Anyone who has bought computer systems over the last 30 years has come up against the same dilemma – shall we go for a ‘best of breed’ packaged solution, or shall we build it internally, using the skills of the internal IT teams? It is the classic “Make or Buy” dilemma.

You talk about your requirements with IT. They look at the problem – it looks like a few database tables with a couple of front-end screens for data entry/update will do the job. Chuck in a couple of reports and hey - the job’s done. It won’t take more than a couple of months, tops. Surely that’s better than spending more money on what looks like an expensive solution from a vendor?

At the start of November 2017, BaFin published the Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT – BAIT, see BaFinJournal November 2017).

The BAIT have now become the cornerstone of IT supervision for all credit and financial services institutions in Germany. The requirements are directed at the management boards of such companies. They specify what BaFin considers to be adequate technical and organisational resources for IT systems, particularly in relation to the requirements for information security and suitable contingency management.