
BaFin’s Draft WpI MaRisk: new regulatory risk management framework for small and medium-sized investment firms

Authors: Julia Siebrecht and Dr. Michael Huertas

QuickTake

On 6 August 2025, the German Federal Financial Supervisory Authority (BaFin) published a draft of the Minimum Requirements for Risk Management by Investment Firms (WpI MaRisk). The draft specifies the supervisory requirements under the German Securities Institutions Act (Wertpapierinstitutsgesetz, WpIG), in particular Section 2 (16) and (17) WpIG, and is directed at small and medium-sized investment firms (Wertpapierinstitute, WpIs, or herein also "firms"). The WpI MaRisk aims to provide a flexible, principles-based framework for structuring the business organisation and risk management of small and medium-sized WpIs in Germany.

Large WpIs, as defined in the WpIG, remain subject to the statutory supervisory framework under the WpIG and the German Banking Act (Kreditwesengesetz, KWG) and the requirements based thereupon, including BaFin's well-established existing MaRisk for credit institutions. Compared to the new WpI MaRisk, those requirements are more comprehensive and less flexible, particularly regarding governance, risk management, internal controls and reporting.

The flexible design of the WpI MaRisk allows for practical implementation but also places increased demands on the firms' own responsibility and documentation. BaFin will continue to develop the WpI MaRisk in dialogue with industry practice. This Client Alert assesses the key considerations arising from the present draft WpI MaRisk and its potential impact on the WpIs concerned. As the WpI MaRisk moves from draft to its final form, readers may wish to consult further thought leadership from PwC and Client Alerts from our EU RegCORE.

Key takeaways from the draft WpI MaRisk

Double proportionality principle: close alignment with MaRisk in the General Section and deviations in the Special Section

BaFin's draft WpI MaRisk largely mirrors the approach taken by BaFin to date in the well-established MaRisk circular, with the General Section (AT) being almost identical between MaRisk and the new WpI MaRisk. More substantial deviations arise in the Special Section (BT), reflecting the "double proportionality principle": on the one hand, proportionality between the business model, size and risk profile of a WpI and the requirements for its internal risk measurement and control procedures; on the other hand, proportionality with respect to the intensity and frequency of the risk control measures. This principle of double proportionality is a central theme of the WpI MaRisk.

Both small and medium-sized WpIs are required to establish a strategy process, with smaller firms expressly permitted to adopt a simplified approach. Certain requirements – such as the performance of stress tests and rules on risk-bearing capacity – apply only to medium-sized institutions. In addition, risk-based opening clauses provide further flexibility.

BaFin emphasises that the WpI MaRisk is generally open to the ongoing development of risk management processes, provided that such developments remain consistent with regulatory objectives. If a firm makes use of a significant opening clause, proper documentation is required (AT 6).

Relief is available primarily with regard to risk management, and small WpIs in particular benefit from it. For example, a qualitative assessment is generally sufficient for determining materiality.

When conducting a risk inventory, small WpIs only have to carry out a detailed relevance assessment in accordance with BTR 4 if this is necessary, taking into account their own business model, to determine whether a risk is relevant.

The provisions on risk-bearing capacity apply directly only to medium-sized WpIs. These firms are required to assess the adequacy of their capital in relation to potential risks and to ensure that their capital base remains sufficient. This obligation entails forward-looking capital planning, including the performance of stress scenarios. By contrast, small WpIs are largely exempt from these requirements: a formal, quantitative definition of risk-bearing capacity is not mandatory, and stress testing may be dispensed with.

Taking into account the principle of proportionality, it may be possible to deviate from the strict separation of the risk management, compliance and internal audit functions. While such consolidation may be practical for smaller firms, it entails significant governance risk, in particular the risk of conflicts of interest and a reduction in the independence of key control functions.

Risk approach: from origin-based risk categories under MaRisk to an effect-oriented perspective under WpI MaRisk

The WpI MaRisk requires the establishment of an appropriate and effective risk management system that covers all material risks. In doing so, the WpI MaRisk adopts a different perspective from the MaRisk. While MaRisk classifies risks according to their origin (e.g. counterparty default, market price, liquidity and operational risks), the WpI MaRisk focuses on the potential effects on those who may be harmed, namely clients, the market and the firm itself. This is in keeping with the "K-Factors" concept introduced by the EU's Investment Firms Regulation and Investment Firms Directive, as implemented in Germany through the WpIG. Moreover, whereas MaRisk applies a fixed definition of material risks, the WpI MaRisk requires that the risks identified in the risk inventory be assessed individually, and comparatively more stringently, for their materiality.

