At the end of October, the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht - BaFin) launched a consultation on its draft amendments to the “Minimum Requirements for Risk Management” (MaRisk). As with the last amendment to the MaRisk circular, the revision primarily incorporates guidelines issued by the European Banking Authority (EBA) into the MaRisk under the principles-based approach. The current changes implement the guidelines on the management of non-performing and forborne exposures (EBA/GL/2018/06) and on outsourcing (EBA/GL/2019/02), while further adjustments are based on the guidelines on the management of information and communication technology and security risks (EBA/GL/2019/04).
The consultation is scheduled to run until 4 December 2020, after which time comments will be considered and possibly published. The application date is yet to be determined.
What is new?
Some of the major changes introduced in this 6th amendment are listed here:
- Large and complex institutions are now defined as institutions whose total assets at individual institution level or consolidated at group level reach or exceed EUR 30 billion.
- Transactions in cryptocurrencies are considered trading transactions within the meaning of the German Banking Act (Kreditwesengesetz – KWG).
- Several risks defined by institutions as "insignificant" must be adequately addressed in the internal capital adequacy framework. In addition, the terms "normative" and "economic" perspective are introduced in internal capital adequacy assessment and planning.
- Data for collateral and its association to a transaction must be maintained or improved.
- New requirements for the further development of the compliance function, i.e., integrating compliance-related areas or separating other areas (e.g., outsourcing management, information security, business continuity management) and a clear separation from risk controlling
- Extension of the requirements on emergency management to include impact analyses, risk analyses, and a regular review of emergency concepts for time-critical activities and processes
- Clarification that the responsibility for meeting outsourcing requirements lies both at individual institution level and at group level
- Extension of information and auditing rights in the event of outsourcing, the establishment of a central outsourcing officer, and the preparation of joint emergency plans
- Assessment of the work of external property valuers.
- Regular assessment of the borrower's ability to repay, even in the case of bullet loans
- Separate chapter on "Treatment of Forbearance" (definition, development of forbearance guidelines, identification of affected risk positions, changes in contractual conditions, evaluation, and monitoring)
- Minor adjustments to trading transactions in terms of market conformity, list of authorised exchanges, and admissibility of issuer limits.
- Extension of the scope of technical and organisational resources to cover the information network, which also includes business-relevant information, business and support processes, IT systems and network, and building infrastructure.
- Individually recorded operational risk incidents must be aggregated; the assessment procedures must include at a minimum historical knowledge, current weaknesses, and potential events. This expressly includes IT security and compliance as well as emergency and outsourcing management.
What gets easier?
A few aspects have been simplified for institutions, e.g., compliance reporting to supervisory bodies can be delegated to a committee and the valuation of real estate collateral may also be carried out by internal experts. Forborne exposures are no longer automatically subject to intensive support; rather, the institution itself sets the criteria. The list of services that are not considered as outsourcing has been extended to include market-data information services, payment services, legal opinions, and utility services. Smaller, less complex institutions are given discretionary powers for outsourcing, and larger institutions may take more individual responsibility for outsourcing if appropriate risk analyses have been carried out.
Who is particularly affected?
Institutions with a sizeable non-performing exposure (NPE) portfolio, i.e., an NPE ratio of 5% or greater, must meet specific requirements. This applies at individual institution level as well as at partially or fully consolidated group level. (It also applies to individual portfolios!) Changes affect the following aspects:
- Alignment with international default definitions
- Mitigation strategies and implementation plans for monitoring by the supervisor
- Separate monitoring by risk controlling
- Establishment of specialised NPE processing units
- Valuation of collateral from the point of view of realisation
- Regular monitoring of resolution arrangements
- Guidelines for bail-out purchases for problem loans
- Development of methods and procedures for backtesting the differences between value adjustments and incurred losses
The 5% cut-off could become a problem for some institutions next year if corona-related relief is removed!
BaFin Konsultation 14/2020 - MaRisk (6. Novelle)