Published: 15.03.2013 08:32 AM, Markus Hofer, BaFin

New MaRisk for Banks

BaFin has revised the Minimum Requirements for Risk Management for Banks – the main points at a glance

BaFin presented a revised version of its Minimum Requirements for Risk Management for Banks and Financial Services Institutions (MaRisk) in mid-December 2012. Just two years have passed since BaFin last revised MaRisk, thereby transposing international regulatory requirements into German supervisory practice. However, in the course of 2011 it became clear that MaRisk would have to be revised once again. This was due to a number of additional developments in banking regulation, including some affecting risk management.

The revision of the EU Capital Requirements Directive (CRD) is the most obvious example. This revision primarily serves to transpose the new Basel framework on banking regulation, Basel III, into European law. This work, which is referred to as CRD IV, is still underway at this time and will culminate in a new EU regulation, the Capital Requirements Regulation (CRR), as well as a considerably amended CRD. Parallel to this, German legislators are working on implementing these future EU requirements, which will yield a completely revised Banking Act (Kreditwesengesetz – KWG).

EBA guidelines and ESRB recommendations

The European Banking Authority (EBA) was also busy during this time. In October 2011, it published its Guidelines on Internal Governance, which – as the name suggests – deal with issues relating to appropriate governance for banks. Moreover, the Committee of European Banking Supervisors (CEBS) – the EBA's predecessor institution – issued its Guidelines on Liquidity Cost Benefit Allocation at the end of 2010, too late to be taken into account in the 2010 revision of MaRisk. Two recommendations by the European Systemic Risk Board (ESRB) also addressed granting foreign currency loans and refinancing in US dollars. This set out the framework for the revision of MaRisk.

BaFin began to develop a draft of MaRisk adjustments together with the Deutsche Bundesbank at the beginning of 2012. The focus at that time was primarily on the issues named above. BaFin also took into account aspects of administrative practice, integrating them into the draft, as it did in previous revisions. Many of these changes are primarily intended to clarify matters. Findings BaFin has gleaned from discussions in its MaRisk expert committee are also reflected in the new MaRisk. Key changes were made to the four MaRisk topic groupings: capital planning, risk control, compliance functions, and allocation mechanisms for liquidity costs, benefits and risks.

Capital planning process

MaRisk now requires every institution to have a procedure in place for planning its future capital requirements. This places a much greater emphasis on capital planning. MaRisk has also always contained a future-oriented component; in their internal process to ensure risk-bearing capacity, institutions must also analyse how planned modifications to their own business activities or strategic objectives as well as expected changes in the economic environment would impact future risk-bearing capacity.

BaFin has developed these fundamental ideas further in the capital planning procedure now required. In order to identify future capital requirements as early as possible, a period extending beyond the risk analysis horizon of the risk-bearing capacity concept (usually one year) must be reviewed. The capital planning procedure should thus comprise an appropriate period of several years. This should add a stronger future-oriented component to the risk-bearing capacity concept and enable institutions to implement necessary corporate actions early.

By its very nature, analysis of future risks under the capital planning procedure is not as precise as the risk-bearing capacity concept itself. Therefore, institutions have to work with plausible assumptions regarding the development of risks. However, the analysis must allow for potentially adverse unexpected developments that would be detrimental to the institution. This allows institutions to anticipate the impacts on capital resources and requirements should expectations of the development of risks and the risk-taking potential paint too positive a picture.

Risk control function

Significantly increasing the weighting of risk control for key business and risk policy decisions was and is avowedly one of the major regulatory objectives. The European Commission and EBA have expressly committed to this in their regulatory initiatives. It therefore comes as no surprise that both the Capital Requirements Directive and the EBA Guidelines on Internal Governance assign an important role to the risk control function and its head, the chief risk officer.

This is reflected in the new MaRisk; the head of the risk control function must occupy as high a position in the hierarchy as possible – in the case of major international institutions this must expressly be at executive level. This ensures that risk issues are given high priority, addressed early and approached with emphasis.

In accordance with the planned CRD and EBA guidelines, the head of the risk control function should perform his or her duties exclusively. However, depending on its size and the nature, scope, complexity and risk content of its business activities, the institution may deviate from this to ensure adherence to the principle of proportionality. Combining the risk control area with finance/accounting (chief financial officer) into one executive responsibility is thus no longer possible for large, internationally active institutions. Regarding further duties that cannot be assigned to the market or trading areas, BaFin will examine in each individual case the extent to which they align with the core responsibility of risk control (independent monitoring and communication of risks at the institution) and can thus be permitted to be assigned to the executive risk control function.

Compliance function

The revised MaRisk now also contains requirements that aim first and foremost at an appropriate compliance organisation and culture at the institution. The compliance issue is of course nothing new. Naturally, every company – no matter what sector – must ensure that it adheres to statutory and other legal requirements. This does not mean, however, that all legal areas must be scrutinised to the same extent by separate organisational functions or units. For this reason, it is customary to assign only certain legal areas, namely those that relate to special compliance-related risks, to a compliance function. From BaFin's point of view these necessarily include investment services, money laundering, prevention of (internal and external) fraudulent conduct, data protection and general consumer protection (e.g. in lending). Moreover, institutions are responsible, in accordance with MaRisk, for examining which areas present additional special compliance risks that are to be handled by the compliance function.

Supervisory compliance requirements already exist, for example, in the Securities Trading Act (Wertpapierhandelsgesetz – WpHG) and the provisions of the Banking Act (Kreditwesengesetz – KWG) on the prevention of money laundering. Thus, from the point of view of institutions, it would appear appropriate to examine the extent to which the extended compliance spectrum can be included in existing organisational structures. MaRisk contains no stipulations on this. As a general rule, it will continue to be possible to have a centralised or decentralised compliance function, i.e. by legal area. Connecting the compliance function to other control units, for example the risk control function, is also possible; however, institutions must observe special compliance requirements from other legal areas in terms of direct reporting obligations and organisational involvement of compliance officers. The possibility of the internal audit department performing compliance duties is excluded, however, as this department cannot and should not perform any procedure-relevant checks.

Allocation mechanisms for liquidity costs, benefits and risks

In the new MaRisk, BaFin has revised the requirements for allocating liquidity costs, benefits and risks by making them more specific, based on the Guidelines on Liquidity Cost Benefit Allocation issued by the EBA's predecessor CEBS, which are in turn based on the planned CRD. Institutions must now set up appropriate mechanisms, the size, type, scope, level of complexity, risk content and refinancing structure of which are specific to the institution.

To sufficiently address the principle of proportionality, BaFin has accordingly included differentiation in the implementation. This means that institutions with primarily smaller scale client business and stable refinancing can use a simple cost allocation system. Major institutions with complex business activities on the other hand must create a liquidity transfer price system that is characterised by costs, benefits and risks being internally transferred at centrally fixed prices.

The aim of such a system is to charge the assets tying up liquidity with the respective liquidity costs in a manner that justly allocates cost to its source, at transaction level if possible, thus creating an internal control effect. The holding period and market liquidity of assets naturally play an important part in this, so institutions have to take express account of these aspects. Furthermore, this kind of system must also allocate the costs for liquidity reserves to be maintained, although this allocation may also be undertaken separately. However, liquidity costs should be internally charged as closely as possible to their source.