Organisational guidelines: Flexibility and proportional requirements under WpI MaRisk when compared to MaRisk

Like MaRisk, the WpI MaRisk requires that WpIs implement clear and comprehensible organisational guidelines. The following core requirements apply to small and medium-sized WpIs:

a)   Risk management and governance

  • Overall responsibility of management: The management board bears overall (non-delegable) responsibility for proper business organisation and risk management. It must be able to assess risks and take measures to limit them within the scope of an explicitly defined and communicated risk appetite that reflects both quantitative and qualitative measures. Developing and monitoring an appropriate risk culture, with accountability at all levels, is central, as are the expectations regarding the definition of business and risk strategies and the establishment of internal control mechanisms. Risk inventories must be conducted regularly and must capture all material risks, including ESG risks. The WpI MaRisk emphasises regular, comprehensive risk reports to management and, where applicable, the supervisory board, including forward-looking assessments and stress test results. Supervisors may look to assess a WpI's ability to generate timely risk information in response to emerging risks or market events.
  • Strategies: WpIs must develop a business strategy and a consistent risk strategy, both of which must be regularly reviewed and adjusted. The risk strategy must define the risk appetite and the measures for managing all material risks.

b)   Internal control mechanisms

  • Organisational structure and processes: The WpI MaRisk requires a clear separation of incompatible functions, particularly in trading activities, where trading, risk management and control functions must be separated up to the management level unless trading is immaterial. The risk management function, the compliance function and (where proportionate) internal audit must be established, with independence and direct reporting lines to management. Internal audit, where required, must operate independently of the other control functions and report directly to the management board. Escalation procedures must be in place for control failures or audit findings, including prompt reporting to management and, where applicable, the supervisory board. Documentation of all findings, remediation actions and follow-up is mandatory, with clear assignment of responsibilities for implementation and oversight.
  • Risk management, compliance function and internal audit: Every WpI must have these functions in place, with simplifications available for small firms (e.g. the risk management function or the compliance function may be performed by a managing director). Internal audit may be omitted for very small firms or performed by a board member.

c)   Risk management processes

  • Identification, assessment, management and monitoring: Material risks must be identified early, fully captured and appropriately presented in risk inventories. In line with the K-Factors, this includes risks to clients, to the market and to the firm itself, as well as other risks, liquidity risk and the risk of a disorderly wind-down. Quantitative tools (such as limits, risk indicators and scenario analyses) and qualitative tools (such as regular risk assessments and expert judgement) must be used to manage and monitor risks and risk concentrations. All risk management methods and processes must be subject to regular validation and adjustment to ensure their ongoing adequacy.
  • Stress testing: Medium-sized firms must conduct regular and ad hoc stress tests, including scenario design that reflects the firm's risk profile and business model. The results of stress tests must be critically evaluated, with documented action plans for addressing identified vulnerabilities. For small firms, considering an adverse scenario as part of capital planning is generally sufficient.

Reporting and communication obligations

The WpI MaRisk mandates regular, comprehensive risk reporting to the management board and, where applicable, the supervisory board. Reports must include a current assessment of all material risks, the results of stress tests, risk concentrations and the adequacy of capital and liquidity. Reports must be based on complete, accurate and up-to-date data and must include both quantitative and qualitative analysis. Ad hoc risk reporting is required in response to emerging risks or significant market events.

In addition, all significant changes to strategies, risk appetite, or organisational structure must be communicated internally to relevant staff and, where appropriate, to the supervisory board. The frequency, content, and recipients of all reports must be clearly defined in internal policies.

Outsourcing: alignment with MaRisk and specific clarification under WpI MaRisk

The WpI MaRisk's requirements on outsourcing (including intra-group outsourcing) largely correspond to those in MaRisk. This is particularly the case for the following key principles:

  • Outsourcing of key functions is permitted but must not result in an “empty shell.”
  • The management board’s responsibility is non-transferable.
  • For material outsourcing, extensive contractual and organisational safeguards are required.
  • Documentation and outsourcing management requirements are less stringent if the risks are assessed as low.

The WpI MaRisk explicitly distinguishes regulatorily relevant outsourcing from other forms of third-party procurement. At the same time, it confirms that the activities of contractually bound intermediaries/tied agents ("gebundene Vermittler") are to be treated as outsourcing and are subject to special monitoring and documentation requirements.

