
Published: 11.12.2017 | Topic: Risk management

MaRisk: New Minimum Requirements for Banks' Risk Management

On 27 October 2017, BaFin published the revised version of the Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement der Banken – MaRisk - only available in German), which came into effect immediately. The old version of December 2012 was revised on account of extensive developments in the field of international banking supervision and regulation and in response to changing market conditions. The amendments also incorporate experience acquired by BaFin and the Deutsche Bundesbank in their day-to-day supervisory activities and in inspections. Key changes detailed in this article relate to data aggregation, risk reporting, risk culture and outsourcing.

The more complex markets become, the better prepared banks need to be in order to be able to react to newly emerging risks. Weaknesses in corporate governance can have substantial consequences, not only for the financial sector, but also for the economic system as a whole. For this reason, the new MaRisk provide a stronger foundation for sustainable corporate governance. Key tools here are bank-internal systems of checks and balances and risk awareness within institutions. The established principles-based character of the MaRisk has been preserved, allowing the banks enough leeway with regard to their practical implementation of the requirements.

During the consultation in spring 2016, banks and banking associations were given the opportunity to comment on the draft (see BaFinJournal April 2016 (only available in German)). Various aspects from these comments and from the subsequent discussions have been incorporated into the final version of the MaRisk and will serve to facilitate the banks’ practical implementation of the requirements.

International developments

At a glance: Entry into force

The new version of the MaRisk entered into force upon publication. However, BaFin grants institutions a year to implement requirements that are entirely new and that do not simply clarify existing requirements. In accordance with the principles of the Basel Committee on Banking Supervision (BCBS), the timeline for implementing the requirements relating to data aggregation (module AT 4.3.4) is three years. Additional details are explained in the accompanying notes to the MaRisk (only available in German).

2014 not only saw the complete restructuring of European banking supervision through the transfer of the supervision of significant institutions in the eurozone to the European Central Bank; the regulatory requirements for banks were also increased through the Capital Requirements Directive IV (CRD IV) and the Capital Requirements Regulation (CRR).

Several papers issued by international standard-setters introduced further requirements for banks' risk management. In 2013, the Basel Committee on Banking Supervision (BCBS) published its "Principles for effective risk data aggregation and risk reporting". Two years later, it published its revised "Corporate governance principles for banks". In 2014, the Financial Stability Board (FSB) published its "Guidance on Supervisory Interaction with Financial Institutions on Risk Culture" (see also BaFin expert article).

Data aggregation: systemically important institutions

In order that risks can be identified and managed promptly, it is crucial that the relevant information quickly reaches the responsible decision-makers. To facilitate this, data must be made available within a very short space of time, and must also be as complete and precise as possible. Reliable risk data is above all important in times of stress. The supervisory authorities have identified shortcomings in this area, particularly in larger, complex institutions.

For this reason, BaFin has increased the requirements for data aggregation. The new module AT 4.3.4 of the MaRisk applies solely to global systemically important institutions and other systemically important institutions. Their IT infrastructure must facilitate comprehensive and precise aggregation of risk exposures and must promptly make this information available to the banks' reporting systems. As a result, not only can information required for risk identification, monitoring and controlling be generated more quickly, but institution and group-wide decision-making processes can also be improved.

The data structure and hierarchy must ensure that data can be clearly identified, aggregated and evaluated. To this end, principles for data management, data quality and the aggregation of risk data, to be applied on an institution-wide and group-wide level, must be specified, approved and implemented by the management board. In addition, responsibilities must be defined for all process steps and controls must be put in place. A unit that is independent from the organisational unit that initiates or concludes transactions must also check whether staff members comply with the institution's internal regulations, procedures, methods and processes.

Risk reports: all institutions

BaFin has brought together the requirements for risk reporting in the new module BT 3. This is directed at all institutions. The principle of proportionality, of course, continues to apply (see also interview with Raimund Röseler). The new module does not change the frequency of reporting. As before, the management board is required to inform the supervisory board of the institution’s risk situation in writing on a quarterly basis, and is also required to promptly submit material risk-related ad hoc information to the supervisory board. Nonetheless, BaFin expects that, as a result of the requirements of AT 4.3.4, systemically important institutions will prepare reports more quickly than has sometimes been usual up to now.

