MaRisk is the acronym for the Minimum Requirements for Risk Management, a circular issued by the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin) that sets out the concepts institutions must apply to their risk management. The MaRisk are to be complied with by all institutions within the meaning of Section 1.


Further, institutions must take into account that the BAIT and the MaRisk do not set out the supervisory expectations for compliance with the IT requirements for financial institutions exhaustively.

Additional details are explained in the accompanying notes to the MaRisk (only available in German). Nonetheless, BaFin expects that, as a result of the requirements of AT 4.

BaFin publishes revised MaRisk 2017 including clarifications on outsourcing

The information security policy should serve as the basis for more specific information security guidelines and processes in the institution. If the procurement of cloud services constitutes a material outsourcing, BaFin makes clear that supervised entities, such as financial institutions and insurance companies, must ensure they have unrestricted information rights and audit rights with their cloud service providers.

Managing particular risks associated with outsourcing should be arranged more effectively, above all to avoid loss of control and loss of expertise. All institutions must prepare regular risk reports and be able to produce risk information on a timely basis as necessary.

Under the BAIT, user access management should be based on user access rights concepts.

BaFin – Expert articles – MaRisk: New Minimum Requirements for Banks’ Risk Management

BaFin would be granted the same level of rights, which would allow BaFin to monitor the outsourced services, including the option to perform on-site inspections.


Moreover, the MaRisk contain numerous opening clauses which ensure that smaller institutions can also comply with the requirements in a flexible way. Apart from the purely technical side, the BAIT’s impact on institutions’ general organizational set-up and governance arrangements must be analyzed and the necessary amendments made.

Complete outsourcing of control functions and the internal audit function is only permissible for subsidiary institutions within a group, and is then only permissible under certain conditions.

Key tools here are bank-internal systems of checks and balances and risk awareness within institutions. The objective is to promote risk awareness that shapes the way employees across all levels of the institution think and act on a daily basis. Several papers issued by international standard-setters introduced further requirements for banks’ risk management.

Where necessary, the risk report must also include proposals for action, for example on mitigating risk. Major IT projects and IT project risks are subject to reporting to the management body regularly and on an ad hoc basis. The MaRisk also require central outsourcing management, at least from institutions with extensive outsourcing arrangements.

Applications must be tested on the basis of a defined testing methodology. The MaRisk have a modular structure. In-scope firms must provide for a structure to manage and monitor the operation and further development of IT systems, including related IT processes, on the basis of the IT strategy (IT governance).

These rights include the rights of access to the business premises, data centers, servers, and employees of the cloud service provider.

The MaRisk, which were developed in collaboration with industry professionals, provide a principles-based framework that gives institutions the flexibility to implement solutions individually. Besides several clarifications, the new MaRisk focus essentially on risk data aggregation and risk reporting, on an appropriate risk culture, and on outsourcing.


In-scope firms will want to implement and adhere to the principles-based requirements of the BAIT, as non-compliance might bring them into the supervisor’s focus. The German financial services supervisor clarifies supervisory requirements on IT systems, processes and governance in financial institutions.

Moreover, in-scope firms may want to review and update their IT arrangements, project governance policies and procedures to ensure that justifications for certain actions and compliance measures can be evidenced and explained to supervisors. The BaFin clarifies the definition of outsourcing in order to differentiate outsourcing more clearly from other external procurement of goods and services.

Background and overview: With the publication of a revised MaRisk, the German Federal Financial Supervisory Authority (BaFin) has specified the requirements in relation to risk management for financial institutions. The amendments also incorporate experience acquired by BaFin and the Deutsche Bundesbank in their day-to-day supervisory activities and in inspections.

BaFin – Risk management

The data structure and hierarchy must ensure that data can be clearly identified, aggregated and evaluated. According to the MaRisk Interpretative Guide (Auslegungshilfe), “other external procurement of IT services” does not qualify as “outsourcing” within the meaning of the MaRisk.

Risk culture

The BaFin requires all institutions to embed an appropriate risk culture as an essential part of their risk management by defining behavioural patterns and practices in order to identify risks and to ensure that these are appropriately handled.

AT 3 of the MaRisk provides the foundation for this.