2024-05-29 | Rundschreiben 06/2024 (BA) - Mindestanforderungen an das Risikomanagement - MaRisk (Circular 06/2024 (BA) - Minimum Requirements for Risk Management)

The Federal Financial Supervisory Authority (BaFin) issued Circular 06/2024 to establish a flexible, principles-based framework for risk management across all German credit institutions and financial services enterprises. The circular mandates robust governance, comprehensive internal control systems, and explicit integration of ESG risks while requiring institutions to maintain adequate risk-bearing capacity through tailored strategies, capital planning, and proportionate implementation measures. It further clarifies group-level risk management, outsourcing rules, and supervisory review processes to ensure consistent protection of entrusted assets and financial stability.
To all credit institutions and financial services enterprises in the Federal Republic of Germany
29.05.2024
AT 1 Preamble
This circular, based on Section 25a(1) of the Banking Act (KWG), provides a flexible and practice-oriented framework for the design of risk management by institutions. It further clarifies the requirements of Section 25a(3) KWG (group-level risk management) and Section 25b KWG (outsourcing). Adequate and effective risk management, taking into account the institution's risk-bearing capacity, particularly includes the definition of strategies and the establishment of internal control procedures. Internal control procedures consist of the internal control system and internal audit. The internal control system particularly includes:
Risk management creates the basis for the appropriate exercise of supervisory functions by the supervisory body and therefore also includes its adequate integration.
The circular further provides a qualitative framework for implementing key articles of Directive 2013/36/EU (Banking Directive – "CRD IV") regarding the organization and risk management of institutions. Accordingly, institutions must establish adequate leadership, steering, and control processes ("Robust Governance Arrangements"), effective procedures for identifying, steering, monitoring, and communicating actual or potential risks, and adequate internal control mechanisms. Furthermore, they must possess effective and comprehensive procedures and methods ensuring that sufficient internal capital is available to cover all material risks (Internal Capital Adequacy Assessment Process - "ICAAP"). The adequacy and effectiveness of these procedures, methods, and processes are to be regularly assessed by the supervisor as part of the banking supervisory review process ("Supervisory Review and Evaluation Process" - "SREP"). The circular is therefore designed as a regulatory framework for qualitative supervision in Germany, taking into account the principle of double proportionality. With regard to methods for calculating regulatory capital under the Banking Directive, the circular's requirements are designed neutrally, as they can be met regardless of the chosen method.
The appropriate handling of the proportionality principle by institutions, reflected in the principles-based structure of MaRisk, also means that institutions may, on a case-by-case basis, implement measures beyond certain explicitly stated requirements in MaRisk, provided this is necessary to ensure the adequacy and effectiveness of risk management. Accordingly, institutions that are particularly large or whose business activities are characterized by special complexity, internationality, or specific risk exposure must implement more extensive measures in the area of risk management than smaller institutions with less complex business activities and no exceptional risk exposure. The former must also independently incorporate the contents of relevant publications by the Basel Committee on Banking Supervision and the Financial Stability Board regarding risk management into their considerations for an appropriate design of risk management.
The circular also implements Article 16 of Directive 2014/65/EU (Markets in Financial Instruments Directive - "MiFID II") via Section 80(1) of the Securities Trading Act (WpHG) in conjunction with Section 25a(1) KWG, to the extent that it applies equally to credit institutions and financial services enterprises. This concerns the general organizational requirements under Article 5, the risk management and internal audit requirements under Articles 7 and 8, the executive responsibility requirements under Article 9, and outsourcing requirements under Articles 13 and 14 of Directive 2006/73/EC (Implementing Directive to MiFID). These requirements serve the goal of harmonizing financial markets in the European Union in the interest of cross-border financial services and uniform investor protection foundations.
