With the last MaRisk amendment (Circular 10/2021, Minimum Requirements for Risk Management), a number of IT security issues were adjusted, which entailed major implementation efforts. A little more than a year later, the German Federal Financial Supervisory Authority (BaFin) has now published its draft of the 7th MaRisk amendment for consultation.
IT security and IT risks play an important role both in the financial market and in the regulatory environment, driven by increasing digitalization and the geopolitical situation. Against this background, we examine the extent to which BaFin addresses these issues in the new MaRisk amendment.
1. Topic overview
First, we take a brief look at the changes made by BaFin. They relate in particular to the following six regulatory areas of MaRisk.
1.1 Loan origination and monitoring requirements (AT 4.3.5)
The focus of the new MaRisk amendment is on the implementation of the European Banking Authority’s (EBA) guidelines on loan origination and monitoring (EBA/GL/2020/06). These are the EBA’s final work package from the Economic and Financial Affairs Council’s (ECOFIN) action plan on non-performing loans. They are intended to counter future crises involving a widespread deterioration in the credit quality of portfolios through requirements for more risk-sensitive lending.
The implementation of the guidelines will play a major role for the banking and financial services sector. This is true in view of the challenges posed by the expansion of the existing credit process flow, but also because the guidelines bring new opportunities with them. The harmonization of requirements and their higher level of detail compared with MaRisk favor a standardization of loan granting and enable process automation to be driven forward more consistently. Similarly, the necessary data collection promotes the digitization of information and thus its more efficient processing. The data collection process is also a key factor in the development of new products and services, particularly with regard to ESG factors (environmental, social, and corporate governance).
In the course of implementing EBA guidelines in general, BaFin has also indicated that in the future it will rely more heavily on references to European requirements. To date, it had incorporated their contents into MaRisk and other national requirements. The new approach had already been announced in advance in the MaRisk expert committee, where it met with criticism from national participants. However, because it allows European guidelines to be implemented more quickly, BaFin will make greater use of this referral practice than in the past.
1.2 Innovations on real estate transactions (New – BTO 3)
Real estate transactions have not yet been explicitly regulated by MaRisk. The 7th amendment is intended to change this, as the real estate business is becoming increasingly important and, in contrast to the traditional lending business, hardly any organizational and procedural measures have been defined for it to date. This leads to ambiguities that BaFin would like to address.
Accordingly, the amendment introduces requirements for the organizational structure and processes which are based on those already known from the lending business and are tied to thresholds.
1.3 Business model analysis (AT 4.1, 4.2, 4.3.2, BT 3.1)
BaFin saw the need to clarify terms and existing requirements for the institutions’ business model analysis. Accordingly, adjustments were made to various modules. BaFin now requires that the business planning and capital planning of the institutions interlock. For the assessment of the business model, it will also require a report on the earnings and business situation of the institution, in addition to the risk report.
1.4 Home Office Trading (BTO 2.2.1)
In view of increasing digitalization and the experience gained during the coronavirus pandemic, trading activities from the home office have been permitted on a permanent basis for the first time, despite the high regulatory requirements. On-site presence is thus considered less critical to the smooth running of such activities than access to trading platforms. It is important, however, that operations from the business premises must be ensured in an emergency, and accordingly a minimum on-site attendance must be maintained.
Working from home means transferring the requirements relating to IT security, among other things, from the business premises to the home office. Policies must be in place to ensure that systems are stable, that an adequate level of IT security is guaranteed, and that confidentiality is maintained. Furthermore, the home office location must be firmly defined. Although this opens up the ability to work from home, it does not meet the increasing demand for mobile working from arbitrary locations.
1.5 Inclusion of sustainability risks
ESG risks are high on the agendas of various regulatory authorities for the upcoming year. Accordingly, sustainability is also reflected in MaRisk. BaFin has already provided institutions with guidance in the form of a fact sheet on dealing with sustainability risks, which included the recommendation to adapt risk management and to deal strategically with ESG risks. BaFin is now making this mandatory by including it in MaRisk. The aim is to ensure that institutions adequately manage these risks depending on their business model and risk profile.
1.6 Regulations for promotional banks (AT 4.4.1, 4.4.2)
BaFin had already extended the scope of application of certain requirements in the sixth MaRisk amendment and has now examined the extent to which these should also apply to promotional banks. Relevant here are the requirements of AT 4.4.1 in the context of risk controlling and AT 4.4.2 in the context of compliance, which result from the EBA guidelines on internal governance (EBA/GL/2017/11).
These requirements are applicable to promotional banks with total assets of more than €70 billion.
2. Consequences for IT security
Although the 7th MaRisk amendment entails various innovations, there are few points of contact with the topic of IT security. Essentially, the innovations concerning “trading from the home office” should be noted here: such trading should only be possible in compliance with an IT security standard equivalent to the one applicable on the business premises. As a result, the 7th MaRisk amendment is likely to entail only a small implementation effort from an IT security perspective.
In the future, however, BaFin’s new referral practice will be relevant in any case. It is to be expected that the user-friendliness of MaRisk will decrease noticeably as a result. A careful examination of MaRisk alone will no longer be sufficient to identify all the requirements; instead, the European requirements to be implemented will also have to be read and examined in parallel.
We at ADWEKO are happy to assist you with IT security and support you with our expertise in the analysis, introduction and implementation of new requirements. Please feel free to contact us!