On 16 August 2021, BaFin published the 6th amendment to its minimum requirements for bank risk management (MaRisk). In particular, this implements the guidelines of the European Banking Authority (EBA) on non-performing and deferred exposures as well as on outsourcing. In addition, there are some requirements from the EBA guidelines regarding the management of ICT and security risks. This sixth MaRisk amendment came into force immediately upon publication. The deadlines for implementation of new rules are in the letter sent to financial institutions.
MaRisk: BaFin publishes sixth amendment
With the 6th amendment, BaFin implements in particular EBA guidelines in its regulatory system, namely the EBA Guidelines on the Management of Non-Performing and Deferred Exposures (EBA/GL/2018/06), the EBA Guidelines on Outsourcing (EBA/GL/2019/02) and the requirements of the EBA Guidelines for the Management of ICT and Security Risks (EBA/GL/2019/04).
Furthermore, the 6th amendment contains a very significant change for so-called significant institutions according to the SSM Regulation. Requirements that previously applied only to systemically important institutions now also apply to the larger group of significant institutions.
The basic set of significant German institutions (directly supervised by the ECB) currently contains (as of Jul 2021) 20 German institutions, whereas the systemically important institutions comprise only 1 or 13 institutions, depending on the interpretation (global systemically important or otherwise systemically important).
This means that 20 German institutions must now meet the following MaRisk requirements:
- Requirements and strategic statements on risk data aggregation (see also BCBS239)
- A separate organizational unit must be set up for the compliance function
- The risk controlling function must always be headed by a managing director, who performs this leadership role on an exclusive basis
- Prepare risk reports on liquidity risks and the liquidity situation at least monthly
Significant changes compared to the consultation phase concern:
- dealing with non-performing receivables
- the entire outsourcing cycle from the risk analysis to the design of the outsourcing contract to the management and monitoring of the risks of outsourcing
- Risk management and controlling processes, IT and emergency management, risk-bearing capacity calculations and stress tests
- Data management, data quality, and aggregation of risk data
Dealing with non-performing loans (NPLs)
The incorporation of the EBA guidelines into national supervisory practice follows the principle of proportionality. This means that implementation may be scaled to the size, type, complexity and business model of the institution.
- Institutions with NPLs above 5% must develop a strategy by 2022 to reduce exposures over a realistic time horizon.
- In the future, high NPL ratios will mean that a specialised settlement unit will have to be introduced in risk controlling and NPLs will have to be listed separately in risk reports.
- The requirement must be met as soon as the NPL ratio is exceeded on two consecutive quarterly reporting dates.
- Credit institutions will have to set up solid forbearance processes in the future and develop a forbearance policy
- Adjustments to the monitoring cycle of collateral and expert rotation for real estate collateral
- Analysis of the interactions between recovery (cure) periods under the new definition of default, minimum coverage requirements for NPEs, and additional process and governance requirements for institutions with high NPE stocks
Requirements for outsourcing management
For the control and monitoring of outsourcing, the minimum requirements now provide for an in-depth risk analysis that goes beyond the previous requirements.
- When outsourcing, institutions should take into account not only information and audit rights, but also rights of access to premises, systems and data
- An outsourcing officer is to take over the control and monitoring of the outsourcing activities. In the case of complex outsourcing, a central outsourcing management system is intended to support this. This can also be set up at the level of the group or the federation.
- An outsourcing register shall be established to record the parameters set out in points 54 and 55 of the EBA Guidelines.
From the guidelines for the management of ICT risks, MaRisk implements requirements for emergency management in the revised section AT 7.3.
- Time-critical activities and processes must be subjected to a risk analysis.
- The emergency response must include a strategy for returning to normal operations and provide alternative solutions for an emergency.
- A process map should serve as the basis for the emergency concept
Changes from supervisory practice
BaFin has made changes that have proven necessary from supervisory practice. The rules on trading, liquidity and risk-bearing capacity have been updated.
- Increased requirements for data management and the aggregation of risk data (AT 4.3.4) apply not only to systemically important institutions, but to all significant institutions.