The circular accounts for the heterogeneous institutional structure and diversity of business activities. It contains numerous opening clauses that enable simplified implementation depending on the size of institutions, business focus, and risk situation. Accordingly, it can be flexibly implemented by smaller institutions as well. The circular is open to the ongoing development of processes and procedures in risk management, provided they align with the circular's objectives. For this purpose, the Federal Financial Supervisory Authority (BaFin) will maintain a continuous dialogue with practice.
Where MaRisk refers to significant institutions, it means institutions classified as significant according to Article 6 of Council Regulation (EU) No 1024/2013 of 15 October 2013 (SSM Regulation).
BaFin expects that the flexible basic orientation of the circular will be reflected in supervisory examinations. Examinations must therefore be conducted on the basis of a risk-oriented examination approach.
The circular is modularly structured, allowing necessary adjustments in certain regulatory areas to be limited to the timely revision of individual modules. A general part (Module AT) contains fundamental principles for designing risk management. Specific requirements for the organization of credit, trading, and real estate business are set out in a special part (Module BT). Taking risk concentrations into account, this module also sets requirements for the identification, assessment, steering, monitoring, and communication of counterparty default risks, market price risks, liquidity risks, and operational risks. Furthermore, Module BT provides a framework for designing internal audit within institutions and for risk reporting.
AT 2 Scope of Application
Compliance with the circular's requirements by institutions should help counteract deficiencies in the credit and financial services sector that could endanger the safety of assets entrusted to institutions, impair the proper conduct of banking or financial services business, or cause significant disadvantages for the overall economy. When providing securities services and ancillary securities services, institutions must additionally comply with these requirements to protect the interests of securities service customers.
AT 2.1 Target Group
The circular's requirements must be observed by all institutions within the meaning of Section 1(1b) KWG or Section 53(1) KWG. They also apply to branches of German institutions abroad. They do not apply to branches of companies with seats in another European Economic Area state under Section 53b KWG. The requirements in Module AT 4.5 of the circular must be observed by parent companies or parent financial conglomerate companies of an institutional group, a financial holding group, or a financial conglomerate at the group level.
Financial services enterprises and large securities firms within the meaning of Section 2(18) of the Securities Institutions Act, which are obligated to apply Sections 25a and 25b of the KWG due to Section 4 of that Act, must observe the circular's requirements insofar as this appears justified against the background of institutional size and the nature, scope, complexity, and risk content of business activities. This applies in particular to Modules AT 3, AT 5, AT 7, and AT 9.
AT 2.2 Risks
The circular's requirements relate to the management of risks material to the institution. To assess materiality, management must regularly and on an ad-hoc basis obtain an overview of the institution's risks (overall risk profile) as part of a risk inventory, appropriately and explicitly including the effects of ESG risks. Risks must be captured at the level of the entire institution, regardless of which organizational unit caused them.
At a minimum, the following risks must be classified as material: a) counterparty default risks (including country risks), b) market price risks, c) liquidity risks, and d) operational risks.
Risk concentrations associated with material risks must be considered. Credit spread risks in the banking book may be determined together with other risk types or as a separate risk type. Regardless of how they are allocated, credit spread risks in the banking book must be reported separately. Appropriate measures must be taken for risks classified as immaterial.
As part of the risk inventory, the institution must assess which risks can significantly affect its financial position (including capital adequacy), profitability, or liquidity. The risk inventory must not be based solely on accounting impacts and formal legal structures.
AT 2.3 Business/Transactions
Credit transactions within the meaning of this circular are generally transactions according to Section 19(1) KWG (balance sheet assets and off-balance sheet transactions with counterparty default risks).
For the purposes of this circular, a credit decision is any decision on new loans, loan increases, participations, limit exceedances, the establishment of borrower-specific limits, as well as counterparty and issuer limits, extensions, and changes to risk-relevant facts underlying the credit decision (e.g., collateral, purpose of use). It is irrelevant whether this decision is made exclusively by the institution itself or jointly with other institutions (so-called syndicated transaction).
