The core services provided by our "risk" experts relate to the minimum requirements for risk management (MaRisk), the capital and liquidity requirements and reporting.

Minimum requirements for risk management

In the form of MaRisk, BaFin pursues the goal of providing a flexible and practical framework for institutions seeking to establish risk management guidelines. In this sense, an appropriate and effective risk management system, taking into account the risk-bearing capacity, must in particular include the establishment of strategies and internal control procedures. The internal control procedures consist of the internal control system and the internal audit. BaFin has substantiated the content requirements for internal control systems by providing detailed information on the following:

• Rules for structural and operational organisation
• Regulations on processes for identifying, assessing, controlling, monitoring and communicating risks (risk management and controlling processes) and
• Rules for risk controlling and a compliance function.

Beyond this, the MaRisk defines a qualitative framework for appropriate management, governance and control processes to be established by the institutions as well as the ongoing strategies and processes under the "overall bank management" umbrella, with a view to ensuring that sufficient internal capital is in place to cover all significant risks.

Through performing a variety of annual audits, our work as auditors for the regulators in the scope of special audits by BaFin, or the ECB asset quality review, as well as our audit-related services (for example, in the context of performing reviews of internal auditing and due diligence tasks), our employees have a deep insight into the organisational structure and process organisation requirements and the procedures to be deployed for efficient and effective risk management practices with numerous examples best practices. We use this experience in auditing and providing consultancy on all topics that directly or indirectly affect the MaRisk requirements.

Equity and liquidity requirements

The need to regulate the equity and liquidity of credit and financial services institutions results in particular from creditor protection and ensuring the financial intermediation function. However, the global financial crisis in 2007/2008 made it clear that the rules in effect up to this point were insufficient to ensure the solvency and liquidity of the banks in stress situations. The Basel Committee on Banking Supervision (BCBS) therefore addressed what is above all the tightening of equity capital requirements for institutions in the form of the Basel III Framework, and for the first time introduced uniform liquidity standards. The new rules were enacted in European and German law in the form of the CRD IV Package (Capital Requirements Regulation - CRR and Capital Requirements Directive CRD IV) to which details is continuously being added, in particular through complementary standards and guidelines from the European Banking Authority (EBA). Since January 1, 2014, all institutions were required to apply the new extensive requirements from and continuously adapt them to reflect complementary developments.

Due to a large number of qualitative and quantitative capital requirements, the challenge for the institutions is to provide for the extended requirements, including the capital buffer. The latter consists of core equity. The requirements must be brought in line with the profitability endeavours of the respective institutions and thus with the interests of stakeholders. Compliance with the risk-independent indebtedness ratio (leverage ratio) leads to an additional requirement for equity capital. We thus analyse institution-specific opportunities for improving the qualitative and quantitative equity situation and perform targeted analysis of risk-weighted assets (RWA) by risk type and/or investigate options for reducing of low-margin business volumes in order to identify potential cost savings.

Other new developments from the CRR/CRD IV  – initially as monitoring indicators – relate to the liquidity coverage ratio (LCR) and net stable funding ratio (NSFR). Again these adversely affect the profitability of the institutions. Regarding the LCR, we analyse the existing high quality liquid assets (HQLA) and the funding structures in a targeted manner in order to derive implications for the business and risk strategy.

A further regulatory development of the CRR/CRD IV resulted from the CRR II/CRD V published as part of the EU banking package on 27 June 2019. The CRR II strengthened the proportionality principle to ease the burden on smaller institutions and the promotion of SMEs (small and medium-sized enterprises) and infrastructure measures.

Other important changes concern the following regulatory areas:

• Counterparty credit risk in derivatives (new standardised approach SA-CCR),
• credit risk for investment funds (increased focus on risk weighting at the level of underlyings),
• Market risks (reform of market risk approaches by introducing a new standardised approach and a new internal model approach),
• Introduction of regulations on loss absorbing  capacity for institutions (TLAC, MREL),
• Final determination of the leverage ratio and weighting factors for the net stable funding ratio - NSFR,
• Large exposures (limitation of the capital base when calculating the large exposure limits to Tier 1 capital).

The new provisions of CRR II must be implemented by the institutions for the most part by 28 June 2021.

The various indicators shown must not be governed separately. It is thus of enormous importance for the institutions to consider the interdependencies, in order to ensure compliance with all requirements at all times, while at the same time leveraging profitability potentials. Our employees contribute their many years of experience in bank management towards support our clients in their capital and liquidity planning and in order to optimise management of key indicators. Our audit experiences provide support to achieve the best possible results. The current developments in banking supervisory law are always taken into account at the international, European and German levels.

