Banking Regulation 2023

Last Updated October 25, 2022


Law and Practice


Fellner Wratzfeld & Partners (fwp) has a team of more than 120 highly qualified legal personnel. The firm’s major fields of specialisation include banking and finance, corporate/M&A, real estate, infrastructure and procurement law, changes of legal form, reorganisation and restructuring. fwp advises renowned credit institutions and financial services providers on financing projects, representing mainly Austrian and international private companies, but also acts for clients from the public sector. The firm’s expertise has proven its worth repeatedly, not only in connection with project and acquisition financing, but also in regard to financing company reorganisations; fwp is also able to draw upon substantial experience gained in the financing of complex consortia in the last few years.

The primary purpose of the Austrian regulatory framework for the banking sector is to maintain a stable financial system, by doing the following:

  • increasing financial stability and the ability of financial institutions to bear losses;
  • ensuring efficient lending to business and individuals; and
  • progressing harmonisation in the area of bank supervision within the European Union.

In accordance with its EU membership, Austria has implemented a banking and financial framework that is highly influenced by European rules and regulations. The key Austrian legislation applicable in the banking sector is as follows.

  • The Banking Act (BWG), which provides the fundamental framework applicable to credit institutions and financial institutions in Austria, including the licensing regime, supervision, capital and liquidity requirements, and receivership proceedings and penalties.
  • The Payment Service Act 2018 (ZaDiG 2018) and the E-Money Act 2010 (E-GeldG), which implement the Payment Service Directive (Directive (EU) 2015/2366 (PSD II)) and the Electronic Money Directive (Directive 2009/110/EC). ZaDiG 2018 and the E-GeldG provide, among other things, the licensing and capital requirements for payment and e-money institutions.
  • The Bank Recovery and Resolution Act (BaSAG) implements the Bank Recovery and Resolution Directive (Directive 2014/59/EU (BRRD)) and provides for the obligation of credit institutions to draw up recovery and resolution plans. The implementation of the Single Resolution Mechanism (SRM) at the EU level required a revision of the BaSAG in 2015 – most of the amendments entered into force in January 2016.
  • The Securities Supervision Act 2007 (WAG 2007), and additional regulations, provides for the licensing of investment service providers, customer protection provisions, disclosure and notification requirements, etc. The Securities Supervision Act 2018 (WAG 2018) entered into force on 3 January 2018 and implements a substantial part of the Markets in Financial Instruments Directive (Directive 2014/65/EU – MiFID II). The amended law ensures that Austrian law is in line with the provisions of the Markets in Financial Instruments Regulation (Regulation (EU) No 600/2014 – MiFIR), which has applied since 3 January 2018.
  • The Capital Markets Act (KMG), which primarily implements the Prospectus Directive (Directive 2003/71/EC – PD), provides in particular for the prospectus framework relevant to securities offerings and offerings of investments in Austria.
  • The Stock Exchange Act (BörseG) and the Takeover Act (ÜbG) provide the legal framework relating to the listing and trading of securities as well as public takeover offerings. The amended Stock Exchange Act 2018 (BörseG 2018) came into force on 3 January 2018, implementing certain MiFID II provisions and introducing the possibility for a legal delisting of publicly traded stock companies from the Official Market, which is now the only regulated market in Austria.
  • The Securities Deposit Act (DepotG) regulates the depositing and acquisition of securities.

In addition to Austrian law, certain EU regulations are directly applicable to Austrian credit institutions, such as the Capital Requirements Regulation (Regulation No 575/2013/EU – CRR), which, to a large extent, is based on the Basel III standards issued by the Basel Committee on Banking Supervision. The CRR includes most of the technical provisions governing the prudential supervision of Austrian credit institutions.

Regulatory Authorities

The Austrian Financial Market Authority (FMA) is established as an integrated supervisory institution, supervising all financial service providers in Austria. It shares responsibilities with the Oesterreichische Nationalbank (OeNB) in connection with banking supervision. While the OeNB is in charge of fact-finding, including on-site and off-site analysis of banks, the FMA is responsible for the decision-making process and is therefore empowered to act as the competent authority in the areas of banking supervision and banking recovery and resolution. The European Central Bank (ECB) is responsible for banking supervision in the European area under the Single Supervisory Mechanism (SSM) and supervises significant entities in Austria, together with the FMA as the National Competent Authority (NCA) and the OeNB. Therefore, the FMA works in close co-operation with the ECB and the OeNB. However, the exclusive responsibility for granting and extending concessions of CRR credit institutions (ie, those credit institutions that receive deposits or other repayable funds from the general public and grant loans on their own account pursuant to Article 4 paragraph 1 no 1 of the CRR) lies with the ECB. For Austrian non-CRR credit institutions and branches of foreign credit institutions, the exclusive responsibility remains with the FMA.

Types of Licence

The ECB licenses CRR credit institutions in SSM member states and those (mixed) financial holding companies for which it is the consolidating supervisor. However, the scope of the licence granted by the ECB also extends to regulated activities under Austrian law.

The FMA licenses the following:

  • all credit institutions that have their registered seat in Austria and are not classified as CRR credit institutions but only as CRR financial institutions; and
  • (mixed) financial holding companies that have their registered seat in Austria and for which the FMA is the consolidating supervisor, provided that at least one group member is a credit institution and more than 50% of the own funds, consolidated turnover, income or other indicators within the group are attributable to CRR credit institutions or CRR financial institutions.

Licences granted can be subject to conditions and requirements, and can cover one or more types of transactions listed in Section 1 of the BWG.

