Banking Regulation 2026

Last Updated December 09, 2025

Austria

Law and Practice

Authors

KPMG Law - Buchberger Ettmayer Rechtsanwälte is a full-service law firm based in Vienna with a team of around 30 lawyers. Working seamlessly with KPMG’s tax, advisory and audit teams, the firm provides integrated solutions across corporate/M&A, commercial, real estate, employment, dispute resolution, restructuring and regulatory mandates. In 2022, KPMG Law was named “Law Firm of the Year – Austria” by a leading legal ranking, which noted that the banking and finance practice group was the most visible and active among Austrian Big Four firms and highlighted its effective integration. KPMG Law advises leading corporates, financial institutions and public bodies on complex transactions and regulatory matters, including financings, financial services restructurings and banking and investment funds mandates. Embedded in KPMG’s international network, the firm regularly collaborates with colleagues in Germany, Switzerland, Spain and the UK to deliver a consistent cross-border work product.

Key Laws and Regulations

Effective regulation of banks is fundamental to the stability and safety of the financial system. Considering its importance, the banking sector is the most closely supervised and regulated area. The Austrian legal framework for banks operates within the EU’s legislative architecture and is implemented through a coherent set of domestic acts and supervisory instruments. The core national statute is the Banking Act (Bankwesengesetz; BWG), which governs licensing, ownership control, prudential governance and the conduct of credit institutions. Capital and liquidity requirements derive from the EU Capital Requirements Regulation (CRR) and the Capital Requirements Directive (CRD), as transposed in the BWG. Recovery and resolution are governed by the Bank Recovery and Resolution Directive (BRRD), implemented by the Bank Recovery and Resolution Act (Bundesgesetz über die Sanierung und Abwicklung von Banken; BaSAG). Deposit protection is set by the Deposit Guarantee Schemes Directive (DGSD) and implemented by the Deposit Guarantee and Investor Compensation Act (Einlagensicherungs- und Anlegerentschädigungsgesetz; ESAEG). For banks acting in the form of a savings bank (Sparkasse), a separate legal act (Sparkassengesetz; SpG) governs the organisational structure of this specific legal form for credit institutions.

Complementary statutes include the Financial Market Authority Act (Finanzmarktaufsichtsbehördengesetz; FMABG), which establishes the Austrian Financial Market Authority (FMA) and defines its supervisory mandate and powers. For rendering financial services, the relevant legislation is the Securities Supervision Act 2018 (Wertpapieraufsichtsgesetz; WAG 2018), transposing the EU Markets in Financial Instruments Directive (MiFID) regime; the Payment Services Act 2018 (Zahlungsdienstegesetz; ZaDiG 2018) for payment service activities under the Second Payment Services Directive (PSD2); the Covered Bonds Act (Pfandbriefgesetz; PfandBG) for covered bond issuance; and the Financial Markets Anti-Money Laundering Act (Finanzmarkt-Geldwäschegesetz; FM-GwG) together with the Beneficial Owners Register Act (Wirtschaftliche Eigentümer Registergesetz; WiEReG) for AML/CFT and beneficial ownership duties. Consumer lending is further shaped by the Mortgage and Real Estate Credit Act (Hypothekar- und Immobilienkreditgesetz; HIKrG) and the Consumer Credit Act (Verbraucherkreditgesetz; VKrG), alongside general consumer laws.

Supervisory Authorities

Austria participates in the EU’s Single Supervisory Mechanism (SSM), under which banking supervision is shared between the European Central Bank (ECB), the Austrian FMA and the Austrian National Bank (Österreichische Nationalbank; OeNB).

The ECB is responsible for banking supervision in the euro area. It supervises significant institutions established in Austria and oversees the supervision of less significant institutions nationally. Domestically, the FMA is the integrated supervisor for licensing, ongoing prudential and conduct oversight, and AML/CFT enforcement for credit and financial institutions. The OeNB has no decision-making powers in banking supervision. It supports micro-prudential supervision through data collection, off-site analysis and on-site inspections under a statutory co-operation model with the FMA and contributes to macro-prudential buffers via the Financial Market Stability Board framework.

In Austria, rendering banking services requires prior authorisation under the BWG. The catalogue of licensable activities is set out in Section 1, paragraph 1 of the BWG and includes taking deposits, granting credit for own account, trading on own account in financial instruments, safekeeping and administration of securities, issuing or acquiring payment instruments, foreign-exchange and money-broking, giving guarantees and commitments, and underwriting or placing financial instruments. Undertakings for Collective Investment in Transferable Securities (UCITS) investment companies are also banks in the meaning of the BWG, even though they are governed at the EU level by a different legal framework.

