MaRisk Compliance for Banks and Financial Services

Minimum Requirements for Risk Management – From ICS to IT Requirements to Outsourcing Management


MaRisk (Mindestanforderungen an das Risikomanagement – Minimum Requirements for Risk Management) is the central BaFin circular for structuring risk management in German credit institutions. The current version MaRisk 7.0 (2023) specifies the requirements of § 25a of the German Banking Act (KWG) and implements European requirements such as the EBA guidelines on internal governance. MaRisk forms the basis for further specifications such as BAIT (IT requirements) and ZAIT (payment services) and has been the benchmark for regulatory audits for over 15 years.

What is MaRisk?

The Minimum Requirements for Risk Management (MaRisk) is a circular issued by the German Federal Financial Supervisory Authority (BaFin) that specifies the organizational obligations of credit institutions under § 25a of the German Banking Act (KWG). MaRisk defines how banks must structure their risk management, internal controls and governance frameworks.

The first version of MaRisk was published in 2005 and has since undergone several revisions. The current version MaRisk 7.0 was published in June 2023 and introduces significant changes regarding ESG risks, proportionality and outsourcing management.

The History of MaRisk

  • 2005 – MaRisk 1.0: Initial publication – consolidation of MaK, MaH and MaIR
  • 2017 – MaRisk 5.0: Comprehensive revision with focus on IT risks and outsourcing
  • 2021 – MaRisk 6.0: Implementation of EBA guidelines on loan origination and monitoring
  • 2023 – MaRisk 7.0: Current version: ESG risks, proportionality, enhanced governance

The Structure of MaRisk

MaRisk has a modular structure consisting of three main parts:

  • AT – General Part: Overarching requirements for governance, organization, risk management and internal controls – applies to all institutions.
  • BT – Special Part: Specific requirements for organization, internal audit and compliance function.
  • BTR – Special Requirements: Detailed requirements for specific risk types: credit risk, market risk, liquidity risk, operational risk.

Practical Significance

MaRisk is not just a formal set of rules – it is the audit benchmark used by BaFin. During special audits under § 44 KWG, examiners primarily assess whether an institution meets MaRisk requirements. Non-compliance results in:

  • Findings with remediation requirements and deadlines
  • Increased supervisory scrutiny and audit intensity
  • Capital add-ons in the SREP process for serious deficiencies
  • Reputational damage if issues become public
  • Personal liability of management for breaches of duty

Practical Insight: MaRisk contains both mandatory requirements ("must", "has to") and recommendations ("should", "can"). Deviations from recommendations should be documented with justification, as auditors may otherwise treat the deviation as a deficiency.

Who does MaRisk apply to?

MaRisk applies to all institutions within the meaning of § 1 para. 1b KWG as well as groups where an institution is the parent company. Specifically, this means:

1. Directly Affected Institutions

  • Credit institutions – Universal banks, private banks
  • Savings banks and Landesbanken
  • Cooperative banks (Volks- and Raiffeisenbanken)
  • Building societies
  • Securities institutions and securities trading banks
  • Financial services institutions (e.g., factoring, leasing)
  • Guarantee banks
  • Capital management companies (via KAIT)

2. Indirectly Affected Companies

  • IT service providers to banks
  • Data centers (e.g., Finanz Informatik, Fiducia GAD)
  • Cloud providers serving banking clients
  • Outsourcing service providers
  • FinTechs as cooperation partners
  • Audit and consulting firms

These companies must be able to meet MaRisk requirements, as their clients contractually require it (AT 9).

The Proportionality Principle

A central concept of MaRisk is proportionality: Requirements must be implemented in proportion to the nature, scope, complexity and risk profile of business activities. This means:

  • Size-dependent implementation: A small securities institution does not need the same complexity in risk management as a major bank. Structures must be appropriate.
  • Risk orientation: Institutions with complex business models (e.g., proprietary trading, derivatives) face higher requirements than pure retail banks.
  • Documentation requirement: Application of the proportionality principle must be documented and justified – auditors require traceability.

Special Categories in MaRisk 7.0

MaRisk 7.0 introduced, for the first time, simplified requirements for small, non-complex institutions. These LSIs (Less Significant Institutions) with low risk profiles can apply reduced requirements in certain areas, such as:

  • Risk-bearing capacity concepts (simplified approaches)
  • Stress testing (reduced scope)
  • Remuneration systems (simplified disclosure)
  • Reporting (reduced frequency)

Where does your institution stand?

