2026-06-30
Added · Updated
The German Federal Financial Supervisory Authority (BaFin) issued Circular 06/2026 to establish the Minimum Requirements for Risk Management (MaRisk), providing a flexible framework for financial institutions to organize their risk management, internal control systems, and governance structures. The document mandates that institutions implement robust governance arrangements, effective risk identification and monitoring processes, and adequate internal capital adequacy assessment processes (ICAAP) in compliance with CRD IV/VI and relevant EBA guidelines. It further specifies detailed organizational and procedural requirements for credit, trading, and real estate businesses, while integrating ESG risk considerations and defining proportional application criteria for small and very small institutions.
Circular 06/2026 (BA) Minimum Requirements for Risk Management - MaRisk Status: 30.06.2026
BA 54 – MaRisk dated 30.06.2026 Federal Financial Supervisory Authority (BaFin)
Table of Contents AT 1 Objective of the Circular 7 AT 2 Scope of Application 9 AT 2.1 Target Group 9 AT 2.2 Risks 10 AT 2.3 Business Activities 11 AT 3 Responsibility of Management and Supervisory Body 14 AT 3.1 Overall Responsibility of Management 14 AT 3.2 Responsibility of the Supervisory Body and its Committees 14 AT 4 General Requirements for Risk Management 15 AT 4.1 Risk Capacity 15 AT 4.2 Strategies 17 AT 4.3 Internal Control System 19 AT 4.3.1 Structural and Process Organization 19 AT 4.3.2 Risk Steering and Controlling Processes 20
BA 54 - MaRisk dated 30.06.2026 Federal Financial Supervisory Authority (BaFin) Page 3 of 82 AT 4.3.3 Stress Tests 21 AT 4.3.4 Use of Models 22 AT 4.4 Special Functions 24 AT 4.4.1 Risk Controlling Function 24 AT 4.4.2 Compliance Function 25 AT 4.4.3 Internal Audit 26 AT 5 Organizational Guidelines 28 AT 6 Documentation 29 AT 7 Resources 30 AT 7.1 Personnel 30 AT 7.2 Technical and Organizational Equipment 30 AT 7.3 Emergency Management 31 AT 8 Adaptation Processes 32 AT 8.1 New Product Process 32 AT 8.2 Changes to Operational Processes or Structures; Acquisitions and Mergers 33
BA 54 - MaRisk dated 30.06.2026 Federal Financial Supervisory Authority (BaFin) Page 4 of 82 AT 9 Outsourcing 34 BT 1 Special Requirements for the Internal Control System 40 BTO Requirements for Structural and Process Organization 40 BTO 1 Credit Business 41 BTO 1.1 Separation of Functions and Veto Rights 42 BTO 1.2 Requirements for Processes in Credit Business 45 BTO 1.2.1 Credit Granting 48 BTO 1.2.2 Post-Granting Credit Processing 49 BTO 1.2.3 Credit Processing Control 50 BTO 1.2.4 Intensive Supervision 51 BTO 1.2.5 Treatment of Problem Loans 51 BTO 1.2.6 Risk Provisions 53 BTO 1.3 Requirements for Procedures for Early Risk Detection and Treatment of Forbearance 54 BTO 1.3.1 Procedures for Early Risk Detection 54 BTO 1.3.2 Treatment of Forbearance 55 BTO 1.4 Risk Classification Procedures 56 BTO 2 Trading Business 57
BA 54 - MaRisk dated 30.06.2026 Federal Financial Supervisory Authority (BaFin) Page 5 of 82 BTO 2.1 Separation of Functions 57 BTO 2.2 Requirements for Processes in Trading Business 58 BTO 2.2.1 Trading 58 BTO 2.2.2 Settlement and Control 60 BTO 2.2.3 Representation in Risk Controlling 64 BTO 3 Real Estate Business 64 BTO 3.1 Structural Organization 64 BTO 3.2 Requirements for Processes in Real Estate Business 65 BTO 3.2.1 Acquisition or Construction of Real Estate 66 BTO 3.2.2 Further Processing and Monitoring 67 BTR Requirements for Risk Steering and Controlling Processes 67 BTR 1 Counterparty Default Risks 68 BTR 2 Market Price Risks 69 BTR 2.1 General Requirements 69 BTR 2.2 Market Price Risks of the Trading Book 70 BTR 2.3 Market Price Risks of the Banking Book (including Interest Rate Risks) 70
BA 54 - MaRisk dated 30.06.2026 Federal Financial Supervisory Authority (BaFin) Page 6 of 82 BTR 3 Liquidity Risks 73 BTR 4 Operational Risks 74 BTR 5 Credit Spread Risks in the Banking Book 75 BT 2 Requirements for Risk Reporting 76 BT 2.1 General Requirements for Risk Reports 76 BT 2.2 Reports by the Risk Controlling Function 77 List of Abbreviations 80
BA 54 - MaRisk dated 30.06.2026 Federal Financial Supervisory Authority (BaFin) Page 7 of 82 AT 1 Objective of the Circular 1 This Circular, based on Section 25a(1) of the German Banking Act (KWG), provides a flexible and practical framework for the design of risk management by institutions. It further clarifies the requirements of Section 25b KWG (outsourcing) and Section 26c KWG (ESG risks).
