Fintechs & MaRisk

While traditional financial service providers & banks have been applying the Minimum Requirements for Risk Management (MaRisk) for many years, the efficient implementation often still poses very specific challenges for affected FinTechs.

The draft of the 7th MaRisk amendment published on September 26, 2022 confronts financial institutions with numerous new requirements for risk management and processes in the front and back office.

With the adoption of the directive as of June 29, 2023, clarifications are to be implemented directly by institutions, while amendments and adjustments have a transition period until January 1, 2024. As a result, auditors will be able to raise objections to unimplemented changes as early as the 2023 annual financial statement audits.

Depending on the business model and license, FinTechs must already comply with the MaRisk obligations in the currently valid version or will be required to do so in the future.

When is a FinTech obliged to comply with MaRisk?

  • Business model: depending on its design, authorization/licensing by BaFin may be required, and with it MaRisk compliance.
  • Thresholds: the relevant thresholds are exceeded, so the FinTech must meet the MaRisk requirements.
  • Outsourcing service provider: in the outsourcing context, the FinTech (as outsourcing partner) is obliged to comply with some parts of MaRisk.
Many services provided by FinTechs can basically be divided into banking transactions, securities services, financial services, payment services and the e-money business. Depending on the design of the business model, permission from BaFin is required prior to commencing business operations. However, the scope of application of MaRisk (Section 1 (1b) KWG and Section 53 (1) KWG) is even narrower, so that BaFin approval does not automatically result in mandatory application of MaRisk. 

However, we recommend that you take the MaRisk requirements into account when designing your processes, systems, risk management structures and outsourcing activities, irrespective of their direct application obligation. 

There are two main reasons for this:
  • FinTechs are driven by a spirit of innovation and are rapidly evolving from start-ups with as yet undefined processes, created from a technological perspective, into valuable partners for financial institutions. In this context, credit institutions place high demands on established processes and a stable environment. Already in the growth phase, efficient risk management is crucial to effectively control and minimize potential risks, depending on business size, complexity and risk assessment.
  • Established financial service providers, banks and asset managers select their service providers with great care, among other things due to AT 9 "Outsourcing" of MaRisk as well as Section 25b of the German Banking Act (KWG). Selection criteria in negotiations with the potential outsourcing partner are, for example:
    • efficiently and effectively designed business processes,
    • measurable quality criteria based on agreed service level agreements (SLAs),
    • meaningful and regular outsourcing reporting to monitor the outsourcing company, and
    • the implementation of certain contingency plans.
FinTechs as potential outsourcing partners are thus indirectly obliged to comply with parts of MaRisk. The FinTech should be an established and credible financial service provider in the market that does not pose a high reputational risk for the credit institution.
Overview by business model (columns: BaFin authorization generally required? / MaRisk to be complied with directly?):
  • Digital Banking / Neo Banks
  • Automated investment advice (Robo Advice)
  • Automatic trading
  • Automated financial portfolio management
  • Open Banking / Open Finance
  • Innovative payment methods:
    • Payment Triggering Services
    • Mobile Payments
    • Buy Now Pay Later
    • Electronic Wallets
    • Contactless payment
To be checked individually.
We are happy to advise and assist you in reviewing the (in)direct compliance obligation according to MaRisk and support you in ensuring an efficient, pragmatic implementation.

Significant changes due to the 7th MaRisk amendment

Even if you have already implemented the previous MaRisk, it is urgently necessary to implement most of the following key changes by the end of the year.

In accordance with the MaRisk principle of "double proportionality", certain discretionary leeway can be considered for your specific business model.

We have summarized the changes that are relevant for FinTechs as follows.