In Austria, licensed credit institutions may also provide banking services in other EU member states by way of using the freedom of establishment or by using the freedom to provide services.

Since 29 May 2021, (mixed) financial holding companies registered in Austria must apply for a special licence as a (mixed) financial holding company upon exceeding specified trigger thresholds relating to the equity, consolidated assets, revenues, personnel or other indicators of a subsidiary qualifying as a credit institution, investment firm or financial institution. The corresponding licensing procedure is basically comparable to that of a banking licence procedure, but its scope is somewhat reduced.

Activities and services covered, and any restrictions on licensed banks’ activities

Pursuant to the BWG, an entity requires a credit institution licence issued by the competent supervisory authority to carry out activities listed in Section 1 paragraph 1 of the BWG, particularly when carrying out one or more of the following activities for a commercial purpose:

  • deposit business (Einlagengeschäft);
  • current account business (Girogeschäft);
  • lending business (Kreditgeschäft);
  • discount business (Diskontgeschäft);
  • custody business (Depotgeschäft);
  • the issuing and administration of payment instruments (Ausgabe und Verwaltung von Zahlungsmittel);
  • trading for one’s own account or on behalf of others on specific markets or with certain instruments set out in Section 1 paragraph 1 no 7 lit a-f of the BWG, including trading with futures and equity swaps or financial instruments pursuant to the WAG 2018;
  • guarantee business (Garantiegeschäft);
  • securities issuing business (Wertpapieremissionsgeschäft);
  • building savings and loan business (Bauspargeschäft);
  • investment fund business (Investmentgeschäft);
  • real estate investment fund business (Immobilienfondsgeschäft);
  • capital financing business (Kapitalfinanzierungsgeschäft);
  • factoring business (Factoringgeschäft);
  • money brokerage transactions on the interbank market or the brokerage of transactions in connection with specific banking transactions (Geldmarktgeschäft);
  • severance and retirement fund business (Betriebliches Vorsorgekassengeschäft); and
  • exchange bureau business (Wechselstubengeschäft).

An entity must also be licensed by the competent supervisory authority as a financial institution to carry out additional activities listed in Section 1 paragraph 2 of the BWG, particularly when carrying out one or more of the following activities for a commercial purpose in addition to their activities as a credit institution:

  • leasing business (Leasinggeschäft);
  • consulting companies on capital structure and industrial strategy (Beratung über die Kapitalstruktur);
  • providing trade information (Erteilung von Handelsauskünften);
  • providing safety deposit box management services (Schließfachverwaltung);
  • providing payment services under the Payment Service Act 2018 (ZaDiG); and
  • issuing e-money under the E-GeldG.

The licence for conducting banking activities as a credit institution or additionally as a financial institution may be granted with connected conditions and obligations, and may be restricted to the individual banking activities mentioned above. The scope of the licence(s) granted to each entity is publicly available in the company database of the FMA.

Application Process

In general, the ECB is responsible for granting and extending licences to CRR credit institutions. For Austrian non-CRR credit institutions and branches of foreign credit institutions in Austria, competence remains with the FMA.

Nevertheless, all applications must be submitted to the FMA, regardless of whether the decision is to be taken by the FMA or the ECB.

The following key documents are to be reviewed by the FMA/ECB as part of the licensing process:

  • the application for the authorisation of a credit institution; and
  • the business plan, which reflects the European Banking Authority (EBA) and ECB requirements referred to in the application for the authorisation of a credit institution.

The licensing process for CRR credit institutions, for which the ECB is responsible, is as follows.

Before the application is submitted to the FMA, there is a preliminary discussion phase in which the receipt of the application is confirmed. After formal confirmation by the FMA, a formal ECB approval decision must be issued within 12 months. The ECB’s experts must be involved by the FMA at an early stage of this process.

The FMA assesses whether the conditions set out in the BWG are met in the application. If the applicant fulfils the conditions, the FMA forwards the application with a draft decision and the relevant documentation to the ECB for the decision-making process. The ECB conducts its own assessment of the application based on the FMA’s draft decision and makes a final decision, which is then notified to the applicant. The average timing depends on whether or not the application is for a “full” licence and therefore for major banking activities, but the process should be completed within 12 months.

Licensing applications for Austrian non-CRR credit institutions (CRR financial institutions) or Austrian branches of non-EU-based and non-EEA-based (CRR and non-CRR) credit institutions are conducted entirely by the FMA.


The licence is issued by the FMA (or the ECB for CRR credit institutions) if the following requirements are fulfilled:

  • the undertaking is a corporation, a co-operative society or a savings bank;
  • the articles of association do not contradict the provisions of the Banking Act that ensure the security of assets and the proper conduct of business;
  • the capital, liquidity and solvency of the institution prospectively are sufficient;
  • internal organisation regarding risk management, compliance and audit is compliant;
  • the persons holding qualifying participations (more than 10% of the share capital or voting rights) meet prudent requirements;
  • any close ties of the institution to other natural persons or legal entities shall not prevent the FMA from fulfilling its supervisory duties;
  • legal or administrative provisions of a third country do not prevent the FMA from fulfilling its supervisory duties;
  • the initial capital shall amount to at least EUR5 million and shall be at the unrestricted and unencumbered disposal of the managers in Austria;
  • the members of the management board or the members of the supervisory board are financially sound;
  • the members of the management board, the head of banking compliance, the AML officer and the head of securities services compliance are sufficiently suitable, and the members of the supervisory board have sufficient professional qualifications and experience;
  • the managing directors commit sufficient time to performing their functions;
  • the centre of at least one managing director’s interests is in Austria;
  • the institution has at least two managing directors and the articles of association exclude individual power of representation. The managing directors may not have another main profession outside the banking industry; and
  • the location of the branch and the head office is in Austria.


