Four days before this article, on 25 June 2026, Germany's Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin) published the final 9th amendment to the Minimum Requirements for Risk Management (MaRisk). The circular shrinks from around 122 to roughly 80 pages, introduces three size classes for the first time, and removes the banks supervised directly by the European Central Bank (ECB) from the German scope entirely. There is no transition period; the requirements apply with immediate effect. For around 950 institutions, about three quarters of all German credit institutions, the reform brings tangible relief.
BaFin Executive Director Nikolas Speer had set the tone as early as 23 June, speaking at the Börsen-Zeitung banking conference. The title of his speech was "More responsibility, fewer rules. Where is banking supervision heading?". It is a catchy formula, and it describes the direction correctly. What it conceals is that, in several places, the 9th amendment demands not less but more. Reading the reform purely as relief leads to flawed planning.
What: Final 9th MaRisk amendment, principle-based and structurally reordered
Who: BaFin ∙ around 950 less significant institutions (LSI) benefit
When: Published 25 June 2026, in force immediately, no transition period
Scope: From around 122 to roughly 80 pages, about a third shorter
The catch: New requirements on AI models (AT 4.3.4) and climate scenarios despite the cut
Three size classes: the structural reordering
The genuine break with the previous logic is not the page count but the introduction of proportionality as an organising principle. MaRisk now distinguishes between three classes. Very small institutions with a balance-sheet total of up to one billion euros receive the most far-reaching relief. The small and non-complex institutions, in supervisory parlance Small and Non-Complex Institutions (SNCI), form the middle class. BaFin takes their definition from Article 4(1)(145) of the Capital Requirements Regulation (CRR), which in practice means a balance-sheet total of up to around five billion euros plus further criteria. The remaining less significant institutions (LSI) make up the third group.
What matters is what happens at the top end. The Significant Institutions (SI) supervised directly by the ECB fall out of the scope of MaRisk entirely. The rationale is clean: the ECB applies the guidelines of the European Banking Authority (EBA) to these houses directly in any case. A parallel national MaRisk obligation would be double regulation. This removal is new; it was not yet part of the 8th amendment of May 2024.
Kelp is right, and the sentence is more than self-promotion. With the class logic, BaFin couples MaRisk explicitly to the proportionality framework of the CRR for the first time, whose third version (CRR3) has applied since January 2025. Conceptually, this is a departure from the previous practice in which every institution read the same text and had to argue proportionality individually.
The relief in numbers
The most striking example of the reform is the stress tests. In public perception, their number falls from up to 40 to 5. This reduction is memorable, but it warrants context. The figure of 40 comes from the EBA guidelines, which prescribe various sensitivity analyses and stress tests as a minimum scope. For small institutions, BaFin had already set out in a supervisory communication of 26 November 2024 that six to seven stress tests suffice. The 9th amendment codifies this administrative practice; it does not invent it.
EBA minimum scope: at least 40 sensitivity analyses and stress tests
Small institutions (SNCI): 6 to 7 stress tests, already since the supervisory communication of November 2024
Very small institutions: one cross-risk-type stress test plus one per material risk type, typically around 5
Reading: The reduction is real, but "5 instead of 40" is a headline. What counts is the institution's structure, not a fixed number.
It is much the same with the page count. Speer framed the cut on 1 April 2026, at the start of the consultation, as follows: "We have fundamentally revised MaRisk. The circular is now even more principle-based, and we have significantly reduced the complexity." The arithmetic fits: 122 pages minus a third gives around 80. The point is that the page count alone says little about the actual burden on an individual bank. Three of the four sources of the cut are not deregulation.
The second look: where "fewer rules" deceives
The cut draws on four sources whose effects differ markedly. First, the SIs drop out of the text, which shortens it but eases nothing for the remaining institutions. Second, the module on information and communication technology (AT 7.2) is largely deleted, because these risks now fall primarily under the Digital Operational Resilience Act (DORA). The obligation moves; it does not disappear. Third, genuine duplications and formatting text were consolidated, which is the one uncontested efficiency gain. Fourth, the stronger principle orientation raises the burden of justification: where a checklist was worked through before, institutions must in future derive and document their own solutions. That can be more demanding, not easier.
