ZAG-MaRisk & Limit Management
Many payment service providers underestimate what the ZAG-MaRisk actually requires of them. In practice, the focus often falls on documentation and policies — yet supervisors typically look first at a different question: who decides on risk, and is that responsibility genuinely clear? This piece explains why limit management is a leadership instrument, not a reporting exercise — and what a supervisory-ready governance structure actually looks like.
Governance in Credit Decisions
Credit decisions today are made automatically at checkout — by BNPL providers, platforms, merchants and payment service providers. CCD2 fundamentally shifts the regulatory lens: no longer just the credit contract, but the entire decision-making process is in scope. This piece explains the organisational implications — and why the question of accountability must be answered through governance, not technology.
CCD2 does not turn non-banks into banks — but it does require proportionate governance. Part 2 clarifies who the directive really affects: merchants offering checkout credit, BNPL providers, platforms, intermediaries. And it shows what a functioning control model actually requires — clear ownership, traceable decision logic, documented changes and defined monitoring. No banking framework, but structure.
Much of the CCD2 discussion focuses on governance. In practice, however, regulation first makes itself felt somewhere more concrete: in the credit process itself. Part 3 shows what changes operationally — from creditworthiness assessment and pre-contractual information obligations through to the duty to justify algorithmic decisions. The checkout becomes a regulatory core process.
ESG Risk Management for SNCIs
BRUBEG embeds ESG risks directly in the KWG through new sections 26c and 26d. What this means in practice for small, non-complex institutions is still widely underestimated. This piece sets out the legal framework: why ESG risks are not a separate topic but an integral part of business and risk strategy — and which core obligations under BRUBEG, KWG and MaRisk apply with immediate effect.
Legal framework understood — but where to begin? Part 2 provides a phase-based implementation roadmap for SNCIs: from the preparation phase through initial integration to readiness for the end of the transitional arrangement in 2030. With concrete checklists and practical guidance on designing the ESG risk plan.
Proportionality is not a regulatory discount — it is an obligation to justify. Part 3 shows why choosing simplified approaches is not automatically appropriate: it must be a deliberate, risk-oriented decision taken by management. With concrete examples of supervisory-robust reasoning and the critical difference between weak and strong justification logic.
The ESG risk plan is not a compliance checkbox — it reveals whether governance is more than a concept. This interim piece in the BRUBEG series asks the defining question: is the plan built with form-filling logic or with genuine management intent? The difference lies in how it is embedded — in board decisions, in ICAAP and strategy, in real management choices.