2024-05-29
The German Federal Financial Supervisory Authority (BaFin) issued the Minimum Requirements for Risk Management (MaRisk) on May 29, 2024, to establish a flexible and practical framework for risk management in financial institutions under Section 25a of the German Banking Act (KWG). The regulation mandates that institutions implement robust governance arrangements, including internal control systems, risk steering processes, and specific functions for risk controlling and compliance, to ensure adequate risk-bearing capacity. Furthermore, it aligns national requirements with EU Directive 2013/36/EU (CRD IV) by enforcing rigorous supervisory review processes and detailed standards for specific business areas such as credit, trading, and real estate.
Table of Contents
AT 1 Preamble
AT 2 Scope of Application
AT 2.1 Target Group
AT 2.2 Risks
AT 2.3 Transactions
AT 3 Overall Responsibility of the Management Board
AT 4 General Requirements for Risk Management
AT 4.1 Risk-Bearing Capacity
AT 4.2 Strategies
AT 4.3 Internal Control System
AT 4.3.1 Structural and Process Organization
AT 4.3.2 Risk Steering and Controlling Processes
AT 4.3.3 Stress Tests
AT 4.3.4 Data Management, Data Quality, and Aggregation of Risk Data
AT 4.3.5 Use of Models
AT 4.4 Special Functions
AT 4.4.1 Risk Controlling Function
AT 4.4.2 Compliance Function
AT 4.4.3 Internal Audit
AT 4.5 Risk Management at Group Level
AT 5 Organizational Policies
AT 6 Documentation
AT 7 Resources
AT 7.1 Personnel
AT 7.2 Technical and Organizational Equipment
AT 7.3 Business Continuity Management
AT 8 Adaptation Processes
AT 8.1 New Product Process
AT 8.2 Changes to Operational Processes or Structures
AT 8.3 Acquisitions and Mergers
AT 9 Outsourcing
BT 1 Special Requirements for the Internal Control System
BTO Requirements for Structural and Process Organization
Federal Financial Supervisory Authority (BaFin) Annex 1: MaRisk dated 29.05.2024 – Text and Explanations Page 3 of 122
BTO 1 Credit Business
BTO 1.1 Segregation of Duties and Veto Rights
BTO 1.2 Requirements for Processes in Credit Business
BTO 1.2.1 Granting of Credit
BTO 1.2.2 Further Processing of Credit
BTO 1.2.3 Control of Credit Processing
BTO 1.2.4 Intensive Supervision
BTO 1.2.5 Treatment of Problem Loans
BTO 1.2.6 Risk Provisions
BTO 1.3 Requirements for Procedures for Early Detection of Risks and Treatment of Forbearance
BTO 1.3.1 Procedures for Early Detection of Risks
BTO 1.3.2 Treatment of Forbearance
BTO 1.4 Risk Classification Procedures
BTO 2 Trading Business
BTO 2.1 Segregation of Duties
BTO 2.2 Requirements for Processes in Trading Business
BTO 2.2.1 Trading
BTO 2.2.2 Settlement and Control
BTO 2.2.3 Representation in Risk Controlling
BTO 3 Real Estate Business
BTO 3.1 Structural Organization
BTO 3.2 Requirements for Processes in Real Estate Business
BTO 3.2.1 Acquisition or Construction of Real Estate
BTO 3.2.2 Further Processing and Monitoring
BTO 3.2.3 Processing Controls
BTR Requirements for Risk Steering and Controlling Processes
BTR 1 Counterparty Default Risks
BTR 2 Market Price Risks
BTR 2.1 General Requirements
BTR 2.2 Market Price Risks of the Trading Book
BTR 2.3 Market Price Risks of the Banking Book (including Interest Rate Risks)
BTR 3 Liquidity Risks
BTR 3.1 General Requirements
BTR 3.2 Additional Requirements for Capital Market-Oriented Institutions
BTR 4 Operational Risks
BTR 5 Credit Spread Risks in the Banking Book
BT 2 Special Requirements for the Design of Internal Audit
BT 2.1 Tasks of Internal Audit
BT 2.2 Principles for Internal Audit
BT 2.3 Audit Planning and Execution
BT 2.4 Reporting Obligations
BT 2.5 Reaction to Identified Deficiencies
BT 3 Requirements for Risk Reporting
BT 3.1 General Requirements for Risk Reports
BT 3.2 Reports from the Risk Controlling Function
AT 1 Preamble
1 This circular provides, on the basis of Section 25a(1) of the German Banking Act (KWG), a flexible and practice-oriented framework for the design of risk management in institutions. It further specifies the requirements of Section 25a(3) KWG (Risk management at group level) and Section 25b KWG (Outsourcing). Adequate and effective risk management, taking into account risk-bearing capacity, includes in particular the definition of strategies and the establishment of internal control procedures. The internal control procedures consist of the internal control system and internal audit. The internal control system includes in particular:
Risk management creates a basis for the proper performance of the supervisory functions of the supervisory body and therefore also includes its appropriate involvement.
