Key components of MaRisk include risk strategy, risk identification, risk measurement and assessment, risk limitation and monitoring, risk reporting, internal control system, and internal audit.
Risk management is a critical aspect of financial crime mitigation and data protection. BaFin is the overarching supervisory body for the German financial sector, focusing on risk management, business continuity, de-risking outsourcing, cooperation with regulators, data management, data security, and confidentiality. MaRisk (Mindestanforderungen an das Risikomanagement, English translation: minimum requirements for risk management) is an initiative from BaFin that defines the minimum requirements for risk management compliance.
MaRisk is based on Section 25a (1) of the German Banking Act (Kreditwesengesetz, KWG), which covers “Particular organizational duties; authority to issue orders.” Section 25a is related to Article 88 of Directive 2013/36/EU, which outlines expected internal governance structures in covered entities in the financial services sector.
What is MaRisk compliance?
MaRisk is a regulatory document that forms a framework for implementing financial business in Germany. The focus is to de-risk the financial sector’s activities in Germany and consequently across the world, as German FIs (financial institutions) work internationally.
MaRisk is concerned with guiding the safe and secure functioning and integrity of the financial system in Germany. It is an administrative regulation and acts as a “Supervisory Review and Evaluation Process (SREP)” for banks that fall under the second pillar of Basel III.
MaRisk is a comprehensive framework covering areas of financial risk in internal risk management and outsourcing risks. Covered entities come under the supervision of BaFin and include banks, insurance companies, and securities.
How Akamai helps an organization comply with MaRisk
MaRisk provides a comprehensive framework for de-risking a financial organization’s activities. This includes securing their environment against malware, phishing, and unauthorized access. Akamai security solutions provide intelligence and end-to-end protection to protect financial data from breaches and accidental exposure, minimizing risks following MaRisk cybersecurity controls. Akamai’s security platform provides the dynamic security needed to apply Zero Trust principles to data protection across the expanded supply chain. Akamai helps your security teams to maximize the effectiveness and ROI of your security investments by moving beyond traditional endpoint detection to provide a powerful Zero Trust solution to the security and privacy of data.
Akamai provides:
- A global security platform that enforces Zero Trust security with comprehensive coverage of your IT, IoT, and OT environment
- Deep visibility into assets, access, and network flows
- Granular enforcement of security policy
History of MaRisk
MaRisk was first published in December 2005. It came about because of the Basel Committee on Banking Supervision’s framework Basel II. The principles of Basel II, and now Basel III, are reflected in section 25a (1) of the German Banking Act (Kreditwesengesetz — KWG) and MaRisk.
MaRisk was an initiative by BaFin to consolidate earlier risk management frameworks into one comprehensive risk management framework. In addition, BaFin designed MaRisk to modernize these more niche frameworks, incorporating the provisions in Basel II and the Banking Directive.
Since 2005 there have been several amendments and new requirements, including these recent three:
- Technical requirements for risk data aggregation and updates focus on outsourcing risks with a new central outsourcing management system requirement. (2017 MaRisk amendment)
- Alignment of MaRisk with the EBA Guidelines which included some ICT cybersecurity risks. (2021 MaRisk amendment)
- Integration of ESG risk management requirements into the general risk management framework. The inclusion of small and medium-sized banks and financial institutions under the lending and credit monitoring requirement of MaRisk under EBA guidelines. (2022 MaRisk amendment: current and seventh version of MaRisk)
MaRisk and risk-managed outsourcing
Supply chain attacks and data risks are a core element of the inclusion of stringent outsourcing risk management by MaRisk. AT 9 Outsourcing of MaRisk (minimum requirements for risk management) offers guidance to FIs on meeting the outsourcing regulatory requirements in section 25b of the German Banking Act (Kreditwesengesetz). The German Banking Act specifies that financial institutions take “reasonable precautionary measures” to avoid risk when outsourcing projects and tasks.
