Region

Jurisdiction

Regulator

2024-01-16 | Circular 05/2023 (BA) - Minimum Requirements for Risk Management (MaRisk)

Circular 05/2023 (BA) - Annotated Minimum Requirements for Risk Management (MaRisk)

The German Federal Financial Supervisory Authority (BaFin) issued Circular 05/2023 to establish a comprehensive framework for institutional risk management under the German Banking Act. The annotated text mandates robust internal control systems, group-level risk oversight, and standardized outsourcing practices to maintain adequate capital. It further prescribes sector-specific operational procedures for credit, trading, and real estate businesses alongside rigorous stress testing, data aggregation, and contingency planning requirements.

Germany

Federal Financial Supervisory Authority Germany

Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement – MaRisk) Explanatory notes to Circular 05/2023 (BA) 29 June 2023

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 2 of 119 Contents AT 1 Preliminary remarks..................................................................................................................................................................................................................................................................................... 5 AT 2 Subject matter ............................................................................................................................................................................................................................................................................................... 8 AT 2.1 Scope ................................................................................................................................................................................................................................................................................................... 9 AT 2.2 Risks .................................................................................................................................................................................................................................................................................................. 10 AT 2.3 Business transactions ................................................................................................................................................................................................................................................................. 11 AT 3 Joint responsibility of the management board members......................................................................................................................................................................................................... 14 AT 4 General risk management requirements ......................................................................................................................................................................................................................................... 15 AT 4.1 Internal capital adequacy ......................................................................................................................................................................................................................................................... 15 AT 4.2 Strategiess ...................................................................................................................................................................................................................................................................................... 19 AT 4.3 Internal control system .............................................................................................................................................................................................................................................................. 23 AT 4.3.1 Organisational and operational structure ................................................................................................................................................................................................................ 23 AT 4.3.2 Risk management and risk control processes ........................................................................................................................................................................................................ 24 AT 4.3.3 Stress tests ............................................................................................................................................................................................................................................................................ 25 AT 4.3.4 Data management, data quality and aggregation of risk data ....................................................................................................................................................................... 27 AT 4.3.5 Use of models ..................................................................................................................................................................................................................................................................... 28 AT 4.4 Special functions .......................................................................................................................................................................................................................................................................... 30 AT 4.4.1 Risk control function ........................................................................................................................................................................................................................................................ 30 AT 4.4.2 Compliance function ........................................................................................................................................................................................................................................................ 32 AT 4.4.3 Internal audit function ..................................................................................................................................................................................................................................................... 33 AT 4.5 Risk management at group level........................................................................................................................................................................................................................................... 35 AT 5 Organisational guidelines ...................................................................................................................................................................................................................................................................... 37 AT 6 Documentation .......................................................................................................................................................................................................................................................................................... 39 AT 7 Resources ..................................................................................................................................................................................................................................................................................................... 40 AT 7.1 Staff ................................................................................................................................................................................................................................................................................................... 40 AT 7.2 Technical and organisational resources .............................................................................................................................................................................................................................. 41 AT 7.3 Contingency management....................................................................................................................................................................................................................................................... 43 AT 8 Adjustment processes ............................................................................................................................................................................................................................................................................. 45 AT 8.1 New product process ................................................................................................................................................................................................................................................................. 45 AT 8.2 Modifications of operational processes or structures................................................................................................................................................................................................... 47 AT 8.3 Mergers and acquisitions ......................................................................................................................................................................................................................................................... 48 AT 9 Outsourcing ................................................................................................................................................................................................................................................................................................. 49 BT 1 Special requirements relating to the internal control system ................................................................................................................................................................................................. 58 BTO Requirements relating to the organisational and operational structure ............................................................................................................................................................................. 59

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 3 of 119 BTO 1 Credit business .............................................................................................................................................................................................................................................................................. 62 BTO 1.1 Segregation of duties, and voting ............................................................................................................................................................................................................................... 62 BTO 1.2 Requirements relating to credit business processes ........................................................................................................................................................................................... 67 BTO 1.2.1 Granting of loans ..................................................................................................................................................................................................................................................... 72 BTO 1.2.2 Further processing of loans ................................................................................................................................................................................................................................. 74 BTO 1.2.3 Credit processing control ..................................................................................................................................................................................................................................... 76 BTO 1.2.4 Intensified loan management ............................................................................................................................................................................................................................. 76 BTO 1.2.5 Treatment of problem loans ................................................................................................................................................................................................................................ 77 BTO 1.2.6 Risk provisioning ...................................................................................................................................................................................................................................................... 79 BTO 1.3 Requirements relating to the procedure for the early detection of risks and the treatment of forbearance............................................................................... 80 BTO 1.3.1 Procedure for the early detection of risks ...................................................................................................................................................................................................... 80 BTO 1.3.2 Treatment of forbearance ..................................................................................................................................................................................................................................... 81 BTO 1.4 Risk classification procedures ....................................................................................................................................................................................................................................... 83 BTO 2 Trading ............................................................................................................................................................................................................................................................................................. 84 BTO 2.1 Segregation of duties ....................................................................................................................................................................................................................................................... 84 BTO 2.2 Requirements relating to trading processes ........................................................................................................................................................................................................... 85 BTO 2.2.1 Trading ......................................................................................................................................................................................................................................................................... 85 BTO 2.2.2 Settlement and control .......................................................................................................................................................................................................................................... 87 BTO 2.2.3 Capturing in risk control........................................................................................................................................................................................................................................ 90 BTO 3 Real estate business .................................................................................................................................................................................................................................................................... 91 BTO 3.1 Organisational structure .................................................................................................................................................................................................................................................. 91 BTO 3.2 Requirements relating to real estate business processes .................................................................................................................................................................................. 92 BTO 3.2.1 Real estate acquisition or origination .............................................................................................................................................................................................................. 93 BTO 3.2.2 Processing and monitoring .................................................................................................................................................................................................................................. 93 BTO 3.2.3 Processing controls ................................................................................................................................................................................................................................................. 94 BTR Requirements relating to risk management and risk control processes .............................................................................................................................................................................. 95 BTR 1 Counterparty risks ........................................................................................................................................................................................................................................................................ 96 BTR 2 Market risk ....................................................................................................................................................................................................................................................................................... 98 BTR 2.1 General requirements ....................................................................................................................................................................................................................................................... 98 BTR 2.2 Market risk in the trading book .................................................................................................................................................................................................................................... 99 BTR 2.3 Market risk in the banking book (including interest rate risk).......................................................................................................................................................................... 99 BTR 3 Liquidity risk .................................................................................................................................................................................................................................................................................. 102 BTR 3.1 General requirements ..................................................................................................................................................................................................................................................... 102 BTR 3.2 Additional requirements relating to capital market-oriented institutions ................................................................................................................................................. 104 BTR 4 Operational risk ........................................................................................................................................................................................................................................................................... 107

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 4 of 119 BT 2 Special requirements relating to the internal audit function ................................................................................................................................................................................................. 109 BT 2.1 Tasks of the internal audit function .................................................................................................................................................................................................................................... 109 BT 2.2 General principles relating to the internal audit function.......................................................................................................................................................................................... 110 BT 2.3 Planning and conduct of the audit .................................................................................................................................................................................................................................... 111 BT 2.4 Reporting requirement ............................................................................................................................................................................................................................................................ 112 BT 2.5 Reaction to identified findings ............................................................................................................................................................................................................................................. 114 BT 3 Risk reporting requirements ............................................................................................................................................................................................................................................................... 115 BT 3.1 General requirements relating to risk reports ................................................................................................................................................................................................................ 115 BT 3.2 Reports produced by the risk control function .............................................................................................................................................................................................................. 117

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 5 of 119 AT 1 Preliminary remarks 1 This Circular provides a flexible and practical framework for structuring institutions’ risk management on the basis of section 25a (1) of the German Banking Act (Kreditwesengesetz). Moreover, it specifies the requirements laid down in section 25a (3) of the Banking Act (risk management at group level) as well as section 25b of the Banking Act (outsourcing). Geared to maintaining internal capital adequacy, appropriate and effective risk management encompasses, in particular, defining strategies and establishing internal control mechanisms. Internal control mechanisms shall consist of an internal control system and an internal audit function. The internal control system shall comprise, in particular,

rules on the organisational and operational structure,
processes for identifying, assessing, managing, monitoring and reporting risks (risk management and risk control processes), and
a risk control function and a compliance function. Risk management creates a basis for the proper performance of the supervisory board’s (Aufsichtsorgan) monitoring functions and thus shall also include the adequate involvement of the supervisory board. Branches pursuant to section 53 of the Banking Act As there is no supervisory board for branches of enterprises domiciled outside Germany pursuant to section 53 of the Banking Act, these institutions must instead involve their corporate headquarters in an appropriate manner. 2 Furthermore, this Circular provides a qualitative framework for implementing relevant articles of Directive 2013/36/EU (Banking Directive – CRD IV) on institutions’ organisation and risk management. Pursuant to these articles, institutions shall especially have in place robust governance arrangements, effective procedures to identify, manage, monitor and report the risks they are or might be exposed to, as well as adequate internal control mechanisms. Moreover, they shall have in place effective and comprehensive procedures and methods which ensure that adequate internal capital is available to cover all material risks (Internal Capital Adequacy Assessment Process, or ICAAP). The adequacy and effectiveness of these procedures, methods and processes shall be assessed periodically by the supervisory authority pursuant to Article 97 of the Banking Directive as part of the Supervisory Review and Evaluation Process. Therefore, taking account of the principle of dual proportionality, this Circular provides the regulatory framework for qualitative supervision in Germany. With regard to the methods used for calculating the regulatory own funds stipulated

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 6 of 119 in the Banking Directive, this Circular’s requirements are designed in a neutral manner such that they can be met irrespective of the chosen method. 3 In line with the principles-based structure of the Minimum Requirements for Risk Management (MaRisk), proper application of the principle of dual proportionality by institutions also includes the demand that institutions, in individual cases, shall make more extensive provisions over and above particular requirements that are explicitly formulated in the Minimum Requirements for Risk Management if this is necessary to ensure that their risk management is appropriate and effective. Therefore, institutions which are particularly large or whose business activities are particularly complex, internationalised or exposed to risk shall make more extensive risk management arrangements than smaller institutions with less complexly structured business activities that do not incur any extraordinary risk exposure. The former institutions, on their own initiative, shall also incorporate into their considerations on an appropriate risk management structure the insights provided in the relevant publications on risk management issued by the Basel Committee on Banking Supervision and the Financial Stability Board. References to the EBA Guidelines in the MaRisk and the principle of proportionality Insofar as references are made in the MaRisk to the EBA Guidelines on loan origination and monitoring (EBA/GL/2020/06), the requirements of these Guidelines may be implemented while taking into account the proportionality criteria set out in number 16 a. – d. 4 Moreover, this Circular implements Article 16 of Directive 2014/65/EU (Markets in Financial Instruments Directive, or MiFID) by way of section 80 (1) of the German Securities Trading Act (Gesetz über den Wertpapierhandel) in conjunction with section 25a (1) of the Banking Act insofar as the Directive applies equally to credit institutions and financial services institutions. This regards the general organisational requirements pursuant to Art. 5, as well as the risk management and Internal Audit requirements pursuant to Art. 7 and 8, the requirements relative to management responsibility pursuant to Art. 9 and to outsourcings pursuant to Art. 13 and 14 of the Directive 2006/73/EC (Implementing Directive for the Markets in Financial Instruments Directive). These requirements serve to achieve the objective of the Markets in Financial Instruments Directive, namely to harmonise the financial markets in the European Union in the interests of cross-border financial services and uniform investor-protection standards. 5 This Circular gives due consideration to the diversity of institutional structures and business activities. It contains numerous opening clauses which enable simplified implementation depending on the institution’s size, core business activities and risk situation. In particular, this permits flexible implementation for smaller institutions.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 7 of 119 This Circular is open to the ongoing development of risk management processes and procedures, provided that such development is consistent with the objectives of the Circular. In this context, the Supervisory Authority will maintain an ongoing dialogue with the industry. 6 Any reference in the MaRisk to significant institutions refers to institutions that have been classified as significant within the meaning of Article 6 of Council Regulation (EU) No 1024/2013 of 15 October 2013 (“SSM Regulation”). 7 The Supervisory Authority expects audits to be in line with the flexible overall structure of the Circular. As a result, audits have to be performed based on a risk-oriented approach. 8 The Circular is modular in structure so that any necessary adaptations to individual regulatory sections can be confined to the immediate overhaul of individual modules. A general part (the AT module) contains basic principles for structuring risk management. Specific requirements regarding the organisation of the lending, trading and real estate business are laid down in a special part (the BT module). Taking account of risk concentrations, this module also outlines the requirements for identifying, assessing, managing, monitoring and reporting counterparty and credit risk, market risk, liquidity risk and operational risk. Furthermore, the BT module provides a framework for structuring institutions’ internal audit function and for structuring risk reporting.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 8 of 119 AT 2 Subject matter 1 The institutions’ compliance with this Circular’s requirements is intended to contribute to the elimination of irregularities in the banking and financial services industries which may jeopardise the security of the assets entrusted to the institutions or impair the proper conduct of banking transactions or financial services, or which may create substantial disadvantages for the economy as a whole. When performing securities services and ancillary securities services the institutions must also comply with the requirements subject to the proviso that they protect the interests of the securities service customer.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 9 of 119 AT 2.1 Scope 1 The requirements set out in this Circular shall be complied with by all institutions within the meaning of section 1 (1b) of the Banking Act as well as section 53 (1) of the Banking Act. They also apply to the foreign branches of German institutions. They do not apply to branches of enterprises domiciled in another state of the European Economic Area pursuant to section 53b of the Banking Act. The requirements laid down in module AT 4.5 of this Circular shall be observed at group level by the superordinated enterprises or by the superordinated financial conglomerate enterprises of a group of institutions, financial holding group or financial conglomerate. Scope in the case of NPL ratios of 5% or above Certain requirements set out in this Circular only apply to institutions with (gross) NPL ratios equal to or greater than 5% at an individual, sub-consolidated or consolidated basis. These requirements are flagged accordingly in the individual modules (hereinafter referred to as “institutions with high stocks of NPLs”). The supervisory authority can also require institutions that do not have NPL ratios exceeding the 5% threshold but that eg have a material share of NPEs in an individual portfolio to comply with these sections. NPL ratio (non-performing loan ratio) The non-performing loan ratio is calculated by dividing the gross carrying amount of non-performing loans and advances by the gross carrying amount of the total loans and advances (in line with the definition of NPEs). NPEs (non-performing-exposures) NPEs are defined in accordance with the definition used in supervisory reporting. 2 Financial services institutions and large investment firms pursuant to section 2 (18) of the German Investment Institutions Act (Wertpapierinstitutsgesetz), which are required by section 4 of that Act to apply sections 25a and 25b of the Banking Act, shall comply with the requirements of this Circular to the extent that this appears necessary, given the institution’s size as well as the nature, scale, complexity and riskiness of its business activities, in order to comply with the statutory duties set out in sections 25a and 25b of the Banking Act. This shall apply, in particular, to modules AT 3, AT 5, AT 7 and AT 9.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 10 of 119 AT 2.2 Risks 1 The requirements set forth in this Circular relate to the management of an institution’s material risks. In order to assess whether or not a risk is material, the management board shall, regularly and on an ad hoc basis, gain an overview of the risks faced by the institution in the context of a risk inventory, with due and explicit account being taken of the impact of ESG risks (overall risk profile). The risks shall be captured at the level of the institution as a whole irrespective of the organisational unit in which they were caused. At least the following risks shall be considered material: a) counterparty risks (including country risks), b) market price risks, c) liquidity risks and d) operational risks. The risk concentrations associated with material risks shall likewise be taken into account. Appropriate arrangements are to be implemented for risks that are not considered material. Risk concentrations Besides risk exposures to single counterparties which constitute a risk concentration on account of their size alone, risk concentrations can arise both from a co-movement of risk positions within a risk type (“intra-risk concentrations”) and from a comovement of risk positions across different risk types (due to common risk factors or interactions between various risk factors of different risk types – “inter-risk concentrations”). Taking ESG risks into account ESG risks within the meaning of this Circular are environmental, social or governance events or conditions, which if they occur may potentially have significant negative impacts on the financial position and performance of a supervised entity. ESG risks thus act as risk drivers and can have an impact on the risk types set out in number 1 a)-d) as well as other material risk types. The assessment of the impact of ESG risks must be based on various plausible scenarios that are consistent with research findings. An appropriately long time period must also be chosen. Where meaningful and possible, a quantitative assessment must also be carried out. 2 In the context of the risk inventory, the institution shall examine which risks may materially impair its financial position (including its capital resources), financial performance or liquidity position. The risk inventory should not focus exclusively on the impact on the institution’s accounting or on de jure views. Holistic risk inventory The risk inventory shall also take account of risks arising from off-balance-sheet entities (eg risks from special-purpose entities not subject to consolidation). Depending on the institution’s specific overall risk profile, other risks, such as reputational risks, should be considered material, where appropriate.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 11 of 119 AT 2.3 Business transactions 1 Credit business within the meaning of this Circular shall basically mean the transactions pursuant to section 19 (1) of the Banking Act (asset items and offbalance-sheet items subject to counterparty and credit risk). Credit business Classification as credit business applies regardless of whether or not the relevant positions are to be used for securitisations. 2 A credit decision within the meaning of this Circular shall mean any decision on new loans, loan increases, equity investments, breaches of limits, the setting of borrowerrelated limits as well as of counterparty and issuer limits, prolongations and changes in the risk-relevant circumstances on which a credit decision was based (eg collateral, designated use). It is irrelevant whether or not this decision was taken solely by the institution itself or together with other institutions (syndicated credit business). Prolongations The term “prolongations” does not distinguish between external and internal loan period extensions (e.g. internal extension of loans granted external running lines of credit). Internal “loan control reports”, which serve only to monitor the loan during its maturity, is not classed as prolongation and, as a result, is not considered to result in lending decisions within the meaning of this Circular. Interest rate adjustments Any interest rate adjustments made after interest rate lock-in periods (that do not coincide with the original maturity) have expired can be considered part of the overall loan agreement, which have been assessed before the loan is granted. This is, therefore, generally not a separate credit decision within the meaning of this Circular. Deferments of payment Payment deferments do not constitute scheduled changes to the original lending agreement. They are designed, e.g. to provide short-term bridging for the period leading up to a reorganisation, and, as a result, constitute lending decisions within the meaning of this Circular. 3 Trading shall basically mean all trades based on a financial instrument pursuant to section 1 (11) of the Banking Act taking the form of a a) money market transaction, b) securities transaction, c) foreign exchange transaction, d) transaction involving tradable receivables (eg trading in borrower’s notes), e) commodities transaction, f) derivatives transaction, or Issuing business The initial issue of securities does not generally constitute trading within the meaning of this Circular. However, the first-time purchase of newly issued securities does constitute a trade within the meaning of this Circular. A simplified procedure may be used with regard to assessment of compliance with market conditions for first-time acquisitions (see comments in BTO 2.2.2 number 5). Classification of receivables as trading transactions

