The German Federal Supervisory Authority for Finance and Insurance (BaFin) recently published a final report on a study of “the impact of changing value chains in the financial sector on IT security”.
The study examined three future scenarios based on three deliberately provocative theses and gives a small insight into BaFin’s future approach to IT security. The press release and final report are available in German.
The study and its scenarios
The University of Innsbruck, which was commissioned with the research project in 2019, proposed the following three scenarios:
- The more interfaces, the more cybercrime
- Financial market participants will focus on a few industry-specific IT service providers
- Big IT service providers will force banks to become mere carriers of regulatory risk
The scenarios alone make clear that the study is mainly concerned with the loss of control by banks that comes with market concentration, and with the corresponding risks.
The first scenario was based on the assumption that each open API enlarges the attack surface available to cybercriminals. Parallels were drawn with security flaws in HSMs (hardware security modules, i.e. hardware for protecting cryptographic keys): through the gradual expansion of functions, the interaction of these services has become unmanageable and therefore vulnerable. This would also apply to payment service providers, since these are (only) monitored individually by BaFin, while their interaction with each other may not be comprehensively assessed in all cases. Furthermore, the legal allocation of liability would in principle be suitable for disciplining market participants, but transaction costs in the form of litigation and insolvency risks would nevertheless (partially) be accepted and passed on to the controller or his/her company’s insurance, instead of dealing with the cause, i.e. the vulnerability of the interface.
The second scenario is essentially based on the assumption of a tendency throughout the IT sector to outsource structures to large IT service providers. This competitive pressure would be further increased by legal requirements for interoperability (in particular Articles 48 and 52 of the German Payment Services Supervision Act, ZAG) and would ultimately lead to IT service providers becoming systemically relevant.
The third scenario would be a logical consequence of the second: (large) IT service providers would obtain information about the business logic and customer bases of their customers. Amazon Pay and Apple Pay were cited as examples here: they act as the payment service toward customers, while the banks behind them recede into mere transaction agents.
Conclusions of the study
While the study showed that market participants surveyed rated the scenarios as not unrealistic and largely complete, it also showed that the associated risks cannot necessarily be mitigated by increased monitoring.
For example, with regard to the first scenario, the study clearly indicates that the market players agree that “new technical interfaces are not the weakest link and cybercriminals are currently succeeding with simpler methods” (referring to phishing), and that this “would be true for the foreseeable future”.
Regarding the second storyline, it was also noted that although there is strong “pressure to migrate to the cloud” within the industry, this mainly affects desktop environments and support systems, and much less the core payment services.
While the third scenario was also substantially confirmed, this was not because big tech companies learn from their customer data: according to “plausible reasoning”, “there wouldn’t be much to learn”. Rather, their future market dominance in the payments sector will stem from their sheer market power in the IT sector and the associated advantages in recruiting experts, which is why local regulation could only delay concentration, not stop it.
The researchers also noted that while high complexity makes it difficult for BaFin to fulfill its IT oversight responsibilities, the key question of whether this complexity stems exogenously from processes outside the banks’ sphere of influence (i.e. outside BaFin’s supervisory remit) or endogenously from the banks’ “strategic and technical decisions” remains “largely unanswered”.
Recommendations for action
The authors therefore make various recommendations for action to BaFin, including the first on which the regulator has already acted. These recommendations include the following four points:
- Measurements and tests of the PSD2 gateway
- Creation of an area map
- Better use of available information
- Closer cooperation with data protection authorities and competition authority
Although the authors themselves conclude that the study did not reveal any need for urgent action, they nevertheless recommend that BaFin take preventive measures against possible exploitation of the PSD2 gateway, especially where it meets the requirements of Articles 30 and 32(1) of Regulation (EU) 2018/389. This could be done through BaFin’s own “risk exercises”, i.e. by accessing the interfaces using falsified eIDAS certificates as well as genuine but revoked eIDAS certificates, or by organizing “bug bounties”, i.e. contests with impunity rules for private or third-party programmers.
According to the study, the creation of sectoral mapping would require a lot of effort on the part of companies and the supervisory authority, but would still make sense. Similar to the Digital Operational Resilience Act (DORA), a register containing detailed information should be created and should not be limited to existing service providers or two layers of detail, but should include all associated service providers. BaFin has already made initial adjustments in this regard, according to which companies should disclose more information about subcontractors and present them in a better way.
Along with this, the supervisory authority should use its “high leverage” and request more data from supervised parties so that “the increasing complexity is not worth it for market participants, for example by disproportionately increasing the burden of the monitored parties compared to that of the IT supervisor”. In addition, it should also make more use of other data sources, especially public sources such as news articles or, in the field of cryptocurrencies, publicly available ledger and blockchain data.
In time, BaFin will also work more closely with data protection authorities and the competition authority, for example via “daily communication” and a “synchronization of monitoring tasks” (which could mean large-scale coordinated audits).
If interfaces are only one of many entry points, and a cumbersome way for cybercriminals to exfiltrate data; if the migration to the cloud concerns desktop services rather than payment services; and if the market power of big tech companies cannot be prevented by local regulation anyway, then the question arises what benefit further obligations, which come with high costs for companies as well as for BaFin, are supposed to provide.
Nevertheless, this does not seem to stop the authors of the study and BaFin from putting a lot of effort into creating a detailed register, and therefore from asking companies for even more information. Organizations must therefore be prepared to provide detailed information about their contractors, down to remote contractors, and possibly prepare for “friendly” exploitation of vulnerabilities. In addition, it is advisable to prepare the PR department even more thoroughly for possible breaches in order to avoid negative media coverage.