GE BaFin issued the draft circular on the Minimum requirements for risk management of ZAG institutions – ZAG MaRisk for public consultation based on business structures.
Based on S. 27 Para 1 of Payment Services Supervision Act (ZAG(GE)), the circular provides institutions with flexible/practical framework for structuring their businesses.
It specifies requirements for security (s17 and 18 - ZAG) and outsourcing (s26 - ZAG).
A proper business organization includes appropriate corporate management measures proper performance of supervisory body's monitoring functions and includes control mechanisms and procedures that ensure that the institution fulfills all of its obligations.
Internal control mechanisms consist of the internal control system and internal audit and include structure, assessing and controlling risk, and all internal audit operations.
Circular provides a regulatory framework for the qualitative supervision of institutions and the appropriate handling of consideration of the double proportionality principle.
Principle of proportionality on the part of institutions is included in principle-oriented structure of the ZAG-MaRisk and requires institutions to take extra care as necessary.
To take precautions in the area of risk management than institutions with less complex structured business activities that do not involve exceptional risk exposure for firms.
GE BaFin expects the flexible basic orientation of the circular is taken into account in the context of audit procedures, and will look at procedures as part of its supervision.
The circular is aimed at all of the types of institutions that are supervised under ZAG.
Effectiveness
Comments on the consultation can all be provided by stakeholders until Dec. 6, 2023.
On May 27, 2024, GE BaFin published circular 01/2024 on minimum risk requirements for risk management of ZAG institutions (ZAG-MaRisk) and a letter to the associations.
On the basis of section 27 (1) ZAG, ZAG-MaRisk provides a flexible and practical framework for the design of a proper business organisation of the institutions.
Compared to the consultation version, changes have been made in some places.
Some are intended to emphasize supervisory objective more strongly, but also meet legitimate interests, particularly of institutions with less complex business activities.
ZAG-MaRiskin force upon publication; implementation expected by Jan. 1, 2025.
Document dated May 27, 2024, was received on Jun. 18, 2024 due to a fixed feed.
Ge BaFin changed circular number from 01/2024 to 07/2024 for numeric consistency.
Compared to the consultation version, GE BaFin has made changes in some places, some of which are intended to highlight the supervisory objective more clearly.
While other changes also meet legitimate interests, particularly of institutions with less complex business activities, and all personal designations are seen as gender-neutral.
GE Bundesbank worked closely with the ZK group to develop the ZAG-MaRisk.
The ZAG-MaRisk will come into force upon publication, as stated by GE BaFin.
GE BaFin agrees with requests in the consultation responses regarding transitional periods and expect the requirements to be implemented by Jan. 1, 2025.
This updated circular affects all payment institutions and e-money institutions.
In Aug. 2024, GE BaFin updated retail banking product monitoring cir, see #224447.