The fee for an FMA licence for the operation of bank transactions amounts to approximately EUR10,000, and the extension fee for a licence amounts to EUR2,000. If the applicants engage a lawyer, further costs for the licence proceedings arise. Annual ongoing costs for the licence are also charged.

The ECB further charges annual supervisory fees to all CRR credit institutions in Austria, whereby significant banks must pay a higher supervisory fee than less significant banks.

Pursuant to Section 20 paragraph 1 of the BWG, the FMA must be informed in advance in writing by any person who has taken a decision to acquire or dispose of (directly or indirectly) a participation of 10%, or to increase or decrease a qualified shareholding by reaching a 20%, 30% or 50% threshold of voting rights or capital in an Austrian credit institution (or in such a way that the credit institution becomes a subsidiary undertaking of that party).

Furthermore, the credit institution shall immediately notify the FMA in writing of any acquisition or relinquishment of qualified shareholdings, and of any reaching, exceeding or falling below the shareholding thresholds as soon as it becomes aware thereof. In addition, credit institutions must notify the FMA in writing at least once a year of the names and addresses of shareholders holding qualified interests.

The FMA has a maximum of 60 working days from the receipt of the notification and all the documents required pursuant to Section 20b paragraph 3 of the BWG to prohibit the proposed acquisition in writing following an assessment according to the assessment criteria set forth in Section 20b of the BWG, provided there are reasonable grounds therefor, or if the information submitted by the proposed acquirer is incomplete. Thus, the FMA shall examine the suitability of the interested buyer and the financial stability of the intended acquisition.

The FMA will review and assess all information provided by the proposed acquirer in connection with the notification, focusing on the criteria set by law.

Specific information to be filed is provided for in the Ownership Control Regulation, including information about:

  • the identity of the proposed acquirer, by-laws, management board, economic beneficiaries, etc;
  • the reliability of the acquirer with regard to criminal or administrative offences, insolvency proceedings, etc;
  • the participations with a group of companies as well as other possible ways to exercise influence;
  • the relevant business relationships, family ties or other relevant relationships, as well as acquisition interests;
  • the financial situation and credit standing of the acquirer;
  • the funding of the intended acquisition, including disclosure of all relevant agreements; and
  • the business plan, including a description of strategic objectives and plans if the acquirer gains control.

If the bank is listed on the Austrian stock exchange, an acquirer must also comply with the provisions of the BörseG and the Takeover Act (eg, filing and notification obligations, mandatory takeover bid, etc).

Similar requirements must be fulfilled if the proposed acquirer intends to acquire a qualified holding in an insurance company, an investment firm, an investment service provider or a payment institution.

The FMA has published a detailed set of guidelines and circular letters (FMA Rundschreiben) on the application and scope of the organisational regulations, which depend on the type of business activities envisaged by the entity. An institution has to implement and continuously monitor a comprehensive set of organisational requirements, such as organisational structure, clear decision-making processes, documentation and reporting obligations, and responsibilities.

Furthermore, the management shall define and oversee the internal principles of proper business management (“fit and proper”), guaranteeing the requisite level of care when managing the institution, and focus particularly on the segregation of duties in the organisation and the prevention of conflicts of interest and, therefore, establish mechanisms to safeguard the security and confidentiality of information, pursuant to Section 38 of the BWG.

Banks are required to ensure the suitability of their managing directors, supervisory board members and holders of key functions on an ongoing basis. In addition to an internal guideline for the assessment process, banks are also required to provide ongoing training for their governing bodies and employees.

Sections 5 (1) (6)-(13), 28a and 30 (7a) of the BWG contain requirements for the members of the management and the supervisory board of credit institutions.

Fit and Proper Hearings

The FMA and the ECB apply an increasingly strict assessment procedure when evaluating the professional suitability of functionaries. Newly appointed governing bodies are invited to a hearing, and the theoretical knowledge required for the respective company is tested in an oral examination. The material covered for credit institutions includes financial expertise, the BWG and related ordinances, applicable special laws and European supervisory laws (CRR, EBA Regulatory Technical Standards, EBA Guidelines, etc) as well as the contents of the FMA Minimum Standards and FMA circulars. Basic knowledge of corporate law and knowledge of the institution within the framework of the “know your structure” principle is also required.

Requirements for the remuneration policies and practice of credit institutions licensed in Austria are set out in Sections 39/2 and 39b of the BWG, and in the Annex to Section 39b. These provisions implement the EU Directive governing remuneration policies and practices (CRD IV and CRD V) into Austrian Law. The FMA has to take these regulations into account, according to the European convergence in respect of supervisory tools and supervisory procedures. As a consequence, the guidelines and recommendations (and other measures) that are issued by the EBA must be applied. Therefore, the Annex to Section 39b of the BWG, the circular letter (re-)issued by the FMA in January 2018 (Grundsätze der Vergütungspolitik und –praktiken; Rundschreiben der FMA zu §§ 39 Abs. 2, 39b und 39c BWG) and the guidelines from the EBA considering remuneration policies (eg, guidelines on sound remuneration policies under CRD IV and disclosures under the CRR) contain the main rules for restrictions on remuneration.

