Minimum requirements for risk management at ZAG institutions (1)


Update: The ZAG-MaRisk was published on May 27, 2024 after an extended consultation.

According to the BaFin’s letter accompanying the publication, the final version differs from the previous drafts on which this blog article is based. The version that has now been published corresponds to the draft that BaFin submitted for consultation eight months earlier, with only a few, rather marginal changes. We have summarised this version in this article.

The updated BaFin draft can be viewed here.

ZAG-MaRisk – General part

On 27 September 2023, the German Federal Financial Supervisory Authority (BaFin) presented its draft circular ‘Minimum Requirements for Risk Management at ZAG Institutions – ZAG-MaRisk’ for consultation.

Unsurprisingly, the draft for the ZAG-MaRisk is modelled on the MaRisk applicable to credit and financial services institutions, the 7th amendment of which was published in May of this year (https://paytechlaw.com/von-esg-risiken-die-siebte-marisk-novelle/). In particular, the General Part (AT) of MaRisk was largely adopted in the draft for ZAG-MaRisk.

This article deals with the General Part (AT) of the ZAG-MaRisk. A follow-up article will look at the special sections of the ZAG-MaRisk.

What are the MaRisk?

With the MaRisk, BaFin expresses the requirements it places on appropriate and effective risk management for credit and financial services institutions. In the ZAG-MaRisk, BaFin goes one step further, at least in terms of language, and speaks globally of a framework for the business organisation of payment and e-money institutions.

Even though MaRisk and ZAG-MaRisk are not legally binding, they are of paramount importance in practice. The structural and procedural organisation of the institutions subject to BaFin supervision must be measured against them.

Who is the ZAG-MaRisk aimed at?

The circular is aimed at all institutions within the meaning of the ZAG, i.e. all payment and e-money institutions (ZAG institutions). The ZAG-MaRisk therefore also applies to payment initiation and account information services. Branches of German ZAG institutions abroad must also comply with the ZAG-MaRisk. However, it does not apply to branches of companies based in another member state of the European Economic Area (EEA).

Principle of proportionality

The ZAG-MaRisk are very abstract. Like MaRisk, they follow the principle of so-called double proportionality. Accordingly, the institution-specific structure of the business organisation is based on the one hand on the type and handling of the business conducted by the respective ZAG institution and on the other hand on its specific risk profile. The measures taken by the ZAG institution must take both aspects into account in an appropriate manner.

Risks

The requirements of the ZAG MaRisk relate to the management of those risks that a ZAG institution considers to be material on the basis of its overall risk profile.

Operational risks, including IT risks, are generally categorised as material. Counterparty default, market price, business model and liquidity risks, on the other hand, are only considered material by the ZAG-MaRisk depending on the business model; in this respect the ZAG-MaRisk differs from the MaRisk.

General requirements for risk management

In general, ZAG-MaRisk requires that the material risks of a ZAG institution are sufficiently shielded. The central concept of MaRisk, namely risk-bearing capacity (RBC), and the very detailed regulations for ensuring this have not been included in ZAG-MaRisk.

Like KWG institutions, ZAG institutions are also obliged to implement an internal control system (ICS). In accordance with the principle of proportionality, the type, scope, complexity and risk content of the business activities must be taken into account. The requirements in the ZAG-MaRisk relate to both the structural and procedural organisation of ZAG institutions as well as the establishment of processes for risk management and controlling and the creation of corresponding functions. Regular stress tests must be carried out to validate the measures taken.

ZAG institutions must – again in line with their cousins in the banking or financial services sector – have a risk management or controlling function, a compliance function and an internal audit function. Their respective location in the organisational chart of a ZAG institution, tasks and competencies are specified in great detail in the ZAG-MaRisk.

Outsourcing

The requirements for significant outsourcing by KWG institutions in AT 9 of MaRisk are almost notorious. The ZAG-MaRisk has now adopted these almost word for word. The requirements for analysing outsourcing-specific risks, the necessary regulations in an outsourcing agreement and the monitoring of outsourced activities by the outsourcing ZAG institution are specified in great detail.
