For the first time, BaFin intends to publish a circular on the Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement – “MaRisk”) for institutions within the meaning of the Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – “ZAG”). We have taken a closer look at the regulations made there and compared them with the BaFin regulations for institutions within the meaning of the German Banking Act (Kreditwesengesetz – “KWG”).
In supervisory law, it is customary that the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – “BaFin”) provides its administrative practice on the requirements for individual institutions in circulars.
BaFin made use of this for credit and financial services institutions as well as for large investment firms according to the KWG/WpIG and published the MaRisk BA (last amended in June 2023 with Circular 05/23 (BA)). There BaFin specified, among other things, the framework conditions with regard to the design of the risk management of the individual institutions.
The circular ZAG-MaRisk now published for consultation focuses on the institutions supervised under the ZAG. The central elements of the circular are BaFin regulations regarding the requirements for the proper business organisation of the institutions, specification of the security requirements, requirements for fraud prevention and specifications for outsourcing.
BaFin uses the circular to provide a practical framework for ZAG institutions and to define specific requirements that are intended to ensure proper business organisation. The essential features of this are, on the one hand, the creation of appropriate measures to manage the company and, on the other hand, control mechanisms and procedures to ensure that the institution fulfils its obligations.
Within the institutions, the management is responsible for the proper business organisation and its further development. This includes, in particular, risk management. In order to be able to assess risks and counter them accordingly, each manager must create control and monitoring processes and an appropriate risk culture. BaFin understands the latter to mean a clear commitment by the management to risk-appropriate behaviour and regular monitoring of whether this is realised and observed by the employees.
A risk analysis, which must be carried out by the institution, serves as the basis for controlling and monitoring possible risks. In order to be able to draw up a comprehensive risk profile, the institutions must also include ESG risks appropriately and explicitly. ESG risks are events or conditions from the areas of environment, social affairs or corporate governance, the occurrence of which has potentially negative effects for the company. It is therefore not a question of environmental risks emanating from the company. The ESG risks identified here can serve as a basis/supplement to other reporting obligations (e.g., CSRD).
If a risk is classified as "material" in this way or if a special risk arises due to the concentration, special measures must be taken by the institution. The new circular focuses on special risk constellations.
Within the framework of the safeguarding requirements for the acceptance of funds (Sections 17 and 18 ZAG), which payment institutions and electronic money institutions must fulfil, the new circular takes into account the fact that these institutions – unlike credit institutions – are not authorised to hold customer funds.
In order to comply with the safeguarding requirements, the ZAG offers the obligated institutions three options:
BaFin now specifies in the consultation draft which requirements a trust account must fulfil. The requirements essentially serve to prevent the mixing of client and institution funds for the protection of clients.
Furthermore, BaFin specifies in its consultation the requirements for dealing with (possible) fraudulent acts to the detriment of the clients of a ZAG institution.
This obliges ZAG institutions to establish appropriate organisational measures and procedures in order to
In individual cases, this means that the ZAG institution must be organisationally capable of monitoring security incidents, handling them appropriately and taking the necessary follow-up measures.
Furthermore, the ZAG institution must establish an appropriate contact point (meaning a customer support channel) that is available to its customers for the submission of security-related complaints and that is able to deal with clients' complaints effectively and promptly.
Finally, ZAG institutions must establish appropriate procedures to comply with the legal reporting requirements (we reported on this). The procedures must be documented and designed in such a way that no conflicts of interest arise in the reporting process.
BaFin also presents the organisational requirements for the use of agents. However, this is only a summary of the requirements that are already laid down in the ZAG; the consultation draft does not provide any actual specifications or further-reaching requirements.
BaFin had already pointed out to ZAG institutions that the MaRisk for the KWG also provides guidance for ZAG institutions, especially in the area of requirements for outsourcing.
Consequently, the draft submitted for consultation differs from MaRisk BA with regard to the outsourcing of activities and processes by ZAG institutions only with minor editorial adjustments. In terms of content, BaFin continues its established administrative practice.
Thus, the one-time or occasional purchase of services or goods or the purchase of such services that are typically purchased by supervised entities and cannot be provided by them independently shall continue not to constitute outsourcing.
On the other hand, it remains the responsibility of the supervised institution to determine, by means of a risk analysis to be carried out independently, how a service obtained from a third party is to be qualified. If it is a "simple" outsourcing, the institution remains subject to the general requirements that the ZAG places on a proper business organisation. If, on the other hand, the institution determines in the course of the risk analysis that it is dealing with a "material" outsourcing, it is subject to more extensive obligations.
However, it is also true for the ZAG institutions that the management tasks of the business management cannot be the subject of an outsourcing and that it must be ensured at all times that the supervisory duties are complied with and that the outsourcing service provider remains subject to the instructions of the supervised institution at all times.
In the run-up to the publication of the circular, BaFin gives all ZAG institutions the opportunity to submit comments within the scope of the consultation. In order to promote the transparency of administrative action, BaFin intends to publish all comments on its website.
With its circular, BaFin is now also providing clarity on the scope and structure of the obligations that ZAG institutions must fulfil. This is to be welcomed. Even if the deviations from MaRisk BA appear minor at first glance, a thorough examination is recommended to ensure sufficient, high-quality compliance. In the future, it will be particularly interesting to see whether the administrative rules largely taken from MaRisk BA (even if they have already been implemented for the most part) also fit in practically with the supervision of institutions under the ZAG. For example, the requirements for new product processes in the constantly changing open banking/open finance sector could prove to be too slow.
With the kind support of Franziska Breuer, research assistant.