ZAG institutions take note! BaFin has updated its Circular 08/2023 on the monitoring and governance of banking products in the retail banking sector. This has implications for the implementation of ZAG-MaRisk.
As my colleague Jörg Streißle has already explained in his blog post , the requirements of Circular 08/2023 on the supervision and governance of banking products in retail banking (Circular 08/2023) have also applied to payment and e-money institutions since 1 May 2024, insofar as they wish to offer their payment and e-money accounts, services and instruments to consumers.
As product manufacturers, payment and e-money institutions are responsible in particular for ensuring that their payment services and e-money products are suitable for the interests, objectives and characteristics of their defined target market. The financial capacity of the target market is a key criterion for assessing suitability.
The regulations of Circular 08/2023 include in detail:
- Product monitoring and governance for product manufacturers
These include guidelines on establishment, proportionality, verification and documentation (Guideline 1), the product manufacturer’s internal control functions (Guideline 2), target market identification and updating (Guideline 3), product testing (Guideline 4), product monitoring (Guideline 5) and corrective actions (Guideline 6), distribution channels (Guideline 7) and information for product distributors (Guideline 8):
- Product monitoring and governance for product distributors (guidelines 9 to 12); product distributors are companies that offer and / or sell payment services and e-money products.
- Outsourcing.
Circular 08/2023 makes it clear in several places that the requirements contained therein must be integrated into the general risk management of product manufacturers.
On 27 May 2024, BaFin published Circular 07/2024 (BA), in which it specifies the minimum requirements for the risk management of ZAG institutions ( ZAG-MaRisk ). As a result, the passages of Circular 08/2023, which previously only referred to MaRisk for credit institutions (Circular 06/2024 (BA)), were amended by BaFin on 30 August 2024. In the updated version of Circular 08/2023, BaFin now explicitly refers to the ZAG MaRisk in paragraphs 15, 18, 20 and 49. BaFin thus makes it clear that it expects the provisions of Circular 08/2023 to be integrated into the implementation of the requirements of ZAG-MaRisk.
In detail, the payment and e-money institutions are to
- When introducing a new regulated product for retail clients, ensure that the regulations for product monitoring and governance are implemented in accordance with AT 8.1 ZAG-MaRisk as part of the authorisation strategy for new products (new product process, NPP);
- ensure that the regulations for product monitoring and governance are integrated into its governance and risk management framework in accordance with ZAG-MaRisk. To this end, the management body of the ZAG institution must approve the definition of the regulations and subsequent reviews.
- integrate the responsibilities for the supervision of this process by the risk controlling function and the compliance function into the usual tasks in accordance with AT 4.4.1 and AT 4.4.2 of ZAG-MaRisk;
- ensure that they fulfil the requirements set out in AT 9 of the ZAG-MaRisk on outsourcing if the activity of product manufacturing and/or product distribution is outsourced in whole or in part to third parties or performed by another entity in some other way.
In addition, BaFin made editorial changes to paragraphs 6 b) and c) of Circular 08/2023.
ZAG institutions are obliged to implement the updated Circular 08/2023 by 1 January 2025 at the latest. This deadline corresponds to the implementation deadline of the ZAG-MaRisk. The editorial amendments will enter into force on 30 August 2024, as BaFin intends to adhere to its previous administrative practice.
In summary, it should be noted that payment and e-money institutions must align their products designed for consumers with the interests, objectives and characteristics of the target market and integrate the regulations for product monitoring and governance into their corporate governance and risk management framework within the meaning of ZAG-MaRisk by 1 January 2025.
