On 6 August 2025, the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, "BaFin") published its draft circular "Minimum Requirements for Risk Management by Investment Firms" (Mindestanforderungen an das Risikomanagement von Wertpapierinstituten, "WpI-MaRisk") for public consultation.
The WpI-MaRisk provide a central regulatory framework for the risk management by investment firms in Germany. They specify the statutory requirements of the German Securities Institutions Act (Wertpapierinstitutsgesetz, "WpIG") in the area of risk management (see in particular sections 40 and 41 WpIG) and serve to ensure the appropriate and effective management of all material risks. The WpI-MaRisk are structured and designed to achieve objectives that correspond with the goals of the existing "Minimum Requirements for Risk Management" (Mindestanforderungen an das Risikomanagement, "MaRisk")[1] applicable to credit institutions and financial services institutions, but take into account the specific business models, risk profiles and size of investment firms. While the MaRisk cover a broad scope of application including credit and financial services institutions, the WpI-MaRisk are specifically tailored to the special characteristics and regulatory requirements of investment firms.
The WpI-MaRisk take into account the lower complexity and reduced risk profile of many investment firms. In this respect, numerous requirements are designed proportionately and provide for regulatory ease for smaller investment firms.
A. Scope
The WpI-MaRisk apply to all investment firms within the meaning of section 2 para. 1 WpIG that are not classified as "large investment firms" within the meaning of section 2 para. 18 WpIG. Hence, they address "small" and "medium-sized" investment firms within the meaning of section 2 paras. 16 and 17 WpIG.[2]
In the absence of a specific framework for investment firms, the MaRisk have been applied mutatis mutandis to small and medium-sized investment firms. With the introduction of the WpI-MaRisk, small and medium-sized investment firms will now be subject to separate risk management requirements.
For "large" investment firms, on the other hand, the German Banking Act (Kreditwesengesetz, "KWG") remains applicable to a large extent, including section 25a KWG with regard to the requirements of a proper business organisation (cf. section 4 WpIG), so that the MaRisk continue to apply to them.
B. Substantive minimum requirements for the risk management of investment firms
I. General requirements for risk management
The WpI-MaRisk require investment firms to establish an appropriate and effective risk management system that covers all material risks. These include, in particular, risks to customers, the market, the investment firm itself and liquidity risks. Operational and ESG risks also need to be included in this respect.
The requirements for risk inventory are tailored to small and medium-sized investment firms in accordance with WpI-MaRisk and, taking into account the principles of proportionality for small investment firms, are only applicable to the extent necessary in light of the investment firm’s own business model. Compared to MaRisk, the risk management requirements under WpI-MaRisk are therefore less detailed and provide investment firms with more flexibility in the design of their risk management systems. Further, MaRisk also contain extensive requirements on risk categories, stress tests (in particular including the consideration of ESG risks and the performance of so-called "inverse stress tests") and risk concentrations. Requirements on risk-bearing capacities and stress tests are only required for medium-sized investment firms.
The WpI-MaRisk also take a more proportionate approach with regard to special functions (risk management/risk control function, compliance function, internal audit). In small investment firms, for example, the risk management function or compliance officer position can be assumed by a management board member (Geschäftsleiter), whereas MaRisk requires a stricter organisational separation and, as a general rule, the appointment of a designated person below management level (only in exceptional cases, the position of compliance officer can be taken over by a management board member). For reasons of proportionality, the internal audit function may also be performed by a member of the management in small and medium-sized investment firms.
Internal audit is required to be involved under WpI-MaRisk (i) in case of material instructions and decisions by the management board which need to be communicated to internal audit, (ii) in case of material changes in the risk management about which the internal audit function must be informed in due course, and (iii) in case of changes to operational processes or structures (AT 8.2 WpI-MaRisk). "Very small" investment firms (i.e. investment firms with no more than ten employees) are not required to set up an internal audit function. In this respect, the WpI-MaRisk offer greater flexibility and ease for smaller investment firms.
II. Organisational guidelines
The WpI-MaRisk require investment firms to implement clear and comprehensible organisational guidelines. These include, in particular, regulations on the structural and procedural organisation, the allocation of tasks and responsibilities, and ensuring the independence of the control functions. In this respect, the WpI-MaRisk are largely congruent with the MaRisk – however, the WpI-MaRisk do not explicitly require regulations for the consideration of ESG risks.
III. Outsourcing
The contractual arrangements under MaRisk and WpI-MaRisk that institutions must observe for material outsourcings are essentially identical. However, the WpI-MaRisk also expressly require provisions for the proper monitoring of outsourced tasks and for the management of the risks associated with outsourcings (AT 9 no. 7 lit. o WpI-MaRisk). Although investment firms need to conduct such monitoring and control also under MaRisk (AT 9 no. 9 MaRisk), the WpI-MaRisk require corresponding provisions in the outsourcing agreements.
In addition, when outsourcing to a cloud provider, the WpI-MaRisk require provisions on the cloud service model and delivery model as well as the locations of data storage (AT 9 no. 7 lit. p WpI-MaRisk).
With regard to the position of the outsourcing officer, the WpI-MaRisk impose less stringent requirements than the MaRisk. According to AT 9 no. 12 MaRisk, the central outsourcing officer must generally be part of an organisational unit that reports directly to the management board; if he or she is allocated in another unit, a direct reporting line to the management board is required. These requirements are not reflected in the WpI-MaRisk, which instead specify that investment firms may assign the function of the central outsourcing officer to a member of the management board if this is appropriate due to the size, nature, scope, complexity or risk profile of the business activities.
