
Fit and Proper as an Executive Manager: What KWG, BaFin and MaRisk require – and what actually counts in practice

Becoming a member of the board requires more than just leadership experience. Find out what technical requirements the KWG and MaRisk stipulate – and what else really matters in practice.

The progression from executive to board member requires a fundamental shift in perspective. Whilst executives, as operational problem-solvers, must be highly content-focused and socially competent, a board member is expected to possess the skills of a strategic corporate leader.

In addition to a brief overview of the formal regulatory requirements, this blog post focuses on professional competence in practice. Specifically: what are the business, risk management and regulatory basics that an executive must be equipped with in relation to their prospective role on the board? Therefore, this article is addressed to executives whose strategic goal is to join the management board of a financial institution.

The associated change of role and the resulting requirements for management and leadership – i.e. the soft skills – will be covered in a separate article.

Formal requirements

Section 25c(1) KWG (German Banking Act) sets out the regulatory requirements for executive managers:

"The directors of an institution must be professionally qualified and reliable for the management of an institution and must devote sufficient time to the execution of their duties. The professional qualification requires that the management directors possess a sufficient degree of theoretical and practical knowledge of the relevant business areas, as well as management experience […]"

Section 25c(1) KWG

This means: Professional suitability = Theoretical knowledge + Practical knowledge + Management experience

Since November 2025, these initially undefined KWG requirements have been specified in Circular 11/2025 on Members of Management Bodies and Supervisory Bodies pursuant to KWG [1]. This so-called ‘Fit & Proper Guidance’ of BaFin (German Federal Financial Supervisory Authority) specifies the assessment criteria for ‘Professional suitability’ (para. 94 ff.) across:

  1. Presumption of compliance (para. 96 ff.)
  2. Theoretical knowledge (para. 100 ff.)
  3. Practical knowledge (para. 101)
  4. Management experience (para. 102)

[1] Previously, the requirements for senior managers on the one hand and members of supervisory bodies on the other were governed by separate guidance notes.

In addition to these requirements – each addressed individually to the respective executive director – lit. e Professional suitability in its entirety (para. 103, 104) explicitly sets out requirements for the management board as a collective body, i.e. the collegial body ‘management board’, thereby reflecting the requirements of Section 25c(1a) KWG.

This means that a supervisory assessment of the prospective executive’s profile is always carried out in the context of the individual job profile, and that professional specialisation is therefore also permissible.

However, the management board must in its composition ensure that it collectively “possesses an adequate balance of knowledge, skills and experience appropriate to the business model, risk appetite, strategy and markets in which the institution operates” (cf. para. 104).

Professional competence in practice

Which skills are actually required in order to take on overall responsibility for the management of a credit institution? What are the key factors for being ‘fit and proper’ for a role on the board?

Focus: Business Policy

a) Understanding the business model

This means identifying and understanding the institution’s value drivers – in other words, having a clear picture of the sources of its success. In the big picture, this means knowing, on the one hand, what is earned from customer business (risk-neutral interest income, interest expense, and commissions) and, on the other hand, the return on the risk capital allocated, in the sense of a return in excess of the risk capital employed. The core task of credit institutions is the transformation function and thus the assumption of the risks associated with customer business (in particular from credit transformation, maturity transformation and liquidity transformation) in return for adequate risk premiums. Here, a glance at the recent past alone – from a long-standing environment of negative interest rates, through a rise in interest rates in 2022 that was unique in its magnitude, to the subsequent consolidation – shows that the earnings model of most credit institutions has since undergone an almost complete transformation. This leads on to the next aspect:

b) Recognising and assessing influencing factors

In the aforementioned example, the influencing factors of ‘interest rate levels’ and ‘yield curve’ have turned the financial institutions’ revenue model on its head over the past four years: money can once again be made from customer deposits; however, maturity transformation still fails to deliver a positive contribution to earnings. Managers therefore have a responsibility to identify cause-and-effect relationships and derive appropriate assumptions for strategic planning. This applies to external factors (customer behaviour and expectations, markets, geopolitical developments, etc.) as well as internal factors (AI and its potential applications, resources, capitalisation, etc.). Given the increasingly volatile operating environment, it is more important than ever to consider potential development scenarios with realistic probabilities of occurrence rather than committing to ‘the one’ planned scenario.

c) Developing business strategy

Section AT 4.2 MaRisk (Minimum Requirements for Risk Management) requires: “The management board must establish a viable business strategy in which the institution’s objectives for its key business activities and the measures to achieve these objectives are set out.” Three things are clear here:

