upe über digitalem Prüfprotokoll auf Laptop – Symbolbild für KAMaRisk Konsultation, Risikomanagement und regulatorische Anforderungen im Bankensektor.

KAMaRisk in the Consultation Phase

19. June 2026

After Bafin (Federal Financial Supervisory Authority) released the draft of the 9th amendment to MaRisk for consultation in early April, the consultation version of the Minimum Requirements for Risk Management at Capital Management Companies (KAMaRisk) has been available since 12 June 2026. With this, the supervisory authority is continuing to advance the revision of its circulars in the financial sector.

One of the reasons for the revision is the Fund Risk Limitation Act (FRiG). It transposes the revised EU Directive on the Regulation of Alternative Investment Funds (AIFMD II) into German law and establishes harmonized requirements for credit funds in the EU. Accordingly, in KAMaRisk, Bafin is revising, in particular, the requirements for lending by alternative investment funds (AIFs) and simplifying the requirements in several areas.

What Else Stands Out?

In addition, Bafin is revising the KAMaRisk in several sections to eliminate overlaps with the Digital Operational Resilience Act (DORA). For example, the section on electronic data processing has been removed. Duplication of regulation is also to be avoided in the chapter on outsourcing: ICT services already governed by DORA are not to be subject to the corresponding KAMaRisk requirements as well.

Bafin is explicitly focusing on ESG (Environmental, Social, Governance) risks. The requirements for internal audit are also being tightened: Internal audit staff may not audit activities for which they themselves were responsible in the past twelve months. In the future, the internal audit function will also report to management and the supervisory board.

Implications from a Regulatory Perspective

Anyone who has been following the current MaRisk consultation phase will recognize the general direction. In that consultation phase as well, Bafin had announced its intention to make the requirements more principles-based, reduce complexity, and clarify their application. KAMaRisk continues this approach for capital management companies, while setting its own technical priorities.

"Overall, the proposed changes provide a pragmatic and welcome relief. By removing requirements that are already covered by DORA, the KAMaRisk consultation reduces regulatory overlap. Institutions that have so far taken a cautious approach and assessed outsourced or third party ICT services against both DORA and the existing KAMaRisk framework may now be able to simplify parts of their implementation efforts.“

Dr. Christian Schwartz, Executive Board Member usd Security Consulting
Portrait of Dr. Christian Schwartz, wearing a suit, Board Member of usd Security Consulting

Bafin is accepting submissions on KAMaRisk until 1 July 2026. We are monitoring further developments regarding MaRisk and KAMaRisk and will keep you informed.

Also interesting:

A5: BSI Publishes New Audit Framework for Trustworthy AI

A5: BSI Publishes New Audit Framework for Trustworthy AI

The German Federal Office for Information Security (BSI) has published the Community Draft of the AI Audit and Assurance Assessment Architecture (A5) (currently available in German only), thus starting the consultation phase. A5 is intended to create a standardized...

AI Vulnerability Storm: When a Lack of Speed Becomes a Risk

AI Vulnerability Storm: When a Lack of Speed Becomes a Risk

Current developments in AI systems show that vulnerabilities are found more quickly, suitable exploits are developed more quickly, and attacks are increasingly implemented automatically. This significantly reduces the time between discovery and exploitation. What used...

Bafin Publishes 9th Amendment to MaRisk

Bafin Publishes 9th Amendment to MaRisk

On 30 June 2026, all credit institutions and financial services institutions in Germany received an important circular: Following the consultation phase, the German Federal Financial Supervisory Authority (Bafin) published the 9th amendment to its Minimum Requirements...

Categories

Categories