Financial Services

BaFin publishes 7th amendment to MaRisk

Written by

Dr. Michael Huertas

RegCORE Client Alert | German Regulatory Developments


On 29 June 2023, the German Federal Financial Supervisory Authority (BaFin) published the 7th amendment to its supervisory circular (i.e., a rulemaking instrument) on the minimum requirements for the risk management of credit institutions, i.e., banks (MaRisk). This 7th amendment follows a four-week consultation period with the relevant industry. MaRisk is one of the key pillars in Germany’s financial services regulatory framework and the BaFin’s rulebook.

Footnote: BaFin has extensive supervisory powers which are set out in its founding legislation. BaFin issues Interpretative Decisions (Auslegungsentscheidungen), Guidance Notices (Merkblätter) or Circulars (Rundschreiben) on several topics. Circulars, even though in the strictest sense not technically legally binding, are usually deemed to be a clear indication of the BaFin’s supervisory expectations, i.e., they have a rulemaking effect. Moreover, these publications will usually constitute a binding principle with the effect that BaFin has to treat similar cases alike.

This latest amendment to MaRisk bundles together a set of current “priority areas”, including ESG, increases in “remote working” arrangements, the booming real estate market trend and business viability, all of which are becoming increasingly relevant to credit institutions and to the risk management practices they need in order to remain compliant with their obligations under EU and German law. Moreover, MaRisk now also reflects the latest EBA Guidelines on loan origination and monitoring, published on 29 May 2023. The EBA Guidelines specify pan-EU supervisory expectations that banks are to apply in their internal governance arrangements for granting and monitoring credit facilities throughout their lifecycle. The EBA Guidelines are addressed to competent authorities in the EU and thus are expected to be implemented into respective rulemaking frameworks. Consequently, the EBA Guidelines’ supervisory objectives are incorporated in MaRisk’s “Loan Processing” Module BTO 1.2 and in the “Risk Management” Module AT 4.3.5. Accordingly, MaRisk supplements the contents of the EBA Guidelines but, crucially, it communicates BaFin’s own supervisory expectations. These include new risk management requirements for banks with their own properties (Module BTO 3), rules on remote working (Module BTO 2.2.1) and on sustainability risks (Modules AT 2.2 and AT 4.1).

This Client Alert from PwC Legal’s EU RegCORE provides an overview, solely from a financial services legal perspective, of what BaFin’s latest MaRisk amendments entail for market participants and which steps should be taken accordingly. How will firms comply going forward with more differentiated and concrete rules for the lending process, which vary depending on the category of borrower and the type of financing involved? Against the backdrop of persisting monetary tightening and macroeconomic pressures, the effects of which are beginning to unfold on the real economy, the 7th amendment to MaRisk now aims to ensure that credit institutions have robust risk management frameworks in place, as the increasingly surfacing risks mentioned above are set to affect the institutions’ prudential practices. Consequently, market participants should consider how best to align their business and control practices to BaFin’s newest changes to MaRisk. While the changes to MaRisk apply immediately after publication, BaFin expects credit institutions to be fully compliant by 1 January 2024. Affected firms will need to carefully consider whether and where to make targeted amendments to their own internal policies and procedures as well as systems and controls, but equally to client and public facing documentation as well as related processes.

Readers of this Client Alert from PwC Legal are encouraged to read further extensive coverage (albeit, as at the time of writing hereof, available only in German) from our wonderful colleagues at PwC Germany and their analysis from a non-lawyers’ perspective. Readers may wish to reach out to their usual PwC contacts for technical assistance on this recent reform to one of BaFin’s core rulemaking instruments and any matters beyond the law, or to PwC Legal in relation to financial services and supervisory law matters.

Key takeaways

With the MaRisk, BaFin aims to provide forward guidance on how it will apply certain undefined legal terms stemming from the applicable regulatory framework. Accordingly, it provides supervised credit institutions with reliable guidelines for an appropriate design of their internal risk management and how to comply with legal requirements and supervisory expectations of the BaFin as administered in accordance with general EU and German principles of administrative law. While this approach allows for individual flexibility, both for BaFin and supervised firms in question, it is fundamental that the latter implement the respectively applicable requirements.

In principle, this latest amendment to MaRisk implements the comprehensive requirements contained in the EBA Guidelines on loan originating and monitoring into German supervisory law and BaFin’s practice. As mentioned above, other significant changes also relate to requirements for dealing with sustainability risks, precautions for dealing with real estate risks and the management of model risks.

While BaFin expects immediate compliance with the clarifications inserted by the 7th amendment to MaRisk, credit institutions are given until 1 January 2024 to adopt other changes. These include those aspects addressing risk quantification or the internal capital adequacy assessment process (ICAAP) as well as stress testing. The newly introduced modules on risk management models and own real estate business, as detailed below, will similarly have to be complied with by 1 January 2024 at latest.

The key takeaways and amendments now introduced by the 7th and latest MaRisk can be summarised as follows (see BaFin Journal):

Integration of EBA Guidelines on Loan Origination and Monitoring (EBA/GL/2020/06)
The EBA Guidelines, published in May 2020, specify the internal governance arrangements for granting and monitoring credit facilities (not just loans) throughout their lifecycle. In ensuring that relevant in-scope supervised firms have robust and prudent standards for credit risk taking, management and monitoring as well as that newly originated loans are of high credit quality, the EBA Guidelines aim to improve relevant in-scope supervised firms’ governance arrangements, processes and mechanisms to this end (see EBA).