Branches according to Section 53 KWG
Since branches of companies with their seat abroad do not have a supervisory body according to Section 53 KWG, these institutions must instead involve their corporate headquarters in an appropriate manner.
2 The circular also provides a qualitative framework for the implementation of significant articles of Directive 2013/36/EU (Banking Directive – “CRD IV”) regarding the organization and risk management of institutions. Accordingly, institutions must establish in particular appropriate leadership, steering, and control processes (“Robust Governance Arrangements”), effective procedures for the identification, steering, monitoring, and communication of actual or potential risks, and appropriate internal control mechanisms. Furthermore, they must have effective and comprehensive procedures and methods that ensure that sufficient internal capital is available to cover all material risks (Internal Capital Adequacy Assessment Process - “ICAAP”). The appropriateness and effectiveness of these procedures, methods, and processes are to be regularly assessed by the supervisor as part of the banking supervisory review process (“Supervisory Review and Evaluation Process”). The circular is therefore designed taking into account the
Federal Financial Supervisory Authority (BaFin) Annex 1: MaRisk dated 29.05.2024 – Text and Explanations Page 5 of 122
AT 1 Preamble 1 This circular provides, on the basis of Section 25a(1) of the German Banking Act (KWG), a flexible and practice-oriented framework for the design of risk management in institutions. It further specifies the requirements of Section 25a(3) KWG (Risk management at group level) and Section 25b KWG (Outsourcing). Adequate and effective risk management, taking into account risk-bearing capacity, includes in particular the definition of strategies and the establishment of internal control procedures. The internal control procedures consist of the internal control system and internal audit. The internal control system includes in particular:
Risk management creates a basis for the proper performance of the supervisory functions of the supervisory body and therefore also includes its appropriate involvement.
Branches according to Section 53 KWG Since branches of companies with their seat abroad do not have a supervisory body according to Section 53 KWG, these institutions must instead involve their corporate headquarters in an appropriate manner.
2 The circular also provides a qualitative framework for the implementation of significant articles of Directive 2013/36/EU (Banking Directive – “CRD IV”) regarding the organization and risk management of institutions. Accordingly, institutions must establish in particular appropriate leadership, steering, and control processes (“Robust Governance Arrangements”), effective procedures for the identification, steering, monitoring, and communication of actual or potential risks, and appropriate internal control mechanisms. Furthermore, they must have effective and comprehensive procedures and methods that ensure that sufficient internal capital is available to cover all material risks (Internal Capital Adequacy Assessment Process - “ICAAP”). The appropriateness and effectiveness of these procedures, methods, and processes are to be regularly assessed by the supervisor as part of the banking supervisory review process (“Supervisory Review and Evaluation Process”). The circular is therefore designed taking into account the
Federal Financial Supervisory Authority (BaFin) Annex 1: MaRisk dated 29.05.2024 – Text and Explanations Page 5 of 122
AT 1 Preamble 1 This circular provides, on the basis of Section 25a(1) of the German Banking Act (KWG), a flexible and practice-oriented framework for the design of risk management in institutions. It further specifies the requirements of Section 25a(3) KWG (Risk management at group level) and Section 25b KWG (Outsourcing). Adequate and effective risk management, taking into account risk-bearing capacity, includes in particular the definition of strategies and the establishment of internal control procedures. The internal control procedures consist of the internal control system and internal audit. The internal control system includes in particular:
Risk management creates a basis for the proper performance of the supervisory functions of the supervisory body and therefore also includes its appropriate involvement.