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 12 of 119 g) transaction in crypto assets and which are concluded in the institution’s own name and for its own account. Securities transactions also include transactions with registered bonds and securities lending, but not the initial issue of securities. Trading transactions also include - regardless of the underlying - any form of repurchase agreement. Re d): receivables are classed as trading transactions if the institution has an intention to trade them. The institution has to establish appropriate criteria for this purpose. Commodities transactions Regarding (e): commodities transactions shall include, in particular, trading in precious metals and commodities, as well as CO2 emission trading and electricity trading. Commodities transactions that constitute matched positions for the entire duration of the transaction as a result of outright agreements to accept or deliver the commodity in question at the time of performance do not qualify as commodities transactions within the meaning of this Circular. Traditional commodities transactions conducted by mixed-activity credit cooperatives (gemischtwirtschaftliche Kreditgenossenschaften) Corresponding implementation of the requirements for trading may be appropriate for traditional commodities transactions conducted by mixed-activity credit cooperatives depending on the nature, scale and riskiness of these business activities. 4 Derivatives transactions shall include forward transactions, the price of which is derived from an underlying asset, a reference price, a reference interest rate, a reference index or a predefined event. Guarantees/bank guarantees Guarantees/bank guarantees and similar instruments are not classified as derivatives within the meaning of this Circular. 5 Real estate transactions within the meaning of this Circular are transactions with real estate conducted on an institution’s own account and carried out with one of the following intentions: a) real estate acquisition or origination for the purpose of generating income through renting/leasing, b) real estate acquisition or origination for resale purposes (e.g. building contractor business), c) real estate portfolios for the purpose of generating income through renting/leasing or resale. In addition to direct real estate transactions, real estate transactions conducted on own account by subsidiaries of the institution within the meaning of section 290 of the HGB also count as real estate transactions of the institution if the assets of the subsidiary stem solely or predominantly from real estate transactions or participations Entering into parent-subsidiary relationships Entering into a relationship with a company that results in this company becoming a subsidiary is deemed equivalent to acquisition of real estate if the assets of the subsidiary stem solely or predominantly from real estate transactions or participations in real estate transactions.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 13 of 119 in real estate transactions. Companies over which institutions may jointly exercise a controlling influence are therefore deemed equivalent to subsidiaries. Real estate transactions predominantly conducted to serve an institution’s own business operations do not count as real estate transactions within the meaning of this Circular.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 14 of 119 AT 3 Joint responsibility of the management board members 1 All members of the management board (section 1 (2) of the Banking Act) shall be responsible for ensuring an institution’s proper business organisation and the further development thereof irrespective of the internal allocation of responsibilities. Taking account of outsourced activities and processes, this responsibility shall cover all material elements of risk management. Members of the management board can fulfil this responsibility only if they are able to assess the risks, including ESG risks, and take the necessary measures to limit them. These include developing, promoting, integrating and monitoring an appropriate risk culture at all levels within the institution and the group. The members of the management board of a superordinated enterprise of a group of institutions or a financial holding group, or of a superordinated financial conglomerate enterprise shall be additionally responsible for ensuring the group’s proper business organisation and thus also for ensuring appropriate and effective risk management at group level (section 25a (3) of the Banking Act). Risk culture The risk culture refers in general to the manner in which the institution’s staff (should) deal with risks in the course of their duties. The risk culture should promote the identification and conscious handling of risks and ensure that decision-making processes lead to outcomes that are balanced also from a risk perspective. An appropriate risk culture is characterised above all by the management board’s clear commitment to risk-appropriate behaviour, strict compliance by all staff with the risk appetite communicated by the management board, the accountability of staff for their risk behaviour and the facilitation and promotion of a transparent and open dialogue on risk-related issues within the institution. The institutions must establish procedures for monitoring whether staff are complying with the risk culture (e.g. with the aid of staff self-assessments). If shortcomings in the risk culture are determined in the course of this monitoring, the institution should remedy them by applying well-considered and results-focussed measures at an early stage. 2 Irrespective of the management board’s joint responsibility for ensuring an institution’s proper business organisation and, in particular, appropriate and effective risk management, each management board member shall be responsible for ensuring that appropriate control and monitoring processes are put in place within his/her respective area of responsibility.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 15 of 119 AT 4 General risk management requirements AT 4.1 Internal capital adequacy 1 Based on their overall risk profile, institutions shall ensure that their material risks, taking account of risk concentrations, are constantly covered by available financial resources (risk coverage potential), thus maintaining internal capital adequacy. Due and explicit account must be taken of the impact of ESG risks within the meaning of AT 2.2 number 1. Aggregation of immaterial risks If a number of risks are classified individually as immaterial but are material when aggregated, the procedures used to ensure internal capital adequacy must guarantee that these aggregated risks are taken into account in an appropriate manner. 2 Each institution shall establish an Internal Capital Adequacy Assessment Process (ICAAP). The procedures used for this purpose shall take due account both of ensuring an institution’s continuation as a going concern and of protecting creditors against economic losses. These objectives must be achieved by establishing procedures to ensure internal capital adequacy firstly from a normative perspective and secondly from an economic perspective. Structuring the internal capital adequacy concepts Details of how to structure the internal capital adequacy concepts can be found in the “Guidelines on the supervisory assessment of bank-internal capital adequacy concepts”, as amended. ESG risks from a normative and economic perspective The impact of ESG risks, first of all the risks arising from environmental risks particularly as a result of climate change and the transition to a sustainable economy, must be taken into account from both a normative and an economic perspective as part of a forward-looking consideration that takes into account the accompanying uncertainties. It is not enough to focus solely on available data histories. 3 Internal capital adequacy shall be taken into account both when defining strategies (AT 4.2) and when adapting them. Furthermore, suitable risk management and risk control processes (AT 4.3.2) must be established for implementing the strategies and for ensuring internal capital adequacy. 4 Institutions shall specify any material risks that are not included in the internal capital adequacy approach. The exclusion of a material risk shall be plausibly substantiated and shall be permissible only if the risk in question cannot be meaningfully limited by means of available financial resources (risk coverage potential) owing to its specific nature (e.g. illiquidity risk). It shall be ensured that such risks are appropriately factored into the risk management and risk control processes.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 16 of 119 5 If an institution does not have any suitable methods for quantifying individual risks that are to be included in the internal capital adequacy approach, it shall set a reasonable risk amount for these risks based on a plausibility check. The plausibility check can be conducted using a qualified expert judgement. 6 If observed developments from the past are factored into the procedure for quantifying risks, and if the observation period contains solely or predominantly periods of orderly and calm market conditions, due account must also be taken of the impact of greater parameter changes in the risk quantification. Orderly and calm market conditions The assessment of whether the observation period contains solely or predominantly periods of orderly and calm market conditions encompasses a comparison between market movements during the observation period and during periods lying further in the past (if relevant, also with similar markets, e.g. real estate prices in the USA/Japan/Spain) in terms of the impact on the risk amount. 7 Where an institution factors risk-reducing diversification effects within or between risk types into its internal capital adequacy approach, the underlying assumptions shall be derived from an analysis of the institution’s individual circumstances and shall be based on data that can be considered applicable to the institution’s individual risk situation. The diversification effects shall be estimated conservatively enough to be assumed to be sufficiently stable even in economic downturns or under market conditions that are unfavourable for the institution’s business and risk structure. The reliability and stability of the diversification assumptions shall be reviewed regularly and, where appropriate, on an ad hoc basis. Stability of diversification assumptions As a rule, sufficient stability may be assumed if diversification effects are taken into account, at most, to the extent that they also apply in economic downturns or under market conditions that are extremely unfavourable for the institution. 8 The institution shall be responsible for choosing the methods and procedures for assessing internal capital adequacy. The assumptions underlying the methods and procedures shall be plausibly substantiated. The specification of key elements of the internal capital adequacy management system and major underlying assumptions shall be approved by the management board. 9 The responsible expert staff shall review the appropriateness of the methods and procedures at least once a year. These reviews shall take due account of the limits and constraints arising from the methods and procedures employed, the underlying assumptions and the input data used in quantifying the risk. In this respect, the stability and consistency of the methods and procedures, as well as the robustness and significance of the risk calculation, shall be analysed critically. Review of the methods and procedures employed The institution shall ensure that it always has a full and up-to-date overview of the risk quantification methods and procedures employed. As all risk quantification methods and procedures are incapable of fully reflecting reality, the assessment of internal capital adequacy should take due account of the fact that the risk amounts contain inaccuracies – at both individual risk and aggregate level – or may underestimate the risk.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 17 of 119 If the risk amounts calculated using comparatively simple and transparent procedures are discernibly sufficiently conservative in terms of the limits and constraints of the procedures, a deeper analysis may be waived. If the methods and procedures, the underlying assumptions, parameters, or the input data are comparatively complex, an appropriate comprehensive quantitative and qualitative validation of these components and the risk results is necessary in respect of their use. External data Parameters determined on the basis of external data and assumptions taken over uncritically from other sources shall not be used in the calculation of the risk coverage potential and the determination of risk or the aggregation of risk data. This does not apply to reviews of the accuracy of the content of publicly available market information (interest rates, market prices, yields, etc). If the assumptions regarding parameters of the risk calculation or risk coverage potential calculation are based on external data, the institution shall be able to plausibly demonstrate that the underlying data appropriately reflect the institution’s true circumstances. If risk is determined based on calculations performed by third parties (eg investment fund companies), the institutions must request robust and significant information on this, especially on key assumptions and parameters and on changes to these assumptions and parameters. 10 If the relative complexity of the methods and procedures, the underlying assumptions or the input data makes a comprehensive validation of these components necessary pursuant to number 9, an appropriate degree of independence between the development and validation of risk quantification methods and procedures shall be ensured. The material validation results and any proposals for measures to deal with the known limits and constraints of the methods and procedures shall be submitted to the management board. 11 Every institution shall have in place a process incorporated into the performance and risk management for planning its future capital requirements and the capital available to meet these capital requirements. The planning horizon shall cover a suitably long period of several years. The institution shall also take due account of how changes in its own business activities or strategic objectives and changes in the economic environment during this period impact its capital requirements and capital. Potential Consistency between operational business planning and capital planning The capital planning of the institution shall be consistent both with the institution’s operational business planning, including the strategic framework on which this is based, and its business model.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 19 of 119 AT 4.2 Strategies 1 The management board shall define an economically sustainable business strategy outlining the institution’s objectives for each material business activity and the measures to be taken to achieve these objectives. This strategic development therefore presupposes a detailed, forward-looking analysis of the business model. When defining or adjusting the business strategy, the management board shall take account of both external factors (eg market developments, the competitive situation, the regulatory environment, changed environmental conditions and transition to a sustainable economy while factoring in possible developments over an appropriately long period) and internal factors (eg internal capital adequacy, liquidity, profit situation, staffing level or technical and organisational resources). It shall make assumptions with regard to how the relevant factors will develop in future. It shall review these assumptions at least annually and on an ad hoc basis; it shall adjust the business strategy as and when necessary. Audit activities of auditors of the annual accounts or the internal audit function The substance of the business strategy is solely the responsibility of the management board and is not subject to examination in the course of audit activities by auditors of the annual accounts or the internal audit function. The business strategy is to be drawn upon when examining the risk strategy in order to verify the consistency between the two strategies. The audit activities should also cover the strategy process set out in AT 4.2 number 5. Strategic objectives and measures to achieve them The description of the strategic objectives and the measures to be taken to achieve them define the key points of operational planning and must, therefore, be sufficiently specific to enable the objectives and measures to be plausibly incorporated into operational corporate planning. Analysis of the business model With the aid of the business model analysis, the institution should assess whether its business model can be maintained over an appropriately long period of several years. To do this, it is essential that the strategic policies defined for the period concerned and the business planning derived therefrom implement the targeted business model. The institution should thus be in a position to recognise the need to adjust the business model early on and apply necessary strategic management measures. Special strategic aspects Given the significance of IT systems for the functioning of processes within an institution, the institution, depending on the nature, scale, complexity and riskiness of its business activities, must also provide statements on the planned future arrangement of its IT systems. Significant institutions are, moreover, required to provide statements on options for improving capacities for aggregating risk data. Where there are extensive outsourcing activities, specifications in this regard are also required.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 20 of 119 Institutions with high stocks of NPLs shall define an NPE strategy plus an associated operational plan, and shall review these regularly. Institutions with a portfolio of leveraged transactions shall, when determining their strategy, also comply with the EBA Guidelines on loan origination and monitoring (EBA/GL/2020/06), Section 4.3.2 (Leveraged transactions). 2 The management board shall define a risk strategy that is consistent with the business strategy and the risks resulting therefrom. The risk strategy – where appropriate divided into sub-strategies for the material risks while taking explicit and appropriate account of the impact of ESG risks – shall include the risk management objectives for the key business activities and the measures to be taken to achieve these objectives. In particular, the institution’s risk appetite levels shall be set for all material risks, taking account of risk concentrations. Risk concentrations shall also be taken into account with regard to the institution’s profit situation (profit concentrations). This requires the institution to be able to delineate its sources of income and quantify them (eg with regard to the terms and structural contribution in the interest book). Risk appetite In defining the risk appetite, the management board makes a conscious decision regarding the extent to which it is willing to take risks. The risk appetite can be expressed in many different ways. Besides purely quantitative specifications (eg strictness of risk measurement, global limits, definition of buffers for certain stress scenarios, risk indicators for ESG risks), the risk appetite can also be reflected in qualitative specifications (eg requirement for the collateralisation of loans, avoidance of certain transactions). Based on suitable risk indicators, explicit account shall also be taken of the impact of ESG risks when determining the risk appetite. 3 Institutions with high stocks of NPLs shall establish an NPE strategy aiming to reduce NPEs to a predefined target (assuming this is not the underlying business model) over a realistic but sufficiently ambitious time horizon. The following steps form the core building blocks for developing and implementing this strategy:

Assessment of the operating environment and external conditions,
Development of a strategy with short-, medium- and long-term targets, and
Implementation of the operational plan. Assessment of the operating environment and external conditions The following elements shall be taken into account: a) A comprehensive annual self-assessment to evaluate the actual situation (especially with regard to the magnitude and drivers of the NPEs, to the outcomes of NPE actions taken in the past, and to their operational capacities). The competent authority will require the institution to report the results of the selfassessment to it. b) External conditions (eg analyses of the environment to determine acceptable levels of NPEs and the associated risk coverage, NPE investor demand, the availability and coverage of specialised servicers, and the regulatory, legal and judicial framework), c) The impact of the NPE strategy on the capital (especially the inclusion of suitable actions in capital planning to ensure that the level of available capital will always enable a sustainable reduction of NPEs on the balance sheet). Development of a strategy with short-, medium- and long-term targets Development shall be based on an analysis of the strategic options available for its implementation. Institutions should consider including a combination of strategies

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 21 of 119 and action options (eg hold strategy, forbearance options, active portfolio reductions, changes in the type of exposure or collateral, foreclosures of assets, legal options). In addition, the strategy shall include time-bound quantitative NPE targets. When defining their short- to medium-term NPE targets, institutions shall establish a view of reasonable long-term NPE levels, both at portfolio level and at aggregate level, given their risk appetite. Targets shall be defined by time horizons (short-term – indicative one year – medium-term – indicative three years – and long-term), main portfolios and implementation options. Operational plan The operational plan shall define how the institution will operationally implement its NPE strategy over a time horizon of at least one to three years (depending on the type and scope of measures required). Implementation of the operational plan Progress in implementing the plan shall be reviewed quarterly using NPE-related key performance indicators (KPIs). The management board shall be informed promptly of material deviations from the operational plan, with appropriate remediation actions to be put in place. The competent authority will require the institution to report any material deviations from the operational plan to it, along with appropriate remediation actions. 4 The management board shall be responsible for defining and adjusting the strategies; this responsibility cannot be delegated. The management board shall see to it that the strategies are implemented. The level of detail of the strategies shall depend upon the scale, complexity and riskiness of the planned business activities. The institution may, at its own discretion, integrate the risk strategy into the business strategy. 5 The management board shall set up a strategy process which includes, in particular, the steps for planning, implementing, assessing and adjusting the strategies. To facilitate assessment, the objectives defined in the strategies shall be formulated in a way that allows their achievement to be meaningfully reviewed. The causes of any deviations shall be analysed.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 22 of 119 6 The strategies and, where appropriate, adjustments to the strategies shall be brought to the attention of and discussed with the institution’s supervisory board. The discussion shall also include an analysis of the causes pursuant to AT 4.2 number 5. Supervisory body committees Strategies should generally be addressed to each member of the supervisory board. If the supervisory board has set up committees, the strategies may also be passed on to and discussed with a committee. The preconditions for this are that a corresponding resolution was adopted to set up the committee and that the chair of the committee reports regularly to the entire supervisory board. Furthermore, each member of the supervisory body has still to be given the right to view the strategies passed to the committee in question. 7 The contents of and adjustments to the strategies shall be communicated within the institution in a suitable manner.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 23 of 119 AT 4.3 Internal control system 1 Depending on the nature, scale, complexity and risk content of its business activities, each institutions has to a) set up rules governing the organisational and operational structure, b) establish risk management and risk control processes, and c) implement a risk control function and a compliance function. AT 4.3.1 Organisational and operational structure 1 When designing the organisational and operational structure it shall be ensured that activities that are not compatible with each other are performed by different staff members and that conflicts of interest are avoided also when staff members change posts. If staff of trading or front office units move to back office units and control units, appropriate cooling-off periods shall be applied to activities that violate the ban on self-audit and self-review. Back office units and control units Back office units and control units within the meaning of this number are:

risk control function,
compliance function,
back office,
settlement and control. If the cooling-off periods would lead to a disproportionate delay in operating procedures, smaller, less complex institutions may establish alternative, appropriate control mechanisms. 2 Processes as well as the related tasks, competencies, responsibilities, controls and reporting channels shall be clearly defined and coordinated. Rights and competencies shall be assigned on a need-to-know basis and shall be swiftly adjusted, where necessary. This shall include regular and ad hoc reviews of IT access rights, authorities to sign and other competencies that have been assigned within appropriate periods of time. The periods of time shall depend on the significance of the processes and, in the case of IT access rights, on the protection requirements of the processed data. The same shall apply to interfaces to material outsourced activities and processes. Reviewing rights and competencies Access rights in connection with transaction accounts and material IT access rights shall be reviewed at least annually, and all others at least every three years. Especially critical IT access rights, such as those held by administrators, shall be reviewed at least every six months.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 24 of 119 AT 4.3.2 Risk management and risk control processes 1 Each institution shall establish appropriate risk management and risk control processes in order to ensure that the material risks, and explicitly the impact of ESG risks, and the associated risk concentrations, are a) identified, b) assessed, c) managed, d) monitored and communicated. These processes shall be factored into an integrated performance and risk management (Gesamtbanksteuerung). Suitable measures shall be taken to ensure that the risks and associated risk concentrations are effectively limited and monitored, taking internal capital adequacy and risk appetite into account. Limiting and monitoring of risks and associated risk concentrations Suitable measures to limit risks and associated risk concentrations can include quantitative instruments (eg limit systems, traffic-light systems) and qualitative instruments (eg regular risk analyses). Risks included in the internal capital adequacy approach are generally, where this is meaningful, limited and monitored on the basis of an effective limit system. Where risks cannot be meaningfully limited and monitored by a limit system, other, primarily qualitative instruments may be used. Intra-group claims Intra-group claims shall be duly taken into account in the risk management and risk control processes. Maintaining data on exposures and associated collateral The institution shall maintain the data needed for appropriate risk assessment, management and monitoring, and for the provision of information. This includes in particular data on collateral and on the relationship between collateral and the underlying transactions. In the lending business, the requirements of the EBA Guidelines on loan origination and monitoring (EBA/GL/2020/06), Section 8.1 (General provisions for the credit risk monitoring framework) shall be additionally complied with. Depending on the type, complexity and risk content of the lending business, a qualitative analysis is sufficient for the macroeconomic analysis required in number 248. 2 The processes for identifying, assessing, treating, monitoring and communicating risks have to ensure that material risks – including those arising from outsourced activities and processes – can be identified at an early stage, captured completely and presented in an appropriate manner. To this end, the institution shall derive suitable indicators for the early identification both of risks and of potential consequences across different types of risk, which are based on quantitative and/or qualitative risk features depending on the nature of the risk type concerned.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 25 of 119 3 Risk reports on the business situation and risk situation, including existing risk concentrations, shall be submitted to the management board at appropriate intervals. Moreover, the management board shall inform the supervisory board about the business situation and risk situation, including existing risk concentrations, at least quarterly in an appropriate written form. Details on reporting the business situation and risks to the management board and the supervisory board are set forth in BT 3. 4 Material risk-related ad hoc information shall be promptly passed on to the management board, the responsible officers and, where appropriate, to the internal audit function, so that suitable measures or audit activities can be initiated at an early stage. A suitable procedure shall be established for this purpose. Duty to provide information to Internal Audit In the event that a department identifies irregularities that are relevant from a risk point of view, ascertains that material losses have occurred, or has a concrete suspicion that irregularities have occurred, it has a duty to inform Internal Audit. 5 The risk management and risk control processes, as well as the methods and procedures used to quantify risks, shall be reviewed regularly, and in the event of changing conditions their appropriateness shall be reviewed and adjusted if necessary. This applies in particular to plausibility checks of the outcomes and of the underlying data. AT 4.1 number 9 shall apply mutatis mutandis AT 4.3.3 Stress tests 1 Appropriate regular and ad hoc stress tests shall be carried out in respect of the material risks, which shall reflect the nature, scale, complexity and riskiness of the business activities. To this end, the material risk factors pertaining to the respective risks shall be identified and due account taken of the impact of ESG risks. The stress tests shall additionally cover the assumed risk concentrations and diversification effects within and between risk types. The stress tests shall also take account of risks resulting from off-balance-sheet entities and securitisation transactions. Stress tests In the following, the term “stress tests” is used as a generic term for the various methods via which institutions examine the individual potential risk they face with regard, inter alia, to exceptional but plausible events at each relevant level of the institution (eg at portfolio level, at the firm-wide level, at business unit level). The stress test programme includes sensitivity analyses (in which generally only one risk factor is varied) and scenario analyses (in which several or all risk factors are changed simultaneously in order to simulate a predefined event). Taking ESG risks into account Due account shall be taken of the impact of ESG risks over an appropriately long period that exceeds the regular risk observation horizon. This may also be achieved by carrying out separate sensitivity analyses, for instance. The insight thus gained shall be

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 26 of 119 appropriately incorporated into the institution’s strategy and, where meaningful and possible, into the risk management and controlling processes. 2 Regular and, where appropriate, ad hoc stress tests shall also be carried out in respect of the institution’s overall risk profile. Based on the nature, scale, complexity and riskiness of the institution’s business activities, suitable overarching scenarios shall be defined which reflect both institution-specific (idiosyncratic) and market-wide causes. Their combined potential impact on the material risk types shall be captured in a way that takes account of interaction between the risk types. 3 The stress tests shall also reflect exceptional but plausible events. Appropriate historical and hypothetical scenarios shall be defined. Additionally, the stress tests shall be used to analyse the impact of a severe economic downturn on the firmwide level of the institution. The institution’s strategic orientation and its economic environment are likewise to be taken into consideration when defining the scenarios. 4 In addition, the institution shall carry out reverse stress tests. Their content and implementation shall depend on the nature, scale, complexity and riskiness of the business activities and may be of a qualitative or quantitative nature. Reverse stress tests Reverse stress tests are carried out to examine what events could jeopardise the institution’s viability. Its viability may be assumed to be jeopardised if the original business model proves to be no longer feasible or sustainable. Reverse stress tests serve to complement other stress tests. Given their approach, reverse stress tests focus on a critical evaluation of the results. The results generally do not need to be taken into account when assessing internal capital adequacy. 5 The appropriateness of the stress tests and their underlying assumptions shall be periodically reviewed, at least once a year. 6 The results of the stress tests shall be critically evaluated. Institutions shall determine whether and, if so, what action is required. The results of the stress tests shall also be duly taken into account when assessing internal capital adequacy. Particular attention shall be paid to the impact of a severe economic downturn. Need for action An identified need for action does not automatically necessitate backing the identified risks with available financial resources (risk coverage potential). Alternative measures may be suitable, such as intensifying risk monitoring, modifying the limits or adjusting the objectives of the business strategy orientation. The identified risks have to be covered by available financial resources (risk coverage potential) in cases where the stress tests are consciously used to quantify internal capital requirements.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 27 of 119 AT 4.3.4 Data management, data quality and aggregation of risk data 1 The requirements set forth in this module are addressed to significant institutions and apply both at group level and at the solo level of each material legal entity of a group. The institution shall define institution-wide and group-wide principles for data management, data quality and the aggregation of risk data that shall be approved and put into force by the management board. Implementation of the principle of proportionality The requirements of this module shall be implemented in an appropriate manner that reflects the nature, scale, complexity and riskiness of the institution’s business activities. Aggregation of risk data The term “aggregation of risk data” refers to the end-to-end process chain beginning with the collection and recording of data, then its processing, and ending with its evaluation based on certain criteria and the reporting of risk data. 2 The data structure and data hierarchy shall ensure that data can be identified unequivocally, compiled and evaluated, and that they are available in a timely manner. Where possible, uniform naming conventions and identifiers for data shall be defined and communicated within the institution. Where different naming conventions and data identifiers are in use, the institution shall ensure that data are automatically reconcilable. 3 The institution shall ensure that risk data are accurate and complete. The data must be evaluable according to different criteria and should, where possible and meaningful, be aggregated automatically. The use and scope of manual processes and interventions shall be substantiated and documented, and shall be limited to the level necessary. The quality and completeness of the data shall be monitored on the basis of suitable criteria. To this end, the institution shall formulate internal requirements relating to the accuracy and completeness of data. Evaluability according to different criteria Evaluability covers not only risk categories and risk sub-categories but also, inter alia, the categories business area, legal entity, type of asset, sector and region; further categories may be necessary depending on the risk in question. It must also be possible to carry out multi-dimensional evaluations according to combined categories in an appropriate manner. 4 The risk data shall be reconciled with other information available at the institution and subjected to plausibility checks. Procedures and processes shall be set up to reconcile the risk data with the data in the risk reports to allow data errors and weaknesses in data quality to be identified. Other information available at the institution The reconciliation and the plausibility checks of the risk data shall be carried out, for example, against data from accounting and, where appropriate, supervisory reporting. 5 The data aggregation capacities shall ensure that aggregated risk data are available in a timely manner, both under normal circumstances and in times of stress. The institution shall define the timeframe within which the aggregated risk data must be available taking into account the frequency of risk reports. Risk data in times of stress The data which must also be available in a timely manner in times of stress include:

counterparty and credit risk at firm-wide/group level,
aggregated exposure to large corporate borrowers,