Liquidation scenarios: New requirements for defining and planning orderly wind-downs under WpI MaRisk

The WpI MaRisk sets out new, detailed requirements for scenario-based planning of orderly wind-downs/solvent exit plans, covering operational, legal and financial aspects. Firms must critically assess wind-down scenarios, identify the associated risks and develop actionable plans to mitigate disorderly outcomes. Accordingly, WpIs are required to define scenarios that could lead to liquidation and result in uncontrolled negative effects on clients, counterparties and markets. Both external factors that may trigger liquidation and internal business decisions to exit the market must be considered. Based on the defined scenarios, WpIs must prepare a plan for an orderly liquidation.

Key considerations for WpIs

The WpI MaRisk's focus on a proportionate application of well-established EU-level and BaFin rules and supervisory expectations is certainly welcome. However, because so much of the applicable level of compliance and the overall structure turns on the firm's classification, a number of WpIs may need to self-evaluate their size and complexity, and the resulting regulatory classification, more closely in order to apply the right MaRisk requirements in a suitably proportionate manner.

WpIs will also want to ensure they have appropriate forward planning in place so as to rapidly (i) review and adjust internal governance, risk and control structures and (ii) adapt (internal and client-facing) documentation, reporting and stress testing to the proportionate requirements and expectations. This forward planning goes both ways, i.e. it covers firms transitioning from small to medium to large and vice versa. If a WpI is part of a group, group-wide risk management and reporting requirements may also apply, increasing the complexity of compliance.

More fundamentally, WpIs, in particular when becoming subject to the WpI MaRisk, may want to consider how they evidence the appropriateness of the changes from MaRisk to WpI MaRisk, and equally how they track, triage and tackle (including implement) overall legal and regulatory compliance in internal and market-/client-facing documentation. This may include stepping up:

  • Regular identification and assessment of legal risks as part of the overall risk inventory and new product processes, including those arising from new regulations, contractual obligations and litigation.
  • Ongoing monitoring of changes in the legal and regulatory environment, with prompt adaptation of internal policies and procedures.
  • Drafting, reviewing, and updating internal policies, handbooks and procedures to reflect current legal and regulatory standards.
  • Ensuring that documentation is clear, accessible and communicated to all relevant staff. In particular, market-/client-facing contracts and client disclosures must include clauses that enable the identification, assessment and management of risks, including operational, legal and compliance risks. Agreements with clients and counterparties should address the handling of conflicts of interest, the segregation of client assets and the firm's obligations in the event of business disruptions or resolution scenarios. Outsourcing agreements, in particular, must contain detailed provisions on service levels, audit and information rights, data protection, termination and contingency planning, as required by AT 9 of the WpI MaRisk.
  • Maintaining records of all key decisions, risk assessments and compliance activities for the required retention periods (typically five years), in a form that is accessible for internal and external audits.

Outlook

The WpI MaRisk provides a risk-based, flexible framework that allows small and medium-sized WpIs to implement requirements more suitably tailored to their risk profile. Large firms remain subject to the stricter requirements of the KWG and MaRisk.

With the draft WpI MaRisk, BaFin closes a significant gap in the supervisory framework for investment firms. While smaller institutions are expected to face only limited adjustments due to the principle of proportionality, medium-sized firms will encounter additional obligations, particularly regarding stress testing, risk-bearing capacity and wind-down planning. It remains to be seen to what extent the revised risk perspective will shape supervisory expectations and practice.

Regulated entities should regularly review their business model, complexity and risk profile and adjust their MaRisk implementation accordingly. Documentation, clear assignment of responsibilities and ongoing review of the adequacy of processes are critical success factors for compliance and for avoiding regulatory risk.

About us

PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from these and related developments. We have assembled a multi-disciplinary and multi-jurisdictional team of sector experts to support clients in navigating challenges and seizing opportunities, as well as in proactively engaging with their market stakeholders and regulators.

Moreover, we have developed a number of RegTech and SupTech tools for supervised firms, including PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 2,500 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.

Equally, leveraging our Rule Scanner technology, we offer a further solution that allows clients to digitise their relevant internal policies and procedures and to create a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary. The inventory has version control over a defined backward- and forward-looking timeline, so that changes in one policy are carried through to other policy and procedure documents, critical path dependencies are mapped, and legislative and regulatory developments are flagged where they may require action to be taken in those policies and procedures.

The PwC Legal Team behind Rule Scanner are proud recipients of ALM Law.com’s coveted “2024 Disruptive Technology of the Year Award” and the “2025 Regulatory, Governance and Compliance Technology Award in 2025”.

If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via de_regcore@pwc.com or our website.