All institutions must prepare regular risk reports and be able to produce risk information on a timely basis as necessary. Risk reporting must be comprehensible and meaningful and must provide both a presentation and an assessment of the risk situation. The MaRisk also clarify that risk reports must be based on complete, accurate and up-to-date data. These requirements should be understood in proportion to the institution's business activities and the risks taken: all institutions should produce information in the quality actually required to control and monitor risks. The benchmark for systemically important institutions is therefore much higher than for smaller, less complex institutions. In addition, risk reports must contain an assessment of future risks. Where necessary, the risk report must also include proposals for action, for example on mitigating risk. The reports must separately address particular risks to business development and the management board’s intended remedial measures.

Risk culture

Current discussions surrounding letterbox entities (Panama Papers) and dividend stripping, or cum/ex trades, have made one thing clear: conduct that is at the very least morally questionable, without regard to the matter of legality, does not only directly affect an individual institution, it also weakens trust in the banking sector as a whole. Consequently, BaFin has intensified the focus of its supervisory activities on corporate culture and risk culture.

AT 3 of the MaRisk provides the foundation for this. In future, the management board will be required to develop a suitable risk culture and to integrate and promote this within their institutions. The objective is to promote risk awareness that shapes the way employees across all levels of the institution think and act on a daily basis. Employees should deal with risks consciously and critically in their day-to-day activities. This requires clear communication from the management board, and from other management levels, as to what behaviour is and is not desired. It is also essential that responsibilities across all levels of an institution are clearly specified and that employees are aware of the consequences of possible breaches. A code of conduct, as is now required by AT 5, is an important tool here.

A sound risk culture also requires a critical internal dialogue on key risk issues, one that is supported by management. If employees and management are open to alternative points of view, decisions will be made with consideration for all relevant factors.

Key factors for motivating staff to adhere to an institution's value system and avoid taking inappropriate risks include a suitable incentive structure and a remuneration system geared towards sustainability. However, ethically and economically desirable behaviour should not only be reflected in employees' pay. Important incentives may also include awards and other career-enhancing reward systems.

Outsourcing

The new MaRisk also specify the requirements relating to the outsourcing of processes and activities, as BaFin has frequently observed shortcomings in this area. The requirements primarily provide greater clarification regarding the limitations of outsourcing. Managing particular risks associated with outsourcing should be arranged more effectively, above all to avoid loss of control and loss of expertise.

In future, therefore, the risk control function, the compliance function and the internal audit function must remain within institutions as far as possible. Complete outsourcing of control functions and the internal audit function is only permissible for subsidiary institutions within a group, and is then only permissible under certain conditions. Simplified implementation is also envisaged for smaller institutions: these may still fully outsource both their compliance function and their internal audit function if establishing these functions internally does not seem appropriate taking into consideration the size of the institution as well as the nature, scale, complexity and riskiness of the institution’s business activities. Outsourcing individual activities and processes of the control functions and the internal audit function, however, remains a possibility for all institutions.

The MaRisk also specify that the institution must still possess the knowledge and experience required to ensure effective monitoring of the services performed by the external service provider in the event that activities and processes in the control and core bank areas are outsourced. The institution must also ensure that proper functioning can be continued in the outsourced area in the event that the outsourcing arrangement ends or the group structure changes. The MaRisk also require central outsourcing management, at least from institutions with extensive outsourcing arrangements. This is intended to ensure that a central unit has an overview of outsourced activities and processes and is able to support the management board in controlling and monitoring the associated risks. Central outsourcing management must submit to the management board a report regarding material outsourced activities and processes at least once a year. This report must provide an assessment of whether the services performed by the external service provider correspond to the contractual agreements, whether the outsourced activities can be appropriately controlled and monitored and whether any further risk mitigation measures should be taken.

Finally, additional clarification is also provided concerning subcontracting, the distinction between outsourcing and other external procurement of goods and services, particularly with regard to software used, and dealing with unintended terminations of outsourcing arrangements.

Please note

This article reflects the situation at the time of publication and will not be updated subsequently. Please take note of the Standard Terms and Conditions of Use.