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 28 of 119

counterparty risk (resulting also from derivatives) – aggregated and allocated to individual counterparties,
market risk, trading positions and operational limits and limit utilisation levels including possible concentrations,
indicators of possible liquidity risk/shortfalls,
time-critical indicators of operational risk. 6 The data aggregation capacities must be sufficiently flexible such that ad hoc information can be shown and analysed according to different categories. This includes the possibility to show and analyse risk positions at a wide range of levels (business areas, portfolios, where appropriate individual transactions). Ad hoc information according to different criteria The capability to generate and analyse the risk positions by country, sector, business area etc. must likewise be ensured for ad hoc information requirements. To the extent possible and reasonable, it should be possible to break the main categories down to the individual transaction level. 7 Responsibilities shall be defined for all steps in the risk data aggregation process and appropriate process-related controls put in place. In addition, regular reviews shall be carried out to determine whether staff are complying with the internal rules, procedures, methods and processes. These reviews shall be carried out by a unit that is independent of organisational units that initiate and/or conclude transactions. Review by an independent unit The staff tasked with the review should, as far as possible, have sufficient knowledge of the IT systems and the reporting system. AT 4.3.5 Use of models 1 The provisions of this module apply to models used for the processes regulated in this Circular. They also apply to automated models, technology-based innovation and artificial intelligence. Models A model within the meaning of this module is a quantitative method, system or approach that applies statistical or mathematical theories, techniques or assumptions in order to process input data on quantitative estimates. These include bank-internal models that form the basis for decision-making at the institution, regardless of whether the models were developed by the institution itself or by a third party (e.g. models used in the lending business particularly for the granting and processing of loans, in risk classification processes, processes for quantifying risk within the internal capital adequacy framework, stress tests, assessment models or price determination models). However, models that fall within the scope of Regulation (EU) No 575/2013 (CRR) do not belong to this group of models.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 29 of 119 Requirements that exceed the requirements of this module are set out in AT 4.1 numbers 8, 9 and 10, AT 4.3.2 number 5, AT 4.3.3 numbers 5 and 6, BTR 2.1 numbers 3 and 4, BTR 3.1 number 2. The requirements of this module are governed by the complexity of the model, its significance in risk management and the risks associated with the application of the model. This applies in particular to the requirements relating to explainability under number 6. 2 The institution is responsible for choosing the models. The underlying assumptions shall be comprehensibly substantiated. The appropriateness and suitability shall be assessed and regularly reviewed before the model is deployed. This presupposes sufficient knowledge of the model concept, particularly with regard to material assumptions and parameters as well as input data. 3 The institution shall implement suitable processes that assure the quality of the underlying data. In particular, quality weaknesses in the underlying data should be identified and corrected. 4 The institution shall set out appropriate regulations for the use of the model results. Where relevant, these shall also contain statements regarding overrides. Overrides In the case of overrides, values that deviate from the model are set by directly modifying the model input or an interim/end result. 5 The institution shall critically examine the limits and constraints arising from the models being used, the assumptions on which these are based, and the input data and shall conduct a regular validation of the models. An appropriate review shall therefore be conducted to determine whether the model results are properly handled and whether the model is accurate enough for the intended purpose. The quality of the model results, in particular the accuracy, stability and consistency of the processes, shall be regularly analysed. Recalibration Depending on the model concept, recalibrations can exert a strong influence on assumptions and weightings. When analysing accuracy, stability and consistency, an examination should therefore be made of whether recalibration leads to changes in the quality of results and, if so, which changes these are. 6 In addition to accuracy, sufficient explainability must be ensured. This applies in particular to models that display characteristics of technology-based innovation and artificial intelligence. Explainability Models are considered explainable if interdependencies can be shown between input and output parameters.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 30 of 119 AT 4.4 Special functions AT 4.4.1 Risk control function 1 Each institution shall have an independent risk control function in place which is responsible for appropriately monitoring and reporting the material risks, taking due account of the impact of ESG risks. The risk control function shall be segregated organisationally, up to and including the management board level, from the organisational units that are responsible for initiating and/or concluding transactions. Separation of functions This is without prejudice to the special requirements regarding the segregation of duties set forth in BTO. Initiating and concluding transactions The units which initiate and/or conclude transactions include front office, trading as well as other units which are responsible for positions (eg treasury). As a general rule, this includes units which initiate and conclude non-risk-relevant credit business. In the case of institutions with no more than three management board members, the organisational segregation of the front office for non-risk-relevant credit business from the risk control function up to directly below the management board level shall generally suffice if there are no discernible conflicts of interest and the management board member in question has no concentration of responsibilities. 2 In particular, the risk control function shall perform the following tasks:

supporting the management board in all risk policy issues, in particular in developing and implementing the risk strategy and evolving a risk limitation system,
carrying out the risk inventory and drawing up the overall risk profile,
supporting the management board in developing and improving the risk management and risk control processes,
developing and improving a system of risk ratios and a procedure for the early detection of risks,
monitoring the institution’s risk situation and internal capital adequacy as well as compliance with the risk limits in place on an ongoing basis,
drawing up the regular risk reports for the management board,
assuming responsibility for the processes for passing on material risk-related ad hoc information promptly to the management board, the responsible officers and, where applicable, the internal audit function. NPE-related requirements to be met by the risk control function In the case of institutions with high stocks of NPLs, the risk control function monitors and measures the NPE-related risks and the progress made towards reaching the NPE targets on a granular and aggregate basis, using NPE-related key performance indicators (KPIs). These KPIs should include, but not necessarily be limited to, the following: a) NPE metrics, b) borrower engagement and cash collection, c) forbearance activities; d) liquidation activities, and e) other (eg NPE-related profit and loss items, foreclosed assets, outsourcing activities). The impact on both internal and regulatory capital requirements shall also be taken into account.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 31 of 119 The risk control function can employ other non-front-office units and the information provided by these to perform these tasks, provided that it performs plausibility checks on it. 3 Staff of the risk control function shall be granted all necessary powers and unrestricted access to all information needed to perform their tasks. In particular, this shall include unrestricted access at all times to the institution’s risk data. 4 The head of the risk control function shall be involved in important risk policy decisions of the management board. This task shall be assigned to an individual on a sufficiently high management level. This individual shall generally perform his/her tasks exclusively, depending on the institution’s size as well as the nature, scale, complexity and riskiness of its business activities. Exclusive performance of the tasks of head of the risk control function The exclusive performance of the tasks of head of the risk control function generally means the exclusive performance of risk control tasks directly below management board level (2nd level). This includes a clear organisational segregation of the risk control function from the back office up to directly below management board level. In the case of institutions with no more than three management board members, the risk control function and the back office function may be placed under combined management of the 2nd level, and this management may also be granted voting powers and powers of approval as long as this does not result in any discernible material conflicts of interest and this management neither initiates transactions nor is involved in customer relationship. Furthermore, in the case of such institutions, the tasks of head of the risk control function may also be assigned to the 3rd level as long as there is a direct reporting line to the management board level. With regard to the segregation of the risk control function at legally dependent foreign branches, BTO number 3 explanation 1 shall apply mutatis mutandis. 5 In the case of significant institutions and institutions under section 2 (9i) sentence 2 of the KWG that exceed the balance sheet threshold defined in sentence 2 of this provision, the exclusive performance of the tasks as head of the risk control function shall, in general, be carried out by a member of the management board. This person shall also be permitted to be responsible for the back office as long as there is a clear organisational segregation of the risk control function and back office up to below management board level. The said member of the management board shall not be permitted to be responsible for finance/accounting or for organisation/IT. Exceptions to this rule shall be possible only at deputy level. Implementation of the principle of proportionality Implementation of these requirements in line with the principle of proportionality shall comply with number 201 and Title I of EBA/GL/2021/05. 6 The supervisory board shall be notified beforehand in due time if the head of the risk control function is replaced, stating the reasons for the replacement.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 32 of 119 AT 4.4.2 Compliance function 1 Each institution shall have a compliance function in place in order to counteract the risks that may arise from non-compliance with legal rules and regulations. The compliance function shall ensure the implementation of effective procedures for complying with the legal rules and regulations that are material to the institution, and of corresponding controls. The compliance function shall additionally support and advise the management board with regard to complying with these legal rules and regulations. Responsibility of the management board members and the business units Notwithstanding the duties of the compliance function, the management board members and the business units remain fully responsible for complying with legal rules and regulations. Relevance of other supervisory requirements This is without prejudice to all other compliance function requirements arising from other prudential supervisory legislation (in particular, section 80 (1) of the Securities Trading Act and Article 22 of Delegated Regulation (EU) 2017/565 in conjunction with Circular 4/2010 (WA) – Minimum Requirements for the Compliance Function and Additional Requirements Governing Rules of Conduct, Organisation and Transparency pursuant to sections 31 et seq of the Securities Trading Act for Investment Services Enterprises; section 25h of the Banking Act in conjunction with corresponding administrative provisions). 2 The compliance function shall regularly identify the material legal rules and regulations, non-compliance with which might jeopardise the institution's assets, in the light of risk factors. 3 The compliance function shall be directly subordinate to and report to the management board. It shall also be permitted to be linked to other control units as long as there is a direct reporting line to the management board. The compliance function shall also be permitted to be assisted by other functions and units in the performance of its duties. Depending on the nature, scale, complexity and riskiness of the business activities, the compliance function shall be assigned to a unit that is independent of the front office and trading. Link to other control units Other control units may be, for example, the risk control function or the anti-money laundering officer, but not the internal audit function. 4 Significant institutions and institutions under section 2 (9i) sentence 2 of the KWG that exceed the balance sheet threshold defined in sentence 2 of this provision, shall set up an independent organisational unit for the compliance function. Independent compliance unit The proportionality criteria shall comply with the information set out in number 206 and Title I of EBA/GL/2021/05. Other compliance-related control units (eg Securities Trading Act compliance, anti-money laundering officer, information security officer, data protection) may also be assigned to the independent unit for the compliance function.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 33 of 119 5 The institution shall appoint a compliance officer who is responsible for carrying out the compliance function tasks. Depending on the nature, scale, complexity and riskiness of the business activities as well as on the institution’s size, the compliance officer may in exceptional cases be a member of the management board. 6 Compliance function staff shall be granted sufficient powers and unrestricted access to all information needed to perform their tasks. They shall be notified of instructions and decisions of the management board that are material to the compliance function. The compliance function staff shall be notified in due time of material amendments of the rules that are intended to ensure compliance with the material legal rules and regulations. 7 The compliance function shall report to the management board on its activities at least once a year and on an ad hoc basis. Such reports shall address the appropriateness and effectiveness of the rules that are intended to ensure compliance with the material legal rules and regulations. The reports shall also cover information on potential deficits and on remedial measures. These reports shall be additionally passed on to the supervisory board and the internal audit function. Supervisory body committees As a general principle, reports should be addressed to all members of the supervisory board. To the extent that the supervisory body has formed committees, the communication of information can also be limited to one particular committee. This is subject to the prerequisite that a corresponding resolution has been passed on the establishment of the committee, and that the chairperson of the committee makes a report to the entire supervisory body on a regular basis. Furthermore, each member of the supervisory body still has to be given the right to view the risk reports passed to the committee in question. 8 The supervisory board shall be notified beforehand in due time if the compliance officer is replaced, stating the reasons for the replacement. AT 4.4.3 Internal audit function 1 Each institution must have a functioning Internal Audit in place. In the case of institutions for which for reasons of size it would be disproportionate to establish an audit department, the internal audit functions may be carried out by a manager. 2 The Internal Audit as an instrument of the management is under its direct control and has to report to the management. It can also be subject to the direct control of one individual member of the management, who should, if possible, be the Obtaining of information by the chair of the supervisory board

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 34 of 119 chairperson. Notwithstanding this, it shall be ensured that the chair of the supervisory board is able, with the involvement of the management board, to obtain information from the head of the internal audit function directly. If the institution has established an audit committee, it may alternatively be ensured that the chair of the audit committee obtains information from the head of the internal audit function. 3 The Internal Audit has to examine and assess, in a manner which is risk-focused and independent of individual processes, the effectiveness and appropriateness of the “risk management in general”, and the internal control system in particular, as well as the extent to which all activities and processes comply with the appropriate regulations regardless of whether these are outsourced or not. This shall be without prejudice to BT 2.1 number 3. 4 For the performance of their duties, internal auditors have to be given complete and unrestricted information rights. This right has to be ensured at all times. To this end, the internal audit function shall be promptly provided with the necessary information and access to the necessary documentation, and be given insight into the institution’s activities and processes as well as its IT systems. 5 The internal audit function shall be notified of instructions and decisions of the management board that may be of relevance to it. Significant changes in risk management have to be communicated to the auditors in a timely manner. 6 The supervisory board shall be notified beforehand in due time if the head of the internal audit function is replaced, stating the reasons for the replacement.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 35 of 119 AT 4.5 Risk management at group level 1 Pursuant to section 25a (3) of the Banking Act, the management board members of the superordinated enterprise of a group of institutions or a financing holding group as well as the management board members of the superordinated financial conglomerate enterprise of a financial conglomerate shall be responsible for establishing appropriate and effective risk management at group level. Risk management at group level shall include all the group’s material risks, whether or not they are caused by enterprises subject to consolidation (eg risks arising from specialpurpose vehicles not subject to consolidation). The methods and procedures applied (eg IT systems) shall not hamper the effectiveness of risk management at group level. Special criteria may apply to risk management at group level resulting from specific legal regulations, such as those applying to building and loan associations (Bausparkassen) regarding the treasury risk management of their collective savings and loans (Kollektivsteuerung) or to Pfandbrief banks. Structure of risk management at group level The specific structure of risk management at group level depends, in particular, on the nature, scale, complexity and riskiness of the group’s business activities as well as on the available options under company law. Focus on material risks Risk management at group level comprises all material risks taking due account of the impact of ESG risks. Thus, for example, subordinated enterprises whose risks are not considered material by the superordinated enterprise may be exempted from the risk management requirements at group level. This does not apply if the aggregated risks of all those subordinated enterprises with immaterial risks are considered material in an overall view. Reference to AT 9 Outsourcing The requirements of module AT 9 must be complied with at both individual institution and group level. The superordinated enterprise is responsible for ensuring compliance at group level. AT 9 number 15 shall apply notwithstanding. 2 The management board of the superordinated enterprise shall decide on a business strategy and a consistent risk strategy (group-wide strategies). The strategic orientation of the group enterprises shall be aligned with the group-wide strategies. The management board of the superordinated enterprise shall ensure that the group-wide strategies are implemented. 3 Based on the group’s overall risk profile, the superordinated enterprise shall establish an ICAAP at group level (AT 4.1 number 2). The group’s internal capital adequacy shall be maintained on an ongoing basis. 4 Appropriate workflow patterns shall be established at group level, ie processes, along with the related tasks, competencies, responsibilities, controls and reporting channels within the group, shall be clearly defined and coordinated. Timely reporting to the management board of the superordinated enterprise shall be ensured.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 36 of 119 5 The superordinated enterprise shall establish appropriate risk management and risk control processes integrating the group enterprises. Appropriate stress tests in respect of material risks at group level shall be carried out regularly. To this end, the material risk factors pertaining to the respective risks shall be identified and explicit account taken of the impact of ESG risks. Regular and, where appropriate, ad hoc stress tests shall also be carried out in respect of the overall risk profile at group level. The superordinated enterprise shall obtain information about the risk situation of the group at appropriate intervals. 6 As part of risk management at group level, the group internal audit function shall operate complementarily to the internal audit functions of the group enterprises. To this end, the group internal audit function shall also be permitted to consider findings of the internal audit functions of the group enterprises. It shall be ensured that the same auditing principles and standards apply to the group internal audit function and the internal audit functions of the group enterprises, and that comparability of the audit findings is assured. Furthermore, audit plans and the procedures to monitor the punctual remedying of findings shall be coordinated. The group internal audit function shall report to the management board and the supervisory board of the superordinated enterprise on its activities at group level at appropriate intervals, at least quarterly, analogously to BT 2.4 number 4.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 37 of 119 AT 5 Organisational guidelines 1 The institution has to ensure that its business activities are conducted on the bases of organisational guidelines (e.g. manuals, work documentation or workflow procedures). The level of complexity of the organisational guidelines depends on the nature, scale, complexity and risk content of the business activities in question. Presentation of the organisational guidelines The main issue with regard to the presentation of the organisational guidelines is that they are appropriate and presented in a manner which is clear to the employees of the institution. The specific manner in which the guidelines are presented remains at the discretion of the institution. 2 The organisational guidelines shall be set down in writing and communicated to the staff members concerned in a suitable manner. Care has to be taken to ensure that the latest version of these guidelines is available to these staff members. The guidelines have to be amended to reflect any changes in the institutions’ activities and processes as soon as possible. 3 Most importantly, the organisational guidelines shall contain the following information: a) rules governing the organisational and operational structure as well as the allocation of tasks, the assignment of competencies, and responsibilities, b) rules governing the organisation of the risk management and risk control processes, c) rules governing the procedures, methods and processes for risk data aggregation (in the case of significant institutions), d) rules for the Internal Audit, e) rules which ensure observation of legal rules and regulations (eg data protection, compliance), f) rules governing procedures for outsourced activities and processes, g) depending on the size of the institution and the nature, scale, complexity and riskiness of the business activities, a code of conduct for the staff. The organisation guidelines must also include rules for taking due account of the impact of ESG risks. Rules governing outsourcing procedures The rules governing outsourcing procedures shall include the main phases of the life cycle of outsourcing arrangements and define the relevant principles, responsibilities and processes. The rules governing outsourcing procedures should ensure that the external service provider acts in a manner consistent with the outsourcing institution’s values and code of conduct. 4 The organisational guidelines have to enable the Internal Audit to conduct an audit.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 38 of 119

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 39 of 119 AT 6 Documentation 1 Business, control and monitoring documentation shall be systematical and written in a manner that is readily comprehensible for expert third parties and shall generally be saved for five years. The timeliness and completeness of recording has to be ensured. 2 Any material actions and decisions that are relevant for compliance with this Circular have to be documented in a clear manner. This shall include provisions governing the use of material opening clauses, which shall be substantiated where appropriate.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 40 of 119 AT 7 Resources AT 7.1 Staff 1 The staffing of the institution has to be based, in both quantitative and qualitative terms, on the institution’s internal operational needs, business activities and risk situation. This shall also apply to the use of temporary staff. 2 Staff members and their deputies shall possess the expertise and experience needed for their tasks, competencies and responsibilities and be familiar with the values and risk expectations of the institution. Suitable measures have to be taken to ensure that the employees have the appropriate qualifications. Qualification requirements for special functions The head of the risk control function and the head of the internal audit function as well as the compliance officer shall possess special professional and personal qualifications corresponding to their particular duties. 3 Employee absence, or resignation from the institution, should not result in any longterm impairment of operations.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 41 of 119 AT 7.2 Technical and organisational resources 1 The scope and quality of the institution’s technical facilities and related processes have to be based, in particular, on the institution’s operational needs, business activities and risk situation. 2 The IT systems (hardware and software components), the related IT processes and other elements of the information domain shall ensure the integrity, availability, authenticity and confidentiality of the data. To this end, generally established standards shall apply to the arrangement of the IT systems and related IT processes; in particular, processes shall be established for appropriately allocating IT access rights to ensure that staff have only those rights that they need to perform their particular tasks; IT access rights may be collated in a role model. The suitability of the IT systems and related processes shall be regularly reviewed by the responsible organisational unit staff and IT staff. Information domain An information domain includes, for example, business-relevant information, business and support processes, IT systems and related IT processes, and network and building infrastructures. Standards for IT systems design Such standards include, for example, the IT Grundschutz issued by the Federal Office for Information Security (BSI) and the ISO/IEC 270XX international security standards developed by the International Organization for Standardization. The adherence to established standards does not mean that standard hardware or software must be used. In-house solutions are generally equally permissible. IT access rights The IT access rights allocated to staff should not conflict with their assignment to a particular organisational unit. It should be ensured that, especially when granting access rights in conjunction with role models, the segregation of duties is observed and conflicts of interest are avoided. 3 The IT systems shall be tested before their first use and after any material changes and approved by both the responsible organisational unit staff and IT staff. To this end, a standard process of development, testing, approval and implementation in the production processes shall be established. The production and testing environments shall be segregated. Changes to IT systems The assessment of the materiality of changes shall be based not on the extent of changes but on the impact they may have on the functioning of the IT system concerned. Approval by IT staff and organisational unit staff The approval process carried out by the staff of the organisational unit and IT staff should focus on the suitability and appropriateness of the IT systems for the institution’s specific situation. Third-party certifications may be taken into account in the approval process but cannot substitute it entirely.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 42 of 119 4 In the case of IT risks, appropriate monitoring and management processes shall be set up, comprising, in particular, specification of IT risk criteria, identification of IT risks, determination of the required level of protection, derivation of protective measures for IT operations and specification of corresponding measures for risk handling and mitigation. For software procurement, the associated risks shall be appropriately assessed. 5 The requirements of AT 7.2 shall also be observed when using applications developed or run by staff belonging to the organisational units (end-user computing, EUC), in line with the criticality of the business processes supported and the importance of the applications for these processes. Measures to safeguard data security shall be tailored to the protection requirements of the processed data.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 43 of 119 AT 7.3 Contingency management 1 The institution shall define business continuity management objectives and establish a business continuity management process on this basis. Arrangements shall be made for emergency situations in time-critical activities and processes (contingency plan). The measures set forth in the contingency plan have to aim at reducing the scale of any possible impact. The contingency plan must be updated on an ad hoc basis, reviewed annually to ensure that it is up to date, and communicated appropriately. The management board shall require written status reports on contingency management to be submitted to it at least quarterly and on an ad hoc basis.. Time-critical activities and processes The term “time-critical” applies to activities and processes whose impairment for defined periods is expected to lead to damage to the institution that can no longer be considered acceptable. The institution shall perform business impact analyses and risk impact analyses to identify time-critical activities and processes, supporting activities and processes, the IT systems needed for this plus other necessary resources, and potential threats. These shall be based on an overview of all activities and processes that can take the form of a process map, for example. Business impact analyses Business impact analyses examine the consequences for business operations of impairments of activities and processes over different periods. They should take due account of the following aspects, among other things:

The nature and scale of the (non-)material losses,
The point in time at which the failure occurs. Risk impact analyses Risk impact analyses are used to identify and assess potential threats to the identified time-critical activities and processes that could lead to the impairment of these timecritical activities and processes. 2 The contingency plan shall include business continuity and recovery plans. Business continuity plans shall ensure that back-up solutions are available promptly in emergencies. Recovery plans shall ensure that normal operations can be resumed within an appropriate time frame. Appropriate internal and external communication shall be ensured during emergencies. In the event that time-critical activities and processes are outsourced, the outsourcing institution and the external service provider shall have in place coordinated contingency plans. Contingency plan The contingency plan sets out responsibilities, objectives and measures for continuing or restoring time-critical activities and processes, plus classification criteria and criteria for triggering the plans. Contingency scenarios The following scenarios at a minimum shall be considered:
Partial or total site failures (eg as a result of flooding, major fires, closures of specific areas, or access control failures)

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 44 of 119

Substantial failures of IT systems or of the communications infrastructure (eg due to errors or attacks)
The non-availability of a critical number of staff (eg in the case of a pandemic, food poisoning, or strikes)
Service provider outages (eg suppliers, utilities) 3 The effectiveness and appropriateness of the contingency plan shall be reviewed regularly. For time-critical activities and processes, this shall be demonstrated at least once a year and on an event-driven basis for all relevant scenarios. Reviews of the contingency plan must be documented. The results shall be analysed to establish any necessary improvements. Risks shall be managed appropriately. The results shall be communicated in writing to the persons responsible in each case. Reviews of the contingency plan The frequency and scale of reviews should be based on the threat landscape. Service providers shall be integrated appropriately. Among other things, reviews include:
Testing the technical precautions
Communications, crisis management team and alarm exercises
Simulation exercises or full-scale exercises.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 45 of 119 AT 8 Adjustment processes AT 8.1 New product process 1 Each institution shall have a sound understanding of the business activities it conducts. A plan has to be drawn up prior to commencing business activities that relate to new products or markets (including new distribution channels). The strategic plan shall be based on the analysis of the riskiness of these new business activities and their impact on the overall risk profile. It has to describe the main consequences of the new activities on risk management. Content of the plan The consequences outlined in the strategic plan should include those relating to organisation, staffing, necessary modifications to the IT systems and the methods of assessing the associated risks as well as any legal implications (in accounting law, tax law etc) where they are of material importance. 2 The institution shall maintain a catalogue of the products and markets that the business activities will involve. It shall check at suitable intervals whether the products are still in use. Products that the business activity has not involved for an extended period of time shall be flagged. This shall not relate to the run-down of positions. The run-off or continued management of exposures in the portfolio shall not constitute product use. Before business activities involving flagged products are resumed, confirmation of the continued existence of the business processes in place at the time of the last transaction shall be obtained from the organisational units involved in the operational processes. If changes have occurred, a check shall be carried out to determine whether the new product process needs to be followed again. 3 An organisational unit that is segregated from the front office or trading shall be involved in deciding whether business activities involve new products or new markets. 4 As far as trading activities are concerned, a test phase has to, as a general rule, be introduced before continuous trading in the new product or on the new market commences. During the test phase, trading has to be limited to a manageable scale. The institution shall ensure that it does not commence regular trading until after the test phase has been successfully completed and suitable risk management and risk control processes are in place. Lending transactions and test phase For lending transactions, drafting of the plan may be reduced to a test phase if warranted by the complexity of the new product or business. One-off transactions A test phase need not be applied to one-off transactions. 5 The organisational units which will be involved in the operations of the new business at a later stage have to participate in the drafting of the plan and in the test phase.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 46 of 119 The risk control function, the compliance function and the internal audit function shall also be involved within the scope of their duties. 6 The plan and the commencement of ongoing business activities have to be approved by the responsible managers, in cooperation with the managers responsible for monitoring the activities in question. These approval processes can be delegated, provided that clear guidelines are in place and that the management is informed of the decisions as soon as possible. 7 The drafting of a strategic plan pursuant to number 1 and the provision of a test phase pursuant to number 4 are not required if the organisational units involved in the operational processes consider that activities involving a new product or a new market can be properly managed. 8 If the new product process frequently reveals cases in which

the assumptions made in the strategic plans and the related analyses of the riskiness of the activities involving new products or new markets were essentially incorrect, or
the consequences drawn in the strategic plans and from the test phases were essentially incorrect, or
considerations pursuant to number 7 that activities involving new products or new markets can be properly managed have proved incorrect, the new product process shall be carried out on an ad hoc basis. The process shall be promptly adjusted if any shortcomings are identified.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 47 of 119 AT 8.2 Modifications of operational processes or structures 1 Before material modifications are made to the organisational and operational structure or the IT systems, the institution shall analyse the impact of the planned modifications on the control mechanisms and control intensity. The organisational units that will subsequently be involved in the operational processes shall be involved in these analyses. The risk control function, the compliance function and the internal audit function shall also be involved within the scope of their duties.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 48 of 119 AT 8.3 Mergers and acquisitions 1 Prior to an acquisition of or a merger with other enterprises, the institution shall draw up a strategic plan that sets out the material strategic objectives, the prospective main implications for risk management and the material impact on the overall risk profile of the institution or group. This shall include the planned medium-term development of the financial position and financial performance (Vermögens-, Finanz- und Ertragslage), the prospective level of the risk positions, the necessary adjustments to the risk management and risk control processes and the IT systems (including the data aggregation capacities), and an outline of any material legal implications (in accounting law, tax law etc).