BaFin has now integrated all new EBA requirements, in their official German version, into the 7th MaRisk and thus into German supervisory law. For the first time, BaFin has used a direct reference approach to incorporate the EBA Guidelines into German supervisory law and practice in a manner that fully reflects the EBA requirements (see BaFin).

Requirements for risk management models: closing a regulatory gap
By including a new module (AT 4.3.5) in the General Part of MaRisk, BaFin has integrated extensive new requirements as regards risk management models as also set out in the EBA Guidelines. Accordingly, this module regulates the quality of data, validation and ‘explainability’ of models used by relevant firms for their risk management (see BaFin).

Where risk management models, such as “scoring procedures” (Scoringverfahren) for the underwriting of certain types of loans are employed, their results must be explainable. This is the first time that BaFin has defined uniform requirements for the management of models and the risks arising from them. Notably, these requirements are technology-neutral in as much as they apply regardless of the digital tools used in the risk management practice.

Consideration of ESG risks
In addition to the recommendations on dealing with sustainability risks, the 7th MaRisk now clarifies that banks should measure their ESG risks using scientifically based scenarios. BaFin has detailed that it is not advisable for banks to make assumptions on climate change and/or on the transition towards a sustainable economy, and instead points to scenarios developed by generally recognised institutions or networks, to be implemented into their business models (see BaFin).

The 7th MaRisk hence introduces challenges for the future design of IT data budgets as well as data availability for risk analysis exercises. This is because, depending on the concentration of exposure to ESG risks, smaller firms might for instance adopt a simpler assessment, in line with the principle of proportionality (see BaFin). All of this may be subject to further change as the EU’s legislative reforms on ESG standards continue to take further shape.

Requirements for the real estate business
A number of credit institutions have purchased real estate assets in recent years profiting from the accommodative monetary policy and resulting booming real estate market. With a new risk category and the inclusion of the new BTO 3, BaFin now formulates its own clear requirements applicable to credit institutions in respect of their (own) real estate business as well as for foreclosures of assets.

However, these requirements only apply if a relevant institution's real estate portfolio accounts for more than two percent of its total assets or exceeds the threshold of 30 million euros. Real estate funds are not affected by these new requirements (see BaFin).

In summary, these new requirements are expected to have some impact on business processes and legal documentation. There will probably be more controls and supervisory measures across various firms. This means that supervised firms will have to plan more carefully and prepare internal and revised client-facing documentation to ensure that they comply with the new requirements. The costs of complying with the new rules may also increase. In addition, there could be delays in the implementation of real estate projects, as some firms could need more time and resources to adapt to the new regulations.

Remote working: COVID-19 pandemic-related regulations continue to apply to trading activities
The 7th amendment to the MaRisk now formalises in a permanent manner certain COVID-19 measures that were introduced to facilitate trading activities conducted under remote working, i.e., working-from-home, arrangements.

These rules and supervisory expectations will now continue to apply for the time being, save where international regulations adopt deviating standards, in which case BaFin will adjust its requirements again. It remains to be seen whether the EU will publish pan-EU standards applicable to remote and/or hybrid working (including from outside the staff’s primary jurisdiction) given how office-centric systems and controls have been altered by new forms of working. See also coverage “Redefining the three lines of defence model during a time of prolonged pandemic preparedness and independent working”.

Outlook and next steps

The newest amendment to one of BaFin’s core rulemaking instruments is a welcome means to clarify what BaFin expects of relevant in-scope supervised firms in how they should comply with the applicable legislative and regulatory framework for credit institutions operating in or from Germany.

Given that the 7th MaRisk’s remaining transition period expires on 1 January 2024, affected firms will want to take action to ensure a timely and resource-efficient implementation of the new requirements across the firm and in respect of its client-facing and other legal documentation.

Credit institutions are advised, throughout this process, to map out the new requirements against their own strategic objectives. In as much as this will depend on the idiosyncrasies of each business model, coupled with the still ongoing tightening of monetary policy, assessing how this changing environment will affect different markets and product segments represents a challenge that will have a significant impact on the lending business and firm-wide risk management systems and processes, as well as on the risk culture, the strategic process and internal governance.

Lastly, as with any legislative and regulatory driven change process, moving to ensure compliance will require comprehensive and cohesive cooperation of various stakeholders across all levels of a firm’s three-lines of defence model (i.e., from business units through to control functions, especially Legal, Compliance, Risk and ultimately Internal Audit) as well as the relevant third-parties used by such firms to ensure compliance with the firm’s legal and regulatory requirements along with the supervisory expectations in a future-proofed manner and across legal documentation.

About us

PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from relevant related developments. We have assembled a multi-disciplinary and multijurisdictional team of sector experts to support clients in navigating challenges and seizing opportunities as well as in proactively engaging with their market stakeholders and regulators.

Moreover, we have developed a number of RegTech and SupTech tools for supervised firms, including PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 750 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.

Moreover, in leveraging our Rule Scanner technology, we offer a further solution for clients to digitise financial services firms’ relevant internal policies and procedures, create a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary that has version control over a defined backward plus forward looking timeline to be able to ensure changes in one policy are carried through over to other policy and procedure documents, critical path dependencies are mapped and legislative and regulatory developments are flagged where these may require actions to be taken in such policies and procedures.

If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via our website, or see further analysis (in German) from our Risk & Regulation colleagues from PwC Germany.