James Aspinwall — February 2026
This agent is different from the other four. It uses real public data — not synthetic. BaFin and EBA publish regulatory bulletins on public RSS feeds. The agent scrapes them, classifies each one by relevance, maps it to internal controls, and flags gaps where new regulations have no corresponding compliance procedure.
The gap detection is the money shot. A regulator publishes something new, and within minutes the agent tells you what you are missing.
Why This Matters
German banks face a continuous flood of regulatory change. BaFin publishes circulars (Rundschreiben), consultation papers (Konsultationen), interpretive letters (Auslegungsentscheidungen), and expert articles. EBA publishes guidelines, regulatory technical standards, and opinions. EU regulations land directly in the Official Journal. A mid-size German bank’s compliance function must assess 200-400 regulatory changes per year.
MaRisk AT 4.4.2 makes this obligation explicit: the compliance function must identify, on an ongoing basis, all material legal regulations whose non-compliance could endanger the institution. It must assess impact, inform management, and track implementation. This is not optional — it is personally the compliance officer’s responsibility.
Most banks maintain this in spreadsheets. Some use GRC platforms. None of them can read a new EBA guideline at 9:00 AM and tell you by 9:05 AM which of your internal controls have a gap.
The Regulatory Sources
BaFin
Circulars (Rundschreiben): The binding supervisory guidance. The heavy-hitters:
- MaRisk (Circular 10/2021 BA) — minimum requirements for risk management. Central framework, transposes EBA guidelines on internal governance
- BAIT (Circular 10/2017 BA) — IT governance, information security, outsourcing
- MaComp (Circular 05/2018 WA) — minimum requirements for the compliance function itself
- KAMaRisk — equivalent for capital management companies
Consultation papers: Draft circulars published for 6-12 weeks of industry comment. Early warning signals.
Interpretive letters (Auslegungsentscheidungen): Binding clarifications of ambiguous provisions. These create new compliance obligations without new legislation.
Expert articles (BaFinJournal): Not formally binding, but they signal where BaFin is looking next. Ignore at your peril.
MaRisk has undergone major revisions approximately every 3-5 years (2005, 2009, 2010, 2012, 2017, 2021/2022). But the stream of interpretive letters and BaFin communications between revisions is continuous.
EBA (European Banking Authority)
EBA guidelines operate through the “comply or explain” mechanism (Article 16, Regulation 1093/2010). When EBA publishes a guideline, BaFin has 2 months to notify whether it complies. If it complies, it transposes into German practice — typically through MaRisk amendments or interpretive letters.
The critical window: between EBA publication and BaFin transposition, the guideline exists but may create obligations the bank hasn’t assessed yet. The tracker must catch this gap.
Key EBA guidelines the tracker must monitor:
| Reference | Topic |
|---|---|
| EBA/GL/2021/05 | Internal governance |
| EBA/GL/2019/04 | ICT and security risk management |
| EBA/GL/2019/02 | Outsourcing arrangements |
| EBA/GL/2020/06 | Loan origination and monitoring |
| EBA/GL/2022/01 | AML/CFT de-risking |
| EBA/GL/2023/04 | ESG risk management |
| EBA/GL/2017/12 | Major incident reporting (now superseded by DORA) |
EU Official Journal
Directly applicable regulations — CRR, CRD, DORA, the new AMLR — land here. They don’t need BaFin transposition. They are law the day they take effect.
Input: Data Sources
| Source | URL Pattern | Format | Language | Volume |
|---|---|---|---|---|
| BaFin Rundschreiben | bafin.de/…Rundschreiben… | HTML/PDF | German | ~20-30/year |
| BaFin Konsultationen | bafin.de/…Konsultation… | HTML/PDF | German | ~10-15/year |
| BaFin Auslegungsentscheidungen | bafin.de/…Auslegungsentscheidung… | HTML | German | ~30-50/year |
| EBA Guidelines | eba.europa.eu/…/guidelines/ | | English | ~15-25/year |
| EBA RTS/ITS | eba.europa.eu/…/regulatory-technical-standards/ | | English | ~20-30/year |
| EU Official Journal | eur-lex.europa.eu | HTML/PDF | DE+EN | Continuous |
BaFin provides RSS feeds at https://www.bafin.de/SiteGlobals/Functions/RSSFeed/. The feeds include title, summary, publication date, and link. BaFin does not offer a formal REST API — scraping with proper rate-limiting and caching is the practical approach.
The system must be bilingual. BaFin publishes primarily in German (Verwaltungssprache — notoriously complex regulatory German, routinely 50+ word sentences with nested subordinate clauses). EBA publishes in English. The LLM must handle both.
Processing: The Classification and Mapping Pipeline
Stage 1 — Ingestion
RSS/web scraping pulls new bulletins. PDF extraction for BaFin circulars (many are PDF-only). Structure extraction identifies sections, paragraphs, articles. Metadata extraction: effective date, addressed entities, topic area.
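The rate-limited, de-duplicating poll that Stage 1 and the data-sources section describe, as an added example rather than the agent's own code; the feed XML is constructed for the example and the fetch callable, field names and hashing scheme are assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample feed in the item shape the BaFin RSS exposes (title, summary,
# date, link); the bulletins and URLs below are invented for this example.
SAMPLE_FEED = """<rss version="2.0"><channel>
<item><title>Rundschreiben 10/2021 (BA) - MaRisk</title>
<link>https://www.bafin.de/example/rundschreiben-marisk</link>
<pubDate>Mon, 16 Aug 2021 08:00:00 GMT</pubDate>
<description>Mindestanforderungen an das Risikomanagement</description></item>
<item><title>Konsultation 05/2025 - Entwurf eines Rundschreibens</title>
<link>https://www.bafin.de/example/konsultation-05-2025</link>
<pubDate>Tue, 04 Feb 2025 09:00:00 GMT</pubDate>
<description>Entwurf zur Konsultation</description></item>
</channel></rss>"""

FIELDS = ("title", "link", "pubDate", "description")

def fingerprint(item):
    """Stable identity of a bulletin so re-polls and feed re-orderings do not re-emit it."""
    key = "\n".join(item[f] for f in ("link", "title")).encode("utf-8")
    return hashlib.sha256(key).hexdigest()

class FeedPoller:
    """Fetches one feed no more often than min_interval_s and returns only unseen items."""
    def __init__(self, fetch, min_interval_s=60.0):
        self.fetch = fetch              # callable returning the raw RSS XML (assumed)
        self.min_interval_s = min_interval_s
        self.seen = set()               # persisted in a real deployment; in-memory here
        self.last_fetch = None

    def poll(self, now):
        """now: monotonic seconds, passed in so the rate limit is testable."""
        if self.last_fetch is not None and now - self.last_fetch < self.min_interval_s:
            return []                   # too soon: do not hit the regulator's server again
        self.last_fetch = now
        # The feed is untrusted input: in production parse with defusedxml and cap the size
        root = ET.fromstring(self.fetch())
        new = []
        for node in root.iter("item"):
            item = {f: (node.findtext(f) or "").strip() for f in FIELDS}
            fp = fingerprint(item)
            if fp not in self.seen:
                self.seen.add(fp)
                new.append(item)
        return new
```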
Stage 2 — Relevance Classification
The LLM classifies each bulletin across four dimensions:
Entity-type filter: Does this apply to CRR credit institutions, CRD investment firms, payment institutions?
Business-line filter: Retail banking, corporate banking, trading, payment services?
Topic classification: Multi-label taxonomy mapping to the regulatory domain:
Level 1: Prudential / Securities / AML / Consumer Protection / Payment Services
Level 2: Capital Requirements / Risk Management / IT & Operational Resilience / Outsourcing / Governance / Reporting
Level 3: Credit Risk / Market Risk / Operational Risk / Liquidity Risk / ESG Risks
Change type: New requirement, amendment to existing, clarification, repeal.
Materiality: High / medium / low impact on the institution.
Stage 3 — Policy Mapping
The agent maps each relevant regulation to the institution’s Normenkataster (regulatory inventory) — the core data structure:
Regulation ID: "EBA/GL/2023/04"
Regulation Title: "Guidelines on ESG risks management"
Applicable Since: 2024-01-01
Responsible Unit: Risk Management
Mapped Internal Policy: ESG Policy v1.0
Mapped Controls: [ESG-CTRL-001, ESG-CTRL-002]
Last Assessment: 2025-06-15
Assessment Result: Gap identified
Next Review: 2026-06-15
Stage 4 — Gap Detection
A gap exists when:
- A regulatory requirement has no corresponding internal policy or control
- A policy exists but doesn’t fully address the regulatory requirement
- The internal policy hasn’t been updated to reflect a regulatory change
- A control exists but is inadequately designed to meet the requirement
The LLM flags each gap with a prioritization recommendation:
| Regulatory Impact | Business Impact | Priority |
|---|---|---|
| High | High | Critical — immediate remediation |
| High | Low | High — 30 days |
| Low | High | Medium — 90 days |
| Low | Low | Low — 180 days |
Additional factors: BaFin-imposed deadlines override internal prioritization. Areas currently under supervisory focus get elevated. Open audit findings get elevated.
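The four gap conditions, the priority matrix and the override factors above, run over a Normenkataster entry in the shape shown in Stage 3; this is an added example, not the agent's code, and the field names, the one-level elevation for supervisory focus or open audit findings, and the sample entry are assumptions.

```python
from datetime import date, timedelta

# Priority matrix from the page: (regulatory impact, business impact) -> (priority, days)
PRIORITY_MATRIX = {
    ("high", "high"): ("critical", 0),
    ("high", "low"): ("high", 30),
    ("low", "high"): ("medium", 90),
    ("low", "low"): ("low", 180),
}
LEVELS = ["low", "medium", "high", "critical"]
DAYS_FOR = {"low": 180, "medium": 90, "high": 30, "critical": 0}

# Constructed Normenkataster entry; field names are assumptions for this example
SAMPLE_ENTRY = {
    "regulation_id": "EBA/GL/2023/04",
    "regulation_changed": date(2024, 1, 1),       # applicable since
    "mapped_policy": "ESG Policy v1.0",
    "policy_coverage": "partial",                 # "full" or "partial"
    "policy_updated": date(2023, 6, 1),
    "mapped_controls": [{"id": "ESG-CTRL-001", "design": "adequate"},
                        {"id": "ESG-CTRL-002", "design": "inadequate"}],
    "regulatory_impact": "high", "business_impact": "low",
    "supervisory_focus": True, "open_audit_findings": False,
    "bafin_deadline": None,
}

def detect_gaps(entry):
    """Apply the four gap conditions and return the reasons that fire."""
    gaps = []
    if not entry["mapped_policy"] or not entry["mapped_controls"]:
        gaps.append("no corresponding internal policy or control")
    if entry["policy_coverage"] == "partial":
        gaps.append("policy does not fully address the requirement")
    if entry["policy_updated"] and entry["policy_updated"] < entry["regulation_changed"]:
        gaps.append("policy not updated since the regulatory change")
    if any(c["design"] == "inadequate" for c in entry["mapped_controls"]):
        gaps.append("control inadequately designed for the requirement")
    return gaps

def prioritize(entry, today):
    """Matrix priority, elevated one level for focus areas / audit findings, capped by a BaFin deadline."""
    priority, days = PRIORITY_MATRIX[(entry["regulatory_impact"], entry["business_impact"])]
    if entry["supervisory_focus"] or entry["open_audit_findings"]:
        priority = LEVELS[min(LEVELS.index(priority) + 1, len(LEVELS) - 1)]
        days = DAYS_FOR[priority]
    deadline = today + timedelta(days=days)
    if entry["bafin_deadline"] and entry["bafin_deadline"] < deadline:
        deadline = entry["bafin_deadline"]      # regulator's deadline overrides internal prioritization
    return priority, deadline
```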
Alerting and Escalation
The governance chain for regulatory change assessments follows MaRisk AT 4.4.2:
Standard flow: New regulation identified → classified by AI → reviewed by compliance analyst → approved by senior compliance officer → tracked in inventory.
Elevated: Regulation affects multiple business lines → cross-functional assessment meeting → joint remediation plan → compliance committee approval.
Critical: Regulation creates immediate compliance risk → ad-hoc management board notification → emergency remediation → potential supervisory notification.
The compliance officer (Compliance-Beauftragter) has personal responsibility for the monitoring function under MaRisk AT 4.4.2. The management board (Geschäftsleitung) receives compliance reports at least annually, with ad-hoc reports for material changes. The supervisory board receives summary reporting.
Human-in-the-Loop: The Compliance Officer Owns It
BaFin’s position on AI in compliance (Big Data and AI Principles, 2021) requires:
- Explainability: The system must explain why it classified a regulation as relevant or irrelevant
- Override capability: Humans must be able to override AI decisions with documented reasoning
- Audit trail: All AI decisions and human overrides must be logged
- Regular validation: The AI model’s accuracy must be regularly assessed and documented
- Fallback process: If the AI system fails, manual processes must be in place
The AI recommends. The compliance officer decides. Every assessment — whether AI-generated or human-modified — must be signed off, timestamped, and retained.
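An audit trail that records AI recommendations with their rationale, requires documented reasoning for a human override, and makes later edits detectable by hash-chaining the entries; this is an added example, not the agent's implementation, and the record fields and the SHA-256 chaining are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

def _digest(record):
    # Canonical JSON so the same content always yields the same hash
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

class AssessmentLog:
    """Append-only, hash-chained log of AI recommendations and human sign-offs."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def _append(self, record, ts):
        record["ts"] = ts or datetime.now(timezone.utc).isoformat()
        record["prev_hash"] = self.entries[-1]["hash"] if self.entries else self.GENESIS
        record["hash"] = _digest(record)   # covers every field except the hash itself
        self.entries.append(record)
        return record["hash"]

    def ai_recommendation(self, regulation_id, relevance, rationale, model, ts=None):
        # Explainability: the rationale is stored next to the classification it justifies
        return self._append({"kind": "ai", "regulation_id": regulation_id, "relevance": relevance,
                             "rationale": rationale, "model": model}, ts)

    def human_decision(self, regulation_id, relevance, reason, officer, override_of=None, ts=None):
        # An override must name the AI record it replaces and carry documented reasoning
        if override_of is not None and not reason.strip():
            raise ValueError("override requires documented reasoning")
        return self._append({"kind": "human", "regulation_id": regulation_id, "relevance": relevance,
                             "reason": reason, "signed_off_by": officer, "override_of": override_of}, ts)

    def verify(self):
        """Recompute the chain; an edited, reordered or removed entry breaks it."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def decision(self, regulation_id):
        """The binding assessment is the latest human sign-off; an AI record alone never counts."""
        for e in reversed(self.entries):
            if e["kind"] == "human" and e["regulation_id"] == regulation_id:
                return e["relevance"]
        return None
```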
Compliance and Documentation
What MaRisk AT 4.4.2 Demands
- Regulatory inventory completeness: Every material regulation captured. Gaps in coverage are findings in regulatory examinations
- Assessment timeliness: New regulations assessed within 30-90 days of publication, depending on materiality
- Mapping specificity: Regulation-to-control mapping must be specific and meaningful, not generic boilerplate
- Gap remediation tracking: Every gap has an owner, a plan, milestones, a deadline
- Management reporting: Board receives adequate information about regulatory changes and their implications
- Resource adequacy: The compliance function has sufficient staff and technology
What BaFin Examiners Check
During supervisory examinations (Sonderprüfungen under Section 44 KWG), examiners assess:
- Is the regulatory inventory complete?
- How quickly are new regulations assessed?
- Is the regulation-to-control mapping specific?
- Are gaps tracked with clear ownership and deadlines?
- Does the board receive adequate reporting?
- Is the compliance function adequately resourced and independent?
Testing and Demo Scope
The Demo Scenario
EBA publishes a new guideline on ESG risk management. The agent detects it via RSS within minutes.
Step 1 — Ingestion: “New EBA Guideline EBA/GL/2024/XX on management of ESG risks in the banking book published.”
Step 2 — Classification:
- Relevance: HIGH (applies to all CRR credit institutions)
- Topics: Risk Management > ESG Risks, Governance > Strategy
- Change type: New requirement
- Affected MaRisk sections: AT 4.1 (strategy), AT 4.3.2 (risk identification), BTO (lending)
- BaFin transposition expected: Yes, likely MaRisk amendment within 12-18 months
Step 3 — Mapping: System matches to existing controls:
- ESG Policy v1.0 — partially covers climate risk in lending but not social/governance risks
- Credit Risk Policy v4.2 — does not address ESG factors in credit assessment
Step 4 — Gap Report:
- 3 gaps identified: no control for ESG risk in market risk management, no social risk assessment framework, no ESG data governance policy
- 2 high priority, 1 medium
- Recommended remediation with timeline aligned to expected BaFin transposition
Step 5 — Human review: Compliance officer reviews, adjusts one classification, adds a note, approves.
What took the compliance team 2-3 days — reading the guideline, assessing applicability, mapping to controls, writing up the assessment — is done in minutes with AI assistance.
Edge Cases to Demonstrate
- Multi-business-line regulation: New outsourcing guideline affects IT, operations, and all business lines. Show multiple assessment items created for different owners.
- Cascade effect: CRR amendment triggers EBA RTS change, which triggers BaFin circular amendment. Show the system tracking the full cascade.
- False positive handling: Regulation classified as relevant that, upon human review, is not applicable. Show the override and feedback loop.
- Regulatory withdrawal: An existing regulation superseded by a new one. Show the system updating the mapping.
Running Under the MCP Orchestrator
MCP Tools:
- regulatory_check_feeds — polls BaFin/EBA RSS feeds for new publications
- regulatory_classify — classifies a bulletin for relevance, topic, and materiality
- regulatory_map_controls — maps a regulation to the internal control inventory
- regulatory_gap_analysis — identifies gaps and generates prioritized remediation recommendations
System Prompt Context: Institution profile (entity type, business lines, jurisdictions), current regulatory inventory snapshot, internal control catalog, previous gap assessments.
Trigger Conditions:
- Scheduled: daily RSS feed check
- Event-driven: webhook on new publication
- On-demand: analyst requests assessment of a specific regulation
Output: Structured change notification, gap analysis report, action items with ownership and deadlines. Feeds into the unified dashboard timeline.
The Pitch
Every compliance team knows this pain: a regulatory bulletin lands, and someone has to read it, understand it, figure out what it means for the bank, check whether existing controls cover it, and write up the assessment. Multiply by 200-400 times per year.
This agent does the first pass in minutes. Not the final word — the compliance officer still reviews, still decides, still signs off. But the heavy lifting of classification, mapping, and gap identification is automated.
The story it tells to a prospective client: “A new regulation dropped at 9:00 AM. By 9:05 AM, your compliance team knew exactly which controls had a gap, who was responsible, and what the remediation deadline was. Without this agent, that assessment would have landed on someone’s desk next Tuesday.”
Beyond Classification: Execute the Remediation
Currently, the agent classifies regulations and identifies gaps. The next step: a one-click “Execute” button that creates remediation tickets — with owners, deadlines, and milestone tracking — directly in the institution’s project management system (Jira, ServiceNow, or internal GRC platform).
Gap identified → remediation plan generated → tickets created → owners notified → progress tracked → compliance officer reviews at the next scheduled checkpoint. Not “here is a report.” Instead: “the work is already assigned.”
The consulting differentiator: This agent does not just read regulations — it reads them in Verwaltungssprache (German regulatory prose), maps them to MaRisk section numbers, and knows the difference between an EBA guideline (comply-or-explain, 2-month window) and a directly applicable EU regulation (law on day one). That jurisdictional knowledge is the moat. Generic AI cannot tell a Rundschreiben from a Konsultation, let alone assess whether BaFin transposition creates a new compliance obligation for the institution.