules, i.e., hardware for protecting cryptographic keys). As a result of the gradual expansion of functions, the interaction of these services became unmanageable and therefore vulnerable. This would also apply to payment service providers, as these are monitored (only) individually by BaFin, but their interaction with each other may not be comprehensively assessed in all cases.  In addition, the legal distribution of liability would, in principle, be suitable for disciplining market participants, but transaction costs in the form of litigation and insolvency risks would nevertheless be (partially) accepted and transferred to the responsible party or its insurance company instead of addressing the cause, i.e., the vulnerability of the interface.

The second scenario is essentially based on the assumption that there is a tendency in the entire IT sector to outsource structures to large IT service providers. This competitive pressure would be further increased by legal requirements for interoperability (in particular Sec. 48 and 52 of the German Payment Services Supervision Act ‘ZAG’) and ultimately lead to IT service providers becoming systemically relevant.

The third scenario would be a logical consequence of the second one: (large) IT service provider would gain insights into their customers’ business logic and customer bases. Amazon Pay and Apple Pay were cited as examples here, which in turn act as a payment service vis-à-vis customers while the banks behind them may fade into the background as mere transaction agents.

Findings of the studies

While the study showed that the market participants surveyed rated the scenarios as not unrealistic and largely complete, it also showed that associated risks cannot necessarily be mitigated by more supervision.

For example, with regard to the first scenario, the study clearly states that there is agreement among market participants that “new technical interfaces are not the weakest link and cybercriminals are currently successful with simpler methods” (referring to phishing) and that this “would be true for the foreseeable future”.

Regarding the second scenario, it was also noted that although there was a strong "pressure to migrate to the cloud” within the industry, this mainly affects the office environments and supporting systems and rather less the core payment services.

While the third scenario was also confirmed in essence, this did not result from the big tech companies learning from their client’s data, because according to “plausible reasoning” “there would not be much to learn”. Rather, their future market dominance in the payments sector will follow from their sheer market power in the IT sector and the associated advantages in recruiting experts, which is why local regulation could only delay concentration, not stop it.

The researchers also noted that while high complexity makes it difficult for BaFin to fulfil its IT oversight responsibilities, the key question of whether this complexity arises exogenously from processes outside the banks’ sphere of influence (i.e., outside BaFIN’s oversight authority) or endogenously from banks’ strategic and technical decisions remains “largely unanswered”.

Recommendations for action

The authors therefore make various recommendations for action to BaFin the first of which the regulator has already acted on. These recommendations include the following four points:

1. PSD2 gateway measurements and testing
2. Creation of a sector map
3. Better use of available information
4. Closer cooperation with data protection authorities and competition authority

Although the authors themselves conclude that the study itself did not reveal any urgent need for action, they nevertheless recommend that BaFin takes preventive action against possible exploitation of the PSD2 gateway, in particular whether it meets the requirements of Articles 30 and 32 (1) of Regulation (EU) 2018/389. This could be done by own “risk exercises”, i.e. by accessing the interfaces by means of forged as well as by means of real but revoked eIDAS certificates, or by organizing “bug bounties”, i.e. competitions and rules on impunity for private or third party programmers.

According to the study, the creation of a sector map would involve a great deal of effort on the part of companies and the supervisory authority as well, but would still make sense. Similar to the Digital Operational Resilience Act (DORA), a register with extensive information should be created and should not be limited to existing service providers or two layers of detail, but should include all associated service providers. BaFin has already made initial adjustments in this regard, according to which companies should report more information on subcontractors and present it in a better way.

Along with this, the supervisory authority should use its “great leverage” and request more data from supervised parties so that “increasing complexity is not worthwhile for market participants, for example, by disproportionately increasing the burden on supervised parties compared to that of the IT supervisor”. In addition, it should also make greater use of other data sources, in particular public sources such as press reports or, in the area of cryptocurrencies, publicly available ledger and blockchain data.

Ultimately, BaFin shall also work more closely with data protection authorities and the antitrust authority, for example through “daily communication” and “synchronization of supervisory tasks” (which could mean coordinated large-scale audits).

Practical impact

If the interfaces are only one of many and thereby for cyber criminals a cumbersome way of data exfiltration, the migration of office services has priority over payment services and the market power of big tech companies cannot be prevented by local regulation anyways, the question arises what benefit further obligations with high expenditure for companies as well as BaFin shall provide. 

Nevertheless, this does not seem to stop the authors of the study and BaFin from spending a lot of effort to create a detailed register and thus requesting even more information from companies. Companies must therefore be prepared to provide detailed information on their contractors, right down to distant subcontractors, and potentially prepare for ‘friendly’ exploitation of vulnerabilities. Additionally, it may be recommended to prepare the PR department even more precisely for any possible breaches in order to avoid negative press coverage.