CRD Third-Country Branches Since CRD third-country branches do not have a supervisory body, these institutions must instead involve their head offices in an appropriate manner.
2 The Circular also provides a qualitative framework for interpreting key articles of Directive 2013/36/EU (Capital Requirements Directive - "CRD IV", last amended by Directive (EU) 2024/1619 of 31 May 2024, "CRD VI") regarding the organization and risk management of institutions, the implementation of which has been enacted in the Banking Act. Accordingly, institutions must establish appropriate leadership, steering, and control processes ("Robust Governance Arrangements"), effective procedures for identifying, steering, monitoring, and communicating actual or potential risks, and appropriate internal control mechanisms. Furthermore, they must possess effective and comprehensive procedures and methods that ensure sufficient internal capital is available to cover all material risks (Internal Capital Adequacy Assessment Process - "ICAAP"). The Circular sets the framework for the proportional implementation of requirements by institutions and the intensity of supervision by the authorities.
EBA Guidelines The following EBA guidelines are implemented in the MaRisk, insofar as they concern the risk management of institutions:
Sections from the above-mentioned EBA guidelines are only to be observed in addition to the MaRisk requirements if the MaRisk refer to these sections; if these sections in turn refer to other sections or an annex of these EBA guidelines, these references may be disregarded. Otherwise, the aforementioned EBA guidelines are considered fully implemented in the MaRisk - i.e., to the extent that BaFin has declared compliance - in the MaRisk.
BA 54 - MaRisk dated 30.06.2026 Federal Financial Supervisory Authority (BaFin) Page 8 of 82 3 The appropriate handling of the principle of proportionality underlying the MaRisk by institutions involves that institutions, in individual cases, take further measures beyond certain requirements presented in the MaRisk, insofar as this is necessary to ensure appropriate and effective risk management. In addition to the proportional application of requirements to all institutions, size classes are defined that grant concrete further relaxations. These are explicitly regulated in the relevant sections.
References to EBA Guidelines in the MaRisk and the Principle of Proportionality Insofar as the MaRisk refer to EBA guidelines, the requirements of the EBA guidelines may be implemented taking into account the proportionality criteria mentioned therein.
Small and Very Small Institutions within the Meaning of the MaRisk Small institutions within the meaning of the MaRisk are institutions classified as small and non-complex institutions (SNCI) pursuant to Article 4(1)(145) of the EU Capital Adequacy Regulation (Regulation (EU) No 575/2013, CRR) in its respective valid version, as well as CRD third-country branches of risk class 2. Very small institutions within the meaning of the MaRisk are institutions and CRD third-country branches that do not exceed a balance sheet total of 1 billion euros on average over a four-year period. Very small institutions may claim the relaxations for small institutions, even if they do not meet the SNCI criteria. Factoring institutions are additionally considered very small only if the annual volume of receivables purchased does not exceed an amount of 5 billion euros on average over a four-year period.
4 The Circular also clarifies the requirements of Article 16 of Directive 2014/65/EU (MiFID II) via Section 80(1) of the Securities Trading Act (WpHG) in conjunction with Section 25a(1) KWG, insofar as this applies equally to credit institutions and financial service institutions. This concerns the general organizational requirements pursuant to Article 5, the requirements for risk management and internal audit pursuant to Articles 7 and 8, the requirements for management responsibility pursuant to Article 9, and requirements for outsourcing pursuant to Articles 13 and 14 of Directive 2006/73/EC (Implementing Directive to MiFID II).
The regulations on the prevention of money laundering and terrorist financing must always be observed.
5 BaFin expects that the flexible basic orientation of the Circular is taken into account during examination activities. Examinations are to be carried out on the basis of a risk-oriented examination approach.
