Aristotelis Zervos
Aristotelis Zervos, Editorial Director at 2B Advice, combines legal and journalistic expertise in data protection, IT compliance and AI regulation.
On August 6, the German Federal Financial Supervisory Authority (BaFin) published for consultation a new circular containing the Minimum Requirements for Risk Management of Securities Institutions (WpI MaRisk for short). The new set of rules is explicitly aimed at small and medium-sized investment firms within the meaning of Section 2 (16) and (17) WpIG and replaces the previous regulatory requirements inherited from the KWG environment. The most important points at a glance.
WpI MaRisk: Background and structure
The aim is a flexible, principle-based and proportionate framework for structuring the business organization and risk management of these institutions.
The circular consists of two main parts:
- General part (AT): Contains fundamental requirements for management, risk strategies, risk-bearing capacity, internal control mechanisms, staffing and resources, documentation, etc.
- Special part (BT): Establishes additional requirements for trading transactions, risk management, outsourcing, liquidity risks and risk reporting.
These are the main new features:
1. Proportionality principle with double graduation
A central element is the principle of double proportionality. The requirements of the WpI MaRisk do not apply to all institutions across the board. Instead, they are graded both according to the size of the institution (small or medium-sized within the meaning of Section 2 (16) and (17) WpIG) and according to the nature, complexity and scope of its business activities and risk structure.
This double graduation means:
- First graduation, institution-specific: Depending on whether an institution is classified as a small or a medium-sized securities institution, requirements of differing reach apply, e.g. for capital planning, internal audit or outsourcing controls.
- Second graduation, risk-oriented: Within each size category, the presence of particular risk potential is also taken into account. Institutions with a simple business structure and low risk exposure can simplify their processes considerably, while more complex institutions must maintain detailed procedures and stronger controls.
The aim is to avoid over-regulation and at the same time ensure a high level of protection for customers and market participants.
2. Obligation to carry out a risk inventory and to consider ESG risks
All institutions are obliged to carry out a comprehensive risk inventory at regular intervals. The aim of this inventory is to systematically identify and assess all potential risks and to classify them as "material" or "not material". The assessment is carried out on an institution-specific basis, taking into account the respective business model and areas of activity.
A particular focus is on the inclusion of ESG risks, i.e. risks relating to the environment, social issues and good corporate governance. These must be explicitly integrated into the risk analysis, even if they only have an indirect impact on the institution.
The classification of risks is based on Delegated Regulation (EU) 2023/1668, which sets out binding standards for the materiality assessment and delineation. Medium-sized institutions in particular face a stronger formalization obligation: the risk assessment methodology used, the assumptions made and the results must be documented, regularly reviewed and adjusted where necessary.
Small institutions can use simplified procedures, but must ensure that the identification and management of material risks is always comprehensible and auditable.
3. Risk-bearing capacity and capital planning
Medium-sized securities institutions are obliged to establish a procedure for determining their risk-bearing capacity. This procedure must ensure that all material risks, in particular operational, market, credit and ESG-related risks, are quantified in terms of their potential extent and compared with the available internal capital. The basis for this is the institution's overall risk profile.
Building on this, medium-sized institutions must carry out forward-looking capital planning. The planning must cover scenarios from both the normative and the economic perspective, including adverse stress scenarios that simulate unusual but plausible crisis situations. The aim is to ensure a sufficient capital base even under adverse conditions.
Small institutions are generally exempt from the quantitative capital planning requirement. However, they must develop a qualitative understanding of possible capital requirements and incorporate this into their strategic considerations. Here too, the principle of transparency and risk orientation must be upheld.
4. Internal control mechanisms and special functions
The WpI MaRisk stipulates the establishment and permanent effectiveness of three central control functions:
- Risk management function
- Compliance function
- Internal audit (with specific exemptions for micro-institutions)
These functions must always be independent, i.e. they must not be in conflict with other operational activities. The organizational separation of the functions is mandatory unless the institution can provide appropriate justification for combining them while maintaining their independence.
For small institutions, BaFin permits a personal union under certain conditions, e.g. if individual functions are assumed by members of the executive board. The prerequisite is always that the functionality of the control and the objective performance of the tasks remain guaranteed.
The Internal audit may be waived entirely for micro-institutions if an appropriate alternative monitoring concept is implemented (e.g. regular external audits).
The responsibility for setting up, managing and monitoring these functions ultimately always lies with the management, which must regularly evaluate their effectiveness.
5. Requirements for outsourcing
Outsourcing is one of the processes in the risk management of securities institutions that requires special monitoring. Every form of outsourcing, whether complete or partial, to affiliated companies or to external third parties, is to be regarded as potentially risky and requires an independent assessment.
The WpI MaRisk provides for the following measures in particular:
- Risk assessment before each outsourcing: Before outsourcing, institutions must analyze the risks it creates for business continuity, control capability, data protection and IT security.
- Minimum contractual requirements: Clear contractual provisions are required, including on rights to issue instructions, audit and control rights, data protection requirements, subcontracting and exit strategies.
- Outsourcing register: All existing outsourcing relationships must be documented in a continuously updated register, including details of the service provider, the content of the service, the risk analysis, audit rights and responsibilities.
- Central outsourcing officer: A central office or responsible person must be designated for the coordination, control and communication of all outsourcing matters.
- Special features of outsourcing abroad and to the cloud: For outsourcing to third countries or when using cloud services, increased requirements apply with regard to access, data transparency, retrievability and regulatory audit access.
- Smaller institutions: They can apply simplified procedures for non-material outsourcing, but must demonstrate in case of doubt that control and management are guaranteed even with limited resources.
WpI MaRisk: Practical implications for institutions
Small investment firms
- Simplified requirements for strategy processes, stress tests and internal auditing
- Qualitative materiality test sufficient
- Possibility of personal union with Compliance and risk management
Medium-sized securities institutions
- Detailed obligations for capital planning and stress tests
- Obligation to report material risks in writing
- Obligation to consider the risk of disorderly liquidation
Conclusion and recommended action on WpI MaRisk
The new BaFin circular represents an important step towards an independent and proportional supervisory framework for securities institutions. Institutions should:
- Check which size category they fall into according to Section 2 WpIG.
- Evaluate their risk management systems and governance structures.
- Assign responsibilities and complete documentation, in particular on ESG risks, stress tests and outsourcing.
- Review their technical and organizational resources against the new requirements.
Small institutions in particular have the opportunity to remain compliant with regulatory requirements using lean structures, provided that their processes are documented comprehensibly and are risk-oriented.
BaFin will accept comments on its circular until September 19, 2025 by e-mail to Konsultation-15-25@bafin.de with the subject "Consultation 15/2025".
Aristotelis Zervos is Editorial Director at 2B Advice, a lawyer and journalist with profound expertise in data protection, GDPR, IT compliance and AI governance. He regularly publishes in-depth articles on AI regulation, GDPR compliance and risk management.