Getting Started with BaFin MaRisk
MaRisk (Mindestanforderungen an das Risikomanagement) is BaFin’s circular on the minimum requirements for risk management in German credit institutions and financial services institutions. It implements the EBA Guidelines on internal governance and translates Basel requirements into binding supervisory expectations for the German market. The current version (MaRisk 7.0, effective 2023) incorporates requirements from the EBA Guidelines on ICT and security risk management, making it directly relevant to operational resilience and IT governance. MaRisk applies to all institutions supervised by BaFin under the KWG (German Banking Act). Matproof maps MaRisk requirements to controls, policies, and evidence workflows so you can demonstrate compliance during BaFin audits and Section 44 KWG examinations.
Activate MaRisk under Settings - Frameworks - BaFin MaRisk. Controls are pre-populated across all MaRisk modules (AT, BT, BTR).
Am I in Scope?
MaRisk applies to:
- Credit institutions (Kreditinstitute) under Section 1(1) KWG
- Financial services institutions (Finanzdienstleistungsinstitute) under Section 1(1a) KWG
- Payment institutions and e-money institutions (to the extent the BaFin circular applies to them)
- Groups of institutions at both individual entity and group level
MaRisk Structure
MaRisk is organized into modules:
| Module | Scope | Matproof Module |
|---|---|---|
| AT (Allgemeiner Teil) | General requirements: governance, risk strategy, internal controls, outsourcing | Policies, Controls, Vendor Risk |
| AT 7 | IT resources and IT risk management (incorporates EBA ICT Guidelines) | Controls, Evidence |
| AT 9 | Outsourcing | Vendor Risk |
| BT (Besonderer Teil) | Specific requirements for organizational structure and processes | Controls |
| BT 1 | Lending business | Controls |
| BT 2 | Trading business | Controls |
| BT 3 | Internal control system requirements | Controls, Audit Programs |
| BTR | Risk types: credit, market, liquidity, operational risk | Risk Management |
Key Requirements in Matproof
Risk Strategy
Matproof modules: Policies, Risk Management
Document a risk strategy consistent with the business strategy. The management board is responsible for defining the institution’s risk appetite and ensuring adequate risk management.
IT Governance (AT 7)
Matproof modules: Controls, Evidence
Implement IT risk management covering IT strategy, information security, IT operations, and IT project management. This module now incorporates the EBA ICT Guidelines requirements.
Outsourcing (AT 9)
Matproof module: Vendor Risk
Classify outsourced activities by materiality. Material outsourcing requires a risk analysis, contractual safeguards, exit strategies, and ongoing monitoring.
Internal Control System
Matproof modules: Controls, Audit Programs
Maintain the three lines of defense: operational management, risk management and compliance, and internal audit. Document segregation of duties.
Operational Risk
Matproof modules: Risk Management, Incidents
Identify, assess, and manage operational risks, including IT failures, fraud, and process errors. Maintain a loss database and report material incidents.
Business Continuity
Matproof modules: Policies, Controls
Maintain business continuity plans for time-critical activities and processes. Test the plans regularly and document the results.
Recommended Implementation Plan
BaFin examiners pay close attention to AT 7 implementation. Ensure your information security officer (ISB) has sufficient authority and reports directly to the management board.
Common BaFin Examination Findings
| Finding | How to Avoid |
|---|---|
| Incomplete outsourcing register | Include all outsourced activities, not just IT. Review procurement records for missed arrangements. |
| IT risk management gaps (AT 7) | Ensure the ISB role is formally established with clear authority. Document IT risk assessments for all critical systems. |
| Missing segregation of duties | Map dual-control requirements for all risk-relevant processes. Document compensating controls where full segregation is not feasible. |
| Insufficient BCP testing | Test plans annually at minimum. Document test scenarios, results, and improvement actions. |
| Risk reporting gaps | Ensure ad-hoc reporting triggers are defined and management board reporting covers all material risk types. |
Relationship to Other Frameworks
| Framework | Overlap with MaRisk |
|---|---|
| DORA | DORA supersedes parts of MaRisk AT 7 for ICT risk. Institutions in scope for DORA should implement both, with DORA taking precedence for ICT-specific requirements. |
| ISO 27001 | Strong overlap with AT 7 information security requirements. ISO 27001 certification can serve as evidence for many AT 7 controls. |
| EBA Guidelines | MaRisk 7.0 incorporates EBA Guidelines on internal governance and ICT security risk management. Compliance with MaRisk generally satisfies the underlying EBA requirements. |
Next Steps
- Risk Management - building your MaRisk-compliant risk assessment framework
- Vendor Risk - outsourcing register and material outsourcing assessments
- Incidents - operational loss event tracking and reporting
- Audit Programs - internal audit planning for BaFin examinations