At the beginning of August, BaFin published its draft circular outlining the “Minimum Requirements for Risk Management in Investment Firms” (WpI MaRisk). With this consultation paper, BaFin completes the series of institution-type-specific risk management regulations. The objective of the circular is to provide a flexible and practice-oriented framework for investment firms (WpIs) to ensure proper business organisation in accordance with the German Investment Firm Act (WpIG).
Table of Contents
Close alignment with MaRisk
With the WpI MaRisk, BaFin continues its established approach. Similar to the Minimum Requirements for Risk Management in Payment Institutions (ZAG MaRisk), the WpI MaRisk closely follow the “original” MaRisk, which now apply only to credit institutions and large investment firms. In particular, the General Part (AT) of all three circulars is largely identical. The WpI MaRisk do not introduce any surprises.
Due to the nature of the different types of institutions, the most significant differences are found in the Special Parts (BT) of the circulars.
The principle of double proportionality
A key guiding principle of the WpI MaRisk is the concept of “double proportionality”, referring to proportionality both in terms of the business model and the size and risk profile of each institution on the one hand, and the requirements regarding internal risk measurement and control processes, as well as the frequency and intensity of their review, on the other.
The principle is already reflected in the volume of the circulars. While MaRisk and its explanatory notes span 122 pages, WpI MaRisk is limited to 60 pages.
Within the WpI MaRisk, different standards apply to small and medium-sized investment firms. While both are required to implement a strategy process, small firms are explicitly permitted to keep it simple. Certain requirements, such as stress testing, are mandatory only for medium-sized firms. Risk-based opening clauses further complete the picture.
Divergent risk approaches
A core element of the WpI MaRisk is the classification of material risks relevant to the institution.
Whereas MaRisk assumes certain risk types as inherently material, WpI MaRisk only requires firms to assess the materiality of specified risk types through a structured review. The two circulars differ in how they approach the definition of material risks: MaRisk focuses on the sources of risks—counterparty default, market price, liquidity, and operational risk—while WpI MaRisk takes a stakeholder-oriented perspective, defining material risks as those that affect clients, the market, or the investment firm itself.
General Part – tried and tested concepts remain
The General Part (AT) of the WpI MaRisk largely mirrors that of the MaRisk. The somewhat lower—particularly methodological—requirements for investment firms reflect the proportionality principle.
Even though certain requirements applicable to credit institutions and large investment firms have not been included in WpI MaRisk, this does not necessarily mean they are no longer relevant. For example, it would still be prudent for investment firms to regularly review their risk-bearing capacity assessment methods, even if not explicitly required.
The requirements for the key functions—risk management (referred to in MaRisk as risk control), compliance, and internal audit—are less stringent and more flexible in WpI MaRisk, again reflecting the proportionality principle. The strict separation between the risk management function and business units, even up to management level, is not mandatory under WpI MaRisk—except for trading activities that are not risk-irrelevant.
The extensive provisions of MaRisk regarding the internal audit function (BT 2) are not mirrored in WpI MaRisk. Only a few aspects have been incorporated into the General Part.
Unsurprisingly, the outsourcing rules from MaRisk have largely been adopted into WpI MaRisk.
Special Part
As in MaRisk, the requirements for the organisation of trading activities play a significant role in WpI MaRisk. The deviations from the “original” are minimal.
Due to the nature of WpI MaRisk, there is no module addressing lending activities.
Tied agents with their own module – no mere liability umbrella
A genuine innovation compared to MaRisk is the treatment of tied agents (vertraglich gebundene Vermittler – vgV).
Right at the start of the module, WpI MaRisk clarify that the engagement of tied agents is considered outsourcing, and the requirements of AT 9 apply.
WpI MaRisk also emphasise that the notification of liability under § 3 (2) WpIG is constitutive, i.e. it is a prerequisite for the vgV status. If notification is not provided, both the individuals acting as tied agents and the WpI itself are considered to be providing investment services without authorisation, exposing themselves to significant civil and criminal risks.
According to the explanatory notes, tied agents act legally and economically on behalf of the liable institution. The investment firm must therefore ensure that it itself issues invoices to clients. It is not permissible to engage tied agents solely by taking on liability, without becoming the contractual partner of the client. The firm must be the provider of the investment services rendered by the tied agent.
Proportional risk management requirements
The BTR module on risk management reflects the stakeholder-based risk approach. Even if a given risk does not directly affect the investment firm, client risks may still impact the firm indirectly, primarily in the form of liability claims.
Consistent with the principle of proportionality, most of the risk management requirements do not apply to small firms. They are exempt from setting and monitoring limits, such as counterparty or market risk limits.
Wind-down scenarios and plans
For the first time, a module on the risk of disorderly wind-down is included in risk management minimum requirements. WpI MaRisk require investment firms to identify wind-down scenarios and maintain plans for an orderly wind-down.
Conclusion
Investment firms that have so far followed the MaRisk framework have little to fear from the draft circular. Only the stakeholder-based risk approach and the obligation to maintain wind-down plans may present some new challenges for their risk management functions.
