On May 27, 2024, the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – “BaFin”) published the final version of the Circular on the Minimum Requirements for Risk Management of Payment Institutions (“ZAG-MaRisk”). As a result, payment institutions are subject to payment-specific minimum requirements for the first time and may no longer rely on the Minimum Requirements for Risk Management for Credit Institutions (“MaRisk (BA)”). The ZAG-MaRisk specifies the requirements for the proper business organization of institutions on the basis of Section 27 (1) of the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – “ZAG”). In addition, it includes specific provisions on security requirements (Sections 17 et seq. ZAG) and outsourcing (Section 26 ZAG). Compared to the Consultation Draft of September 27, 2023, there have been no significant changes in the final version. Rather, individual items have been specified and complemented. The ZAG-MaRisk entered into force upon publication; however, BaFin has granted an implementation period until January 1, 2025.
In line with the previous structure of MaRisk (BA), ZAG-MaRisk is again divided into a general section (Allgemeiner Teil – AT) and a special section (Besonderer Teil – BT).
Particular emphasis in the general section of ZAG-MaRisk is given to the identification of individual or concentrated risks by the institutions, the development of a corresponding risk strategy, methods for monitoring (including stress tests) and core elements of risk reporting.
The special section outlines the requirements for the design of the internal control system and refers in particular to the organizational and operational structure, the risk management and risk controlling processes, counterparty default risks, market price risks and liquidity risks.
With reference to the heterogeneous structure of institutions and the diversity of their business activities, BaFin once again emphasizes that the principle of proportionality applies to the requirements of ZAG-MaRisk. Risk management requirements may therefore be reduced or increased depending on the type, scope, complexity, and risk content of the institution’s business activities.
The final version of the ZAG-MaRisk highlights BaFin’s intention to introduce a uniform risk management standard similar to that applicable to credit institutions. In addition, the supervisory authorities are becoming increasingly vigilant in their scrutiny of payment institutions; affected institutions are therefore recommended to begin implementing the required (minimum) standards as of now.