2024-05-29
The German Federal Financial Supervisory Authority (BaFin) issued Circular 06/2024 to establish the Minimum Requirements for Risk Management (MaRisk), providing a flexible framework for credit institutions and financial service providers to ensure adequate risk management and internal controls. The regulation mandates that management bodies assume overall responsibility for risk culture and strategy, requiring institutions to implement robust internal control systems, risk controlling processes, and independent functions such as compliance and internal audit. It further specifies detailed organizational and procedural requirements for credit, trading, and real estate businesses, while emphasizing the integration of ESG risks and the principle of proportionality based on institution size and complexity.
Circular 06/2024 (BA) Minimum Requirements for Risk Management - MaRisk To all credit institutions and financial service providers in the Federal Republic of Germany 29.05.2024
Circular 06/2024 (BA) - Minimum Requirements for Risk Management - MaRisk Page 2 of 56
Contents
AT 1 Preamble 6
AT 2 Scope of Application 8
AT 2.1 Target Group 8
AT 2.2 Risks 8
AT 2.3 Transactions 9
AT 3 Overall Responsibility of Management 10
AT 4 General Requirements for Risk Management 11
AT 4.1 Risk Bearing Capacity 11
AT 4.2 Strategies 13
AT 4.3 Internal Control System 14
AT 4.3.1 Structural and Process Organization 14
AT 4.3.2 Risk Steering and Controlling Processes 14
AT 4.3.3 Stress Tests 15
AT 4.3.4 Data Management, Data Quality and Aggregation of Risk Data 16
AT 4.3.5 Use of Models 17
AT 4.4 Special Functions 18
AT 4.4.1 Risk Controlling Function 18
AT 4.4.2 Compliance Function 19
AT 4.4.3 Internal Audit 20
AT 4.5 Risk Management at Group Level 20
AT 5 Organizational Policies 21
AT 6 Documentation 22
AT 7 Resources 23
AT 7.1 Personnel 23
AT 7.2 Technical and Organizational Equipment 23
AT 7.3 Emergency Management 24
AT 8 Adaptation Processes 24
AT 8.1 New Product Process 24
AT 8.2 Changes to Business Processes or Structures 26
AT 8.3 Acquisitions and Mergers 26
AT 9 Outsourcing 26
BT 1 Special Requirements for the Internal Control System 31
BTO Requirements for Structural and Process Organization 31
BTO 1 Credit Business 32
BTO 1.1 Separation of Functions and Veto Rights 32
BTO 1.2 Requirements for Processes in Credit Business 33
BTO 1.2.1 Granting of Credit 35
BTO 1.2.2 Further Processing of Credit 35
BTO 1.2.3 Control of Credit Processing 36
BTO 1.2.4 Intensive Supervision 36
BTO 1.2.5 Treatment of Problem Loans 36
BTO 1.2.6 Risk Provisions 37
BTO 1.3 Requirements for Procedures for Early Detection of Risks and Treatment of Forbearance 38
BTO 1.3.1 Procedures for Early Detection of Risks 38
BTO 1.3.2 Treatment of Forbearance 38
BTO 1.4 Risk Classification Procedures 39
BTO 2 Trading Business 39
BTO 2.1 Separation of Functions 39
BTO 2.2 Requirements for Processes in Trading Business 40
BTO 2.2.1 Trading 40
BTO 2.2.2 Settlement and Control 41
BTO 2.2.3 Representation in Risk Controlling 42
BTO 3 Real Estate Business 43
BTO 3.1 Structural Organization 43
BTO 3.2 Requirements for Processes in Real Estate Business 43
BTO 3.2.1 Acquisition or Construction of Real Estate 44
BTO 3.2.2 Further Processing and Monitoring 44
BTO 3.2.3 Processing Controls 44
BTR Requirements for Risk Steering and Controlling Processes 45
BTR 1 Counterparty Default Risks 45
BTR 2 Market Price Risks 46
BTR 2.1 General Requirements 46
BTR 2.2 Market Price Risks of the Trading Book 46
BTR 2.3 Market Price Risks of the Banking Book (including Interest Rate Risks) 47
BTR 3 Liquidity Risks 47
BTR 3.1 General Requirements 47
BTR 3.2 Additional Requirements for Capital Market-Oriented Institutions 49
BTR 4 Operational Risks 50
BTR 5 Credit Spread Risks in the Banking Book 50
BT 2 Special Requirements for the Design of Internal Audit 51
BT 2.1 Tasks of Internal Audit 51
BT 2.2 Principles for Internal Audit 51
BT 2.3 Audit Planning and Execution 52
BT 2.4 Reporting Obligations 52
BT 2.5 Reaction to Identified Deficiencies 53
BT 3 Requirements for Risk Reporting 54
BT 3.1 General Requirements for Risk Reports 54
BT 3.2 Reports of the Risk Controlling Function 54
AT 1 Preamble
1 This circular provides, on the basis of Section 25a (1) of the Banking Act (KWG), a flexible and practical framework for the design of risk management by institutions. It further clarifies the requirements of Section 25a (3) KWG (risk management at group level) and Section 25b KWG (outsourcing). Adequate and effective risk management, taking into account risk bearing capacity, particularly includes the definition of strategies and the establishment of internal control procedures. The internal control procedures consist of the internal control system and internal audit. The internal control system includes in particular
AT 2 Scope of Application
1 The observance of the requirements of the circular by institutions should contribute to countering deficiencies in the credit and financial services sector which could endanger the safety of assets entrusted to institutions, impair the proper conduct of banking business or financial services, or cause considerable disadvantages to the overall economy. In the provision of investment services and investment ancillary services, institutions must also comply with the requirements with the proviso of protecting the interests of investment service customers.
