MaRisk is an acronym for the Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement), a circular issued by the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin) that sets out the supervisory concepts for risk management. BaFin publishes amended versions of the MaRisk from time to time; the MaRisk are to be complied with by all institutions within the meaning of Section 1.


This requires clear communication from the management board, and from other management levels, as to what behaviour is and is not desired. The BaFin clarifies the definition of outsourcing in order to differentiate outsourcing more clearly from other external procurement of goods and services.

BAIT as “core component” for IT supervision in the financial services sector

The rapidly expanding provision of IT-based financial services, as well as banks’ and financial institutions’ increasing internal reliance on IT processes, puts new challenges on supervisors.

BaFin – Expert articles – MaRisk: New Minimum Requirements for Banks’ Risk Management

In contrast, the use of software in order to identify, assess, manage, monitor and communicate risks or to perform activities which are crucial for banking business would be deemed to be outsourcing.

Besides this, EU and national regulators provide guidance on the application of IT requirements in different fields. Central outsourcing management must submit to the management board a report regarding material outsourced activities and processes at least once a year. BaFin outlines the regulatory framework for cloud computing in this article.

Now the world’s largest law firm, Dentons’ global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than locations serving plus countries.

In view of the rapid developments on the financial markets, modern regulation cannot rely on compliance with quantitative indicators alone, but must focus in particular on institutions’ risk management. In this regard, particular focus should be on the establishment of the information security officer function.

BaFin’s Supervisory Requirements For IT In Financial Institutions – Finance and Banking – Germany

The old version of December was revised on account of extensive developments in the field of international banking supervision and regulation, and in response to changing market conditions. This is to be achieved by including a code of conduct, the contents of which will depend on the nature, extent and risk content of the business concerned, together with a requirement that senior management adopt these values and integrate them into their everyday actions.


Supervised entities are afforded flexibility in defining the nature and scope of a risk assessment, and the results of the risk assessment must be taken into account when developing contractual arrangements between supervised entities and their cloud service providers.

In this regard, BaFin has already announced in the January edition of its monthly journal that it will “actively put forward in the discussion” the BAIT as regards the planned EU-wide harmonisation of requirements on the management of IT risks.

Further, institutions must base their application development on defined and appropriate processes. In general, institutions will not be allowed to outsource completely their control functions such as the risk control function, the compliance function and the internal audit. During the consultation in spring, banks and banking associations were given the opportunity to comment on the draft (see BaFinJournal April, only available in German).

However, ethically and economically desirable behaviour should not only be reflected in employees’ pay.

Outlook and next steps for in-scope firms

The BAIT provides practical guidance on BaFin’s expectations for compliance with IT requirements in financial institutions.

IT projects and application development

Institutions must establish an organisational framework for IT projects and manage IT projects, including the IT project portfolio in its entirety, appropriately.

Finally, additional clarification is also provided concerning subcontracting, the distinction between outsourcing and other external procurement of goods and services (particularly with regard to software used), and dealing with unintended terminations of outsourcing arrangements. Reliable risk data is above all important in times of stress. Additional details are explained in the accompanying notes to the MaRisk (only available in German).

Complete outsourcing of control functions and the internal audit function is only permissible for subsidiary institutions within a group, and is then only permissible under certain conditions. All institutions must prepare regular risk reports and be able to produce risk information on a timely basis as necessary.

In this regard the BAIT has a significant impact on the market. Consequently, BaFin has intensified the focus of its supervisory activities on corporate culture and risk culture. It is the management board’s responsibility to agree an information security policy and to communicate it within the institution.

Besides several clarifications, the new MaRisk focuses essentially on risk data aggregation and risk reporting, on an appropriate risk culture, and on outsourcing. Reports must be based on complete, precise and up-to-date data and must also give a future-oriented risk estimate. The established principles-based character of the MaRisk has been preserved, allowing the banks enough leeway with regard to their practical implementation of the requirements.


As institutions are increasingly obtaining IT services from third parties, including as part of outsourcing arrangements, the BAIT also sets out the requirements for the external procurement of IT services. With the requirement of at least quarterly reporting to the management board, the BAIT underlines the significance of this function within institutions’ internal control framework. Key factors for motivating staff to adhere to an institution’s value system and to avoid taking inappropriate risks include a suitable incentive structure and a remuneration system geared towards sustainability.

Taking the principle of proportionality into account, smaller institutions will be able to dispense with the requirement for a code of conduct. With the publication of a revised MaRisk, the German Federal Financial Supervisory Authority (BaFin) has specified the requirements in relation to risk management for financial institutions. The new model does not change the frequency of reporting.

The new MaRisk also contains a new section on risk reporting. The BAIT further specifies the requirements on the risk analysis and on the reporting to the management board on information risks. Further, the BAIT specifies, inter alia, the processing of change requests for IT systems and the setting up of a data backup concept.

BaFin publishes revised MaRisk 2017 including clarifications on outsourcing

Where necessary, the risk report must also include proposals for action, for example on mitigating risk. The amended MaRisk will apply in a proportional manner.

The processing of access rights (setting up, changing, etc.)

In addition, risk reports must contain an assessment of future risks. In-scope firms must provide for a structure to manage and monitor the operation and further development of IT systems, including related IT processes, on the basis of the IT strategy (IT governance).