BaFin publishes revised MaRisk 2017 including clarifications on outsourcing
The German Federal Financial Supervisory Authority (BaFin) has published Circular 09/2017 regarding the minimum requirements on risk management for financial institutions (Rundschreiben 09/2017 (BA) - Mindestanforderungen an das Risikomanagement or "MaRisk").
Background and overview
With the publication of a revised MaRisk, the German Federal Financial Supervisory Authority (BaFin) has specified the requirements in relation to risk management for financial institutions.
This updates the previous MaRisk of December 2012 and follows the BaFin’s February 2016 consultation paper on updating MaRisk, with the final revision being published on 27 October 2017.
The amendment to MaRisk has been driven mainly by the Basel Committee’s proposals on the principles for effective risk data aggregation and risk reporting (BCBS 239), which are intended to strengthen banks’ risk data aggregation capabilities and internal risk reporting practices. Besides several clarifications, the new MaRisk focuses essentially on risk data aggregation and risk reporting, on an appropriate risk culture and on outsourcing. The amended MaRisk will apply in a proportional manner. As a result, some requirements are explicitly addressed to global systemically important institutions (G-SII) and other systemically important institutions (O-SII). In principle, MaRisk applies from the day of its publication. However, in respect of the newly introduced requirements, the BaFin has granted a transitional period under which institutions must implement them by 31 October 2018.
Essential content
Data management, data quality and risk data aggregation
With the revision of MaRisk a new section on data management, data quality and risk data aggregation has been included which deals with the Basel Committee’s provisions on data architecture and IT structure. These new provisions ensure that risk data are based on precise, complete and timely data. These requirements apply only to G-SII and O-SII. However, the BaFin encourages smaller institutions to examine to what extent data aggregation capacities can be improved. For the implementation of these new requirements, the BaFin has granted a transitional period of three years for O-SII. G-SII have had to meet these requirements since January 2016 in any event.
Risk reporting
The new MaRisk also contains a new section on risk reporting. Reports must be based on complete, precise and up-to-date data and must also give a future-oriented risk estimate. The institution must be able to report ad hoc if necessary, in addition to the regular reporting. Prompt risk management should be capable of being undertaken on the basis of the reports.
Risk culture
The BaFin requires all institutions to embed an appropriate risk culture as an essential part of their risk management by defining behavioural patterns and practices in order to identify risks and to ensure that these are appropriately handled. This is to be achieved by including a code of conduct, the contents of which will depend on the nature, extent and risk content of the business concerned, together with a requirement that senior management will adopt these values and integrate them into their everyday actions. Taking the principle of proportionality into account, smaller institutions may be able to dispense with the requirement for a code of conduct.
Outsourcing
Furthermore, the existing outsourcing provisions have been amended. The BaFin clarifies the definition of outsourcing in order to differentiate outsourcing more clearly from other external procurement of goods and services. Outsourcing is defined as the commissioning of another enterprise to provide activities and processes relating to the execution of banking business, financial services or any of an institution's other usual services that would otherwise be provided by the institution itself. Civil law arrangements may not change whether an activity constitutes outsourcing. Regarding software, the BaFin considers an isolated purchase of software to be an example of external procurement of services (e.g. the adaptation of software to meet the institution’s requirements and other supporting measures). In contrast, the use of software in order to identify, assess, manage, monitor and communicate risks, or to perform activities which are crucial for banking business, would be deemed to be outsourcing. In general, institutions will not be allowed to outsource their controlling functions, such as the risk control function, the compliance function and internal audit, completely. Rather, institutions must ensure that outsourcing of activities and processes relating to the control units and core banking units is carried out so that the institution itself retains sufficient sound knowledge and experience to enable it to carry out the outsourced activities and processes itself if required. To ensure the continuity and the quality of the outsourced activities, exit processes must be defined. In addition, the revised MaRisk requires large institutions, and also institutions with extensive outsourced activities, to establish an outsourcing management function within the institution to ensure the overall monitoring and control of the outsourced activities. The outsourcing management function shall report on outsourced activities to senior management at least annually.
Conclusion
The revised MaRisk was published with no significant changes to the proposals on which the BaFin had consulted. Implementation of the revised MaRisk will challenge institutions in the months and years ahead, especially with respect to the requirements around data management, data quality and risk data aggregation. The BaFin is aware of this and provides an appropriate transitional period for the new requirements. In exceptional cases, the BaFin would agree an individual timetable with the institution concerned to ensure adequate implementation of the new rules.