MaRisk is an acronym for the Minimum Requirements for Risk Management, a circular issued by the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin). The MaRisk are to be complied with by all institutions within the meaning of Section 1.

Amongst others, these requirements include the strategic development of the institution’s organizational and operational structure of IT and of the outsourcing of IT services, the responsibilities and integration of information security into the organization and the strategic development of the IT architecture. BaFin plans to publish special guidance that will provide market participants with greater details regarding the supervisory requirements related to the use of cloud services.

Risk reporting must be comprehensible and meaningful and must provide both a presentation and an assessment of the risk situation.

BaFin – News – MaRisk: BaFin publishes English translation

The management board must define an IT strategy that is consistent with the institution’s business strategy and contains at least the minimum requirements specified in the BAIT.

In addition, the revised MaRisk require large institutions, and also institutions with extensive outsourced activities, to establish an outsourcing management function within the institution to ensure the overall monitoring and control of the outsourced activities. The MaRisk also specify that, where activities and processes in the control and core bank areas are outsourced, the institution must still possess the knowledge and experience required to ensure effective monitoring of the services performed by the external service provider.

All institutions must prepare regular risk reports and be able to produce risk information on a timely basis as necessary. In this regard, particular focus must be on the establishment of the information security officer function. In future, the risk control function, the compliance function and the internal audit function must remain within institutions as far as possible.

Institutions must establish an organisational framework for IT projects and manage IT projects, including the IT project portfolio in its entirety, appropriately. In general, institutions will not be permitted to completely outsource their control functions, such as the risk control function, the compliance function and the internal audit function.

Important incentives may also include awards and other career-enhancing reward systems. Under the BAIT, user access management should be based on user access rights concepts.

Risk culture

BaFin requires all institutions to embed an appropriate risk culture as an essential part of their risk management by defining behavioural patterns and practices in order to identify risks and to ensure that these are appropriately handled. Further, the BAIT specifies, inter alia, the processing of change requests for IT systems and the setting up of a data backup strategy.

Key tools here are bank-internal systems of checks and balances and risk awareness within institutions. The new module AT 4.

Outsourcing and other external procurement of IT services

Under the BAIT, risk assessments must be conducted prior to each instance of “other external procurement of IT services”.

In future, the management board will be required to develop a suitable risk culture and to integrate and promote this within their institutions.

This report must provide an assessment of whether the services performed by the external service provider correspond to the contractual agreements, whether the outsourced activities can be appropriately controlled and monitored and whether any further risk mitigation measures should be taken.

BaFin publishes revised MaRisk 2017 including clarifications on outsourcing

BaFin has brought together the requirements for risk reporting in the new module BT 3. This is directed at all institutions.

Outsourcing is defined as the commissioning of another enterprise to provide activities and processes relating to the execution of banking business, financial services or any of an institution’s other usual services that would otherwise be provided by the institution itself. The supervisory authorities have identified shortcomings in this area, particularly in larger, complex institutions.

Outsourcing individual activities and processes of the control functions and the internal audit function, however, remains a possibility for all institutions.

BaFin – Expert articles – MaRisk: New Minimum Requirements for Banks’ Risk Management

BAIT as “core component” for IT supervision in the financial services sector

The rapidly expanding provision of IT-based financial services, as well as banks’ and financial institutions’ increasing reliance on IT processes, puts new challenges on supervisors.

BaFin would be granted the same level of access, which would allow BaFin to monitor the outsourced services, including the option to perform on-site inspections. According to the MaRisk Interpretative Guide (Auslegungshilfe), “other external procurement of IT services” does not qualify as “outsourcing” within the meaning of the MaRisk.

Further, the BAIT emphasises once more the necessity that the management board displays the required IT competency and assumes the ultimate responsibility for the financial institution’s compliance with the supervisory requirements on IT.

BaFin outlines the regulatory framework for cloud computing in this article. As a result, firms that are within the scope of the BAIT will need to carefully identify and compile the IT requirements applicable to them as a result of the BAIT and multiple other requirements stipulated in EU and local regulation as well as supervisory guidance.