On 22 January 2009, the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin), the German regulator, published a long-awaited circular detailing the minimal requirements of risk management for insurers and reinsurers in Germany. The circular outlines those rules under the EU Financial Conglomerates Directive (2002/87/EC) that have been implemented, and goes some way towards anticipating the risk-based governance regime of Solvency II. The circular, Aufsichtsrechtliche Mindestanforderung an das Risikomanagement (MaRisk VA), lists principles-based minimal requirements and provides BaFin's interpretations of these principles.
In future, reinsurers and direct insurers, pension funds, insurance holding companies and mixed financial holding companies with a focus on insurance will need to comply with the requirements for the proper organisation of their business and for adequate risk management. Just like the circular for banks (MaRisk BA), which has been in place for several years already, MaRisk VA outlines the main components of adequate risk management, including:
- organisation and processes;
- capital markets;
- insurance and reinsurance products;
- internal governance and control systems;
- methods of bearing risk;
- analysis, evaluation, identification of risks and risk reporting;
- internal audits;
- outsourcing of core functions and services; and
- emergency planning.
Anticipating the principles of Solvency II, the circular provides guidelines on risk management systems as a whole. However, the qualification, quantification and administration of risks are left to the relevant insurer to determine. BaFin will review the adequacy of the risk management system and the structure of risk control measures, but there are no specific limits, thresholds or caps.
It is not only the risk manager on an executive board who is liable for compliance with MaRisk VA, but all board members. Their duty is to define, identify, qualify and quantify risks and handle them within their own risk management systems. BaFin has made it clear that such a system need only be adequate for the respective insurer or insurance group. Requirements for smaller entities with smaller risks should be decreased accordingly.