  • Transposition of the EBA Guideline on Lending and Monitoring (EBA/GL/2020/06) into German law
  • Qualitative and quantitative consideration of sustainability risks (ESG)
  • New requirements for model risk management; machine learning and AI are mentioned for the first time
  • Extended specifications for risk culture (monitoring of the culture in practice and improvement through measures)

Timeline:
  • 08.2021: 6th MaRisk amendment
  • 09.2022: Draft of the 7th MaRisk amendment
  • 06.2023: Adoption of the 7th MaRisk amendment
    • Clarifications must be implemented directly
    • A transition period until 01.01.2024 applies for adaptations and amendments
The EBA guidelines for lending and monitoring will be fully transposed into German law with the new MaRisk amendment and must be implemented accordingly. The focus here is the comprehensive regulation on the consideration of ESG risks in lending and the expansion of sensitivity analyses in lending. The implementation process is still ongoing even at many SSM banks, which were already required to apply the rules much earlier.
Already in 2019, the BaFin bulletin on dealing with sustainability risks set the expectations of the supervisory authority for the consideration of sustainability risks. After another three years, "ESG" has now become one of the central, mandatory requirement fields of the 7th MaRisk amendment, in particular the consideration of the impact of ESG risks on the material risk types. In addition to the qualitative effects, quantitative effects are also to be analyzed and included in the economic as well as normative internal capital adequacy assessment (ICAAP). Stress tests are also to be prepared taking ESG criteria into account.

However, the specific wording of the requirements is so vague in many places that there is considerable scope for discretion and interpretation, which can be actively used in line with the proportionality principle of MaRisk.
FinTechs have "models" in use in many business areas.

The requirements for model risk management are defined and regulated as such for the first time in the new MaRisk amendment (AT 4.3.5 Use of models). It is clarified, for example, that the choice of models is the responsibility of the company, that a regular appropriateness and suitability check of the model must be carried out, and that a procedure for checking the quality of the input data must be implemented. In addition, high importance is attached to the explainability of cause-effect relationships between input and output data, especially regarding machine learning and artificial intelligence.
There are numerous other changes and innovations in MaRisk that we would be happy to analyze for their relevance to and impact on your company.

Among others, the following topics could be relevant for your FinTech:
  • Clarification for business model analysis (integration into the regular strategy review process, planning horizon of three to five years, robustness of the business model is to be analyzed)
  • Expanded requirements for risk culture (monitoring of risk culture in practice, use of measures to improve risk culture)
  • Regulations on home office for treasurers (requirements on technology, data security and discretion must be met)
  • Extension of the requirements for the organization of real estate transactions
We would be happy to advise you on the implementation of the changes resulting from the 7th MaRisk amendment, on which changes are relevant for you and on which opportunities are available to you (Financial Services Solutions - PAS Financial Advisory).

Our support for you

Our MaRisk consulting is characterized by an efficient and audit-proof implementation considering proportionality and the specifics of your business model.

Our Financial Service Team has been supporting the efficient implementation of all MaRisk amendments for SSM banks up to startups since the first MaRisk in 2005.

Impact analysis

We conduct an impact analysis for you and help you to understand and evaluate the specific MaRisk requirements (direct, indirect and optional) for your company.


For each (new) MaRisk requirement, we identify the specific need for adaptation to your current situation and work with you on concrete implementation options to close potential gaps.

Operational implementation

We take over operational requirements from the MaRisk implementation for you and give you the flexibility to focus on the growth of your company.

Support of special audits

We conduct a quick, detailed examination of your documents and implement measures together with you so that any deficiencies can be eliminated. We prepare you for upcoming audit meetings and take over classic PMO activities.

Regulatory findings management

In close cooperation with you, we prioritize identified findings, support you in resource management and, if required, take over the implementation of concrete measures as well as the coordination with the auditor.

Internal audit support

Our service includes the support of your internal audit. We are at your disposal to take over the tasks of the internal audit and to carry out professional audits within the framework of risk management.

Training and workshops

With interactive workshops and practical training on the topics of MaRisk and risk management, we offer you the opportunity to deepen your understanding of risk and put your company on a solid base for effective risk assessment and management.
If you have any questions, please contact our specialists at any time!