    • Strategic work is not delegable!
    • Business activities = distinguishable, plannable or targetable earnings contributions
    • Viable = economically sustainable success (return on equity > cost of equity)

Focus: Risk Management

In this regard, the management’s responsibility lies in “establishing a risk strategy that is consistent with the business strategy and the resulting risks” (see AT 4.2, para. 2, MaRisk). In a nutshell, therefore, it is a matter for senior management to identify the risks associated with the implementation of the business strategy and to make a conscious decision as a collegial body as to the extent to which they are prepared to take on these risks (= risk appetite). Specifically, this requires:

a) “Being able to identify and delineate risks”

    • Assessment of the risk inventory (process) and risk profile (outcome)
    • Recognition of cause-and-effect relationships (‘risk = risk factor × exposure’)
    • Consideration of ESG risks as risk drivers acting on the risk factors
    • Assessment of the appropriateness of materiality thresholds with regard to the periodic and economic perspective of risk-bearing capacity

Regardless of the operational role of the risk controlling function, it is the management board’s responsibility to set the strategic framework for this.

b) “Assessing risk capital allocation”

This means understanding:

    • which risk capital is allocated to which risk class
    • what return/performance expectation is set against this.

Taking on risks is therefore not an end in itself, but should always follow a risk/return calculus (e.g. RORAC (Return on Risk-Adjusted Capital)).

c) “Understanding risk-bearing capacity”

Risk-bearing capacity is more than the static comparison of risks and risk coverage masses. As a key element of a risk appetite framework, it represents the management board’s conscious decision on the allocation of risk capital and the willingness to accept risks. This requires not only the ability to assess cause-and-effect relationships from both a normative and an economic perspective. It also specifically concerns the interactions and interdependencies between the two perspectives.

d) Stress testing = thinking in scenarios

Section AT 4.3.3 MaRisk describes stress tests as an umbrella term for various methods by which institutions review their individual risk exposure with regard to exceptional but plausibly possible events. For the management board, this means developing an understanding of which possible events – related to the individual business model – may represent risk exposure. Building on this, the board must make an assessment and, where necessary, initiate measures. Scenarios provided by associations or central service providers can serve as a starting point, but responsibility for their institution-specific appropriateness cannot be delegated – it remains with the board.

Focus: Regulatory Framework

Why is it essential for (prospective) senior managers to understand the regulatory framework? As financial intermediaries, credit institutions are of fundamental importance to financial stability. They are therefore subject to a particularly high level of regulatory oversight. Through the Basel Framework as a driver and the European legislator on the one hand, and the Single Supervisory Mechanism (SSM) of the Eurozone on the other, banking supervision extends far beyond the national supervisory framework (KWG, circulars).

The regulatory framework therefore represents a further external influencing factor – an important constraint that must not only be known, but in particular understood. In other words: it is about senior managers understanding ‘how a supervisor thinks’. From this develops the ability to engage in dialogue at eye level – whether in institution-specific supervisory discussions, regulatory reviews and so on – or in advocacy through exchange formats offered by BaFin and the Bundesbank (e.g. ‘bank evenings’).

Particularly in the context of current regulatory developments and discussions, the issue of ‘proportionality’ is increasingly coming to the fore. For senior managers, it is therefore more important than ever to review their own risk management for proportionality leeway and to take advantage of reliefs. This in turn requires taking responsibility and being able to explain for oneself why the institution has implemented which requirements, how, and to what extent.

It is undisputed that requirement profiles for board appointments must always be assessed:

  • institution-specifically (business model, size of the institution) and
  • role-specifically (commercial/trading board member, back-office/supervisory board member, size and composition of the collective body)

and require operational skills and experience not addressed in this article. Accordingly, the competencies outlined here should be understood as basics for being able to participate and make decisions in the collective body of the management board – regardless of the specific role.

Conclusion: Professional competence is necessary – but not sufficient

The regulatory requirements for senior managers are clearly defined: Section 25c KWG and BaFin Circular 11/2025 set the formal framework. What they cannot provide is an answer to the decisive practical question: which executive is actually capable of becoming effective within the management board?

The three areas of competence – business policy, risk management and regulatory framework – form the professional foundation for this. They are not optional extras, but prerequisites for the ability to engage in discussion and make decisions in the boardroom. Those who do not master these basics will become a bottleneck within the collective body – regardless of how precisely the individual role profile is tailored.

The real challenge, however, begins where professional competence alone is no longer sufficient: in dealing with complexity, contradictions and power. How executives navigate this transition is the subject of the follow-up article on management and leadership.