Banks and financial service providers are exposed to a wide range of risks, which they must control in order to operate successfully in the market and to secure their long-term survival. In view of the rapid developments on the financial markets, modern regulation cannot rely on compliance with quantitative indicators alone, but must focus in particular on institutions' risk management.
Minimum Requirements for Risk Management
This is where the Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement – MaRisk) come in. The MaRisk provide a comprehensive framework for the management of all significant risks based on section 25a of the German Banking Act (Kreditwesengesetz – KWG), which governs the organisational requirements for institutions with regard to their internal risk management. The MaRisk, which were developed in collaboration with industry professionals, provide a principles-based framework that gives institutions the flexibility to implement solutions individually. Moreover, the MaRisk contain numerous opening clauses which ensure that smaller institutions can also comply with the requirements in a flexible way.
The MaRisk have a modular structure. The General Section (AT modules) contains basic requirements for internal risk management including outsourcing standards. Special requirements regarding the organisation of the internal control system for particular types of business and types of risk and the organisation of the internal audit function are laid down in modules in the Special Section (BT modules).
The MaRisk have undergone several revisions due to recent developments and international regulatory initiatives. BaFin has published the current valid version as Circular 09/2017 (BA) (only available in German).
Banking Supervisory Requirements for IT
Like the MaRisk, the Banking Supervisory Requirements for IT (Bankaufsichtliche Anforderungen an die IT – BAIT) specify the statutory requirements laid down in section 25a of the KWG. The BAIT describe what BaFin considers to be suitable technical and organisational resources for IT systems, with particular regard to information security and suitable contingency plans. As institutions are increasingly obtaining IT services from third parties, including as part of outsourcing arrangements, the BAIT also set out the requirements for the external procurement of IT services.
BaFin has published the current valid version of the BAIT as Circular 10/2017 (BA) (only available in German).