Proper business organisation for ZAG institutions

BaFin's requirements for proper business organisation in accordance with Section 25a (1) KWG, which are relevant for credit and financial services institutions, have now been specified in the 7th amendment to the Minimum Requirements for Risk Management (MaRisk) of 29 June 2023. BaFin has now published the Minimum Requirements for Risk Management of Payment and Electronic Money Institutions (ZAG-MaRisk) in Circular 01/2024 (BA) on 27 May 2024. BaFin expects the requirements to be implemented by 1 January 2025.

With the final version of the circular, the supervisory authority has finally clarified its understanding of proper business organisation in accordance with Section 27 (1) ZAG. The ZAG MaRisk addresses

• Domestic payment and e-money institutions,
• domestic branches of companies based outside the European Union or the European Economic Area and
• branches of German institutions abroad that provide payment services or e-money transactions for their customers.

Although the circular provides this group of addressees with a flexible and practical framework for how they must structure their proper business organisation, it also formulates very extensive requirements within this framework, on the basis of which those affected must critically review their existing procedures. In addition, the circular specifies requirements for the secure receipt of funds (Sections 17 and 18 ZAG) and outsourcing (Section 26 ZAG). Compared to the draft of 27 September 2023, the final version contains only minor changes that either emphasise the objective of a regulation more strongly or accommodate the interests of ZAG institutions with less complex business models.

The structure of the ZAG MaRisk is strikingly modelled on the MaRisk for credit and financial services institutions. The requirements for the overall responsibility of the management, the organisational guidelines and documentation as well as the adjustment processes and outsourcing management of ZAG institutions largely correspond to the banking standard from MaRisk. This significantly raises the bar compared to before. The more extensive analogy of the defined requirements for the consideration of ESG criteria from the 7th MaRisk amendment for banks should be emphasised separately. Payment and e-money institutions should critically review their written organisation and established processes against the background of the market standard for banks, which is already used in regulatory auditing practice.

An important component of the ZAG MaRisk is the chapter on "Shielding risks". Based on their overall risk profile, ZAG institutions must ensure in future that the material risks are sufficiently shielded by the risk coverage potential, taking risk concentrations into account. A risk-bearing capacity calculation is mandatory for ZAG institutions. Like the requirements for the shielding of risks, the general sections on stress tests and strategies for ZAG institutions are somewhat less detailed than the requirements of MaRisk for credit institutions and financial service providers. It is to be expected that a specific market standard for ZAG institutions will emerge for these aspects.

In addition, the ZAG-MaRisk also takes into account the specific characteristics of the business activities of payment and e-money institutions. The organisational requirements for the provision of payment services and the operation of e-money transactions, the processes and procedures for hedging requirements and the hedging of liability cases are taken into account in the special section of the ZAG-MaRisk. The ZAG-MaRisk also requires the management to define a sustainable investment strategy and investment policy. The supervisory authority also specifies its expectations regarding processes and procedures for fraud prevention, monitoring and processing as well as follow-up measures in the event of security incidents and security-related customer complaints. If ZAG institutions work with agents, the organisational requirements for the use of agents must also be taken into account.

The requirements for data management and data quality, the aggregation of risks and the use of models are not taken into account in the ZAG MaRisk. The requirements for risk management at Group level are also not included in the ZAG MaRisk.

Similar to the MaRisk for credit institutions and financial services institutions, the ZAG-MaRisk provides for the fundamental principle of double proportionality. The integration of opening clauses enables a simplified implementation of the requirements, depending on the complexity of the business activities and specific risk situation.

In this way, the ZAG-MaRisk ensures that payment and e-money institutions can implement the requirements in a customised manner while at the same time complying with the regulatory requirements. However, experience has shown that the exercise of discretionary powers must be justified to the supervisory authority on the basis of the institution's own business and risk profile.

As expected, the circular contains both clarifications of existing administrative practice and innovations. If they have not already done so, ZAG institutions should plan their implementation promptly and have implemented the requirements by the end of 2024.

The first step is to participate in the consultation process and discuss critical points with BaFin.

The second step is to plan the implementation for each individual institution. The starting point for this should be a gap analysis. The deviations of the status quo from the requirements of the ZAG-MaRisk as well as the individual effects should be analysed. Fields of action should be derived and prioritised based on the results of the gap analysis.

The development of measures and the design of an implementation plan then enable the management of the institution-specific activities. The implementation of the measures should be documented accordingly.

We support you and your institution in the customised implementation of the new regulatory requirements. This begins with understanding the individual requirements for your institution. We contribute our expertise from credit institutions and financial services institutions as well as ZAG-specific market standards.

We support you in the deviation analysis to be carried out as well as in the joint implementation of the resulting measures to fulfil the relevant requirements. In doing so, we always take into account the principle of double proportionality and the specific circumstances of your institution.