Bafin Seeks Public Comment On The 9th Amendment To The MaRisk

QuickTake

On 1 April 2026, the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdientsleistungsaufsicht - Bafin)¹ published the draft of the 9th amendment to the “Minimum Requirements for Risk Management (MaRisk)”² for consultation. According to the draft, the MaRisk are to be fundamentally revised.

The revised version is intended to significantly reduce the complexity of regulatory requirements. Furthermore, a new transparent classification of small and very small institutions is intended to simplify the proportional gradation of the applicable requirements in future.

Furthermore, as part of this process, BaFin is also implementing the guidelines on environmental scenario analysis (EBA/GL/2025/04), as well as the guidelines on internal governance (EBA/GL/2021/05).

Key Takeaways

Reducing complexity

As part of the consultation, there is a noticeable new focus on individual risk assessment in accordance with the principle of proportionality. For example, in the case of very small institutions, approval from the front and back offices may be dispensed with if senior management is directly involved in the granting of risk-relevant loans and this ensures that lending activities are handled properly and in a manner appropriate to the existing risks.³ In non-risk-relevant lending business, financial institutions may generally benefit from relief (e.g. in conducting sensitivity analyses), provided that risks are assessed appropriately and consumer protection requirements are met.⁴ Furthermore, very small institutions may dispense with risk-type-specific stress tests if the overall stress test risk profile negatively impacts all material risks, and for small institutions, a severe economic downturn is sufficient as a bank-wide scenario; further scenarios are not required.⁵

Redundant content and provisions already regulated by law are also removed to make MaRisk more streamlined and clearer.

Facilitating proportional differentiation

For setting regulatory requirements, institutions are divided into three size categories:

1. Very small institutions (total assets up to €1 billion):
   Very small institutions are institutions, factoring institutions and CRD⁶ third-country branches that do not exceed a balance sheet total of €1 billion on a four-year average (Factoring institutions are, in addition, only considered very small if the annual volume of receivables purchased does not exceed €5 billion on a four-year average.)
2. Small and Non-complex Institutions (SNCIs) (up to €5 billion total assets):
   Small institutions are those referred to in Article 4(1) (145) of the Capital Requirements Regulation (Regulation (EU) No 575/2013 – CRR) as well as third-country branches of risk class 2 under the CRD).⁷
3. Less Significant Institutions (LSIs)

This approach sets out fixed thresholds that enable clear classification and reduces the regulatory burden on smaller and less significant institutions, as the above examples regarding credit risk analysis and stress tests demonstrate.⁸ This is likely to lead to a significant reduction in the burden of implementing regulatory requirements. The result is a stronger focus on the individual risks of the institutions.

Furthermore, MaRisk will not be applicable to significant institutions (SIs) in order to avoid double regulation. SIs remain under the direct supervision of the European Central Bank.

Adjustment of the exemption clauses

As additional requirements regarding the exemption clauses have largely been removed, the exemption clauses for small and very small institutions, enabling them to claim relief or exemptions from MaRisk requirements, are now easier to apply.

For example, previously, in the case of the functional separation of the front-office and back-office areas in the lending business, the requirements for waiving the separation were a credit volume of no more than €100 million, the presence of only two senior managers, and a simple structure of the lending business.⁹Under the new version, it is now sufficient for small institutions with up to three senior managers to generally have an organizational separation between risk control and the market division for ‘non-risk-relevant’ lending business, provided there are no conflicts of interest.¹⁰

Another example is the change from a rigid requirement for an annual review of the procedures for valuing collateral in the lending business (“must be reviewed annually”)¹¹ to a more flexible version that now only requires a certain degree of regularity (“The procedures for valuing collateral must be reviewed regularly, at least every two years for small institutions.”).¹²