Therefore, the remuneration provisions of the BWG shall ensure that credit institutions adopt remuneration policies and practices that encourage their employees to act in a sustainable and long-term manner and align their personal objectives with the long-term interests of the credit institution.

Pursuant to Section 39 paragraph 2 of the BWG, credit institutions and groups of credit institutions need to have administrative, accounting and control procedures for the identification, assessment, management and monitoring of banking business and banking operational risks, as well as risks arising from remuneration policies and practices, that are appropriate to the nature, scale and complexity of the banking business conducted.

The Financial Markets Anti-Money Laundering Act (Finanzmarkt-Geldwäschegesetz – FM-GwG) has been in force since 1 January 2017, transposing the international and European rules for the prevention of money laundering and terrorist financing into national law. Provisions relating to beneficial ownership are now also set out in the Beneficial Owners Register Act (Wirtschaftliche Eigentümer Registergesetz – WiEReG).

The FM-GwG imposes special due diligence requirements and defines special obligations for credit and financial institutions regarding due diligence and reporting in order to prevent money laundering and terrorist finance. Bank business may only be transacted with customers who have been identified – the “know-your-customer” principle.

Before a credit or financial institution begins a business relationship, it must verify the identity of the customer.

The Act on Deposit Guarantee Schemes and Investor Compensation (ESAEG) implements the Directive on Deposit Guarantee Schemes (Directive 2014/49/EU) and regulates the protection of deposits and credit balances, including interest on accounts and savings. The objective of the ESAEG is to ensure the rapid and comprehensive compensation of depositors’ claims in the event of a guarantee. The aim is to ensure that claims arising from security incidents are satisfied by the member institutions of the security schemes within a short period of time, so that financial obligations for the federal government can be avoided. In a guarantee case, deposits of up to EUR100,000 per customer and bank are covered. Every credit institution domiciled in Austria that wishes to accept customer deposits or provide investment services requiring guarantees must belong to a protection scheme.

Since 1 January 2019, the single deposit guarantee and investor compensation scheme limited liability company (Einlagensicherung Austria GesmbH – ESA) has assumed the responsibility for the compensation of all depositors and investors in Austrian credit institutions. Another institutional protection scheme as a limited liability company (Sparkassen-Haftungs-GmbH) is recognised as an alternative deposit guarantee and investor compensation scheme in Austria by the FMA and the ECB. In 2022, a third institutional protection scheme (Österreichische Raiffeisen-Sicherheitseinrichtung eGen) will be recognised.

Section 38 paragraph 1 of the BWG stipulates the obligation of a bank, its shareholders, corporate bodies, staff and other persons who are acting on behalf of the bank not to disclose certain information and secrets that have come to their attention based on their relationship with the customers.

Secret in the legal context means a fact that is known only to the keeper of the secret themselves or only to a relatively limited circle of persons. Furthermore, the fact must not be accessible, or can only be accessible with difficulty to persons otherwise interested in such fact. This includes circumstances where disclosure or exploitation is likely to violate a legitimate interest of the customer. Accordingly, banking secrecy includes the name and contact details of the creditor, the amount of the credit volume and the account balance information of the customer.

The concept of a secret is also characterised by the subjective component that the holder of the secret has an interest or desire to treat a fact as a business secret, as the owner of the secret would be at a disadvantage in case of disclosure. However, as this desire to maintain secrecy may not be established in some situations, the negative criterion that the existence of a secret is excluded if the owner of the secret renounces the secrecy has been supported by scholars.

Banking secrecy is intended to protect the legitimate interests of a customer in maintaining the confidentiality of facts that become known to the bank in the course of the business relationship. This includes all secrets that are exclusively entrusted, disclosed or made accessible within the scope of a business relationship; such secrets may not be disclosed or exploited. This is necessary to maintain the basis of trust between credit institution and customer. Furthermore, the access of third parties to these secret facts – of the federal state in particular, but also of private persons interested in receiving information – is to be excluded or limited to the extent that the customer only has to accept exceptions from banking secrecy under certain conditions.

Exceptions to banking secrecy are stipulated in Section 38 paragraph 2 of the BWG – eg, in criminal proceedings vis-à-vis public prosecutors and criminal courts.

Banking Secrecy and Non-performing Loans

Banking secrecy plays a key role in the sale of non-performing loans. Section 38 paragraph 2 of the BWG does not contain any express exception for the sale of non-performing loans. On the basis of the BWG, only an exception based on the customer’s express consent is possible. However, the Austrian Supreme Court has decided that a breach of banking secrecy is permissible if special requirements are met; in particular if the bank’s interest in a sale outweighs the customer’s interest in confidentiality.

A breach of banking secrecy generally results in the nullity of the legal transaction under civil law and also can lead to administrative and criminal law consequences.

Capital Requirements

Article 92 of the CRR sets out the specific capital requirements for the types of risk to be covered in accordance with Article 92 (3). Article 92 (2) of the CRR defines the capital ratio as a percentage of the total risk amount – the so-called solvency ratio (Solvabilitätskoeffizienten). The total risk amount is the sum of the institutions’ credit risk, operational risk, market price risks and the risk of a credit valuation adjustment. This total risk amount is to be compared to the own funds of the credit institution, resulting in the capital ratio of the institution.

Accordingly, credit institutions must maintain at least the following own funds requirements at all times:

  • a Common Equity Tier 1 capital ratio of 4.5%;
  • a Tier 1 capital ratio of 6%; and
  • a total capital ratio of 8%.