Trading transactions are generally all contracts that form the basis of a financial instrument within the meaning of Section 1(11) KWG in the form of: a) money market transactions, b) securities transactions, c) foreign exchange transactions, d) transactions in tradable claims (e.g., trading in promissory notes), e) commodity transactions, f) derivative transactions, or g) cryptocurrency transactions.
Securities transactions also include transactions in registered bonds and securities lending, but not the initial issuance of securities. Trading transactions also include agreements on repurchase or buyback obligations and repo transactions, regardless of the transaction subject matter.
Derivative transactions include futures contracts whose price derives from an underlying asset, a reference price, reference interest rate, reference index, or a pre-defined event.
Real estate transactions within the meaning of this circular are transactions conducted on own account by an institution with one of the following intentions: a) acquisition or construction of real estate for income generation through leasing/letting, b) acquisition or construction of real estate for resale (e.g., property development business), c) holding of real estate already owned for income generation through leasing/letting or for resale.
In addition to the institution's direct real estate transactions, real estate transactions conducted on own account by the institution's subsidiaries within the meaning of Section 290 HGB are also considered real estate transactions of the institution, provided that the subsidiary's assets consist exclusively or predominantly of real estate transactions or participations in real estate transactions. Companies over which institutions jointly exercise a controlling influence are treated in the same way as subsidiaries.
Real estate transactions that predominantly serve the institution's own business operations are not considered real estate transactions within the meaning of this circular.
AT 3 Overall Responsibility of Management
All executive board members (Section 1(2) KWG) are responsible, regardless of internal allocation of responsibilities, for the proper business organization and its further development. This responsibility relates to all material elements of risk management, taking into account outsourced activities and processes. Executive board members fulfill this responsibility if they can assess risks, including ESG risks, and take the necessary measures to limit them. This also includes developing, promoting, integrating, and monitoring an appropriate risk culture at all levels within the institution and the group. Executive board members of a parent company of an institutional or financial holding group, or a parent financial conglomerate company, are also responsible for proper business organization within the group and thus for adequate and effective risk management at the group level (Section 25a(3) KWG).
Regardless of management's overall responsibility for proper business organization and particularly adequate and effective risk management, each executive board member is responsible for establishing appropriate control and monitoring processes in their respective area of responsibility.
AT 4 General Requirements for Risk Management
AT 4.1 Risk Bearing Capacity
Based on the overall risk profile, it must be ensured that the institution's material risks are continuously covered by its risk coverage potential, taking into account risk concentrations, thereby ensuring risk bearing capacity. The effects of ESG risks (as defined in AT 2.2 Para. 1) must be appropriately and explicitly considered.
The institution must establish an internal process to ensure risk bearing capacity. The procedures used for this purpose must appropriately consider both the goal of continuing the institution and protecting creditors from losses from an economic perspective. To fulfill these goals, procedures for ensuring risk bearing capacity must be established from both a normative and an economic perspective.
Risk bearing capacity must be considered when defining strategies (AT 4.2) and when adjusting them. To implement strategies and ensure risk bearing capacity, suitable risk steering and controlling processes (AT 4.3.2) must also be established.
Material risks not included in the risk bearing capacity concept must be defined. Their exclusion must be logically justified and is only permissible if, due to its nature, the respective risk cannot be meaningfully limited by risk coverage potential (e.g., the risk of illiquidity, i.e., the inability to meet payment obligations). It must be ensured that such risks are appropriately considered in the risk steering and controlling processes.
If an institution lacks suitable procedures for quantifying individual risks to be included in the risk bearing capacity concept, a risk amount must be determined for these based on plausibility checks. Plausibility checks may be conducted based on qualified expert estimates.
If observed historical developments are incorporated into risk quantification procedures, and the observation period consists exclusively or predominantly of orderly and calm market conditions, then stronger parameter changes must also be appropriately considered in risk quantification.
