
Published: 18.01.2018

IT competency among management board members: BaFin adjusts decision-making standards for appointing IT specialists as management board members

The ongoing spread of digital technology means that IT is now a matter of vital importance that affects the risk position of credit institutions and insurance undertakings. For such companies, vulnerabilities in IT security can quickly develop into existential risks. Outdated IT structures and systems as well as inefficient technological processes associated with them can substantially undermine competitiveness. In recent years, IT has therefore increasingly developed from a basic type of infrastructure for banks and insurance undertakings to an indispensable tool for new value chains.

For BaFin, ensuring that banks and insurance undertakings can effectively tackle the new challenges posed by digitalisation is a matter of pivotal importance. It is therefore adjusting its administrative practice in relation to the practical experience required by management board members. In doing so, BaFin is providing greater flexibility for the appointment of IT specialists when it comes to weighing the increasing need for specialist knowledge against the requirements on the essential professional qualifications that the management board needs in order to fulfil its collective responsibilities.

Statutory framework

The requirements relating to the suitability of management board members are set out in section 25c (1) of the German Banking Act (Kreditwesengesetz – KWG - only available in German) and section 24 (1) of the German Insurance Supervision Act (Versicherungsaufsichtsgesetz – VAG - only available in German) in abstract terms and using a variety of undefined legal concepts. These requirements are therefore subject to interpretation. They are always assessed with regard to the individual credit institution or insurance undertaking concerned and with the principle of proportionality taken into account. This means that the requirements for the management of an undertaking with a complex business model and risk profile will differ from those for an undertaking with less intricate business operations.

Note: Legislation

Section 25c (1) of the KWG
"The management board members of an institution shall have the necessary professional qualifications, be trustworthy and dedicate sufficient time to performing their functions. A prerequisite for the professional qualifications of management board members is that they have adequate theoretical and practical knowledge of the business concerned, as well as managerial experience. A person shall normally be assumed to have the necessary professional qualifications if they can demonstrate three years' managerial experience at an institution of comparable size and type of business."

Section 24 (1) sentences 1 to 3 of the VAG
"Persons who effectively run an insurance undertaking or assume responsibility for other key tasks must be fit and proper. The fitness requirement includes a requirement for professional skills and qualifications, knowledge and experience that ensures sound and prudent management of the undertaking. This includes appropriate theoretical and practical knowledge of the insurance business and, if the person concerned is to take on management responsibilities, adequate management experience."

Three components of the suitability requirement

In order to be considered suitable (or "professionally qualified"/"fit") under both the KWG and VAG, management board members have to possess the relevant theoretical knowledge, practical knowledge and management experience.

If the legal presumption set out in section 25c (1) sentence 3 of the KWG cannot be made, BaFin conducts a comprehensive individual assessment to determine whether a person is professionally qualified to be a member of the credit institution's management board. The wording of section 25c (1) sentence 2 of the KWG requires such a board member to have theoretical and practical knowledge "of the business concerned". In the case of credit institutions, this can only be reasonably understood to mean banking business as defined in section 1 (1) of the KWG. Therefore, it is not sufficient if the person only has practical experience from fields that, while essential to the credit institution's operations, do not actually constitute banking business.

Pursuant to section 24 (1) sentence 3 of the VAG, each member of an insurance undertaking's management board must possess at least appropriate theoretical and practical knowledge of the insurance business.

In order to facilitate the further development of IT know-how at management board level, the period spent gaining necessary practical banking or insurance business experience before assuming a management position may, where appropriate, be reduced to six months for individual assessments of suitability in future. If necessary, the prospective member of the management board should also use this period of at least six months to develop and expand their theoretical knowledge of banking or insurance business, as the suitability requirements must already be fulfilled when they assume their position.

This administrative practice will make it easier for credit institutions and insurance undertakings to further diversify their allocation of responsibilities by creating special IT portfolios and by appointing a management board member for the area of IT (often referred to as a "Chief Information Officer" or "CIO").

