ESG and more - BaFin updates its MaRisk

On 26 September 2022, the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin) launched the consultation of the seventh iteration of the Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement, MaRisk). The MaRisk codify BaFin’s administrative practice regarding risk management for German banks and further specify the statutory requirements stipulated in section 25a of the German Banking Act (Kreditwesengesetz, KWG), which transposes Articles 88 et seq. of Directive 2013/36/EU (CRD 5). The seventh MaRisk amendment now proposes to further detail existing requirements and include new requirements that, among others,

• transpose the European Banking Authority's (EBA) Guidelines on Loan Origination and Monitoring (EBA/GL/2020/06) (see I. below);
• integrate ESG risk management requirements into the general risk management framework (see II. below); and
• stipulate specific requirements with respect to real estate investments of banks (see III. below).

In addition to these three amendments that we would like to focus on below, BaFin is also proposing to further specify the rules for real estate development loans (Immobiliarförderkredite), the business model analysis, trading activities in the home office and significant development banks (bedeutende Förderbanken).

Overview on proposed amendments

I. Implementation of the EBA Guidelines on Loan Origination and Monitoring

As already announced during EBA's comply-or-explain process, BaFin will use the 7th MaRisk amendment to implement the EBA Guidelines on Loan Origination and Monitoring of 29 May 2020 (EBA/GL/2020/06). BaFin will predominantly use the reference technique and incorporate the provisions of EBA/GL/2020/06 in the relevant modules of MaRisk by simple reference.

To be welcomed is the clarification in the commentary to AT 1 paragraph 3 MaRisk that institutions, when complying with the provisions of the EBA/GL/2020/06, may apply the principle of proportionality and the criteria set out in paragraph 16 (b) to (d) of the EBA/GL/2020/06.

However, there is also a potential "gold plating" associated with the proposed amendment. The MaRisk and its BTO 1 on the organisational and operational structure in credit business is applicable to all assets and off-balance sheet items within the meaning of section 19 KWG. Insofar as BTO 1 MaRisk is "enriched" by way of reference, the EBA/GL/2020/06 would therefore, in Germany, also apply to assets and transactions which are actually expressly excluded from its scope of application, namely derivatives, debt securities and securities financing transactions (see page 8 of the final report on EBA/GL/2020/06). Further, the exemption of loans and advances to credit institutions, investment firms, financial institutions, insurance and reinsurance undertakings, central banks and sovereigns from Section 6 EBA/GL/2020/06 on pricing is also not reflected in the proposed amendment to the MaRisk.

II. ESG risks

In addition to the implementation of the sections of the EBA Guidelines on Loan Origination and Monitoring that relate to ESG risks, BaFin proposes to include general requirements for the risk management of ESG risks into the MaRisk. In this context, BaFin refers both to its own Guidance Notice on Dealing with Sustainability Risks (Merkblatt zum Umgang mit Nachhaltigkeitsrisken) of 20 December 2019 and to ongoing European initiatives in this area.

With its Guidance Notice on Dealing with Sustainability Risks, BaFin was one of the first banking supervisory authorities ever to publish a compendium of non-binding good practice guidelines for the management of ESG risks (summarised in this blog post) – long before the ECB, for example, published its Guide on climate-related and environmental risks in November 2020 for significant banks. In its Guidance Notice of 2019, BaFin had recommended a strategic approach to ESG risks and an adjustment of relevant risk management frameworks of the entities under its supervision, including banks, investment firms, insurance undertakings, pension funds and asset management companies, and expressed its expectation that the supervised entities deal with the impact of ESG risks and document their efforts in this respect.

Just like the ECB, which followed up and assessed the progress made in the implementation of its expectations on the management of climate-related and environmental risks through a self-assessment of the ECB supervised significant banks (the insights gained are summarised in this blog post), BaFin initiated a survey in April 2021 on the implementation of its Guidance Notice to find out where the entities under its supervision currently stand. In its survey report of 17 November 2021, BaFin found that, while almost all of the companies surveyed were making efforts to address the topic of ESG risks, many entities, particularly in the banking sector, had some catching up to do on risk management procedures, in particular relating to the use of internal stress tests but also in strategic and organisational decision-making. BaFin found that only a few of the smaller and medium-sized banks included in the survey (unlike the significant institutions directly supervised by the ECB) viewed ESG risks as material and that e.g. only 31% of the banks surveyed had so far incorporated ESG risks in their internal risk management guidelines.

Against this background, BaFin emphasises in the context of the current consultation that the proposed 7th MaRisk amendment now incorporates the guidelines from its Guidance Notice into the regulatory text and thus establishes audit-relevant requirements. ESG risk-related requirements are embedded comprehensively into the MaRisk’s risk management framework and can be summarised as follows:

• Risk inventory: The impact of ESG risks (which are not qualified as a new risk category but rather as a risk driver for risks that are already covered by the risk management framework, such as credit risk, market risk, liquidity risk and organisational risk) must be appropriately and explicitly included in the institutions’ risk inventory to identify material risks (AT 2.2 para. 1 MaRisk);
• Management responsibility: Managing directors fulfil their overall responsibility for a proper business organisation only if they can assess relevant risks, including ESG risks, and take necessary measures to limit them (AT 3 para. 1 MaRisk);
• Risk-bearing capacity: The impact of ESG risks must be adequately and explicitly taken into account in internal processes for ensuring the institution’s risk-bearing capacity – in this context, BaFin clarifies that it is not sufficient to focus on existing data histories (AT 4.1 para. 1 and 2 MaRisk);
• Business strategy: When defining and adjusting the business strategy, banks are required to carry out an in-depth, forward-looking analysis of their business model, taking into account, among other things, changing environmental conditions and transitions to a sustainable economy and possible developments over an appropriately long period of time (AT 4.2 para. 1 MaRisk);
• Risk strategy/appetite: The impact of ESG risks must be appropriately and explicitly taken into account in the institution’s risk strategy and the determination of the risk appetite (AT 4.2 para. 2 MaRisk);
• Risk management and controlling processes: The impact of ESG risks must be explicitly considered in the institutions’ processes to identify, assess, control, monitor and communicate risks – in this context, BaFin clarifies that the impact of ESG risks on other risks must be assessed and documented comprehensively and, as far as reasonable and possible, also quantitatively (AT 4.3.2 para. 1 MaRisk; also specifically for credit risk (BTR 1 para. 1 MaRisk), for market risk (BTR 2.1 para. 1 MaRisk), for liquidity risk (BTR 3.1 para. 1 MaRisk) and for organisational risk (BTR 4 para. 2 MaRisk));
• Stress tests: The impact of ESG risks must be taking into account in the stress tests for the institution’s material risks – in this context, BaFin expects that the impact of ESG risks is mapped over an appropriately long period of time and beyond the regular risk assessment horizon (AT 4.3.3 para. 1 MaRisk);
• Organisational guidelines: Regulations on how banks consider the impact of ESG risks must be included in their organisational guidelines (AT 5 para. 3 MaRisk);
• Risk reporting/report of risk control function: Internal risk reporting must provide the management board with an up-to-date and, as far as this is meaningful and possible, quantitative overview of the impact of ESG risks (BT 3.1 para. 1 MaRisk); the risk control function’s quarterly overall risk report shall include meaningful information and data that demonstrates the impact of ESG risks on the business model, strategy and overall risk profile of the institution, including ESG-related sectoral and geographical risk concentrations (BT 3.2 para. 1 MaRisk).

As a result, supervised banks are expected to develop an approach to ESG risks that is appropriate to their business model and risk profile, taking into account the principle of proportionality. BaFin notes that it is aware that ESG risks are sometimes difficult to measure and manage due to the frequent lack of historical data, the many factors to be taken into account over a longer period of time and various uncertainties about future climate and political scenarios. Nevertheless, BaFin expects supervised institutions to adapt existing processes and develop new measurement, control and risk mitigation instruments, especially since both physical risks and transition risks could also materialise at very short notice.

With its requirements, BaFin also refers to the current initiatives at the European level and, to a certain extent, anticipates upcoming requirements and prepares the German institutions for them. In its proposal for CRD 6 of 27 October 2021, the European Commission puts an emphasis on the strengthening of ESG risk management requirements. Under the proposed rules, banks will be required to include short-, medium- and long-term horizons of ESG risks in their strategies and processes for evaluating internal capital needs, as well as adequate internal governance. Eventually, the EBA SREP Guidelines will be amended to integrate the relevance of ESG risks for the SREP process and EBA Guidelines on the management and supervision of ESG risks will be adopted – for a taste of the latter, see EBA’s Report on management and supervision of ESG risks for credit institutions and investments firms of 23 June 2021.

III. Real Estate Transactions

The years of low interest rates have caused a significant expansion of institutions’ direct real estate investments. The 7th MaRisk amendment now addresses real estate transactions for the first time explicitly. To this end, a new module (BTO 3) will be included in a separate section of the MaRisk. The MaRisk define real estate transactions as follows:

“Transactions with real estate, in which one of the following intentions is pursued: (a) Acquisition or construction of real estate for the purpose of generating income through renting/leasing; (b) Acquisition or construction of real estate with a view to resale (e.g. property development business); and (c) Existing real estate for the purpose of generating income by letting/leasing or resale.”

The MaRisk clarify that real estate held by a subsidiary within the meaning of section 290 of the German Commercial Code (Handelsgesetzbuch, HGB) will also be captured by this definition. BaFin does, however, not specify whether this would also cover investments into real estate funds that are controlled by an institution. Real estate transactions that predominantly serve the institution’s own business operations are excluded.

The organisational and procedural requirements stipulated by the draft MaRisk are similar to those for institutions’ credit business and entail, among others, the following requirements:

• Division of responsibilities: The front office in the real estate business must be separated from the back-office and the risk-control functions, as well as valuation expert mentioned in BTO 3.2 para. 3 MaRisk up to and including the level of the management board.
• Voting: The decision to enter into a real estate transaction requires two affirmative votes by front office and back-office functions. Further decision-making regulations (e.g. KWG, Articles of Association) remain unaffected by this.
• Valuation: When determining the procedures for determining the value of the real estate, suitable valuation procedures must be used. A property inspection must be carried out as part of the valuation. The market value of the property must be determined by experts (BTO 3.2 para. 3). The value of real estate shall be reviewed annually.
• Annual report: At least annually, a report on real estate transactions shall be prepared and made available to the management board.

In order to avoid overburdening institutions with only marginal real estate business with the new requirements, a threshold of 2% of an institution’s balance sheet total is proposed. In addition, an absolute threshold of EUR 10 million is proposed. As such, even smaller institutions would have to comply with the new requirements of BTO 3 MaRisk at an early stage, but not necessarily from the first property. The EUR 10 million threshold is, therefore, likely going to be the subject of some debate in the consultation process.

Next steps

BaFin is requesting feedback on these proposed amendments by 28 October 2022. Thereafter, BaFin will consider feedback from respondents. It is not clear yet, when the MaRisk will be finalised. Given that BaFin intended to transpose the EBA/GL/2020/06 already by June 2022, it seems likely that the new MaRisk will be finalised rather sooner than later.