In addition to these minimum capital requirements, an institution must meet certain capital buffer requirements that.

As the capital buffers contained in the CRD have been transposed into Austrian law by Sections 23 to 23f of the BWG, the capital conservation buffer of 2.5% of risk-weighted assets (RWA) therefore applies by virtue of Austrian law and is applicable to every credit institution licensed in Austria.

However, the FMA may set additional capital buffers on an individual basis, including:

  • a countercyclical capital buffer of up to 2.5% of RWA generated in the respective EU member state;
  • a systemic risk buffer for 11 Austrian groups of institutions, with five of the group member institutions additionally required to comply on an unconsolidated basis (between 0.5% and 1% of RWA in 2021 with a statutory flexible maximum of 5% of RWA); and
  • a buffer for global systemically important institutions (G-SIIs).

Liquidity Requirements

The CRR (CRR II) requires entities to hold enough liquid assets to deal with any possible imbalance between liquidity inflows and outflows under gravely stressed conditions during a period of 30 days (Liquidity Coverage Ratio – LCR) and to ensure their ongoing ability to meet short-term obligations. The LCR as a short-term liquidity business ratio was fully introduced in 2018; amendments made by the CRR II have applied since June 2021. The new rules impose a binding leverage ratio requiring institutions to maintain Tier 1 capital of at least 3% of their non-risk-weighted assets. An additional leverage ratio buffer will apply to G-SIIs. In addition, the European Commission has proposed that credit institutions should also ensure that their long-term obligations will be adequately met with a diversity of stable funding instruments under both normal and stressed conditions (Net Stable Funding Ratio – NSFR – as a long-term liquidity business ratio). Furthermore, entities are required by the BWG to ensure that they are able to meet their payment obligations at any time – eg, by establishing company-specific financial and liquidity planning based on banking experience pursuant to Section 39 paragraph 3 of the BWG.

According to Section 82 of the BWG, insolvency proceedings cannot be opened in the form of reorganisation proceedings (Sanierungsverfahren); business supervision proceedings (Geschäftsaufsichtsverfahren) or bankruptcy proceedings (Konkursverfahren) can, however, be instituted. In addition, the conclusion of a reorganisation plan is not possible in bankruptcy proceedings.

In addition to the BWG, the BRRD provides central provisions in the area of insolvency, recovery and resolution.

Austria has implemented the BRRD by adopting the BaSAG, thereby creating a national legal framework for dealing with banks that are failing or likely to fail. The BaSAG contains provisions covering the following:

  • prescribing the preparation of recovery plans by banks and by the resolution authorities, including powers to remove obstacles to a resolution (prevention);
  • enabling supervisory authorities to intervene at an early stage, including related additional powers to intervene (early intervention); and
  • forming the basis for the establishment of a national resolution authority and for entrusting the authority with the necessary powers and tools (resolution).

The following resolution tools are at the FMA’s disposal:

  • the sale of business tool;
  • the tool to establish a bridge institution (bridge bank);
  • the asset separation tool; and
  • the tool for the bailing-in of creditors (bail-in).

The bail-in is one of the core elements of the BRRD. It provides the resolution authority with the possibility to write down the eligible liabilities in a cascading contribution to absorb the losses of an institution, or to convert them into equity capital.

If insolvency proceedings are opened over the assets of a credit institution or a legal entity pursuant to Section 1 of the BaSAG, it must continue to provide services or support if the resolution authority has issued a corresponding order.

The amendments made by CRR II and CRD V regarding the capital requirements of credit institutions and investment firms shall strengthen the resilience of the banking sector by introducing more risk-sensitive capital requirements. Challenges arise in particular from the fact that these concepts designed for large institutions (“big players” and G-SIIs) – eg, total loss-absorbing capacity (TLAC) and minimum requirement for own funds and eligible liabilities (MREL) – may not be applied to small institutions without making adaptations, as Austria has a particularly large number of small and medium-sized banks.

The financial sector has faced recent challenges created by new ways of digitalisation and data processing technology within the field of banking operations and investment service providers (fintech). Traditional financial institutions in particular have to be aware of their new digital competitors. Other important issues include the rising standards of regulation, complexity and the increasing costs for the institutions. With regard to the current interest rates, the “Compliance tool” proposed by the European Commission aimed at facilitating institutions’ compliance with their Regulations and Directives may enable each institution to rapidly identify the relevant provisions with which they have to comply and improve the Cost-Income-Ratio.

The EU Sustainability Taxonomy

Regulation (EU) 2020/852 of the European Parliament and of the Council of 18 June 2020 on the establishment of a framework to facilitate sustainable investment, and amending Regulation (EU) 2019/2088, places sustainability at the centre of the financial system. This is intended – in accordance with the Regulation (EU) 2020/852 – to direct capital flows into “sustainable” investments. Regulation (EU) 2020/852 is addressed to companies engaged in capital markets and thus also to financial institutions that provide investment advice or portfolio management to retail clients or professionals who are therefore called upon to act responsibly. Regulation (EU) 2020/852 sets out considerable disclosure obligations for entrepreneurs as of 1 January 2022 in order to provide (potential) investors with “clear and not misleading” information about the respective company and financial instrument. To this end, the regulation contains the criteria for determining whether an economic activity is to be classified as environmentally sustainable in order to be able to determine the degree of environmental sustainability of an investment. For this purpose, the regulation defines the following six environmental objectives:

  • climate change mitigation;
  • climate change adaptation;
  • the sustainable use and protection of water and marine resources;
  • the transition to a circular economy;
  • pollution prevention and control; and
  • the protection and restoration of biodiversity and ecosystems.

