MaRisk 2026 – An outlook on the reorientation
The 9th amendment to the MaRisk marks one of the most significant structural overhauls in years. It pursues two main objectives: reducing complexity and strengthening proportionality. To this end, the existing regulations are being streamlined and a more risk-based approach is being adopted, which will grant supervised institutions greater autonomy in future.
- 9th Amendment to the MaRisk: Overview and Background
- Changes in the draft of the 9th amendment to MaRisk (MaRisk 2026)
- Institutional classification and opening clauses
- Risk assessment and risk tolerance
- Stress tests
- IRRBB
- CSRBB
- Risk reporting
- Technical and organisational resources: IT / ICT
- Emergency Management
- Outsourcing
- Lending business
- Compliance and Internal Audit
- Conclusion and Need for Action
- Sources
9th Amendment to the MaRisk: Overview and Background
In its supervisory notice of 26 November 2024, the Federal Financial Supervisory Authority (BaFin) clarified its interpretation of the principle of proportionality and paved the way for a more risk-oriented supervisory approach. Supervisory action is to be aligned more closely with the principle of proportionality by explicitly identifying exemption clauses for small institutions.
In the Digital Supervisory Briefing of 5 February 2026, the planned relief for smaller institutions (LSI) through the extension of proportionality and the streamlining of supervisory processes was announced. Furthermore, BaFin is aiming for a more principles- and risk-based approach that relies less on rigid checklists than has been the case to date.
The 9th Amendment now incorporates the changes set out in the supervisory notice of 26 November 2024 into the MaRisk and refines its scope of application. In future, small and less complex institutions are to be relieved of administrative requirements in order to reduce the bureaucratic burden. At the same time, the new regulations are intended to ensure that the intensity of the supervisory review can be flexibly adapted to the respective risk profile and size of the institution.
Furthermore, the revised version reduces complexity by significantly streamlining the supervisory text: redundancies are removed, and the wording becomes less granular and more principles-based. This is intended to give small and medium-sized institutions additional leeway, but it also requires greater personal responsibility in interpreting the regulations.
In conjunction with the new approach of incorporating additional relief provisions, significant institutions (SIs) are excluded from the scope of MaRisk. SIs are in any case subject to the strict EBA guidelines, which are adopted by the ECB.
Changes in the draft of the 9th amendment to MaRisk (MaRisk 2026)
Institutional classification and opening clauses
With regard to the Less Significant Institutions (LSIs) remaining within the scope of application, BaFin now distinguishes between the following groups:
- Very small institutions: Total assets ≤ €1 billion (purely a size criterion; all MaRisk exemption clauses permitted)
- Small institutions or other SNCIs: Total assets ≤ €5 billion (more precisely: SNCI criteria in accordance with Article 4(1)(145) CRR)
- Other LSIs / non-SNCIs: For this group, it remains possible to apply those exemption clauses that are not expressly restricted to very small or small institutions (responsibility lies with senior management).
Overall, the scope of application for exemption clauses is being significantly expanded, which goes hand in hand with a paradigm shift at BaFin: small and very small institutions in particular are subject to less strict and detailed requirements, resulting in greater discretion in the interpretation of the rules. Nevertheless, the new institutional classification provides greater transparency regarding where institutions are categorised and which simplifications are available.
Risk assessment and risk tolerance (AT 2.2, AT 4.1, AT 4.2, BT)
The risk inventory is being standardised to a greater extent. In particular, from an economic perspective, the 5% threshold applies to all institutions as the upper limit for the sum of immaterial risks. Furthermore, ICT risks are considered an integral part of operational risks and are strategically relevant; an ICT strategy consistent with the business strategy is required.
With regard to validation of risk-bearing capacity, a longer cycle (two to three years) will be permitted for small and very small institutions in future.
Furthermore, these institutions can largely rely on validations carried out by central service providers. However, a representativeness analysis of the data pool for their own portfolio remains necessary. Simplifications regarding methodology and validation are being introduced for smaller institutions.