Branches according to Section 53 KWG Since branches of companies with their seat abroad do not have a supervisory body according to Section 53 KWG, these institutions must instead involve their corporate headquarters in an appropriate manner.
2 The circular also provides a qualitative framework for the implementation of significant articles of Directive 2013/36/EU (Banking Directive – “CRD IV”) regarding the organization and risk management of institutions. Accordingly, institutions must establish in particular appropriate leadership, steering, and control processes (“Robust Governance Arrangements”), effective procedures for the identification, steering, monitoring, and communication of actual or potential risks, and appropriate internal control mechanisms. Furthermore, they must have effective and comprehensive procedures and methods that ensure that sufficient internal capital is available to cover all material risks (Internal Capital Adequacy Assessment Process - “ICAAP”). The appropriateness and effectiveness of these procedures, methods, and processes are to be regularly assessed by the supervisor as part of the banking supervisory review process (“Supervisory Review and Evaluation Process”). The circular is therefore designed taking into account the
Federal Financial Supervisory Authority (BaFin) Annex 1: MaRisk dated 29.05.2024 – Text and Explanations Page 5 of 122
AT 1 Preamble 1 This circular provides, on the basis of Section 25a(1) of the German Banking Act (KWG), a flexible and practice-oriented framework for the design of risk management in institutions. It further specifies the requirements of Section 25a(3) KWG (Risk management at group level) and Section 25b KWG (Outsourcing). Adequate and effective risk management, taking into account risk-bearing capacity, includes in particular the definition of strategies and the establishment of internal control procedures. The internal control procedures consist of the internal control system and internal audit. The internal control system includes in particular:
Risk management creates a basis for the proper performance of the supervisory functions of the supervisory body and therefore also includes its appropriate involvement.
Branches according to Section 53 KWG Since branches of companies with their seat abroad do not have a supervisory body according to Section 53 KWG, these institutions must instead involve their corporate headquarters in an appropriate manner.
2 The circular also provides a qualitative framework for the implementation of significant articles of Directive 2013/36/EU (Banking Directive – “CRD IV”) regarding the organization and risk management of institutions. Accordingly, institutions must establish in particular appropriate leadership, steering, and control processes (“Robust Governance Arrangements”), effective procedures for the identification, steering, monitoring, and communication of actual or potential risks, and appropriate internal control mechanisms. Furthermore, they must have effective and comprehensive procedures and methods that ensure that sufficient internal capital is available to cover all material risks (Internal Capital Adequacy Assessment Process - “ICAAP”). The appropriateness and effectiveness of these procedures, methods, and processes are to be regularly assessed by the supervisor as part of the banking supervisory review process (“Supervisory Review and Evaluation Process”). The circular is therefore designed taking into account the
Federal Financial Supervisory Authority (BaFin) Annex 1: MaRisk dated 29.05.2024 – Text and Explanations Page 5 of 122
AT 1 Preamble 1 This circular provides, on the basis of Section 25a(1) of the German Banking Act (KWG), a flexible and practice-oriented framework for the design of risk management in institutions. It further specifies the requirements of Section 25a(3) KWG (Risk management at group level) and Section 25b KWG (Outsourcing). Adequate and effective risk management, taking into account risk-bearing capacity, includes in particular the definition of strategies and the establishment of internal control procedures. The internal control procedures consist of the internal control system and internal audit. The internal control system includes in particular:
Risk management creates a basis for the proper performance of the supervisory functions of the supervisory body and therefore also includes its appropriate involvement.
Branches according to Section 53 KWG Since branches of companies with their seat abroad do not have a supervisory body according to Section 53 KWG, these institutions must instead involve their corporate headquarters in an appropriate manner.