Our free MaRisk Health-Check gives you an overview of your compliance status in 15 minutes and identifies the most important areas for action.


Key MaRisk Modules (AT, BT, BTR)

MaRisk is organized into logical modules that build upon each other. Three areas are particularly relevant for daily practice:

AT – General Part

The General Part contains the overarching requirements that apply to all institutions:

  • AT 1 – Preliminary Remarks: Scope and principles. Definition of proportionality and risk orientation.
  • AT 2 – Overall Responsibility: Management board responsibility. "Tone at the Top" and risk culture. Collective and individual responsibilities.
  • AT 3 – Organizational Guidelines: Written documentation of policies. Documentation of processes, responsibilities and controls.
  • AT 4 – Risk Management: Core module: Strategies, risk-bearing capacity, ICS (AT 4.3), risk controlling, compliance.
  • AT 5 – Organizational Structure: Organizational and process structure. Separation of functions between front and back office.
  • AT 6 – Documentation: Recording obligations and retention. Audit-proof documentation.
  • AT 7 – IT & Resources: IT requirements: Basis for BAIT. Personnel, technical equipment, emergency management.
  • AT 8 – Adaptation Processes: New Product Process (NPP). Material changes in business activities.
  • AT 9 – Outsourcing: Outsourcing management: Risk analysis, contracts, oversight, exit strategies.

BT – Special Part (Organization)

The Special Part regulates specific organizational requirements:

| Module | Content | Relevance |
|---|---|---|
| BTO | Special requirements for organizational and process structure | Credit business, trading business |
| BTO 1 | Credit business | Credit processes, risk classification |
| BTO 2 | Trading business | Front/back office separation, limit systems |
| BT 1 | Internal audit | Independent audit function |
| BT 2 | Compliance function | Legal compliance, MiFID II |

BTR – Special Requirements for Risk Management

BTR specifies the management of individual risk types:

  • BTR 1: Credit default risks – Credit risk, counterparty risk
  • BTR 2: Market price risks – Interest rate risk, currency risk
  • BTR 3: Liquidity risks – Funding, liquidity buffers
  • BTR 4: Operational risks – IT risks, legal risks, personnel risks

AT 4.3: The Internal Control System (ICS)

The Internal Control System (ICS) under MaRisk AT 4.3 is the heart of internal governance. It ensures that business processes operate properly, risks are managed, and regulatory violations are prevented.

The Three Lines of Defense

MaRisk AT 4.3 requires implementation of the Three Lines of Defense model:

1. First Line of Defense – Operational Units

Business units are responsible for their own risks. They perform controls, document processes and escalate anomalies.

  • Process-inherent controls
  • Four-eyes principle
  • Segregation of duties
  • Limit monitoring

2. Second Line of Defense – Risk Controlling & Compliance

Independent oversight functions not involved in operational processes. They set standards and monitor compliance.

  • Risk controlling function
  • Compliance function
  • Information security
  • Anti-money laundering officer

3. Third Line of Defense – Internal Audit

Independent audit function that audits all activities and processes of the institution in a risk-oriented manner.

  • Process and system audits
  • Follow-up of findings
  • Direct reporting line to management
  • No operational tasks

ICS Requirements

MaRisk AT 4.3 specifically requires:

  • Organizational structure and processes: Clear responsibilities, documented processes, adequate resources
  • Risk management and controlling processes: Identification, assessment, management and monitoring of all material risks
  • Internal audit: Independent audit of all activities, risk-oriented audit plan

Control Types in the ICS

| Control Type | Description | Examples |
|---|---|---|
| Preventive Controls | Prevent errors before they occur | Access permissions, limit checks, approval processes |
| Detective Controls | Detect errors that have occurred | Reconciliations, sampling, log analysis |
| Directive Controls | Set the framework | Policies, training, work instructions |
| Corrective Controls | Remedy identified errors | Incident management, defect remediation |

Audit Focus: The ICS is one of the most common audit focus areas in § 44 audits. Typical findings: incomplete control documentation, missing evidence of control effectiveness, unclear responsibilities.

For a detailed presentation of the ICS, see our ICS Pillar Page.

AT 7: IT Requirements and the Transition to BAIT

MaRisk AT 7 regulates resource requirements – particularly personnel, technical-organizational equipment and emergency management. The IT area is specified by BAIT (Bankaufsichtliche Anforderungen an die IT – Supervisory Requirements for IT).

