ZAG-MaRisk & Limit Management
The ZAG-MaRisk demands more than documentation and policies. Many payment service providers underestimate the supervisory expectation at its core: who decides on risk, and is that responsibility unambiguously defined? Limit management is a management process, not a reporting exercise. Effective governance requires clear roles across all three lines of defence, a defined escalation path and supervisory-ready documentation without unnecessary bureaucracy. The principle of "no business without a limit" is not a formality: it makes risks visible before they become problems.
Governance in Credit Decisions
CCD2 fundamentally shifts the regulatory lens: no longer just the credit contract, but the entire decision-making process is in scope — from data use and scoring logic to customer dialogue. This affects not only banks, but everyone who has integrated credit functions into their business model: BNPL providers, merchants, platforms, payment service providers. CCD2 does not turn non-banks into banks — but it requires proportionate governance. The defining question is organisational, not technical: who is accountable for the credit decision?
Part 2 clarifies who CCD2 actually affects and what a functioning control model requires. What matters is the role in the process, not the industry. The regulatory target state calls for clear ownership, versioned scoring logic, documented change processes and defined monitoring — no banking framework, but structure. Credit decisions become a board-level responsibility: requirements apply at every touchpoint, from advertising through pre-contractual disclosures to checkout and ongoing customer communication.
While much of the CCD2 debate focuses on governance, regulation first makes itself felt operationally: in the credit process itself. The checkout becomes a regulatory core process — with mandatory creditworthiness assessment even for small amounts, pre-contractual information obligations, withdrawal rights and transparent cost disclosure. Most significantly: algorithmic decisions must be explainable. Customers have the right to a traceable justification — the black box is no longer regulatorily viable.
ESG Risk Management for SNCIs
BRUBEG embeds ESG risks in the KWG through new sections 26c and 26d — not as standalone risk categories, but as cross-cutting risk drivers affecting credit, market, liquidity and operational risks. For management boards, this means ESG risks are an integral part of business and risk strategy, not an isolated side topic. Inaction is not an option: supervisors will systematically assess ESG risks within SREP, and BaFin can mandate corrective measures where risk management is found inadequate.
With the legal framework in place, the question becomes practical: how to implement? Part 2 provides a phase-based roadmap for SNCIs: Phase 0 establishes clarity on responsibilities and ambition level, Phase 1 meets the minimum requirements and produces the first ESG risk plan, Phase 2 deepens integration into ICAAP/ILAAP and steering processes, and Phase 3 prepares for the end of the transitional arrangement in 2030. The key is not complexity but embeddedness: the ESG risk plan must be anchored in the regular management and steering processes.
Proportionality is not a regulatory discount — it is an obligation to justify. The choice of simplified approaches must be deliberate, risk-oriented and owned by management: not automatic, not delegated. What supervisors actually assess is not model complexity but consistency and accountability — was the ambition level consciously set, is the materiality analysis documented, does the methodology feed into real management decisions? The difference between weak and strong argumentation lies not in the outcome, but in the reasoning.
The ESG risk plan is not a compliance checkbox — it reveals whether governance is more than a concept. Building it with form-filling logic produces compliance without management effect. Building it with steering logic embeds it in board decisions, ICAAP and strategy — and creates the foundation for genuine management effectiveness. The defining question is not whether the plan is formally complete, but whether it actually informs capital planning, limit-setting and portfolio decisions.