
Amendments to the MaRisk

Article from BaFin’s 2016 annual report

BaFin plans to publish a revised version of its Minimum requirements for risk management (MaRisk) in the second quarter of 2017. BaFin had submitted the draft for consultation on 18 February 2016. The essentially principles-based character of the MaRisk has been retained. This enables BaFin to preserve its necessary scope for flexibility in implementing the requirements in practice.

One of the central reasons for revising the MaRisk was the transposition of BCBS 239, the BCBS principles for effective risk data aggregation and risk reporting [1], into German supervisory practice. BaFin and the Bundesbank saw a particular need for improvements in the provisions relating to the capabilities of IT systems. Other objectives of the amendments were to establish an appropriate risk culture and to expand and clarify the requirements for outsourcing.

Risk data aggregation

The new module AT 4.3.4 of the MaRisk implements the BCBS requirements for risk data aggregation, which are of a somewhat technical nature. The module is intended to help improve the IT infrastructure of larger and more complex institutions. It is intended to ensure that institutions aggregate their risks on an up-to-date and accurate basis using automated processes as far as possible.

The new module is specifically aimed at global systemically important and other systemically important institutions [2] within the meaning of sections 10f and 10g of the German Banking Act (Kreditwesengesetz). The objective is to provide decision-makers at these banks with important data and information concerning internal reporting, enabling them to respond immediately to changes in the institution's risk situation and its economic environment. This can only happen if the data are as complete, accurate and up-to-date as possible. The banks will need to expand their capabilities for risk data aggregation and redesign their IT systems, which is bound to require a considerable effort. However, this should result in a noticeable improvement in the quality of reporting.

In order to organise the requirements for risk reporting in a clearer manner, BaFin has brought the previously existing risk reporting requirements together in a new module BT 3 and added additional provisions on a selective basis. The module is directed at all institutions, but makes it clear that the way they implement it must be proportional.

Appropriate risk culture

The development, encouragement and integration of an appropriate risk culture within an institution, as now demanded by the revised module AT 3, goes beyond the previous MaRisk requirements for an appropriate risk management system. The objective of those requirements was to ensure that institutions remained strictly within the levels of risk acceptance defined by management. But an appropriate risk culture goes further. BaFin based the structure of the module on international initiatives such as the Financial Stability Board's guidance on supervisory interaction with financial institutions on risk culture dated 7 April 2014. The real purpose is to promote conscious analysis of risk in the institutions’ day-to-day business and to firmly anchor this risk assessment in their corporate culture. The aim is to create an awareness of risk at all levels of the institutions, which shapes the everyday thought and action of all employees and decision-makers. This is intended to build up a system of values that demands economically and ethically desirable behaviour and ensures that undertakings are successful in the long term. Among other things, this requires a critical dialogue on risk-relevant topics to be initiated within an institution and encouraged by its management.

Outsourcing

Experience gained from supervisory practice and frequent questions relating to outsourcing prompted BaFin to clarify and add to the relevant requirements in module AT 9 of the MaRisk. The declared aim was to define the limits for outsourcing more clearly, especially in relation to risk control, compliance and internal audit.

It is now only possible to fully outsource the risk control function subject to strict preconditions. Only small institutions with very limited resources are permitted to outsource the compliance and internal audit functions, as further important control areas, in their entirety. However, it continues to be possible to outsource individual activities or processes in the control areas referred to. A new provision is that BaFin now requires a central outsourcing management system. Institutions with extensive outsourcing solutions, at least, will have to establish such systems in future. Other amendments clarify existing requirements such as those relating to sub-outsourcing, the distinction between outsourcing and external procurement or dealing with unforeseen terminations of outsourcing arrangements.

Entry into force

The new version of the MaRisk will come into effect upon its publication. Only the updated previous requirements must be implemented immediately, in order to allow the institutions sufficient time to adjust. The institutions have been granted one year for implementing the new requirements, and three years for the provisions of the new module AT 4.3.4 on risk data aggregation.

Footnotes:

  1. Principles for effective risk data aggregation and risk reporting (BCBS 239).
  2. See Recovery and restructuring.