Core Requirements of AT 7

AT 7.1 – Personnel

Qualitative and quantitative staffing appropriate to business activities.

  • Adequate personnel resources
  • Professional competence and qualifications
  • Backup arrangements
  • Training and development

AT 7.2 – Technical-organizational Equipment

IT systems must ensure integrity, availability, authenticity and confidentiality of data.

  • Appropriate IT systems
  • Information security
  • User access management
  • Change management

AT 7.3 – Emergency Management

Emergency concept for time-critical activities and processes.

  • Business impact analysis
  • Emergency plans
  • Regular testing
  • Recovery planning

The Transition to BAIT

BAIT (Bankaufsichtliche Anforderungen an die IT – Supervisory Requirements for IT) specifies AT 7.2 and was first published in 2017. The current BAIT version (2021) includes the following modules:

| BAIT Module | Content | MaRisk Reference |
|---|---|---|
| 1. IT Strategy | Strategic IT planning, IT governance | AT 4.2 (Strategies) |
| 2. IT Governance | Organizational structure, roles and responsibilities | AT 4.3.1 (Organization) |
| 3. Information Risk Management | Identification and management of IT risks | AT 4.3.2 (Risk Controlling) |
| 4. Information Security Management | ISMS, security policies, awareness | AT 7.2 |
| 5. User Access Management | Access controls, recertification | AT 7.2 |
| 6. IT Projects and Application Development | Project management, SDLC, testing | AT 7.2, AT 8.2 |
| 7. IT Operations | Change management, backup, monitoring | AT 7.2 |
| 8. Outsourcing | IT outsourcing, cloud usage | AT 9 |
| 9. Critical Infrastructures | KRITIS requirements for relevant institutions | |

From BAIT to DORA

With the entry into force of DORA (Digital Operational Resilience Act) in January 2025, many BAIT requirements are superseded by European regulations. The hierarchy is as follows:

  • DORA: EU Regulation, directly applicable, highest level
  • MaRisk AT 7: National basis, remains valid
  • BAIT: Will prospectively be adapted or merged into DORA

More on the DORA-BAIT transition can be found in our DORA Guide.

AT 9: Outsourcing

MaRisk AT 9 regulates outsourcing management – an area of growing importance given increasing cloud usage and cooperation with FinTechs. The basic principle: An institution can outsource activities, but not responsibility.

What is Outsourcing?

Outsourcing occurs when another company (the outsourcing provider) is engaged to perform activities and processes related to banking or financial services that would otherwise be performed by the institution itself.

MaRisk distinguishes:

Material Outsourcing

Affects regulatory-relevant processes whose failure would have significant impact.

  • Core banking systems
  • Payment processing
  • Securities settlement
  • Risk controlling
  • Core compliance functions

→ Notification to BaFin required

Other Outsourcing

Support processes with lower criticality.

  • Facility management
  • Standard software without banking relevance
  • Training services
  • Marketing agencies

→ Simplified requirements

The Outsourcing Process under AT 9

1. Risk Analysis Before Outsourcing

A comprehensive risk analysis must be conducted before any outsourcing. The risks of outsourcing are weighed against the risks of in-house provision.

  • Materiality assessment
  • Dependency risks
  • Concentration risks
  • Data protection and information security

2. Due Diligence of Service Provider

Careful examination of the outsourcing provider before contract conclusion.

  • Professional competence and experience
  • Financial stability
  • IT security level
  • Subcontractors and sub-outsourcing

3. Contractual Arrangements

The outsourcing contract must contain minimum content as per AT 9.

  • Clear service description (SLAs)
  • Instruction and control rights
  • Audit rights (institution, BaFin, Bundesbank)
  • Information and reporting obligations
  • Termination rights

4. Ongoing Management

Continuous monitoring of the outsourcing throughout the contract period.

  • Regular performance assessment
  • SLA monitoring
  • Risk assessment (at least annually)
  • Escalation management

5. Exit Strategy

A documented exit plan must exist for material outsourcing.