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 49 of 119 AT 9 Outsourcing 1 Outsourcing is deemed to exist when another company is commissioned to carry out activities or processes in connection with the execution of banking transactions, financial services or other typical services that would otherwise be performed by the institution itself. Arrangements and agreements made under civil law cannot negate a possible outsourcing a priori. Procurement of other external services The procurement of other external services is not to be qualified as outsourcing within the scope of this Circular. To start with, the procurement of other external services includes the non-recurrent or occasional procurement of outside goods and services. It also includes services that are usually provided by a supervised enterprise and which, owing to actual circumstances or legal provisions, the institution itself is normally unable to provide either at the time of external procurement or in the future. These include, for example,

The use of central banking functions (within a network of affiliated financial institutions) or clearing houses in the context of payment transactions and securities settlement,
Recourse to liquidity lines,
The involvement of correspondent banks,
The use of safe custody services for assets in accordance with the German Safe Custody Act (Depotgesetz),
The use of publicly available data (including fee-based data) from market information providers (eg publicly available data from rating agencies that were not specifically generated/processed for the institution),
The use of global payments infrastructures (eg card payment procedures),
The use of global financial messaging structures that are subject to oversight by competent authorities, and
The acquisition of services such as the provision of a legal opinion, representation in front of the court and administrative bodies, and utility services. The relevant provisions of section 25b of the Banking Act will normally not apply given the particular risks associated with such collaborations. Nonetheless, the institution must still comply with the general requirements relating to a proper business organisation pursuant to section 25a (1) of the Banking Act in the case of other external procurement of services. As a rule, isolated software procurement shall generally be considered other external procurement. This shall also include, inter alia, the following support services:

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 50 of 119

adapting software to a credit institution's requirements,
development-based implementation of requested changes (programming),
testing, approving and integrating software into the production processes when it is used for the first time and when major changes are made, especially to programming specifications,
resolving errors (maintenance) in accordance with the description of requirements/errors of the client or vendor,
other support services beyond pure consultation. This shall not apply to software used to identify, assess, manage, monitor or report risks or which is of material importance for the conduct of banking tasks; support services for these types of software shall be classified as outsourcing. The same criteria apply to the operation of software by an external third party. Other services typical of the institution The reference to other usual services takes into account Article 13 (5) sentence 1 of the Markets in Financial Instruments Directive insofar as that article relates to the outsourcing of operational functions which are critical for the provision of continuous and satisfactory service to clients and the performance of investment activities. Other usual services of an institution can also include, for example, the ancillary services listed in Annex I Section B of the Markets in Financial Instruments Directive. 2 The institution shall perform a risk analysis to assess the risks associated with outsourcing. Based on this risk analysis, it must determine independently which outsourced activities and processes are important from a risk perspective (“important outsourced activities and processes”). It shall conduct both regular and ad hoc analyses based on framework requirements that apply uniformly to the whole institution or whole group. The results of the risk analysis shall be taken into account when managing outsourcing and in risk management. The main organisational units are to be involved in the preparation of the risk analysis. Internal Audit also has to be involved within the framework of its duties. Risk analysis The risk analysis shall take due account of all aspects of outsourcing that are relevant to the institution (eg the important outsourcing risks, including potential risk concentrations (multiple outsourcing arrangements/outsourcing contracts with the same external service provider, among other things), risks arising from suboutsourcing, political risk, ESG risks, measures to manage and mitigate risk, the suitability of the external service provider, potential conflicts of interest, the protection requirements for the data transferred to the external service provider, and costs), whereby the intensity of the analysis shall depend on the nature, scale, complexity and riskiness of the outsourced activities and processes. In particular, the risk analysis must consider the extent to which an activity or process that is to be outsourced must be classified as an important part of the institution’s process landscape. In the case of outsourcing with significant consequences – such as the complete or partial outsourcing of the risk control, compliance or internal audit special functions or of core bank units – the institution must intensively consider

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 51 of 119 whether and how it can ensure that the outsourced activities and processes can be integrated into its risk management. The risk analysis shall be supplemented by a scenario analysis to the extent that this is advisable and proportionate. Where available, internal and external loss data shall be used in the scenario analysis. Small, less complex institutions may use qualitative approaches to risk analysis. 3 Outsourced activities and processes that are not regarded as material in terms of risk shall be subject to the general requirements relating to a proper business organisation pursuant to section 25a (1) of the Banking Act. 4 In general, activities and processes can be outsourced provided that the proper business organisation pursuant to section 25a (1) of the Banking Act is not impaired. Outsourcing may not lead to the delegation of management responsibility to the external service provider. Management functions may not be outsourced. Special criteria for outsourcing arrangements arise from the complete or partial outsourcing of the special functions risk control function, compliance function and internal audit function. Special criteria may also arise from specific legal regulations (eg regulations that apply to building and loan associations regarding the treasury risk management of their collective savings and loans or that apply to Pfandbrief banks regarding the management of the collateral register (Deckungsregisterführung) and the coverage calculation (Deckungsrechnung). Outsourcing may not lead to an institution becoming merely an “empty shell”. Management functions The management functions which cannot be outsourced include corporate planning, coordination, controlling and managerial appointments. They also comprise tasks which are explicitly assigned to the management board through legislation or other regulations (eg deciding on large exposures pursuant to section 13 of the Banking Act or defining strategies). Management tasks should be distinguished from functions or organisational units which the management board uses to perform its management tasks (especially the risk control function, compliance function and internal audit function). These can be delegated either internally or – under the conditions set out in number 5 – externally through outsourcing. External service provider’s authority to perform its services The institution shall ensure that the external service provider is authorised under the laws of its home country to perform the outsourced activities and processes, and that it is in possession of any necessary permits and registrations for this. In addition, where activities and processes are outsourced to undertakings domiciled outside the European Economic Area (EEA), the institution shall, to the extent these relate to outsourced activities or processes in conjunction with banking business the scale of which would, in Germany, require the approval of, or registration with, the competent supervisory authority, ensure that the external service provider is supervised by the competent supervisory authorities in the third country concerned and that a corresponding cooperation agreement, eg in the form of a memorandum of understanding or a College agreement, exists between the competent supervisory

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 52 of 119 authorities responsible for supervising the institution and the competent supervisory authorities responsible for supervising the external service provider. 5 Activities and processes in control units and core bank units may be outsourced in compliance with the requirements set out in number 4 to a degree that ensures that the institution retains the expertise and experience needed to ensure the effective monitoring of services carried out by external service providers. It shall be ensured that, if necessary – should the outsourcing arrangement be terminated or the group structure change – the institution can maintain properly functioning operations in these units. Complete outsourcing of the risk control, compliance or internal audit special functions is only permissible for subsidiary institutions within a group of institutions to the extent that the outsourcing institution can be considered as not being significant in terms of its size and complexity and the riskiness of its business activities for the domestic financial sector, or in terms of its importance within the group.. The same shall apply to groups in which the parent enterprise is not an institution and is domiciled in Germany. Furthermore, the complete outsourcing of the compliance function or of the internal audit function is solely permissible at small institutions insofar as the internal establishment of these functions would appear inappropriate given the institution’s size and the nature, scale, complexity and riskiness of its business activities. 6 In the case of material outsourced activities and processes, the institution, in the event of an intended or expected termination of the outsourcing arrangement, shall take safeguards to ensure the continuity and quality of the outsourced activities and processes also after the termination of the outsourcing arrangement. In cases of unintended or unexpected termination of these outsourced activities and processes that might seriously impair business activity, the institution shall examine the feasibility of and adopt possible courses of action. This shall entail, as far is as meaningful and possible, defining corresponding exit processes. The courses of action shall be reviewed both regularly and on an ad hoc basis. Courses of action and exit processes Exit processes shall be defined with a view to ensuring that the necessary continuity and quality of the outsourced activities and processes can be maintained or restored within an appropriate period of time. If no courses of action have been specified, appropriate options must at least be taken into account in the contingency planning process. 7 In the case of material outsourced activities and processes, the outsourcing contract, which shall be documented in writing (“Textform” pursuant to section 126 b of the BGB), shall specifically a) specify and, where appropriate, delineate the services to be provided by the external service provider, The institution’s right to issue instructions/audits by Internal Audit An explicit agreement granting the institution the power to give instructions can be waived if the service to be performed by the external service provider is specified clearly in the outsourcing contract. Furthermore, the outsourcing institution’s internal audit function may waive its own audit activities subject to the conditions set forth in

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 53 of 119 b) agree the start date and, as applicable, the end date of the outsourcing arrangement, c) agree the law governing the outsourcing arrangement in those cases in which the laws of Germany do not apply, d) agree the locations (ie the regions or countries) in which the service will be performed and/or where relevant data will be kept and processed, including a requirement to notify the institution if the external service provider proposes to change the location, e) define the agreed service levels, including precise performance targets, f) where applicable, agree that the external service provider shall submit proof of insurance cover against certain risks, g) agree the requirements to implement and test business contingency plans, h) set out appropriate internal and external auditors’ rights of information and review, i) ensure that the competent authorities pursuant to section 25b (3) of the Banking Act retain unrestricted rights of information and review and the ability to supervise with regard to the outsourced activities and processes, j) rights to issue instructions to the extent that they are necessary, k) include rules ensuring compliance with data protection provisions and other security requirements, l) specify termination rights and appropriate notice periods, m) regulations as to the possibility and on the modalities of further outsourcing and transfers that guarantee that the institutions continue to comply with the banking supervisory requirements, n) the duty of the outsourcing firm to inform the institution of any developments that may impair the proper performance of the outsourced activities and processes. BTR 2.1 number 3. These waivers may also be applied where activities and processes are outsourced to “multi-client service providers”. Rights of information and review Wherever possible, rights of information and audit pursuant to number 7 h) and i) should also be agreed for non-important outsourcing arrangements to the extent that it can be expected that the latter could become important within the meaning of number 2 in the near or medium-term future. Rights of information and audit pursuant to number 7 h) and i) also comprise the rights required to ensure physical and logical access. Escalation in the event of underperformance Before drafting the contract, the institution shall define internally the degree of underperformance that it is prepared to tolerate. Termination rights The outsourcing arrangement should oblige the external service provider, if the arrangement is terminated, to support the institution in transferring the outsourced activity or process to another external service provider or in reintegrating it within the institution. Other security requirements Rules governing other security requirements should be contractually agreed for all outsourcing arrangements, ie including non-important ones. Other security requirements notably include physical access rights to rooms and buildings (eg in the case of data centres) as well as access rights to software solutions designed to protect material data and information. Compliance with these requirements must be monitored continuously. Institutions should adopt a risk-based approach to data storage and data processing locations and information security considerations. It must be ensured that the data held by the institution can still be accessed in cases in which the external service provider becomes insolvent, is liquidated, or discontinues its business operations. Place of performance of the service

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 54 of 119 In addition to number 7 d), the institution must be aware at all times of the place of performance of the service (eg the city or, where necessary, the precise address). 8 With respect to subcontracting, where possible, either the outsourcing institution shall be given the right to reserve approval or concrete provisions shall be agreed in the outsourcing agreement specifying when individual work and process steps may be subcontracted. It shall at least be contractually secured that the service provider's agreements with subcontractors are in line with the contractual agreements of the original outsourcing contract. Furthermore, in the case of sub-outsourcings the contractual requirements shall also include a duty to inform on the part of the service provider vis-à-vis the outsourcing institution. It must be ensured that, in the event that the external service provider subcontracts activities or processes to a third party, it remains responsible for reporting to the outsourcing institution. 9 The institution shall appropriately manage the risks associated with outsourcing and shall monitor the provision of the outsourced activities and processes in a due and proper manner. In the case of the outsourcing of important activities and processes, this also comprises continuously monitoring the external service provider’s performance using defined criteria (eg key performance indicators, key risk indicators) and contractually agreed information supplied by the external service provider; the quality of the services provided shall be assessed on a regular basis. 10 The institution shall clearly specify the responsibilities for documenting, managing and monitoring material outsourced activities and processes. If special functions pursuant to number 5 are completely outsourced, the management board shall appoint a responsible officer for each function who shall ensure that the respective tasks are being properly performed. The requirements of AT 4.4.3 and BT 2 shall be complied with accordingly. Special tasks of the audit officer The audit officer should draw up the inspection plan together with the commissioned third party. The audit officer should also, where appropriate together with the commissioned third party, draw up the overall report in accordance with BT 2.4 number 4 and review pursuant to BT 2.5 whether the identified findings have been remedied. The audit officer shall report directly to the management board. The duties of the audit officer may be carried out by an organisation unit, an employee or a manager, depending on the type, scope, complexity and risk content of the business activities of the institution. Adequate know-how and the required independence must be ensured. 11 The requirements governing the outsourcing of activities and processes shall be complied with also in the event that the outsourced activities and processes are subcontracted. Risk analysis pursuant to AT 9 number 2 The risks associated with sub-outsourcing shall be assessed in the course of the risk analysis. This shall also include assessing the importance of the sub-outsourcing.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 55 of 119 The extended requirements for outsourcing important activities and processes shall only apply to important sub-outsourced activities and processes from a risk perspective. In addition, due account should be taken of the risk that long and complex chains of sub-outsourcing could reduce the ability of institutions to oversee the outsourced activities and processes. 12 Each institution that performs outsourcing shall establish the position of a central outsourcing officer at the institution itself. In addition, depending on the nature, scale and complexity of the outsourcing activities, the institution must establish a central outsourcing management function to support the central outsourcing officer. The tasks to be performed include, but are not limited to, the following: a) Implementing and further developing an appropriate outsourcing management and corresponding control and monitoring processes, b) Creating and maintaining full documentation of outsourcings (including subcontracted activities and processes), c) Supporting the business units with regard to internal and statutory requirements for outsourcing, d) Coordinating and reviewing the risk analysis pursuant to number 2 conducted by the responsible units. Central outsourcing officer The central outsourcing officer shall be assigned to an organisational unit that reports directly to the management board. He or she can also be attached to other units provided that a direct reporting line to the management board is ensured. Small, less complex institutions may also entrust this function to a member of the management board. The head of the central outsourcing management function can also be appointed as the outsourcing officer. 13 The outsourcing officer or the central outsourcing management function shall prepare a report on the important outsourced activities and processes at least once a year and shall make this available to the management board. In addition, ad hoc reports must be submitted.. Taking into account the information available to the institution or the institution's internal evaluation of the quality of the services provided by the external service provider, the report shall contain an assessment of whether the services provided by the external service providers correspond to the contractual agreements, whether the outsourced activities and processes can be appropriately managed and monitored and whether further risk mitigation measures are to be taken. Reporting by small, less-complex institutions It is sufficient for small, less-complex institutions to report in the context of management board meetings. 14 The institution shall maintain an updated register of information on all outsourcing arrangements. The minimum requirements for the content of the register of all outsourced activities and processes can be found in section 54 of the EBA Guidelines

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 56 of 119 on outsourcing (EBA/GL/2019/02), while those for important outsourced activities and processes can be found in section 55. The register of existing outsourcing arrangements covers all outsourcing arrangements, including outsourcing arrangements with external service providers within a group of institutions or a financial network. Furthermore, where important outsourced activities and processes are sub-outsourced, the outsourcing institution shall specify whether the part that is to be sub-outsourced is important and whether this important part shall be entered in the register. 15 The following simplifications apply with regard to groups pursuant to AT 4.5 or financial networks: a) In the case of activities and processes that are outsourced within a group or financial network, effective measures at group or financial network level, and especially uniform, comprehensive risk management and rights of intervention can be considered when preparing and adapting the risk analysis pursuant to number 2 so as to mitigate the risk involved. b) In the case of activities and processes that are outsourced by multiple institutions within a group or financial network to one or more common external service providers, a central outsourcing management function can be established at group or financial network level if this central outsourcing management function meets the requirements set out in module AT 9 or, if this module does not apply, the requirements of EBA/GL/2019/02. c) In the case of risk reporting by external service providers that are used within a group/a financial network, a preliminary central analysis can be made, facilitating further use by the outsourcing institutions. d) Exit processes and courses of action do not have to be prepared in the case of activities and processes that are outsourced within a group or financial network. e) If a central register of outsourcing arrangements is established and maintained within a group or financial network, it must be ensured that the individual institution and the competent authority receive the individual register of outsourcing arrangements without significant delay where required. Joint contingency plans (pursuant to AT 7.3) If the institutions within a group of institutions or a financial network have agreed on a joint contingency plan for an important outsourced activity or process, the institutions must receive the portion of the contingency plan that is relevant for them.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 57 of 119 The conditions (including the financial conditions) must also be set out in those cases in which activities and processes are outsourced within a group of institutions or a financial network to a central external service provider within the said group or financial network.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 58 of 119 BT 1 Special requirements relating to the internal control system 1 This module sets out the special requirements for the internal control system. The requirements relate primarily to the organisational and operational structure in credit business, trading business and real estate business (BTO). Additional requirements relate to the appropriate structure of the risk management and risk control processes for counterparty and credit risk, market risk, liquidity risk and operational risk, taking due account of risk concentrations and the impact of ESG risks (BTR).

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 59 of 119 BTO Requirements relating to the organisational and operational structure 1 This module primarily sets out requirements relating to the organisational and operational structure in the lending, trading and real estate business. Depending on the size of the institution, the business focus and the risk situation, the BTO requirements may be implemented in simplified form. 2 This Circular distinguishes between the following organisational areas: a) the area which initiates credit transactions and has a vote in credit decisions (front office), b) the area which initiates real estate transactions and has a vote in decisions (front office), c) the area which has an additional vote in credit decisions (back office), and d) the area which has an additional vote in decisions on the conclusion of real estate transactions (back office), and e) the trading area. Furthermore, a distinction is made between the following functions: f) those functions which serve to monitor and communicate risks (“risk control function”) and g) those functions which serve to settle and control trading transactions (“settlement and control function”). Notes on the use of the terms “area” and “unit” A “unit (Stelle) that is independent of the front office and trading” may be answerable to the same member of the management board who is responsible for trading or the front office. An “area” which is independent of “front office” and “trading” can nevertheless be incorporated into “front office” or “trading”. Notes on the use of the terms “front office” and “back office” The area which initiates real estate transactions (e.g. activity of initiating real estate transactions and selecting suitable objects), is termed “front office”, the credit business serving as the basis for this. Likewise, the area that passes the second vote is termed “back office”. The areas “front office” in accordance with BTO number 2 a) and b) and “back office” in accordance with BTO number 2 c) and d) may, where relevant, be merged for “lending transactions” and “real estate transactions”. 3 The organisational structure shall ensure that the front office (lending business) and trading are segregated up to and including the management board level from those areas and functions listed in number 2 under c), f) and g) as well as in BTO 1.1 number 7, BTO 1.2 number 1, BTO 1.2.4 number 1, BTO 1.2.5 number 1 and BTO 1.4 number 2. The front office in the real estate business shall be segregated up to and including the management board level from the areas and functions listed in number 2 d) and f) and the function listed in BTO 3.2 number 3. Segregation of duties at legally dependent foreign branches Organisational segregation up to and including management board level means that both functional and disciplinary responsibility are separated. However, functional responsibility and disciplinary responsibility may diverge at legally dependent foreign branches. The precondition for this is that at least functional responsibilities are separated in line with the aforementioned principle of the segregation of duties up to and including management board level. Notes to sentence 1

