Minimum risk management requirements for ZAG institutions – ZAG-MaRisk

On 27 May 2024, the German Federal Financial Supervisory Authority (“BaFin”) published the final version of its circular “Minimum Requirements for Risk Management of ZAG institutions – ZAG-MaRisk”.

The version that has now been published corresponds to the draft that BaFin submitted for consultation eight months ago, with only a few, rather marginal changes.

We have reported on the consultation draft in our articles ZAG MaRisk AT and ZAG MaRisk BT.

What are the ZAG-MaRisk?

With the ZAG-MaRisk, BaFin defines a framework for the proper structuring of the business organisation of payment institutions and e-money institutions. Among other things, it focuses on specifying the requirements for the secure acceptance of customer funds and the management of operational risks.

The organisation and structure of the ZAG MaRisk largely correspond to the Minimum Requirements for Risk Management (MaRisk), which apply to credit institutions and large securities institutions subject to the German Banking Act (KWG).

Even though the ZAG-MaRisk are not legally binding, they are of paramount importance in practice. The structural and procedural organisation of payment and e-money institutions (“ZAG-Institutions”) subject to BaFin supervision must be measured against them.

Who is ZAG-MaRisk aimed at?

The circular is aimed at all ZAG-Institutions. The ZAG-MaRisk therefore also apply to payment initiation and account information service providers. Branches of German ZAG-Institutions abroad must also comply with ZAG-MaRisk. However, they do not apply to branches of companies based in another member state of the European Economic Area (EEA).

Principle of proportionality

The ZAG-MaRisk are very abstract. They follow the principle of so-called double proportionality, with which BaFin aims to create flexibility and practical relevance. Accordingly, the requirements for the institution-specific business organisation are based on the one hand on the type and scope of the business conducted by the respective ZAG-Institution and on the other hand on its specific risk profile. The measures taken by the ZAG-Institution must take both aspects into account in an appropriate manner.


Like the MaRisk, the ZAG-MaRisk is divided into a general section (“AT”) and a special section (“BT”).

The focus of the AT is the general business organisation. It contains requirements for the risk management system and the risk-controlling, compliance and internal audit functions of a ZAG-Institution. Like the MaRisk, the ZAG-MaRisk sets out very detailed rules for outsourcing activities and processes to other companies. BaFin defines the (potentially) material risk areas of ZAG-Institutions in the AT, for the management of which it formulates detailed requirements in the BT.

The BT is divided into three parts and defines requirements for the internal control system, which covers both customer money protection and risk management, the organisation of internal auditing and risk reporting.

Safeguarding of customer funds

Unsurprisingly, BaFin devotes the largest part of the organisational requirements (BTO) to the safeguarding of customer funds. There, it specifies its expectations regarding the safeguarding of customer funds by means of safeguarding accounts and sets requirements both for the organisation of the fiduciary relationship between the ZAG-Institution and the account-holding credit institution and for the specific handling of customer funds.

BaFin deals with the other safeguarding methods in far less detail, which corresponds to their minor practical significance.

Risks and their management

In line with the nature of the business of ZAG-Institutions, BaFin does not refer to the risk-bearing capacity of an institution in the ZAG MaRisk, but rather to the shielding of risks.

The focus of the requirements for risk management and controlling processes (BTR) is on operational risks, which BaFin describes as material per se in the ZAG-MaRisk and therefore treats as the top priority.

The explanations on the proper handling of counterparty default, market price and liquidity risks are considerably shorter than in MaRisk. The ZAG-MaRisk is often content with reproducing the central principles of MaRisk.

Outlook and implementation

With the publication of the ZAG-MaRisk, BaFin is clarifying its supervisory expectations. The ZAG-MaRisk entered into force at the time of its publication. However, BaFin has granted a transitional period until 1 January 2025 to implement the requirements of the ZAG-MaRisk. If this has not already been done on the basis of the consultation version, the ZAG-Institutions concerned should immediately check whether their organisation already meets the requirements of ZAG-MaRisk. If there are any gaps, these must be closed as quickly as possible, at the latest by the above-mentioned date.