  • Repatriation scenarios
  • Alternative service providers
  • Data migration
  • Transition periods

Cloud Outsourcing

Cloud usage is generally permitted but is subject to full AT 9 requirements. Special challenges include:

  • Audit rights: Hyperscalers like AWS, Azure or GCP generally do not accept individual on-site audits – pooled audits and SOC 2 reports are alternatives
  • Data location: Sensitive data should remain in the EU/EEA (GDPR, banking secrecy)
  • Concentration risks: Dependence on a few cloud providers must be assessed
  • Sub-outsourcing: Cloud providers often use subcontractors that must be monitored

BaFin Guidance: BaFin published a "Guidance Note on Outsourcing to Cloud Providers" in 2018, providing practical advice on MaRisk-compliant cloud usage.

MaRisk vs. BAIT vs. DORA

The regulatory landscape for IT requirements in the financial sector is complex. Here is an overview of the three most important frameworks:

| Aspect | MaRisk | BAIT | DORA |
|---|---|---|---|
| Legal Character | BaFin circular (administrative regulation) | BaFin circular (administrative regulation) | EU Regulation (directly applicable) |
| Scope | German institutions | German institutions | EU-wide financial sector |
| Focus | Overall risk management | IT-specific requirements | Digital operational resilience |
| IT Depth | Basic (AT 7) | Detailed | Very detailed + testing |
| Outsourcing | AT 9 | Chapter 8 | Chapter V + Information Register |
| Testing | Emergency tests (AT 7.3) | Penetration tests recommended | TLPT mandatory (for SIs) |
| Incident Reporting | Ad-hoc reporting | | 4h/72h/1M reporting deadlines |
| Sanctions | Supervisory measures | Supervisory measures | Up to €10M / 5% revenue |

How Do the Frameworks Relate?

The frameworks form a hierarchical structure:

MaRisk – Foundation

The overarching framework for all risk management aspects. AT 7 forms the basis for IT requirements.

BAIT – IT Specification

Details the IT requirements from MaRisk AT 7. Remains as a national supplement.

DORA – EU Harmonization

Supersedes BAIT in many areas. Brings new requirements (TLPT, Information Register) and EU-wide standards.

Practical Recommendation

For institutions, we recommend an integrated compliance approach:

  1. MaRisk as foundation: MaRisk compliance remains the basis – it is verified through audits
  2. DORA as target: Use DORA implementation to comprehensively modernize IT-GRC
  3. BAIT as checklist: BAIT provides practical detail for daily IT governance
  4. Leverage synergies: Many requirements overlap – once properly implemented, you satisfy all three

Integrated Compliance Consulting

Niagon combines MaRisk, BAIT and DORA into a coherent framework. We help you avoid redundancies and leverage synergies.


MaRisk Implementation: Step by Step

A structured MaRisk implementation follows a proven approach. Whether initial implementation or optimization after an audit – these steps have proven effective in practice:

1. Conduct Gap Analysis

Systematically capture the current state and compare it with MaRisk requirements. Use our free MaRisk Health-Check as a starting point.

  • Document analysis (policies, manuals)
  • Interviews with key personnel
  • Process walkthroughs
  • Comparison with audit findings

2. Prioritization and Roadmap

Not all gaps have the same urgency. Prioritize by risk and audit relevance.

  • Critical gaps requiring immediate action
  • Medium-term improvements
  • Nice-to-have optimizations
  • Resource planning and budget

3. Establish Governance Structures

The foundation for MaRisk compliance is clear governance. Three Lines of Defense must be established.

  • Define roles and responsibilities
  • Strengthen risk controlling function
  • Establish compliance function
  • Reporting lines to management

4. Implement Processes and Controls

Develop and implement the required processes, controls and documentation.

  • Build risk-control matrix
  • Define key controls
  • Create work instructions
  • Configure IT systems

5. Complete Documentation

MaRisk requires comprehensive documentation. "Not documented = does not exist" applies in audits.

  • Update written policies
  • Finalize manuals and guidelines
  • Establish control evidence
  • Review outsourcing contracts

6. Training and Awareness

The best processes are useless if employees don't know or understand them.

  • Develop training concept
  • Target group-specific training
  • Awareness campaigns
  • Document participation

7. Continuous Improvement

MaRisk compliance is not a project but an ongoing process.

  • Regular self-assessments
  • Integration of audit findings
  • Adaptation to new MaRisk versions
  • Lessons learned from incidents

Typical Timeframe

| Starting Position | Typical Duration | External Effort |
|---|---|---|
| Individual modules (e.g., AT 9) | 3-6 months | €15,000 – €40,000 |
| Gap closure after audit | 6-12 months | €30,000 – €100,000 |
| Bank-wide implementation | 12-24 months | €80,000 – €250,000 |

Costs vary significantly depending on institution size, complexity and internal resources. A high proportion of internal implementation reduces external costs but requires corresponding capacity.