IV. Specific requirements for internal control mechanisms
The specific requirements of the WpI-MaRisk are tailored to the specific business models and risk profiles of small and medium-sized investment firms.
The special section (Besonderer Teil) of the WpI-MaRisk is divided into modules on special requirements for internal control mechanisms (BTO) – in this regard, requirements for the organisation of trading activities (with a focus on the separation of functions, settlement, control and risk management) and the involvement of tied agents – as well as requirements for risk management processes (BTR) for various types of risk (risks for customers, the market, the investment firm, other risks, liquidity risks, risk of disorderly settlement). Requirements for risk reporting are also envisaged.
- Special requirements for internal control mechanisms (BTO)
The specific requirements for the design of internal control mechanisms focus on the structural and procedural organisation, particularly in trading. A clear organisational separation of the trading activities from the functions of risk management, settlement and control is required up to management board level (BTO 1.1 no. 1 WpI-MaRisk). Such separation may be waived for non-risk-relevant trading activities, i.e. transactions in financial instruments (i) that are primarily transactions pursuant to section 15 para. 3 WpIG for the trading book, (ii) that are small in terms of transaction volume and (iii) where the structure of the trading activities is simple and the complexity, volatility and risk content of the positions are low (BTO 1.1 no. 2 WpI-MaRisk). Accounting and the review of material legal risks (usually as part of the legal department) must also be independent of trading (BTO 1.1 nos. 3 and 4 WpI-MaRisk).
- Requirements for the organisation of trading activities
In trading, the agreement of the terms and conditions in full, the use of standardised wording for contractual arrangements and the documentation of all transactions are mandatory (BTO 1.2.1 no. 1 WpI-MaRisk). Trading activities on non-market terms are generally not permitted; in this respect, exceptions are strictly limited (in particular, exclusively at the customer’s request) and must be documented (BTO 1.2.1 no. 2 WpI-MaRisk). The settlement of transactions, including confirmation procedures, is subject to ongoing monitoring (in particular with regard to market conformity) and regular reconciliation of positions (BTO 1.2.2 nos. 4, 5 and 7 WpI-MaRisk). Discrepancies and anomalies must be clarified by a unit which is independent of trading (BTO 1.2.2 no. 6 WpI-MaRisk).
- Involvement of tied agents
The activities of tied agents are considered as outsourcings (BTO 2 no. 2 WpI-MaRisk). The investment firm must ensure the professional competence (fachliche Eignung) and reliability (Zuverlässigkeit) of tied agents, systematically monitor their activities and control their compliance with legal requirements (BTO 2 nos. 2 and 4 WpI-MaRisk). Intermediaries must be integrated into the investment firm’s sales organisation and their status must be notified to BaFin (BTO 3 no. 1 WpI-MaRisk).
- Requirements for risk management processes
The WpI-MaRisk require appropriate processes for identifying, assessing, managing and monitoring material risks. A distinction is made between risks for customers, the market, the investment firm itself, other risks, liquidity risks and the risk of disorderly settlement (BTR WpI-MaRisk). Operational risks must also be taken into account in each case. For material risks, appropriate mitigation measures such as limits/traffic light systems or qualitative instruments must be provided. The processes need to ensure that risks – including those arising from outsourced activities – are identified at an early stage and presented appropriately. The adequacy of the processes and methods is to be reviewed regularly and adjusted as necessary.
- Risk reporting
The management board of small and medium-sized investment firms is required to be informed regularly and on an ad hoc basis about the risk profile. Reports must be complete, up-to-date and meaningful, include stress test results and risk concentrations, and provide a forward-looking assessment. The investment firm needs to be in a position to prepare ad hoc reports if necessary.
C. Conclusion
The WpI-MaRisk provide for an independent framework for risk management tailored to the specific characteristics of small and medium-sized investment firms. Their general structure is based on the MaRisk, but they are less detailed. The requirements are designed to take into account the different business models, sizes and risk profiles of investment firms. Compared to the MaRisk, the WpI-MaRisk offer smaller investment firms in particular greater flexibility in implementing the regulatory requirements without neglecting the fundamental principles of effective risk management.
Against the background of the draft WpI-MaRisk currently under public consultation, small and medium-sized investment firms may already be advised to review their organisational guidelines to determine whether and to what extent the expected simplifications and flexibility in the area of risk management can be implemented for their respective risk management systems.
Comments on the draft WpI-MaRisk can be submitted until 19 September 2025.
[1] BaFin Circular 06/2024 (BA).
[2] An investment firm is classified as "small" within the meaning of section 2 para. 16 WpIG if it meets the conditions of Art. 12 para. 1 of Regulation (EU) 2019/2033, i.e. if, among other conditions, the value of assets under management ("AUM") is less than EUR 1.2 billion and the value of client orders handled ("COH") is less than EUR 100 million per day for cash transactions or EUR 1 billion per day for derivatives. An investment firm is classified as a "medium-sized" investment firm within the meaning of section 2 para. 17 WpIG if it does not meet the conditions of Art. 12 para. 1 of Regulation (EU) 2019/2033.