MaRisk is an acronym referring to the Minimum Requirements for Risk Management, a circular by the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin) providing risk management concepts. BaFin publishes amended Minimum Requirements for Risk Management; the MaRisk are to be complied with by all institutions within the meaning of Section 1.


The new model does not change the frequency of reporting.

A code of conduct, as is now required by AT 5, is an important tool here. The MaRisk provide a comprehensive framework for the management of all significant risks based on section 25a of the German Banking Act (Kreditwesengesetz, KWG), which governs the organisational requirements for institutions with regard to their internal risk management. In order that risks can be identified and managed promptly, it is crucial that the relevant information quickly reaches the responsible decision-makers.

BaFin publishes revised MaRisk 2017 including clarifications on outsourcing

In-scope firms will want to implement and adhere to the principles-based requirements of the BAIT, as non-compliance might bring them into the supervisor's focus. The MaRisk have undergone several revisions due to recent developments and international regulatory initiatives.

BaFin has brought together the requirements for risk reporting in the new module BT 3. Appropriate arrangements must ensure that after the application goes live the confidentiality, integrity, availability and authenticity of the data to be processed are comprehensively assured.

Outsourcing and other external procurement of IT services

Under the BAIT, risk assessments must be conducted prior to each instance of "other external procurement of IT services".

Civil law arrangements may not change the existence of outsourcing. Major IT projects and IT project risks are subject to reporting to the management body regularly and on an ad hoc basis. Special requirements regarding the organisation of the internal control system for particular types of business and types of risk, and regarding the organisation of the internal audit function, are laid down in the modules of the Special Section (BT modules).


This is intended to ensure that a central unit has an overview of outsourced activities and processes and is able to support the management board in controlling and monitoring the associated risks. All institutions must prepare regular risk reports and be able to produce risk information on a timely basis as necessary.

Entry into force

The new version of the MaRisk entered into force upon publication.

MaRisk – Wikipedia

Central outsourcing management must submit to the management board a report regarding material outsourced activities and processes at least once a year.

To ensure the continuity and the quality of the outsourced activities, exit processes must be determined. In light of the BAIT, institutions should prudently review and, where necessary, amend their IT arrangements and processes.

The information security policy should serve as the basis for more specific information security guidelines and processes in the institution. For smaller firms, however, it might be difficult to identify which provisions allow for a flexible or simplified implementation. The objective is to promote risk awareness that shapes the way employees across all levels of the institution think and act on a daily basis.

IT governance

In-scope firms must provide for a structure to manage and monitor the operation and further development of IT systems, including related IT processes, on the basis of the IT strategy (IT governance).

The audit right should also not be dependent on the concept of commercial reasonableness. BaFin outlines the regulatory framework for cloud computing in this article. With the requirement of at least quarterly reporting to the management board, the BAIT underlines the significance of this function within institutions' internal control framework.

Complete outsourcing of control functions and the internal audit function is only permissible for subsidiary institutions within a group, and is then only permissible under certain conditions.

BaFin also indicates that it plans to release more detailed guidance on the issue of cloud computing over the course of this year. Such unrestricted rights must also be granted to BaFin via the outsourcing contract between the supervised entity and its cloud service provider, so that BaFin retains the ability to monitor the outsourced cloud computing activities and processes. In exceptional cases, BaFin would agree to determine an individual timetable for the institution concerned to ensure adequate implementation of the new rules.


According to the MaRisk Interpretative Guide (Auslegungshilfe), "other external procurement of IT services" does not qualify as "outsourcing" within the meaning of the MaRisk. In future, therefore, the risk control function, the compliance function and the internal audit function must remain within institutions as far as possible. Harald Glander, Yaprak Akyol. A sound risk culture also requires a critical internal dialogue concerning key risk issues that is also supported by management.

Banks and financial service providers are exposed to a whole range of risks which they must control in order to be able to operate successfully in the market and secure their survival on a sustainable basis. Weaknesses in corporate governance can have substantial consequences, not only for the financial sector, but also for the economic system as a whole.

Please note: this article reflects the situation at the time of publication and will not be updated subsequently. As a result, some requirements are explicitly addressed to global systemically important institutions (G-SII) and other systemically important institutions (O-SII). Finally, additional clarification is also provided concerning subcontracting, the distinction between outsourcing and other external procurement of goods and services (particularly with regard to software used), and dealing with unintended terminations of outsourcing arrangements.

For this reason, the new MaRisk provide a stronger foundation for sustainable corporate governance.

To this end, principles for data management, data quality and the aggregation of risk data, to be applied on an institution-wide and group-wide level, must be specified, approved and implemented by the management board. Applications must be tested on the basis of a defined testing methodology. However, ethically and economically desirable behaviour should not only be reflected in employees' pay.

The benchmark for systemically important institutions is hereby much higher than for smaller, less complex institutions.