For an economic activity to be considered environmentally sustainable under the EU taxonomy, the following conditions must be met:

  • the activity must make a significant contribution to at least one of the six environmental objectives listed above;
  • the activity must not cause significant harm to any of the other environmental objectives (the “do no significant harm” principle);
  • companies must meet the minimum social standards set by the EU; and
  • the technical evaluation criteria, which are or have been set by the Commission, must be met.

Transparency Obligations

The rules for financial market participants and financial advisers on transparency with regard to the integration of sustainability risks and the consideration of adverse sustainability impacts in their processes and the provision of sustainability‐related information with respect to financial products are laid down in Regulation (EU) 2020/852 and Regulation (EU) 2019/2088, which provide for the following transparency obligations:

  • transparency of sustainability risk policies;
  • transparency of adverse sustainability impacts at entity level;
  • transparency of remuneration policies in relation to the integration of sustainability risks;
  • transparency of the integration of sustainability risks;
  • transparency of adverse sustainability impacts at financial product level;
  • transparency of the promotion of environmental or social characteristics in pre‐contractual disclosures;
  • transparency of (environmentally) sustainable investments in pre‐contractual disclosures and in periodic reports;
  • transparency of the promotion of environmental or social characteristics and of sustainable investments on websites and in periodic reports;
  • transparency of financial products that promote environmental characteristics in pre-contractual disclosures and in periodic reports;
  • transparency of other financial products in pre-contractual disclosures and in periodic reports (“[t]he investments underlying this financial product do not take into account the EU criteria for environmentally sustainable economic activities.”); and
  • transparency of undertakings in non-financial statements.
Fellner Wratzfeld and Partners

Schottenring 12
A-1010 Vienna

+43 1 53770 0

Trends and Developments


DLA Piper is a global law firm with lawyers located in more than 40 countries throughout the Americas, Europe, the Middle East, Africa, and Asia Pacific. It is the leading mid-market M&A and private equity firm in Europe and has more than 70 corporate partners across Europe specialising in PE. The management advisory team has acted on over 30 mandates over the last three years with a combined value of over EUR36 billion. The team at DLA Piper has specific expertise in fundraising, buyouts and secondaries, buy and builds, sponsorship and management, corporate ventures and venture capital and exit planning and execution (M&A/IPO/refinancing/return of cash)

Current Developments in Open Banking From the EU and Austrian Law Perspective


In the last couple of years, the bank-centric financial market has been increasingly faced with challenges related to the spectrum of choices that can be provided to customers as well as the development of new financial products and services based on the technologies which are gaining in popularity. One of the most important (and often described as revolutionary) trends is “open banking”, a banking practice that enables third-party financial services providers access to several types of data kept by banks and other financial institutions, thereby transforming the existing bank-centric financial system and, most importantly, introducing innovation and competition into the financial services sector.

Simultaneously, the (supra)national legislators and regulators have been – considering several developments that have taken place on the market – presented with new legal issues that needed to be addressed. In the context of the open banking phenomenon, these issues include, among others, defining the appropriate and sufficient regulatory response as well as concerns related to regulation of data being shared in this respect. This paper will focus on the latter aspect, namely the question of how to regulate increased data sharing while maintaining high standards of privacy and data protection as well as ensuring a level playing field between different financial services providers (including banks and fintech providers).

The key EU measure in this respect was the introduction of the Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (PSD 2) which entered into force on 12 January 2016 and started to apply on 13 January 2018. EU member states, including Austria, have transposed the PSD 2 into national legislation to establish a functioning legal framework for payment services providers as well as general rules applicable to the financial services sector as a whole.

Despite the successful implementation of the PSD 2 and its provisions, the new legal challenges combined with the new technologies that have emerged require amendment of the current legal rules. In particular, one of the main issues is the interaction of financial services rules on open banking (including PSD 2) with personal data protection and privacy law which will be discussed below.

What is open banking?

Open banking is an emerging banking practice with the purpose of providing third-party financial services providers “open access” to various types of data on consumers as well as other financial data kept by either banks or other financial institutions. In principle, the open access to such data is provided using the so-called application programming interfaces (APIs).

Open banking therefore breaks the concentration of information in traditional banks and increases networking of multiple accounts as well as data across the financial services sector merged between old and new service providers (see, for instance, F. Ferretti, Open Banking: Gordian Legal Knots in the Uncomfortable Cohabitation between the PSD2 and the GDPR, 1 European Review of Private Law 2022, 30, pages 73–102). As will be discussed in more detail below, this enables new products and services to enter the fintech market, which leads to a better overall customer experience.

Under the PSD 2 regime there are, broadly speaking, two different types of entity that are regulated and considered as third-party providers in the above sense, namely:

  • account information service providers (AISP), and
  • payment initiation service providers (PISP).

The aim of the AISP and their respective services is to provide a payment services user with an overall view of its financial situation immediately at any given moment (see, for instance, Recital 28 of PSD 2). Payment initiation services, on the other hand, enable the PISP to provide comfort to a payee that the payment has been initiated to provide an incentive to the payee to release the goods or to deliver the service without undue delay (ie, a low-cost solution for both merchants and consumers that provides the latter with a possibility to shop online even without possessing payment cards – see, for instance, Recital 29 of PSD 2). It should be noted that both types of third-party providers described above must be licensed and need to comply with the legal requirements laid down in PSD 2.