The licence and application process differentiates between CRR credit institutions and others. A “CRR credit institution” is defined in Article 4, paragraph 1 of the CRR as an undertaking that takes deposits or other repayable funds from the public and grants credit for its own account. For such CRR credit institutions, the ECB has exclusive competence to grant (and extend) authorisations within the SSM. These cases run through the SSM’s common procedures: the application is filed with and co-ordinated by the FMA, which conducts the fact-finding and assessment with the applicant. The ECB then issues the final decision, applying EU law together with the relevant national provisions of the BWG. By contrast, where the applicant does not meet the CRR definition (so-called non-CRR credit institutions under Austrian law), or where the case concerns a branch of a third-country bank, the FMA is the licensing authority and decides the application under the BWG.

Authorisation Process

The licensing application must be submitted to the FMA, regardless of whether the final decision rests with the FMA or the ECB. Where the applicant is an Austrian non-CRR credit institution or a branch of a foreign credit institution, the procedure is handled entirely by the FMA. If the applicant meets the CRR definition of a credit institution, the FMA processes the file and forwards it together with a draft decision and the supporting documentation to the ECB, which takes the final decision.

Following submission, the FMA typically holds a short pre-filing dialogue and then performs a completeness check. Once completeness is acknowledged, the assessment period begins. By law, a decision is normally taken within six months. In this context, applicants are expected to file a coherent dossier covering:

  • a programme of operations and three-year business plan;
  • evidence of initial capital as required by the CRD and the BWG (as a rule, at least EUR5 million, freely available to the managers without restriction);
  • a governance and organisational blueprint – risk management, compliance, internal audit, outsourcing and information and communication technology (ICT) arrangements consistent with applicable EU standards, including the Digital Operational Resilience Act (DORA);
  • comprehensive AML/CFT, conduct and product governance policies; and
  • full fit-and-proper documentation for members of the management and supervisory bodies and other key function holders.

The FMA’s review is interactive and typically involves written rounds of questions, meetings or interviews with proposed managers, and (where appropriate) conditions or remediation undertakings.

Licensing Requirements

A licence is granted if the conditions in Section 5 of the BWG are met; in particular:

  • the applicant uses a permitted legal form (company, co-operative or savings bank);
  • the constitutional documents must support the safeguarding of client assets and the proper conduct of the activities listed in Section 1, paragraph 1 of the BWG;
  • initial capital of at least EUR5 million, unencumbered and freely available in Austria to the managers;
  • the managers must be professionally qualified and experienced (“fit and proper”);
  • at least two managing directors (no sole representation, including sole prokura) – in co-operatives, management is restricted to the appointed managers;
  • no managing director may have another principal occupation outside banking (or insurance/pension funds); and
  • the registered office and head office must be located in Austria.

Costs

Bank licensing involves a one-off application fee under the FMA Fee Regulation for the initial licence and any later extension, and amounts to EUR12,500 for the initial licence and EUR2,500 for any later extension. CRR credit institutions within the SSM also pay the ECB’s annual supervisory fee. Besides the statutory fees, extra costs can include fit-and-proper documents, certified translations and notarisation.

In Austria, acquisitions of qualifying holdings in credit institutions follow the EU “qualifying holdings” regime, as implemented in Section 20 of the BWG and carried out within the SSM (ie, ownership control procedure). Before entering into binding commitments (ie, before signing), a written notification must be filed with the FMA by any person who:

  • intends to acquire, directly or indirectly, a qualifying holding (10% or more) in an Austrian bank;
  • intends to increase such a holding so that their voting rights or capital reach or exceed 20%, 30% or 50%; or
  • intends to make the bank its subsidiary.

Falling below any of these thresholds also triggers a notification duty. Separately, the credit institution itself must notify the FMA promptly in writing once it becomes aware of any acquisition or disposal of a qualifying holding and any event by which a shareholder’s interest reaches, exceeds or falls below the statutory thresholds. In addition, the bank must provide the FMA, at least once per year, with an updated list of shareholders holding a qualifying interest, including their names and addresses.