AT 2.1 Target Group
1 The requirements of the circular are to be observed by all institutions within the meaning of Section 1 (1b) KWG or within the meaning of Section 53 (1) KWG. They also apply to the branches of German institutions abroad. They do not apply to branches of companies with their seat in another state of the European Economic Area according to Section 53b KWG. The requirements in Module AT 4.5 of the circular are to be observed by parent companies or parent financial conglomerate companies of an institutional group, a financial holding group or a financial conglomerate at group level.
2 Financial service providers and large investment firms within the meaning of Section 2 (18) of the Investment Firm Act (InvG), which are obliged to apply Sections 25a and 25b of the KWG due to the requirement of Section 4 of this Act, are to observe the requirements of the circular insofar as this appears appropriate against the background of the size of the institution as well as the type, scope, complexity and risk content of the business activities to comply with the statutory duties under Sections 25a and 25b KWG. This applies in particular to Modules AT 3, AT 5, AT 7 and AT 9.
AT 2.2 Risks
1 The requirements of the circular relate to the management of risks that are material to the institution. To assess materiality, management must regularly and on an ad hoc basis obtain an overview of the institution's risks as part of a risk inventory, taking into account the effects of ESG risks appropriately and explicitly (overall risk profile). The risks are to be recorded at the level of the entire institution, regardless of in which organizational unit the risks were caused. In principle, at least the following risks are to be classified as material:
a) Counterparty default risks (including country risks),
b) Market price risks,
c) Liquidity risks and
d) Operational risks.
Risk concentrations associated with material risks are to be taken into account. Credit spread risks in the banking book can be determined together with other risk types or as a separate risk type. The presentation of credit spread risks in the banking book is to be done separately, regardless of the allocation. Appropriate measures are to be taken for risks that are classified as immaterial.
2 As part of the risk inventory, the institution must examine which risks could significantly impair the asset position (including capital adequacy), the earnings position or the liquidity position. The risk inventory must not be oriented exclusively to the effects in financial accounting and to formal legal designs.
AT 2.3 Transactions
1 Credit transactions within the meaning of this circular are in principle transactions in accordance with Section 19 (1) KWG (balance sheet assets and off-balance sheet transactions with counterparty default risks).
2 Within the meaning of this circular, a credit decision is any decision on new loans, loan increases, participations, limit exceedances, the determination of borrower-specific limits as well as counterparty and issuer limits, rollovers and changes to risk-relevant facts that formed the basis of the credit decision (e.g. collateral, purpose of use). It is irrelevant whether this decision is made exclusively by the institution itself or jointly with other institutions (so-called syndicated business).
3 Trading transactions are in principle all contracts that have a financial instrument within the meaning of Section 1 (11) KWG in the form of a
a) money market transaction,
b) securities transaction,
c) foreign exchange transaction,
d) transaction in tradable receivables (e.g. trading in loan participations),
e) transaction in commodities,
f) transaction in derivatives or
g) transaction in crypto assets
as the basis and are concluded in their own name and for their own account. Securities transactions also include transactions in registered bonds and securities lending, but not the initial issuance of securities. Trading transactions also include agreements on return or repurchase obligations and repo transactions, regardless of the subject matter of the transaction.
4 Transactions in derivatives include futures contracts whose price is derived from an underlying asset, a reference price, reference interest rate, reference index or a pre-defined event.