BA 54 - MaRisk dated 30.06.2026 Federal Financial Supervisory Authority (BaFin) Page 9 of 82 6 The Circular is structured modularly, so that necessary adjustments in certain regulatory areas can be limited to the timely revision of individual modules. A general part (Module AT) contains fundamental principles for the design of risk management. Specific requirements for the organization of credit, trading, and real estate business are set out in a special part (Module BT). Taking into account risk concentrations, this module also sets requirements for the identification, assessment, steering, monitoring, and communication of counterparty default risks, market price risks, liquidity risks, and operational risks. Furthermore, Module BT provides a framework for the design of risk reporting.
AT 2 Scope of Application AT 2.1 Target Group 1 The requirements of this Circular apply to all institutions pursuant to Section 1(1b) KWG or Section 53(1) KWG, provided they are not classified as significant institutions within the meaning of Article 6 of Regulation (EU) No 1024/2013 of 15 October 2013 (SSM Regulation) and are therefore not subject to direct supervision by the ECB. Furthermore, the requirements also apply to CRD third-country branches within the meaning of Section 53c(1) KWG in accordance with Sections 53c-53cq. They also apply to branches of German institutions abroad. They do not apply to branches of companies with their seat in another state of the European Economic Area pursuant to Section 53b KWG.
Some requirements are only to be observed by institutions with a high NPL portfolio at the individual institution level or consolidated at the group level. These requirements are marked accordingly in the individual modules. For the applicability of these requirements, a threshold of non-performing loans (gross) of 5% or more applies.
2 Financial service institutions and large securities firms pursuant to Section 2(18) of the Securities Institutions Act (WpIG), which are obliged pursuant to Section 4 of this Act to apply Sections 25a, 25b, and 26c of the KWG, must observe the requirements of this Circular insofar as this appears justified due to the size of the institution and the nature, scope, complexity, and risk content of the business activities to comply with the statutory duties pursuant to Sections 25a, 25b, and 26c KWG. This applies in particular to Modules AT 3, AT 5, AT 7, and AT 9.
3 Parent companies of an institution group, a financial holding group, or a financial conglomerate must ensure that the requirements of this Circular are observed at the group level insofar as this appears sensible and necessary for appropriate risk management at the group level pursuant to Section 25a(3) KWG. This includes:
Design of Risk Management at Group Level The specific design of risk management at the group level depends in particular on the nature, scope, complexity, and risk content of the business activities conducted by the group, the size of the group, and the corporate law possibilities.
AT 2.2 Risks 1 The requirements of this Circular relate to the management of risks that are material to the institution. To assess materiality, management must regularly and on an ad-hoc basis gain an overview of the institution's risks as part of a risk inventory (overall risk profile). The risks must be captured at the level of the entire institution, regardless of in which organizational unit the risks were caused.
In principle, at least the following types of risks are to be classified as material: Risk Concentrations In addition to risk positions against individual counterparties that represent a risk concentration solely due to their size, risk concentrations can arise both through the correlation of risk positions within one risk type ("intra-risk concentrations") and through the correlation of risk positions across different risk types (due to common risk factors or interactions of different risk factors of different risk types - "inter-risk concentrations").
Information and Communication Technology Risks
BA 54 - MaRisk dated 30.06.2026 Federal Financial Supervisory Authority (BaFin) Page 10 of 82 a) Counterparty default risks (including country risks), b) Market price risks, c) Liquidity risks, and d) Operational risks.
For the risk types listed here as fundamentally material, a separately documented materiality analysis may be omitted. Risk concentrations associated with material risks must be taken into account. Appropriate measures must be taken for risks classified as immaterial.
A threshold of 5% relative to the risk coverage potential is recognized as appropriate as the materiality threshold from an economic perspective.
Information and Communication Technology Risks (ICT Risks) are a component of operational risks and must be explicitly included in the risk inventory.
2 The institution must, as part of the risk inventory, examine which risks can significantly impair the asset position (including capital adequacy), earnings position, or liquidity position. The risk inventory must not be oriented solely at the impacts in financial accounting or formal legal structures. With regard to a holistic risk inventory, risks from off-balance sheet corporate structures must also be considered (e.g., risks from non-consolidated special purpose vehicles).
3 When assessing materiality as part of the risk inventory, the design of the internal control system (risk capacity concept, risk steering and controlling processes, processes within structural and process organization), the (risk) strategy, and reporting, the impacts of ESG risks must be appropriately considered.
This involves basing the assessment on various plausible scenarios that are in line with scientific findings. Relying solely on historical data is not sufficient. The assessment must take place from both a short- and medium-term perspective as well as over a long time horizon.
