On 16 March 2017, BaFin, Germany’s financial regulator, held its fourth information meeting on the supervision of IT for banks, with roughly 500 attendees. The press and media coverage (FAZ, Handelsblatt, Börsenzeitung) emphasised the vulnerability of bank IT systems to attacks and the need for banks to improve their IT security, whereas BaFin and the Bundesbank announced important details regarding future supervision and monitoring of bank IT, with keynote presentations on BAIT (supervisory requirements for bank IT), monitoring of IT matters in practice by banking regulators, and the implementation of the IT Security Act by means of the Federal Office for Information Security Act (BSI) and the Payment Service Directive (PSD) II.
On 21 March 2017, the expert conference “Customer identification and conclusion of contracts without media disruption” took place. The discussion focused on two topics: (1) video identification methods and (2) trust services (with a focus on qualified electronic signatures, QES), guided by the overarching question of whether video identification and QES provide viable solutions for the digital future of banks. First, the legal frameworks were presented, followed by practical examples of introducing a video identification method and, finally, an outline of application scenarios for trust services.
In August 2016, the EBA published the draft RTS for consultation and spelled out the details in a public hearing on 23 September 2016, especially regarding the points on “Use of strong customer authentication for account access (one-month discussion)” and “Using a risk-based approach as a replacement for the second factor”. On 23 February 2017, after taking account of 224 comments received from the market, the EBA published the final version of the RTS. This means that, depending on approval by the European Parliament, the RTS will come into force from November 2018 at the earliest.