2 The circular also provides a qualitative framework for the implementation of significant articles of Directive 2013/36/EU (Banking Directive – “CRD IV”) regarding the organization and risk management of institutions. Accordingly, institutions must establish in particular appropriate leadership, steering, and control processes (“Robust Governance Arrangements”), effective procedures for the identification, steering, monitoring, and communication of actual or potential risks, and appropriate internal control mechanisms. Furthermore, they must have effective and comprehensive procedures and methods that ensure that sufficient internal capital is available to cover all material risks (Internal Capital Adequacy Assessment Process - “ICAAP”). The appropriateness and effectiveness of these procedures, methods, and processes are to be regularly assessed by the supervisor as part of the banking supervisory review process (“Supervisory Review and Evaluation Process”). The circular is therefore designed taking into account the
Federal Financial Supervisory Authority (BaFin) Annex 1: MaRisk dated 29.05.2024 – Text and Explanations Page 5 of 122
AT 1 Preamble 1 This circular provides, on the basis of Section 25a(1) of the German Banking Act (KWG), a flexible and practice-oriented framework for the design of risk management in institutions. It further specifies the requirements of Section 25a(3) KWG (Risk management at group level) and Section 25b KWG (Outsourcing). Adequate and effective risk management, taking into account risk-bearing capacity, includes in particular the definition of strategies and the establishment of internal control procedures. The internal control procedures consist of the internal control system and internal audit. The internal control system includes in particular:
Risk management creates a basis for the proper performance of the supervisory functions of the supervisory body and therefore also includes its appropriate involvement.
Branches according to Section 53 KWG Since branches of companies with their seat abroad do not have a supervisory body according to Section 53 KWG, these institutions must instead involve their corporate headquarters in an appropriate manner.
2 The circular also provides a qualitative framework for the implementation of significant articles of Directive 2013/36/EU (Banking Directive – “CRD IV”) regarding the organization and risk management of institutions. Accordingly, institutions must establish in particular appropriate leadership, steering, and control processes (“Robust Governance Arrangements”), effective procedures for the identification, steering, monitoring, and communication of actual or potential risks, and appropriate internal control mechanisms. Furthermore, they must have effective and comprehensive procedures and methods that ensure that sufficient internal capital is available to cover all material risks (Internal Capital Adequacy Assessment Process - “ICAAP”). The appropriateness and effectiveness of these procedures, methods, and processes are to be regularly assessed by the supervisor as part of the banking supervisory review process (“Supervisory Review and Evaluation Process”). The circular is therefore designed taking into account the
Federal Financial Supervisory Authority (BaFin) Annex 1: MaRisk dated 29.05.2024 – Text and Explanations Page 5 of 122
AT 1 Preamble 1 This circular provides, on the basis of Section 25a(1) of the German Banking Act (KWG), a flexible and practice-oriented framework for the design of risk management in institutions. It further specifies the requirements of Section 25a(3) KWG (Risk management at group level) and Section 25b KWG (Outsourcing). Adequate and effective risk management, taking into account risk-bearing capacity, includes in particular the definition of strategies and the establishment of internal control procedures. The internal control procedures consist of the internal control system and internal audit. The internal control system includes in particular:
Risk management creates a basis for the proper performance of the supervisory functions of the supervisory body and therefore also includes its appropriate involvement.
Branches according to Section 53 KWG Since branches of companies with their seat abroad do not have a supervisory body according to Section 53 KWG, these institutions must instead involve their corporate headquarters in an appropriate manner.
2 The circular also provides a qualitative framework for the implementation of significant articles of Directive 2013/36/EU (Banking Directive – “CRD IV”) regarding the organization and risk management of institutions. Accordingly, institutions must establish in particular appropriate leadership, steering, and control processes (“Robust Governance Arrangements”), effective procedures for the identification, steering, monitoring, and communication of actual or potential risks, and appropriate internal control mechanisms. Furthermore, they must have effective and comprehensive procedures and methods that ensure that sufficient internal capital is available to cover all material risks (Internal Capital Adequacy Assessment Process - “ICAAP”). The appropriateness and effectiveness of these procedures, methods, and processes are to be regularly assessed by the supervisor as part of the banking supervisory review process (“Supervisory Review and Evaluation Process”). The circular is therefore designed taking into account the
Federal Financial Supervisory Authority (BaFin) Annex 1: MaRisk dated 29.05.2024 – Text and Explanations Page 5 of 122
AT 1 Preamble 1 This circular provides, on the basis of Section 25a(1) of the German Banking Act (KWG), a flexible and practice-oriented framework for the design of risk management in institutions. It further specifies the requirements of Section 25a(3) KWG (Risk management at group level) and Section 25b KWG (Outsourcing). Adequate and effective risk management, taking into account risk-bearing capacity, includes in particular the definition of strategies and the establishment of internal control procedures. The internal control procedures consist of the internal control system and internal audit. The internal control system includes in particular:
Risk management creates a basis for the proper performance of the supervisory functions of the supervisory body and therefore also includes its appropriate involvement.