If an institution considers risk-mitigating diversification effects within or between risk types in its risk bearing capacity concept, the underlying assumptions must be based on an analysis of institution-specific conditions and rely on data transferable to the institution's individual risk situation. Diversification effects must be estimated conservatively enough to remain sufficiently stable during economic downturns or unfavorable market conditions relative to the institution's business and risk structure. The reliability and stability of diversification assumptions must be reviewed regularly and, if necessary, on an ad-hoc basis.
The choice of methods and procedures for assessing risk bearing capacity lies with the institution. The assumptions underlying these methods and procedures must be logically justified. The definition of material elements of risk bearing capacity steering and key underlying assumptions must be approved by management.
The adequacy of methods and procedures must be reviewed at least annually by the technically responsible staff. In reviewing, sufficient account must be taken of limits and restrictions arising from the methods and procedures used, their underlying assumptions, and data incorporated into risk quantification. The stability and consistency of methods and procedures, as well as the explanatory power of risks determined thereby, must be critically analyzed.
If, due to the comparative complexity of methods and procedures, underlying assumptions, or incorporated data, comprehensive validation of these components (Para. 9) is required, appropriate independence between method development and validation must be ensured. The main results of validation and, if necessary, proposals for measures to address known limits and restrictions of methods and procedures must be submitted to management.
Each institution must have a process integrated into profit and risk steering for planning future capital requirements and available capital to cover these requirements. The planning horizon must cover an appropriately long, multi-year period. Changes in the institution's own business activities or strategic goals, as well as changes in the economic environment, must be considered regarding their impact on capital requirements and capital stock. Possible adverse developments deviating from expectations must be appropriately accounted for in planning.
AT 4.2 Strategies
Management must define an economically sustainable business strategy, presenting the institution's objectives for each material business activity and the measures to achieve these objectives. This strategy development requires an in-depth, forward-looking analysis of the business model. When defining and adjusting the business strategy, both external influencing factors (e.g., market development, competitive situation, regulatory environment, changing environmental conditions, and transition to a sustainable economy considering possible developments over an appropriately long period) and internal influencing factors (e.g., risk bearing capacity, liquidity, profitability, personnel and technical-organizational resources) must be considered. Assumptions must be made regarding the future development of relevant influencing factors. The assumptions are subject to at least annual and ad-hoc review; if necessary, the business strategy must be adjusted.
Management must define a risk strategy consistent with the business strategy and resulting risks. The risk strategy, potentially divided into sub-strategies for material risks with explicit and appropriate consideration of ESG risk effects, must include the objectives of steering material business activities and measures to achieve these objectives. In particular, taking risk concentrations into account, the institution's risk appetite must be defined for all material risks. Risk concentrations must also be considered with regard to the institution's profitability (profitability concentrations). This requires the institution to distinguish its sources of earnings and quantify them (e.g., regarding rate and structural contributions in the interest book).
Institutions with a high NPL stock must introduce a strategy for non-performing risk positions to reduce them to a pre-defined NPE target (if not the core business model) over a realistic but sufficiently ambitious time horizon.
The following steps form the central building blocks for developing and implementing this strategy:
Management is responsible for defining and adjusting strategies; this responsibility is non-delegable. Management must ensure the implementation of strategies. The level of detail in strategies depends on the scope and complexity, as well as the risk content, of planned business activities. The institution may freely integrate the risk strategy into the business strategy.
Management must establish a strategy process covering, in particular, planning, implementation, assessment, and adjustment of strategies. For assessment purposes, objectives stated in strategies must be formulated to allow meaningful review of target achievement. Causes of any deviations must be analyzed.
Strategies and, if necessary, required strategy adjustments must be communicated to the institution's supervisory body for information and discussed with it. The discussion also covers the cause analysis (AT 4.2 Para. 5) in case of target deviations.
The contents and changes of strategies must be appropriately communicated within the institution.
AT 4.3 Internal Control System
In each institution, corresponding to the nature, scope, complexity, and risk content of business activities: a) regulations on organizational structure and processes must be established, b) risk steering and controlling processes must be set up, and c) a risk controlling function and a compliance function must be implemented.