The notification under the ownership control procedure must be submitted in writing and must comply with the catalogue in Section 20b of the BWG. The FMA’s 2016 Regulation on Own Funds and Capital Requirements (Eigenmittel- und Kapitalvorschriften-Verordnung; EKV 2016) sets out the detailed information and documents to be provided. Typically required are a complete presentation of the ownership and control structure (including beneficial owners), a description of the transaction and the thresholds concerned, a robust account of the source of funds and financing structure, a business plan setting out strategic objectives and the impact on the bank’s governance, and evidence of the reliability and integrity of the acquirer and all key persons. Acquirers acting in concert are assessed on a consolidated basis, and indirect holdings/attributions must be disclosed.

After receiving the notification, the FMA has 60 business days from receipt of all documents to assess the proposed acquisition and may prohibit it. The FMA may interrupt the assessment period once, for a maximum of 20 business days (or, in specific cases, up to 30 business days). A prohibition can be issued if there are justified reasons or if the file is incomplete. In making its decision, the FMA considers:

  • the reliability of the acquirer and of the future management;
  • the financial soundness of the acquirer;
  • the target bank’s ability to continue meeting prudential requirements (capital, liquidity, governance, risk management);
  • AML/CFT risks and compliance; and
  • whether there are any obstacles to effective supervision (group transparency, co-operation with third-country authorities).

Based on the submitted documents, the FMA prepares a draft decision and forwards it to the ECB for the final decision in case of CRR credit institutions. If no written prohibition is issued by the FMA and the ECB within the assessment period, the acquisition may be completed. Approvals may be made subject to conditions. If the bank’s shares are listed on an Austrian regulated market, the acquirer must also comply with the Austrian Stock Exchange Act (Börsegesetz; BörseG) and its disclosure requirements, and the Austrian Takeover Act in case of public takeovers.

Corporate governance in Austrian banks is primarily grounded in national legislation, including the BWG and, where applicable, the Austrian Stock Corporation Act (Aktiengesetz; AktG), complemented by EU legislation such as CRD IV and CRD V. These statutory frameworks define the overall responsibilities, organisational structures and oversight mechanisms that banks must maintain to ensure prudent management and regulatory compliance. Banks are expected to implement robust internal governance arrangements covering both operational management and strategic oversight, ensuring that responsibilities are clearly allocated and that decision-making processes are documented and transparent.

Corporate governance also encompasses systems and controls requirements, including comprehensive risk management, compliance, internal audit functions, and the monitoring of outsourced services and ICT arrangements. Banks are expected to implement effective internal control frameworks that allow timely identification and management of risks, support regulatory reporting, and ensure the integrity of financial and operational processes.

In addition to statutory obligations, Austrian banks frequently adhere to voluntary governance codes, most notably the Austrian Corporate Governance Code (Österreichischer Corporate Governance Kodex; ÖCGK), which provides guidance on best practices for board structure, risk oversight, transparency and stakeholder engagement. These codes help institutions go beyond the minimum legal requirements, promoting sound governance, accountability and trust in the banking system.

Finally, corporate governance also incorporates ethical standards and conduct rules for employees, particularly in critical positions. While Austria does not have a universal “bankers’ oath”, banks adopt binding codes of conduct, aligned with BWG obligations and EBA guidelines, to ensure staff act with integrity, diligence and in the best interest of the institution, while avoiding conflicts of interest.

Banks are required to ensure the suitability and integrity of their senior management, including members of the management board, the supervisory board and holders of key functions, on an ongoing basis. The primary legal framework for these requirements is provided by the BWG, specifically Section 5, paragraph 1, items 6 to 13, Section 28a and Section 30, paragraph 7a, which establish the standards for professional competence, reliability and collective suitability of management and supervisory bodies. These provisions are complemented by EU legislation, notably CRD IV and CRD V, which sets out harmonised governance and fit-and-proper requirements across the European banking sector. Banks are expected to implement internal policies and guidelines to assess, document and continuously monitor the fitness and propriety of all individuals in senior roles. Additionally, governing bodies and staff in key roles must undergo regular training to maintain knowledge of regulatory obligations, risk management principles and internal governance processes.

Regulatory Approval Process

Appointments of management board members and, where applicable, supervisory board members and other key function holders must be notified to the FMA without delay. The notification includes comprehensive documentation that enables the fit-and-proper assessment, such as professional qualifications and experience, prior roles, additional mandates, potential conflicts of interest, and evidence of integrity and reliability. Within the SSM, such notifications trigger a joint fit-and-proper process co-ordinated between the FMA and the ECB for significant institutions.