On top of this come requirements that have newly entered the text despite the cut. The new module AT 4.3.4 demands, for the first time, governance for models and Artificial Intelligence. Where institutions deploy AI in credit-risk, stress-test or valuation models, MaRisk will in future require validation, explainability and a clear assignment of responsibility. For houses that have so far used AI without a formalised framework, this is a genuine new obligation.
BaFin has also tightened the scenario analysis for Environmental, Social and Governance (ESG) risks. In harmonisation with the EBA guidelines EBA/GL/2025/04, institutions must in future analyse climate risks over a horizon of at least ten years, with combined methods and scientifically grounded scenarios. Historical data alone no longer suffice. This is demanding and ties up resources that the deleted stress tests do not free up one for one.
The industry response
The consultation ran from 1 April to 8 May 2026, a comparatively short window of five weeks, in which 35 comments were submitted. In its statement of 8 May, the German Banking Industry Committee (Deutsche Kreditwirtschaft, DK) welcomed the fundamental reorientation towards proportionality and a principle-based approach. In the same breath, however, it cautioned that the intended relief must also become tangible in practice and that a number of aspects still required adjustment. Specifically, the associations criticised that individual new requirements, above all the AI module and the ESG scenarios, claw back the proclaimed simplification elsewhere.
The cooperative and public-sector institutions, which make up the bulk of the very small and small houses, benefit most. For the large, ECB-supervised banks, little changes at first glance, because they are subject to the EBA guidelines directly in any case. On closer inspection, however, they lose a familiar national reference framework with MaRisk, which tends to complicate internal governance documentation during the transition.
Recommended actions for German institutions
The 9th amendment applies with immediate effect, without a grace period. The reform rewards houses that determine their size class cleanly and address the new obligations early, rather than being lulled into a false sense of security by the relief rhetoric. Five fields of action stand out.
Immediately: Every institution should derive and substantiate its classification as a very small institution, SNCI, remaining LSI or SI. The SNCI threshold follows the CRR definition, not a pure balance-sheet limit. A wrong self-classification leads either to unnecessary effort or to relief that does not hold up under examination.
Near term: Anyone deploying AI in credit-risk, stress-test or valuation models will in future need documented validation, explainability and clear responsibilities. Institutions should inventory their model estate and assess which procedures fall under the new module obligation before the next examination raises the question.
2026 to 2027: Harmonisation with EBA/GL/2025/04 requires climate scenarios over a horizon of at least ten years with scientifically grounded assumptions. Institutions should review their data basis and methodology, since purely historical approaches no longer suffice. This is where the largest new resource requirement of the amendment arises.
Near term: With the relocation of AT 7.2, ICT steering shifts into the DORA framework. Institutions that use proportionality exemptions under DORA should check whether a regulatory gap arises between the leaner MaRisk and their DORA implementation, and formulate the required ICT strategy as a connecting element.
Ongoing: The stronger principle orientation shifts the burden of proof to the institution. Instead of ready-made answers, a comprehensible derivation of one's own is now required. Risk functions should build up their capacity to justify and document, because in case of doubt the supervisor assesses the quality of the reasoning, not the ticking-off of a list.
Christian Schablitzki
Strategy & Management Consultant · Agentic AI expert for financial institutions
More than 20 years in investment banking and derivatives trading, followed by over 10 years advising financial institutions. Currently a Partner at Infosys Consulting in Germany. Certified in Google AI, Generative AI Leader (Google Cloud) and IBM RAG and Agentic AI.
LinkedIn profile →Keep reading – every 14 days in your inbox.
Capital-markets insights, regulatory updates and AI trends. Concise, well-founded, free.
GDPR-compliant. Unsubscribe at any time.