Minimum requirements for risk management at ZAG institutions (2)

Update: The ZAG-MaRisk was published on May 27, 2024 after an extended consultation.

According to the BaFin’s letter accompanying the publication, the final version differs from the previous drafts on which this blog article is based. The version that has now been published corresponds to the draft that BaFin submitted for consultation eight months earlier, with only a few, rather marginal changes. We have summarised this version in this article.

The updated BaFin draft can be viewed here.

ZAG-MaRisk – special sections

On 27 September 2023, the German Federal Financial Supervisory Authority (BaFin) presented its draft circular ‘Minimum Requirements for Risk Management at ZAG Institutions – ZAG-MaRisk’ for consultation. In our article ZAG-MaRisk AT, we have already provided an overview of the general part of the ZAG-MaRisk. In the following article, we take a look at the special sections of ZAG-MaRisk.

Special requirements for the internal control system (BT 1)

Like the MaRisk, the ZAG-MaRisk explains the special requirements for the internal control system in the special section (BT 1). The requirements relate primarily to the structural and procedural organisation for the provision of payment services and the operation of e-money transactions (BTO). In a second part, as in MaRisk, the requirements for the appropriate organisation of risk management and risk controlling processes for operational risks, counterparty default risks, market price risks and liquidity risks are presented (BTR).

Organisational requirements (BTO)

In this module, special requirements are placed on the organisation of the processes of ZAG institutions. The requirements relate in particular to the processes for security requirements and securing liability cases, procedures for security incidents and security-related customer complaints and the utilisation of agents.

Depending on the complexity and risk content of the respective business activities, a simplified implementation of the organisational requirements of the BTO is possible.

In principle, however, ZAG institutions must formulate differentiated processing principles, create a clear and suitable authorisation structure and base their business on effective legal agreements.

Collateral requirements and collateralisation of liability cases (BTO 1)

BTO 1 of the ZAG-MaRisk regulates the requirements for safeguarding the funds of payment service users and e-money holders.

The requirements for the use of fiduciary accounts by ZAG institutions are hardly surprising, as they correspond to BaFin’s previous administrative practice. Accordingly, the ZAG institution must conclude a suitable fiduciary agreement with the institution holding the fiduciary account. Some contractual clauses to be included in such a trust agreement are listed in a non-exhaustive manner. In line with BaFin’s previous administrative practice, the ZAG-MaRisk clarifies that incoming funds must be received directly in the trust account and that the ZAG institution’s own funds may not be transferred to the trust account at any time. Chargebacks may only be authorised on individual fiduciary accounts, not on collective fiduciary accounts. The ZAG institution must set up account reconciliation processes that are outside the operational business area.

The explanations on securing the funds by investing them in secure, liquid assets or by means of insurance or a comparable guarantee are scant and unclear. This reflects the relatively low importance of these security methods in practice.

Fraud prevention, security incidents and security-related customer complaints (BTO 2)

With regard to fraud prevention and the monitoring, handling and follow-up of security incidents and security-related customer complaints, ZAG institutions must implement appropriate organisational measures and procedures. In addition, ZAG institutions must set up a contact point for customers in the event of fraud, technical problems or concerns regarding receivables management. However, BTO 2 of the ZAG-MaRisk only formulates general requirements in this regard without going into further detail.

Utilisation of agents (BTO 3)

The organisational requirements formulated in BTO 3 of the ZAG-MaRisk for the use of agents only reflect the requirements contained in Section 25 (2) ZAG. The requirement to enter into a written agreement with the agent that sets out the obligations of the agent and the rights of the ZAG institution, including rights to issue instructions and cancellation as well as control rights of the institution and its auditors, is already stipulated in Section 2 (1) of the Agent Verification Ordinance.

Requirements for risk management and risk controlling processes (BTR)

Like MaRisk, ZAG-MaRisk requires ZAG institutions to set up risk management and risk controlling processes with regard to operational risks, counterparty default risks, market price risks and liquidity risks, whereby ESG risks must also be taken into account appropriately.

From the fact that operational risks (BTR 1 of the ZAG-MaRisk) are dealt with at the top of the list, it can be deduced that BaFin considers operational risks to be the most significant risk category for ZAG institutions. The requirements for the processes for managing and controlling operational risks correspond to the requirements of MaRisk.

Counterparty default risks (BTR 2 of ZAG-MaRisk) are to be managed in particular by setting and monitoring limits, identifying risk concentrations and regularly assessing the risk of business relationships. MaRisk contains similar, albeit more detailed, requirements in this regard.

The requirements of ZAG-MaRisk for market price risks (BTR 3 of ZAG-MaRisk) and liquidity risks (BTR 4 of ZAG-MaRisk) are significantly ‘slimmed down’ compared to MaRisk. Accordingly, the assumption of market price risks must be limited and subjected to ongoing monitoring independent of the conclusion of transactions. With regard to the management of liquidity risks, ZAG-MaRisk stipulates, among other things, the preparation of an internal financing plan, which generally covers a period of several years.

Special requirements for the organisation of internal auditing (BT 2)

The requirements for the organisation of the internal audit of ZAG institutions can be found in module BT 2 of ZAG-MaRisk. They are identical to the corresponding requirements in MaRisk. The key difference is that the submission of a quarterly report to the management and supervisory body of the ZAG institution is not mandatory. An annual report is generally sufficient.

Requirements for risk reporting (BT 3)

Module BT 3 of ZAG-MaRisk sets out the requirements for risk reporting. The content requirements for risk reports are somewhat less stringent than the requirements set out in MaRisk. The ZAG-MaRisk stipulates an annual regular reporting cycle, whereas the MaRisk stipulates a quarterly regular reporting cycle.