Branches according to Section 53 KWG Since branches of companies with their seat abroad do not have a supervisory body according to Section 53 KWG, these institutions must instead involve their corporate headquarters in an appropriate manner.
2 The circular also provides a qualitative framework for the implementation of significant articles of Directive 2013/36/EU (Banking Directive – “CRD IV”) regarding the organization and risk management of institutions. Accordingly, institutions must establish in particular appropriate leadership, steering, and control processes (“Robust Governance Arrangements”), effective procedures for the identification, steering, monitoring, and communication of actual or potential risks, and appropriate internal control mechanisms. Furthermore, they must have effective and comprehensive procedures and methods that ensure that sufficient internal capital is available to cover all material risks (Internal Capital Adequacy Assessment Process - “ICAAP”). The appropriateness and effectiveness of these procedures, methods, and processes are to be regularly assessed by the supervisor as part of the banking supervisory review process (“Supervisory Review and Evaluation Process”). The circular is therefore designed taking into account the
Federal Financial Supervisory Authority (BaFin) Annex 1: MaRisk dated 29.05.2024 – Text and Explanations Page 5 of 122
AT 1 Preamble 1 This circular provides, on the basis of Section 25a(1) of the German Banking Act (KWG), a flexible and practice-oriented framework for the design of risk management in institutions. It further specifies the requirements of Section 25a(3) KWG (Risk management at group level) and Section 25b KWG (Outsourcing). Adequate and effective risk management, taking into account risk-bearing capacity, includes in particular the definition of strategies and the establishment of internal control procedures. The internal control procedures consist of the internal control system and internal audit. The internal control system includes in particular:
Risk management creates a basis for the proper performance of the supervisory functions of the supervisory body and therefore also includes its appropriate involvement.
Branches according to Section 53 KWG Since branches of companies with their seat abroad do not have a supervisory body according to Section 53 KWG, these institutions must instead involve their corporate headquarters in an appropriate manner.
2 The circular also provides a qualitative framework for the implementation of significant articles of Directive 2013/36/EU (Banking Directive – “CRD IV”) regarding the organization and risk management of institutions. Accordingly, institutions must establish in particular appropriate leadership, steering, and control processes (“Robust Governance Arrangements”), effective procedures for the identification, steering, monitoring, and communication of actual or potential risks, and appropriate internal control mechanisms. Furthermore, they must have effective and comprehensive procedures and methods that ensure that sufficient internal capital is available to cover all material risks (Internal Capital Adequacy Assessment Process - “ICAAP”). The appropriateness and effectiveness of these procedures, methods, and processes are to be regularly assessed by the supervisor as part of the banking supervisory review process (“Supervisory Review and Evaluation Process”). The circular is therefore designed taking into account the
Federal Financial Supervisory Authority (BaFin) Annex 1: MaRisk dated 29.05.2024 – Text and Explanations Page 5 of 122
AT 1 Preamble 1 This circular provides, on the basis of Section 25a(1) of the German Banking Act (KWG), a flexible and practice-oriented framework for the design of risk management in institutions. It further specifies the requirements of Section 25a(3) KWG (Risk management at group level) and Section 25b KWG (Outsourcing). Adequate and effective risk management, taking into account risk-bearing capacity, includes in particular the definition of strategies and the establishment of internal control procedures. The internal control procedures consist of the internal control system and internal audit. The internal control system includes in particular:
Risk management creates a basis for the proper performance of the supervisory functions of the supervisory body and therefore also includes its appropriate involvement.
Branches according to Section 53 KWG Since branches of companies with their seat abroad do not have a supervisory body according to Section 53 KWG, these institutions must instead involve their corporate headquarters in an appropriate manner.
