
BaFin circulars

Article from BaFin's 2017 annual report

Amendments to the MaRisk

On 27 October 2017, BaFin published the revised Minimum Requirements for Risk Management in banks (Mindestanforderungen an das Risikomanagement – MaRisk) [1]. They contain significant amendments relating to data aggregation, risk reporting, risk culture and outsourcing [2].

Stricter requirements for data aggregation

BaFin has tightened the requirements for data aggregation in order to ensure that the relevant information reaches the responsible decision-makers quickly. The new AT 4.3.4 module applies only to global and other systemically important institutions. Their IT infrastructures must be capable of aggregating the risk positions comprehensively and accurately and of providing this information to the bank's reporting systems in a timely manner.

In addition to meeting requirements relating to principles for data management, data quality and the aggregation of risk data applying across institutions and groups, the institutions are required to define responsibilities and establish controls for all steps in the processes. A department that is independent of the organisational units responsible for initiating or concluding business transactions must monitor whether employees are complying with the institution's internal rules, procedures, methods and processes.

Risk reporting

BaFin has brought together the existing risk reporting requirements and expanded them to include requirements from BCBS 239 in the new BT 3 module. It is directed to all institutions, although the principle of proportionality of course continues to apply. All institutions must prepare regular risk reports and be in a position to generate risk information at short notice if required. The risk reporting must be comprehensible and meaningful and must not only describe the risk situation but provide an evaluation as well.

Corporate and risk culture

BaFin has also intensified the regulatory focus on corporate and risk culture. The basis for this is the AT 3 MaRisk module. The module requires management to develop an appropriate risk culture, and to integrate and promote it within the institution. The aim is to create an awareness of risk at all levels of an institution, which shapes the everyday thoughts and actions of all employees.

BaFin requires senior management and also other levels of management to provide a clear definition of the types of conduct that are desirable and those that are undesirable. The key precondition for this is that responsibilities are clearly defined at all levels and that employees are aware of the consequences of any infringements. A code of conduct, as required by AT 5, is a major help.

Outsourcing

The amended MaRisk also set out the detailed requirements for the outsourcing of activities and processes. Risk control and the compliance function, as well as internal audit, should remain within the institutions as far as possible in the future. The complete outsourcing of the control functions and internal audit is now possible only in certain exceptional cases. The MaRisk also make it clear that an institution which outsources activities and processes in control and core banking areas must continue to have the expertise and experience to ensure that the services of the outsourcing provider are monitored effectively. The MaRisk additionally require institutions with extensive outsourcing arrangements to have a central outsourcing management function, able to support the management in controlling and monitoring the risks associated with outsourced activities and processes.

BAIT: Supervisory Requirements for IT in Financial Institutions

In November 2017, BaFin published the Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT – BAIT) [3]. The BAIT now form a central component of BaFin's IT supervision of credit and financial services institutions in Germany. The requirements are addressed to the institutions' senior management [4].

The aim of the BAIT is to create a comprehensible and flexible framework for the management of IT resources, IT risk and IT security. The BAIT are intended to contribute to raising the awareness of IT risk throughout the institutions and with respect to the outsourcing providers. BaFin has also made clear its expectations for the management and monitoring of the IT operation in the BAIT.

Interpretation of supervisory standards

BaFin interprets the statutory requirements of section 25a (1) sentence 3 nos. 4 and 5 of the German Banking Act (Kreditwesengesetz) in the BAIT. It sets out in detail what it understands by adequate technical and organisational IT resources, in particular with respect to IT security and an adequate contingency plan.

Since the institutions are continually increasing their purchases of IT services from third parties, the BAIT also interpret section 25b of the Banking Act. This section governs the outsourcing of activities and processes.

The BAIT address important issues in detail, and this is intended to assist the institutions in putting in place a proper business organisation, including with respect to the IT infrastructure and their internal and external dependencies. However, the BAIT should not be regarded as a comprehensive catalogue of requirements. In accordance with module AT 7.2 of the MaRisk (technical and organisational resources), which requires IT systems and the associated IT processes to be based on common standards, the banks are still required to observe currently applicable standards when implementing the BAIT.

The principle of dual proportionality also applies in full to the BAIT, as it does to the MaRisk. According to that principle, both the management tools available to a bank and the intensity of supervision should match the risks of the institution.