Fit and Proper Assessment

The FMA and ECB apply a rigorous fit-and-proper assessment when evaluating candidates. Newly appointed members of governing bodies are typically invited to a hearing to assess their theoretical knowledge and practical understanding of banking operations. The evaluation covers financial expertise, regulatory frameworks (including the BWG, relevant ordinances, and EU-level regulations such as CRR and EBA guidelines), corporate law, and the structure and organisation of the institution. The assessment ensures that directors and senior managers have the competence to manage and oversee the bank’s activities effectively and responsibly.

Screening Requirements

Banks must perform ongoing screening and monitoring of all senior management. This includes verifying the continued suitability, independence, and integrity of directors and key function holders, checking for new legal or regulatory issues, conflicts of interest or changes in personal circumstances that could affect their ability to perform their duties. Screening also covers politically exposed persons (PEPs), sanctions lists and any criminal or regulatory sanctions.

Remuneration policies and practices in Austrian banks are primarily governed by Section 39, paragraph 2 and Section 39b of the BWG, including the annex to Section 39b, which implement the provisions of CRD IV and CRD V into national law. These provisions apply to both individual institutions and banking groups and set out the framework for risk-sensitive variable remuneration schemes, ensuring that compensation structures align with the long-term interests of the bank and its stakeholders.

The requirements apply to senior management, key function holders and other material risk takers; that is, members of the management board, the heads of risk, compliance and internal audit, and any staff whose professional activities may materially affect the institution’s risk profile. The framework is designed to ensure that remuneration incentivises prudent risk-taking, discourages excessive short-term risk and promotes sustainable business conduct.

Key remuneration principles include:

  • proportionality – compensation structures must be appropriate to the bank’s size, internal organisation, risk profile and complexity of operations;
  • performance alignment – variable pay should reflect long-term performance rather than short-term gains; and
  • risk-adjustment – bonus payments are subject to risk adjustments, including deferred payments and claw-back mechanisms in the event of material losses or misconduct.

The FMA supervises banks’ compliance with the remuneration requirements. Its oversight covers remuneration policies, internal controls, risk adjustments and the implementation of EBA guidelines. The FMA also monitors CRR disclosure requirements and can require policy changes or impose sanctions for non-compliance.

Austria’s banking sector follows a risk-based AML/CFT regime under the FM-GwG, complemented by the WiEReG and relevant EU legislation, including the 4th and 5th Anti-Money Laundering Directives (AMLD 4 and AMLD 5), the 6th AML Directive (AMLD 6) and the EU Regulation on Transfers of Funds, as well as sanctions compliance obligations. Banks are required to implement these measures in line with the EBA guidelines on customer due diligence, transaction monitoring and risk assessment.

Banks must apply customer due diligence before establishing a business relationship and continuously throughout its duration. This includes identifying and verifying customers and beneficial owners, understanding the purpose and intended nature of the relationship, and monitoring transactions on an ongoing basis. Measures are proportionate to each institution’s documented risk assessment. Enhanced due diligence is applied where higher risks are identified, for example in relationships with PEPs, non-resident customers or high-risk jurisdictions. Simplified measures are used only where clearly justified by low risk.

In practice, compliance includes screening customers against sanctions lists, implementing targeted transaction monitoring and ensuring the timely escalation of unusual or suspicious activity. Institutions are also obliged to report suspicions of money laundering or terrorist financing to the competent authorities and to retain records for legally prescribed periods. These obligations are supported by internal policies, clear governance structures, regular staff training and independent testing of the control framework, to ensure effectiveness and adherence to both national and EU requirements.

The EU Deposit Guarantee Schemes Directive (DGSD) is implemented in Austria by ESAEG. Every deposit-taking institution authorised in Austria must belong to a statutory deposit guarantee scheme and comply with its organisational, reporting and funding duties. The framework embodies the principle that the costs of payout events are borne by credit institutions rather than the taxpayer. Payouts are financed from a deposit guarantee fund built through annual contributions from member institutions.

Administration is decentralised across banking sectors but operates under uniform statutory rules. Credit institutions are assigned to one of three recognised schemes: Einlagensicherung AUSTRIA GmbH (covering most joint-stock, co-operative and mortgage banks), the Austrian Raiffeisen Protection Institution (Österreichische Raiffeisen-Sicherungseinrichtung eGen; ÖRS) for the Raiffeisen sector and Sparkassen-Haftungs GmbH for the savings banks group. Each scheme maintains its own fund, systems and payout processes, is supervised for compliance with ESAEG and co-ordinates with the FMA in a default event. Membership in the appropriate scheme is a condition for carrying out deposit-taking business. If the FMA determines that a bank’s deposits are unavailable, the relevant scheme must initiate repayment to depositors up to the covered amount and complete standard payouts within seven working days.