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 60 of 119 BTO 1.1 number 7: The assessment of certain types of collateral,– to be determined from a risk point of view – and decisions regarding risk provisioning for significant exposures. BTO 1.2 number 1: Responsibility for the development and quality of loan processing, credit processing control, intensified loan management, the processing of problem loans and risk provisioning. BTO 1.2.4 number 1: Responsibility for the development and quality, as well as the regular review of the criteria which govern the classification of exposures requiring intensified loan management. BTO 1.2.5 number 1: Responsibility for the development, quality and regular review of the criteria governing when an exposure shall be transferred to recovery or liquidation as well as the main responsibility for the recovery or liquidation process or for monitoring these processes. BTO 1.4 number 2: Responsibility for the development, quality and monitoring of the use of risk classification procedures. Note to sentence 2 BTO 3.2 number 3: Calculating market value within the framework of real estate transactions. 4 Market risk control functions shall be segregated up to and including the management board level from those areas which bear responsibility for the respective positions. 5 The segregation of duties shall also be maintained at deputy level. A suitable member of staff from below management level may also act as deputy. 6 The member of the management board responsible for risk control functions may collaborate in a committee tasked by the management board with risk management without breaching the principle of the segregation of duties. 7 Accounting tasks, especially the setting of the accounting rules and the development of the accounting system, shall be assigned to a unit that is independent of the front office and trading. Segregation of duties at institutions with significant trading Given the extensive discretionary scope in valuing certain trades (eg structured products), institutions with significant trading should ensure that accounting is located in a unit that is segregated from trading.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 61 of 119 8 Material legal risks shall be assessed by a unit that is independent of the front office and trading (eg the legal department). 9 In the case of IT-based processing, the segregation of duties shall be ensured by appropriate procedures and safeguards.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 62 of 119 BTO 1 Credit business 1 This module sets out requirements relating to the organisational and operational structure, the procedures for the early detection of risks and the procedures for risk classification in credit business. As far as trading transactions and participating interests are concerned, the implementation of individual requirements set forth in this module may be waived provided that their implementation is not deemed to be appropriate in view of the specific features of these types of business (e.g. the requirement to monitor the loan purpose set forth in BTO 1.2.2 number 1). 1). Corresponding implementation in the case of equity investments Corresponding implementation in the case of equity investments shall comprise an equity investment strategy and the establishment of an equity investment control function – regardless of whether the particular equity investment is a creditequivalent/credit-substituting equity investment or a strategic equity holding. In the case of a credit-equivalent or credit-substituting equity investment, the requirements regarding the organisational and operational structure shall generally be observed in addition. In the case of equity investments in a network of affiliated financial institutions or of mandatory equity investments (eg equity investments prescribed by legislation applying to the savings bank sector or by the articles of association, or equity investments in SWIFT), the establishment of a separate risk control function may be waived. In these cases, the necessary monitoring activity may also be achieved by other means (eg by examining annual financial statements or annual reports or by monitoring the equity investment accounts). In the case of subsidiaries with real estate business within the meaning of AT 2.3 number 5, the institution shall comply with the requirements set out in BTO 3 in the case of threshold breaches as explained in BTO 3 number 1. BTO 1.1 Segregation of duties, and voting 1 The basic principle that applies to the structure of processes in lending business is the clear structural separation of the front office and back office up to and including the management level. In the case of small institutions, exceptions may be made under certain circumstances with regard to the segregation of functions. Simplified procedures for small institutions Where complying with the required segregation of duties between the back office/other functions independent of the front office and the front office up to and including management board level would be disproportionate owing to the institution’s small size, the requirement to segregate duties may be waived if direct management board involvement in the granting of risk-relevant loans ensures that credit business continues to be handled in a manner that is proper and commensurate with the existing risks. In this respect, the management has to carry out the processing and decision making with regard to risk-relevant loans. Any absent managers have to be informed following any decisions regarding risk-relevant business.

the lending volume does not exceed 100 million euros,
the institution has only two managers and
the lending business has a non-complex structure. Staff loans In the case of loans to staff and to management board members, the organisational requirements often cannot be implemented one-to-one, particularly because there is no front office involvement. As a general rule, these lending decisions have to involve a suitable section which is not involved in loan processing (e.g. the personnel department). The actual processing may also be performed, where appropriate, by the loan processing staff. 2 Depending on the nature, scale, complexity and risk content of the exposure in question, a lending decision requires two consenting votes by both the front and back office. This shall be without prejudice to other provisions referring to the act of decision-making (eg the Banking Act, articles of association). If these decisions are made by a single committee, the majority structure within that committee has to be defined in such a way that the back office cannot be outvoted. Presentation of votes and document plausibility checks The votes may be summarised in the form of a document. In this case, the (positive) vote by the back office should be documented by the responsible staff member’s signature or clearance in the electronic workflow. This may not be done as a favour. Depending on how the credit processes are assigned between the front office and back office, the vote by the back office should at least be based on a substantive plausibility check. The plausibility check does not call for a repeat of the activities already performed in the front office. Rather, the focus is on the plausibility and tenability of the lending decision. This includes assessing the informational value of the front office vote and the extent to which the amount and type of loan to be granted is justifiable. The intensity of the document plausibility check also depends on the complexity of the lending transactions in question. The employee responsible for the vote which is independent of the front office has to have at least access to all of the relevant lending documents. 3 In the case of trading transactions, counterparty and issuer limits are to be set by means of a back office vote. 4 In the case of lending decisions which are deemed immaterial from a risk point of view, the institution may decide that only one vote is necessary (“non-risk relevant lending transactions”). The process can also be simplified in the case of lending transactions initiated by third parties. In this respect, the structural separation Distinction between risk-relevant and non risk-relevant lending transactions Each institution is responsible for making its own distinction between risk-relevant and non risk-relevant lending transactions from a risk point of view. One example of a non risk-relevant lending transaction would be standardised retail business.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 64 of 119 between front office and back office is only relevant to lending transactions where the risk involved makes two votes necessary. Where a second vote is unnecessary, it shall be ensured that the requirements set out in BTO 1.2 are implemented appropriately. Third-party initiation The process surrounding the segregation of functions may also be simplified in the event of lending transactions initiated by third parties. In development lending business, for instance, it is normally unnecessary to obtain two internal votes within the institution because the credit transactions are often initiated by a principal bank of a borrower (Hausbank) or a holding company. Similar situations can occur, inter alia, in the case of credit transactions by institutions via dealer organisations, by building and loan associations via commercial agents, by guarantee banks via a principal bank or, in the case of syndicate members, by the lead manager in syndicated loans. In the case of risk-relevant credit decisions, the additional vote to be obtained within the institution should be generally submitted by a unit independent of the front office, ie the back office, where one exists. Initiation by third parties/workflow standardisation by means of external regulations The requirement to obtain an additional vote can also be waived if decision-making is so standardised by external rules (eg owing to statutory requirements such as in the German Housing Promotion Act (Wohnraumfördergesetz) that the institution follows standard procedures and thus has little discretionary scope with regard to the granting of loans. De minimis limits De minimis limits may be used to a certain degree for defining risk-relevant business. It can, for example, make sense to simplify procedures for an additional loan application covering a relatively small amount, even if the total client exposure is classified as risk-relevant. 5 Each member of the management board may, within the scope of his/her individual credit approval authority, independently make credit decisions and also maintain customer contacts. This shall be without prejudice to the organisational segregation of the front office and back office. In addition, two votes shall be obtained where this is considered necessary in terms of risk. In the event that decisions made within the framework of an individual’s decision-making authority deviate from the votes or if such decisions are made by the manager responsible for the back office, they have to be highlighted in the risk report (BT 3.2 number 3). Individual credit approval authority and management board members Only a manager may exercise the individual decision-making authority. A manager’s right to make independent lending decisions within the framework of individual decision-making authority is not automatically transferred to his deputy where the latter is not a management-level employee. Even in the event that risk-relevant lending decisions are made jointly by the entire management or by several managers, these decisions have to, as a general rule, be processed appropriately and two votes, one from each area, have to be obtained.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 65 of 119 6 The institution has to define a clear and consistent decision-making hierarchy for decisions in lending business. If the votes are split, clear decision-making rules have to be defined in this hierarchy. In such cases, the loan has to be either rejected or passed on to the next hierarchy level for a decision (escalation procedure). Credit decision-making The structure of credit decision-makers should be in line with and integrated into credit risk appetite, policies and limits and reflect the business model of the institutions. The allocation of credit decision-makers to the organisational and business structure should reflect the cascading credit risk appetite and limits within an organisation and be based on objective criteria, including risk indicators. The credit decision-making framework should clearly articulate the decision-making powers and limitations of each decision-maker and of any automated models for credit decision-making purposes. These powers and limitations should account for the characteristics of the credit portfolio, including its concentration and diversification objectives, in relation to business lines, geographies, economic sectors and products, as well as credit limits and maximum exposures. Where relevant, institutions should set time limits for the delegated powers or the size of delegated approvals. When delegating credit decision-making powers, including limits, to members of staff, institutions should consider the specificities of the credit facilities subject to this individual decision-making, including their size and complexity, and the types and risk profiles of borrowers. Institutions should also ensure that these staff members are adequately trained and hold relevant expertise and seniority in relation to the specific authority delegated to them. The credit decision-making framework should account for the risk perspective in the decision-making. It should also take into account the specificities of credit products and borrowers, including the type of product, the size of credit facility or limit, and the risk profile of the borrower. The framework should also specify the working modalities of the credit committees and the roles of their members, including, when applicable, aspects such as voting procedures (unanimity or simple majority of votes). If the institutions grant specific veto rights in relation to positive credit decisions to the head of the risk management function, institutions should consider granting such veto rights to additional staff members within the risk management function for specific credit decisions, to ensure that such a veto can be exercised, if appropriate, at all levels of the credit decision-making framework below the management body. Institutions should specify the scope of these veto rights, the escalation or appeal procedures, and how the management body will be involved.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 66 of 119 Objectivity and impartiality in credit decision-making Institutions should ensure that decisions taken by credit decision-makers are impartial and objective and not adversely affected by any conflict of interest, in line with the EBA Guidelines on internal governance. More specifically, for the purposes of these guidelines, institutions should ensure that any individual involved in credit decision-making, such as members of staff and members of the management body, should not take part in credit decisions if any of the following occurs: a) any individual involved in credit decision-making has a personal or professional relationship (outside the professional relationship when representing the institution) with the borrower; b) any individual involved in credit decision-making has an economic or any other interest, including direct or indirect, actual or potential, financial or non-financial, associated with the borrower; c) any individual involved in credit decision-making has undue political influence on or a political relationship with the borrower. Notwithstanding the governance structures implemented in institutions to operationalise the credit decision-making framework, institutions should have policies, procedures and organisational controls in place that guarantee and ensure objectivity and impartiality in the credit decision-making process. These policies, procedures and organisational controls, including any mitigating measures, should be clearly defined and understood, and should address any potential conflicts of interest. Institutions should ensure effective oversight of the decisions taken by credit decision-makers, including credit granting, to ensure their objectivity and impartiality. 7 The review of certain types of collateral – to be determined under risk aspects – is to be conducted outside the front office. This also applies to decisions regarding risk provisioning for significant exposures. The competence for all other processes and sub-processes mentioned in BTO 1.2 (such as loan processing or loan processing sub-processes) shall be assigned at the institutions’ discretion, unless this Circular stipulates otherwise. Preparation of expert opinions Expert opinions on the value of certain collateral can also be prepared by front office employees who have the appropriate professional qualification, provided that a material plausibility check ensures that the resulting values are subject to an assessment which is performed independent of the front office. Review of legal validity The legal status of collateral may also be assessed by a unit that is independent of “front office” and “trading” (e.g. by the Legal Department).

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 67 of 119 BTO 1.2 Requirements relating to credit business processes 1 The institution has to set up loan processing procedures (the granting and further processing of the loan), the monitoring of loan processing, intensified loan management, the processing of problem loans and risk provisioning. Responsibility for the development and quality of these processes has to lie outside of the front office. Requirements relating to credit granting processes Credit risk policies and procedures should include specific lending policies and procedures, with sufficient granularity to capture the specific business lines of the institution, for different sectors, in line with their varying complexities and sizes, and risks of different market segments related to the credit facility. Credit risk policies and procedures should specify:  policies and procedures and rules for the approval of credit granting and decision-making, including appropriate authorisation levels set in accordance with the credit risk appetite and limits;  suitable credit-granting criteria;  requirements for exposure aggregation and credit risk limits and the management of credit risk concentrations;  requirements and procedures regarding the acceptance and use of collateral and credit risk mitigation measures, to determine their effectiveness in minimising the inherent risk of a credit facility — such requirements and procedures should be asset class-specific and product type-specific and should duly consider the type, size and complexity of the credit facilities being granted;  conditions for the application of automated decision-making in the creditgranting process, including identifying products, segments and limits for which automated decision-making is allowed;  a risk-based approach, addressing possible deviations from standard credit policies and procedures and credit-granting criteria, including: i. conditions defining the approval process for deviations and exceptions and the specific documentation requirements, including the audit trail; ii. criteria for rejections and criteria for the escalation of deviations/exceptions to higher levels of the decision-making authority (including overrides, overrules, exposures possibly approved as an exception to general lending standards and other non-standard business under a special process with different approval authorities);

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 68 of 119 iii. requirements for the monitoring of circumstances and conditions for an exceptional credit-granting decision, including requirements for their review by the relevant functions during the regular review of the application and compliance with policies and limits;  requirements relating to what is to be documented and recorded as part of the credit-granting process, including for sampling and audit purposes — this should include, at a minimum, the requirements for the completion of credit applications, the qualitative and quantitative rationale/analysis, and all supportive documentation that served as a basis for approving or declining the credit facility; Within their credit risk policies and procedures and building on the credit risk strategy, institutions should also take into account principles of responsible lending. In particular:  institutions should consider the specific situation of a borrower, such as the fair treatment of borrowers that are in economic difficulties;  institutions should design credit products that are offered to consumers in a responsible way. For the credit products that are offered to consumers, institutions should ensure that the credit-granting criteria are not inducing undue hardship and over-indebtedness for the borrowers and their households. In their credit risk policies and procedures dealing with credit decision-making and creditworthiness assessments, institutions should also specify the use of any automated models in the creditworthiness assessment and credit decision-making processes in a way that is appropriate to the size, nature and complexity of the credit facility and the types of borrowers. In particular, institutions should set out appropriate governance arrangements for the design and use of such models and the management of the associated model risk. Institutions should ensure that the credit risk policies and procedures are designed to minimise the risk of internal or external fraud in the credit-granting process. Institutions should have adequate processes in place to monitor any suspicious or fraudulent behaviour. Responsibility for methods

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 69 of 119 Development of the aforementioned processes may also lie with the front office, provided that care is taken to ensure that the quality assurance is performed by an area independent of the front office on the basis of a material plausibility check. Environmentally sustainable loan granting Institutions that originate or plan to originate environmentally sustainable credit facilities shall comply with the requirements under the EBA guidelines for loan origination and monitoring (EBA/GL/2020/06), section 4.3.6 (Environmentally sustainable loan granting). Simplifications in third-party-initiated business Institutions may waive sensitivity analyses, monitoring compliance with additional clauses, intensified loan management and problem loan treatment if objective circumstances hinder access to the required data and the institution has consequently also opted not to set up a procedure for the early detection of risks. In doing so, the institution has to ensure that it is informed of all significant occurrences affecting the circumstances of the borrower. 2 The institution shall formulate processing guidelines for lending business processes, which are to be broken down (e.g. by loan type) where appropriate. Furthermore, the types of collateral accepted by the institution and the procedures for the valuation, management and realisation of this collateral shall be defined. When defining the procedures for the valuation of collateral, suitable valuation procedures shall be applied. The procedures to be used for collateral valuation shall be reviewed at least on an annual basis and shall be approved by the management board before being used for the first time and following major amendments. However, regular reviews of valuation procedures do not have to be performed to the extent that the institution uses a generally recognised, standardised procedure (that is in line, for example, with the German Regulation on the Determination of the Mortgage Lending Value (Beleihungswertermittlungsverordnung). Criteria for advanced statistical models for valuation Institutions should set out, in their policies and procedures, the criteria for using advanced statistical models for the purposes of valuation, revaluation and monitoring the values of collateral. These policies and procedures should account for such models’ proven track record, property-specific variables considered, the use of minimum available and accurate information, and models’ uncertainty. Institutions should ensure that the advanced statistical models used are: a) property and location specific at a sufficient level of granularity (e.g. postcode for immovable property collateral); b) valid and accurate, and subject to robust and regular backtesting against the actual observed transaction prices; c) based on a sufficiently large and representative sample, based on observed transaction prices; d) based on up-to-date data of high quality. When using these advanced statistical models, institutions are ultimately responsible for the appropriateness and performance of the models, and the valuer remains responsible for the valuation that is made using an advanced statistical model. Institutions should understand their methodology, input data and assumptions of the

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 70 of 119 models used. They should ensure that the documentation of models is up to date. Institutions should have adequate IT processes, systems and capabilities in place and sufficient and accurate data for the purposes of any statistical model-based valuation or revaluation of collateral. Differentiated processing principles Differentiated processing principles should also be drawn up for transactions with hedge funds and private equity enterprises, eg with regard to procuring financial and other information, analysing the purpose and structure of the transaction that is to be financed, the nature of the collateral provided or analysing the counterparties’ capacity to repay. Differentiated processing principles should likewise be drawn up for foreign currency loans that take account of the particular risks involved in this loan type. 3 The experts entrusted with valuing real estate collateral and other movable assets must possess the necessary qualifications and experience and may not be involved in the loan origination process or in loan processing. External appraisers may be used for these purposes. Potential conflicts of interest in connection with the valuation shall be ruled out. Appropriate rotation of the persons responsible for the valuation of real estate collateral shall be ensured. Criteria for valuers Institutions should ensure that the experts entrusted with valuations fulfil the requirements of Section 7.3 (Criteria for valuers) of the EBA Guidelines on loan origination and monitoring (EBA/GL/2020/06) with the exception of number 235. Rotation of the experts entrusted with valuations A rotation shall be performed if the expert entrusted with performing the valuation has made two consecutive individual appraisals of the same property. Independence of internal appraisers At institutions for which establishing a separate unit for internal appraisers is disproportionate, the persons entrusted with valuations can process other exposures provided that they do not prepare any valuations for the cases they handle. 4 All aspects material to the counterparty risk of a lending exposure have to be identified and assessed, with the intensity of these activities depending on the risk content of the exposures. Due account shall be taken of sectoral risk and, where applicable, country risk, and of the impact of ESG risks. When assessing the impact of ESG risks, an appropriately long time period shall be chosen.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 71 of 119 5 The use of external credit assessments shall not relieve the institution of its obligation to form its own opinion on counterparty and credit risk and to factor its own knowledge and information into the credit decision. 6 Depending on the riskiness of the credit transactions, the risks associated with an exposure shall be evaluated using risk classification procedures, both in the context of the credit decision and in regular or ad hoc assessments. Due account shall be taken of the impact of ESG risks. The risk classification is to be reviewed annually. Frequency of assessments Based on accounting requirements alone, the duty to perform an annual risk assessment also applies to exposures that are not subject to the risk classification procedure due to their low risk content. However, the assessment may be less intense in such cases and, for example, may be limited to validating the proper repayment of the loan by the borrower. Taking ESG risks into account The impact of ESG risks may constitute part of the risk classification procedure (creditworthiness-induced impact) or may also be valued separately from this (e.g. in the form of an ESG score). 7 The terms and conditions of the loan should take risk appetite, business strategy and type of loan into account and weigh up all relevant costs. Furthermore, the terms and conditions of the loan must be appropriately documented, backed by suitable governance structures and monitored with appropriate performance indicators. Pricing frameworks and pricing models Institutions should consider using different pricing frameworks, depending on the types of loans and borrowers. For consumers and micro and small enterprises, the pricing should be more portfolio and product based, whereas for medium-sized and large enterprises the pricing should be more transaction and loan specific. Institutions should set out specific approaches to pricing promotional loans, when risk-based and performance considerations specified in this section do not fully apply. Relevant costs When calculating the relevant costs, institutions should consider, and reflect in loan pricing in particular the cost of capital, the cost of funding (which should match the key features of the loan, including behavioural assumptions), operating and administrative costs, credit risk costs (which should match the classification in the risk classification procedure), other costs (if relevant, including tax considerations), competition and prevailing market conditions. Appropriate performance measures For the purposes of pricing and measuring profitability, institutions should consider and account for risk-adjusted performance measures (e.g. economic value added (EVA), return on risk-adjusted capital (RORAC), risk-adjusted return on capital

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 72 of 119 (RAROC), return on risk-weighted assets (RORWA), return on total assets (ROTA)) in a manner that is proportionate to the size, nature and complexity of the loan and the risk profile of the borrower. Risk-adjusted performance measures may also depend on and reflect institutions’ capital-planning strategies and policies. 8 The institution has to establish a procedure that conforms to the decision-making hierarchy, for dealing with the exceeding of limits. To the extent acceptable in terms of risk, the requirements set forth in BTO 1.1 and BTO 1.2 may be implemented in a simplified manner on the basis of clear rules for breaches of limits as well as prolongations. 9 A procedure has to be set up to monitor the timely submission of the necessary lending documents and ensure timely evaluation. A dunning procedure is to be implemented for overdue documents. 10 The institution is required to use standardised lending documents, to the extent that this is possible and appropriate with respect to the type of lending business in question, with the structure of the credit documents depending on the nature, scale, complexity and risk content of the business. 11 Contractual agreements relating to lending business have to be concluded on the basis of legally validated documentation. 12 Legally validated standard texts shall be used for the individual loan agreements and updated on an event-driven basis. Where a deviation from the standard texts is necessary for a given exposure (such as in the case of customised agreements), an examination has to be conducted by a section that is independent of the front office prior to signing the agreement, to the extent that this is deemed necessary from a risk point of view. Assessment by an expert front office employee In the event that the legally validated standard documents are not used, non riskrelevant lending transactions may also be assessed by an expert front office employee. BTO 1.2.1 Granting of loans 1 The process of granting loans encompasses all necessary workflows up to the loan payout. All factors which are material for assessing risk and the impact of ESG risks shall be analysed and assessed, taking particular account of the debt-servicing capacity of the borrower or the property/project, with the intensity of the assessment Debt-servicing capacity Taking particular account of the debt-servicing capacity essentially necessitates considering the individual borrower’s financial circumstances, whereby risks to the borrower’s future financial position and, if applicable, its liquidity position, must be

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 73 of 119 depending on the riskiness of the exposures (eg creditworthiness assessment, risk score in the risk classification procedure or an assessment based on a simplified procedure). factored into the analysis. The intensity of the assessment depends on the riskiness of the loan. Assessing debt-servicing capacity based on a simplified procedure does not, however, amount to a general waiver of such activities. Requirements relating to the processes for loan granting Differentiated processes for loan granting must be observed in accordance with the EBA Guidelines on loan origination and monitoring (EBA/GL/2020/06) under section 5.2 (Assessment of borrower’s creditworthiness). The requirements relating to the following sub-sections of these Guidelines must be taken into account for these processes: a) section 5.2.1 for lending to consumers; b) section 5.2.2 for lending to consumers in relation to residential immovable property; c) section 5.2.3 for other secured lending to consumers; d) section 5.2.4 for unsecured lending to consumers; e) section 5.2.5 for lending to micro and small enterprises; f) section 5.2.6 for lending to medium-sized and large enterprises; g) section 5.2.7 for commercial real estate lending; h) section 5.2.8 for lending for real estate development ; i) section 5.2.9 for leveraged transactions; j) section 5.2.10 for shipping finance; k) section 5.2.11 for project finance. Taking into account the proportionality clause under number 16 b. of the EBA Guidelines for loan origination and monitoring (EBA/GL/2020/06), simplifications are possible in the non-risk-relevant lending business provided an appropriate risk assessment is ensured and compliance with consumer protection laws is not impaired. For example, for unsecured lending to consumers and lending to micro and small companies, sensitivity analyses reflecting potential negative events in accordance with numbers 117 and 131 may be waived provided an institution has classified this business as non-risk-relevant. Within the non-risk-relevant business, the creditworthiness assessment may also be implemented by means of simplified procedures. Property/project finance

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 74 of 119 Property/project finance refers to the financing of properties/projects where the repayments are drawn primarily from the income generated by the financed assets and not from the borrower's independent debt-servicing capacity. In the course of loan processing the institution shall ensure that not only economic considerations but also notably the technical feasibility and development as well as the legal risks associated with the property/project and the impact of ESG risks are included in the assessment. Recourse may also be made to the expertise of an appropriate organisational unit independent of the borrower. Whenever external sources are consulted for these purposes, their qualification has to be assessed in advance. Inspections and the monitoring of building construction progress shall be carried out during the development phase of the project/property at intervals deemed necessary in terms of risk. 2 As a general rule, the value and legal validity of collateral has to be assessed prior to the granting of the loan. The carrying amount must be plausible in terms of the factors influencing its value and the underlying assumptions and parameters must be justified. Existing collateral values may be used if there are no indications of changes in value. Valuation of immovable property collateral and movable property For the purposes of valuing collateral, the requirements of the EBA Guidelines on loan origination and monitoring (EBA/GL/2020/06), section 7.1.1 (Immovable property collateral) and section 7.1.2 (Movable property collateral) must be complied with. If relevant, the institution must take into account the impact of ESG risks that influence the value of the collateral, such as the energy efficiency of buildings. BTO 1.2.2 Further processing of loans 1 Whether or not the borrower is complying with the terms of the contract has to be monitored in the further processing of loans. In the case of special-purpose loans, the institution has to monitor whether or not the funds made available are being used as agreed (monitoring of the loan purpose). Covenants Where relevant and applicable to specific credit agreements, institutions should monitor the requirements of collateral insurance. Moreover, institutions should regularly monitor borrowers’ adherence to the covenants agreed in the credit agreements. The borrower’s adherence to covenants, as well as the timely delivery of covenant compliance certificates, where applicable, should be utilised as early warning tools. The ongoing monitoring of financial covenants should include all relevant ratios specified in the covenants (e.g. net debt/EBITDA, interest coverage ratio, debt service coverage ratio (DSCR).