- The requirements for trading transactions now also apply to crypto assets
- In liquidity risk management, a distinction will have to be made in the future between institutional investors from the financial sector and other professional investors
- With regard to risk-bearing capacity, the MaRisk regulations have been adapted to the revised Risk Bearing Capacity Guideline.
Outsourcing of credit and financial services according to MaRisk – no clarification for outsourcing to the cloud
No additions have been made specifically for outsourcing to the cloud, which is increasingly important in practice – e.g. with regard to audit rights for multi-client service providers.
Outlook – 7th amendment in preparation
BaFin has announced that it will begin preparations for a 7th amendment shortly after the 6th amendment comes into force. The EBA guidelines on loan origination and monitoring as well as the handling of sustainability risks are to be the focus of attention. The 7th amendment is expected to come into force in 2022.
BAIT – Update of banking supervisory requirements for IT
The update aims to implement the EBA Guidelines on ICT and Security Risk Management (EBA/GL/2019/04). Although the content of the amended BAIT does not show any fundamental changes, it has been extended, adapted and detailed in certain places. Three additional BAIT chapters, “Operational Information Security”, “IT Emergency Management” and “Managing Relationships with Payment Service Users”, contain new requirements to be implemented.
Operational information security:
Requirements for the technical implementation of information security management and designation of tools to monitor the effectiveness of information security measures
Differentiation of information risk and information security management as the 2nd Line of Defense (LoD) from the 1st LoD. Emphasis on the responsibility of the 1st LoD to implement the overarching requirements for information security operationally and to ensure this organizationally and procedurally. Particular emphasis is placed on the obligation to identify and assess threats on the basis of rules and to respond to them in a timely manner (SOC/SIEM). Binding effectiveness checks and deviation analyses (gap analyses), vulnerability scans, penetration tests and attack simulations are to be carried out on the IT systems both regularly and on an event-driven basis.
IT Emergency Management:
Specifications for time-critical processes and activities regarding the establishment of restart, emergency operation and recovery plans.
The basis for the chapter is Chapter AT 7.3 “Emergency Management” of MaRisk. For time-critical processes and activities, restart, emergency operation and recovery plans must be set up, which must also be checked annually for effectiveness. Tightening of the requirements for precautionary measures to prevent IT emergencies and the taking of measures in the event of IT emergencies. Close integration with Business Continuity Management (BCM). Requirements for systematically ensuring recoverability and ensuring the provision of services in the event of data center failures.
Management of relationships with payment service users:
Specification of the requirements for the management of relationships with customers.
Providing active support and advice to payment service users on security-related risks in payment services. Requirements for processes, measures and communication.
This part is based on the Circular “Payment Services Supervisory Requirements for the IT of Payment and E-Money Institutions” (ZAIT). Large parts of ZAIT are also relevant for BAIT.
Information security instead of IT security:
Information security must extend to the business processes of the entire organization and not just to IT operations and application resources. Institutions need to develop a comprehensive program to educate employees and raise their awareness of information security. In the future, the specialist departments responsible for determining the protection requirements of the respective processes will have to be identified and documented. The chapter “Information Risk Management” explicitly emphasizes the need to inform about current external and internal threats and vulnerabilities. Furthermore, access controls and adequate perimeter protection are required.
ZAIT – New Regulation for Payment Institutions and E-Money Institutions
Completely new are the payment services supervisory requirements for the IT of payment and electronic money institutions (ZAIT) published by BaFin, with which BaFin implements requirements from the EBA Guidelines for the Management of ICT and Security Risks (EBA/GL/2019/04) and the EBA Guidelines on Outsourcing (EBA/GL/2019/02) for payment and electronic money institutions. With the ZAIT, the IT requirements, including IT outsourcing, are specified for the first time for these institutions.
- Risk management, which must be appropriate to the individual business model and the size of the respective institution, so that security incidents can be detected promptly and regular operation is ensured.
- ZAIT contains requirements for IT operational processes, IT infrastructure and business continuity management to ensure high availability of the service. In the future, IT hardware and software must correspond to the state of the art.
- The rules on the outsourcing of IT processes or IT activities are specified. Institutions must analyse the risks before outsourcing; they always remain responsible for the outsourced IT processes and activities and must monitor them.