Stress tests (AT 4.3.3)
Even for small institutions, a significant reduction in the scope and complexity of stress tests is possible, in particular by omitting inverse stress tests, updating individual stress tests on a quarterly basis, and using standard scenarios provided by service providers.
Resilience analyses for environmental risks
For resilience analyses, the reference scenario assumed by the institution as the most likely outcome must be compared with at least one plausible adverse alternative scenario. Qualitative approaches may also be used for the analysis of long-term resilience.
For very small institutions, a single cross-risk stress test or one stress test per material risk category is sufficient. Furthermore, stress assessments in operational risk may be omitted if these are already covered in emergency management in accordance with AT 7.3.
IRRBB (BTR 2.3)
There is greater flexibility in the IRRBB framework.
CSRBB (BTR 5)
The definitions of credit spread risks in the investment portfolio will be updated and their scope of application revised.
Risk reporting (BT 3.1, BT 3.2)
In accordance with the supervisory circular of 26 November 2024, the reporting cycle is being made more flexible, with a stronger focus on risk-based reporting.
For small institutions / SNCI, longer reporting intervals are possible where reporting components remain stable. For risk categories where a low risk appetite is strategically established, an interim reference during the year is sufficient. Nevertheless, it is important to ensure the ability to provide ad hoc reporting at any time, particularly in the event of a crisis.
Technical and organisational resources: IT / ICT (AT 7.2, AT 4.3.1, point 2)
The provisions relating to IT authorisations, IT systems, IT risks (including the procurement of third-party software) and ICT are being removed from MaRisk, as DORA sets out detailed requirements in this regard.
Emergency Management (AT 7.3)
ICT-related emergency management is covered by DORA. A distinction is therefore made between ICT emergency management and the general emergency plan, which remains in force.
Outsourcing (AT 9, BTO 2.1)
The outsourcing officer’s responsibilities may remain within other departments, provided that control functions and operational activities are kept separate.
Smaller institutions have the option of transferring their outsourcing management entirely to a central group function. However, the institution should maintain a central register of third-party agreements (ICT / non-ICT).
Lending business (BTO 1)
The regulatory text on lending activities is being significantly streamlined, and detailed provisions are being scaled back. For example, most references to the requirements of the EBA Guidelines on Lending (including ESG) have been removed. Furthermore, the requirements for credit decisions and credit approval processes are being limited to the essential process steps.
The regulations on exposures with increased risks – intensive monitoring, problem loan processing and forbearance (BTO 1.2.4, 1.2.5 and 1.3.2) – are significantly streamlined and designed to be principles-based.
Compliance and Internal Audit (AT 4.4.2, AT 4.4.3, BT 2)
The compliance function is intended to advise senior management on compliance with key legal requirements and should therefore be structured in a risk-based manner.
The requirements for internal audit are being consolidated and streamlined. However, there is no reduction in the substance of the requirements.
Conclusion and Need for Action
With the new amendment to MaRisk, BaFin is bringing about a paradigm shift: institutions are subject to less detailed requirements, thereby opening up greater discretion in interpreting the regulations. The leaner and principle-based wording of the regulations goes hand in hand with a reduction in complexity. Furthermore, the new classification of institutions allows for the use of numerous opening clauses – specifically for small and very small institutions – meaning that the principle of proportionality is strengthened.
Nevertheless, the MaRisk amendment also presents challenges, as both decision-makers within institutions and auditors are likely to be required to make more discretionary decisions.
As the amendments are predominantly intended to ease compliance, it is expected that the MaRisk amendment will take effect immediately upon entry into force, without any transitional periods.
We recommend that all institutions supervised by BaFin address the new regulations promptly, as there is a need for adaptation and potential for simplification. By making appropriate use of the new regulations, operational flexibility can be created and costs reduced. Furthermore, in certain areas there will also be a need for adjustments involving significant effort, for example in the consistent consideration of ICT risks in operational risk management and the creation of an outsourcing register.
We would be delighted to support you in your project.


