Minimum requirements for risk management at ZAG institutions (1)


Update: The ZAG-MaRisk was published on May 27, 2024 after an extended consultation.

According to the BaFin’s letter accompanying the publication, the final version differs from the previous drafts on which this blog article is based. The version that has now been published corresponds to the draft that BaFin submitted for consultation eight months earlier, with only a few, rather marginal changes. We have summarised this version in this article.

The updated BaFin draft can be viewed here.

ZAG-MaRisk – General part

On 27 September 2023, the German Federal Financial Supervisory Authority (BaFin) presented its draft circular ‘Minimum Requirements for Risk Management at ZAG Institutions – ZAG-MaRisk’ for consultation.

Unsurprisingly, the draft for the ZAG-MaRisk is modelled on the MaRisk applicable to credit and financial services institutions, the 7th amendment of which was published in May of this year ( In particular, the General Part (AT) of MaRisk was largely adopted in the draft for ZAG-MaRisk.

In this article, I will deal with the General Part (AT) of the ZAG-MaRisk. In a follow-up article, we will look at the special sections of the ZAG-MaRisk.

What are the MaRisk?

With the MaRisk, BaFin expresses the requirements it places on appropriate and effective risk management for credit and financial services institutions. In the ZAG-MaRisk, BaFin goes one step further, at least in terms of language, and speaks globally of a framework for the business organisation of payment and e-money institutions.

Even though MaRisk and ZAG-MaRisk are not legally binding, they are of paramount importance in practice. The structural and procedural organisation of the institutions subject to BaFin supervision must be measured against them.

Who is the ZAG-MaRisk aimed at?

The circular is aimed at all institutions within the meaning of the ZAG, i.e. all payment and e-money institutions (ZAG institutions). The ZAG-MaRisk therefore also applies to payment initiation and account information services. Branches of German ZAG institutions abroad must also comply with ZAG-MaRisk. However, they do not apply to branches of companies based in another member state of the European Economic Area (EEA).

Principle of proportionality

The ZAG-MaRisk are very abstract. Like MaRisk, they follow the principle of so-called double proportionality. Accordingly, the institution-specific structure of the business organisation is based on the one hand on the type and handling of the business conducted by the respective ZAG institution and on the other hand on its specific risk profile. The measures taken by the ZAG institution must take both aspects into account in an appropriate manner.


The requirements of the ZAG MaRisk relate to the management of those risks that a ZAG institution considers to be material on the basis of its overall risk profile.

Operational risks, including IT risks, are generally categorised as material. Counterparty default, market price, business model and liquidity risks, on the other hand, are only considered material by ZAG-MaRisk depending on the business model and therefore differ from MaRisk.

General requirements for risk management

In general, ZAG-MaRisk requires that the material risks of a ZAG institution are sufficiently shielded. The central concept of MaRisk, namely risk-bearing capacity (RBC), and the very detailed regulations for ensuring this have not been included in ZAG-MaRisk.

Like KWG institutions, ZAG institutions are also obliged to implement an internal control system (ICS). In accordance with the principle of proportionality, the type, scope, complexity and risk content of the business activities must be taken into account. The requirements in the ZAG-MaRisk relate to both the structural and procedural organisation of ZAG institutions as well as the establishment of processes for risk management and controlling and the creation of corresponding functions. Regular stress tests must be carried out to validate the measures taken.

ZAG institutions must – again in line with their cousins in the banking or financial services sector – have a risk management or controlling function, a compliance function and an internal audit function. Their respective location in the organisational chart of a ZAG institution, tasks and competencies are specified in great detail in the ZAG-MaRisk.


The requirements for significant outsourcing by KWG institutions in AT 9 of MaRisk are almost notorious. The ZAG-MaRisk has now adopted these almost word for word. The requirements for analysing outsourcing-specific risks, the necessary regulations in an outsourcing agreement and the monitoring of outsourced activities by the outsourcing ZAG institution are specified in great detail.

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like