KWG and BaFin: Ensuring financial stability with security

Tresorit supports financial services institutions doing business in the DACH region

As digitization sweeps through the DACH region, financial services institutions (FSIs) must find secure and remote ways of complying with the reporting and auditing rules set out in the Banking Act and in BaFin regulations, building IT systems that adhere to the newest rules.

The KWG and BaFin – The what, where, and why

The Bundesanstalt für Finanzdienstleistungsaufsicht (‘Federal Financial Services Authority’), commonly referred to as BaFin, is Germany’s financial regulator and is responsible for ensuring the stability and integrity of the German financial system. Its regulatory activities are, among others, based on the Kreditwesengesetz (KWG – ‘Banking Act’), which sets out guidelines for banks operating in the country. However, BaFin’s responsibilities reach beyond banking to monitor almost all financial service providers with German locations, including banks, brokerage firms, and insurers.

Due to the German federal system, the organization oversees institutions that operate across state borders within the country; local authorities monitor providers that work within a single state. The largest banks fall under the purview of the Single Supervisory Mechanism, in other words, EU-level oversight. BaFin is tasked with regulating and monitoring activities between these two administrative levels, encompassing most financial services in the country.

What are the implications of not complying with the KWG or BaFin guidelines?

The KWG sets out several reporting and auditing requirements for banks and brokerage firms. BaFin is responsible for monitoring how firms comply with these requirements. Beyond this, BaFin may create norm-interpreting binding regulations that flesh out the technical details of provisions only controlled at a higher level in various laws.

BaFin has a range of options at its disposal to carry out its supervisory duties, including compulsory reports, audits, and pre-announced or surprise on-site visits. Companies found to be non-compliant can be disciplined in various ways.

Primarily, BaFin will work with companies to resolve any identified problems. In more severe cases, it may take official action in the form of written notices (known as ‘serious objections’), cease and desist orders, or administrative fines. In extreme events, BaFin can install caretakers to take over the management of a financial service provider or revoke operating licenses entirely.

BaFin is required to publish a list of offending institutions and disciplinary measures on its website. In May 2021, Invesco Ltd. was fined 260,000 euros, while in 2017, SKW Stahl-Metallurgie Holding AG was handed a 660,000 euro fine for administrative lapses.

How does Tresorit’s end-to-end encryption support KWG and BaFin compliance?

While it may seem that the German Banking Act/BaFin and encryption have little in common, this is not the case – after all, communicating sensitive reports and audit-related materials can pose an immense security risk in a security-driven industry.

Beyond auditing requirements, the KWG requires banks and insurers to practice risk management.

BaFin has detailed the technical specifications of these efforts (including risk management for computer systems) in MaRisk. Accordingly, “IT systems (hardware and software components) and the related IT processes have to ensure data integrity, availability, authenticity, and confidentiality.” Tresorit’s zero-knowledge, end-to-end encrypted secure cloud can support financial service providers in complying with BaFin guidance:

  • Secure storage and backup: Zero-knowledge E2EE storage offered by Tresorit ensures data remains secure at rest and in transit. All information is stored in several storage centers to avoid data loss.
  • Manage users and monitor file activity: The admin dashboard provides easy access to detailed activity reports, user management, authorized devices, team-based policies, and essential user statistics.
  • Sharing attachments using secure links: Email attachments are insecure, especially when email traffic is not encrypted. Replace attachments with links from Tresorit to ensure data security. Never lose control over your data with passwords, expiration dates, and by disabling downloads.
  • Easily integrate Tresorit into existing workflows based on Office 365: Tresorit keeps speed bumps to a minimum with its Outlook integration, allowing users to share files without leaving their email client and automatically transforming any attachments into secure Tresorit share links.

Start securing your reports now with Tresorit.