Consideration of ESG Risks ESG risks (ESG: Environmental, Social, Governance) are understood as events or conditions in the areas of environment, social issues, or corporate governance that act as risk drivers/factors and thus radiate onto the risk types listed in para. 1 a) - d) and other material risk types.
AT 2.3 Business Activities 1 The Circular further clarifies and details the particularly risk-relevant business types: credit business, trading business, and real estate business.
2 Credit business is fundamentally business (balance sheet assets and off-balance sheet business) with counterparty default risks.
Credit Business The classification as credit business applies regardless of whether the relevant positions are to be subject to securitization or not.
3 A credit decision is any decision on new credits, credit increases, participations, limit exceedances, the setting of borrower-related limits as well as counterparty and issuer limits, rollovers, and changes to risk-relevant facts that formed the basis of the credit approval (e.g., collateral, purpose of use). It is irrelevant whether this decision is made exclusively by the institution itself or jointly with other institutions (so-called syndicated business).
Rollovers With regard to the term "rollovers," no distinction is made between external and internal rollovers (e.g., internal extension of externally confirmed credit lines). Internal "monitoring templates," which serve solely for credit monitoring during the term, are not considered rollovers and thus not credit decisions.
Interest Rate Adjustments Interest rate adjustments following the expiry of interest fixation periods (which do not coincide with the total term) can be regarded as part of the overall credit contract that were (co-)reviewed before credit granting. Therefore, they are fundamentally not a separate credit decision.
Forbearance Forbearance does not constitute planned changes to the credit relationship from the outset and is thus to be qualified as a credit decision.
4 Trading business is fundamentally all transactions that constitute a business with crypto assets or a financial instrument pursuant to Section 1(11) KWG in the form of a) money market business, b) securities business, c) foreign exchange business, d) business in tradable receivables (e.g., trading in loan certificates), e) business in commodities, or f) business in derivatives.
Issuance Business The initial issuance of securities is fundamentally not trading business. However, the initial acquisition from an issuance constitutes trading business. In the initial acquisition, relaxations regarding the market fairness control are possible (see explanations to BTO 2.2.2, Settlement and Control in Trading Business, para. 5).
Traditional Commodity Business of Mixed-Economy Credit Unions The requirements for trading business apply mutatis mutandis to the traditional commodity business.
BA 54 - MaRisk dated 30.06.2026 Federal Financial Supervisory Authority (BaFin) Page 11 of 82 that form the basis and are concluded in the institution's own name and for its own account. Securities business also includes business in bearer bonds and securities lending, but not the initial issuance of securities. Trading business also includes agreements on return or repurchase obligations and securities lending transactions, regardless of the business subject. Receivables pursuant to letter d) are to be qualified as trading business if the institution has a trading intent based on suitable criteria.
5 Business in derivatives includes futures contracts whose price is derived from an underlying asset, a reference price, reference interest rate, reference index, or a pre-defined event.
Guarantees/Aval Guarantees/aval and similar do not fall under the derivative definition of this Circular.
6 Real estate business is business with real estate conducted on the institution's own account, where one of the following intentions is pursued: a) Acquisition or construction of real estate for income generation through leasing/renting, b) Acquisition or construction of real estate for resale (e.g., property developer business), c) Income generation through leasing/renting of existing real estate or resale.
In addition to direct real estate business, real estate business conducted on the institution's own account by subsidiaries of the institution pursuant to Section 290 of the German Commercial Code (HGB) is also considered real estate business of the institution, provided that the assets of the subsidiary consist exclusively or predominantly of real estate business or participations in real estate business. Subsidiaries are equated with companies in this respect to which institutions can jointly exercise a controlling influence.
Real estate business that serves predominantly the institution's own business operations is not considered real estate business.
Establishment of Parent-Subsidiary Relationships The acquisition of real estate is equated with the establishment of a relationship with a company that becomes a subsidiary, provided that the assets of the subsidiary consist exclusively or predominantly of real estate business or participations in real estate companies.
BA 54 - MaRisk dated 30.06.2026 Federal Financial Supervisory Authority (BaFin) Page 12 of 82 AT 3 Responsibility of Management and Supervisory Body AT 3.1 Overall Responsibility of Management 1 All members of management are responsible for the proper organization of business and its further development, regardless of internal allocation of responsibilities. Management only fulfills this responsibility if they can assess risks and take the necessary measures to limit them.
This also includes the development, promotion, and monitoring of an appropriate risk culture within the institution and the group. The management of a parent company of an institution group, a financial holding group, or a financial conglomerate is also responsible for the proper organization of business in the group and thus for appropriate and effective risk management at the group level.
Risk Culture The risk culture generally describes the manner in which...