Statutory reporting

The lack of uniformity in statutory reporting for credit institutions in Europe was one of the main findings from the financial crisis of 2007/2008. Following the implementation of the capital requirement regulation (CRR) and the capital requirement directive IV (CRD IV), in conjunction with the publication of the technical implementation standards on the uniform reporting requirements of the CRR EBA/ITS/2013/02 of 26 July 2013 in the implementation under European law as Ord. (EU) no. 680/2014 of 16 April 2014, along with the amendments of Ord. (EU) no. 680/2014 by the Ord. (EU) no. 2015/79 of 18 December 2014 and the Ord. (EU) no. 2015/227 of 9 January 2015, the European institutions are pursuing the goal of finding a remedy for this matter. The key element of these regulations is Ord. (EU) no. 680/2014 with its publication of uniform reporting formats, forms, and thresholds, establishment of uniform reporting due dates and submission dates, adoption of all data to be reported into a uniform data point model, and matching rules between individual values within the various reporting forms to ensure data quality and coherence.

The reporting requirements covered by this ordinance include the common reporting framework (COREP), consisting of the

• reports of equity capital and capital requirements on an individual and group basis,
• biannual reporting of defined losses from property-secured lending business at an individual and group level (hard test),
• large exposure reports,
• monthly reports of the liquidity coverage ratio (LCR) and the quarterly reports on information regarding stable refinancing at individual and group level (net stability funding ratio - NSFR), and the
• reports on simple, non-risk-based capital indicators "leverage ratio".

Additionally, the ordinance also covers the reports under the financial reporting framework (FinRep), consisting of the

• comprehensive balance sheet and profit-and-loss information for IFRS parent institutions at group level since September 30 2014 (reporting date) as well as for HGB balance sheet preparers on an individual and group level, depending on classification into one of four groups (FinRep light) and the
• reports of assets that were pledged as collateral or are the subject of an agreement on the provision of collateral (asset encumbrance).

Regulation (EU) No. 680/2014 of 16 April 2014, which is central to regulatory reporting, will be completely replaced by DPM 3.0 in the course of the introduction of CRR II/CRD V. This involves an adaptation of existing and the introduction of new reporting templates. For this purpose, the ITS EBA-CP-2019-10 was published as a draft version for consultation purposes on 16 October 2019. A finalization of the ITS EBA-CP-2019-10 is expected for June 2020.

In addition, institutions in Germany must report their financial and risk-bearing capacity information as per FinaRisikoV, where relevant.

Another reporting obligation arising for credit institutions is the ordinance adopted by the Governing Council on 18 May 2016 for the implementation the granular statistical credit reporting system AnaCredit. The ordinance will come into force on 31 December 2017. AnaCredit is an abbreviation for "analytical credit datasets". The method of data acquisition on the individual loan level ( "loan-by-loan") provided for in the ordinance once again increases the complexity and granularity of supervisory reporting. The flexibly evaluable data sets are intended for statistical and regulatory purposes, but also to benefit financial stability and monetary policy. The data are intended to identify risks within the financial system at an early stage through micro- and macro-prudential analysis.

BDO has experts who help credit and financial services institutions to meet the requirements of the reporting system as part of their daily work. Specifically, we provide support for

• creating reports,
• creating, implementing and assuring the quality of functional solutions,
• in the conceptual design and improvement of reporting processes, as well as
• in assuring the quality of reports and reporting processes.

As independent auditors, we perform auditing of reporting processes routinely or on-demand.

Regardless of specific reports, requirements for banks were tightened by the principles for effective aggregation of risk data and risk reporting published by the Basel Committee, The principles are a response to findings of the regulatory authorities during the financial crisis that many banks were unable to aggregate and evaluate risk data in a timely manner, and thus unable to properly control the risks.

BCBS 239 consists of 11 fairly generally worded principles relating to banking that cover overall corporate governance and infrastructure, risk data aggregation capacities and risk reporting. The contents of BCBS 239 were incorporated essentially unchanged in the MaRisk amendment of 27 October 2017 and are thus directly relevant for German institutions.

In collaboration with our experts from IT Risk & Performance, we support credit and financial services institutions in the implementation of principles for effective aggregation of risk data and risk reporting and, as independent auditors, issue routine and ad hoc opinions on the current state of implementation.

Request for proposal