Types of organizations required to comply with MaRisk
Risk in the financial sector is at an all-time high: Evidence of concerns around risk comes from the Bank of England survey, which identified cyberattacks as the most concerning cited risk to the UK financial system (79% of respondents). MaRisk attempts to redress this by providing a framework to help the banking sector and associated companies reduce the risks of their activities.
Banks and MaRisk
German banks have experienced significant data breaches in recent years, an example being the 2022 cyberattack at Deutsche Bank, which resulted in 60 GB of stolen customer data. Banks and other financial sector entities come under the German Banking Act, BaFin, and MaRisk regulatory umbrella. Under MaRisk, the document “Supervisory Requirements for IT in Financial Institutions” sets out the measures required to meet the IT security requirements for banks. In addition, MaRisk requires German banks to secure their data flows, and one of the latest amendments to the regulation has included adding security to “home trading” that requires a minimum standard of IT security to guarantee data confidentiality. Zero Trust principles of least privilege enforce access controls from all locations, including home offices.
Cloud service suppliers to banks
The supply chain of cloud service providers to the banking sector in Germany comes under MaRisk regulation. Cloud service providers must follow the IT supervisory requirements to help ensure that a client (bank or other financial institution) implements risk control to comply. A risk assessment should demonstrate that information risk management, information security, and emergency response measures are in place, and comply with MaRisk and associated BAIT and BaFin. Cloud and IT service providers will typically include these assessments in client contracts. Cloud service providers should explore Zero Trust approaches to robust access controls across a distributed service architecture.
MaRisk and BAIT
Financial institutions must adhere to a comprehensive set of risk management regulations in MaRisk, BAIT, and other BaFin initiatives: Using these as frameworks, BaFin acts to control and manage risk in the financial sector.
MaRisk is a sister regulation to BAIT, the Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT), with BAIT building on the components of MaRisk. BAIT outlines the appropriate technical and organizational resources for IT systems, particularly information security and contingency plans in the financial sector. In 2021, BAIT was updated alongside MaRisk version 6.
BAIT compliance incorporates requirements from the EBA Guidelines for the Management of ICT and Security Risks (EBA/GL/2019/04), which came into force in 2020. The EBA guidelines responded to the increasing volumes, complexity, and levels of cyberthreats against FIs. In addition, the interconnectedness of banking was also a consideration in the EBA updated guidelines.
Two new areas were included in the update to BAIT:
- Operational information security: requirements for information security monitoring and controls
- IT service continuity management: minimum requirements for business continuity management in line with MaRisk AT 7.3
MaRisk AT 7.3 “Business continuity management” includes failure of IT systems caused by cyberattacks.
BaFin works to ensure the interconnectedness of the requirements of EBA, BAIT, and MaRisk. For example, the latest MaRisk version’s extensions encompass outsourcing guidance; therefore, ICT risk management extends to financial supply chain vendors.
What Akamai solutions can help an organization with MaRisk compliance?
The German BaFin authority suite of regulations overlaps in many areas, including protecting IT systems and data. Risk management is a central pillar of robust cybersecurity. Maintaining secure financial systems is essential to a risk-managed approach to financial infrastructures and data. Akamai’s suite of anti-fraud, regulatory testing, and security solutions provides the tools to meet MaRisk compliance. Akamai's suite of award-winning security solutions includes the following:
- Application and API protection: Prevent DDoS and safeguard assets.
- Akamai Account Protector: Proactively identify and block fraudulent human activity and account takeovers based on advanced machine learning, behavioral analytics, and reputation heuristics.
- Access and authorization: Zero Trust architecture provides simplification of compliance.
Frequently Asked Questions (FAQ)
MaRisk, or minimum requirements for risk management, is a mandate issued by the German Federal Financial Supervisory Authority (BaFin) that provides a framework for the management of all significant risks encountered by financial institutions in Germany.
All German banks and financial institutions, including credit institutions, are required to comply with MaRisk. Indirectly, MaRisk also impacts cloud service providers and other IT suppliers.