Raising IT risk awareness

A central objective of the BAIT is to raise the awareness of IT risk in the institutions – especially at management levels (see info box "IT risk").

IT strategy

The most important requirement with respect to the IT strategy is that the management board regularly addresses the strategic implications of the different aspects of IT for the business strategy.

IT governance

The management board is also responsible for the effective implementation of the rules on IT governance within the institution and in dealings with third parties. In particular, it is responsible for ensuring that the IT risk and IT security management functions, the IT operations and the development of applications are adequately staffed. This is important from BaFin's point of view so that the risk of any qualitative or quantitative under-resourcing of these areas can be identified at an early stage and eliminated as swiftly as possible.

Information security management

The management board is responsible for agreeing on an information security policy in the light of the institution's risk situation and publishing the policy internally. The protection requirements defined as part of the information risk management system should be specified in detail in the form of information security guidelines. The information security officer has central responsibility for maintaining and monitoring information security within the institution and with regard to third parties. This function must be established on an independent basis with respect to the organisation and business processes.

Further development of the BAIT

The modular structure of the BAIT allows BaFin to make changes or additions if they become necessary in the light of new international or national requirements. Currently, for example, BaFin is considering what additions to the BAIT are required to implement in full the "Fundamental Elements of Cybersecurity for the Financial Sector" published by the G-7 nations in October 2016.

Circular on interest rate risk

BaFin has revised its Circular 11/2011 (BA) on interest rate risk in the banking book and published the proposed amended version for consultation in the fourth quarter of 2017. The purpose of the revision was to transpose the EBA guidelines on the management of interest rate risk dated May 2015 into German administrative practice, to the extent that this had not already been implemented with the publication of the Minimum Requirements for Risk Management (MaRisk) dated 27 October 2017 (section BTR 2.3). The German Banking Industry Committee submitted wide-ranging comments on the Circular and put forward a number of suggested changes, including in particular changes designed to avoid double reporting. At the time of going to press, it was not yet clear whether these changes to the Circular could be made without compromising the implementation of the EBA guidelines.

The principal changes are the inclusion of negative interest rates, the removal of the alternative procedure for banks unable to measure interest rate risk in present value terms, the inclusion of direct pension obligations and currency aggregation, and the option of presenting margins in accordance with internal procedures. In future, the institutions will be able to use cash flows excluding margins for the purpose of calculating interest rate risk, i.e. cash flows based on the internal rate of interest or on the money and capital market rate of interest for the corresponding maturities. This is subject to the condition that they reflect the risk resulting from margins in their internal risk management procedures, for example in the management of business risk.

The permitted option of an alternative procedure enabling banks unable to measure interest rate risk in present value terms to calculate an approximation of their risk is no longer necessary, since the new MaRisk require the institutions to measure their interest rate risk in present value terms as well as from an earnings point of view. In future, therefore, banks will have to take both risk management perspectives into account.

Basel rules not pre-empted

The planned amendments to the Circular on interest rate risk are not intended to pre-empt the future Basel rules on the measurement and management of interest rate risk in the banking book, since these have not yet been codified at European level. The Circular therefore remains limited, as before, in particular to the requirements for calculating the effects of a parallel shift of 200 basis points upwards and downwards in the yield curve; the rules for the remaining four present value Basel shock scenarios have not yet been finalised. Apart from that, it is BaFin's intention in implementing the current EBA guidelines to anticipate foreseeable changes in the European legislative process in some respects, in order to keep down the renewed costs of transition for the institutions.

BaFin has responded to the comments submitted during the consultation process by making individual changes to the draft. As a result of these changes, among other things, double reporting by the systemically important institutions to the European Central Bank (ECB) and the national supervisory authorities is avoided and definitions are clarified, for example, with respect to the pension obligations to be included as well as supervisory measures in response to particular threshold values for the level of interest rate risk.

Footnotes:

  1. www.bafin.de/dok/10149454.
  2. See BaFinJournal November 2017, page 19 f. and see BaFin website at https://www.bafin.de/dok/10286932.
  3. See BaFinJournal January 2018, page 17 f. and see BaFin website at https://www.bafin.de/dok/10441546.
  4. See also chapter I 2.
