
More proportionality for smaller institutions and de-scoping of significant institutions – BaFin’s 9th revision of the MaRisk

The German financial services supervisory authority BaFin is consulting on the 9th revision of its Minimum Requirements for Risk Management (MaRisk) as of 1 April 2026. While the date of the consultation suggests otherwise, BaFin seems to be serious about its calls for simplification and deregulation, especially for smaller institutions. This blogpost provides a brief overview of the key changes proposed by BaFin.

I. Scope of application (AT 2.1 MaRisk)

The MaRisk have traditionally applied to all types of German institutions, irrespective of whether they were directly supervised by the ECB or not. Significant institutions therefore often found themselves trapped between compliance with BaFin’s administrative practice and the ECB’s expectations. The consultation now proposes clarity for significant institutions, to which the MaRisk shall no longer be applicable.

However, it remains to be seen to what extent this will result in the complete dis-application of the MaRisk by significant institutions. The MaRisk provide for detailed requirements that the institutions and their auditors have applied for years. The continued adherence to – at least some of – the MaRisk requirements on a voluntary basis therefore seems to be a possible outcome. 

This applies in particular to areas in which neither the EBA nor the ECB have issued guidelines, such as the organisational requirements for trading (BTO 2 MaRisk). Examples include the obligation for traders to transfer their position responsibility to another trader at least once a year for ten trading days (BTO 2.1.(10) MaRisk) or the verification of the market conformity of transactions (BTO 2.2.2(4)(d) and (5) MaRisk).

However, the BaFin consultation will in any event conclude discussions that have been ongoing for years on the application of the MaRisk by the ECB.

The consultation proposes an extension of the scope of application to CRD third-country branches, i.e. the branches the establishment of which will be required under Article 21c CRD VI. Such branches will under the new section 53cg KWG be subject to governance and risk management requirements akin to institutions, which will generally also include the risk management requirements under section 25a KWG. An extension of the scope of application to CRD third-country branches therefore seems logical; however, it will need to be ensured that the MaRisk requirements are compatible with the various EBA guidelines on CRD third-country branches.

II. More proportionality (AT 1(3) MaRisk)

A key driver of the MaRisk consultation is the call for more proportionate regulation, especially for smaller institutions. The MaRisk currently provide for some facilitations for small institutions. 

The consultation now introduces three classes of institutions:

  • Very small institutions: This includes institutions and CRD third-country branches with a balance sheet of less than EUR 1 billion. The threshold is calculated on the basis of the four-year average of the institution. Factoring institutions may be considered “very small” if their average receivable purchase volume does not exceed EUR 5 billion per year, calculated on the basis of the four-year average. Concessions for very small institutions can be found, for example, in AT 4.4.2(4) MaRisk (compliance officer), AT 4.4.3(1) (internal audit), AT 9(2) and (13) MaRisk (outsourcing: risk analysis and reporting to senior management), BTO 1.1(1) (segregation of functions in credit decisions).
  • Small institutions: Small institutions are small and non-complex institutions (SNCIs) as defined in Article 4(1) point 145 CRR, as well as class 2 CRD third-country branches. Very small institutions can also benefit from the facilitations for small institutions, even if they do not fulfil the SNCI criteria. Concessions for small institutions can be found, for example, in AT 4.2(1) (strategies), AT 4.4.1(1) (risk control function), BTO 1.2.2(3) MaRisk (monitoring of collateral).
  • Other less significant institutions are institutions that are neither very small nor small. There are no specific facilitations for this group.

III. Overview of further changes

Many changes are intended to consolidate the explanations previously contained in the comments section and the text of MaRisk; they are predominantly of a technical nature and do not affect the content of the MaRisk. 

In our view, the following changes are worth noting:

  • The revised AT 1(1) MaRisk clarifies that the MaRisk also serves to implement section 26c KWG, which came into force on 1 April 2026 and concerns the management of environmental, social and corporate governance (ESG) risks. The EBA guidelines on the management of ESG risks (EBA/GL/2025/01) and on environmental scenario analysis (EBA/GL/2025/04) are also being implemented (for example in AT 2.2(3) MaRisk).
  • The commentary on AT 1(2) refers to the EBA guidelines, which were considered when drafting the MaRisk. Unless otherwise specified in the MaRisk, the EBA guidelines are deemed to have been fully implemented.
  • The provision on group-level risk management has been moved from AT 4.5 MaRisk to AT 2.1(3) MaRisk.
  • To define more precisely the concept of materiality, which is relevant for the risk inventory, the revised AT 2.2(1) MaRisk introduces a threshold (5% of the risk coverage potential). The risks associated with information and communication technology (ICT risks) are assigned to the operational risks.
  • The provisions concerning the responsibilities of the supervisory body and its committees (AT 4.2(6), 4.3.2(3), 4.4.2(7) MaRisk, BT 2.4(4) MaRisk and BTR 3.1(4) MaRisk) are consolidated in the new AT 3.2 MaRisk.
  • The provisions on risk-bearing capacity in AT 4.1(5) MaRisk make it clear that, in cases where the institution is unable to quantify individual risks, it may also maintain appropriate buffers. AT 4.1(10) MaRisk specifies that capital planning must be carried out at least annually and as and when required.
  • The revised AT 4.2 MaRisk on strategies refers to the strategies for the management of ICT risks and ensuring digital operational resilience (as also referred to in Article 6 Regulation (EU) 2022/2554 (DORA)), which may be combined.
  • AT 4.3.4 MaRisk on data management, data quality and the aggregation of risk data, which was intended solely for significant institutions, will be deleted.
  • The requirements regarding the organisation of the internal audit function are being transferred from BT 2 MaRisk to AT 4.4.3 MaRisk.
  • The commentary on AT 5(3) of the MaRisk clarifies that the organisational guidelines must also include an overview of the duties and individual responsibilities of members of the management board, the immediate line management and those holding key functions. This links to the new requirement under section 25c(4a) no. 8 KWG to draw up individual statements and a mapping of duties.
  • The requirements set out in AT 7.2 and 7.3 of MaRisk regarding technical and organisational resources and emergency management are being amended to take greater account of the requirements of DORA.
  • The new AT 8.2 MaRisk appears to limit the requirements applicable to the concepts that institutions have to prepare in the context of mergers and acquisitions. However, these new requirements will have to be read in conjunction with the new requirements on mergers and acquisitions under sections 2h and 2i KWG, which apply as of 1 April 2026 (see our separate blogpost for an overview). To the extent that the requirements under sections 2h and 2i KWG apply, the business plan required by the EBA Draft RTS on prudentially material transactions will complement (or rather replace) the requirement under AT 8.2 MaRisk.
  • There is no longer any need to appoint an outsourcing officer (old commentary to AT 9(12) MaRisk) or to establish and maintain an outsourcing register (AT 9(14) MaRisk old) under the MaRisk. However, an outsourcing register will still be required under section 25b(1) sent. 4 KWG and the EBA Outsourcing Guidelines. While the guidelines do not require the appointment of an outsourcing officer as such, they still highlight the importance of oversight of outsourced functions. Appointing a dedicated outsourcing officer may therefore continue to be an option for compliance with the EBA Outsourcing Guidelines.
  • The requirement to place accounting within a unit that is independent of market and trading activities (BTO(7) MaRisk) no longer applies.

IV. Next steps

BaFin is consulting on the new MaRisk until 8 May 2026. It is not yet clear by when BaFin aims to publish the updated version of the MaRisk. Since BaFin is implementing the EBA Guidelines on internal governance, which are only available in draft form at the moment, it seems likely that the MaRisk will only be finalised after publication of the final EBA Guidelines.