2 The circular also provides a qualitative framework for the implementation of significant articles of Directive 2013/36/EU (Banking Directive – “CRD IV”) regarding the organization and risk management of institutions. Accordingly, institutions must establish in particular appropriate leadership, steering, and control processes (“Robust Governance Arrangements”), effective procedures for the identification, steering, monitoring, and communication of actual or potential risks, and appropriate internal control mechanisms. Furthermore, they must have effective and comprehensive procedures and methods that ensure that sufficient internal capital is available to cover all material risks (Internal Capital Adequacy Assessment Process - “ICAAP”). The appropriateness and effectiveness of these procedures, methods, and processes are to be regularly assessed by the supervisor as part of the banking supervisory review process (“Supervisory Review and Evaluation Process”). The circular is therefore designed taking into account the
Federal Financial Supervisory Authority (BaFin) Annex 1: MaRisk dated 29.05.2024 – Text and Explanations Page 5 of 122
AT 1 Preamble 1 This circular provides, on the basis of Section 25a(1) of the German Banking Act (KWG), a flexible and practice-oriented framework for the design of risk management in institutions. It further specifies the requirements of Section 25a(3) KWG (Risk management at group level) and Section 25b KWG (Outsourcing). Adequate and effective risk management, taking into account risk-bearing capacity, includes in particular the definition of strategies and the establishment of internal control procedures. The internal control procedures consist of the internal control system and internal audit. The internal control system includes in particular:
Risk management creates a basis for the proper performance of the supervisory functions of the supervisory body and therefore also includes its appropriate involvement.
Branches according to Section 53 KWG Since branches of companies with their seat abroad do not have a supervisory body according to Section 53 KWG, these institutions must instead involve their corporate headquarters in an appropriate manner.
2 The circular also provides a qualitative framework for the implementation of significant articles of Directive 2013/36/EU (Banking Directive – “CRD IV”) regarding the organization and risk management of institutions. Accordingly, institutions must establish in particular appropriate leadership, steering, and control processes (“Robust Governance Arrangements”), effective procedures for the identification, steering, monitoring, and communication of actual or potential risks, and appropriate internal control mechanisms. Furthermore, they must have effective and comprehensive procedures and methods that ensure that sufficient internal capital is available to cover all material risks (Internal Capital Adequacy Assessment Process - “ICAAP”). The appropriateness and effectiveness of these procedures, methods, and processes are to be regularly assessed by the supervisor as part of the banking supervisory review process (“Supervisory Review and Evaluation Process”). The circular is therefore designed taking into account the
Federal Financial Supervisory Authority (BaFin) Annex 1: MaRisk dated 29.05.2024 – Text and Explanations Page 5 of 122
AT 1 Preamble 1 This circular provides, on the basis of Section 25a(1) of the German Banking Act (KWG), a flexible and practice-oriented framework for the design of risk management in institutions. It further specifies the requirements of Section 25a(3) KWG (Risk management at group level) and Section 25b KWG (Outsourcing). Adequate and effective risk management, taking into account risk-bearing capacity, includes in particular the definition of strategies and the establishment of internal control procedures. The internal control procedures consist of the internal control system and internal audit. The internal control system includes in particular:
Risk management creates a basis for the proper performance of the supervisory functions of the supervisory body and therefore also includes its appropriate involvement.
Branches according to Section 53 KWG Since branches of companies with their seat abroad do not have a supervisory body according to Section 53 KWG, these institutions must instead involve their corporate headquarters in an appropriate manner.
2 The circular also provides a qualitative framework for the implementation of significant articles of Directive 2013/36/EU (Banking Directive – “CRD IV”) regarding the organization and risk management of institutions. Accordingly, institutions must establish in particular appropriate leadership, steering, and control processes (“Robust Governance Arrangements”), effective procedures for the identification, steering, monitoring, and communication of actual or potential risks, and appropriate internal control mechanisms. Furthermore, they must have effective and comprehensive procedures and methods that ensure that sufficient internal capital is available to cover all material risks (Internal Capital Adequacy Assessment Process - “ICAAP”). The appropriateness and effectiveness of these procedures, methods, and processes are to be regularly assessed by the supervisor as part of the banking supervisory review process (“Supervisory Review and Evaluation Process”). The circular is therefore designed taking into account the
Federal Financial Supervisory Authority (BaFin) Annex 1: MaRisk dated 29.05.2024 – Text and Explanations Page 5 of 122
AT 1 Preamble 1 This circular provides, on the basis of Section 25a(1) of the German Banking Act (KWG), a flexible and practice-oriented framework for the design of risk management in institutions. It further specifies the requirements of Section 25a(3) KWG (Risk management at group level) and Section 25b KWG (Outsourcing). Adequate and effective risk management, taking into account risk-bearing capacity, includes in particular the definition of strategies and the establishment of internal control procedures. The internal control procedures consist of the internal control system and internal audit. The internal control system includes in particular:
Risk management creates a basis for the proper performance of the supervisory functions of the supervisory body and therefore also includes its appropriate involvement.