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 75 of 119 Institutions should also monitor non-financial covenants not only by collecting the covenant certificate, where applicable, but also by other means, e.g. through close contact with the borrower by the client executive. 2 Counterparty and credit risk shall be assessed at least annually, with the intensity of the assessments depending on the riskiness of the exposures (eg creditworthiness assessment, risk score in the risk classification procedure or an assessment based on a simplified procedure). The requirements of the EBA Guidelines on loan origination and monitoring (EBA/GL/2020/06) of section 8.3 (Regular credit review of borrowers) must be complied with. Bullet loans In the case of bullet loans, the institution shall assess the borrower’s repayment capabilities, depending on the level of risk associated with the exposure, because continuous payment by the borrower of the interest amounts due is not sufficient reason to assume that the final bullet repayment of the loan will take place. The borrower’s repayment capabilities shall include eg an adequate assessment of the borrower’s financial situation, based on sufficient information and taking into account relevant factors such as the debt-servicing capacity and the overall indebtedness of the borrower, or the value of the property/the project, taking due account of the impact of ESG risks. 3 The value and legal validity of collateral shall be monitored during further loan processing, based on the type of collateral, and where applicable reviewed and – depending on the result of this review – revalued. Above a certain threshold, which the institution shall define in terms of risk, the collateral shall be reviewed at appropriate intervals and revalued where necessary. Monitoring and reviewing collateral For reviewing and revaluing collateral, the requirements of EBA Guidelines on loan origination and monitoring (EBA/GL/2020/06), section 7.2.1 (Immovable property collateral) and section 7.2.2 (Movable property collateral) must be complied with. Since market volatility concepts can deliver no more than an initial indication of general events in a given market segment, they are not intended to be a sole reference point when monitoring the value of real estate collateral. As a supplementary measure, the institution shall itself observe the market and perform additional analyses for the collateral portfolio concerned and shall examine the extent to which the market volatility concept is representative for its own portfolio and, consequently, the properties for which it can be used. 4 Ad hoc reviews of exposures, including collateral, have to be conducted immediately, at least whenever the institution obtains knowledge, from either internal or external sources, which would indicate a substantial negative change in the risk assessment of the exposures or the collateral. Such information has to be forwarded to all of the organisational units involved immediately.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 76 of 119 BTO 1.2.3 Credit processing control 1 Process-related controls have to be established for loan processing to ensure compliance with the organisational guidelines. Controls may also be conducted via the standard “dual control” principle. 2 Such controls shall particularly examine whether the credit decision was made in line with the established credit approval structure and whether the preconditions and/or requirements set out in the loan agreement were met before the loan was provided. BTO 1.2.4 Intensified loan management 1 The institution shall specify criteria governing when an exposure shall be assigned to intensified loan management. Responsibility for the development and quality, as well as the regular review of these criteria has to lie outside of the front office. Criteria for intensified loan management The institution may freely decide whether the criteria constitute an automatic trigger, or whether they are indicators which serve as a basis for the review. The aim is to swiftly identify problem exposures so as to enable suitable measures to be initiated as quickly as possible. The same applies to those criteria which are decisive with respect to the procedure, whereby an exposure is passed on for intensified loan management (BTO 1.2.5 number 1). 1). Exemptions from intensified loan management, recovery and resolution As in applying the procedure for the early detection of risks, the institution may exempt certain types of credit transactions, depending on the riskiness of these transactions, or credit transactions below certain thresholds from intensified loan management and from recovery and resolution. 2 When exposures are transferred to intensified loan management, measures shall be taken and monitored with the aim of returning them to normal management. Intensified loan management measures Potential measures forming part of intensified loan management can include the following:

Intensified customer contact,
Close monitoring (eg using the watch list),
Intrayear analysis of the customer’s financial situation, or
Restructuring of exposures (eg refinancing, collateral enhancement.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 77 of 119 3 Exposures under intensified loan management are to be reviewed at regularly scheduled intervals, in order to determine what sort of further handling they require (further intensified loan management, return to normal management, transfer to winding up or restructuring). BTO 1.2.5 Treatment of problem loans 1 The institution shall define criteria governing the transfer of an exposure to, or the involvement of the staff or organisational units specialising in, recovery or resolution. Responsibility for the development and quality of these criteria and their regular review shall lie outside the front office. The main responsibility for the recovery or resolution process or for monitoring these processes shall lie outside the front office. Criteria for initiating problem loan treatment The notes to the criteria that apply to intensified loan management (see BTO 1.2.4 number 1) apply accordingly to the criteria for transfer to problem loan processing. 1). When determining these criteria, due account must also be taken of the indicators for classification as non-performing exposures (NPEs). It must be ensured that the definition of NPEs is applied uniformly in all branches and establishments. The uniform application of these criteria to individual customers and within groups of connected clients must be ensured. Review of non-standardised agreements in recovery cases The requirement to have non-standardised agreements reviewed by a unit independent of the front office can be waived in recovery cases if the recovery is pursued by specialists whose expertise and experience enables them to draw up such contractual documents autonomously and without any additional independent review. Votes on recovery loans and exposures in legacy portfolios One vote from the back office is sufficient for decisions on recovery loans. The same applies to exposures in legacy portfolios, whereby the portfolios and the institution’s intention in each case shall be comprehensibly documented (eg in a legacy portfolio strategy). NPE workout units Institutions with high stocks of NPLs should establish specialised NPE workout units that are appropriate to their size, nature, complexity and risk profile, and should ensure that these units are separate from the loan origination process. The NPE workout unit shall be established outside the front office; it is also possible to assign it to the area responsible for the treatment of problem loans. If overlaps with the staff involved in loan origination are unavoidable, it must be ensured that conflicts of interest are avoided. When designing the NPE workout units, due account shall be

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 78 of 119 taken of the specificities of the institution’s own NPE portfolios (eg retail banking, corporate banking), with sufficiently qualified staff specialised in NPE workouts being used to analyse the NPE portfolios concerned. 2 When exposures are transferred to recovery or resolution, the value of the collateral shall be reviewed and, where necessary, a new valuation determined from a realisation perspective shall be made. A review shall be performed at least annually, and due account shall be taken of material volatility and in particular of any significant decrease in the value of the collateral. Staff or, if necessary, external specialists with the requisite expertise shall be involved in the value review/valuation process. Valuation from a realisation perspective Valuations from a realisation perspective relate to exposures in resolution. The value of the collateral shall be determined, generally starting with the fair value, by determining the probable liquidation proceeds, taking the expected liquidation costs and the expected liquidation period into account. The value of the collateral shall be discounted where necessary. Appropriate haircuts shall be applied when calculating it. The waiver or use of haircuts must be justified appropriately. 3 If the institution decides to keep an exposure in intensified loan management even though the criteria for initiating a recovery or resolution process are met and the exposure exhibits material non-performing features, it shall be ensured that the exposure’s counterparty and credit risk can be mitigated or limited. The procedure shall be coordinated with the staff specialised in recovery or resolution. Legal risks and the value of collateral shall be reviewed in this regard. 4 If an institution considers pursuing the recovery option, it shall require submission of a restructuring plan in order to assess the extent to which the borrower can be restructured and shall use this as a basis for making its own independent assessment of whether a recovery can be achieved. 5 The implementation of the restructuring plan and the effects of the measures are to be monitored by the institution. 6 In the case of significant exposures, the responsible managers have to be informed of the status of the restructuring process on a regular basis. If necessary, recourse can be taken to outside specialists with relevant expertise for the restructuring process. 7 If an exposure is to be liquidated, a liquidation plan shall be drawn up detailing suitable liquidation measures. The measures shall be monitored regularly. Staff or, if necessary, external specialists with the requisite expertise shall be involved in the collateral liquidation process. Monitoring of liquidation measures The institution should monitor the period needed to liquidate the collateral or to enforce a guarantee.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 79 of 119 8 If an institution is considering foreclosing assets, it shall develop guidelines detailing how the collateral furnished is to be acquired. The guidelines shall also specify the intended holding period and procedures for the appropriate valuation and review of the assets acquired. Foreclosures of assets Foreclosures of assets are defined as the acquisition of collateral (eg real estate, means of transport) that are subsequently disclosed as assets on the institution’s balance sheet. If real estate is acquired as part of a foreclosure of assets, these count as real estate transactions and the requirements of BTO 3.2.2 must be complied with if the thresholds set out in the explanations in BTO 3 are exceeded. 9 As part of the monitoring of non-performing exposures, the institution shall set out suitable maximum periods for the treatment of secured and unsecured NPEs that ensure that stocks of non-performing exposures are reduced within an appropriate period. Monitoring of non-performing exposures The institution shall assess the extent to which non-performing exposures that are in long-term arrears can be collected. A check shall be made in this context as to whether sufficient provisions have been established. The institution shall observe the supervisory requirements (eg CRR) when determining the maximum periods and the minimum coverage for secured and unsecured NPEs. BTO 1.2.6 Risk provisioning 1 The institution has to set forth criteria which are to form the basis for value allowances, write-downs and loan loss provisions (including country risk provisioning), taking due account of the accounting standards in use (e.g. an internal valuation procedure for loans). A review of the collateral or, where necessary, a new valuation shall be performed when determining the risk provisions required. 2 The necessary risk provisions shall be calculated and updated in a timely manner. In the event that substantial risk provisioning is required, the management has to be notified immediately. 3 The institution shall regularly back-test the risk provisioning methods and procedures so as to avoid as far as possible differences arising between the impairments recognised and the actual losses incurred in the period until the exposure is written off in full.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 80 of 119 BTO 1.3 Requirements relating to the procedure for the early detection of risks and the treatment of forbearance BTO 1.3.1 Procedure for the early detection of risks 1 The procedure for the early detection of risks is intended primarily to identify, in a timely manner, borrowers whose loans are beginning to show signs of increased risk. The aim is to enable the institution to initiate countermeasures (eg to implement forbearance measures or perform intensified loan management of exposures) as early as possible. 2 To this end, the institution has to develop indicators for the early identification of risks based on quantitative and qualitative risk features. This also includes – where meaningful and possible – due consideration of the impact of ESG risks. The requirements of the EBA Guidelines on loan origination and monitoring (EBA/GL/2020/06) under section 8.5 (Use of early warning indicators/watch lists in credit monitoring) must be complied with. Risk characteristics Depending on the riskiness of the exposure, the institution must examine whether the parameters stated in the EBA Guidelines on loan origination and monitoring (EBA/GL/2020/06) under number 274 are suitable as risk characteristics for timely risk detection. 3 The institution is permitted to exempt certain types of lending business to be defined under risk aspects or lending transactions below certain thresholds from the application of the procedure for the early detection of risks. The function of early detection of risks may also be performed by a risk classification procedure, provided that this procedure adequately allows early detection of risks. Exemptions for loans via a principal bank An institution may refrain from setting up a procedure for the early detection of risks if it has only limited access to the required data due to objective circumstances. This may be assumed where credit transactions are initiated via, and subsequently managed by, a third-party institution (eg principal bank (Hausbank) in credit business of development banks (Förderbanken) or also of banks mainly granting bank guarantees (Bürgschaftsbanken)). The institution granting the loan has to ensure that it is informed of circumstances that affect the borrower. Risk classification procedure and early detection of risks Taking into account business management aspects, a risk classification procedure has to contain, in particular, the following components, so that it can also serve as an early risk detection procedure:

The procedure’s underlying indicators (eg account turnover, cheque returns) should be able to detect impending risks early (“indicator-based component”),
the indicators should enable the ongoing identification of impending risks (“time-related component”) and

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 81 of 119

signals produced by the early risk detection procedure should also result in the appropriate measures being taken at the institution as soon as possible (e.g. intensified client contact, addition of collateral, suspension of repayments), so that the risks do not result in losses (“process-related component”). BTO 1.3.2 Treatment of forbearance 1 When defining the criteria to be used for the transfer to intensified loan management or problem loan treatment, the institution shall also take due account of exposures to which forbearance measures apply. The objective of forbearance measures is a return to a sustainable, performing repayment status. Definition of forbearance Forbearance is defined in accordance with the definition used in supervisory reporting. 2 Guidelines shall be implemented for forbearance measures that contain the following points at least: a) The processes and procedures for granting forbearance measures, including responsibilities and decision-making, b) A description of the available forbearance measures, including measures embedded in contracts, c) Information requirements for assessing the viability of the measures, d) Documentation of the measures granted, e) The process and metrics for monitoring their effectiveness. The institution shall review the guidelines regularly. Forbearance guidelines The guidelines can also include standardised forbearance solutions, eg for homogeneous portfolios of less complex exposures. 3 The institution shall establish criteria for the appropriate classification and, if necessary, transfer of forborne exposures to the non-performing or performing categories. A suitable cure period shall be observed when reclassifying forborne and non-performing exposures. An assessment of the borrower’s financial situation is required before any change to or reclassification of the status is made. Forborne exposures An exposure can be classified as forborne if the borrower is in financial difficulties and concessions are made as a result. When classifying the exposure, a distinction can be made between non-performing forborne exposures, performing forborne exposures and non-performing exposures. A forborne exposure shall be classified as non-performing if one of the following criteria applies:
The forborne exposure is supported by an inadequate payment plan,

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 82 of 119

It includes contract terms that delay the time for the regular repayment instalments on the transaction in such a way that its assessment for a proper classification is hindered, such as when a grace period of more than two years for the repayment of the principal is granted, or
Amounts are derecognised. When reviewing whether to exit exposures from non-performing status, the impact of such an exit on other exposures of the borrower that are not the subject of forbearance measures must also be considered. The existence of contract terms that extend the repayment period for existing non-performing exposures should confirm the classification of the forborne exposures as non-performing. 4 The assessment of a borrower’s financial difficulties that is required for the purpose of implementing forbearance measures shall be based solely on the borrower’s situation and shall not take any collateral furnished or guarantees into account. Changes to contract terms The institution shall assess the borrower’s financial situation if changes to the contract terms impact the latter’s payment performance. A distinction shall be made between renegotiations with borrowers that are not in financial difficulties and forbearance measures granted to borrowers in financial difficulties. 5 The institution shall distinguish between viable forbearance measures contributing to reducing the borrower’s exposure and non-viable forbearance measures. Both shortterm and long-term forbearance measures can be considered, depending on the nature and duration of the loans; however, the implementation period for short-term measures should not exceed a maximum of two years. Assessing the viability of forbearance measures When assessing the viability of forbearance measures, the institution shall take due account of the following factors in particular: a) The borrower’s repayment ability and hence debt-servicing capacity, b) A reduction in the borrower’s balance is expected in the medium to long term, c) Forbearance measures with a short-term time horizon are applied temporarily, to the extent that it is reasonably expected that the borrower will have the ability to repay the original or modified amount commencing from the expiry date of the short-term temporary arrangement, d) The measure does not result in multiple consecutive forbearance measures having been granted to the same exposure. 6 The institution shall monitor at appropriate intervals the process for granting forbearance measures and the effectiveness of the measures granted. Monitoring of forbearance measures The following metrics can be used for monitoring, depending on the portfolio and the nature of the forbearance measures: a) Forbearance cure rate, b) Cash collection rate from forborne exposures,

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 83 of 119 c) Partial write-offs that may result from granting a forbearance measure. BTO 1.4 Risk classification procedures 1 Each institution shall set up informative risk classification procedures for the initial, regular or ad hoc assessment of counterparty and credit risk and, where appropriate, property/project risk. Criteria shall be specified that ensure the logical and transparent assignment to a risk category without undue delay as part of the risk assessment procedure. 2 Responsibility for the development, quality and monitoring of the use of risk classification procedures need not lie with the front office. 3 Key indicators for determining counterparty risk in the risk classification procedure have to include not only quantitative criteria but, wherever possible, also qualitative criteria. In particular, account has to be taken of the borrower’s ability to generate income in the future in order to repay the loan. 4 The classification procedures shall be appropriately incorporated into the credit business processes and, where appropriate, into the credit approval structure.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 84 of 119 BTO 2 Trading 1 The main purpose of this module is to set forth the requirements that apply to the organisational and operational structure in the trading business. BTO 2.1 Segregation of duties 1 The basic principle that applies to processes in the trading business is the clear structural separation between the trading area and the “risk control function” and “settlement and control function” up to and including the management level. Customer service representatives Circumstances in which customer service representatives pass client orders onto the trading department within a certain limit for pricing purposes are deemed to be in accordance with this Circular. They should neither quote prices independently nor build up own positions. 2 An institution may refrain from the segregation of functions including the management level if the whole of trading activities focus on trading transactions deemed immaterial from a risk point of view ("non-risk-relevant trading activities"). Non-risk relevant trading activities These simplifications can be applied if the following conditions are met, taking into account all facts and circumstances:

the institution applies or can apply the simplified implementation offered under Article 94 (1) CRR,
trading is focused on long-term assets or the liquidity reserve,
the volume of trading activities is very low as compared with overall business volume and
the structure of the trading activities is non-complex, and the complexity, volatility and risk content of the positions is low. The above prerequisites need not be fulfilled cumulatively. The determining factor is the overall view, ie taking account of the above factors and their respective weight in each case. Where an institution applies this simplified implementation, organisational segregation may likewise be waived with respect to duties independent of trading, eg their assignment to different units. Mutually incompatible activities are, however, to be carried out by different employees (AT 4.3.1 number 1). 1). Hence staff members tasked with trading must generally not be given responsibility for duties independent of trading. Simplified implementation for small institutions and very limited trading

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 85 of 119 If a segregation of functions is impossible with regard to trading activities owing to the size of the institution, the proper settlement of transactions has to be ensured by the direct involvement of management. If an institution’s trading activities are so low in volume that one single employee would not be working to full capacity, segregation of functions can be ensured by temporarily allocating other employees who are normally not entrusted with trading transactions BTO 2.2 Requirements relating to trading processes BTO 2.2.1 Trading 1 When trades are concluded, the terms and conditions, including any covenants, shall be agreed in full. The institution shall use standardised contract texts insofar as this is possible and appropriate with respect to the types of transaction in question. Internal trades shall be concluded only on the basis of clear regulations. Internal trades Internal trades within the meaning of this Circular are trades within a legal entity which serve to transfer risk between individual organisational units or sub-portfolios (eg trades between an institution’s own branches, organisational units or portfolios etc). It shall be ensured that the requirements applying to external trades are correspondingly adhered to in internal trades. 2 As a general rule, transactions which are not in-line with market conditions are not permitted. Exceptions may be made in individual cases if a) they are made at the client’s request, can be justified and the deviation from market conditions is clearly visible from the documentation, b) they are made on the basis of internal rules detailing the types of transaction, the range of customers, the scope and the structure of these trades, and c) the management has been informed in the case of material transactions. Documenting deviations from usual market conditions Deviations from usual market conditions that are documented in the transaction documentation are generally also documented by disclosing them to the customer in the trade confirmation. 3 Trading outside the business premises is only admissible within the scope of internal rules. These rules have to specify, in particular, the authorised individuals, purpose, scope and recording. If trading is conducted partially from a workplace at home, institutions must ensure that a sufficient number of other traders are present in the business premises. Prompt confirmation in suitable form (eg written or electronic) shall be requested from the counterparty in the case of trades that are not entered directly in a settlement or confirmation system used by the bank. Such trades, unless directly recorded in the booking systems in which the positions are managed, must be immediately notified by the trader to that trader’s own institution in a suitable Internal requirements Internal requirements for trading from workplaces at home must specify at least the following aspects and ensure that they are complied with: The institution must ensure the confidentiality of the data on which the business transactions are based using suitable guidelines. As regards the stability of the settlement and confirmation systems and requirements relating to IT security, trading from home offices must, in general, fulfil requirements comparable to trading conducted at the business premises.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 86 of 119 form and brought to the notice of the member of the management board responsible for trading or an organisational unit authorised by the latter. All transactions entered into outside the business premises must be flagged and brought to the notice of an area independent of trading, using suitable reports, at the latest on the working day following the transaction date. Home offices Traders working from home offices must conduct their activities at fixed and agreed locations; the workplaces may be used by traders during working hours only if the confidentiality of business transactions is safeguarded. Sufficient presence in the business premises Other traders are deemed present at the business premises in sufficient numbers if it is possible to immediately relocate the trading activity to the business premises to the extent required in the event of a (technical) disruption in trading at the home office. Small institutions with only one or two traders must ensure at least adequate deputisation rules for such cases or rules for switching from home offices to business premises. 4 An audio recording shall be made of traders’ transaction conversations during telephone trading and kept for at least three months. Appropriate procedures must be set up for documenting trading activities via trading systems. 5 Immediately after their conclusion, trades must be recorded together with all of the relevant transaction data, taken into account when determining the respective position (updating of positions) and passed on to the settlement function together with all documentation. The transaction data may also be transferred automatically by a settlement system. Transaction data Relevant transaction data include the transaction type, volume, terms and conditions, maturity, counterparty, date, time, trader, consecutive transaction number and covenants. 6 Where data is recorded directly in an IT system, care has to be taken to ensure that a trader can enter transactions solely under his own trader ID. The recording date and time as well as the transaction’s serial number are to be entered automatically by the system and must be impossible for the trader to alter. 7 Trades concluded after the cut-off time for settlement (late trades) are to be marked as such and included in that day's positions (including subsequent settlement) if they result in substantial changes. The transaction data and documentation relating to late trades have to be passed immediately to an area which is independent of trading. Requirement to mark late trades Late trades do not have to be flagged separately if a fixed timeframe is defined for the settlement’s cut-off time and a late trade is thus readily identifiable from the time or, where appropriate, time zone in which it is concluded. 8 Prior to the conclusion of agreements in connection with trading activities, especially in the case of master agreements, netting agreements and collateral agreements,