Legal framework – status quo

The key legal act on the EU level is PSD 2 which forms the cornerstone of EU legislation on open banking. As a successor of Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and repealing Directive 97/5/EC, which was largely limited to the regulation of payment services and information requirements for payment services providers, PSD 2 tackles broader issues. This includes, among other things, opening up payment markets to new entrants as well as furthering the level playing field for payment services providers, leading to more (fair) competition, greater choice and better prices for consumers. In this context, PSD 2 pertains to companies offering consumer-oriented or business-oriented payment services which are based on access to the payment account and differentiates between account information services on the one hand (provided by AISP) and payment initiation services on the other (provided by PISP) – ie, both licensable payment services, pursuant to Nos 7 and 8 of Annex 1 to PSD 2.

In Austria, PSD 2 has been transposed, among other acts, into the Austrian Payment Services Act (ZaDiG 2018).

Key provisions of PSD 2/ZaDiG 2018 relating to open banking aspects relevant to this paper are:

  • Article 66 of PSD 2 (which has been transposed into Section 60 of ZaDiG 2018 with, in principle, no notable derogations) in relation to payment initiation services (Zahlungsauslösedienste); and
  • Article 67 of PSD 2 (which has been transposed into Section 61 of ZaDiG also with, in principle, no notable derogations) in relation to account information services (Kontoinformationsdienste).

Apart from the regulation pertaining to payment services as such, open banking is subject to several other regulatory realms including EU electronic verification rules, cybersecurity legislation, the most recently adopted EU digital finance package, and, finally, privacy and personal data protection legislation.

Amending proposals for the existing legal framework

Following the European Commission’s Call for Advice on the review of the PSD 2 in 2021, the European Banking Authority (EBA) published, on 23 June 2022, an Opinion of the European Banking Authority on its technical advice on the review of Directive (EU) 2015/2366 on payment services in the internal market (PSD2) (the “EBA Opinion”). In the comprehensive EBA Opinion, the EBA’s amending proposals touch upon several aspects with the aim of contributing to the development of a single EU retail payments market as well as ensuring a harmonised and consistent application of the legal requirements across the EU. As a side note it is worth mentioning that even though discussions are currently taking place on the EU level, the amendment of the PSD 2 regime will result in amendments of the EU member states’ national payment services regimes (including ZaDiG 2018 in Austria).

One of the EBA’s proposals aims at protecting consumers’ data, more particularly, access to and use of payment accounts data in relation to account information services and payment initiation services (ie, also a special section of the European Commission’s Call for Advice). On several occasions, the EBA Opinion mentions the problem of interplay between PSD2 and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR). According to the EBA, legal uncertainty of interplay between PSD 2 and the GDPR pertains especially to the following aspects (as outlined on pages 113 et seq of the EBA Opinion).

  • The implementation of the data minimisation requirements under the GDPR into the design of the interfaces that account servicing payment services providers are required to provide under PSD2.
  • The processing of special categories of personal data, and in particular whether the processing of payment transaction data is subject to the requirements in Article 9 of the GDPR (whereby it shall be borne in mind that such an interpretation could have far-reaching effects on the processing of all payment transactions and on the financial system).
  • The legal ground for processing of the so-called “silent party” (defined by the European Data Protection Board (EDPB) as personal data pertaining to a data subject who is not the user of a specific payment services provider, but whose personal data is being processed by that specific payment services provider for the performance of a contract between the provider and the payment services user; see EDPB: Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR as of 15 December 2020 (the “EDPB Guidelines”)).
  • The compatibility of the GDPR principle of data minimisation with “screen scraping” techniques.
  • The possibility for third-party providers to share with account servicing payment services providers data such as the payment services user’s location, IP-address, and other device data.

Further to the above aspects, additional problems of interplay between PSD 2 and other legal acts regulating the processing of personal data may arise also in light of the specific requirements stemming from national legal regimes. In Austria, the most important national law in this area is the strict banking secrecy legislation which may affect the data protection regime under PSD 2.

Lawfulness of processing of the customer’s data by third-party providers

One of the main issues deriving from the interplay between PSD 2 and the GDPR is the nature of the legal bases for processing customers’ data. Although the EDPB Guidelines have provided a certain level of clarity in this respect, both the EBA and EDPB recognised that explicit consent under Article 94 (2) of PSD 2 shall be differentiated from (explicit) consent under the GDPR, leaving several aspects of the issue at hand unclear to a certain extent.

Consent under the GDPR

Under the GDPR, controllers that wish to process personal data must have a legal basis. Article 6(1) of the GDPR represents an exhaustive and restrictive list of legal bases for processing of personal data under the GDPR regime which includes, among others, consent (Article 6(1)(a), GDPR).

Consent of the data subject under the GDPR regime (as defined in Article 4(11), GDPR which reflects Recital 32 thereof) shall be understood as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Apart from other safeguards stemming from, for instance, Articles 7 and 9 of the GDPR, it shall also be mentioned that consent can under no circumstances be inferred from potentially ambiguous statements or actions. In addition, consent cannot be obtained through, for example, agreeing to a contract or accepting general terms and conditions (see page 13 of the EDPB Guidelines).

Despite national legal rules pertaining to consent in the context of processing of personal data (in particular, the Austrian Data Protection Act (Datenschutzgesetz – DSG)), the GDPR regime constitutes a comprehensive regulation of consent which means that the DSG provisions are in this respect, generally speaking, of no relevance.

