BRUBEG: The new draft law for less bureaucracy for banks

The Banking Directive Implementation and Bureaucracy Relief Act – BRUBEG

With the passing of the Banking Directive Implementation and Bureaucracy Relief Act (BRUBEG) (read in German), German legislation is completing the necessary national implementation of the requirements of the Capital Requirements Directive (CRD VI), which was made necessary by Amendment Regulation 2024/1619. Although the implementation act is not yet in force, the proposed text of the act suggests that few changes are to be expected.

The content of the act includes

• the adoption of changes in the areas of supervisory powers, sanctions, branches from third countries,
• the inclusion of environmental, social and corporate governance risks (ESG risks) in the Banking Act, and
• the reduction of bureaucracy for credit institutions.

Based on this state of affairs, it is now up to the institutions to pick up the pace in dealing with these issues and to start the sometimes very extensive implementation measures.

The law makes ESG risks binding in the German Banking Act (KWG): What does the law require?

With the Banking Directive Implementation and Bureaucracy Relief Act, ESG risks (environmental, social, governance) are being anchored in the German Banking Act (Sections 26c and 26d KWG) for the first time. This obliges banks and savings banks to systematically record, assess and manage ESG risks (Article in German) as independent risk drivers in addition to the requirements of MaRisk.

Overall responsibility lies with the management, which must ensure that the necessary resources are provided. Many requirements that were previously regulated by MaRisk are now laid down by law and are therefore relevant for auditing purposes.

New requirements, new challenges: What does this mean for banks and savings banks?

The implementation of Sections 26c and 26d of the German Banking Act (KWG) presents institutions with further challenges.

• ESG risks in all processes: Section 26c KWG requires ESG risks to be taken into account in all phases of risk management – from identification and measurement to control and monitoring. This is already covered by the MaRisk requirements.
• Risk strategy with a focus on ESG: The risk strategy must reflect the short-, medium- and long-term effects of ESG factors and be reviewed regularly. This adds to the various deadlines for the existing MaRisk requirements.
• ESG risk plan as a requirement: Section 26d of the German Banking Act (KWG) requires the creation of an ESG risk plan with individual targets and key figures tailored to the institution’s business model and activities.
• Relief for SNCIs: Small and non-complex institutions (SNCIs) do not have to submit their ESG risk plan until January 2027 and can initially limit it to climate risks and qualitative information.

What to do now – recommendations for banks and savings banks

In order to successfully implement the new requirements from BRUBEG and KWG, banks and savings banks should take the following steps:

• Establish ESG risks as an integral part of risk management: Develop and integrate new processes for identifying, assessing and managing ESG risks.
• Develop an ESG risk plan: Define targets and key performance indicators that fit your own business model. Document the plan formally and update it regularly.
• Review your business and risk strategy: Business and risk strategies should be reviewed regularly for the impact of ESG risks and adjusted as necessary.
• Strengthen internal cooperation: Risk management, sustainability officers and senior management must work closely together to implement the requirements efficiently.
• Start early: SNCIs in particular should use the transition periods to prepare for the new obligations and gain initial experience.

Conclusion

Review previous implementations from MaRisk and EBA guidelines against the requirements of Section 26c KWG and take measures to eliminate existing gaps.

Transfer your previous and future approach to your ESG risk plan, taking into account the requirements of Section 26d KWG.

Is the business of foreign branches of third-country institutions coming to an end?

The adoption of the CRD VI Directive (EU) 2024/1619 creates a new, harmonised regime for third-country branches (TCBs) within the EU. The aim is to create uniform standards for authorisation, governance, capital adequacy, liquidity and reporting. The corresponding ITS Regulation will enter into force on 28 December 2026, and all underlying requirements will apply in full from 11 January 2027.

For banks, this means that every branch of an institution based outside the EU will in future have to provide detailed data – both at branch and group level. This will involve a authorisation procedure by the supervisory authority, which the institutions will have to go through. This applies both to institutions that are already active and to institutions that wish to take up core banking business in one of the Member States.

The exact requirements of the authorisation procedure and the associated process are currently under consultation. In certain cases, the supervisory authority may also require the establishment of a subsidiary in the EU.

The challenge lies in the complexity and granularity of the new reporting requirements. The EBA drafts for the Implementing Technical Standards (ITS) provide for extensive templates, which are structured in two annexes:

• Annex I: TCB-specific data (assets, liabilities, liquidity, internal transactions, capital endowment, DGS information)
• Annex II: Head undertaking data (aggregated EU activities, Basel III ratios, recovery plans, reverse solicitation services)

The frequencies vary depending on the risk class:

• Class 1 TCBs (higher risk): monthly, quarterly and half-yearly
• Class 2 TCBs: half-yearly or annually

In addition, banks must check whether they can use equivalence relief – this depends on the supervision and standards of the country of origin. Without early preparation, there is a risk of operational bottlenecks, increased compliance costs and data quality risks.

The solution: proactive implementation and digital transformation of reporting processes

Institutions should:

• Conduct a relevance check: Do the new requirements have an impact on their corporate structure? Does the approval process have to be completed?
• Start a gap analysis: Which data points are missing? Which systems need to be adapted?
• Push for automation: Manual processes are not viable for monthly LCR reports and granular exposure analyses.
• Use technology: Implement a reporting solution that meets these requirements. Our BAIS software will meet the requirements of the supervisory authority and thus the reporting capabilities of institutions.
• Start implementation early: The first full ITS reporting period begins as early as 2027. Acting in good time ensures compliance and reduces costs. However, before reporting, organisational measures must first be taken and the approval process must be completed.