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 87 of 119 assessments are to be performed by a section which is independent of trading, to determine whether and, if so, to what extent they are legally enforceable. 9 With regard to money transfers employees belonging to the trading area in organisational terms may only have joint signature authority with employees from an area which is independent of trading. 10 The institution shall ensure by means of suitable measures that traders’ responsibility for specific positions is annually transferred to another employee for an uninterrupted period of at least ten trading days. During this period, the institution shall ensure that an absent trader does not access the positions for which he/she is responsible. BTO 2.2.2 Settlement and control 1 Based on the transaction data received from trading, the settlement office shall issue the trade confirmations or contract notes and carry out subsequent settlement tasks. Settlement systems Depending on their nature, scale, complexity and riskiness, trades shall generally be settled electronically; existing settlement systems shall be used as far as possible. 2 As a general rule, trades shall be promptly confirmed in suitable form (eg in writing or electronically). The confirmation has to contain the required transaction data. If the trade is transacted via a broker, the broker is to be named. Assessments are to be performed to ensure that the corresponding counter-confirmations are received immediately, whereby care has to be taken to ensure that the incoming counterconfirmations are passed directly to the settlement function in the first instance and are not addressed to trading. Missing or incomplete reconfirmations shall be promptly claimed, unless all parts of the trade in question have been duly executed. Counter-confirmations for foreign trades If reconfirmations cannot be obtained, the institution must verify the existence and details of the transaction in another suitable manner. Confirmation procedure for complex products If the master agreements specify that, in the case of complex products, only one of the two parties is responsible for drafting the agreement, a mutual ad-hoc confirmation (abridged form) and the unilateral draft agreement (full-length form) after all of the details have been clarified are suffice. The ad-hoc confirmation should contain the key information on the agreed trade. Agreements relating to the confirmation process The confirmation process within master agreements may specify that silence following expiration of a previously agreed deadline shall be taken to indicate reconfirmation. Cancellations and amendments

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 88 of 119 Particular attention should be paid in the cancellation and amendment procedures to an accumulation of cancellations or amendments by individual staff members or in certain trades. 3 The confirmation procedure may be waived where trades are recorded in a settlement or confirmation system which ensures automatic matching of the relevant transaction data and executes trades only if the data match (matching). Where there is no automatic matching of the relevant transaction data, the confirmation procedure may be waived if the settlement or confirmation system allows both counterparties to access the transaction data at any time and if these data are verified. Confirmation process for OTC derivatives In the case of transactions in OTC (over-the-counter) derivatives, a confirmation pursuant to Art. 11 (1 a)) of Regulation EU No 648/2012 (EMIR) is sufficient to the extent that it is issued independently of trading and the duty to report the transaction to a transaction register is complied with. Both counterparties must be able to access the settlement data in the transaction register at all times. The institution must access the data and must document this. 4 Transactions are to be subject to ongoing monitoring. In particular, assessments have to be made to ascertain whether a) the transaction documents are complete and have been submitted as soon as possible, b) the data supplied by traders is correct and complete and - where available - matches the data in the brokers' confirmations, print-outs from trading systems or other relevant sources, c) the transactions fall within the defined limits with regard to their type and scope, d) the terms agreed are in line with market conditions, and e) any deviations from predefined standards (e.g. master data, delivery instructions methods of payment) have been agreed. Changes and cancellations related to transaction data or booking have to be assessed outside the trading section. Automatic forwarding to the settlement office Controls of (a) and (b) may be waived if the transaction data entered by the traders are forwarded to the settlement office automatically and without the possibility of further intervention by the traders. 5 Suitable procedures shall be established for verifying the market conformity of transactions, where applicable differentiated according to transaction type. The member of the management board responsible for verifying market conformity shall be notified promptly if, in deviation from BTO 2.2.1 number 2, trades are concluded which do not conform to usual market conditions. Notes on the assessments to ensure compliance with market conditions For liquid spot, future and forward instruments, verification may take the form of sample checks, provided such checks are acceptable in terms of risk. Verification of market conformity can be waived in the case of trades executed directly or via third parties (eg via a correspondent bank) on an exchange or on another regulated market. The following lists can be used to identify the markets

The overview of exchanges or other regulated markets in EU member states and in the other signatories to the Agreement on the European Economic Area published by the European Securities and Markets Authority (ESMA) (accessible as at the time of publication of this Circular at: https://registers.esma.europa.eu/publication/searchRegister?core=esma_registers_upreg# using “Entity type: Regulated market” or “Entity type: Multilateral Trading Facility”),
The list of authorised exchanges and of other organised markets pursuant to section 193 (1) numbers 2 and 4 of the German Capital Investment Code (Kapitalanlagegesetzbuch) for such markets in countries outside the EU member states and outside the other signatories to the Agreement on the European Economic Area (BaFin interpretation of 16 February 2011; accessible as at the time of publication of this Circular at: https://www.bafin.de/SharedDocs/Veroeffentlichungen/DE/Auslegungsentscheidung/WA/ae_080208_boersenInvG.html – only available in German). Verification of market conformity cannot be waived in the case of organised trading facilities (OTFs), due to the lower level of requirements applicable there. A simplified procedure may be used with regard to assessment of compliance with market conditions for first-time acquisitions from an issue, depending on the nature and structure of these trades. For instance, where a security is issued via public auction/bid, market conformity may be verified simply by ensuring that the issue price has been settled correctly. The task of verifying market conformity shall also cover internal trades. Exceptions to this are possible, subject to the corresponding conditions set out in BTO 2.2.1 number 2. 6 Any discrepancies and incongruities identified during settlement and control shall be clarified promptly under the main responsibility of an organisational unit which is independent of trading. The institution shall establish suitable escalation procedures for any discrepancies and incongruities that cannot be plausibly clarified.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 90 of 119 7 The positions established in the trading area are to be matched with the positions in the downstream processes and functions (e.g. settlement, accounting) on a regular basis. The matching operations shall also cover dormant portfolios and dummy counterparties. Particular attention shall be paid to the matching of intermediate and suspense accounts. Any incongruities concerning these accounts shall be clarified promptly. Audit trail To ensure appropriate matching processes, the institution may have to establish processes and procedures which enable the full history of positions and cash flows to be verified at any time (audit trail). BTO 2.2.3 Capturing in risk control 1 Trades, including ancillary agreements which result in positions, have to be covered by the risk control function immediately. Positions to be covered by the risk control function This is without prejudice to the ability to access data from the accounting unit for risk control purposes.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 91 of 119 BTO 3 Real estate business 1 This module sets out requirements regarding the organisational and operational structure in real estate business. Scope of application for real estate transactions Compliance with these requirements may be waived if the book values of all real estate transactions do not exceed either EUR 30 million or 2% of total assets. BTO 3.1 Organisational structure 1 The core principle for structuring real estate business processes shall be the clear organisational segregation of the front office and back office up to and including management board level. 2 A decision to enter into a real estate transaction requires two positive votes from front office and back office. This shall be without prejudice to other provisions referring to the act of decision-making (eg the Banking Act, articles of association). Where these decisions are made by a committee, the voting structure within that committee shall be defined such that the back office cannot be outvoted. For real estate business initiated by third parties, a vote is only necessary from back office. Presentation of votes and substantive plausibility checks The votes may be summarised in a single document. In this case, the (positive) vote by the back office is documented by the responsible staff member’s signature or clearance in the electronic workflow. This may not be done as a favour. The back office vote must be based at least on a plausibility check. The plausibility check does not call for a repetition of the activities already performed in the front office. It should focus instead on the comprehensibility and justifiability of the investment decision. This includes assessing the robustness of the front office vote and the extent to which the amount and type of the real estate transaction are justifiable. The intensity of the plausibility check also depends on the complexity of the real estate transactions in question. The staff member responsible for the vote by the back office must at least have access to all material documents. Initiation by third parties Initiation of real estate transactions by third parties may be assumed if a subsidiary initiates the real estate acquisition and gives the first vote. 3 The institution shall establish a clear and consistent hierarchical credit approval structure for decision-making in real estate business. Clear decision-making rules have to be defined in this hierarchy for cases in which the votes are split. In such cases, the real estate transaction shall be rejected or escalated to a higher level of authority for a decision (escalation procedure).

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 92 of 119 BTO 3.2 Requirements relating to real estate business processes 1 The institution shall establish procedures for real estate business and formulate principles for processing them. Responsibility for methods Development of the aforementioned processes may also lie with the front office, provided that care is taken to ensure that the quality assurance is performed by an area independent of the front office on the basis of a plausibility check. Activities conducted by subsidiaries For real estate transactions of subsidiaries of the institution, the activities stipulated in BTO 3.2.1, BTO 3.2.2 and BTO 3.2.3 may be performed by the subsidiary itself provided these are carried out in accordance with the institution’s clear requirements and the institution has appropriately ensured itself of the quality of the activities performed by the subsidiary. 2 When defining the procedures for the valuation of real estate, suitable valuation procedures shall be applied. The valuation shall plausibly take into account any circumstances which have a bearing on the value and be substantiated and documented in the assumptions and parameters. The object must be viewed as part of the valuation process. 3 The market value of the real estate shall be calculated by experts. These persons must have the necessary qualifications and experience, especially regarding the real estate market in question and the type of object they are valuing. Potential conflicts of interest in connection with the valuation shall be ruled out. Appropriate rotation of the persons responsible for the valuation shall be ensured. Qualification of the experts Only experts who, on the basis of their training and professional activity, have special knowledge and experience in the area of real estate valuation may be entrusted with carrying out the valuation; such a qualification is assumed for persons who have been appointed or certified as expert or valuer for valuation of real estate by a government agency, an agency recognised by the government or accredited under DIN EN ISO/IEC 17024. Rotation of the experts entrusted with valuations A rotation shall be performed if the expert entrusted with performing the valuation has made two consecutive individual appraisals of the same property. 4 If external appraisers are used to value real estate, the institution must perform a plausibility check on the valuation and must include, where relevant, its own insights and information in the assessment.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 93 of 119 BTO 3.2.1 Real estate acquisition or origination 1 All aspects material to the risk of a real estate transaction shall be analysed and assessed before the real estate acquisition or origination, with the intensity of these activities depending on the riskiness of the real estate transaction. Critical aspects of the real estate transaction shall be highlighted and, where applicable, considered under various scenarios. 2 Prior to the acquisition or origination of real estate, the institution shall analyse the economic aspects relating thereto and in particular include risks in the assessment. In the case of real estate projects, the technical feasibility and development and the legal risks associated with the object/project are to be assessed. To the extent that external sources are consulted for these purposes, their qualification has to be reviewed beforehand. Economic analysis and risks relating to real estate acquisition or origination The economic analysis may include aspects such as:

object/project analysis including market value reports,
financing structure
ex ante and ex post calculations. Project-related risks are, for example, construction cost increases, deadline risks and legal risks. The risks associated with completed objects include value fluctuation risks and rental risks. 3 The market value of real estate must be calculated before acquisition of the real estate. In the case of real estate not yet completed at the time of acquisition, the market value must be calculated based on the assumption of completion. The explanations under BTO 3.2 numbers 2, 3 and 4 mutatis mutandis. BTO 3.2.2 Processing and monitoring 1 Inspections and the monitoring of building construction progress shall be carried out during the development phase of projects at intervals deemed necessary in terms of risk. For projects, the institution must also carry out continuous cost controls. 2 The value of real estate must be reviewed annually. When carrying out the review, existing real estate values may be used if there are no indications of change in value. If the conclusion is reached in the review that the real estate value might have fallen by more than 10%, a revaluation is strictly necessary. The explanations under BTO 3.2 numbers 2, 3 and 4 apply mutatis mutandis.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 94 of 119 3 Ad hoc reviews shall be promptly conducted at the very least whenever the institution obtains information from external or internal sources that indicates a significant negative change in the value of the real estate or negative developments of the real estate project. Such information has to be forwarded immediately to all of the organisational units involved. 4 A report on the real estate transactions shall be drawn up and made available to the management board at least once a year. The report must list and explain any value changes determined in the real estate. A report must also be made of the risks associated with the real estate and projects. BTO 3.2.3 Processing controls 1 Process-related controls shall be put in place for processing real estate transactions in order to ensure compliance with the requirements of the organisational guidelines. Controls may also be conducted via the standard “dual control” principle. In particular a control must be made of whether the decision relating to the real estate transaction was made in accordance with the hierarchical approval structure established.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 95 of 119 BTR Requirements relating to risk management and risk control processes 1 This module sets out specific requirements for risk management and risk control processes (AT 4.3.2), taking account of risk concentrations, in respect of a) counterparty and credit risk (BTR 1), b) market risk (BTR 2), c) liquidity risk (BTR 3), and d) operational risk (BTR 4). Due account shall be taken of the impact of ESG risks.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 96 of 119 BTR 1 Counterparty risks 1 The institution shall take suitable steps to ensure that counterparty and credit risk and associated risk concentrations can be limited in relation to its internal capital adequacy. Due account shall be taken of the impact of ESG risks. Counterparty and credit risk concentrations These comprise counterparty and sectoral concentrations, regional concentrations and other concentrations in credit business which, in relation to the available financial resources (risk coverage potential), could lead to considerable losses (eg concentrations with regard to borrowers, products or underlyings of structured products, to sectors, distributions of exposures across size and risk classes, collateral and, where appropriate, countries and other highly correlated risks). 2 No lending transaction may be entered into without a borrower-related limit (borrower limits, borrower unit limits), i.e. without a lending decision. 3 As a general rule, trades may only be executed with contractual partners for whom counterparty limits apply. All transactions concluded with a particular counterparty are to be counted towards that counterparty's individual limit. Replacement risks und settlement risks have to be taken into account when determining the extent to which the counterparty limits have been utilised. The individuals responsible for the positions in question have to be informed of the limits that apply to them and their current utilisation level as soon as possible. Counterparty limits Exempted from this are exchange-traded transactions and spot transactions in which the countervalue has been delivered or has to be delivered on a delivery-versuspayment basis or for which corresponding cover has been provided. 4 In addition, issuer limits shall generally be set for trading. If limits do not exist for particular issuers in trading, issuer limits for trading purposes may be defined at short notice based on clear rules, without the need to perform the full loan processing procedure defined in the relevant organisational guidelines according to risk aspects. The respective processing procedure must have been performed within three months at the latest. The applicable rules shall take due account of risk aspects. They shall be consistent with the objectives set out in the institution’s strategies. Recognition of the issuer’s specific risk Setting a separate limit for the issuer’s counterparty and credit risk may be waived if the issuer’s specific risk has been duly taken into account in setting the market risk limit using appropriate procedures. Due account must be taken of risk concentrations. Liquid lending products (e.g. “loan trading”) Counterparty or issuer limits must be set in accordance with this Circular prior to commencing trading in liquid credit products which are traded on the secondary markets like securities. The simplified implementation set forth in number 4 may be applied when setting issuer limits. Short-term issuer limits for trading purposes Counting trades towards lump-sum issuer limits (“Vorratslimite”) that have been granted at short notice is sufficient provided that such issuer limits have been derived from the internal capital adequacy calculation and the corresponding limit system,

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 97 of 119 and that sufficient risk coverage potential exists. No predefined processing procedure needs to be triggered or executed if trading book securities do not remain with the institution for longer than three months. If the securities remain for longer or such a longer stay is foreseeable, the predefined processing procedure shall be triggered promptly and must have been completed after three months at the latest. In the case of banking book transactions, the predefined processing procedure should have been performed in its entirety before the trade is executed. However, if technical trading processes mean that – under clearly defined conditions (such as the shortterm nature of an offer) – no issuer limit has been set up for the issuer by the time that the securities are acquired for the banking book, transactions with this issuer may initially be also counted towards the aforementioned “Vorratslimit” even if the institution does not maintain a trading book. However, unlike trading book transactions, the processing procedure for setting up the issuer limit should be initiated promptly upon conclusion of the transaction at the latest and be carried out and completed without delay. 5 Transactions are to be counted towards the borrower-related limits immediately. Compliance with the limits shall be monitored. Any breaches of the limits and, where appropriate, the measures taken in response shall be documented. The exceeding of counterparty and issuer limits that exceed a level determined from a risk point of view has to be reported to the responsible managers on a daily basis. 6 Risk concentrations shall be identified. Due account shall be taken of any interdependencies. The assessment of risk concentrations shall be based on qualitative and, where possible, quantitative procedures. Risk concentrations shall be managed and monitored using suitable procedures (eg limits, traffic light systems or other precautionary measures). Interdependencies Interdependencies may occur, inter alia, as economic dependencies or legal dependencies between enterprises. 7 The institution shall ensure that proceeds from the liquidation of credit exposures and the related historical values of the credit collateral are recorded appropriately in a recovery rate documentation. The experience gained from the recovery rate documentation shall be appropriately taken into consideration when managing counterparty and credit risk. Recovery rate documentation This also includes recovery rates from foreclosed assets.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 98 of 119 BTR 2 Market risk BTR 2.1 General requirements 1 A limit system shall be established, based on the institution’s internal capital adequacy, in order to limit market risk, taking due account of risk concentrations and the impact of ESG risks. Structure of BTR 2 In BTR 2.1 the Circular sets out general requirements that apply to all types of market risk (including interest rate risk in the banking book). BTR 2.2 complements BTR 2.1, adding rules which apply to market risk in the trading book. BTR 2.3 sets out simplified implementation for market risk in the banking book. Market price risks Market price risks include:

share price risks,
interest rate risks,
currency risks and
market price risks from commodities transactions (including electricity derivatives and CO2 emission certificates). They do not, however, include market price risks from traditional commodities transactions executed by semi-public cooperative banks. Market-related risk which results from a change in a counterparty's creditworthiness (eg specific position risk or potential changes in credit spreads) or which is attributable to market liquidity must be adequately covered by the risk management and risk control processes. 2 No transaction that incurs market price risks may be entered into in the absence of a market price risk limit. 3 The procedures used to assess market price risks have to be reviewed on a regular basis. Such reviews shall examine whether the procedures produce robust results also in the event of severe market disruptions. Alternative valuation methods shall be defined for material positions in the event that market prices are unavailable, out of date or distorted for a prolonged period.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 99 of 119 4 The results calculated by the accounting department and the risk control function have to be subjected to regular plausibility checks. BTR 2.2 Market risk in the trading book 1 The institution has to ensure that trading book transactions which incur market price risks are counted immediately towards the corresponding limits and that the individual responsible for a position is informed as soon as possible of the limits relevant to him and of their current level of utilisation. Suitable measures have to be introduced in the event that these limits are exceeded. An escalation procedure shall be initiated, where applicable. 2 The trading book positions that incur market price risks have to be valuated on a daily basis. 3 A trading book result shall be calculated daily. The existing risk positions have to be consolidated into overall risk positions at least once a day at the close of trading. 4 Risk figures derived from risk simulation models have to be continuously compared with actual trends. BTR 2.3 Market risk in the banking book (including interest rate risk) 1 The banking book positions that incur market price risks have to be valued on a quarterly basis at the very least. 2 Furthermore, the banking book results have to be calculated on at least a quarterly basis. 3 Suitable measures have to be taken to ensure that situations in which limits are exceeded due to interim changes in risk positions can be avoided.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 100 of 119 4 Depending on the nature, scale, complexity and risk content of the positions in the banking book, valuation, calculation and communication of risks may also be necessary on a daily, weekly or monthly basis. 5 The procedure used to assess interest rate risks in the banking book have to cover the key characteristics of interest rate risk. Treatment of interest rate risks in the banking book As a general rule, the institution is free to decide how it wishes to take interest rate risks into account. These can either be treated separately in the trading and banking book, or can be considered together at institution level (provided that the institution adheres to the required daily valuation of the risk positions in the trading book and its daily performance evaluation). Scope of the positions to be included The procedure has to include both the balance-sheet and off-balance sheet positions in the banking book which are subject to interest rate risks. 6 The calculation of interest rate risk may be based on the impact of interest rate changes on the institution’s profit and loss as recorded in the financial statements or on the market or present values of the relevant positions as the procedure that is of primary relevance to risk management. Due account shall be taken of the impact of the respective alternative risk management perspective. If this results in further interest rate risk on a significant scale, this shall be taken into account in the risk management and control processes as well as in the assessment of internal capital adequacy. In determining the impact on accounting profit, possible developments after the balance sheet date have to be taken into account as appropriate. Monitoring developments after the balance sheet date when applying an earnings-based approach Monitoring developments after the balance sheet date takes account of the fact that there is generally a time lag before interest rate risk has an impact on the profit and loss as recorded in the financial statements. The length of the monitoring period should be chosen with due regard to the individual portfolio structure. The appropriate monitoring period could be gauged, for example, by the average interest rate maturity for on-balance-sheet and off-balance-sheet positions included in the calculation. 7 Appropriate assumptions have to be established with regard to the consideration of positions with indeterminate capital tie-up or interest terms. Positions with indeterminate capital tie-up or interest terms By way of example, positions with indeterminate capital tie-up or interest terms can be:

positions where the behavioural interest rate maturity differs from the contractual interest rate maturity (mainly sight deposits and savings deposits), or
option elements (e.g. client termination rights, early repayment options, repayment options). Equity components that are available to the institution for an indefinite period must not be included in the economic-value calculation of interest rate risk.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 101 of 119 8 Institutions which incur material interest rate risks in various currencies have to assess the interest rate risks in each currency.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 102 of 119 BTR 3 Liquidity risk BTR 3.1 General requirements 1 The institution has to ensure that it can meet its payment obligations at all times. In doing so, the institution shall, if necessary, also take measures to manage intraday liquidity risk. Sufficient diversification of funding sources and of the liquidity buffers shall be ensured, with due account also to be taken of the impact of ESG risks. Concentrations shall be effectively monitored and limited. Integration solutions The requirement in sentence 3 may also be fulfilled via existing institutional network or group structures. Diversification of funding sources and of the liquidity buffers Possible key criteria for diversification are, for example, counterparties or issuers, products, maturities and regions. Intraday liquidity risk Intraday liquidity risk may arise, in particular, when using real-time settlement and payment systems. 2 The institution shall ensure that any imminent liquidity shortfall is identified early. It shall implement appropriate procedures and review their suitability regularly and at least once a year. The impact of other risks (eg reputational risk) on the institution’s liquidity shall be taken into account in such procedures. 3 The institution shall draw up one or more informative liquidity overviews for an appropriate period listing the anticipated inflows and outflows of funds. The liquidity overviews shall be suitable for modelling the liquidity position over the short, medium and long-term horizon. This shall be appropriately reflected in the specified assumptions on which inflows and outflows of funds are based and in the breakdown into time buckets. The liquidity overviews shall take due account of the usual volatility in payment flows that also occur in normal market phases. Assumptions about inflows and outflows of funds The assumptions should also take account of any drawdowns on liquidity and credit lines which the institution has made available to third parties. 4 The institution shall continuously review its ability to cover any liquidity needs that may arise, including in a tense market environment. The review shall focus among other aspects particularly on asset liquidity. The institution shall regularly verify that it has permanent access to the funding sources that are relevant to it. The institution shall maintain sufficient sustainable liquidity buffers (eg highly liquid, unencumbered assets) to cover any deteriorations in the liquidity position that may occur in the short term. Calculation of the liquidity buffers The liquidity buffers shall be calculated in such a way that any liquidity needs that may occur either in normal market phases or in predefined stress scenarios can be bridged entirely by the liquidity buffers. Recognition of asset encumbrance The procedures for managing and assessing liquidity risk shall also ensure that the amount, nature, scale and development of encumbered assets are identified swiftly