Explicit consent under PSD 2/ZaDiG 2018

According to Article 94 (2) of PSD 2, payment services providers shall only access, process, and retain personal data necessary for the provision of their payment services, with the explicit consent of the payment services user.

Although similar in nature, explicit consent under PSD 2 shall be differentiated from (explicit) consent under the GDPR regime, according to the EDPB Guidelines. Namely, the EDPB explicitly rejected the notion that Article 94 (2) of PSD 2 shall be regarded as an additional legal basis for processing of personal data. Accordingly, the explicit consent requirement defined in Article 94(2) of PSD2 shall be regarded as an additional requirement of a contractual nature in relation to the access to, and subsequent processing/storage of, personal data in the context of provision of payment services (see page 14 of the EDPB Guidelines). Due to the fact that the explicit consent under Article 94 (2) of PSD 2 is a contractual consent, the following aspects are implied, according to the EDPB Guidelines.

  • When entering into a contract with a payment services provider in line with PSD 2, data subjects must be made fully aware of the specific categories of personal data that will be processed.
  • Data subjects shall be made aware of the specific (payment service) purpose for which their personal data will be processed and shall agree to these clauses in an explicit fashion.
  • The relevant clauses should be clearly distinguishable from the other clauses within the contract and should be required to be accepted by the data subject in an explicit fashion.

In conclusion, consent under Article 94 (2) of PSD 2 does not represent a legal ground for the processing of personal data; however, it ensures a degree of control and transparency for the user of payment service.

In Austria, Article 94 (2) of PSD 2 has been transposed in Section 90 (4) of ZaDiG 2018 without, generally speaking, any notable differences. Nonetheless, Section 90 (4) of ZaDiG 2018 goes a step further than Article 94 (2) of PSD 2 by stipulating that payment services providers shall inform payment services users about the processing of personal data in accordance with Article 13 (Information to be provided where personal data are collected from the data subject) and Article 14 (Information to be provided where personal data have not been obtained from the data subject) of the GDPR.

Austrian banking secrecy regulation as an additional set of requirements pertaining to processing of customer’s data by third-party providers

Apart from requirements pertaining to (explicit) consent under the GDPR and PSD 2 regime, there is one additional aspect that needs to be considered when assessing the role of customer’s consent in the context of open banking regulation, namely consent to allow access to a customer’s banking data as per banking secrecy provisions. See The Role of Consumer Consent in Open Banking: Financial Inclusion Support Framework. Technical Note; Washington, DC © World Bank (the “Technical Note”).

Banking secrecy (Bankgeheimnis), a general obligation of banks not to pass on information to third parties which they obtained because of a business relationship, is traditionally excluded from the scope of the EU harmonisation project. This means that the banking secrecy legislation is almost entirely based on national rules. In Austria, the banking secrecy rule is enacted in Section 38 of the Austrian Banking Act (Bankwesengesetz, BWG).

Section 38 (1) of the BWG sets out that credit institutions (eg, banks), their shareholders, members of governing bodies, employees, and other staff employed by the credit institutions shall not disclose or exploit secrets entrusted to them or made accessible to them exclusively based on business relations with customers. This means that the entities/persons subject to banking secrecy rules must ensure their customer’s interest in confidentiality in the form of a duty of confidentiality on the part of the obliged entities / persons (see Kammel in Laurer/M. Schütz/Kammel/Ratka, BWG Section 38 No 1-7 (Status 1.1.2019,

Despite the strict nature of the banking secrecy provision, Section 38 (2) of the BWG lays down several scenarios which release the obliged entities/persons from banking secrecy requirements. These include, inter alia, the customer’s express and written consent to the disclosure of the secret, pursuant to Section 38 (2) No 5 of the BWG (whereby it shall be noted that the BWG also foresees certain exemptions from the requirement that such consent shall be provided in a written form, in particular in cases where means of distance communication with customer authentication are used). Austrian legal scholars have described express and written consent as a “non-genuine exception” to banking secrecy regulation and simultaneously emphasised its function as a protective measure to ensure that the customer does not grant premature or misleading consent (due to the requirement of written form and an express nature) (see Kammel in Laurer/M. Schütz/Kammel/Ratka, BWG Section 38 No 20 (Status 1.1.2019,

In light of the above, Austrian law imposes – in addition to explicit consent-related requirements under the GDPR and PSD 2 – explicit and written consent requirements under the Austrian banking secrecy legislation, under the assumption that the entity/person in question is subject to the respective rules. This means that the relevant entities shall also observe this aspect when considering participating in open banking arrangements, in particular due to the possible consequences/sanctions that may apply in the case of a breach of the banking secrecy legal framework which range from civil and criminal to administrative sanctions.


Considering the ever-growing popularity and presence of open banking on the financial services market, it may be expected that such arrangements will become more and more important as well as increasingly used by different market participants. Although this will bring benefits to customers and the financial services market as such, it will simultaneously create challenges for legislators and regulators to ensure a safe and stable market.

Despite the issue of consent for processing data in the course of existing open banking arrangements in the EU being, for the most part, clarified, the authors believe that there are still several uncertainties which may – especially in the case of larger amounts of data and other types of data being processed – cause problems. In order to avoid any issues in the future, the amendment of PSD 2 (as well as any other legal acts) should also clarify in detail the interplay of PSD 2 and the GDPR as well as – although not important for the EU as a whole – potential conflicts with the national banking secrecy regimes.

DLA Piper Weiss-Tessbach Rechtsanwälte GmbH

Schottenring 14
1010 Vienna

+43 1 53178 1042

+43 1 53178 52 52