The increase in work being done from home, the real estate market boom that has been going on for years, the issue of sustainability and, last but not least, the Guidelines on Loan Origination and Monitoring of the European Banking Authority (EBA): all of these are having an impact on institutions’ risk management. BaFin has therefore taken these developments into account in the now seventh amendment to the MaRisk. Preceding the release of this latest version of the requirements was a four-week consultation: BaFin had published the draft amendment and given the financial industry the opportunity to comment on it. More than 120 companies and associations provided feedback on the draft.

In the MaRisk, BaFin clearly sets out how it will apply indeterminate legal terms, as used in the German Banking Act (Kreditwesengesetz – KWG) for example, in supervisory practice. In addition, BaFin provides institutions with reliable criteria for appropriately designing their internal risk management. The requirements are designed in such a way that all institutions can apply them. Furthermore, they are so flexible that they also grant the supervised companies a degree of freedom: institutions are able to implement the requirements in a customised manner and at the same time in accordance with the law. BaFin first published the MaRisk in 2005.

EBA Guidelines on Loan Origination and Monitoring integrated

On 29 May 2020, the EBA published the German version of its Guidelines on Loan Origination and Monitoring. In general, guidelines issued by the European Supervisory Authorities (ESAs) must be transposed into national rules within a certain time limit. In Germany, BaFin is the authority responsible for this. It transposes the European guidelines into its own requirements for the German entities it supervises – for example, into circulars such as the MaRisk.

Some of the new requirements set out in the EBA guidelines were already included in the previous MaRisk. Other requirements for credit institutions are new, however – such as more nuanced and more specific rules for the lending process, depending on the category of borrowers (e.g. collateralised consumer loans or loans to small and microenterprises) and the type of financing (e.g. commercial real estate or project financing) in each case.

There are also new requirements for risk classification and, based on this classification, for drafting the contractual terms: institutions must consider more criteria when determining the creditworthiness of potential clients. In addition, they must be even more diligent in valuating collateral: as soon as there is reasonable doubt about a borrower’s ability to repay even under normal circumstances, the bank must calculate scenarios simulating a deterioration of the borrower’s creditworthiness. The results of these assessments must be taken into account in the drafting of the contract.

BaFin has now integrated all the EBA’s new requirements into the amended MaRisk: in some cases the MaRisk only include references that point to the relevant parts of the EBA Guidelines. This is the case, for example, with the processes used by banks to monitor their loan portfolios and the collateralisation. BaFin has revised all the other passages in such a way that they now fully reflect the EBA requirements for credit processes – it is thus no longer necessary to look them up in the original text of the EBA Guidelines.

Risk management models: closing the regulatory gap

The EBA Guidelines set out very extensive new requirements regarding institutions’ risk management models. BaFin has specified these criteria in a new section of the MaRisk: in module AT 4.3.5, in the General Part of the MaRisk. The new module regulates the data quality, validation and explainability of models used by institutions for their risk management.

If these types of procedures – such as scoring procedures for the granting of fast-track loans – are also used in the market, their results must be explainable. Specifically, if a bank rejects a loan application through an automated procedure, it must also be able to explain to clients its decisive criteria for rejecting the application and allow them to prove their creditworthiness by submitting further documents.

It must be borne in mind, however, that the requirements are technology-neutral – i.e. they apply irrespective of which digital tools banks actually use for risk management. Furthermore, the requirements regulate both the use of simple models and the use of advanced models that apply artificial intelligence and machine learning. These requirements thus fill a regulatory gap, since the European guidelines – like the MaRisk – did not sufficiently cover these innovative technologies in the past.

New module for institutions’ own real estate

In the last few years, many credit institutions have purchased real estate in order to benefit from the booming real estate market. The new module BTO 3 is BaFin’s response to this development. In this module, BaFin sets out requirements for voting, valuation and risk analysis for real estate investments. However, the requirements only apply if an institution’s own real estate holdings amount to more than two percent of its total assets or exceed the threshold of EUR 30 million. Real estate funds are not affected by the new requirements.

The reason for this is that by buying their own real estate, some banks are expanding their business strategy and taking on additional risks. The end of the boom in the real estate market and the end of the period of low interest rates, for example, could have a diminishing effect on the expected returns. The amendment to the MaRisk will help to ensure that banks are adequately managing such a risk.

Trading from home: pandemic-related regulations still applicable

During the COVID-19 pandemic, BaFin permitted securities trading from home – albeit only under certain conditions. The technical requirements were obvious: since it was essential to ensure that consultations and transactions could be carried out without disruption, traders were required to have the appropriate IT access to trading platforms outside the institutions’ business premises. Furthermore, the workplace at home had to comply with all regulatory requirements as they applied within business premises before the pandemic – for example, in terms of transaction security, IT security, data protection and confidentiality, also with regard to inside information.

At that time, BaFin stipulated that a trader’s home workplace had to be at a specified location. These home office arrangements had to enable confidential business transactions. In addition, institutions had to ensure that trading could be transferred to business premises in the event that (technical) problems arose in the context of the home office.

These simplified requirements will continue to apply for the time being. If international regulation should adopt differing standards, however, BaFin will adapt its requirements as necessary.

ESG risks: scientific findings helpful

In its Guidance Notice on Dealing with Sustainability Risks, BaFin has provided the institutions it supervises and other financial sector companies under its supervision with help on how to handle sustainability risks. The Guidance Notice defines the term “sustainability” in accordance with the environmental, social and governance (ESG) concept.

BaFin had received a great deal of feedback on this subject during the consultation process. The amended MaRisk now make clear that institutions are expected to measure their ESG risks using science-based scenarios. It is therefore neither necessary nor advisable for banks to make their own assumptions about climate change or about the transition to a sustainable economy. Instead, for example, they can make use of the scenarios developed by generally recognised institutions or networks and transfer them to their own business model.

The principle of proportionality also plays a particular role in this regard. Depending on how much they are exposed to ESG risks, e.g. because of their business model, smaller institutions are allowed to conduct a simplified risk assessment: for example, by reducing the complexity of the scenarios to be considered, by focusing the analysis only on the most affected exposures or portfolios or by choosing a solely qualitative approach for long-term considerations.

Transitional period for new requirements

The new version of the MaRisk will enter into force on 29 June 2023. As in the past, the revised MaRisk set out some clarifications that describe BaFin’s current administrative practice in detail. Such requirements are to be applied immediately after publication. The transitional period for implementing the changes that entail new requirements will run until 1 January 2024.