5 Real estate transactions within the meaning of this circular are transactions with real estate operated on own account of an institution, in which one of the following intentions is pursued:
a) Acquisition or construction of real estate for income generation through rental/leasing,
b) Acquisition or construction of real estate for resale (e.g. property development business),
c) Existing real estate for income generation through rental/leasing or resale.
In addition to direct real estate transactions, real estate transactions operated on own account by subsidiaries of the institution within the meaning of Section 290 HGB are also considered real estate transactions of the institution, provided that the assets of the subsidiary consist exclusively or predominantly of real estate transactions or participations in real estate transactions. Subsidiaries are equated with companies on which institutions can jointly exercise a controlling influence. Real estate transactions that serve predominantly the institution's own business operations are not considered real estate transactions within the meaning of this circular.
AT 3 Overall Responsibility of Management
1 All members of management (Section 1 (2) KWG) are responsible for the proper business organization and its further development, regardless of the internal allocation of responsibilities. This responsibility relates to all essential elements of risk management, taking into account outsourced activities and processes. Management members only fulfill this responsibility if they can assess the risks, including ESG risks, and take the necessary measures to limit them. This also includes the development, promotion, integration and monitoring of an appropriate risk culture at all levels within the institution and the group. The management members of a parent company of an institutional group or financial holding group or a parent financial conglomerate company are also responsible for the proper business organization in the group and thus for an adequate and effective risk management at group level (Section 25a (3) KWG).
2 Regardless of the overall responsibility of management for the proper business organization and in particular for an adequate and effective risk management, each management member is responsible for the establishment of appropriate control and monitoring processes in their respective area of responsibility.
AT 4 General Requirements for Risk Management
AT 4.1 Risk Bearing Capacity
1 On the basis of the overall risk profile, it must be ensured that the material risks of the institution are continuously covered by the risk coverage potential, taking into account risk concentrations, and thus the risk bearing capacity is given. The effects of ESG risks within the meaning of AT 2.2 para. 1 are to be taken into account appropriately and explicitly.
2 The institution must establish an internal process to ensure risk bearing capacity. The procedures used for this purpose must appropriately take into account both the goal of the continuation of the institution and the protection of creditors from losses from an economic perspective. To achieve these goals, procedures for ensuring risk bearing capacity must be established from both a normative perspective and an economic perspective.
3 Risk bearing capacity must be taken into account when defining strategies (AT 4.2) and when adapting them. To implement the strategies or to ensure risk bearing capacity, suitable risk steering and controlling processes (AT 4.3.2) must also be established.
4 Material risks that are not included in the risk bearing capacity concept must be defined. Their non-inclusion must be justifiable and is only possible if the respective risk cannot be meaningfully limited by risk coverage potential due to its nature (e.g. the risk of insolvency). It must be ensured that such risks are appropriately considered in the risk steering and controlling processes.
5 If an institution does not have suitable procedures for quantifying individual risks that are to be included in the risk bearing capacity concept, a risk amount must be determined for these based on a plausibility check. The plausibility check can be carried out on the basis of a qualified expert estimate.
6 If observed developments from the past flow into the procedures for risk quantification, and if the observation period exclusively or predominantly includes times of orderly and calm market conditions, the effects of stronger parameter changes must also be appropriately taken into account in the risk quantification.
7 If an institution takes into account risk-reducing diversification effects in the risk bearing capacity concept within or between risk types, the underlying assumptions must be made based on an analysis of the institution-specific circumstances and be based on data that can be considered transferable to the individual risk situation of the institution. Diversification effects must be estimated so conservatively that they can be assumed to be sufficiently stable even in economic downturn phases or in market conditions unfavorable with regard to the business and risk structure of the institution. The reliability and stability of the diversification assumptions must be checked regularly and, if necessary, on an ad hoc basis.
8 The choice of methods and procedures for assessing risk bearing capacity lies in the responsibility of the institution. The assumptions underlying the methods and procedures must be justifiable. The definition of essential elements of risk bearing capacity steering and essential underlying assumptions must be approved by management.
9 The appropriateness of the methods and procedures must be reviewed at least annually by the professionally responsible employees. In the context of the review, sufficient account must be taken of the limitations and restrictions arising from the methods and procedures used, the assumptions underlying them, and the data flowing into the risk quantification. The stability and consistency of the methods and procedures as well as the statement value of the risks determined with them must be critically analyzed in this regard.
10 If a comprehensive validation of these components according to para. 9 is necessary due to the comparative complexity of the methods and procedures, the underlying assumptions or the data flowing in, appropriate independence between method development and validation must be ensured. The main results of the validation and, if necessary, proposals for measures to deal with known limitations and restrictions of the methods and procedures must be submitted to management.
11 Each institution must have a process integrated into the earnings and risk...