Why Niagon for Your MaRisk Compliance?

Financial Sector Specialization

MaRisk is our core competency. We exclusively advise banks and financial services institutions and know BaFin's expectations from numerous projects.

Audit Experience

Our consultants have years of experience in financial auditing and IT audit. We know what BaFin auditors look for – and prepare you for it.

Integrated Approach

We combine MaRisk, BAIT and DORA into a coherent framework. Once properly implemented, you meet all regulatory requirements.

Our MaRisk Services

  • MaRisk Health-Check: Free status assessment with our online assessment
  • Gap Analysis: Systematic analysis against all MaRisk modules
  • ICS Development: Implementation of Internal Control System per AT 4.3
  • BAIT Implementation: IT governance and IT controls
  • Outsourcing Management: AT 9 compliance and cloud governance
  • Documentation: Creation of audit-ready policies and manuals
  • Audit Preparation: Ready for the § 44 audit
  • Finding Remediation: Structured resolution of audit findings

Ready for MaRisk Compliance?

Start with our free MaRisk Health-Check and find out in 15 minutes where your institution stands.


Frequently Asked Questions about MaRisk (FAQ)

What is MaRisk?

MaRisk (Mindestanforderungen an das Risikomanagement – Minimum Requirements for Risk Management) is a BaFin circular that regulates the organizational requirements for risk management in German credit institutions. The current version MaRisk 7.0 was published in 2023 and implements EBA guidelines on internal governance and credit risk.

Who does MaRisk apply to?

MaRisk applies to all credit institutions and financial services institutions in Germany subject to the German Banking Act (KWG). This includes banks, savings banks, cooperative banks, securities institutions and building societies. IT service providers to banks are indirectly affected, as their clients contractually require MaRisk compliance.

What is the difference between MaRisk and BAIT?

MaRisk regulates the overall risk management of banks, while BAIT (Bankaufsichtliche Anforderungen an die IT – Supervisory Requirements for IT) specifies IT-specific requirements from MaRisk AT 7. BAIT details topics such as IT strategy, information risk management, user access management and IT operations.

How much does a MaRisk gap analysis cost?

A MaRisk gap analysis typically costs between €20,000 and €80,000, depending on scope (entire bank vs. individual modules), institution size and business complexity. For specific modules such as AT 9 Outsourcing, the effort is usually €15,000-30,000.

What is AT 4.3 of MaRisk?

MaRisk AT 4.3 regulates the Internal Control System (ICS). It requires appropriate organizational structure and processes, risk management and controlling processes, and internal audit. The Three Lines of Defense form the basic framework.

What IT requirements does MaRisk AT 7 set?

MaRisk AT 7 requires that IT systems and processes ensure the integrity, availability, authenticity and confidentiality of data. The specific requirements are detailed by BAIT and include IT strategy, information risk management, IT operations and emergency management.

What does AT 9 regulate regarding outsourcing?

MaRisk AT 9 regulates outsourcing management. It requires a risk analysis before outsourcing, minimum contractual content, ongoing monitoring of service providers and exit strategies. Material outsourcing must be reported to BaFin and requires special care.

What changes with MaRisk 7.0?

MaRisk 7.0 (2023) brings stricter requirements for ESG risks, proportionality for small institutions, extended requirements for management qualification and clarifications on outsourcing management. Additionally, requirements for ICS and IT governance have been modernized.

How are MaRisk, BAIT and DORA related?

MaRisk is the overarching framework for risk management. BAIT specifies IT requirements from MaRisk AT 7. DORA as an EU regulation has harmonized ICT requirements EU-wide since 2025 and goes beyond BAIT in many areas. All three frameworks must be implemented in a coordinated manner.

How does Niagon support MaRisk compliance?

Niagon offers a comprehensive MaRisk consulting approach: Free health check for status assessment, detailed gap analysis against all MaRisk modules, building and optimizing the ICS, support for outsourcing projects, BAIT implementation and preparation for BaFin audits.

Ready for MaRisk Compliance?

Start now with our free MaRisk Health-Check and find out in 15 minutes where your institution stands.