2022-05-04 | MaRisk (English version)

Annotated Text of the Minimum Requirements for Risk Management (MaRisk) – Version of 16 August 2021

The German Federal Financial Supervisory Authority (BaFin) issued this annotated framework to establish comprehensive, proportionate risk management requirements for credit institutions and financial services firms under the Banking Act. Institutions must implement robust governance, internal control mechanisms, and dedicated risk control and compliance functions to identify, assess, and report material credit, market, liquidity, and operational risks while maintaining adequate internal capital. The regulations apply flexibly based on institutional size and complexity, mandate specific provisions for high non-performing loan ratios, and govern critical areas including trading, outsourcing, internal audit, and risk reporting.


Annex 1: Annotated text of the Minimum Requirements for Risk Management (MaRisk) in the version of 16.08.2021

Please note: This English version is provided for information purposes only. The original German text is binding in all respects. For the sake of clarity, some key concepts used in this document are listed below together with the respective German term to which they refer and which defines their precise meaning.

  • Management board – Geschäftsleitung
  • Supervisory board – Aufsichtsorgan
  • Integrated performance and risk management – Gesamtbanksteuerung
  • Financial position and financial performance – Vermögens-, Finanz- und Ertragslage
  • Segregation of duties – Funktionstrennung

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) – Annex 1: Explanatory notes on the MaRisk in the version of 16.08.2021

AT 1 Preliminary remarks
AT 2 Subject matter
AT 2.1 Scope
AT 2.2 Risks
AT 2.3 Business transactions
AT 3 Joint responsibility of the management board members
AT 4 General risk management requirements
AT 4.1 Internal capital adequacy
AT 4.2 Strategies
AT 4.3 Internal control system
AT 4.3.1 Organisational and operational structure
AT 4.3.2 Risk management and risk control processes
AT 4.3.3 Stress tests
AT 4.3.4 Data management, data quality and aggregation of risk data
AT 4.4 Special functions
AT 4.4.1 Risk control function
AT 4.4.2 Compliance function
AT 4.4.3 Internal audit function
AT 4.5 Risk management at group level
AT 5 Organisational guidelines
AT 6 Documentation
AT 7 Resources
AT 7.1 Staff
AT 7.2 Technical and organisational resources
AT 7.3 Contingency plan
AT 8 Adjustment processes
AT 8.1 New product process
AT 8.2 Modifications of operational processes or structures
AT 8.3 Mergers and acquisitions
AT 9 Outsourcing
BT 1 Special requirements relating to the internal control system
BTO Requirements relating to the organisational and operational structure
BTO 1 Credit business
BTO 1.1 Segregation of duties, and voting
BTO 1.2 Requirements relating to credit business processes
BTO 1.2.1 Granting of loans
BTO 1.2.2 Further processing of loans
BTO 1.2.3 Credit processing control
BTO 1.2.4 Intensified loan management
BTO 1.2.5 Treatment of problem loans
BTO 1.2.6 Risk provisioning
BTO 1.3 Requirements relating to the procedure for the early detection of risks and the treatment of forbearance
BTO 1.4 Risk classification procedures
BTO 2 Trading
BTO 2.1 Segregation of duties
BTO 2.2 Requirements relating to trading processes
BTO 2.2.1 Trading
BTO 2.2.2 Settlement and control
BTO 2.2.3 Capturing in risk control
BTR Requirements relating to risk management and risk control processes
BTR 1 Counterparty and credit risk
BTR 2 Market risk
BTR 2.1 General requirements
BTR 2.2 Market risk in the trading book
BTR 2.3 Market risk in the banking book (including interest rate risk)
BTR 3 Liquidity risk
BTR 3.1 General requirements
BTR 3.2 Additional requirements relating to capital market-oriented institutions
BTR 4 Operational risk
BT 2 Special requirements relating to the internal audit function
BT 2.1 Tasks of the internal audit function
BT 2.2 General principles relating to the internal audit function
BT 2.3 Planning and conduct of the audit
BT 2.4 Reporting requirement
BT 2.5 Reaction to identified findings
BT 3 Risk reporting requirements
BT 3.1 General requirements relating to risk reports
BT 3.2 Reports produced by the risk control function

AT 1 Preliminary remarks

1 This Circular provides a flexible and practical framework for structuring institutions’ risk management on the basis of section 25a (1) of the German Banking Act (Kreditwesengesetz). Moreover, it specifies the requirements laid down in section 25a (3) of the Banking Act (risk management at group level) as well as section 25b of the Banking Act (outsourcing). Geared to maintaining internal capital adequacy, appropriate and effective risk management encompasses, in particular, defining strategies and establishing internal control mechanisms. Internal control mechanisms shall consist of an internal control system and an internal audit function. The internal control system shall comprise, in particular,

  • rules on the organisational and operational structure,
  • processes for identifying, assessing, managing, monitoring and reporting risks (risk management and risk control processes), and
  • a risk control function and a compliance function.

Risk management creates a basis for the proper performance of the supervisory board’s (Aufsichtsorgan) monitoring functions and thus shall also include the adequate involvement of the supervisory board.

Branches pursuant to section 53 of the Banking Act
As there is no supervisory board for branches of enterprises domiciled outside Germany pursuant to section 53 of the Banking Act, these institutions must instead involve their corporate headquarters in an appropriate manner.

2 Furthermore, this Circular provides a qualitative framework for implementing relevant articles of Directive 2013/36/EU (Banking Directive – CRD IV) on institutions’ organisation and risk management. Pursuant to these articles, institutions shall especially have in place robust governance arrangements, effective procedures to identify, manage, monitor and report the risks they are or might be exposed to, as well as adequate internal control mechanisms. Moreover, they shall have in place effective and comprehensive procedures and methods which ensure that adequate internal capital is available to cover all material risks (Internal Capital Adequacy Assessment Process, or ICAAP). The adequacy and effectiveness of these procedures, methods and processes shall be assessed periodically by the supervisory authority pursuant to Article 97 of the Banking Directive as part of the Supervisory Review and Evaluation Process. Therefore, taking account of the principle of dual proportionality, this Circular provides the regulatory framework for qualitative supervision in Germany. With regard to the methods used for calculating the regulatory own funds stipulated in the Banking Directive, this Circular’s requirements are designed in a neutral manner such that they can be met irrespective of the chosen method.

3 In line with the principles-based structure of the Minimum Requirements for Risk Management (MaRisk), proper application of the principle of dual proportionality by institutions also includes the demand that institutions, in individual cases, shall make more extensive provisions over and above particular requirements that are explicitly formulated in the Minimum Requirements for Risk Management if this is necessary to ensure that their risk management is appropriate and effective. Therefore, institutions which are particularly large or whose business activities are particularly complex, internationalised or exposed to risk shall make more extensive risk management arrangements than smaller institutions with less complexly structured business activities that do not incur any extraordinary risk exposure. The former institutions, on their own initiative, shall also incorporate into their considerations on an appropriate risk management structure the insights provided in the relevant publications on risk management issued by the Basel Committee on Banking Supervision and the Financial Stability Board.

4 Moreover, this Circular implements Article 13 of Directive 2004/39/EC (Markets in Financial Instruments Directive, or MiFID) by way of section 80 (1) of the German Securities Trading Act (Gesetz über den Wertpapierhandel) in conjunction with section 25a (1) of the Banking Act insofar as the Directive applies equally to credit institutions and financial services institutions. This concerns the general organisational requirements pursuant to Article 5, the risk management and internal audit requirements pursuant to Articles 7 and 8, the requirements regarding the responsibility of the management board (Geschäftsleitung) pursuant to Article 9 and outsourcing pursuant to Articles 13 and 14 of Directive 2006/73/EC (MiFID Implementing Directive). These requirements serve to achieve the objective of the MiFID, namely to harmonise the financial markets in the European Union in the interests of facilitating the cross-border flow of financial services and a uniform framework for investor protection.

5 This Circular takes due account of the heterogeneous structure of institutions and the diversity which characterises business activities. It contains numerous opening clauses which enable simplified implementation depending on the institution’s size, core business activities and risk situation. It can, therefore, be implemented flexibly, in particular also by smaller institutions. This Circular is open to the ongoing development of risk management processes and procedures, provided that such processes and procedures are in line with the objectives of this Circular. To this end, the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, hereinafter referred to as BaFin) will maintain an ongoing dialogue with the industry.

6 Any reference in the MaRisk to significant institutions refers to institutions that have been classified as significant within the meaning of Article 6 of Council Regulation (EU) No 1024/2013 of 15 October 2013 (“SSM Regulation”).

7 BaFin expects the Circular’s flexible basic tenor to be taken into due account in audit activities. Audits shall, therefore, be conducted on the basis of a risk-oriented audit approach.

8 This Circular has a modular structure to enable necessary adjustments in certain regulatory areas to be confined to the timely revision of individual modules. A general part (the AT module) contains basic principles for structuring risk management. Specific requirements regarding the organisation of credit business and trading are laid down in a special part (the BT module). Taking account of risk concentrations, this module also outlines the requirements for identifying, assessing, managing, monitoring and reporting counterparty and credit risk, market risk, liquidity risk and operational risk. Furthermore, the BT module provides a framework for structuring institutions’ internal audit function and for structuring risk reporting.

AT 2 Subject matter

1 Compliance with the requirements of this Circular by the institutions is intended to help to counteract undesirable developments in the banking and financial services sector that might endanger the safety of the assets entrusted to institutions, impair the proper conduct of banking business or provision of financial services or lead to serious disadvantages for the economy as a whole. Moreover, when providing investment services and ancillary investment services, institutions shall comply with the requirements also in the light of protecting the interests of investment services customers.

AT 2.1 Scope

1 The requirements set out in this Circular shall be complied with by all institutions within the meaning of section 1 (1b) of the Banking Act as well as section 53 (1) of the Banking Act. They also apply to the branches of German institutions located outside Germany. They do not apply to branches of enterprises domiciled in another state of the European Economic Area pursuant to section 53b of the Banking Act. The requirements laid down in module AT 4.5 of this Circular shall be observed at group level by the superordinated enterprises or by the superordinated financial conglomerate enterprises of a group of institutions, financial holding group or financial conglomerate.

Scope in the case of NPL ratio of 5% or above
Certain requirements set out in this Circular only apply to institutions with (gross) NPL ratios equal to or greater than 5% at an individual, sub-consolidated or consolidated basis. These requirements are flagged accordingly in the individual modules (hereinafter referred to as “institutions with high stocks of NPLs”). The supervisory authority can also require institutions that do not have NPL ratios exceeding the 5% threshold but that eg have a material share of NPEs in an individual portfolio to comply with these sections.

NPL ratio (non-performing loans ratio)
The non-performing loans ratio is calculated by dividing the gross carrying amount of non-performing loans and advances by the gross carrying amount of the total loans and advances (in line with the definition of NPEs).

NPEs (non-performing exposures)
NPEs are defined in accordance with the definition used in supervisory reporting.
2 Financial services institutions and large investment firms pursuant to section 2 (18) of the German Investment Institutions Act (Wertpapierinstitutsgesetz), which are required by section 4 of that Act to apply sections 25a and 25b of the Banking Act, shall comply with the requirements of this Circular to the extent that this appears necessary, given the institution’s size as well as the nature, scale, complexity and riskiness of its business activities, in order to comply with the statutory duties set out in sections 25a and 25b of the Banking Act. This shall apply, in particular, to modules AT 3, AT 5, AT 7 and AT 9.

AT 2.2 Risks

1 The requirements set forth in this Circular relate to the management of an institution’s material risks. In order to assess whether or not a risk is material, the management board shall, regularly and on an ad hoc basis, gain an overview of the risks faced by the institution in the context of a risk inventory (overall risk profile). The risks shall be captured at the level of the institution as a whole irrespective of the organisational unit in which they were caused. In principle, at least the following risks shall be considered material:

  a) counterparty and credit risk (including country risk),
  b) market risk,
  c) liquidity risk, and
  d) operational risk.

The risk concentrations associated with material risks shall likewise be taken into account. Appropriate arrangements shall be made for any risks which are not considered material.

Risk concentrations
Besides risk exposures to single counterparties which constitute a risk concentration on account of their size alone, risk concentrations can arise both from a co-movement of risk positions within a risk type (“intra-risk concentrations”) and from a co-movement of risk positions across different risk types (due to common risk factors or interactions between various risk factors of different risk types – “inter-risk concentrations”).

2 In the context of the risk inventory, the institution shall examine which risks may materially impair its financial position (including its capital resources), financial performance or liquidity position. The risk inventory should not focus exclusively on the impact on the institution’s accounting or on de jure views.

Holistic risk inventory
The risk inventory shall also take account of risks arising from off-balance-sheet entities (eg risks from special-purpose entities not subject to consolidation). Depending on the institution’s specific overall risk profile, other risks, such as reputational risks, should be considered material, where appropriate.

AT 2.3 Business transactions

1 Credit business within the meaning of this Circular shall basically mean the transactions pursuant to section 19 (1) of the Banking Act (asset items and off-balance-sheet items subject to counterparty and credit risk).

Credit business
Classification as credit business applies regardless of whether or not the relevant positions are to be used for securitisations.

2 A credit decision within the meaning of this Circular shall mean any decision on new loans, loan increases, equity investments, breaches of limits, the setting of borrower-related limits as well as of counterparty and issuer limits, prolongations and changes in the risk-relevant circumstances on which a credit decision was based (eg collateral, designated use). It is irrelevant whether or not this decision was taken solely by the institution itself or together with other institutions (syndicated credit business).

Prolongations
With regard to the term “prolongations”, no distinction is made between external and internal prolongations (eg internal rollover of external loan commitments valid until further notice). Internal “loan monitoring actions”, which serve merely monitoring purposes during the term of the loan, do not, however, count as prolongations and are thus not credit decisions within the meaning of this Circular.

Interest rate adjustments
Interest rate adjustments made after the expiry of interest rate fixation periods (that do not match the total term of the loan) may be considered part of the overall loan agreement and thus processes which must (also) be reviewed prior to granting the loan. This is, therefore, generally not a separate credit decision within the meaning of this Circular.

Deferrals
Deferrals do not constitute changes to the credit relationship that are planned ex ante. They serve, for example, to bridge gaps briefly prior to restructuring, and should thus be classified as a credit decision within the meaning of this Circular.

3 Trading shall basically mean all trades based on a financial instrument pursuant to section 1 (11) of the Banking Act in the form of a

  (a) money market transaction,
  (b) securities transaction,
  (c) foreign exchange transaction,
  (d) transaction involving tradable receivables (eg trading in borrower’s notes),
  (e) commodities transaction,
  (f) derivatives transaction, or
  (g) transaction in crypto assets

which are concluded in the institution's own name and for its own account. Securities transactions shall also include transactions involving registered bonds as well as securities lending, but not the initial issue of securities. Regardless of the underlying, trading shall also include any form of securities lending as well as repurchase agreements.

Issuing business
The initial issue of securities does not generally constitute trading within the meaning of this Circular. However, the first-time purchase of newly issued securities does constitute a trade within the meaning of this Circular. In the case of first-time purchases, market conformity may be verified more simply (note on BTO 2.2.2 number 5).

Classification of receivables as trading
Regarding (d): receivables should be classified as trading if the institution intends to trade in them. The institution must define suitable criteria for this.

Commodities transactions
Regarding (e): commodities transactions shall include, in particular, trading in precious metals and commodities, as well as CO2 emission trading and electricity trading. Commodities transactions that constitute matched positions for the entire duration of the transaction as a result of outright agreements to accept or deliver the commodity in question at the time of performance do not qualify as commodities transactions within the meaning of this Circular.

Traditional commodities transactions conducted by mixed-activity credit cooperatives (gemischtwirtschaftliche Kreditgenossenschaften)
Corresponding implementation of the requirements for trading may be appropriate for traditional commodities transactions conducted by mixed-activity credit cooperatives depending on the nature, scale and riskiness of these business activities.

4 Derivatives transactions shall include forward transactions, the price of which is derived from an underlying asset, a reference price, a reference interest rate, a reference index or a predefined event.

Guarantees/sureties
Guarantees/sureties and the like do not come under the definition of derivatives used in this Circular.

AT 3 Joint responsibility of the management board members

1 All members of the management board (section 1 (2) of the Banking Act) shall be responsible for ensuring an institution’s proper business organisation and the further development thereof irrespective of the internal allocation of responsibilities. Taking account of outsourced activities and processes, this responsibility shall cover all material elements of risk management. Members of the management board can fulfil this responsibility only if they are able to assess risks and take the necessary measures to limit them. These include developing, promoting and integrating an appropriate risk culture within the institution and the group. The members of the management board of a superordinated enterprise of a group of institutions or a financial holding group, or of a superordinated financial conglomerate enterprise shall be additionally responsible for ensuring the group’s proper business organisation and thus also for ensuring appropriate and effective risk management at group level (section 25a (3) of the Banking Act).

Risk culture
The risk culture refers in general to the manner in which the institution’s staff (should) deal with risks in the course of their duties. The risk culture should promote the identification and conscious handling of risks and ensure that decision-making processes lead to outcomes that are balanced also from a risk perspective. An appropriate risk culture is characterised above all by the management board’s clear commitment to risk-appropriate behaviour, strict compliance by all staff with the risk appetite communicated by the management board and the facilitation and promotion of a transparent and open dialogue on risk-related issues within the institution.

2 Irrespective of the management board’s joint responsibility for ensuring an institution’s proper business organisation and, in particular, appropriate and effective risk management, each management board member shall be responsible for ensuring that appropriate control and monitoring processes are put in place within his/her respective area of responsibility.

AT 4 General risk management requirements

AT 4.1 Internal capital adequacy

1 Based on their overall risk profile, institutions shall ensure that their material risks, taking account of risk concentrations, are constantly covered by available financial resources (risk coverage potential), thus maintaining internal capital adequacy.

Aggregation of immaterial risks
If a number of risks are classified individually as immaterial but are material in total, the procedures used to ensure internal capital adequacy must guarantee that these aggregated risks are taken into account in an appropriate manner.

2 Each institution shall establish an Internal Capital Adequacy Assessment Process (ICAAP). The procedures used for this purpose shall take due account both of ensuring an institution’s continuation as a going concern and of protecting creditors against economic losses. In order to fulfil these objectives, procedures must be established to ensure internal capital adequacy firstly from a normative perspective and secondly from an economic perspective.

Design of the internal capital adequacy concepts
Details of how to design the internal capital adequacy concepts can be found in the “Guidelines on the supervisory assessment of bank-internal capital adequacy concepts”, as amended.

3 The internal capital adequacy assessment shall be taken into account both when defining strategies (AT 4.2) and when adjusting them. Furthermore, suitable risk management and risk control processes (AT 4.3.2) must be established for implementing the strategies and for ensuring internal capital adequacy.

4 Institutions shall specify any material risks that are not included in the internal capital adequacy concept. The exclusion of a material risk shall be plausibly substantiated and shall be permissible only if the risk in question cannot be meaningfully limited by means of available financial resources (risk coverage potential) owing to its specific nature (eg illiquidity risk). It shall be ensured that such risks are appropriately factored into the risk management and risk control processes.

5 If an institution does not have any suitable methods for quantifying individual risks that are to be included in the internal capital adequacy concept, it shall set a reasonable risk amount for these risks based on a plausibility check. The plausibility check can be conducted using a qualified expert judgement.

6 Where an institution factors risk-reducing diversification effects within or between risk types into its internal capital adequacy concept, the underlying assumptions shall stem from an analysis of the institution’s individual circumstances and shall be based on data that can be considered applicable to the institution’s individual risk situation. The underlying data histories shall be sufficiently long in order to reflect changes in the diversification effects during economic upswings and downturns. The diversification effects shall be estimated conservatively enough to be assumed to be sufficiently stable even in economic downturns and under market conditions that are unfavourable for the institution’s business and risk structure.

Data histories
The determination of diversification effects through pure averaging across economic upswings and downturns is adequate only if the diversification effects have proved to be very stable over the entire economic cycle and there is nothing to suggest that they will not remain stable in the future. If the data history analysis shows that these conditions are not met, diversification effects may be factored in, at most, to the extent that they also apply in market phases which are extremely unfavourable for the institution. The specification of diversification assumptions within market risks may, where appropriate, be based on time series that do not cover all of the phases of an economic cycle. It must be ensured, however, that diversification effects are also calculated over a period which constitutes an unfavourable market phase in respect of the institution’s current portfolio. If the observable data history does not contain a correspondingly suitable market phase, a hypothetical market phase structured in an appropriately conservative manner may be factored in exceptionally instead of a historical market phase.

7 The reliability and stability of the diversification assumptions shall be reviewed regularly and, where appropriate, on an ad hoc basis.

8 The institution shall be responsible for choosing the methods and procedures for assessing internal capital adequacy. The assumptions underlying the methods and procedures shall be plausibly substantiated. The specification of key elements of the internal capital adequacy management system and major underlying assumptions shall be approved by the management board.

9 The responsible expert staff shall review the appropriateness of the methods and procedures at least once a year. These reviews shall take due account of the limits and constraints arising from the methods and procedures employed, the underlying assumptions and the input data used in quantifying the risk. In this respect, the stability and consistency of the methods and procedures, as well as the robustness and significance of the risk calculation, shall be analysed critically.

Review of the methods and procedures employed
The institution shall ensure that it always has a full and up-to-date overview of the risk quantification methods and procedures employed. As all risk quantification methods and procedures are incapable of fully reflecting reality, the assessment of internal capital adequacy should take due account of the fact that the risk amounts contain inaccuracies – at both individual risk and aggregate level – or may underestimate the risk.

If the risk amounts calculated using comparatively simple and transparent procedures are discernibly sufficiently conservative in terms of the limits and constraints of the procedures, a deeper analysis may be waived. If the methods and procedures, the underlying assumptions, parameters, or the input data are comparatively complex, an appropriate comprehensive quantitative and qualitative validation of these components and the risk results is necessary in respect of their use.

External data
Parameters determined on the basis of external data and assumptions taken over uncritically from other sources shall not be used in the calculation of the risk coverage potential and the determination of risk or the aggregation of risk data. This does not apply to reviews of the accuracy of the content of publicly available market information (interest rates, market prices, yields, etc). If the assumptions regarding parameters of the risk calculation or risk coverage potential calculation are based on external data, the institution shall be able to plausibly demonstrate that the underlying data appropriately reflect the institution’s true circumstances. If risk is determined based on calculations performed by third parties (eg investment fund companies), the institutions must request robust and significant information on this, especially on key assumptions and parameters and on changes to these assumptions and parameters.

10 If the relative complexity of the methods and procedures, the underlying assumptions or the input data makes a comprehensive validation of these components necessary pursuant to number 9, an appropriate degree of independence between the development and validation of risk quantification methods and procedures shall be ensured. The material validation results and any proposals for measures to deal with the known limits and constraints of the methods and procedures shall be submitted to the management board.

11 Every institution shall have in place a process for planning its future capital requirements and the capital available to meet these capital requirements. The planning horizon shall cover a suitably long period of several years. The institution shall also take due account of how changes in its own business activities or strategic objectives and changes in the economic environment during this period impact its capital requirements and its available capital. Potential adverse developments which deviate from expectations shall be appropriately factored in at the planning stage.

AT 4.2 Strategies

1 The management board shall define a sustainable business strategy outlining the institution’s objectives for each material business activity and the measures to be taken to achieve these objectives. When defining or adjusting the business strategy, the management board shall take account of both external factors (eg market developments, the competitive situation or the regulatory environment) and internal factors (eg internal capital adequacy, liquidity, profit situation, staffing level or technical and organisational resources). It shall make assumptions with regard to how the relevant factors will develop in future. It shall review these assumptions at least annually and on an ad hoc basis; it shall adjust the business strategy as and when necessary.

Audit activities of auditors of the annual accounts or the internal audit function
The substance of the business strategy is solely the responsibility of the management board and is not subject to examination in the course of audit activities by auditors of the annual accounts or the internal audit function. The business strategy is to be drawn upon when examining the risk strategy in order to verify the consistency between the two strategies. The audit activities should also cover the strategy process set out in AT 4.2 number 5.

Strategic objectives and measures to achieve them
The description of the strategic objectives and the measures to be taken to achieve them define the key points of operational planning and must, therefore, be sufficiently specific to enable the objectives and measures to be plausibly incorporated into operational corporate planning.

Special strategic aspects
Given the significance of IT systems for the functioning of processes within an institution, the institution, depending on the nature, scale, complexity and riskiness of its business activities, must also provide statements on the planned future arrangement of its IT systems. Significant institutions are, moreover, required to provide statements on options for improving capacities for aggregating risk data. Where there are extensive outsourcing activities, specifications in this regard are also required. Institutions with high stocks of NPLs shall define an NPE strategy plus an associated operational plan, and shall review these regularly.

2 The management board shall define a risk strategy that is consistent with the business strategy and the risks resulting therefrom. The risk strategy – where appropriate divided into sub-strategies for the material risks – shall include the risk management objectives for the key business activities and the measures to be taken to achieve these objectives. In particular, the institution’s risk appetite levels shall be set for all material risks, taking account of risk concentrations. Risk concentrations shall also be taken into account with regard to the institution’s profit situation (profit concentrations). This requires the institution to be able to delineate its sources of income and quantify them (eg with regard to the terms and structural contribution in the interest book).

Risk appetite
In defining the risk appetite, the management board makes a conscious decision regarding the extent to which it is willing to take risks. The risk appetite can be expressed in many different ways. Besides purely quantitative specifications (eg strictness of risk measurement, global limits, definition of buffers for certain stress scenarios), the risk appetite can also be reflected in qualitative specifications (eg requirement for the collateralisation of loans, avoidance of certain transactions).

3 Institutions with high stocks of NPLs shall establish an NPE strategy aiming to reduce NPEs to a predefined target (assuming this is not the underlying business model) over a realistic but sufficiently ambitious time horizon. The following steps form the core building blocks for developing and implementing this strategy:

  • Assessment of the operating environment and external conditions,
  • Development of a strategy with short-, medium- and long-term targets, and
  • Implementation of the operational plan.

Assessment of the operating environment and external conditions
The following elements shall be taken into account:
a) A comprehensive annual self-assessment to evaluate the actual situation (especially with regard to the magnitude and drivers of NPEs, to the outcomes of NPE actions taken in the past, and to their operational capacities). The competent authority will require the institution to report the results of the self-assessment to it.
b) External conditions (eg analyses of the environment to determine acceptable levels of NPEs and the associated risk coverage, NPE investor demand, the availability and coverage of specialised servicers, and the regulatory, legal and judicial framework),
c) The impact of the NPE strategy on the capital (especially the inclusion of suitable actions in capital planning to ensure that the level of available capital will always enable a sustainable reduction of NPEs on the balance sheet).

Development of a strategy with short-, medium- and long-term targets
Development should be informed by an analysis of the strategic options available for its implementation. Institutions should consider including a combination of strategies and action options (eg hold strategy, forbearance options, active portfolio reductions, changes in the type of exposure or collateral, foreclosures of assets, legal options). In addition, the strategy shall include time-bound quantitative NPE targets. When defining their short- to medium-term NPE targets, institutions shall establish a view of reasonable long-term NPE levels, both at portfolio level and at aggregate level, given their risk appetite. Targets shall be defined by time horizons (short-term – indicative one year – medium-term – indicative three years – and long-term), main portfolios and implementation options.

Operational plan
The operational plan shall define how the institution will operationally implement its NPE strategy over a time horizon of at least one to three years (depending on the type and scope of measures required).

Implementation of the operational plan
Progress in implementing the plan shall be reviewed quarterly using NPE-related key performance indicators (KPIs). The management board shall be informed promptly of material deviations from the operational plan, with appropriate remediation actions to be put in place. The competent authority will require the institution to report any material deviations from the operational plan to it, along with appropriate remediation actions.

4 The management board shall be responsible for defining and adjusting the strategies; this responsibility cannot be delegated. The management board shall see to it that the strategies are implemented. The level of detail of the strategies shall depend upon the scale, complexity and riskiness of the planned business activities. The institution may, at its own discretion, integrate the risk strategy into the business strategy.

5 The management board shall set up a strategy process which includes, in particular, the steps for planning, implementing, assessing and adjusting the strategies. To facilitate assessment, the objectives defined in the strategies shall be formulated in a way that allows their achievement to be meaningfully reviewed. The causes of any deviations shall be analysed.

6 The strategies and, where appropriate, adjustments to the strategies shall be brought to the attention of and discussed with the institution’s supervisory board. In the event of deviations from the objectives, this discussion shall also include an analysis of the causes pursuant to AT 4.2 number 5.

Supervisory board committees
Strategies should generally be addressed to each member of the supervisory board. If the supervisory board has set up committees, the strategies may also be passed on to and discussed with a committee. The preconditions for this are that a corresponding resolution was adopted to set up the committee and that the chair of the committee reports regularly to the entire supervisory board. Moreover, every member of the supervisory board must retain the right to inspect the strategies that have been passed on to the committee.

7 The contents of and adjustments to the strategies shall be communicated within the institution in a suitable manner.

AT 4.3 Internal control system

1 Depending on the nature, scale, complexity and riskiness of the business activities conducted, every institution shall
(a) set up rules governing the organisational and operational structure,
(b) establish risk management and risk control processes, and
(c) implement a risk control function and a compliance function.

AT 4.3.1 Organisational and operational structure

When designing the organisational and operational structure it shall be ensured that activities that are not compatible with each other are performed by different staff members and that conflicts of interest are avoided also when staff members change posts. If staff of trading or front office units move to back office units and control units, appropriate cooling-off periods shall be applied to activities that violate the ban on self-audit and self-review.

Back office units and control units
Back office units and control units within the meaning of this number are:

  • risk control function,
  • compliance function,
  • back office,
  • settlement and control.

If the cooling-off periods would lead to a disproportionate delay in operating procedures, smaller, less complex institutions may establish alternative, appropriate control mechanisms.

Processes as well as the related tasks, competencies, responsibilities, controls and reporting channels shall be clearly defined and coordinated. Rights and competencies shall be assigned on a need-to-know basis and shall be swiftly adjusted, where necessary. This shall include regular and ad hoc reviews of IT access rights, authorities to sign and other competencies that have been assigned within appropriate periods of time. The periods of time shall depend on the significance of the processes and, in the case of IT access rights, on the protection requirements of the processed data. The same shall apply to interfaces to material outsourced activities and processes.

Reviewing rights and competencies
Access rights in connection with transaction accounts and material IT access rights shall be reviewed at least annually, and all others at least every three years. Especially critical IT access rights, such as those held by administrators, shall be reviewed at least every six months.
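The review periods in "Reviewing rights and competencies" above are easiest to enforce with an automated recertification-due check over the institution's access-rights inventory. The following is an added example, not part of the MaRisk text or of any BaFin tool: it maps the stated periods (six months for especially critical IT rights such as administrator rights, one year for transaction-account and material IT rights, three years for all others) onto calendar months and reports every right whose review is overdue, treating a right that has never been reviewed as overdue. The record layout, the classification labels, the sample inventory and the reference date are constructed assumptions for this example.

```python
"""Recertification-due check for assigned access rights (added example).

Review periods follow MaRisk AT 4.3.1, "Reviewing rights and competencies":
  - especially critical IT access rights (eg administrators): at least every 6 months
  - transaction-account and material IT access rights: at least annually
  - all other rights and competencies: at least every 3 years
Record format, classification labels and sample data are constructed assumptions.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Maximum review interval in calendar months per classification (labels assumed).
REVIEW_INTERVAL_MONTHS = {
    "critical_it": 6,           # eg administrator rights
    "transaction_account": 12,  # access rights on transaction accounts
    "material_it": 12,          # other material IT access rights
    "other": 36,                # all remaining rights and competencies
}


@dataclass(frozen=True)
class AccessRight:
    holder: str
    system: str
    classification: str
    last_review: Optional[date]  # None = never reviewed since assignment


def add_months(d: date, months: int) -> date:
    """Shift d by whole calendar months, clamping the day of month
    (eg 31 Aug + 6 months -> 28 Feb in a non-leap year)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def next_review_due(right: AccessRight) -> Optional[date]:
    """Latest date by which the right must be reviewed again.
    An unknown classification raises, so that a mislabelled right can never
    silently fall into the longest (three-year) interval."""
    if right.classification not in REVIEW_INTERVAL_MONTHS:
        raise ValueError(f"unknown classification: {right.classification}")
    if right.last_review is None:
        return None
    return add_months(right.last_review, REVIEW_INTERVAL_MONTHS[right.classification])


def due_date_iso(last_review_iso: str, classification: str) -> str:
    """Convenience wrapper: ISO date in, ISO due date out."""
    right = AccessRight("", "", classification, date.fromisoformat(last_review_iso))
    return next_review_due(right).isoformat()


def overdue_reviews(rights: list[AccessRight], as_of: date) -> list[AccessRight]:
    """Rights whose review is overdue as of `as_of`; never-reviewed rights are always reported."""
    overdue = []
    for r in rights:
        due = next_review_due(r)
        if due is None or due < as_of:
            overdue.append(r)
    return overdue


# Constructed sample inventory (holders, systems and dates are made up).
SAMPLE_RIGHTS = [
    AccessRight("alice", "core-banking-db", "critical_it", date(2021, 1, 15)),
    AccessRight("bob", "payments", "transaction_account", date(2020, 9, 1)),
    AccessRight("carol", "hr-portal", "other", date(2019, 3, 10)),
    AccessRight("dave", "backup-admin", "critical_it", None),
    AccessRight("erin", "treasury", "material_it", date(2021, 3, 31)),
]


def sample_check(as_of: date = date(2021, 8, 16)) -> list[str]:
    """Holders of overdue rights in the sample inventory as of the given date."""
    return [r.holder for r in overdue_reviews(SAMPLE_RIGHTS, as_of)]


if __name__ == "__main__":
    for r in overdue_reviews(SAMPLE_RIGHTS, date(2021, 8, 16)):
        print(f"OVERDUE: {r.holder} on {r.system} ({r.classification}), last review {r.last_review}")
```

The check deliberately errs on the strict side: a never-reviewed right and an unrecognised classification are both surfaced rather than defaulted, which matches the intent that the review period depends on the significance of the process and the protection requirements of the data.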

AT 4.3.2 Risk management and risk control processes

1 Each institution shall establish appropriate risk management and risk control processes in order to ensure that the material risks and associated risk concentrations are
(a) identified,
(b) assessed,
(c) managed,
(d) monitored and reported.
These processes shall be factored into an integrated performance and risk management (Gesamtbanksteuerung). Suitable measures shall be taken to ensure that the risks and associated risk concentrations are effectively limited and monitored, taking internal capital adequacy and risk appetite into account.

Limiting and monitoring of risks and associated risk concentrations
Suitable measures to limit risks and associated risk concentrations can include quantitative instruments (eg limit systems, traffic-light systems) and qualitative instruments (eg regular risk analyses). Risks included in the internal capital adequacy approach are generally, where this is meaningful, limited and monitored on the basis of an effective limit system. Where risks cannot be meaningfully limited and monitored by a limit system, other, primarily qualitative instruments may be used.

Intra-group claims
Intra-group claims shall be duly taken into account in the risk management and risk control processes.

Maintaining data on exposures and associated collateral
The institution should maintain the data needed for appropriate risk assessment, management and monitoring, and for the provision of information. This includes in particular data on collateral and on the relationship between collateral and the underlying transactions.

2 The risk management and risk control processes shall ensure that the material risks – including risks resulting from outsourced activities and processes – can be identified early, fully captured and adequately presented. To this end, the institution shall derive suitable indicators for the early identification both of risks and of potential consequences across different types of risk, which are based on quantitative and/or qualitative risk features depending on the nature of the risk type concerned.

3 Risk reports on the risk situation, including existing risk concentrations, shall be submitted to the management board at appropriate intervals. Moreover, the management board shall inform the supervisory board about the risk situation, including existing risk concentrations, at least quarterly in an appropriate written form. Details on reporting risks to the management board and the supervisory board are set forth in BT 3.

4 Material risk-related ad hoc information shall be promptly passed on to the management board, the responsible officers and, where appropriate, to the internal audit function, so that suitable measures or audit activities can be initiated at an early stage. A suitable procedure shall be established for this purpose.

Duty to inform the internal audit function
The internal audit function shall be informed whenever, in the opinion of the organisational units concerned, relevant risk-related shortcomings are identified, major loss or damage has been incurred, or there is a concrete suspicion that irregularities have occurred.

5 The risk management and risk control processes, as well as the methods and procedures used to quantify risks, shall be reviewed regularly, and in the event of changing conditions their appropriateness shall be reviewed and adjusted if necessary. This applies in particular to plausibility checks of the outcomes and of the underlying data. AT 4.1 number 9 shall apply accordingly.

AT 4.3.3 Stress tests

1 Appropriate regular and ad hoc stress tests shall be carried out in respect of the material risks, which shall reflect the nature, scale, complexity and riskiness of the business activities. To this end, the material risk factors pertaining to the respective risks shall be identified. The stress tests shall additionally cover the assumed risk concentrations and diversification effects within and between risk types. The stress tests shall also take account of risks resulting from off-balance-sheet entities and securitisation transactions.

Stress tests
In the following, the term “stress tests” is used as a generic term for the various methods via which institutions examine the individual potential risk they face with regard, inter alia, to exceptional but plausible events at each relevant level of the institution (eg at portfolio level, at the firm-wide level, at business unit level). The stress test programme includes sensitivity analyses (in which generally only one risk factor is varied) and scenario analyses (in which several or all risk factors are changed simultaneously in order to simulate a predefined event).

2 Regular and, where appropriate, ad hoc stress tests shall also be carried out in respect of the institution’s overall risk profile. Based on the nature, scale, complexity and riskiness of the institution’s business activities, suitable overarching scenarios shall be defined which reflect both institution-specific (idiosyncratic) and market-wide causes. Their combined potential impact on the material risk types shall be captured in a way that takes account of interaction between the risk types.

3 The stress tests shall also reflect exceptional but plausible events. Appropriate historical and hypothetical scenarios shall be defined. Additionally, the stress tests shall be used to analyse the impact of a severe economic downturn on the firm-wide level of the institution. The institution’s strategic orientation and its economic environment are likewise to be taken into consideration when defining the scenarios.

4 In addition, the institution shall carry out reverse stress tests. Their content and implementation shall depend on the nature, scale, complexity and riskiness of the business activities and may be of a qualitative or quantitative nature.

Reverse stress tests
Reverse stress tests are carried out to examine what events could jeopardise the institution’s viability. Its viability may be assumed to be jeopardised if the original business model proves to be no longer feasible or sustainable. Reverse stress tests serve to complement other stress tests. Given their approach, reverse stress tests focus on a critical evaluation of the results. The results generally do not need to be taken into account when assessing internal capital adequacy.

5 The appropriateness of the stress tests and their underlying assumptions shall be periodically reviewed, at least once a year.

6 The results of the stress tests shall be critically evaluated. Institutions shall determine whether and, if so, what action is required. The results of the stress tests shall also be duly taken into account when assessing internal capital adequacy. Particular attention shall be paid to the impact of a severe economic downturn.

Need for action
An identified need for action does not automatically necessitate backing the identified risks with available financial resources (risk coverage potential). Alternative measures may be suitable, such as intensifying risk monitoring, modifying the limits or adjusting the objectives of the business strategy orientation. The identified risks have to be covered by available financial resources (risk coverage potential) in cases where the stress tests are consciously used to quantify internal capital requirements.

AT 4.3.4 Data management, data quality and aggregation of risk data

1 The requirements set forth in this module are addressed to significant institutions and apply both at group level and at the solo level of each material legal entity of a group. The institution shall define institution-wide and group-wide principles for data management, data quality and the aggregation of risk data that shall be approved and put into force by the management board.

Implementation of the principle of proportionality
The requirements of this module shall be implemented in an appropriate manner that reflects the nature, scale, complexity and riskiness of the institution’s business activities.

Aggregation of risk data
The term “aggregation of risk data” refers to the end-to-end process chain beginning with the collection and recording of data, then its processing, and ending with its evaluation based on certain criteria and the reporting of risk data.

2 The data structure and data hierarchy shall ensure that data can be identified unequivocally, compiled and evaluated, and that they are available in a timely manner. Where possible, uniform naming conventions and identifiers for data shall be defined and communicated within the institution. Where different naming conventions and data identifiers are in use, the institution shall ensure that data are automatically reconcilable.

3 The institution shall ensure that risk data are accurate and complete. The data must be evaluable according to different criteria and should, where possible and meaningful, be aggregated automatically. The use and scope of manual processes and interventions shall be substantiated and documented, and shall be limited to the level necessary. The quality and completeness of the data shall be monitored on the basis of suitable criteria. To this end, the institution shall formulate internal requirements relating to the accuracy and completeness of data.

Evaluability according to different criteria
Evaluability covers not only risk categories and risk sub-categories but also, inter alia, the categories business area, legal entity, type of asset, sector and region; further categories may be necessary depending on the risk in question. It must also be possible to carry out multi-dimensional evaluations according to combined categories in an appropriate manner.

4 The risk data shall be reconciled with other information available at the institution and subjected to plausibility checks. Procedures and processes shall be set up to reconcile the risk data with the data in the risk reports to allow data errors and weaknesses in data quality to be identified.

Other information available at the institution
The reconciliation and the plausibility checks of the risk data shall be carried out, for example, against data from accounting and, where appropriate, supervisory reporting.

5 The data aggregation capacities shall ensure that aggregated risk data are available in a timely manner, both under normal circumstances and in times of stress. The institution shall define the timeframe within which the aggregated risk data must be available taking into account the frequency of risk reports.

Risk data in times of stress
The data which must also be available in a timely manner in times of stress include:

  • counterparty and credit risk at firm-wide/group level,
  • aggregated exposure to large corporate borrowers,


  • counterparty risk (resulting also from derivatives) – aggregated and allocated to individual counterparties,
  • market risk, trading positions and operational limits and limit utilisation levels including possible concentrations,
  • indicators of possible liquidity risk/shortfalls,
  • time-critical indicators of operational risk.

6 The data aggregation capacities must be sufficiently flexible such that ad hoc information can be shown and analysed according to different categories. This includes the possibility to show and analyse risk positions at a wide range of levels (business areas, portfolios, where appropriate individual transactions).

Ad hoc information according to different criteria
The capability to generate and analyse the risk positions by country, sector, business area etc must likewise be ensured for ad hoc information requirements. To the extent possible and reasonable, it should be possible to break the main categories down to the individual transaction level.

7 Responsibilities shall be defined for all steps in the risk data aggregation process and appropriate process-related controls put in place. In addition, regular reviews shall be carried out to determine whether staff are complying with the internal rules, procedures, methods and processes. These reviews shall be carried out by a unit that is independent of organisational units that initiate and/or conclude transactions.

Review by an independent unit
The staff tasked with the review should, as far as possible, have sufficient knowledge of the IT systems and the reporting system.
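The controls required by numbers 2 to 4 of this module (automatically reconcilable identifiers, completeness and plausibility checks, multi-dimensional evaluability, reconciliation against accounting) can be exercised mechanically. The following is an added illustration written for this annotated text; it is not BaFin's or any institution's code. The records, the two identifier conventions, the accounting totals and the 0.1 % reconciliation tolerance are constructed assumptions.

```python
"""Risk data aggregation and reconciliation checks in the style of AT 4.3.4.

Constructed example: the records, identifier conventions, tolerance and
accounting figures are assumptions for illustration, not real institution data.
"""
from collections import defaultdict
from decimal import Decimal

# Constructed risk records. The legal entity deliberately appears in two naming
# conventions ("DE-BANK-01" and "de_bank_01"): number 2 requires that such data
# be automatically reconcilable.
RISK_RECORDS = [
    {"id": "T1", "entity": "DE-BANK-01", "sector": "Energy", "region": "EU", "exposure": "1500000.00"},
    {"id": "T2", "entity": "de_bank_01", "sector": "Energy", "region": "EU", "exposure": "250000.00"},
    {"id": "T3", "entity": "DE-BANK-02", "sector": "Retail", "region": "EU", "exposure": "800000.00"},
    {"id": "T4", "entity": "DE-BANK-02", "sector": "Retail", "region": "US", "exposure": "-12000.00"},  # implausible
    {"id": "T5", "entity": "DE-BANK-01", "sector": None,     "region": "EU", "exposure": "400000.00"},  # incomplete
]

# Constructed accounting totals per legal entity: the "other information
# available at the institution" that number 4 reconciles against.
ACCOUNTING_TOTALS = {"DEBANK01": Decimal("2150000.00"), "DEBANK02": Decimal("800000.00")}

MANDATORY = ("id", "entity", "sector", "region", "exposure")
TOLERANCE = Decimal("0.001")  # assumed: 0.1 % relative deviation is acceptable


def normalize_id(raw: str) -> str:
    """Map differing identifier conventions onto one canonical key."""
    return "".join(ch for ch in raw.upper() if ch.isalnum())


def quality_checks(records):
    """Completeness and plausibility findings, keyed by record id (number 3)."""
    findings = defaultdict(list)
    for rec in records:
        for field in MANDATORY:
            if rec.get(field) in (None, ""):
                findings[rec["id"]].append(f"missing {field}")
        if rec.get("exposure") not in (None, "") and Decimal(rec["exposure"]) < 0:
            findings[rec["id"]].append("negative exposure")
    return dict(findings)


def aggregate(records, dims):
    """Sum exposure along any combination of dimensions (multi-dimensional evaluability).

    Run quality_checks first: a missing entity identifier cannot be normalised.
    """
    totals = defaultdict(Decimal)
    for rec in records:
        key = tuple(normalize_id(rec[d]) if d == "entity" else rec[d] for d in dims)
        totals[key] += Decimal(rec["exposure"])
    return dict(totals)


def reconcile(records, accounting, tolerance=TOLERANCE):
    """Per-entity comparison of aggregated risk data with accounting (number 4).

    Returns entity -> (risk_total, accounting_total, within_tolerance).
    """
    risk_totals = aggregate(records, ("entity",))
    result = {}
    for entity in set(accounting) | {key[0] for key in risk_totals}:
        risk = risk_totals.get((entity,), Decimal("0"))
        book = accounting.get(entity, Decimal("0"))
        within = abs(risk - book) <= tolerance * max(abs(book), Decimal("1"))
        result[entity] = (risk, book, within)
    return result


if __name__ == "__main__":
    print(quality_checks(RISK_RECORDS))
    print(aggregate(RISK_RECORDS, ("region", "sector")))
    for entity, (risk, book, ok) in sorted(reconcile(RISK_RECORDS, ACCOUNTING_TOTALS).items()):
        print(entity, risk, book, "OK" if ok else "BREAK")
```

The point of running both checks is that they catch different failures: the negative exposure on T4 is flagged by the plausibility rule on its own, and the same record also causes the DE-BANK-02 reconciliation against accounting to break, whereas the missing sector on T5 is invisible to the entity-level reconciliation and is caught only by the completeness check.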

AT 4.4 Special functions

AT 4.4.1 Risk control function

1 Each institution shall have an independent risk control function in place which is responsible for monitoring and reporting risks. The risk control function shall be segregated organisationally, up to and including the management board level, from the organisational units that are responsible for initiating and/or concluding transactions.

Segregation of duties
This is without prejudice to the special requirements regarding the segregation of duties set forth in BTO.

Initiating and concluding transactions
The units which initiate and/or conclude transactions include front office, trading as well as other units which are responsible for positions (eg treasury). As a general rule, this includes units which initiate and conclude non-risk-relevant credit business. In the case of institutions with no more than three management board members, the organisational segregation of the front office for non-risk-relevant credit business from the risk control function up to directly below the management board level shall generally suffice if there are no discernible conflicts of interest and the management board member in question has no concentration of responsibilities.

2 In particular, the risk control function shall perform the following tasks:

  • support the management board in all risk policy issues, in particular in developing and implementing the risk strategy and evolving a risk limitation system,
  • carry out the risk inventory and draw up the overall risk profile,
  • support the management board in developing and improving the risk management and risk control processes,
  • develop and improve a system of risk ratios and a procedure for the early detection of risks,
  • monitor the institution’s risk situation and internal capital adequacy as well as compliance with the risk limits in place on an ongoing basis,
  • draw up the regular risk reports for the management board,
  • assume responsibility for the processes for passing on material risk-related ad hoc information promptly to the management board, the responsible officers and, where applicable, the internal audit function.

NPE-related requirements to be met by the risk control function
In the case of institutions with high stocks of NPLs, the risk control function monitors and measures the NPE-related risks and the progress made towards reaching the NPE targets on a granular and aggregate basis, using NPE-related key performance indicators (KPIs). These KPIs should include, but not necessarily be limited to, the following:
a) NPE metrics,
b) borrower engagement and cash collection,
c) forbearance activities,
d) liquidation activities, and
e) other (eg NPE-related profit and loss items, foreclosed assets, outsourcing activities).
The impact on both internal and regulatory capital requirements shall also be taken into account.

The risk control function can employ other non-front-office units and the information provided by these to perform these tasks, provided that it performs plausibility checks on it.

3 Staff of the risk control function shall be granted all necessary powers and unrestricted access to all information needed to perform their tasks. In particular, this shall include unrestricted access at all times to the institution’s risk data.

4 The head of the risk control function shall be involved in important risk policy decisions of the management board. This task shall be assigned to an individual on a sufficiently high management level. This individual shall generally perform his/her tasks exclusively, depending on the institution’s size as well as the nature, scale, complexity and riskiness of its business activities.

Exclusive performance of the tasks of the head of the risk control function
The exclusive performance of the tasks of the head of the risk control function means the exclusive performance of risk control tasks directly below management board level (2nd level). This includes a clear organisational segregation of the risk control function from the back office up to directly below management board level. In the case of institutions with no more than three management board members, the risk control function and the back office function may be placed under combined management of the 2nd level, and this management may also be granted voting powers and powers of approval as long as this does not result in any discernible material conflicts of interest and this management neither initiates transactions nor is involved in customer relationships. Furthermore, in the case of such institutions, the tasks of the head of the risk control function may also be assigned to the 3rd level as long as there is a direct reporting line to the management board level. With regard to the segregation of the risk control function at legally dependent foreign branches, BTO number 3 note 1 shall apply accordingly.

5 In the case of significant institutions, the exclusive performance of the tasks of the head of the risk control function shall, in general, be carried out by a member of the management board. This person shall also be permitted to be responsible for the back office as long as there is a clear organisational segregation of the risk control function and back office up to below management board level. The said member of the management board shall not be permitted to be responsible for finance/accounting or for organisation/IT. Exceptions to this rule shall be possible only at deputy level.

Implementation of the principle of proportionality
Implementation of these requirements in line with the principle of proportionality shall comply with section 184 and Title I of EBA/GL/2017/11.

6 The supervisory board shall be notified beforehand in due time if the head of the risk control function is replaced, stating the reasons for the replacement.

AT 4.4.2 Compliance function

1 Each institution shall have a compliance function in place in order to counteract the risks that may arise from non-compliance with legal rules and regulations. The compliance function shall ensure the implementation of effective procedures for complying with the legal rules and regulations that are material to the institution, and of corresponding controls. The compliance function shall additionally support and advise the management board with regard to complying with these legal rules and regulations.

Responsibility of the management board members and the business units
Notwithstanding the duties of the compliance function, the management board members and the business units remain fully responsible for complying with legal rules and regulations.

Relevance of other supervisory requirements
This is without prejudice to all other compliance function requirements arising from other prudential supervisory legislation (in particular, section 80 (1) of the Securities Trading Act and Article 22 of Delegated Regulation (EU) 2017/565 in conjunction with Circular “Minimum Requirements for the Compliance Function and Additional Requirements Governing Rules of Conduct, Organisation and Transparency” (MaComp); section 25h of the Banking Act in conjunction with corresponding administrative provisions).

2 The compliance function shall regularly identify the material legal rules and regulations, non-compliance with which might jeopardise the institution's assets, in the light of risk factors.

3 In general, the compliance function shall be directly subordinate to and report to the management board. It shall also be permitted to be linked to other control units as long as there is a direct reporting line to the management board. The compliance function shall also be permitted to be assisted by other functions and units in the performance of its duties. Depending on the institution’s size as well as the nature, scale, complexity and riskiness of the business activities, the compliance function shall be assigned to a unit that is independent of the front office and trading.

Link to other control units
Other control units may be, for example, the risk control function or the anti-money laundering officer, but not the internal audit function.

4 Significant institutions should, in general, set up an independent organisational unit for the compliance function.

Independent compliance unit
The proportionality criteria shall comply with the information set out in Title I of EBA/GL/2017/11. Other compliance-related control units (eg Securities Trading Act compliance, anti-money laundering officer, information security officer, data protection) may also be assigned to the independent unit for the compliance function.

5 The institution shall appoint a compliance officer who is responsible for carrying out the compliance function tasks. Depending on the nature, scale, complexity and riskiness of the business activities as well as on the institution’s size, the compliance officer may in exceptional cases be a member of the management board.

6 Compliance function staff shall be granted sufficient powers and unrestricted access to all information needed to perform their tasks. They shall be notified of instructions and decisions of the management board that are material to the compliance function. The compliance function staff shall be notified in due time of material amendments of the rules that are intended to ensure compliance with the material legal rules and regulations.

7 The compliance function shall report to the management board on its activities at least once a year and on an ad hoc basis. Such reports shall address the appropriateness and effectiveness of the rules that are intended to ensure compliance with the material legal rules and regulations. The reports shall also cover information on potential deficits and on remedial measures. These reports shall be additionally passed on to the supervisory board and the internal audit function.

Supervisory board committees
Reports should generally be addressed to each member of the supervisory board. If the supervisory board has set up committees, the information may also be passed on solely to a committee. The preconditions for this are that a corresponding resolution was adopted to set up the committee and that the chair of the committee reports regularly to the entire supervisory board. Moreover, every member of the supervisory board must retain the right to inspect the reports that have been passed on to the committee.

8 The supervisory board shall be notified beforehand in due time if the compliance officer is replaced, stating the reasons for the replacement.

AT 4.4.3 Internal audit function

1 Each institution shall have an effective internal audit function. At institutions at which establishing an audit unit would be incommensurate with the institution’s size, the tasks of the internal audit function may be performed by a member of the management board.

2 The internal audit function is an instrument of the management board, being directly subordinated and reporting to it. It may also be subordinated to a single member of the management board, preferably to the chair of the management board. Notwithstanding this, it shall be ensured that the chair of the supervisory board is able, with the involvement of the management board, to obtain information from the head of the internal audit function directly.

Obtaining of information by the chair of the supervisory board
If the institution has established an audit committee, it may alternatively be ensured that the chair of the audit committee obtains information from the head of the internal audit function.

3 The internal audit function shall examine and assess in a risk-oriented and process-independent manner the effectiveness and appropriateness of the risk management system in general and of the internal control system in particular as well as the appropriateness of all activities and processes in general, irrespective of whether or not they have been outsourced. This shall be without prejudice to BT 2.1 number 3.

4 The internal audit function shall be granted the complete and unrestricted right to obtain information to enable it to perform its tasks. This right shall be ensured at all times. To this end, the internal audit function shall be promptly provided with the necessary information and access to the necessary documentation, and be given insight into the institution’s activities and processes as well as its IT systems.

5 The internal audit function shall be notified of instructions and decisions of the management board that may be of relevance to it. The internal audit function shall be notified in due time of any material amendments of the risk management system.

6 The supervisory board shall be notified beforehand in due time if the head of the internal audit function is replaced, stating the reasons for the replacement.

AT 4.5 Risk management at group level

1 Pursuant to section 25a (3) of the Banking Act, the management board members of the superordinated enterprise of a group of institutions or a financial holding group as well as the management board members of the superordinated financial conglomerate enterprise of a financial conglomerate shall be responsible for establishing appropriate and effective risk management at group level. Risk management at group level shall include all the group’s material risks, whether or not they are caused by enterprises subject to consolidation (eg risks arising from special-purpose vehicles not subject to consolidation). The methods and procedures applied (eg IT systems) shall not hamper the effectiveness of risk management at group level. Special criteria may apply to risk management at group level resulting from specific legal regulations, such as those applying to building and loan associations (Bausparkassen) regarding the treasury risk management of their collective savings and loans (Kollektivsteuerung) or to Pfandbrief banks.

Structure of risk management at group level
The specific structure of risk management at group level depends, in particular, on the nature, scale, complexity and riskiness of the group’s business activities as well as on the available options under company law.

Focus on material risks
Risk management at group level comprises all material risks. Thus, for example, subordinated enterprises whose risks are not considered material by the superordinated enterprise may be exempted from the risk management requirements at group level. This does not apply if the aggregated risks of all those subordinated enterprises with immaterial risks are considered material in an overall view.

Reference to AT 9 Outsourcing
The requirements of module AT 9 must be complied with at both individual institution and group level. The superordinated enterprise is responsible for ensuring compliance at group level. AT 9 number 15 shall apply notwithstanding.

2 The management board of the superordinated enterprise shall decide on a business strategy and a consistent risk strategy (group-wide strategies). The strategic orientation of the group enterprises shall be aligned with the group-wide strategies. The management board of the superordinated enterprise shall ensure that the group-wide strategies are implemented.

3 Based on the group’s overall risk profile, the superordinated enterprise shall establish an ICAAP at group level (AT 4.1 number 2). The group’s internal capital adequacy shall be maintained on an ongoing basis.

4 Appropriate workflow patterns shall be established at group level, ie processes, along with the related tasks, competencies, responsibilities, controls and reporting channels within the group, shall be clearly defined and coordinated. Timely reporting to the management board of the superordinated enterprise shall be ensured.

5 The superordinated enterprise shall establish appropriate risk management and risk control processes integrating the group enterprises. Appropriate stress tests in respect of material risks at group level shall be carried out regularly. Regular and, where appropriate, ad hoc stress tests shall also be carried out in respect of the overall risk profile at group level. The superordinated enterprise shall obtain information about the risk situation of the group at appropriate intervals.

6 As part of risk management at group level, the group internal audit function shall operate complementarily to the internal audit functions of the group enterprises. To this end, the group internal audit function shall also be permitted to consider findings of the internal audit functions of the group enterprises. It shall be ensured that the same auditing principles and standards apply to the group internal audit function and the internal audit functions of the group enterprises, and that comparability of the audit findings is assured. Furthermore, audit plans and the procedures to monitor the punctual remedying of findings shall be coordinated. The group internal audit function shall report to the management board and the supervisory board of the superordinated enterprise on its activities at group level at appropriate intervals, at least quarterly, analogously to BT 2.4 number 4.

AT 5 Organisational guidelines

1 The institution shall ensure that business activities are conducted on the basis of organisational guidelines (eg manuals, work instructions or workflow descriptions). The level of detail of the organisational guidelines depends on the nature, scale, complexity and riskiness of the business activities.

Presentational form of the organisational guidelines
The organisational guidelines should be presented in a way that ensures, above all, that they are appropriate and comprehensible for the institution’s staff. Their precise form is at the institution’s own discretion.

2 The organisational guidelines shall be set down in writing and communicated to the staff members concerned in a suitable manner. It shall be ensured that the latest version of these guidelines is available to these staff members. The guidelines shall be swiftly amended in the event of changes to the activities and processes.

3 In particular, the organisational guidelines shall contain the following:
(a) rules governing the organisational and operational structure as well as the allocation of tasks, the assignment of competencies, and responsibilities,
(b) rules governing the organisation of the risk management and risk control processes,
(c) rules governing the procedures, methods and processes for risk data aggregation (in the case of significant institutions),
(d) rules governing the internal audit function,
(e) rules which ensure observation of legal rules and regulations (eg data protection, compliance),
(f) rules governing procedures for outsourced activities and processes,
(g) depending on the size of the institution and the nature, scale, complexity and riskiness of the business activities, a code of conduct for the staff.

Rules governing outsourcing procedures
The rules governing outsourcing procedures shall include the main phases of the life cycle of outsourcing arrangements and define the relevant principles, responsibilities and processes. The rules governing outsourcing procedures should ensure that the external service provider acts in a manner consistent with the outsourcing institution’s values and code of conduct.

4 The organisational guidelines shall enable the internal audit function to conduct an audit review.

AT 6 Documentation

1 Business, control and monitoring documentation shall be systematic and written in a manner that is readily comprehensible for expert third parties and shall generally be saved for five years. It shall be ensured that the documentation is up to date and complete.

2 The actions and provisions material to ensuring compliance with this Circular shall be comprehensibly documented. This shall include provisions governing the use of material opening clauses, which shall be substantiated where appropriate.

AT 7 Resources

AT 7.1 Staff

1 The quantity and quality of the institution’s staffing shall be commensurate, in particular, with its internal operational needs, business activities and risk situation. This shall also apply to the use of temporary staff.

2 Staff members and their deputies shall possess the expertise and experience needed for their tasks, competencies and responsibilities. Appropriate measures shall be taken to ensure that staff are suitably qualified.

Qualification requirements for special functions
The head of the risk control function and the head of the internal audit function as well as the compliance officer shall possess special professional and personal qualifications corresponding to their particular duties.

3 The absence, resignation or departure of staff should not lead to a persistent operational disruption.

AT 7.2 Technical and organisational resources

1 The scope and quality of the technical and organisational resources shall be based, in particular, on the internal operating needs, business activities and risk situation.

2 The IT systems (hardware and software components), the related IT processes and other elements of the information domain shall ensure the integrity, availability, authenticity and confidentiality of the data. To this end, generally established standards shall apply to the arrangement of the IT systems and related IT processes; in particular, processes shall be established for appropriately allocating IT access rights to ensure that staff have only those rights that they need to perform their particular tasks; IT access rights may be collated in a role model. The suitability of the IT systems and related processes shall be regularly reviewed by the responsible organisational unit staff and IT staff.

Information domain
An information domain includes, for example, business-relevant information, business and support processes, IT systems and related IT processes, and network and building infrastructures.

Standards for IT systems design
Such standards include, for example, the IT Grundschutz issued by the Federal Office for Information Security (BSI) and the ISO/IEC 270XX international security standards developed by the International Organization for Standardization. The adherence to established standards does not mean that standard hardware or software must be used. In-house solutions are generally equally permissible.

IT access rights
The IT access rights allocated to staff should not conflict with their assignment to a particular organisational unit. It should be ensured that, especially when granting access rights in conjunction with role models, the segregation of duties is observed and conflicts of interest are avoided.

3 The IT systems shall be tested before their first use and after any material changes and approved by both the responsible organisational unit staff and IT staff. To this end, a standard process of development, testing, approval and implementation in the production processes shall be established. The production and testing environments shall be segregated.

Changes to IT systems
The assessment of the materiality of changes shall be based not on the extent of changes but on the impact they may have on the functioning of the IT system concerned.

Approval by IT staff and organisational unit staff
The approval process carried out by the staff of the organisational unit and IT staff should focus on the suitability and appropriateness of the IT systems for the institution’s specific situation. Third-party certifications may be taken into account in the approval process but cannot substitute it entirely.

4 In the case of IT risks, appropriate monitoring and management processes shall be set up, comprising, in particular, specification of IT risk criteria, identification of IT risks, determination of the required level of protection, derivation of protective measures for IT operations and specification of corresponding measures for risk handling and mitigation. For software procurement, the associated risks shall be appropriately assessed.

5 The requirements of AT 7.2 shall also be observed when using applications developed or run by staff belonging to the organisational units (end-user computing, EUC), in line with the criticality of the business processes supported and the importance of the applications for these processes. Measures to safeguard data security shall be tailored to the protection requirements of the processed data.
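Number 2 of AT 7.2 and its annotation on IT access rights describe three checks that a role model must pass: each person holds only the rights their tasks need, role assignments do not conflict with the holder's organisational unit, and no combination of roles defeats the segregation of duties. The following is an added illustration written for this annotated text, not BaFin's or any institution's code; the roles, permissions, units, toxic permission pairs and user list are constructed assumptions chosen to mirror the front office / back office / risk control split that AT 4.4.1 and BTO require.

```python
"""Role-model review for IT access rights in the style of AT 7.2 number 2.

Constructed example: roles, permissions, organisational units, segregation-of-duties
rules and users are assumptions for illustration, not a real role model.
"""
from itertools import combinations

# Each role bundles permissions and records the organisational unit that owns it,
# so an assignment can be checked against the holder's own unit.
ROLES = {
    "trader":       {"unit": "front_office", "perms": {"trade.initiate", "trade.view"}},
    "back_office":  {"unit": "back_office",  "perms": {"trade.confirm", "trade.settle", "trade.view"}},
    "risk_control": {"unit": "risk_control", "perms": {"risk.report", "limit.monitor", "trade.view", "risk.data.read"}},
    "it_admin":     {"unit": "it",           "perms": {"sys.admin", "user.manage"}},
}

# Toxic permission pairs: no single person may hold both halves (initiating a
# transaction versus concluding or monitoring it, or administering users while trading).
SOD_RULES = [
    ("trade.initiate", "trade.confirm"),
    ("trade.initiate", "trade.settle"),
    ("trade.initiate", "limit.monitor"),
    ("user.manage", "trade.initiate"),
]

# Constructed user list: two clean assignments and two that should be flagged.
USERS = [
    {"name": "alice", "unit": "front_office", "roles": ["trader"]},
    {"name": "bob",   "unit": "front_office", "roles": ["trader", "back_office"]},
    {"name": "carol", "unit": "risk_control", "roles": ["risk_control"]},
    {"name": "dave",  "unit": "it",           "roles": ["it_admin", "trader"]},
]


def effective_permissions(user, roles=ROLES):
    """Union of the permissions granted through all of the user's roles."""
    perms = set()
    for role in user["roles"]:
        perms |= roles[role]["perms"]
    return perms


def sod_violations(user, roles=ROLES, rules=SOD_RULES):
    """Toxic pairs that the user's effective permissions fully contain."""
    perms = effective_permissions(user, roles)
    return sorted(pair for pair in rules if pair[0] in perms and pair[1] in perms)


def unit_mismatches(user, roles=ROLES):
    """Roles whose owning unit differs from the holder's organisational unit."""
    return sorted(role for role in user["roles"] if roles[role]["unit"] != user["unit"])


def review_role_model(users=USERS, roles=ROLES, rules=SOD_RULES):
    """Periodic review of all assignments; returns user -> findings (empty dict = clean)."""
    findings = {}
    for user in users:
        issues = {}
        if (sod := sod_violations(user, roles, rules)):
            issues["sod"] = sod
        if (mismatch := unit_mismatches(user, roles)):
            issues["unit_mismatch"] = mismatch
        if issues:
            findings[user["name"]] = issues
    return findings


def conflicting_role_pairs(roles=ROLES, rules=SOD_RULES):
    """Role combinations that can never be granted together without breaking a rule.

    Useful as a preventive control in the provisioning workflow, before any user exists.
    """
    bad = set()
    for a, b in combinations(sorted(roles), 2):
        perms = roles[a]["perms"] | roles[b]["perms"]
        if any(x in perms and y in perms for x, y in rules):
            bad.add((a, b))
    return sorted(bad)


if __name__ == "__main__":
    for name, issues in review_role_model().items():
        print(name, issues)
    print("never combine:", conflicting_role_pairs())
```

Two design choices matter in practice. The rules are expressed on permissions rather than on role names, so a new role that quietly re-bundles a trading permission with a control permission is caught without editing the rule set; and `conflicting_role_pairs` turns the same rules into a preventive check that a provisioning workflow can apply before a request is approved, while `review_role_model` serves the regular detective review that number 2 requires.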

AT 7.3 Business continuity management

1 The institution shall define business continuity management objectives and establish a business continuity management process on this basis. Arrangements shall be made for emergency situations in time-critical activities and processes (contingency plan). The measures defined in the contingency plan shall be suitable for reducing the extent of potential losses. The contingency plan must be updated on an ad hoc basis, reviewed annually to ensure that it is up to date, and communicated appropriately. The management board shall require written status reports on business continuity management to be submitted to it at least quarterly and on an ad hoc basis.

Time-critical activities and processes
The term “time-critical” applies to activities and processes whose impairment for defined periods is expected to lead to damage that the institution can no longer consider acceptable. The institution shall perform business impact analyses and risk impact analyses to identify time-critical activities and processes as well as supporting activities and processes, the IT systems needed for this plus other necessary resources, and potential threats. These analyses shall be based on an overview of all activities and processes (e.g. in the form of a process map).

Business impact analyses
Business impact analyses examine the consequences for business operations of impairments of activities and processes over different time periods. They should take due account of the following aspects, among other things:

  • The nature and scale of the (non-)material losses,
  • The point in time at which the failure occurs.

Risk impact analyses
Risk impact analyses are used to identify and assess potential threats to the identified time-critical activities and processes that could lead to the impairment of these time-critical activities and processes.

2 The contingency plan shall include business continuity and recovery plans. Business continuity plans shall ensure that back-up solutions are promptly available in emergencies. Recovery plans shall ensure that normal operations can be resumed within an appropriate time frame. Appropriate internal and external communication shall be ensured during emergencies. In the event that time-critical activities and processes are outsourced, the outsourcing institution and the external service provider shall have in place coordinated contingency plans.

Contingency plan
The contingency plan sets out responsibilities, objectives and measures for continuing or restoring time-critical activities and processes, plus classification criteria and criteria for triggering the plans.

Contingency scenarios
The following scenarios shall be considered at a minimum:
  • Partial or total site failures (eg as a result of flooding, major fires, closures of specific areas, or access control failures)


  • Substantial failures of IT systems or of the communications infrastructure (e.g. due to errors or attacks)
  • The non-availability of a critical number of staff (e.g. in the case of a pandemic, food poisoning, or strikes)
  • Service provider outages (e.g. suppliers, utilities)

3 The effectiveness and appropriateness of the contingency plan shall be reviewed regularly. For time-critical activities and processes, this shall be demonstrated for all relevant scenarios at least once a year and on an event-driven basis. Reviews of the contingency plan must be minuted. The results shall be analysed to establish any necessary improvements. Risks shall be managed appropriately. The results shall be communicated in writing to the persons responsible in each case.

Reviews of the contingency plan
The frequency and scale of reviews should be based on the threat landscape. Service providers shall be integrated appropriately. Among other things, reviews include:
  • Testing of technical precautions
  • Communication exercises, crisis management team and alarm exercises
  • Simulation exercises or full-scale exercises.

AT 8 Adjustment processes

AT 8.1 New product process

1 Each institution shall have a sound understanding of the business activities it conducts. It shall decide on a strategic plan before commencing business activities involving new products or new markets (including new distribution channels). The strategic plan shall be based on the analysis of the riskiness of these new business activities and their impact on the overall risk profile. The strategic plan shall also outline the resulting material consequences for risk management.

Contents of the strategic plan
The consequences outlined in the strategic plan should include those relating to organisation, staffing, necessary modifications to the IT systems and the methods of assessing the associated risks as well as any legal implications (in accounting law, tax law etc) where they are of material importance.

2 The institution shall maintain a catalogue of the products and markets that the business activities will involve. It shall check at suitable intervals whether the products are still in use. Products that the business activity has not involved for an extended period of time shall be flagged. This shall not relate to the run-down of positions. The run-off or continued management of exposures in the portfolio shall not constitute product use. Before business activities involving flagged products are resumed, confirmation of the continued existence of the business processes in place at the time of the last transaction shall be obtained from the organisational units involved in the operational processes. If changes have occurred, a check shall be carried out to determine whether the new product process needs to be followed again.
3 An organisational unit that is segregated from the front office or trading shall be involved in deciding whether business activities involve new products or new markets.

4 In the case of trading, a test phase shall be required before regular trading in new products or on new markets may commence. During the test phase, trading shall be limited to a modest scale. The institution shall ensure that it does not commence regular trading until after the test phase has been successfully completed and suitable risk management and risk control processes are in place.

Credit business and test phase
A test phase may form the basis of the strategic plan in the case of credit business, too, depending on the complexity of the business.

One-off transactions
A test phase may be waived in the case of non-recurrent transactions.

5 The organisational units that will subsequently be involved in the operational processes shall participate in both the drafting of the strategic plan and the test phase. The risk control function, the compliance function and the internal audit function shall also be involved within the scope of their duties.

6 The strategic plan and the commencement of regular business activities shall be approved by the responsible members of the management board in cooperation with the members of the management board responsible for monitoring the activities in question. The approval procedure may be delegated provided that clear guidelines have been laid down and that the management board is swiftly informed of the decisions.

7 The drafting of a strategic plan pursuant to number 1 and the provision of a test phase pursuant to number 4 are not required if the organisational units involved in the operational processes consider that activities involving a new product or a new market can be properly managed.

8 If the new product process frequently reveals cases in which

  • the assumptions made in the strategic plans and the related analyses of the riskiness of the activities involving new products or new markets were essentially incorrect, or
  • the consequences drawn in the strategic plans and from the test phases were essentially incorrect, or
  • considerations pursuant to number 7 that activities involving new products or new markets can be properly managed have proved incorrect,
the new product process shall be carried out on an ad hoc basis. The process shall be promptly adjusted if any shortcomings are identified.

AT 8.2 Modifications of operational processes or structures

1 Before material modifications are made to the organisational and operational structure or the IT systems, the institution shall analyse the impact of the planned modifications on the control mechanisms and control intensity. The organisational units that will subsequently be involved in the operational processes shall be involved in these analyses. The risk control function, the compliance function and the internal audit function shall also be involved within the scope of their duties.

AT 8.3 Mergers and acquisitions

1 Prior to an acquisition of or a merger with other enterprises, the institution shall draw up a strategic plan that sets out the material strategic objectives, the prospective main implications for risk management and the material impact on the overall risk profile of the institution or group. This shall include the planned medium-term development of the financial position and financial performance (Vermögens-, Finanz- und Ertragslage), the prospective level of the risk positions, the necessary adjustments to the risk management and risk control processes and the IT systems (including the data aggregation capacities), and an outline of any material legal implications (in accounting law, tax law etc).

AT 9 Outsourcing

1 Outsourcing is the commissioning of another enterprise to provide activities and processes relating to the execution of banking business, financial services or any of an institution's other usual services that would otherwise be provided by the institution itself. Arrangements and agreements made under civil law cannot negate a possible outsourcing a priori.

Other external procurement of goods and services
Other external procurement of goods and services is not to be classified as outsourcing within the meaning of this Circular. This includes the one-off or occasional purchase of goods and services. It also includes services that are usually provided by a supervised enterprise and which, owing to actual circumstances or legal provisions, the institution itself is normally unable to provide either at the time of external procurement or in the future. These include, for example,

  • The use of central banking functions (within a network of affiliated financial institutions) or clearing houses in the context of payment transactions and securities settlement,
  • Recourse to liquidity lines,
  • The involvement of correspondent banks,
  • The use of safe custody services for assets in accordance with the German Safe Custody Act (Depotgesetz),
  • The use of publicly available data (including fee-based data) from market information providers (eg publicly available data from rating agencies that were not specifically generated/processed for the institution),
  • The use of global payments infrastructures (eg card payment procedures),
  • The use of global financial messaging structures that are subject to oversight by competent authorities, and
  • The acquisition of services such as the provision of a legal opinion, representation in front of the court and administrative bodies, and utility services.
The relevant provisions of section 25b of the Banking Act will normally not apply given the particular risks associated with such collaborations. Nonetheless, the institution must still comply with the general requirements relating to a proper business organisation pursuant to section 25a (1) of the Banking Act in the case of other external procurement of services. As a rule, isolated software procurement shall generally be considered other external procurement. This shall also include, inter alia, the following support services:
  • adapting software to a credit institution's requirements,


  • development-based implementation of requested changes (programming),
  • testing, approving and integrating software into the production processes when it is used for the first time and when major changes are made, especially to programming specifications,
  • resolving errors (maintenance) in accordance with the description of requirements/errors of the client or vendor,
  • other support services beyond pure consultation.
This shall not apply to software used to identify, assess, manage, monitor or report risks or which is of material importance for the conduct of banking tasks; support services for these types of software shall be classified as outsourcing. The same criteria apply to the operation of software by an external third party.

Other usual services
The reference to other usual services takes into account Article 13 (5) sentence 1 of the Markets in Financial Instruments Directive insofar as that article relates to the outsourcing of operational functions which are critical for the provision of continuous and satisfactory service to clients and the performance of investment activities. Other usual services of an institution can also include, for example, the ancillary services listed in Annex I Section B of the Markets in Financial Instruments Directive.

2 The institution shall perform a risk analysis to assess the risks associated with outsourcing. Based on this risk analysis, it must determine independently which outsourced activities and processes are critical or important from a risk perspective (“critical or important outsourced activities and processes”). It shall conduct both regular and ad hoc analyses based on framework requirements that apply uniformly to the whole institution or whole group. The results of the risk analysis shall be taken into account when managing outsourcing and in risk management. The relevant organisational units shall be involved in conducting the risk analysis. The internal audit function shall also be involved within the scope of its duties.
Risk analysis
The risk analysis shall take due account of all aspects of outsourcing that are relevant to the institution (eg the important outsourcing risks, including potential risk concentrations (multiple outsourcing arrangements/outsourcing contracts with the same external service provider, among other things), risks arising from sub-outsourcing, political risk, measures to manage and mitigate risk, the suitability of the external service provider, potential conflicts of interest, the protection requirements for the data transferred to the external service provider, and costs), whereby the intensity of the analysis shall depend on the nature, scale, complexity and riskiness of the outsourced activities and processes. In particular, the risk analysis must consider the extent to which an activity or process that is to be outsourced must be classified as an important part of the institution’s process landscape. In the case of outsourcing with significant consequences – such as the complete or partial outsourcing of the internal control functions risk control function, compliance function or internal audit or of core bank units – the institution must intensively consider whether and how it can ensure that the outsourced activities and processes can be integrated into its risk management. The risk analysis shall be supplemented by a scenario analysis to the extent that this is advisable and proportionate. Where available, internal and external loss data shall be used in the scenario analysis. Small, less complex institutions may use qualitative approaches to risk analysis.

3 Outsourced activities and processes that are not regarded as material in terms of risk shall be subject to the general requirements relating to a proper business organisation pursuant to section 25a (1) of the Banking Act.

4 In general, activities and processes can be outsourced provided that the proper business organisation pursuant to section 25a (1) of the Banking Act is not impaired. Outsourcing shall not entail the delegation of the management board’s responsibility to the external service provider. The management board’s management tasks shall not be outsourced. Special criteria for outsourcing arrangements arise from the complete or partial outsourcing of the special functions risk control function, compliance function and internal audit function. Special criteria may also arise from specific legal regulations (eg regulations that apply to building and loan associations regarding the treasury risk management of their collective savings and loans or that apply to Pfandbrief banks regarding the management of the collateral register (Deckungsregisterführung) and the coverage calculation (Deckungsrechnung)). Outsourcing may not lead to an institution becoming merely an “empty shell”.
Management tasks of the management board
Management tasks of the management board that cannot be outsourced include corporate planning, coordination and control, as well as the filling of senior positions. They also comprise tasks which are explicitly assigned to the management board through legislation or other regulations (eg deciding on large exposures pursuant to section 13 of the Banking Act or defining strategies). Management tasks should be distinguished from functions or organisational units which the management board uses to perform its management tasks (especially the risk control function, compliance function and internal audit function). These can be delegated either internally or – under the conditions set out in number 5 – externally through outsourcing.

External service provider’s authority to perform its services
The institution shall ensure that the external service provider is authorised under the laws of its home country to perform the outsourced activities and processes, and that it is in possession of any necessary permits and registrations for this. In addition, where activities and processes are outsourced to undertakings domiciled outside the European Economic Area (EEA), the institution shall, to the extent these relate to outsourced activities or processes in conjunction with banking business the scale of which would, in Germany, require the approval of, or registration with, the competent supervisory authority, ensure that the external service provider is supervised by the competent supervisory authorities in the third country concerned and that a corresponding cooperation agreement, eg in the form of a memorandum of understanding or a College agreement, exists between the competent supervisory authorities responsible for supervising the institution and the competent supervisory authorities responsible for supervising the external service provider.

5 Activities and processes in control units and core bank units may be outsourced in compliance with the requirements set out in number 4 to a degree that ensures that the institution retains the expertise and experience needed to ensure the effective monitoring of services carried out by external service providers. It shall be ensured that, if necessary – should the outsourcing arrangement be terminated or the group structure change – the institution can maintain properly functioning operations in these units. Complete outsourcing of the internal control functions risk control function, compliance function or internal audit is only permissible for subsidiary institutions within a group of institutions to the extent that the outsourcing institution can be considered as not being significant in terms of its size and complexity and the riskiness of its business activities for the domestic financial sector, or in terms of its importance within the group. The same shall apply to groups in which the parent enterprise is not an institution and is domiciled in Germany. Furthermore, the complete outsourcing of the compliance function or of the internal audit function is solely permissible at small institutions insofar as the internal establishment of these functions would appear inappropriate given the institution’s size and the nature, scale, complexity and riskiness of its business activities.
6 In the case of material outsourced activities and processes, the institution, in the event of an intended or expected termination of the outsourcing arrangement, shall take safeguards to ensure the continuity and quality of the outsourced activities and processes also after the termination of the outsourcing arrangement. In cases of unintended or unexpected termination of these outsourced activities and processes that might seriously impair business activity, the institution shall examine the feasibility of and adopt possible courses of action. This shall entail, as far as meaningful and possible, defining corresponding exit processes. The courses of action shall be reviewed both regularly and on an ad hoc basis.

Courses of action and exit processes
Exit processes shall be defined with a view to ensuring that the necessary continuity and quality of the outsourced activities and processes can be maintained or restored within an appropriate period of time. If no courses of action have been specified, appropriate options must at least be taken into account in the contingency planning process.

7 In the case of material outsourced activities and processes, the outsourcing contract, which shall be documented in writing (“Textform” pursuant to section 126 b of the BGB), shall specifically
a) specify and, where appropriate, delineate the services to be provided by the external service provider,
b) agree the start date and, as applicable, the end date of the outsourcing arrangement,
c) agree the law governing the outsourcing arrangement in those cases in which the laws of Germany do not apply,
d) agree the locations (ie the regions or countries) in which the service will be performed and/or where relevant data will be kept and processed, including a requirement to notify the institution if the external service provider proposes to change the location,
e) define the agreed service levels, including precise performance targets,
f) where applicable, agree that the external service provider shall submit proof of insurance cover against certain risks,
g) agree the requirements to implement and test business contingency plans,
h) set out appropriate internal and external auditors’ rights of information and review,
i) ensure that the competent authorities pursuant to section 25b (3) of the Banking Act retain unrestricted information and audit rights and the ability to supervise with regard to the outsourced activities and processes,
j) include powers to give instructions, where necessary,
k) include rules ensuring compliance with data protection provisions and other security requirements,
l) specify termination rights and appropriate notice periods,
m) include rules covering the possibility and modalities of subcontracting which ensure that the institution continues to comply with the prudential supervisory requirements,
n) obligate the external service provider to inform the institution of any developments that might impair the proper performance of the outsourced activities and processes.

The institution’s power to give instructions/internal audit inspections
An explicit agreement granting the institution the power to give instructions can be waived if the service to be performed by the external service provider is specified clearly in the outsourcing contract. Furthermore, the outsourcing institution’s internal audit function may waive its own audit activities subject to the conditions set forth in BTR 2.1 number 3. These waivers may also be applied where activities and processes are outsourced to “multi-client service providers”.

Information and audit rights
Wherever possible, information and audit rights pursuant to number 7 h) and i) should also be agreed for non-critical or non-important outsourcing arrangements to the extent that it can be expected that the latter could become critical or important within the meaning of number 2 in the near or medium-term future. Information and audit rights pursuant to number 7 h) and i) also comprise the rights required to ensure physical and logical access.

Escalation in the event of underperformance
Before drafting the contract, the institution shall define internally the degree of underperformance that it is prepared to tolerate.

Termination rights
The outsourcing arrangement should oblige the external service provider, if the arrangement is terminated, to support the institution in transferring the outsourced activity or process to another external service provider or in reintegrating it within the institution.

Other security requirements
Rules governing other security requirements should be contractually agreed for all outsourcing arrangements, ie including non-critical or non-important ones. Other security requirements notably include physical access rights to rooms and buildings (eg in the case of data centres) as well as access rights to software solutions designed to protect material data and information. Compliance with these requirements must be monitored continuously. Institutions should adopt a risk-based approach to data storage and data processing locations and information security considerations. It must be ensured that the data held by the institution can still be accessed in cases in which the external service provider becomes insolvent, is liquidated, or discontinues its business operations.

Place of performance of the service
In addition to number 7 d), the institution must be aware at all times of the place of performance of the service (eg the city or, where necessary, the precise address).

8 With respect to subcontracting, where possible, either the outsourcing institution shall be given the right to reserve approval or concrete provisions shall be agreed in the outsourcing agreement specifying when individual work and process steps may be subcontracted. At the very least, it shall be contractually ensured that the agreements the external service provider has with subcontractors are consistent with the contractual arrangements of the original outsourcing agreement. In addition, the contractual requirements shall include, in the case of subcontracting, an obligation on the part of the external service provider to provide information to the outsourcing institution. It must be ensured that, in the event that the external service provider subcontracts activities or processes to a third party, it remains responsible for reporting to the outsourcing institution.

9 The institution shall appropriately manage the risks associated with outsourcing and shall monitor the provision of the outsourced activities and processes in a due and proper manner. In the case of the outsourcing of critical or important activities and processes, this also comprises continuously monitoring the external service provider’s performance using defined criteria (eg key performance indicators, key risk indicators) and contractually agreed information supplied by the external service provider; the quality of the services provided shall be assessed on a regular basis.

10 The institution shall clearly specify the responsibilities for documenting, managing and monitoring material outsourced activities and processes. If special functions pursuant to number 5 are completely outsourced, the management board shall appoint a responsible officer for each function who shall ensure that the respective tasks are being properly performed. The requirements of AT 4.4.3 and BT 2 shall be complied with accordingly.

Special tasks of the audit officer
The audit officer should draw up the inspection plan together with the commissioned third party. The audit officer should also, where appropriate together with the commissioned third party, draw up the overall report in accordance with BT 2.4 number 4 and review pursuant to BT 2.5 whether the identified findings have been remedied. The audit officer shall be directly subordinated to the management board. Depending on the nature, scale, complexity and riskiness of the institution’s business activities, the audit officer’s tasks may be performed by an organisational unit, a staff member or a member of the management board. It shall be ensured that this person or unit has both sufficient knowledge and the necessary independence to perform these tasks.

11 The requirements governing the outsourcing of activities and processes shall be complied with also in the event that the outsourced activities and processes are subcontracted.

Risk analysis pursuant to AT 9 number 2
The risks associated with sub-outsourcing shall be assessed in the course of the risk analysis. This shall also include assessing the criticality or importance of the sub-outsourcing. The extended requirements for outsourcing critical or important activities and processes shall only apply to critical or important sub-outsourced activities and processes from a risk perspective. In addition, due account should be taken of the risk that long and complex chains of sub-outsourcing could reduce the ability of institutions to oversee the outsourced activities and processes.

12 Each institution that performs outsourcing shall establish the position of a central outsourcing officer at the institution itself. In addition, depending on the nature, scale and complexity of the outsourcing activities, the institution must establish a central outsourcing management function to support the central outsourcing officer. The tasks to be performed include, but are not limited to, the following:
(a) Implementing and further developing an appropriate outsourcing management and corresponding control and monitoring processes,
(b) Creating and maintaining full documentation of outsourcings (including subcontracted activities and processes),
(c) Supporting the business units with regard to internal and statutory requirements for outsourcing,
(d) Coordinating and reviewing the risk analysis pursuant to number 2 conducted by the responsible units.

Central outsourcing officer
The central outsourcing officer shall be assigned to an organisational unit that is directly subordinated to the management board. He or she can also be attached to other units provided that a direct reporting line to the management board is ensured. Small, less complex institutions may also entrust this function to a member of the management board. The head of the central outsourcing management function can also be appointed as the outsourcing officer.

13 The outsourcing officer or the central outsourcing management function shall prepare a report on the critical or important outsourced activities and processes at least once a year and shall make this available to the management board. In addition, ad hoc reports must be submitted. Taking into account the information available to the institution or the institution's internal evaluation of the quality of the services provided by the service provider, the report shall contain an assessment of whether the services provided by the external service providers correspond to the contractual agreements, whether the outsourced activities and processes can be appropriately managed and monitored and whether further risk mitigation measures are to be taken.

Reporting by small, less-complex institutions
It is sufficient for small, less-complex institutions to report in the context of management board meetings.

14 The institution shall maintain an updated register of information on all outsourcing arrangements. The minimum requirements for the content of the register of all outsourced activities and processes can be found in section 54 of the EBA Guidelines on outsourcing (EBA/GL/2019/02), while those for critical or important outsourced activities and processes can be found in section 55. The register of existing outsourcing arrangements covers all outsourcing arrangements, including outsourcing arrangements with service providers within a group of institutions or an institutional protection scheme. Furthermore, where critical or important outsourced activities and processes are sub-outsourced, the outsourcing institution shall specify whether the part that is to be sub-outsourced is critical or important and whether this critical or important part shall be entered in the register.

15 The following simplifications apply with regard to groups pursuant to AT 4.5 or institutional protection schemes:
a) In the case of activities and processes that are outsourced within a group or an institutional protection scheme, effective measures at group or an institutional protection scheme level, and especially uniform, comprehensive risk management and rights of intervention can be considered when preparing and adapting the risk analysis pursuant to number 2 so as to mitigate the risk involved.
b) In the case of activities and processes that are outsourced by multiple institutions within a group or an institutional protection scheme to one or more common external service providers, a central outsourcing management function can be established at group or at institutional protection scheme level if this central outsourcing management function meets the requirements set out in module AT 9 or, if this module does not apply, the requirements of EBA/GL/2019/02.
c) In the case of risk reporting by service providers that are used within a group/an institutional protection scheme, a preliminary central analysis can be made, facilitating further use by the outsourcing institutions.
d) Exit processes and courses of action do not have to be prepared in the case of activities and processes that are outsourced within a group or an institutional protection scheme.
e) If a central register of outsourcing arrangements is established and maintained within a group or an institutional protection scheme, it must be ensured that the individual institution and the competent authority receive the individual register of outsourcing arrangements without significant delay where required.

Joint contingency plans (pursuant to AT 7.3)
If the institutions within a group of institutions or an institutional protection scheme have agreed on a joint contingency plan for a critical or important outsourced activity or process, the institutions must receive the section of the contingency plan that is relevant for them.

BT 1 Special requirements relating to the internal control system

1 This module sets forth special requirements relating to the structure of the internal control system. The requirements relate primarily to the organisational and operational structure in credit business and trading (BTO). Additional requirements relate to the structure of the risk management and risk control processes for counterparty and credit risk, market risk, liquidity risk and operational risk, taking due account of risk concentrations (BTR).

BTO Requirements relating to the organisational and operational structure

1 This module primarily sets out requirements relating to the organisational and operational structure in credit business and trading. Depending on the size of the institution, the business focus and the risk situation, the BTO requirements may be implemented in simplified form.

2 This Circular distinguishes between the following organisational units: (a) the unit which initiates credit transactions and has a vote in credit decisions (front office), (b) the unit which has an additional vote in credit decisions (back office), and (c) trading. It also distinguishes between the following functions: (d) the functions serving to monitor and report risk (risk control), and (e) the functions serving to settle and monitor trading.

Note on the use of the word “unit”
A “unit (Stelle) that is independent of the front office and trading” may be answerable to the same member of the management board who is responsible for trading or the front office. A “unit (Bereich) that is segregated from trading and the front office” is organisationally separated from trading and the front office right up to and including the management board level.

3 The organisational structure shall ensure that the front office and trading are segregated up to and including the management board level from the organisational units or functions listed in number 2 under (b), (d) and (e) as well as in BTO 1.1 number 7, BTO 1.2 number 1, BTO 1.2.4 number 1, BTO 1.2.5 number 1 and BTO 1.4 number 2.

Segregation of duties at legally dependent foreign branches
Organisational segregation up to and including management board level means that both functional and disciplinary responsibility are separated. However, functional responsibility and disciplinary responsibility may diverge at legally dependent foreign branches. The precondition for this is that at least functional responsibilities are separated in line with the aforementioned principle of the segregation of duties up to and including management board level.

Note on clause 2
BTO 1.1 number 7: the review of certain collateral items to be determined in terms of risk and decisions regarding risk provisioning for significant exposures.

BTO 1.2 number 1: responsibility for the development and quality of loan processing, credit processing control, intensified loan management, the processing of problem loans and risk provisioning.
BTO 1.2.4 number 1: responsibility for the development, quality and regular review of the criteria governing when an exposure shall be subjected to intensified loan management.
BTO 1.2.5 number 1: responsibility for the development, quality and regular review of the criteria governing when an exposure shall be transferred to recovery or liquidation as well as the main responsibility for the recovery or liquidation process or for monitoring these processes.
BTO 1.4 number 2: responsibility for the development and quality of the risk classification procedures and for monitoring their application.

4 Market risk control functions shall be segregated up to and including the management board level from those units which bear responsibility for the respective positions.

5 The segregation of duties shall also be maintained at deputy level. A suitable member of staff from below management level may also act as deputy.

6 The member of the management board responsible for risk control functions may collaborate in a committee tasked by the management board with risk management without breaching the principle of the segregation of duties.

7 Accounting tasks, especially the setting of the accounting rules and the development of the accounting system, shall be assigned to a unit that is independent of the front office and trading.

Segregation of duties at institutions with significant trading
Given the extensive discretionary scope in valuing certain trades (eg structured products), institutions with significant trading should ensure that accounting is located in a unit that is segregated from trading.

8 Material legal risks shall be assessed by a unit that is independent of the front office and trading (eg the legal department).

9 In the case of IT-based processing, the segregation of duties shall be ensured by appropriate procedures and safeguards.

BTO 1 Credit business

1 This module sets out requirements relating to the organisational and operational structure, the procedures for the early detection of risks and the procedures for risk classification in credit business. Individual provisions in this module may be waived in the case of trading and equity investments if their implementation is not relevant in view of the specific features of these types of business (eg the requirements in BTO 1.2.2 number 1 to monitor the purpose of the loan).

Corresponding implementation in the case of equity investments
Corresponding implementation in the case of equity investments shall comprise an equity investment strategy and the establishment of an equity investment control function, regardless of whether the particular equity investment is a credit-equivalent/credit-substituting equity investment or a strategic equity holding. In the case of a credit-equivalent or credit-substituting equity investment, the requirements regarding the organisational and operational structure shall generally be observed in addition. In the case of equity investments in a network of affiliated financial institutions or of mandatory equity investments (eg equity investments prescribed by legislation applying to the savings bank sector or by the articles of association, or equity investments in SWIFT), the establishment of a separate risk control function may be waived. In these cases, the necessary monitoring activity may also be achieved by other means (eg by examining annual financial statements or annual reports or by monitoring the equity investment accounts).

BTO 1.1 Segregation of duties, and voting

1 The core principle for structuring credit business processes shall be the clear organisational segregation of the front office and back office up to and including management board level. Exceptions to the segregation of duties may be made under certain circumstances in the case of small institutions.

Simplified implementation for small institutions
Where complying with the required segregation of duties between the back office/other functions independent of the front office and the front office up to and including management board level would be disproportionate owing to the institution’s small size, the requirement to segregate duties may be waived if direct management board involvement in the granting of risk-relevant loans ensures that credit business continues to be handled in a manner that is proper and commensurate with the existing risks. In such cases, the management board shall itself process and approve risk-relevant loans. Absent management board members shall be subsequently informed of any decisions taken in risk-relevant business. This simplified implementation may be applied if, in toto, the following conditions are met:

  • the overall credit volume does not exceed €100 million,
  • there are only two management board members, and
  • the institution’s credit business is simply structured.

Staff loans
In the case of loans to staff and to management board members, the organisational requirements often cannot be implemented one-to-one, particularly because there is no front office involvement. A suitable unit not involved in loan processing, such as Human Resources, shall generally be involved in such credit decisions. The actual processing may also be performed, where appropriate, by the loan processing staff.

2 Depending on the nature, scale, complexity and riskiness of the exposure in question, a credit decision shall require two positive votes by the front office and back office. This shall be without prejudice to other provisions referring to the act of decision-making (eg the Banking Act, articles of association). Where these decisions are made by a committee, the voting structure within that committee shall be defined such that the back office cannot be outvoted.

Documenting the votes, and substantive plausibility check
The votes may be summarised in a single document. In this case, the (positive) vote by the back office should be documented by the responsible staff member’s signature. It must not be an uncritical, complimentary signature. Depending on how the credit processes are assigned between the front office and back office, the vote by the back office should at least be based on a substantive plausibility check. The substantive plausibility check need not repeat activities already carried out by the front office. It should focus instead on the comprehensibility and justifiability of the credit decision.

This includes assessing the robustness of the front office vote and the extent to which the loan amount and type are justifiable. The intensity of the substantive plausibility check also depends on the complexity of the credit transactions in question. The staff member responsible for the vote by the back office must at least have access to all material credit documents.

3 Counterparty and issuer limits for trading shall be set by a back office vote.

4 For credit decisions with regard to transactions that are considered immaterial in terms of risk, the institution may determine that only one vote is necessary (“non-risk-relevant credit transactions”). Simplified implementation is also possible in cases where credit transactions are initiated by third parties. The organisational segregation of the front office and back office is thus only relevant for credit transactions for which two votes are necessary. Where a second vote is unnecessary, it shall be ensured that the requirements set out in BTO 1.2 are implemented appropriately.

Differentiation between risk-relevant and non-risk-relevant credit business
Each institution is individually responsible for differentiating between risk-relevant and non-risk-relevant credit transactions in terms of risk. For instance, standardised retail business could normally count as non-risk-relevant credit business.

Third-party initiation
Simplified implementation of the segregation of duties is also possible where credit transactions are initiated by third parties. In development lending business, for instance, it is normally unnecessary to obtain two internal votes within the institution because the credit transactions are often initiated by a principal bank of a borrower (Hausbank) or a holding company. Similar situations can occur, inter alia, in the case of credit transactions by institutions via dealer organisations, by building and loan associations via commercial agents, by guarantee banks via a principal bank or, in the case of syndicate members, by the lead manager in syndicated loans. In the case of risk-relevant credit decisions, the additional vote to be obtained within the institution should generally be submitted by a unit independent of the front office, ie the back office, where one exists.

Third-party initiation/process standardisation via external rules
The requirement to obtain an additional vote can also be waived if decision-making is so standardised by external rules (eg owing to statutory requirements such as the German Housing Promotion Act (Wohnraumfördergesetz)) that the institution follows standard procedures and thus has little discretionary scope with regard to the granting of loans.

De minimis limits
De minimis limits may be used to a certain degree for defining risk-relevant business. Thus simplified implementation may be considered appropriate where an additional

credit application is filed for a relatively small amount even though the customer’s total exposure is classified as being risk-relevant.

5 Each member of the management board may, within the scope of his/her individual credit approval authority, independently make credit decisions and also maintain customer contacts. This shall be without prejudice to the organisational segregation of the front office and back office. In addition, two votes shall be obtained where this is considered necessary in terms of risk. If the decisions made within the scope of a management board member’s individual credit approval authority differ from the votes or where they are made by the member of the management board responsible for the back office, they shall be highlighted in the risk report (BT 3.2 number 3).

Individual credit approval authority and management board members
Individual credit approval authority can only be exercised by a management board member. A management board member’s right to autonomously make credit decisions within the scope of his/her individual credit approval authority is not automatically transferred to his/her deputy below management board level. Risk-relevant credit decisions made by the entire management board or made jointly by several management board members also generally necessitate appropriate processing as well as two votes from the front office and back office.

6 The institution shall establish a clear and consistent credit approval structure for decision-making in credit business. Decision-making rules shall be defined in the credit approval structure for divergent votes: in such cases the loan shall be rejected or escalated to a higher level of authority for a decision (escalation procedure).

7 The review of certain collateral items, which shall be determined in terms of risk, shall be conducted outside the front office. This assignment of competence shall apply likewise to decisions regarding risk provisioning for significant exposures. The competence for all other processes and sub-processes mentioned in BTO 1.2 (such as loan processing or loan processing sub-processes) shall be assigned at the institutions’ discretion, unless this Circular stipulates otherwise.

Valuation appraisals
The making of valuation appraisals for certain collateral items may also be entrusted to suitably qualified staff members from the front office as long as it is assured that the valuations are subject to a substantive plausibility check by a unit segregated from the front office.

Review of legal validity
The legal validity of collateral may also be reviewed by a unit that is independent of the front office and trading (eg the legal department).

BTO 1.2 Requirements relating to credit business processes

1 The institution shall set up processes for loan processing (the granting and further processing of loans), loan processing control, intensified loan management, the processing of problem loans, and risk provisioning. Responsibility for the development and quality of these processes shall lie outside the front office.

Methodological responsibility
Processes may also be developed in the front office provided it is ensured that a back office unit assures the quality of these processes on the basis of a substantive plausibility check.
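Where credit decisions are recorded in an IT system, BTO number 9 requires the segregation of duties to be enforced by the system itself rather than by convention. The following Python code is an added illustration of how the voting rules of BTO 1.1 numbers 2, 4 and 6 can be checked at the point of decision; it is not part of the MaRisk text and not BaFin or institution tooling. The data model, the names `Unit`, `Vote`, `Application` and `decide`, the staff identifiers and the sample applications are assumptions made for this example; the classification of a transaction as risk-relevant is taken as an input, because the Circular leaves that to each institution.

```python
from dataclasses import dataclass, field
from enum import Enum


class Unit(Enum):
    FRONT = "front office"   # initiates the transaction and casts the first vote
    BACK = "back office"     # casts the additional, independent vote


class Outcome(Enum):
    APPROVED = "approved"
    REJECTED = "rejected"
    ESCALATED = "escalated"    # divergent votes go to the next level of the approval structure
    INCOMPLETE = "incomplete"  # a required vote is missing or the votes breach segregation


@dataclass(frozen=True)
class Vote:
    voter: str      # hypothetical staff identifier
    unit: Unit
    approve: bool


@dataclass
class Application:
    borrower: str
    amount_eur: int
    risk_relevant: bool  # set by the institution's own classification rules (assumed input)
    votes: list[Vote] = field(default_factory=list)


def _tally(votes: list[Vote], unit: Unit) -> tuple[int, int]:
    """Count (positive, negative) votes cast by one unit."""
    pos = sum(1 for v in votes if v.unit is unit and v.approve)
    neg = sum(1 for v in votes if v.unit is unit and not v.approve)
    return pos, neg


def decide(app: Application) -> tuple[Outcome, list[str]]:
    """Evaluate the recorded votes and return the outcome plus findings for the credit file."""
    findings: list[str] = []

    # Segregation check: no single person may vote on behalf of both units.
    units_by_voter: dict[str, set[Unit]] = {}
    for v in app.votes:
        units_by_voter.setdefault(v.voter, set()).add(v.unit)
    for voter, units in units_by_voter.items():
        if len(units) > 1:
            findings.append(f"{voter} voted for both units: segregation of duties breached")
            return Outcome.INCOMPLETE, findings

    front_pos, front_neg = _tally(app.votes, Unit.FRONT)
    back_pos, back_neg = _tally(app.votes, Unit.BACK)

    if not app.risk_relevant:
        # Non-risk-relevant business: a single vote from either unit suffices.
        if front_pos + front_neg + back_pos + back_neg == 0:
            findings.append("no vote recorded")
            return Outcome.INCOMPLETE, findings
        approved = front_neg + back_neg == 0
        return (Outcome.APPROVED if approved else Outcome.REJECTED), findings

    if front_pos + front_neg == 0 or back_pos + back_neg == 0:
        findings.append("risk-relevant: a front-office vote and a back-office vote are both required")
        return Outcome.INCOMPLETE, findings

    # The front office decides by majority within a committee; the back office cannot be
    # outvoted, so every back-office vote must be positive for the back office to approve.
    front_approves = front_pos > front_neg
    back_approves = back_neg == 0

    if front_approves and back_approves:
        return Outcome.APPROVED, findings
    if not front_approves and not back_approves:
        return Outcome.REJECTED, findings
    findings.append(
        f"divergent votes (front office {'positive' if front_approves else 'negative'}, "
        f"back office {'positive' if back_approves else 'negative'}): escalated"
    )
    return Outcome.ESCALATED, findings


# Constructed sample applications (not real cases).
RETAIL = Application("retail customer A", 15_000, risk_relevant=False,
                     votes=[Vote("fo-01", Unit.FRONT, True)])
CORPORATE = Application("corporate B", 4_000_000, risk_relevant=True,
                        votes=[Vote("fo-01", Unit.FRONT, True), Vote("bo-07", Unit.BACK, True)])
COMMITTEE = Application("corporate C", 9_000_000, risk_relevant=True,
                        votes=[Vote("fo-01", Unit.FRONT, True), Vote("fo-02", Unit.FRONT, True),
                               Vote("fo-03", Unit.FRONT, True), Vote("bo-07", Unit.BACK, False)])
SELF_VOTE = Application("corporate D", 2_500_000, risk_relevant=True,
                        votes=[Vote("fo-01", Unit.FRONT, True), Vote("fo-01", Unit.BACK, True)])

if __name__ == "__main__":
    for app in (RETAIL, CORPORATE, COMMITTEE, SELF_VOTE):
        outcome, notes = decide(app)
        print(f"{app.borrower}: {outcome.value} {notes}")
```

The committee case shows the point of number 2: three positive front-office votes do not carry the decision against one negative back-office vote, the application is escalated instead. The self-vote case is the check number 9 asks for: a system that merely counts two positive votes would approve it, a system that enforces segregation refuses it. Voter identity is taken from the `Vote` record here; in a real system it must come from the authenticated session, not from a field the user can fill in.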

2 The institution shall draw up processing principles for credit business processes which, where necessary, shall be suitably differentiated (eg by loan type). Furthermore, the types of collateral accepted by the institution and the procedures for the valuation, management and realisation of this collateral shall be defined. When defining the procedures for the valuation of collateral, suitable valuation procedures shall be applied. The procedures to be used for collateral valuation shall be reviewed at least on an annual basis and shall be approved by the management board before being used for the first time and following major amendments. However, regular reviews of valuation procedures do not have to be performed to the extent that the institution uses a generally recognised, standardised procedure (that is in line, eg, with the German Regulation on the Determination of the Mortgage Lending Value (Beleihungswertermittlungsverordnung)).

Differentiated processing principles
Differentiated processing principles should also be drawn up for transactions with hedge funds and private equity enterprises, eg with regard to procuring financial and other information, analysing the purpose and structure of the transaction that is to be financed, the nature of the collateral provided or analysing the counterparties’ capacity to repay. Differentiated processing principles should likewise be drawn up for foreign currency loans that take account of the particular risks involved in this loan type.

3 The experts entrusted with valuing real estate collateral must possess the necessary qualifications and experience and may not be involved in the loan origination process, in loan processing or in the loan decision. External appraisers can be used for these purposes. Potential conflicts of interest in connection with the valuation shall be ruled out. Appropriate rotation of the persons responsible for the valuation shall be ensured.

External valuations of real estate collateral
The institution shall have a panel of independent and qualified appraisers at its disposal to perform external valuations of real estate collateral. The external appraisers’ performance shall be reviewed and a decision made on this basis as to whether changes should be made to the panel of appraisers.

Independence of internal appraisers
At institutions for which establishing a separate unit for internal appraisers is disproportionate, the persons entrusted with valuations can process other exposures provided that they do not prepare any valuations for the cases they handle.

Rotation of the experts entrusted with valuations
A rotation should be performed if the expert entrusted with performing the valuation has made two consecutive individual appraisals of the same property.

4 If external appraisers are used to value real estate collateral, the institution must perform a plausibility check on the valuation and must include any own insights and information in the assessment.

5 All aspects material to the counterparty and credit risk of the credit exposure shall be identified and assessed, with the intensity of these activities depending on the riskiness of the exposures. Due account shall be taken of sectoral risk and, where applicable, country risk. Critical aspects of an exposure shall be highlighted and, where applicable, considered under various scenarios.

6 The use of external credit assessments shall not relieve the institution of its obligation to form its own opinion on counterparty and credit risk and to factor its own knowledge and information into the credit decision.

7 In the case of property/project financing, the institution shall ensure in the course of loan processing that not only the economic examination but also notably the technical feasibility and development as well as the legal risks associated with the property/project are included in the assessment. In this context, the institution may also draw on the expertise of an expert and competent organisational unit that is independent of the borrower. To the extent that external sources are used for these purposes, their qualification shall be reviewed beforehand. Inspections and the monitoring of building construction progress shall be carried out during the development phase of the project/property at intervals deemed necessary in terms of risk.

Property/project financing
Property/project financing refers to the financing of properties/projects where the repayments are drawn primarily from the income generated by the financed assets and not from the borrower's independent debt-servicing capacity.

Economic examination and technical feasibility
The economic examination may include aspects such as

  • project analysis,
  • funding structure/equity ratio,
  • collateral strategy, or
  • ex ante and ex post calculations.

Technical feasibility and development can also be taken into account by conducting inspections or monitoring building construction progress.

8 Depending on the riskiness of the credit transactions, the risks associated with an exposure shall be evaluated using a risk classification procedure, both in the context of the credit decision and in regular or ad hoc assessments. The risk score shall be reviewed annually.

Intensity of assessment
Annual risk assessments are required, eg by the German Commercial Code (Handelsgesetzbuch), also for low-risk exposures that would otherwise not be subject to the risk classification procedure. However, the assessment may be less intense in such cases and, for example, may be limited to validating the proper repayment of the loan by the borrower.

9 There should be a verifiable link between the risk score in the risk classification procedure and the terms and conditions of the loan.

10 The institution shall establish a procedure consistent with the credit approval structure that stipulates how breaches of limits shall be handled. To the extent acceptable in terms of risk, the requirements set forth in BTO 1.1 and BTO 1.2 may be implemented in a simplified manner on the basis of clear rules for breaches of limits as well as prolongations.

11 A procedure shall be put in place to monitor the timely submission of the requisite credit documentation and ensure its timely evaluation. A suitable reminder procedure shall be set up for outstanding documents.

12 The institution shall use standardised credit documents where this is possible and appropriate given the different types of transactions; the structure of the credit documents shall depend on the nature, scale, complexity and riskiness of the credit transactions.

13 Contractual agreements in credit business shall be concluded on the basis of legally validated documentation.

14 Legally validated standard texts shall be used for the individual loan agreements and updated on an event-driven basis. Where it is planned to deviate from the standard texts for a given exposure (eg in the case of customised agreements), legal validation shall be carried out by an organisational unit that is independent of the front office prior to concluding the agreement, to the extent deemed necessary in terms of risk.

Validation by a front office expert
Where it is planned to deviate from legally validated standard texts, validation of non-risk-relevant credit transactions may also be carried out by an expert from the front office.

BTO 1.2.1 Granting of loans

1 The process of granting loans encompasses the necessary operational steps up to the loan payout. All factors which are material for assessing the risk shall be analysed and assessed, taking particular account of the debt-servicing capacity of the borrower or the property/project, with the intensity of the assessment depending on the riskiness of the exposures (eg creditworthiness assessment, risk score in the risk classification procedure or an assessment based on a simplified procedure).

Foreign currency loans
Foreign currency loans should only be granted to borrowers whose creditworthiness has been assessed with a view to whether they are likely to be able to repay the loan also in the event that exchange rates and the foreign currency interest rate level develop particularly unfavourably.

Debt-servicing capacity
Taking particular account of the debt-servicing capacity essentially necessitates considering the individual borrower’s financial circumstances, whereby risks to the borrower’s future financial position and, if applicable, its liquidity position, must be factored into the analysis. The intensity of the assessment depends on the riskiness of the loan. Assessing debt-servicing capacity based on a simplified procedure does not, however, amount to a general waiver of such activities.

2 In the case of credit agreements for consumers relating to immovable property, likely future income fluctuations shall also be incorporated into the analysis of debt-servicing capacity. All the information pertaining to the granting of loans shall be documented in full and kept for the term of the loan.

3 As a general rule, the value and legal validity of collateral shall be reviewed prior to granting the loan. The valuation shall plausibly take into account any circumstances which have a bearing on the value and be substantiated in the assumptions and parameters. When reviewing the value of collateral, available collateral values may be relied on if there are no indications of any change in value.

Review of collateral value
In the context of granting and also, where appropriate, further processing a loan, the review of collateral value, depending on the type of collateral, above a certain threshold which the institution shall define in terms of risk, shall include an inspection of the property.

4 If the collateral value depends largely on the situation of a third party (eg a guarantee), the third party’s counterparty and credit risk shall be appropriately reviewed.

BTO 1.2.2 Further processing of loans

1 The further processing of loans includes monitoring the borrower’s compliance with the contractual agreements. In the case of special-purpose loans, the institution shall verify whether the funds provided are being used for the agreed purpose (verification of earmarked use).

2 Counterparty and credit risk shall be assessed annually, with the intensity of the assessments depending on the riskiness of the exposures (eg creditworthiness assessment, risk score in the risk classification procedure or an assessment based on a simplified procedure).
Bullet loans
In the case of bullet loans, the institution shall assess the borrower’s repayment capabilities, depending on the level of risk associated with the exposure, because continuous payment by the borrower of the interest amounts due is not sufficient reason to assume that the final bullet repayment of the loan will take place. The borrower’s repayment capabilities shall include eg an adequate assessment of the borrower’s financial situation, based on sufficient information and taking into account relevant factors such as the debt-servicing capacity and the overall indebtedness of the borrower, or the value of the property/the project.

3 The value and legal validity of collateral shall be monitored during further loan processing, based on the type of collateral. Above a certain threshold, which the institution shall define in terms of risk, the collateral shall be reviewed at appropriate intervals and revalued where necessary.

Use of market volatility concepts for real estate collateral
Since market volatility concepts can deliver no more than an initial indication of general events in a given market segment, they are not intended to be a sole reference point when monitoring the value of real estate collateral. As a supplementary measure, the institution shall itself observe the market and perform additional analyses for the collateral portfolio concerned and shall examine the extent to which the market volatility concept is representative for its own portfolio and, consequently, the properties for which it can be used.

4 Ad hoc reviews of exposures, including collateral, shall be promptly conducted at the very least whenever the institution obtains information from external or internal sources that indicates a material negative change in the risk assessment of the exposures or the collateral. Such information shall be promptly passed on to all of the organisational units that are to be involved.

BTO 1.2.3 Credit processing control

1 Process-related controls shall be put in place for loan processing in order to ensure compliance with the requirements of the organisational guidelines. The controls can also be carried out as part of the customary four-eyes principle.

2 Such controls shall particularly examine whether the credit decision was made in line with the established credit approval structure and whether the preconditions and/or requirements set out in the loan agreement were met before the loan was provided.

BTO 1.2.4 Intensified loan management

1 The institution shall specify criteria governing when an exposure shall be assigned to intensified loan management. Responsibility for the development and quality of these criteria and their regular review shall lie outside the front office.

Criteria for initiating intensified loan management
The institution may freely decide whether the criteria constitute an automatic trigger, or whether they are indicators which serve as a basis for the review. The aim is to swiftly identify problem exposures so as to enable suitable measures to be initiated as quickly as possible. The same applies to the criteria for subjecting exposures to problem loan treatment (BTO 1.2.5 number 1).

Exemptions from intensified loan management, recovery and resolution
As in applying the procedure for the early detection of risks, the institution may exempt certain types of credit transactions, depending on the riskiness of these transactions, or credit transactions below certain thresholds from intensified loan management and from recovery and resolution. Institutions may also waive intensified loan management or problem loan treatment if objective circumstances hinder access to the required data and the institution has consequently also opted not to set up a procedure for the early detection of risks (third-party-initiated business). The institution shall nonetheless ensure that it is notified of all material events concerning the borrower.

2 When exposures are transferred to intensified loan management, measures shall be taken and monitored with the aim of returning them to normal management.

Intensified loan management measures
Potential measures forming part of intensified loan management can include the following:

  • Intensified customer contact,
  • Close monitoring (eg using the watch list),
  • Intrayear analysis of the customer’s financial situation, or
  • Restructuring of exposures (eg refinancing, collateral enhancement).

3 Exposures that are subject to intensified loan management shall be reviewed at predefined intervals to determine what further treatment they require (further intensified loan management, return to normal loan management, initiation of recovery or resolution proceedings).

BTO 1.2.5 Treatment of problem loans

1 The institution shall define criteria governing the transfer of an exposure to, or the involvement of the staff or organisational units specialising in, recovery or resolution. Responsibility for the development and quality of these criteria and their regular review shall lie outside the front office. The main responsibility for the recovery or resolution process or for monitoring these processes shall lie outside the front office.

Criteria for initiating problem loan treatment
The above note on the criteria for initiating intensified loan management also applies to the criteria for initiating problem loan treatment (see BTO 1.2.4 number 1). When determining these criteria, due account must also be taken of the indicators for classification as non-performing exposures (NPEs). It must be ensured that the definition of NPEs is applied uniformly in all branches and establishments. The uniform application of these criteria to individual customers and within groups of connected clients must be ensured.

Review of non-standardised agreements in recovery cases
The requirement to have non-standardised agreements reviewed by a unit independent of the front office can be waived in recovery cases if the recovery is pursued by specialists whose expertise and experience enable them to draw up such contractual documents autonomously and without any additional independent review.

Votes on recovery loans and exposures in legacy portfolios
One vote from the back office is sufficient for decisions on recovery loans. The same applies to exposures in legacy portfolios, whereby the portfolios and the institution’s intention in each case shall be comprehensibly documented (eg in a legacy portfolio strategy).

NPE workout units
Institutions with high stocks of NPLs should establish specialised NPE workout units that are appropriate to their size, nature, complexity and risk profile, and should ensure that these units are separate from the loan origination process. The NPE workout unit shall be established outside the front office; it is also possible to assign it to the area responsible for the treatment of problem loans. If overlaps with the staff involved in loan origination are unavoidable, it must be ensured that conflicts of interest are avoided. When designing the NPE workout units, due account shall be taken of the specificities of the institution’s own NPE portfolios (eg retail banking, corporate banking), with sufficiently qualified staff specialised in NPE workouts being used to analyse the NPE portfolios concerned.

2 When exposures are transferred to recovery or resolution, the value of the collateral shall be reviewed and, where necessary, a new valuation determined from a realisation perspective shall be made. A review shall be performed at least annually, and due account shall be taken of material volatility and in particular of any significant decrease in the value of the collateral. Staff or, if necessary, external specialists with the requisite expertise shall be involved in the value review/valuation process.

Valuation from a realisation perspective
Valuations from a realisation perspective relate to exposures in resolution.
The value of the collateral shall be determined, generally starting from the fair value, by determining the probable liquidation proceeds, taking the expected liquidation costs and the expected liquidation period into account. The value of the collateral shall be discounted where necessary. Appropriate haircuts shall be applied when calculating it. The waiver or use of haircuts must be justified appropriately.

3 If the institution decides to keep an exposure in intensified loan management even though the criteria for initiating a recovery or resolution process are met and the exposure exhibits material non-performing features, it shall be ensured that the exposure’s counterparty and credit risk can be mitigated or limited. The procedure shall be coordinated with the staff specialised in recovery or resolution. Legal risks and the value of collateral shall be reviewed in this regard.

4 If an institution considers pursuing the recovery option, it shall require submission of a restructuring plan in order to assess the extent to which the borrower can be restructured and shall use this as a basis for making its own independent assessment of whether a recovery can be achieved.

5 The institution shall monitor the implementation of the restructuring plan and the impact of the measures taken.

6 In the case of significant exposures, the responsible members of the management board shall be regularly notified of the state of the restructuring process. If necessary, the institution may enlist the help of external specialists with the requisite expertise during the restructuring process.

7 If an exposure is to be liquidated, a liquidation plan shall be drawn up detailing suitable liquidation measures. The measures shall be monitored regularly. Staff or, if necessary, external specialists with the requisite expertise shall be involved in the collateral liquidation process.

Monitoring of liquidation measures
The institution should monitor the period needed to liquidate the collateral or to enforce a guarantee.

8 If an institution is considering foreclosing assets, it shall develop guidelines detailing how the collateral furnished is to be acquired. The guidelines shall also specify the intended holding period and procedures for the appropriate valuation and review of the assets acquired.

Foreclosures of assets
Foreclosures of assets are defined as the acquisition of collateral (eg real estate, means of transport) that is subsequently disclosed as assets on the institution’s balance sheet.

9 As part of the monitoring of non-performing exposures, the institution shall set out suitable maximum periods for the treatment of secured and unsecured NPEs that ensure that stocks of non-performing exposures are reduced within an appropriate period.

Monitoring of non-performing exposures
The institution shall assess the extent to which non-performing exposures that are in long-term arrears can be collected. A check shall be made in this context as to whether sufficient provisions have been established. The institution shall observe the supervisory requirements (eg CRR) when determining the maximum periods and the minimum coverage for secured and unsecured NPEs.

BTO 1.2.6 Risk provisioning

1 The institution shall define criteria on the basis of which, taking due account of the accounting standards used, write-downs, impairments and provisions for credit business (including country risk provisions) shall be formed (eg an internal claim valuation procedure). A review of the collateral or, where necessary, a new valuation shall be performed when determining the risk provisions required.

2 The necessary risk provisions shall be calculated and updated in a timely manner. Should substantial risk provisions be required, the management board shall be notified promptly.

3 The institution shall regularly back-test the risk provisioning methods and procedures so as to avoid as far as possible differences arising between the impairments recognised and the actual losses incurred in the period until the exposure is written off in full.

BTO 1.3 Requirements relating to the procedure for the early detection of risks and the treatment of forbearance

BTO 1.3.1 Procedure for the early detection of risks

1 The procedure for the early detection of risks serves, in particular, to identify in good time borrowers whose exposures are starting to show signs of heightened risk. The aim is to enable the institution to initiate countermeasures (eg to implement forbearance measures or perform intensified loan management of exposures) as early as possible.

2 To this end, the institution shall develop early risk identification indicators based on quantitative and qualitative risk features.

3 The institution may exempt certain types of credit business, to be defined in terms of risk, or credit transactions below certain size thresholds from the procedure for the early detection of risks. The function of early detection of risks may also be performed by a risk classification procedure, provided that it allows risks to be detected at an early stage.

Exemptions for loans via a principal bank
The requirement to establish a procedure for the early detection of risks may be waived if objective circumstances hinder access to the requisite early risk detection data. This may be assumed where credit transactions are initiated via, and subsequently managed by, a third-party institution (eg the principal bank (Hausbank) in the credit business of development banks (Förderbanken) or of banks mainly granting bank guarantees (Bürgschaftsbanken)). The institution providing the credit must nonetheless ensure that it is notified of any material events concerning the borrower.

Risk classification procedure and early detection of risks

A risk classification procedure shall notably contain the following components, in due consideration of the operational needs, if it is to simultaneously serve as a procedure for the early detection of risks:

  • The procedure’s underlying indicators (eg account turnover, cheque returns) should be able to detect impending risks early (“indicator-based component”),
  • the indicators should facilitate the ongoing detection of impending risks (“period-based component”), and
  • signals provided by the early risk detection procedure should also swiftly trigger suitable measures by the institution (eg intensified customer contact, acceptance of new collateral, suspension of repayments) to minimise the potential that risks may materialise as losses (“process-based component”).

BTO 1.3.2 Treatment of forbearance

1 When defining the criteria to be used for the transfer to intensified loan management or problem loan treatment, the institution shall also take due account of exposures to which forbearance measures apply. The objective of forbearance measures is a return to a sustainable, performing repayment status.

Definition of forbearance
Forbearance is defined in accordance with the definition used in supervisory reporting.

2 Guidelines shall be implemented for forbearance measures that contain at least the following points:
(a) The processes and procedures for granting forbearance measures, including responsibilities and decision-making,
(b) A description of the available forbearance measures, including measures embedded in contracts,
(c) Information requirements for assessing the viability of the measures,
(d) Documentation of the measures granted,
(e) The process and metrics for monitoring their effectiveness.

Forbearance guidelines
The guidelines can also include standardised forbearance solutions, eg for homogeneous portfolios of less complex exposures.

3 The institution shall establish criteria for the appropriate classification and, if necessary, transfer of forborne exposures to the non-performing or performing categories.

Forborne exposures
An exposure can be classified as forborne if the borrower is in financial difficulties and concessions are made as a result.

A suitable cure period shall be observed when reclassifying forborne and non-performing exposures. An assessment of the borrower’s financial situation is required before any change to or reclassification of the status is made. When classifying the exposure, a distinction can be made between non-performing forborne exposures, performing forborne exposures and non-performing exposures. A forborne exposure shall be classified as non-performing if one of the following criteria applies:

  • The forborne exposure is supported by an inadequate payment plan,
  • It includes contract terms that delay the time for the regular repayment instalments on the transaction in such a way that its assessment for a proper classification is hindered, such as when a grace period of more than two years for the repayment of the principal is granted, or
  • Amounts are derecognised.

When reviewing whether to exit exposures from non-performing status, the impact of such an exit on other exposures of the borrower that are not the subject of forbearance measures must also be considered. The existence of contract terms that extend the repayment period for existing non-performing exposures should confirm the classification of the forborne exposures as non-performing.

4 The assessment of a borrower’s financial difficulties that is required for the purpose of implementing forbearance measures shall be based solely on the borrower’s situation and shall not take any collateral provided or guarantees into account.

Changes to contract terms
The institution shall assess the borrower’s financial situation if changes to the contract terms impact the latter’s payment performance. A distinction shall be made between renegotiations with borrowers that are not in financial difficulties and forbearance measures granted to borrowers in financial difficulties.

5 The institution shall distinguish between viable forbearance measures contributing to reducing the borrower’s exposure and non-viable forbearance measures. Both short-term and long-term forbearance measures can be considered, depending on the nature and duration of the loans; however, the implementation period for short-term measures should not exceed a maximum of two years.

Assessing the viability of forbearance measures
When assessing the viability of forbearance measures, the institution shall take due account of the following factors in particular:
a) The borrower’s repayment ability and hence debt-servicing capacity,
b) A reduction in the borrower’s balance is expected in the medium to long term,
c) Forbearance measures with a short-term time horizon are applied temporarily, to the extent that it is reasonably expected that the borrower will have the ability to repay the original or modified amount commencing from the expiry date of the short-term temporary arrangement,
d) The measure does not result in multiple consecutive forbearance measures having been granted to the same exposure.

6 The institution shall monitor at appropriate intervals the process for granting forbearance measures and the effectiveness of the measures granted.

Monitoring of forbearance measures
The following metrics can be used for monitoring, depending on the portfolio and the nature of the forbearance measures:
a) Forbearance cure rate,
b) Cash collection rate from forborne exposures,
c) Partial write-offs that may result from granting a forbearance measure.

BTO 1.4 Risk classification procedures

1 Each institution shall set up informative risk classification procedures for the initial, regular or ad hoc assessment of counterparty and credit risk and, where appropriate, property/project risk. Criteria shall be specified that ensure the logical and transparent assignment to a risk category without undue delay as part of the risk assessment procedure.

2 Responsibility for the development and quality of the risk classification procedures, and for monitoring their application, shall lie outside the front office.

3 Core indicators for determining counterparty and credit risk in the risk classification procedure shall include not only quantitative criteria but also, where possible, qualitative criteria. Special consideration shall be given to the borrower’s ability to generate future income streams with which to repay the loan.

4 The classification procedures shall be appropriately incorporated into the credit business processes and, where appropriate, into the credit approval structure.

BTO 2 Trading

1 This module sets out requirements regarding the organisational and operational structure in trading.

BTO 2.1 Segregation of duties

1 The core principle applying to the structuring of trading processes is to ensure the clear organisational segregation of trading from the risk control function and from the settlement and control functions, up to and including the management board level.

Customer advisors
It is compatible with this Circular for customer advisors to forward customer orders to trading within a given limit for pricing purposes. They should not fix prices and rates independently or build up their own positions.

2 An institution may simplify the principle of segregation up to and including the management board level if the whole of its trading is focused on trades which may be considered immaterial in terms of risk (“non-risk-relevant trading”).

Non-risk-relevant trading
This simplified implementation may be applied if the following conditions, taken together as a whole, are met:

  • the institution applies or can apply the simplified implementation offered under Article 94 (1) CRR (non-trading book institution),
  • trading is focused on long-term assets or the liquidity reserve,
  • the volume of trading is small relative to the total business volume,
  • trading has a simple structure, and the positions have a low level of complexity, volatility and riskiness.

The above conditions do not have to be met cumulatively. The determining factor is the overall view, ie taking account of the above factors and their respective weight in each case. Where an institution applies this simplified implementation, organisational segregation may likewise be waived with respect to duties independent of trading, eg their assignment to different units. However, activities that are not compatible with each other must be performed by different staff members (AT 4.3.1 number 1). Hence staff members tasked with trading must generally not be given responsibility for duties independent of trading.

Simplified implementation for small institutions and very limited trading

If it is not possible to segregate duties in trading owing to the institution’s small size, the proper conduct of trading must be ensured through the direct involvement of the management board. If an institution engages in trading only on a very limited scale, such that there would be insufficient work for one staff member, the requirement to segregate duties may be met through temporary assignment to other staff members who are otherwise not tasked with trading.

BTO 2.2 Requirements relating to trading processes

BTO 2.2.1 Trading

1 When trades are concluded, the terms and conditions, including any covenants, shall be agreed in full. The institution shall use standardised contract texts insofar as this is possible and appropriate with respect to the types of transaction in question. Internal trades shall be concluded only on the basis of clear regulations.

Internal trades
Internal trades within the meaning of this Circular are trades within a legal entity which serve to transfer risk between individual organisational units or sub-portfolios (eg trades between an institution’s own branches, organisational units or portfolios). It shall be ensured that the requirements applying to external trades are correspondingly adhered to in internal trades.

2 As a general rule, trades that do not conform to usual market conditions shall not be permitted. Exceptions to this may be made in individual cases if
(a) they are made at the customer’s request, they are objectively justified, and the deviations from usual market conditions are clearly shown in the transaction documentation,
(b) they are made on the basis of internal rules detailing the types of transaction, the range of customers, the scope and the structure of these trades, and
(c) significant deviations are reported to the management board.

Documenting deviations from usual market conditions
Deviations from usual market conditions that are to be documented in the transaction documentation are generally documented by disclosing them to the customer in the trade confirmation.

3 The conclusion of transactions outside the business premises shall be permissible only insofar as this is allowed by internal rules. In particular, these rules shall specify the authorised individuals, as well as the purpose, scope and recording of such transactions. Prompt confirmation in suitable form (eg written or electronic) shall be requested from the counterparty in the case of trades that are not entered directly in a settlement or confirmation system used by the bank. Such trades shall be promptly reported by the trader in a suitable form to his/her own institution. All transactions concluded outside the business premises must be flagged and brought to the notice of the responsible member of the management board, or of an organisational unit authorised by the latter, using suitable reports at the latest on the working day following the transaction date.

4 An audio recording shall be made of traders’ transaction conversations and kept for at least three months.

5 Trades shall be promptly recorded after conclusion of the trade together with all the relevant transaction data, included in the calculation of the relevant position (updating of positions) and passed on to the settlement office together with all the documentation. Transaction data may also be passed on automatically via a settlement system.

Transaction data
Relevant transaction data include the transaction type, volume, terms and conditions, maturity, counterparty, date, time, trader, consecutive transaction number and covenants.

6 Where transactions are recorded directly in the IT systems, it shall be ensured that a trader can enter trades only under his/her own trader ID. It shall be ensured that the date and time of recording as well as consecutive transaction numbers are generated automatically and cannot be altered by the trader.

7 Trades concluded after the cut-off time for settlement (late trades) shall be flagged as such and shall be included in the calculation of that day’s positions (including subsequent settlement) if they lead to material changes. Transaction data and documentation relating to late trades shall be promptly passed on to an organisational unit outside trading.

Duty to flag late trades
Late trades do not have to be flagged separately if a fixed timeframe is defined for the settlement cut-off time and a late trade is thus readily identifiable from the time or, where appropriate, time zone in which it is concluded.

8 Prior to the conclusion of trading contracts, in particular in the case of master agreements, netting agreements and collateral agreements, an organisational unit that is independent of trading shall determine whether, and to what extent, the agreements are legally enforceable.

9 Staff who are organisationally assigned to trading shall be authorised signatories for transaction accounts only jointly with staff from an organisational unit that is independent of trading.
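Numbers 6 and 7 above describe integrity controls on the trade record that a capture system has to enforce technically rather than by instruction: the trader identity is bound to the authenticated session, the recording time and the consecutive transaction number are generated by the service and cannot be touched by the trader, and with a fixed cut-off the late flag follows from the recording time alone. The following Python sketch is an added example and is not part of the MaRisk text or of any institution's system; the 17:00 cut-off, the class and field names, the trader and counterparty identifiers and the two sample trades are assumptions made for the illustration.

```python
"""Added example (not part of the MaRisk text): a minimal trade-capture service that
enforces the integrity controls of BTO 2.2.1 numbers 6 and 7. The trader ID is taken
from the authenticated session, never from the submitted payload; the recording time
and the consecutive transaction number are assigned by the service and cannot be
altered afterwards; trades recorded after a fixed settlement cut-off are flagged as
late. The cut-off time, the names and the sample trades are assumptions."""
import itertools
from dataclasses import FrozenInstanceError, dataclass
from datetime import datetime, time
from typing import Callable, Dict, List, Optional

# Assumption: the institution has fixed the settlement cut-off at 17:00 local time, so a
# late trade is identifiable from the recording time alone (note on the duty to flag).
SETTLEMENT_CUTOFF = time(17, 0)

# Fields only the service may set. A payload carrying them is refused rather than
# silently overwritten, so an attempt to backdate or renumber a trade stays visible.
SERVICE_OWNED_FIELDS = frozenset({"txn_no", "recorded_at", "late"})


@dataclass(frozen=True)
class Session:
    """Authenticated trading session; trader_id comes from the login, not from the form."""
    trader_id: str


@dataclass(frozen=True)  # frozen: assigning to any field raises FrozenInstanceError
class TradeRecord:
    txn_no: int            # consecutive number assigned by the service
    recorded_at: datetime  # date and time of recording assigned by the service
    trader_id: str         # bound to the session that entered the trade
    trade_type: str
    counterparty: str
    volume: float
    maturity: str
    late: bool             # recorded after SETTLEMENT_CUTOFF


class TradeCaptureError(Exception):
    pass


class TradeCapture:
    def __init__(self, clock: Optional[Callable[[], datetime]] = None) -> None:
        # The clock is injectable only so the example runs deterministically; in
        # production it is the server's trusted clock, never a client-supplied time.
        self._clock = clock or datetime.now
        self._seq = itertools.count(1)      # consecutive, never reused
        self._book: List[TradeRecord] = []

    def record(self, session: Session, payload: Dict[str, object]) -> TradeRecord:
        # Control 1: a trader can enter trades only under his/her own trader ID.
        if payload.get("trader_id", session.trader_id) != session.trader_id:
            raise TradeCaptureError("trade must be entered under the session's own trader ID")
        # Control 2: service-owned integrity fields may not come from the client at all.
        owned = SERVICE_OWNED_FIELDS.intersection(payload)
        if owned:
            raise TradeCaptureError(f"payload may not set service-owned fields {sorted(owned)}")
        now = self._clock()
        rec = TradeRecord(
            txn_no=next(self._seq),
            recorded_at=now,
            trader_id=session.trader_id,
            trade_type=str(payload["trade_type"]),
            counterparty=str(payload["counterparty"]),
            volume=float(payload["volume"]),
            maturity=str(payload["maturity"]),
            late=now.time() > SETTLEMENT_CUTOFF,
        )
        self._book.append(rec)
        return rec

    def book(self) -> List[TradeRecord]:
        return list(self._book)

    def late_trades(self) -> List[TradeRecord]:
        """Late trades, to be passed promptly to a unit outside trading (number 7)."""
        return [t for t in self._book if t.late]

    def sequence_intact(self) -> bool:
        """Gap-free consecutive numbering is itself a control: a gap or a duplicate means
        a record was removed or inserted behind the service's back."""
        return [t.txn_no for t in self._book] == list(range(1, len(self._book) + 1))


def alteration_blocked(rec: TradeRecord) -> bool:
    """True if an attempt to change the transaction number after recording is refused."""
    try:
        rec.txn_no = 0  # type: ignore[misc]
    except FrozenInstanceError:
        return True
    return False


def demo() -> TradeCapture:
    """Constructed sample: trader T-017 books one trade before and one after the cut-off."""
    ticks = iter([datetime(2021, 8, 16, 16, 30), datetime(2021, 8, 16, 17, 5)])
    capture = TradeCapture(clock=lambda: next(ticks))
    session = Session(trader_id="T-017")
    capture.record(session, {"trade_type": "FX spot", "counterparty": "Bank A",
                             "volume": 5_000_000, "maturity": "2021-08-18"})
    capture.record(session, {"trade_type": "IRS", "counterparty": "Bank B",
                             "volume": 25_000_000, "maturity": "2026-08-16"})
    return capture


if __name__ == "__main__":
    cap = demo()
    for t in cap.book():
        print(t.txn_no, t.recorded_at.isoformat(), t.trader_id, t.trade_type, "LATE" if t.late else "")
    print("sequence intact:", cap.sequence_intact())
```

Two design points carry the control value here. Refusing a payload that carries service-owned fields, instead of quietly overwriting them, turns every backdating or renumbering attempt into a rejected request that can be logged and reviewed outside trading. And the gap-free sequence check is cheap enough for the settlement office or internal audit to run over the whole book, which is what makes the consecutive number a control rather than just a label.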

10 The institution shall ensure by means of suitable measures that traders’ responsibility for specific positions is annually transferred to another employee for an uninterrupted period of at least ten trading days. During this period, the institution shall ensure that an absent trader does not access the positions for which he/she is responsible.

BTO 2.2.2 Settlement and control

1 Based on the transaction data received from trading, the settlement office shall issue the trade confirmations or contract notes and carry out subsequent settlement tasks.

Settlement systems
Depending on their nature, scale, complexity and riskiness, trades shall generally be settled electronically; existing settlement systems shall be used as far as possible.

2 As a general rule, trades shall be promptly confirmed in suitable form (eg in writing or electronically). The confirmation shall include the required transaction data. If the trade is transacted via a broker, the broker shall be named. The prompt receipt of the reconfirmations shall be monitored, whereby it must be ensured that incoming reconfirmations are sent first and directly to the settlement office and are not addressed to trading. Missing or incomplete reconfirmations shall be promptly claimed, unless all parts of the trade in question have been duly executed.

Reconfirmations for foreign trades
If reconfirmations cannot be obtained, the institution must verify the existence and details of the transaction in another suitable manner.

Confirmation procedure for complex products
If the master agreements for complex products stipulate that only one of the two parties draws up the contract, ad hoc (short-form) confirmation from both parties and preparation of the (long-form) contract by the relevant party once all the details have been clarified are sufficient.
Ad hoc confirmation should include the material information on the agreed trade.

Agreements relating to the confirmation process
The confirmation process within master agreements may specify that silence following expiration of a previously agreed deadline shall be taken to indicate reconfirmation.

Cancellations and amendments
Particular attention should be paid in the cancellation and amendment procedures to an accumulation of cancellations or amendments by individual staff members or in certain trades.

3 The confirmation procedure may be waived where trades are recorded in a settlement or confirmation system which ensures automatic matching of the relevant transaction data and executes trades only if the data match (matching). Where there is no automatic matching of the relevant transaction data, the confirmation procedure may be waived if the settlement or confirmation system allows both counterparties to access the transaction data at any time and if the control of these data is verified.

Confirmation process for OTC derivatives
In the case of transactions in OTC (over-the-counter) derivatives, a confirmation pursuant to Art. 11(1)(a) of Regulation (EU) No 648/2012 (EMIR) is sufficient to the extent that it is issued independently of trading and the duty to report the transaction to a transaction register (trade repository) is complied with. Both counterparties must be able to access the settlement data in the transaction register at all times. The institution must access the data and must document this.

4 Trades shall be subject to ongoing control. In particular, it shall be controlled whether
(a) the transaction documentation is complete and quickly available,
(b) the information supplied by traders is correct and complete and matches the details on broker confirmations, printouts from trading systems or the like, where these are available,
(c) the transactions are within the defined limits with respect to their type and scope,
(d) usual market conditions have been agreed, and
(e) any deviations from prescribed standards (eg master data, delivery channels, payment methods) are agreed.
Amendments to and cancellations of transaction data or bookings shall be controlled outside trading.

Automatic forwarding to the settlement office
Controls (a) and (b) may be waived if the transaction data entered by the traders are forwarded to the settlement office automatically and without the possibility of further intervention by the traders.

5 Suitable procedures shall be established for verifying the market conformity of transactions, where applicable differentiated according to transaction type. The member of the management board responsible for verifying market conformity shall be notified promptly if, in deviation from BTO 2.2.1 number 2, trades are concluded which do not conform to usual market conditions.

Note on verifying market conformity
For liquid spot, future and forward instruments, verification may take the form of sample checks, provided such checks are acceptable in terms of risk. Verification of market conformity can be waived in the case of trades executed directly or via third parties (eg via a correspondent bank) on an exchange or on another organised market. The following lists can be used to identify the markets which may be regarded as exchanges or other organised markets within the meaning of this requirement:

  • The overview of exchanges or other regulated markets in EU member states and in the other signatories to the Agreement on the European Economic Area published by the European Securities and Markets Authority (ESMA) (accessible as at the time of publication of this Circular at: https://registers.esma.europa.eu/publication/searchRegister?core=esma_registers_upreg using “Entity type: Regulated market” or “Entity type: Multilateral Trading Facility”).

  • The list of authorised exchanges and of other organised markets pursuant to section 193 (1) numbers 2 and 4 of the German Capital Investment Code (Kapitalanlagegesetzbuch) for such markets in countries outside the EU member states and outside the other signatories to the Agreement on the European Economic Area (BaFin interpretation of 16 February 2011; accessible as at the time of publication of this Circular at: https://www.bafin.de/SharedDocs/Veroeffentlichungen/DE/Auslegungsentscheidung/WA/ae_080208_boersenInvG.html, only available in German).

Verification of market conformity cannot be waived in the case of organised trading facilities (OTFs), due to the lower level of requirements applicable there. In the case of first-time purchases of newly issued securities, market conformity may be verified more simply, depending on the nature and structure of the business. For instance, where a security is issued via public auction/bid, market conformity may be verified simply by ensuring that the issue price has been settled correctly. The task of verifying market conformity shall also cover internal trades. Exceptions to this are possible, subject to the corresponding conditions set out in BTO 2.2.1 number 2.

6 Any discrepancies and incongruities identified during settlement and control shall be clarified promptly under the main responsibility of an organisational unit which is independent of trading. The institution shall establish suitable escalation procedures for any discrepancies and incongruities that cannot be plausibly clarified.

7 The positions calculated in trading shall be regularly matched with the positions in the downstream processes and functions (eg settlement office, accounting unit). The matching operations shall also cover dormant portfolios and dummy counterparties. Particular attention shall be paid to the matching of intermediate and suspense accounts. Any incongruities concerning these accounts shall be clarified promptly.

Audit trail
To ensure appropriate matching processes, the institution may have to establish processes and procedures which enable the full history of positions and cash flows to be verified at any time (audit trail).

BTO 2.2.3 Capturing in risk control

1 Trades, including covenants that generate positions, shall be promptly captured in risk control.

Capturing in risk control
This is without prejudice to the ability to access data from the accounting unit for risk control purposes.

BTR Requirements relating to risk management and risk control processes

1 This module sets out specific requirements for risk management and risk control processes (AT 4.3.2), taking account of risk concentrations, in respect of
  (a) counterparty and credit risk (BTR 1),
  (b) market risk (BTR 2),
  (c) liquidity risk (BTR 3), and
  (d) operational risk (BTR 4).

BTR 1 Counterparty and credit risk

1 The institution shall take suitable steps to ensure that counterparty and credit risk and associated risk concentrations can be limited in relation to its internal capital adequacy.

Counterparty and credit risk concentrations
These comprise counterparty and sectoral concentrations, regional concentrations and other concentrations in credit business which, in relation to the available financial resources (risk coverage potential), could lead to considerable losses (eg concentrations with regard to borrowers, products or underlyings of structured products, to sectors, distributions of exposures across size and risk classes, collateral and, where appropriate, countries and other highly correlated risks).

2 No credit transaction may be concluded without a borrower-related limit (single borrower limit, connected-clients borrower limit), ie without a credit decision.

3 As a general rule, trades may be concluded only with contracting parties for whom counterparty limits have been agreed. All trades with a given counterparty shall be counted towards the specific limit applying to that counterparty. Replacement risk and settlement risk shall be included in calculating the level of utilisation of counterparty limits. The individuals responsible for the positions shall be promptly informed of the limits that apply to them and their current utilisation level.

Counterparty limits
Exempted from this are exchange-traded transactions and spot transactions in which the countervalue has been delivered or has to be delivered on a delivery-versus-payment basis or for which corresponding cover has been provided.

4 In addition, issuer limits shall generally be set for trading. Where trading does not yet have issuer limits, they may be agreed at short notice for trading purposes on the basis of clear rules, without first having to perform the respective full processing procedure defined in terms of risk. The respective processing procedure must have been performed within three months at the latest. The applicable rules shall take due account of risk aspects. They shall be consistent with the objectives set out in the institution’s strategies.

Recognition of the issuer’s specific risk
Setting a separate limit for the issuer’s counterparty and credit risk may be waived if the issuer’s specific risk has been duly taken into account in setting the market risk limit using appropriate procedures. Due account must be taken of risk concentrations.

Liquid credit products (eg loan trading)
Counterparty or issuer limits must be set in accordance with this Circular prior to commencing trading in liquid credit products which are traded on the secondary markets like securities. The simplified implementation set forth in number 4 may be applied when setting issuer limits.

Short-term issuer limits for trading purposes
Counting trades towards issuer limits that have been granted at short notice is sufficient provided that such issuer limits have been derived from the internal capital adequacy calculation and the corresponding limit system, and that sufficient risk coverage potential exists. No predefined processing procedure needs to be triggered or executed if securities in the trading book do not remain with the institution for longer than three months. If the securities remain for longer or such a longer stay is foreseeable, the predefined processing procedure shall be triggered promptly and must have been completed after three months at the latest. In the case of transactions for the banking book, the predefined processing procedure should have been performed in its entirety before the trade is executed. However, if the issuer is not yet known at the time of acquisition of the securities for the banking book due to technical trading processes, particularly for new issuances, the processing procedure should be triggered promptly at the latest once the issuer becomes known.

5 Transactions shall be promptly counted towards the borrower-related limits. Compliance with the limits shall be monitored. Any breaches of the limits and, where appropriate, the measures taken in response shall be documented. Breaches of counterparty and issuer limits above a level defined in terms of risk shall be reported daily to the responsible members of the management board.

6 Risk concentrations shall be identified. Due account shall be taken of any interdependencies. The assessment of risk concentrations shall be based on qualitative and, where possible, quantitative procedures. Risk concentrations shall be managed and monitored using suitable procedures (eg limits, traffic light systems or other precautionary measures).

Interdependencies
Interdependencies may occur, inter alia, as economic dependencies or legal dependencies between enterprises.

7 The institution shall ensure that proceeds from the liquidation of credit exposures and the related historical values of the credit collateral are recorded appropriately in a recovery rate documentation. The experience gained from the recovery rate documentation shall be appropriately taken into consideration when managing counterparty and credit risk.

Recovery rate documentation
This also includes recovery rates from foreclosed assets.

BTR 2 Market risk

BTR 2.1 General requirements

1 A limit system shall be established, based on the institution’s internal capital adequacy, in order to limit market risk, taking due account of risk concentrations.

Structure of BTR 2
In BTR 2.1 the Circular sets out general requirements that apply to all types of market risk (including interest rate risk in the banking book). BTR 2.2 complements BTR 2.1, adding rules which apply to market risk in the trading book. BTR 2.3 sets out simplified implementation for market risk in the banking book.

Market risk
Market risk includes the following:

  • price/rate risk,
  • interest rate risk,
  • foreign exchange risk, and
  • market risk arising from commodities business (including electricity derivatives and CO2 emission certificates).

However, market risk arising from traditional commodities business conducted by mixed-activity credit cooperatives should be disregarded. Market-related risk which results from a change in a counterparty's creditworthiness (eg specific position risk or potential changes in credit spreads) or which is attributable to market liquidity must be adequately covered by the risk management and risk control processes.

2 No transaction subject to market risk shall be concluded without a market risk limit.

3 The procedures for assessing market risk shall be reviewed regularly. Such reviews shall examine whether the procedures produce robust results also in the event of severe market disruptions. Alternative valuation methods shall be defined for material positions in the event that market prices are unavailable, out of date or distorted for a prolonged period.

4 Regular plausibility checks shall be conducted on the outcomes calculated by the accounting and risk control units.

BTR 2.2 Market risk in the trading book

1 Measures shall be taken to ensure that trading book transactions subject to market risk are promptly counted towards the relevant limits and that the person responsible for the position is kept up to date concerning the limits relevant for him/her and their current level of utilisation. Suitable measures shall be taken in the event that limits are exceeded. An escalation procedure shall be initiated, where applicable.

2 Trading book positions subject to market risk shall be valued daily.

3 A trading book result shall be calculated daily. The current risk positions shall be aggregated into overall risk positions at least once a day at the close of business.

4 The results of the quantified risk amounts derived from models shall be compared with the actual outcomes on an ongoing basis.

BTR 2.3 Market risk in the banking book (including interest rate risk)

1 Banking book positions subject to market risk shall be valued at least once a quarter.

2 A banking book result shall likewise be calculated at least once a quarter.

3 Suitable measures shall be taken to ensure that limit breaches due to interim changes in risk positions can be avoided.

4 Depending on the nature, scale, complexity and riskiness of the banking book positions, daily, weekly or monthly valuation, result calculation and risk reporting may also be necessary.

5 The procedures for assessing interest rate risk in the banking book shall capture the material features of interest rate risk.

Treatment of interest rate risk in the banking book
The institution is basically free to decide in what way it will manage interest rate risk in the banking book. Interest rate risk may be treated either separately in the trading book and in the banking book or in an integrated manner at the level of the institution as a whole (taking due account of the daily valuation of risk positions and daily profit/loss calculation that is mandatory for the trading book).

Positions to be included
The on-balance-sheet and off-balance-sheet positions in the banking book which are subject to interest rate risk shall be included in the assessment.

6 The calculation of interest rate risk may be based on the impact of interest rate changes on the institution’s profit and loss as recorded in the financial statements or on the market or present values of the relevant positions as the procedure that is of primary relevance to risk management. Due account shall be taken of the impact of the respective alternative risk management perspective. If this results in further interest rate risk on a significant scale, this shall be taken into account in the risk management and control processes as well as in the assessment of internal capital adequacy. Where the calculation of interest rate risk is based on the impact on profit and loss as recorded in the financial statements, developments after the balance sheet date shall be duly taken into account.

Monitoring developments after the balance sheet date when applying an earnings-based approach
Monitoring developments after the balance sheet date takes account of the fact that there is generally a time lag before interest rate risk has an impact on the profit and loss as recorded in the financial statements. The length of the monitoring period should be chosen with due regard to the individual portfolio structure. The appropriate monitoring period could be gauged, for example, by the average interest rate maturity for on-balance-sheet and off-balance-sheet positions included in the calculation.

7 Appropriate assumptions shall be specified regarding the inclusion of positions with an indeterminate capital or interest rate lock-in period (non-maturity positions).

Non-maturity positions (positions with an indeterminate capital or interest rate lock-in period)
Non-maturity positions may comprise, for example,

  • positions where the behavioural interest rate maturity differs from the contractual interest rate maturity (mainly sight deposits and savings deposits), or
  • optional components (eg deposits with notice terms, loan prepayment features, repayment options).

Equity components that are available to the institution for an indefinite period must not be included in the economic-value calculation of interest rate risk.

8 Institutions that incur material interest rate risk in different currencies shall calculate the interest rate risk in each of these currencies.

BTR 3 Liquidity risk

BTR 3.1 General requirements

1 The institution shall ensure that it can meet its payment obligations at all times. In doing so, the institution shall, if necessary, also take measures to manage intraday liquidity risk. Sufficient diversification of funding sources and of the liquidity buffers shall be ensured. Concentrations shall be effectively monitored and limited.

Institutional network solutions (Verbundlösungen)
The requirement in sentence 3 may also be fulfilled via existing institutional network or group structures.

Diversification of funding sources and of the liquidity buffers
Possible key criteria for diversification are, for example, counterparties or issuers, products, maturities and regions.

Intraday liquidity risk
Intraday liquidity risk may arise, in particular, when using real-time settlement and payment systems.

2 The institution shall ensure that any imminent liquidity shortfall is identified early. It shall implement appropriate procedures and review their suitability regularly and at least once a year. The impact of other risks (eg reputational risk) on the institution’s liquidity shall be taken into account in such procedures.

3 The institution shall draw up one or more informative liquidity overviews for an appropriate period listing the anticipated inflows and outflows of funds. The liquidity overviews shall be suitable for modelling the liquidity position in the short, medium and long-term horizon. This shall be appropriately reflected in the specified assumptions on which inflows and outflows of funds are based and in the breakdown into time buckets. The liquidity overviews shall take due account of the usual volatility in payment flows that also occurs in normal market phases.

Assumptions about inflows and outflows of funds
The assumptions should also take account of any drawdowns on liquidity and credit lines which the institution has made available to third parties.

4 The institution shall continuously review its ability to cover any liquidity needs that may arise, including in a tense market environment. The review shall focus among other aspects particularly on asset liquidity. The institution shall regularly verify that it has permanent access to the funding sources that are relevant to it. The institution shall maintain sufficient sustainable liquidity buffers (eg highly liquid, unencumbered assets) to cover any deteriorations in the liquidity position that may occur in the short term.

Calculation of the liquidity buffers
The liquidity buffers shall be calculated in such a way that any liquidity needs that may occur either in normal market phases or in predefined stress scenarios can be bridged entirely by the liquidity buffers.

Recognition of asset encumbrance
The procedures for managing and assessing liquidity risk shall also ensure that the amount, nature, scale and development of encumbered assets are identified swiftly and reported to the management board. Due account shall be taken of the impact of stress scenarios. The liquidity contingency plan (number 9) shall also take due account of asset encumbrance.

5 The institution shall set up a suitable internal allocation system for liquidity costs, benefits and risks. The design of this allocation system shall depend on the nature, scale, complexity and riskiness of the institution’s business activities as well as its funding structure. The allocation system for liquidity costs, benefits and risks shall be approved by the management board.

Simplified implementation for granular customer business
Institutions with predominantly granular customer business on both the asset and the liability side and stable funding may also comply with the requirements by means of a simple allocation system.

6 Large institutions with complex business activities shall establish a liquidity transfer pricing system in order to allocate internally and in line with the point of origination the respective liquidity costs, benefits and risks. The determined transfer prices shall be factored into the integrated performance and risk management via allocation at transaction level wherever possible. This shall apply both to on-balance-sheet and off-balance-sheet business activities. The institution shall take account of the assets’ holding period and market liquidity when determining the relevant transfer prices. It shall make appropriate assumptions in the case of uncertain cash flows. The costs of maintaining the requisite liquidity buffers shall also be factored into the liquidity transfer pricing system.

Liquidity transfer pricing system
A liquidity transfer pricing system within the meaning of this requirement is a special type of the allocation system described in number 5 and is typically characterised by internal allocation of costs, benefits and risks by means of centralised transfer pricing.

Allocation in line with the point of origination
In a liquidity transfer pricing system, costs, benefits and risks shall be allocated at transaction level wherever possible; products and transactions with similar liquidity features may be aggregated.

7 Responsibility for the development and quality as well as the regular review of the liquidity transfer pricing system shall be assigned to an organisational unit that is independent of the front office and trading. The current liquidity transfer prices shall be made transparent to the staff concerned. The consistency of the liquidity transfer pricing systems used within the group shall be ensured.

8 Appropriate liquidity risk stress tests shall be conducted regularly. Both institution-specific (idiosyncratic) and market-wide causes of liquidity risk shall be incorporated into the analysis, and the stress tests shall also encompass both aspects in combination. The institution shall define the stress tests individually. The stress tests shall be based on time horizons of differing lengths. In the stress scenarios the institution shall determine its expected survival horizon as a going concern.

Institution-specific (idiosyncratic) and market-wide causes
Institution-specific (idiosyncratic) causes may result in, for example, withdrawal of customer deposits at a given institution. Market-wide causes may lead, for example, to a deterioration in the funding conditions of some or all institutions.

9 The institution shall specify the measures to be taken in the event of a liquidity shortfall (liquidity contingency plan). This shall include a description of the liquidity sources available in such cases, taking due account of possibly reduced proceeds. The communication channels to be used in the event of a liquidity shortfall shall be defined. The operational feasibility of the planned measures shall be reviewed regularly and the measures modified if necessary. The stress test results shall be taken into account in this process.

10 The extent to which the intra-group transfer of liquid funds and unencumbered assets may be incompatible with company law provisions and with regulatory and operational constraints shall be reviewed.

11 An institution that incurs material liquidity risk in foreign currencies shall implement appropriate procedures for managing foreign exchange liquidity in the major currencies in order to safeguard its payment obligations. For the currencies concerned, this shall include at least one separate liquidity overview, separate foreign currency stress tests and explicit inclusion in the liquidity contingency plan.

Material liquidity risk arising from different foreign currencies
Material liquidity risk arising from different foreign currencies exists, in particular, if a significant part of the assets or liabilities is denominated in a foreign currency and, at the same time, there are significant currency mismatches or maturity mismatches between the respective foreign currency assets and liabilities.

12 The institution shall set up an internal funding plan that appropriately reflects the strategies, the risk appetite and the business model. The planning horizon shall cover a period of an appropriate duration generally spanning several years. Consideration shall be given to how changes in the institution’s own business activity or its strategic goals as well as changes in the economic environment impact on the funding requirement. Due account shall be taken in the planning process of potential adverse developments which depart from expectations.

Internal funding plan
The internal funding plan serves solely internal management purposes and can, depending on the nature and scale of the liquidity risk, be designed to suit the individual institution. Such a plan shall be distinguished from funding plans required pursuant to the EBA guidelines for funding plans of credit institutions (EBA/GL/2014/04) and submitted by certain institutions to the EBA. These are not the subject matter of the requirement; nevertheless, the requirement may be fulfilled by a funding plan prepared for the EBA.

BTR 3.2 Additional requirements relating to capital market-oriented institutions

1 The institution shall be able to bridge its liquidity needs arising from the institution-specific stress scenarios over the time horizon of at least one month using the liquidity buffers required pursuant to BTR 3.1 number 4, as further specified in BTR 3.2 number 2.

Capital market-oriented institutions
Section 264d of the German Commercial Code applies accordingly to the criterion of capital market orientation.

2 In order to bridge its short-term liquidity needs of at least one week, the institution shall maintain, besides central bank money, highly liquid assets which can be liquidated at any time in private markets without significant losses of value and which are eligible as central bank collateral. For the ongoing liquidity needs up to the end of the time horizon of at least one month, it shall be possible to use other assets as additional components of the liquidity buffers if these can be liquidated without significant losses of value within the given time horizon.

Private markets
The term private markets is used to differentiate such transactions from those with central banks (eg open market operations or marginal lending facilities).

Capability to liquidate assets without significant losses of value
The capability to liquidate assets may also be achieved by possible recourse to repurchase agreements (repos) or other forms of collateralised funding provided that no significant losses of value occur in the assets to be used as liquidity buffers. The assets eligible for this purpose should have a high credit rating, be easy to value and it should be possible to liquidate them in markets that are sufficiently deep and broad also in stress phases. The size of the liquidity effect to be achieved in stress phases is reflected in the haircuts to be applied by the institution. Only assets that demonstrably fulfil the criteria for the envisaged liquidation channel may be earmarked as components of the liquidity buffers. Prospective fulfilment of the criteria at some point in the future is not sufficient.

3 The institution shall consider stress scenarios under which the liquidity buffers pursuant to number 1 shall also be measured. The stress tests shall, first, encompass stress scenarios based on institution-specific causes. They shall, second, separately encompass stress scenarios due to market-wide causes. And they shall, third, encompass both aspects in combination. A scenario based on institution-specific causes shall also model a significant rating downgrade, incorporating at least the following assumptions:

  • Withdrawal of a substantial portion of the unsecured funding by institutional investors at least during the first week of the stress scenario; whereby a complete withdrawal of this unsecured funding within the first week shall be assumed for financial sector entities,
  • Withdrawal of part of the retail deposits.

In addition, the following assumptions shall be incorporated into a scenario based on market-wide causes:

  • General decline in the prices of marketable assets, particularly securities,
  • General deterioration in funding conditions.

Institutional investors
Institutional investors are professional market participants:

  • Financial sector entities (eg banks and insurance companies, hedge funds, pension funds), including central banks outside the euro area,
  • Other professional market participants not belonging to the financial sector (eg other sizeable entities).

Operational deposits by financial sector entities
For deposits stemming from financial sector entities that are used to maintain the operating business of these companies (operational deposits), the assumption of a complete withdrawal in the scenarios based on institution-specific causes can be waived in justified cases.

General deterioration in funding conditions
A general deterioration in funding conditions may be reflected, for example, in the non-rollover also of secured institutional funding, the shortening of funding maturities or a general widening of funding spreads.

4 The institution shall ensure that the deployment of the liquidity buffers is not incompatible with any legal, regulatory or operational constraints. The liquidity buffers’ diversification and their dispersion across different jurisdictions shall accord with the structure and business activities of the institution and the group.

BTR 4 Operational risk

1 The institution shall perform appropriate risk management to take account of operational risk. To this end, operational risk shall be internally defined and delineated uniformly and communicated to members of staff.

Definition of operational risk
The definition should include a clear delineation from other risks considered by the institution.

Treatment of boundary events and near-losses
The processes for managing operational risk should also cover the treatment of risks that are not unambiguously assignable (boundary events), near-losses and related events. "Boundary events" is a term used to classify losses which are or have already been assigned to another risk (eg credit losses), but which have or had their origin in events such as inadequate processes and controls. "Near-losses" is a term used to describe events triggered by errors or deficiencies which have not led to any loss (eg erroneous payment to the wrong counterparty; repayment by the counterparty).

2 It shall be ensured that any material operational risk is identified and assessed at least once a year.

3 The institution shall ensure an appropriate recording of damage events. The causes of material damage events shall be analysed promptly.

Recording of damage events
To do this, larger institutions shall set up an event database for damage events which ensures the complete recording of all damage events above appropriate thresholds.

Collective losses
Collective losses that are recognised separately but can be assigned to the same event shall subsequently be processed in the aggregate.

4 The procedures for assessing operational risk must cover the main characteristics of operational risk.

Significant types of risk
Due account shall be taken of historical findings (in particular losses) and potential events when assessing the significant types of risk. Findings relating to current weaknesses – and particularly those deriving from the internal audit, information security management and compliance functions, the modification processes, and business continuity and outsourcing management – shall also be used to identify and assess relevant potential events.

5 The operational risks identified shall serve as the basis for deciding whether, and if so what, measures are to be taken to eliminate the causes, or what risk management measures are to be taken. Implementation of the measures to be taken shall be monitored.

Risk management measures
Risk management measures include eg insurance, backup procedures, the reorientation of business activities, and business continuity management measures.

BT 2 Special requirements relating to the internal audit function

BT 2.1 Tasks of the internal audit function

1 As a general rule, the auditing operations of the internal audit function shall cover all of the institution’s activities and processes on the basis of a risk-oriented audit approach.

2 The internal audit function, while guarding its independence and avoiding conflicts of interest, shall be involved in key projects.

3 Where activities are outsourced to another enterprise, the institution’s internal audit function shall be permitted to waive conducting its own audit activities, provided that the audit activity conducted by other audit functions complies with the requirements in AT 4.4.3 and BT 2. The outsourcing institution's internal audit function shall regularly verify compliance with these requirements. The audit findings that are relevant to the institution shall be passed on to the internal audit function of the outsourcing institution.

Auditing activity performed by other audit functions
The auditing activity may be performed by

  • the internal audit function of the external service provider,
  • the internal audit function of one or more of the outsourcing institutions on behalf of the outsourcing institutions,
  • a third party commissioned by the external service provider, or
  • a third party commissioned by the outsourcing institutions.

In the course of its internal audit activities, the internal audit function can also rely on evidence or certifications based on current standards. Due account shall be taken in this context not only of the level of detail, topicality and suitability of the evidence or certifications and the associated audit reports but also of the suitability of the certification body or auditor. However, a supervised enterprise may not rely solely on these when performing its internal audit activities in the case of critical or important outsourced activities and processes.

BT 2.2 General principles relating to the internal audit function

1 The internal audit function shall perform its tasks autonomously and independently. In particular, it shall be ensured that it is not subject to any instructions in connection with reporting and evaluating the audit findings. The management board’s right to order additional audits shall not conflict with the autonomy and independence of the internal audit function.

2 As a general rule, staff employed in the internal audit function shall not be entrusted with tasks which are unrelated to auditing. In particular, they shall not perform any tasks which are incompatible with auditing activities. Provided that the independence of the internal audit function is ensured, it may, as part of its tasks, provide advisory services to the management board and other organisational units of the institution.

3 As a general rule, staff employed in other organisational units of the institution shall not be entrusted with the internal audit function’s tasks. This shall not, however, preclude other members of staff working for the internal audit function on a temporary basis in legitimate individual cases on account of their specialist knowledge. An appropriate cooling-off period of, generally, at least one year shall be envisaged for members of staff from other organisational units who move to the internal audit function, during which time these members of staff shall not be permitted to audit any activities that breach the ban on self-audit and self-review. Simplified implementation of the transitional periods is possible for institutions, depending on the nature, scale, complexity and riskiness of their business activities.

BT 2.3 Planning and conduct of the audit

1 The internal audit function’s activities shall be based on a comprehensive audit plan, which shall be updated once a year. Audit planning shall be risk-oriented. The institution’s activities and processes, including those outsourced, shall be audited at appropriate intervals, as a general rule within three years. An annual audit shall be conducted where particular risks exist. The three-year audit cycle may be waived in the case of activities and processes which are immaterial in terms of risk. The risk classification of activities and processes shall be reviewed regularly.

Activities and processes which are immaterial in terms of risk
A waiver of the three-year audit cycle for activities and processes which are immaterial in terms of risk does not imply largely forgoing audit activities in these areas. They, too, shall be integrated into the audit planning and audited at appropriate intervals.

2 The risk assessment procedures of the internal audit function shall include an analysis of the potential risk of the activities and processes taking due account of any foreseeable changes. This requires appropriate consideration of the various sources of risk and the vulnerability of the processes to manipulation by members of staff.

3 Audit planning, methods and quality shall be reviewed and refined with regard to their appropriateness regularly and on an ad hoc basis.

4 It shall be ensured that any special audits required at short notice, eg due to deficiencies which have arisen or certain informational requirements, can be performed at any time.

5 Audit planning as well as any material modifications thereto shall be approved by the management board.

BT 2.4 Reporting requirement

1 The internal audit function shall swiftly prepare a written report on each audit and, as a general rule, submit it to the responsible members of the management board. In particular, the report shall detail the audit subject and the audit findings, including the envisaged remedial measures, where appropriate. Any material findings shall be highlighted. In addition, the results of the audit shall be evaluated. In the event of serious findings, the report shall be promptly submitted to the management board.

Grading of findings
This Circular distinguishes in BT 2 between “material”, “serious” and “particularly serious” findings. This means that the relevant identified findings are graded in terms of their (potential) significance in terms of risk. The individual institution is free to decide the precise definition of the individual grades. The institution may decide at its discretion to define its own classification system for identified findings that are less relevant in terms of risk.

2 The audits shall be documented by working documents. These shall show the work that has been performed as well as the identified findings and conclusions in a way that is comprehensible for expert third parties.

3 If there is no agreement between the audited organisational unit and the internal audit function regarding the measures to be taken in order to remedy the findings, the audited organisational unit shall issue a statement on this matter.

4 The internal audit function shall swiftly write a quarterly report on the audits it has performed since the cut-off date for the last quarterly report and swiftly submit it to the management board and the supervisory board. The quarterly report shall provide information on the material or more highly ranked findings, the adopted measures as well as the status of these measures. Furthermore, it shall contain an account of whether and to what extent the audit plan’s specifications have been adhered to. The internal audit function shall also provide the management board and the supervisory board with concise information on the serious findings identified by the internal audit function during the course of the year and on any material findings that have not yet been remedied (annual report). The serious findings that have been discovered, the measures adopted to remedy them, and the status of those measures shall be specially highlighted. The internal audit function shall promptly report any particularly serious findings.

Method of reporting findings in the quarterly report
A highlighting approach may be used for reporting the findings. Similar individual findings as well as the status of the adopted implementation measures may be summarised.

Reporting to the supervisory board
Reporting to the supervisory board may be routed via the management board if this does not entail any significant delay in informing the supervisory board and the content of the reports to the management board and the supervisory board is identical.

Combining the quarterly report for the fourth quarter with the annual report
The quarterly report for the fourth quarter and the annual report may be combined as separate sections in a single report.

5 If the audits reveal serious findings concerning members of the management board, this shall be reported promptly to the management board. The management board shall promptly inform the chair of the supervisory board as well as the supervisory authorities (BaFin, Deutsche Bundesbank). If the management board fails to meet its reporting obligation or if it fails to adopt appropriate remedial measures, the internal audit function shall inform the chair of the supervisory board.

6 Audit reports and working documents shall be kept for six years.

BT 2.5 Reaction to identified findings

1 The internal audit function shall monitor in an appropriate form whether the findings identified during the audit are remedied within the specified timeframe. A follow-up audit shall be conducted where applicable.

2 If the material findings are not remedied within an appropriate period of time, the head of the internal audit function shall first inform the responsible member of the management board of this in written form. If the findings are still not remedied, the management board shall be informed in writing of the outstanding findings in the next overall report at the latest.

BT 3 Risk reporting requirements

BT 3.1 General requirements relating to risk reports

1 Risk reports on the risk situation shall be submitted to the management board on a regular basis. The risk reports shall be written in a comprehensible and meaningful manner. They shall cover both a description and an assessment of the risk situation. The reports shall be based on complete, precise and current data. The reports shall also provide a forward-looking risk assessment and shall not rely solely on current and historical data. If necessary, the risk reports shall include proposals for action, for example on mitigating risk.

Comprehensibility and meaningfulness of the risk reports
Comprehensible and meaningful risk reporting also requires an appropriate substantive balance between quantitative information (regarding position size, risk) and a qualitative assessment of material positions and risks.

Timeliness of data
Data shall be aggregated and reported as at the date of the risk report. Where preliminary data or data from previous periods are used, this must be flagged and justified if necessary.

2 In particular, the risk reports shall include the results of stress tests and their potential impact on the risk situation and the available financial resources (risk coverage potential). The key assumptions underlying the stress tests shall likewise be described. The risk reports shall, moreover, address risk concentrations and their potential impact separately.

3 Besides regular risk reports (overall risk report, reports on individual risk types), the institution shall also be able to generate ad hoc risk information where this appears warranted based on the institution’s current risk situation or the current situation of the markets in which the institution operates.

4 The risk reports shall be produced within an appropriate timeframe that facilitates the active and timely management of risks on the basis of the reports, whereby the production time shall also depend on the nature and volatility of the risks.

5 The management board shall inform the supervisory board at least quarterly of the risk situation, including existing risk concentrations, in an appropriate written form. The reports shall be written in a comprehensible and meaningful manner, and shall cover both a description and an assessment of the risk situation. The reports shall separately address particular risks to business development and the management board’s intended remedial measures. The management board shall promptly pass on material risk-related information to the supervisory board. A suitable procedure for this shall be established by the management board along with the supervisory board.

Supervisory board committees
Risk reports should generally be addressed to each member of the supervisory board. If the supervisory board has set up committees, the information may also be passed on solely to a committee. The preconditions for this are that a corresponding resolution was adopted to set up the committee and that the chair of the committee reports regularly to the entire supervisory board. Moreover, every member of the supervisory board must retain the right to inspect the reports that have been passed on to the committee.

BT 3.2 Reports produced by the risk control function

1 The risk control function shall draw up at regular intervals, at least once a quarter, an overall risk report on the risk types classified as being material and submit this to the management board. With regard to the individual risk types classified as being material, it may be necessary, depending on the risk type, the nature, scale, complexity, riskiness and volatility of the respective positions and on market developments, for reports on individual risk types to be made monthly, weekly or daily.

Reporting during stress phases
Institutions are expected to increase the frequency of reporting when they themselves experience stress phases if this appears necessary for the purpose of active and timely risk management.

Risk types classified as material
Risk types classified as material include at least those listed under AT 2.2 number 1.

2 Besides containing key information on the individual risk types classified as being material, the stress test results and information on risk concentrations, the overall risk report shall also contain information on capital adequacy, on regulatory and economic capital, on the current capital ratios and liquidity ratios and on the funding positions. Moreover, it shall also contain projections on the development of capital and liquidity ratios and the funding positions.

Guidance on risk reporting
If the institution considers it meaningful, risk reports to the management board may be supplemented by concise presentations (eg a management summary). Where there are no relevant changes to information that was provided in previous reports, the current report may refer to such earlier information. As risk aspects cannot be discussed in isolation from cost and income aspects, the latter may also be included in the risk report. In general, a discussion of the proposals for action with the responsible units is unproblematical as long as it is ensured that the information contained in the risk report or in the proposals for action is not improperly distorted.

3 A risk report on counterparty and credit risk containing the main structural features of credit business shall be drawn up and made available to the management board periodically, at least once a quarter. The risk report shall contain the following information:

(a) the performance of the credit portfolio, broken down, for example, by sector, country, risk class and size or collateral category, taking particular account of risk concentrations,
(b) the scope of the agreed limits and external lines; in addition, large exposures and other noteworthy exposures (eg recovery and resolution loans of material importance, loans of material importance under intensified management) shall also be listed and, where appropriate, commented on,
(c) a separate analysis of country risk, where appropriate,
(d) significant limit breaches (including reasons),
(e) the scope and development of new business,
(f) the development of the institution’s risk provisioning,
(g) credit decisions of material importance which deviate from the strategies,
(h) credit decisions in risk-relevant credit business taken by members of the management board acting within the scope of their individual credit approval authority, either where these decisions diverge from the votes or where they are taken by a member of the management board responsible for the back office, and
(i) in the case of institutions with high stocks of NPLs, a separate presentation of non-performing and forborne exposures, and of changes in the assets acquired (where foreclosed assets form part of the institution’s NPE strategy).

Individual credit approval authority by the member of the management board responsible for the back office in the case of recovery loans
Since noteworthy exposures (eg recovery and resolution loans of material importance) must be reported pursuant to number 3 (b), there is no need for an additional reporting requirement applying to decisions on recovery loans taken by a member of the management board responsible for the back office within the scope of his/her individual credit approval authority.

4 A risk report on the market risk, including interest rate risk, incurred by the institution shall be drawn up and made available to the members of the management board periodically, at least quarterly. The report, which shall also cover internal trades, shall contain the following information:

(a) an overview of the risk and profit and loss development of the positions subject to market risk,
(b) significant breaches of the limits,
(c) changes in the major assumptions or parameters on which the procedures for assessing market risk are based,
(d) incongruities that came to light during the matching of trading positions (eg with regard to trading volumes, impact on the profit and loss statement, cancellation rates).

The overall risk positions and results to be determined pursuant to BTR 2.2 number 3 and the limit utilisation levels shall be reported to the member of the management board responsible for risk control early on the following business day. The report shall be agreed with trading. This is without prejudice to reporting duties pursuant to BTO 2.2.1 number 2 (c) (significant trades that deviate from usual market conditions).

Profit and loss development
For the purposes of the risk report, reference may be made either to the change in profit and loss as recorded in the financial statements (including gains and losses in the course of settlement) or to the change in the operating result.

Daily reporting
In the case of institutions that apply or can apply the simplified implementation offered under Article 94 (1) CRR (non-trading book institutions) and which have limited trading book positions in terms of risk, daily reporting may be waived in favour of a less frequent reporting frequency.

5 A risk report on the liquidity risk and the liquidity position shall be drawn up and made available to the management board on a regular basis, at least once per quarter. The risk report shall additionally contain stress test results and material modifications of the liquidity contingency plan. Particular liquidity risk arising from off-balance-sheet entities and from different foreign currencies as well as any intraday liquidity risk shall be addressed separately. Significant institutions or capital-market-oriented institutions shall draw up the risk report on liquidity risk and the liquidity position at least once a month. This report shall also cover the amount, the quality and the composition of the liquidity buffers.

6 The management board shall be informed at least annually of significant losses, material weaknesses and material potential events (pursuant to BTR 4 number 4 note) resulting from operational risks. The reports shall cover the nature of the loss/risk, the causes, the scale of the loss/risk, and countermeasures initiated and already taken.

7 The management board shall be informed at least quarterly of the other risks identified by the institution as being material. The reports shall cover the respective risk, the causes, the possible implications and, where appropriate, the countermeasures initiated and already taken. It must be clear from the reports what the current risk position is and, where appropriate, what measures have been taken or can be taken to address these risks.