Extensive knowledge of IT

In order for such an easing of the practical experience requirements to be justified, the person responsible for the IT portfolio must be able to demonstrate extensive theoretical and practical knowledge of this field. Suitable forms of proof include, for example, evidence of relevant academic qualifications and professional experience.

BaFin plans to use its recently published Banking Supervisory Requirements for IT (Bankaufsichtliche Anforderungen an die IT – BAIT) to determine the specific experience required of management board members specialising in IT (see BaFinJournal November 2017 (only available in German)). In addition, it is currently working on a circular outlining the Insurance Supervisory Requirements for IT (Versicherungsaufsichtliche Anforderungen an die IT – VAIT).

Collective responsibility of the members of the management board

BaFin's move towards greater flexibility is nonetheless limited by the collective responsibility of the management board members and, in the case of credit institutions, by the requirements for unanimous decisions – in particular those approving large exposures and granting loans to board members pursuant to section 13 (2) and section 15 (1) of the KWG respectively. Regardless of the allocation of responsibilities, all members of the management board are, without exception, collectively responsible and are subject to the associated duties of care and statutory provisions on liability. While each member of the management board bears, first and foremost, full responsibility for their own portfolio, their collective responsibility obliges them to take action and seek remedies at the latest as soon as any indications of irregularities arise in another member's area of responsibility (principle of mutual oversight). Therefore, every member of the management board requires sufficient theoretical and practical knowledge of their company's banking or insurance activities in order to fulfil these requirements.

In the KWG, the collective responsibility of the members of the management board has the specific characteristic of being formulated as a statutorily defined overall responsibility to ensure the proper business organisation of the institution (section 25a (1) sentence 2 and section 25c (3) and (4a) of the KWG). Similarly, the management boards of insurance undertakings must collectively ensure an effective system of governance pursuant to section 23 of the VAG.

The rules concerning the principle of collective responsibility constitute a supervisory requirement that receives particular emphasis in the relevant legislation and that is rooted in company law on duties of care and liability. These rules are therefore non-negotiable. The change to BaFin's administrative practice neither relieves a management board member of their responsibilities nor mitigates their duties of care.

Collective suitability

As a result of BaFin's change to its administrative practice, the collective suitability of the management board will become a matter of greater importance.

Therefore, BaFin will be paying particular attention to whether the board as a whole is sufficiently qualified while also taking the principle of dual control into consideration. This principle means, specifically, that more than just one management board member must be competent in each of the conventional areas of banking or insurance business, as any other arrangement would not be sufficient to ensure effective mutual oversight. As a result, it is easier to envisage the appointment of a management board member who is only responsible for IT in cases where the board consists of more than three persons who, moreover, have sound knowledge of banking or insurance business.

Notification requirements

For the assessment of suitability of CIOs, banks must provide a description of the specific position together with the details and documents to be submitted pursuant to section 24 (1) no. 1 of the KWG when notifying BaFin of having made an appointment or their intent to do so. As part of this process, the relevant competencies must be specified and the schedule of responsibilities must be included.

In relevant cases, BaFin also intends to impose an additional reporting requirement on credit institutions for changes to the allocation of responsibilities.

At insurance undertakings, every appointment or departure of a management board member necessitates the submission of an up-to-date overview of the management board's allocation of responsibilities to BaFin.

Note: Joint EBA and ESMA guidelines

The growing importance of information technology and security is also having an impact at European level. At the end of September 2017, the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA) published joint guidelines on the assessment of the suitability of members of the management body and key function holders in credit institutions (see BaFinJournal October 2017 (only available in German)). BaFin contributed to the development of these guidelines. For the assessment of a person's theoretical knowledge, the range of fields of education considered relevant to the financial services sector has been expanded in comparison to the previous version from 2012, notably with the addition of information technology. Furthermore, the guidelines specifically identify information technology and security as areas in which the board must be collectively competent.

Please note

This article reflects the situation at the time of publication and will not be updated subsequently.