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 103 of 119 and reported to the management board. Due account shall be taken of the impact of stress scenarios. The liquidity contingency plan (number 9) shall also take due account of asset encumbrance. 5 The institution shall set up a suitable internal allocation system for liquidity costs, benefits and risks. The design of this allocation system shall depend on the nature, scale, complexity and riskiness of the institution’s business activities as well as its funding structure. The allocation system for liquidity costs, benefits and risks shall be approved by the management board. Simplified implementation for granular customer business Institutions with predominantly granular customer business on both the asset and the liability side and stable funding may also comply with the requirements by means of a simple allocation system. 6 Large institutions with complex business activities shall establish a liquidity transfer pricing system in order to allocate internally and in line with the point of origination the respective liquidity costs, benefits and risks. The determined transfer prices shall be factored into the integrated performance and risk management via allocation at transaction level wherever possible. This shall apply both to on-balance-sheet and off-balance-sheet business activities. The institution shall take account of the assets’ holding period and market liquidity when determining the relevant transfer prices. It shall make appropriate assumptions in the case of uncertain cash flows. The costs of maintaining the requisite liquidity buffers shall also be factored into the liquidity transfer pricing system. Liquidity transfer pricing system A liquidity transfer pricing system within the meaning of this requirement is a special type of the allocation system described in number 5 and is typically characterised by internal allocation of costs, benefits and risks by means of centralised transfer pricing. Allocation in line with the point of origination In a liquidity transfer pricing system, costs, benefits and risks shall be allocated at transaction level wherever possible; products and transactions with similar liquidity features may be aggregated. 7 Responsibility for the development and quality as well the regular review of the liquidity transfer pricing system shall be assigned to an organisational unit that is independent of the front office and trading. The current liquidity transfer prices shall be made transparent to the staff concerned. The consistency of the liquidity transfer pricing systems used within the group shall be ensured. 8 Appropriate liquidity risk stress tests shall be conducted regularly. Both institutionspecific (idiosyncratic) and market-wide causes of liquidity risk shall be incorporated into the analysis. Third, they shall encompass both aspects in combination. The institution shall define the stress tests individually. The stress tests shall be based on time horizons of differing lengths. In the stress scenarios the institution shall determine its expected survival horizon as a going concern. Institution-specific (idiosyncratic) and market-wide causes Institution-specific (idiosyncratic) causes may result in, for example, withdrawal of customer deposits at a given institution. Market-wide causes may lead, for example, to a deterioration in the funding conditions of some or all institutions. 9 The institution shall specify the measures to be taken in the event of a liquidity shortfall (liquidity contingency plan). This shall include a description of the liquidity

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 104 of 119 sources available in such cases, taking due account of possibly reduced proceeds. The institution has to determine also the communication channels to be used in the event of a liquidity squeeze. The operational feasibility of the planned measures shall be reviewed regularly and the measures modified if necessary. The stress test results shall be taken into account in this process. 10 The extent to which the intra-group transfer of liquid funds and unencumbered assets may be incompatible with company law provisions and with regulatory and operational constraints shall be reviewed. 11 An institution that incurs material liquidity risk in foreign currencies shall implement appropriate procedures for managing foreign exchange liquidity in the major currencies in order to safeguard its payment obligations. For the currencies concerned, this shall include at least one separate liquidity overview, separate foreign currency stress tests and explicit inclusion in the liquidity contingency plan. Material liquidity risk arising from different foreign currencies Material liquidity risk arising from different foreign currencies exists, in particular, if a significant part of the assets or liabilities is denominated in a foreign currency and, at the same time, there are significant currency mismatches or maturity mismatches between the respective foreign currency assets and liabilities. 12 The institution shall set up an internal funding plan that appropriately reflects the strategies, the risk appetite and the business model. The planning horizon shall cover a period of an appropriate duration generally spanning several years. Consideration shall be given to how changes in the institution’s own business activity or its strategic goals as well as changes in the economic environment impact on the funding requirement. Due account shall be taken in the planning process of potential adverse developments which depart from expectations. Internal funding plan The internal funding plan serves solely internal management purposes and can, depending on the nature and scale of the liquidity risk, be designed to suit the individual institution. Such a plan shall be distinguished from funding plans required pursuant to the EBA guidelines for funding plans of credit institutions (EBA/GL/2019/05) and submitted by certain institutions to the EBA. These are not the subject matter of the requirement; nevertheless, the requirement may be fulfilled by a funding plan prepared for the EBA. BTR 3.2 Additional requirements relating to capital market-oriented institutions 1 The institution shall be able to bridge its liquidity needs arising from the institutionspecific stress scenarios over the time horizon of at least one month using the liquidity buffers required pursuant to BTR 3.1 number 4, as further specified in BTR 3.2 number 2. Capital market-oriented institutions Section 264d of the German Commercial Code applies mutatis mutandis to the criterion of capital market orientation. 2 In order to bridge its short-term liquidity needs of at least one week, the institution shall maintain, besides central bank money, highly liquid assets which can be liquidated at any time in private markets without significant losses of value and which are eligible as central bank collateral. For the ongoing liquidity needs up to the end Private markets The term private markets is used to differentiate such transactions from those with central banks (eg open market operations or marginal lending facilities).

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 105 of 119 of the time horizon of at least one month, it shall be possible to use other assets as additional components of the liquidity buffers if these can be liquidated without significant losses of value within the given time horizon. Capability to liquidate assets without significant losses of value The capability to liquidate assets may also be achieved by possible recourse to repurchase agreements (repos) or other forms of collateralised funding provided that no significant losses of value occur in the assets to be used as liquidity buffers. The assets eligible for this purpose should have a high credit rating, be easy to value and it should be possible to liquidate them in markets that are sufficiently deep and broad also in stress phases. The size of the liquidity effect to be achieved in stress phases is reflected in the haircuts to be applied by the institution. Only assets that demonstrably fulfil the criteria for the envisaged liquidation channel may be earmarked as components of the liquidity buffers. Prospective fulfilment of the criteria at some point in the future is not sufficient. 3 The institution shall consider stress scenarios under which the liquidity buffers pursuant to number 1 shall also be measured. The stress tests shall, first, encompass stress scenarios based on institution-specific causes. They shall, second, separately encompass stress scenarios due to market-wide causes. Third, they shall encompass both aspects in combination. A scenario based on institution-specific causes shall also model a significant rating downgrade, incorporating at least the following assumptions:

Withdrawal by institutional investors of a substantial portion of the entity’s unsecured funding at least during the first week of the stress scenario; in the case of financial sector entities, the complete withdrawal of this unsecured funding within the first week shall be assumed,
Withdrawal of part of the retail deposits. In addition, the following assumptions shall be incorporated into a scenario based on market-wide causes:
General decline in the prices of marketable assets, particularly securities,
General deterioration in funding conditions. Institutional investors Institutional investors are professional market players:
Financial sector entities (eg banks and insurance undertakings, hedge funds, pension funds), including central banks outside the euro area,
Other professional market players not belonging to the financial sector (eg other sizeable entities). Operational deposits by financial sector entities In the case of deposits by financial sector entities that are used to maintain their operating business (operational deposits), a departure can be made in justified cases from the assumption of complete withdrawal in those scenarios that are based on institution-specific causes. General deterioration in funding conditions A general deterioration in funding conditions may be reflected, for example, in the non-rollover also of secured institutional funding, the shortening of funding maturities or a general widening of funding spreads. 4 The institution shall ensure that the deployment of the liquidity buffers is not incompatible with any legal, regulatory or operational constraints. The liquidity

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 106 of 119 buffers’ diversification and their dispersion across different jurisdictions shall accord with the structure and business activities of the institution and the group.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 107 of 119 BTR 4 Operational risk 1 The institution shall perform appropriate risk management to take account of operational risk. To this end, operational risk shall be internally defined and delineated uniformly and communicated to members of staff. Definition of operational risk The definition should include a clear delineation from other risks considered by the institution. Treatment of boundary events and near-losses The processes for managing operational risk should also cover the treatment of risks that are not unambiguously assignable (boundary events), near-losses and related events. "Boundary events" is a term used to classify losses which are or have already been assigned to another risk (eg credit losses), but which have or had their origin in events such as inadequate processes and controls. "Near-losses" is a term used to describe events triggered by errors or deficiencies which have not led to any loss (eg erroneous payment to the wrong counterparty; repayment by the counterparty). 2 It shall be ensured that any material operational risk is identified and assessed at least once a year. Due account shall be taken of the impact of ESG risks. 3 The institution shall ensure an appropriate recording of damage events. Major losses are to be analysed immediately with regard to their causes. Recording of damage events To do this, larger institutions shall set up an event database for damage events which ensures the complete recording of all damage events above appropriate thresholds. Collective losses Collective losses that are recognised separately but can be assigned to the same event shall subsequently be processed in the aggregate. 4 The procedures for assessing operational risk must cover the main types of operational risk. Significant types of risk Due account shall be taken of historical findings (and in particular losses) and potential events when assessing the significant types of risk. Findings relating to current weaknesses – and particularly those deriving from the internal audit, information security management and compliance functions, the modification processes, and business continuity and outsourcing management – shall also be used to identify and assess relevant potential events.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 108 of 119 5 The operational risks identified shall serve as the basis for deciding whether, and if so what, measures are to be taken to eliminate the causes, or what risk management measures are to be taken. The implementation of these measures has to be monitored. Risk management measures Risk management measures include eg insurance, backup procedures, the reorientation of business activities, and business continuity management measures.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 109 of 119 BT 2 Special requirements relating to the internal audit function BT 2.1 Tasks of the internal audit function 1 As a general rule, the audit activities of internal audit have to cover all of an institution’s activities and processes based on a risk-oriented approach. 2 The internal audit function, while guarding its independence and avoiding conflicts of interest, shall be involved in key projects. 3 Where activities are outsourced to another enterprise, the institution’s internal audit function shall be permitted to waive conducting its own audit activities, provided that the audit activity conducted by other audit functions complies with the requirements in AT 4.4.3 and BT 2. The internal audit department of the outsourcing institution shall satisfy itself at regular intervals that these prerequisites are fulfilled. The audit findings that are relevant for the institution are to be passed on to the internal audit department of the outsourcing institution. Execution of auditing work elsewhere The auditing work may be taken over by:

the internal audit department of the outsourcing firm,
the internal audit department of one or several of the outsourcing institutions on behalf of the outsourcing institution,
a third party nominated by the external service provider or
a third party nominated by the outsourcing institutions. In the course of its internal audit activities, the internal audit function can also rely on evidence or certifications based on current standards. Due account shall be taken in this context not only of the level of detail, topicality and suitability of the evidence or certifications and the associated audit reports but also of the suitability of the certification body or auditor. However, a supervised enterprise may not rely solely on these when performing its internal audit activities in the case of important outsourced activities and processes.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 110 of 119 BT 2.2 General principles relating to the internal audit function 1 The internal audit department has to perform its duties in an autonomous and independent fashion. In particular, it has to ensure that it is not subject to any instructions with regard to its reporting and evaluation activities. The management’s right to order additional audits does not conflict with the autonomy and independence of the internal audit department. 2 As a general rule, members of staff employed in Internal Audit may not be entrusted with tasks which are not related to auditing. In particular, they may not perform tasks which are not consistent with auditing activities. Provided that the internal audit department maintains its independence, it may provide advisory support to management or other organisational units of the institution within the realm of its duties. 3 As a general rule, members of staff employed in other organisational units of the institution may not be entrusted with internal audit tasks. This does not, however, rule out justified situations in which other employees can, due to their particular expertise, conduct activities for Internal Audit on a temporary basis. An appropriate cooling-off period of, generally, at least one year shall be envisaged for members of staff from other organisational units who move to the internal audit function, during which time these members of staff shall not be permitted to audit any activities that breach the ban on self-audit and self-review. Simplified implementation of the transitional periods is possible for institutions, depending on the nature, scale, complexity and riskiness of their business activities.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 111 of 119 BT 2.3 Planning and conduct of the audit 1 The activities of Internal Audit have to be based on a comprehensive audit plan which has to be updated on a yearly basis. Audit planning shall be risk-oriented. The activities and processes of the institution, even if these are outsourced, have to be audited at appropriate intervals, as a general rule within three years. Auditing has to be performed annually if particular risks exist. Activities and processes which are deemed not to be material from a risk point of view may be exempted from the threeyear audit cycle. The risk classification of activities and processes shall be reviewed regularly. Activities and processes which are immaterial in terms of risk A waiver of the three-year audit cycle for activities and processes which are immaterial in terms of risk does not imply largely forgoing audit activities in these areas. They, too, shall be integrated into the audit planning and audited at appropriate intervals. 2 The risk assessment procedures of the internal audit function shall include an analysis of the potential risk of the activities and processes taking due account of any foreseeable changes. This requires appropriate consideration of the various sources of risk and the vulnerability of the processes to manipulation by members of staff. 3 Audit planning, methods and quality shall be reviewed and refined with regard to their appropriateness regularly and on an ad hoc basis. 4 Care has to be taken to ensure that any special audits required at short notice, e.g. due to irregularities which have arisen or certain informational requirements, can be performed at any time. 5 Audit planning as well as any material modifications thereto shall be approved by the management board.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 112 of 119 BT 2.4 Reporting requirement 1 The internal audit function shall swiftly prepare a written report on each audit and, as a general rule, submit it to the responsible members of the management board. In particular, the report shall detail the audit subject and the audit findings, including the envisaged remedial measures, where appropriate. Any major irregularities have to be highlighted. The results of the audit also have to be assessed. In the event of serious findings, the report shall be promptly submitted to the management board. Grading of audit findings This Circular distinguishes in BT 2 between “material”, “serious” and “particularly serious” findings. This means that the relevant identified findings are graded in terms of their (potential) significance in terms of risk. The precise definition of the individual rating grades is left to the discretion of the corresponding institution. The institution may define further rating grades at its own discretion for irregularities that are less relevant from the risk point of view. 2 The audits are to be documented by working documents. These must show the work carried out, as well as the irregularities identified in the audit and the following conclusions, drawn in a manner that is transparent for competent third parties. 3 If there is no agreement between the audited organisational unit and the internal audit function regarding the measures to be taken in order to remedy the findings, the audited organisational unit shall issue a statement on this matter. 4 The internal audit function shall swiftly write a quarterly report on the audits it has performed since the cut-off date for the last quarterly report and swiftly submit it to the management board and the supervisory board. The quarterly report shall provide information on the material or more highly ranked findings, the adopted measures as well as the status of these measures. It has to demonstrate whether or not, and to what extent, the audit plan has been adhered to. The internal audit function shall also provide the management board and the supervisory board with concise information on the serious findings identified by the internal audit function during the course of the year and on any material findings that have not yet been remedied (annual report). The serious findings that have been discovered, the measures adopted to remedy them, and the status of those measures shall be specially highlighted. The internal audit function shall promptly report any particularly serious findings. Method of reporting findings in the quarterly report A concise presentation of the facts may be made. Individual findings which are similar in nature, as well as the status of the measures resolved, can be summarised in the report. Reporting to the supervisory board Reporting to the supervisory board may be routed via the management board if this does not entail any significant delay in informing the supervisory board and the content of the reports to the management board and the supervisory board is identical. Combining the quarterly report for the fourth quarter with the annual report The quarterly report for the fourth quarter and the annual report may be combined as separate sections in a single report.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 113 of 119 5 The management has to be informed immediately in the event that the audit results in severe findings against managers. The management then immediately has to inform the chairperson of the supervisory body and the supervisory authorities (BaFin, Deutsche Bundesbank). If the management fails to meet its reporting obligation or if it fails to implement appropriate measures, Internal Audit has to inform the chairperson of the supervisory body. 6 Audit reports and working documents are to be kept for six years.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 114 of 119 BT 2.5 Reaction to identified findings 1 The internal audit department has to perform appropriate assessments to ensure that any irregularities discovered in the course of the audit are remedied within the required period. Where appropriate, it has to perform a follow-up audit. 2 If the material findings are not remedied within an appropriate period of time, the head of the internal audit function shall first inform the responsible member of the management board of this in written form. If the irregularities remain unresolved, the management has to be informed of these irregularities in writing, at the latest in the next overall report.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 115 of 119 BT 3 Risk reporting requirements BT 3.1 General requirements relating to risk reports 1 Risk reports on the business situation and the risk situation shall be submitted to the management board at appropriate intervals. The reports to be prepared for this are to be drawn up in a comprehensible and meaningful way. Along with a risk description, the risk reporting should also contain an assessment of the risk situation. The reports shall be based on complete, precise and current data. The reports shall also provide a forward-looking risk assessment and shall not rely solely on current and historical data. Suggested actions, e.g. to reduce risk, are also to be included in the risk report where required. Comprehensibility and meaningfulness of the reports Comprehensible and meaningful business and risk reporting also requires an appropriate substantive balance between quantitative information (regarding position size, risk) and a qualitative assessment of material positions and risks. Obsolescence of data Data shall be captured and reported as at the date of the risk report. Where preliminary data or data from previous periods are used, this must be flagged and justified if necessary. Taking ESG risks into account The risk reports give the management board an up-to-date and, where meaningful and possible, quantitative overview of the impact of ESG risks. 2 In particular, the risk reports shall include the results of stress tests and their potential impact on the risk situation and the available financial resources (risk coverage potential). The key assumptions underlying the stress tests shall likewise be described. The risk reports shall, moreover, address risk concentrations and their potential impact separately. 3 Besides regular risk reports (overall risk report, reports on individual risk types), the institution shall also be able to generate ad hoc risk information where this appears warranted based on the institution’s current risk situation or the current situation of the markets in which the institution operates. 4 The risk reports shall be produced within an appropriate timeframe that facilitates the active and timely management of risks on the basis of the reports, whereby the production time shall also depend on the nature and volatility of the risks. 5 The management board shall inform the supervisory board at least quarterly of the risk situation, including existing risk concentrations, in an appropriate written form. The reports shall be written in a comprehensible and meaningful manner, and shall Supervisory body committees As a general rule, the risk reports should be provided to every member of the supervisory body. To the extent that the supervisory body has formed committees,

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 116 of 119 cover both a description and an assessment of the risk situation. The reports shall separately address particular risks to business development and the management board’s intended remedial measures. The management board shall promptly pass on material risk-related information to the supervisory board. A suitable procedure for this shall be established by the management board along with the supervisory board. the communication of information can also be limited to one particular committee. This is subject to the prerequisite that a corresponding resolution has been passed on the establishment of the committee, and that the chairperson of the committee makes a report to the entire supervisory body on a regular basis. Moreover, every member of the supervisory board must retain the right to inspect the reports that have been passed on to the committee.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 117 of 119 BT 3.2 Reports produced by the risk control function 1 The risk control function shall draw up at regular intervals, at least once a quarter, an overall risk report on the risk types classified as being material, taking due account of the impact of ESG risks, and submit this to the management board. With regard to the individual risk types classified as being material, it may be necessary, depending on the risk type, the nature, scale, complexity, riskiness and volatility of the respective positions and on market developments, for reports on individual risk types to be made monthly, weekly or daily. Reporting during stress phases Institutions are expected to increase the frequency of reporting when they themselves experience stress phases if this appears necessary for the purpose of active and timely risk management. Risk types classified as material Risk types classified as material include at least those listed under AT 2.2 number 1. Taking ESG risks into account The impact of ESG risks over an appropriately long time period shall also be taken into account in the overall risk report. If ESG risks are not specified in the risk reports as set out in numbers 3 and 4, the management board must be given meaningful information and data in the overall risk report that highlight the impact of ESG risks on the business model, strategy and overall risk profile. Focus must be placed in particular on sustainability-related sectoral and geographical risk concentrations. 2 Besides containing key information on the individual risk types classified as being material, the stress test results and information on risk concentrations, the overall risk report shall also contain information on capital adequacy, on regulatory and economic capital, on the current capital ratios and liquidity ratios and on the funding positions. Moreover, it shall also contain projections on the development of capital and liquidity ratios and the funding positions. Guidance on risk reporting The risk reports submitted to management can also be complemented by concise summary reports (e.g. a management summary) where the institution believes this to be appropriate. If there are no relevant changes to the information already communicated in previous reports, the current report may refer to the earlier information. Since risk aspects have to be addressed within the context of income and cost aspects, the latter can also be included in the risk report. In general, a discussion of the proposals for action with the responsible units is unproblematical as long as it is ensured that the information contained in the risk report or in the proposals for action is not improperly distorted. 3 A risk report on counterparty and credit risk containing the main structural features of credit business shall be drawn up and made available to the management board periodically, at least once a quarter. The risk report has to contain the following information: Individual credit approval authority by the member of the management board responsible for the back office in the case of recovery loans Since noteworthy exposures (eg recovery and resolution loans of material importance) must be reported pursuant to number 3 (b), there is no need for an additional reporting requirement applying to decisions on recovery loans taken by a

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 118 of 119 a) the performance of the credit portfolio, broken down, for example, by sector, country, risk class and size or collateral category, taking particular account of risk concentrations, b) the scope of the agreed limits and external lines; in addition, large exposures and other noteworthy exposures (eg recovery and resolution loans of material importance, loans of material importance under intensified management) shall also be listed and, where appropriate, commented on, c) a separate analysis of country risk, where appropriate, d) any instances where limits were exceeded to a substantial degree (including reasons), e) the scale and development of new business, f) the development of the institution’s risk provisioning, g) credit decisions of material importance which deviate from the strategies, h) credit decisions in risk-relevant credit business taken by members of the management board acting within the scope of their individual credit approval authority, either where these decisions diverge from the votes or where they are taken by a member of the management board responsible for the back office, and i) in the case of institutions with high stocks of NPLs, a separate presentation of non-performing and forborne exposures, and of changes in the assets acquired (where foreclosed assets form part of the institution’s NPE strategy). member of the management board responsible for the back office within the scope of his/her individual credit approval authority. 4 A risk report on the market risk, including interest rate risk, incurred by the institution shall be drawn up and made available to the members of the management board periodically, at least quarterly. The report, which shall also cover internal trades, shall contain the following information: a) an overview of the risk and profit and loss development of the positions subject to market risk, b) significant breaches of the limits, c) changes in the major assumptions or parameters on which the procedures for assessing market risk are based, Performance For the purposes of the risk report, reference may be made either to the change in profit and loss as recorded in the financial statements (including gains and losses in the course of settlement) or to the change in the operating result. Daily reporting In the case of institutions that apply or can apply the simplified implementation offered under Article 94 (1) CRR and which have limited trading book positions in terms of risk, daily reporting may be waived in favour of a less frequent reporting frequency.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 29 June 2023 Page 119 of 119 d) incongruities that came to light during the matching of trading positions (eg with regard to trading volumes, impact on the profit and loss statement, cancellation rates). The overall risk positions and results to be determined pursuant to BTR 2.2 number 3 and the limit utilisation levels shall be reported to the member of the management board responsible for risk control early on the following business day. The report shall be agreed with trading. This is without prejudice to reporting duties pursuant to BTO 2.2.1 number 2 (c) (significant trades that deviate from usual market conditions). 5 A risk report on the liquidity risk and the liquidity position shall be drawn up and made available to the management board on a regular basis, at least once per quarter. The risk report shall additionally contain stress test results and material modifications of the liquidity contingency plan. Particular liquidity risk arising from off-balance-sheet entities and from different foreign currencies as well as any intraday liquidity risk shall be addressed separately. Significant institutions or capitalmarket-oriented institutions shall draw up the risk report on liquidity risk and the liquidity position at least once a month. This report shall also cover the amount, the quality and the composition of the liquidity buffers. 6 The management board shall be informed at least annually of significant losses, material weaknesses and material potential events (pursuant to BTR 4 number 4 disclosures) resulting from operational risks. The reports shall cover the nature of the loss/risk, the causes, the scale of the loss/risk, and countermeasures initiated and already taken. 7 The management board shall be informed at least quarterly of the other risks identified by the institution as being material. The reports shall cover the respective risk, the causes, the possible implications and, where appropriate, the countermeasures initiated and already taken. It must be clear from the reports what the current risk position is and, where appropriate, what measures have been taken or can be taken to address these risks.