Branches according to Section 53 KWG Since branches of companies with their seat abroad do not have a supervisory body according to Section 53 KWG, these institutions must instead involve their corporate headquarters in an appropriate manner.
2 The circular also provides a qualitative framework for the implementation of significant articles of Directive 2013/36/EU (Banking Directive – “CRD IV”) regarding the organization and risk management of institutions. Accordingly, institutions must establish in particular appropriate leadership, steering, and control processes (“Robust Governance Arrangements”), effective procedures for the identification, steering, monitoring, and communication of actual or potential risks, and appropriate internal control mechanisms. Furthermore, they must have effective and comprehensive procedures and methods that ensure that sufficient internal capital is available to cover all material risks (Internal Capital Adequacy Assessment Process - “ICAAP”). The appropriateness and effectiveness of these procedures, methods, and processes are to be regularly assessed by the supervisor as part of the banking supervisory review process (“Supervisory Review and Evaluation Process”). The circular is therefore designed taking into account the
Federal Financial Supervisory Authority (BaFin) Annex 1: MaRisk dated 29.05.2024 – Text and Explanations Page 5 of 122
AT 1 Preamble 1 This circular provides, on the basis of Section 25a(1) of the German Banking Act (KWG), a flexible and practice-oriented framework for the design of risk management in institutions. It further specifies the requirements of Section 25a(3) KWG (Risk management at group level) and Section 25b KWG (Outsourcing). Adequate and effective risk management, taking into account risk-bearing capacity, includes in particular the definition of strategies and the establishment of internal control procedures. The internal control procedures consist of the internal control system and internal audit. The internal control system includes in particular:
Risk management creates a basis for the proper performance of the supervisory functions of the supervisory body and therefore also includes its appropriate involvement.
Branches according to Section 53 KWG Since branches of companies with their seat abroad do not have a supervisory body according to Section 53 KWG, these institutions must instead involve their corporate headquarters in an appropriate manner.
2 The circular also provides a qualitative framework for the implementation of significant articles of Directive 2013/36/EU (Banking Directive – “CRD IV”) regarding the organization and risk management of institutions. Accordingly, institutions must establish in particular appropriate leadership, steering, and control processes (“Robust Governance Arrangements”), effective procedures for the identification, steering, monitoring, and communication of actual or potential risks, and appropriate internal control mechanisms. Furthermore, they must have effective and comprehensive procedures and methods that ensure that sufficient internal capital is available to cover all material risks (Internal Capital Adequacy Assessment Process - “ICAAP”). The appropriateness and effectiveness of these procedures, methods, and processes are to be regularly assessed by the supervisor as part of the banking supervisory review process (“Supervisory Review and Evaluation Process”). The circular is therefore designed taking into account the
Federal Financial Supervisory Authority (BaFin) Annex 1: MaRisk dated 29.05.2024 – Text and Explanations Page 5 of 122
AT 1 Preamble 1 This circular provides, on the basis of Section 25a(1) of the German Banking Act (KWG), a flexible and practice-oriented framework for the design of risk management in institutions. It further specifies the requirements of Section 25a(3) KWG (Risk management at group level) and Section 25b KWG (Outsourcing). Adequate and effective risk management, taking into account risk-bearing capacity, includes in particular the definition of strategies and the establishment of internal control procedures. The internal control procedures consist of the internal control system and internal audit. The internal control system includes in particular:
Risk management creates a basis for the proper performance of the supervisory functions of the supervisory body and therefore also includes its appropriate involvement.