With regard to stress tests, very small institutions may dispense with risk-specific stress tests, provided that all material risks are negatively affected in the stress test for the overall risk profile.¹³ For small institutions, a severe economic downturn (or a comparable stagflation scenario) is generally sufficient as a bank-wide scenario, provided that all material risks are negatively impacted therein.¹⁴

Implementation of the Guideline on Environmental Scenario Analysis (EBA/GL/2025/04)¹⁵

Furthermore, the Guideline on Environmental Scenario Analysis is being implemented in line with the current version of MaRisk. According to this, from 1 January 2027 financial institutions are obliged to systematically take climate-related risks into account in their risk diversification. To this end, institutions are required to develop ‘what-if’ scenarios regarding the resilience of their business models across various time horizons in order to identify risks at an early stage.

Implementation of the Guidelines on Internal Governance (EBA/GL/2021/05)¹⁶

In addition, the Guidelines on Internal Governance, which are currently only available as a consultation draft, are also included. These dictate comprehensive internal rules, processes and mechanisms to ensure effective and prudent management.

Note: Sections from the above-mentioned EBA guidelines need only be observed in addition to the requirements of MaRisk if MaRisk refers to these sections. Otherwise, the EBA guidelines are deemed to have been fully implemented in MaRisk.

Outlook and next steps

It remains to be seen which changes will actually take effect by the time MaRisk is finalized. Nevertheless, it is already clear that the trend is moving away from rigid regulatory over-regulation toward greater flexibility and a stronger focus on proportional—and thus more individualized—risk assessment.

Comments on the draft may be submitted to Bafin and the Deutsche Bundesbank by May 8, 2026.

Footnotes

1 The abbreviation for the Federal Financial Supervisory Authority is now written with a lowercase ‘f’.

2 Comparison version | Draft for Consultation

3 MaRisk Consultation BTO 1.1 Separation of powers and voting (Funktionstrennung und Votierung), Page 42, Rn. 1.

4 MaRisk Consultation BTO 1.2.1 Provision of credit (Kreditvergabe), Page 48 ff, Rn. 1.

5 MaRisk Consultation AT 4.3.3 Stress tests (Stresstests), Page 21, Rn. 2-4.

6 Capital Requirements Directive (EU) 2013/36.

7 MaRisk Consultation AT 1 Purpose of the letter (Ziel des Rundschreibens), Page. 8, Rn. 3.

8 MaRisk Consultation BTO 1.1 Separation of powers and voting (Funktionstrennung und Votierung), Page 42, Rn. 1, BTO 1.2.1 Provision of credit (Kreditvergabe), Page 48 ff, Rn. 1.

9 MaRisk Consultation (Comparison version) BTO 1.1 Separation of powers and voting (Funktionstrennung und Votierung), Page 76 ff., Rn. 1, on the right.

10 MaRisk Consultation BTO 1.1 Separation of powers and voting (Funktionstrennung und Votierung), Page 42, Rn.1.

11 MaRisk Consultation (Comparison version) BTO 1.2 Requirements for credit business processes (Anforderungen an die Prozesse im Kreditgeschäft), Page 84, Rn. 2.

12 MaRisk Consultation BTO 1.2 Requirements for credit business processes (Anforderungen an die Prozesse im Kreditgeschäft), Page 46, Rn. 2, on the left.

13 MaRisk Consultation AT 4.3.3 Stress tests (Stresstests), Page 21, Rn. 2.

14 MaRisk Consultation AT 4.3.3 Stress tests (Stresstests), Page 21 f., Rn. 3.

15 Guidelines on environmental scenario analysis_DE_COR.pdf; Vgl. MaRisk Consultation AT 1 Purpose of the circular (Ziel des Rundschreibens), EBA-Guideline (EBA-Leitlinen), Page 7, Rn. 2.

16 Guidelines on internal governance under CRD_DE - updated.docx; Vgl. MaRisk Consultation AT 1 Purpose of the circular (Ziel des Rundschreibens), EBA-Guideline (EBA-Leitlinien), Page 7, Rn. 2.