Coverage is broad and aims to protect households and the real economy while excluding professional financial risk-takers. Natural persons and most non-financial legal entities, including SMEs, are protected for eligible deposits held with an Austrian bank. Deposits of credit institutions and investment firms, certain public authorities and funds linked to criminal activity are excluded. Protection attaches to the balance of current, savings and term-deposit accounts and applies per depositor, per bank. Joint accounts are attributed to the co-holders in equal shares for the purpose of applying the limit. Foreign-currency deposits with Austrian institutions are covered but reimbursed in euros at the applicable rate on the payout date.

The general limit is EUR100,000 per depositor, per bank. If the depositor has several accounts with the same institution, balances are aggregated before the limit is applied; if accounts are held at different institutions, the limit is applied separately for each institution. The regime also recognises temporarily high balances arising from defined life events and provides enhanced protection for a limited period. In particular, deposits arising from real-estate transactions concerning a private principal residence, payments serving legally stipulated social purposes linked to specific life events (such as marriage, divorce, retirement, dismissal/redundancy, invalidity or death) and payments of insurance benefits or statutory compensation benefit from increased cover of up to EUR500,000 for 12 months from the date of credit, subject to the depositor providing evidence upon request.

Capital Requirements

Austrian banks are subject to prudential own-funds requirements as part of a risk-based supervisory framework, designed to align capital with each institution’s risk profile and ensure adequate loss-absorbing capacity. Under Article 92 of the CRR, banks must cover specific risk types, including credit risk, market risk, operational risk, counterparty credit risk, settlement risk and credit valuation adjustment (CVA) risk. The total risk exposure is calculated by summing these components, and the solvency ratio (Solvabilitätskoeffizient) is determined by comparing eligible own funds with the aggregate risk (total risk exposure amount; TREA). Article 92 of the CRR also requires banks to maintain, at all times, a Common Equity Tier 1 (CET1) ratio of 4.5%, a Tier 1 ratio of 6% and a total capital ratio of 8% of risk-weighted assets (RWAs).

In addition to these Pillar 1 requirements, Austrian banks are subject to macroprudential capital buffers, which may be set by the FMA. These include the capital conservation buffer (CCoB), the countercyclical capital buffer (CCyB), the systemic risk buffer (SyRB) and buffers for systemically important institutions (O-SII and G-SII) – and, since 1 July 2025, a sectoral systemic risk buffer (sSyRB). These requirements are transposed into Austrian law under Section 23 of the BWG.

The CCoB is a capital buffer amounting to 2.5% of a bank’s total exposures. It must be made up of CET1 capital. This buffer is in addition to the 4.5% minimum requirement for CET1 capital. Its objective is to conserve a bank’s capital. If a bank’s CCoB falls below 2.5%, automatic safeguards apply, which limit the amount of dividend and bonus payments the bank can make.

The CCyB addresses cyclical risks from excessive credit growth, requiring banks to hold additional CET1 capital during periods of expansion. By increasing own funds during upswings, the CCyB encourages more balanced risk pricing and supports a more sustainable supply of credit. In Austria, the CCyB is implemented under Section 23a BWG, and when early signs of procyclical systemic risk emerge – such as excessive credit growth – the FMA may set a buffer of up to 2.5 percentage points of RWA for domestic exposures.

The SyRB covers structural risks and is implemented under Section 23e of the BWG, while the O-SII buffer applies to highly interconnected and systemically relevant banks under Section 23d of the BWG. The SyRB may be applied broadly across the banking sector or to specific groups of institutions, either at the consolidated level or for particular exposure segments, such as by asset class. The O-SII buffer addresses the risks posed by highly interconnected and complex banks that are systemically important, and the associated externalities. In the EU framework, it is established by Article 131 of the CRD as a macroprudential capital buffer for structural risk, to be met in CET1 on top of the minimum and the combined buffer requirement.

The G-SII buffer applies to global systemically important institutions under Section 23c of the BWG, in addition to the CCoB and any other applicable macroprudential buffers. It must be met entirely with CET1 and is generally applied at the consolidated level to the EU parent of the G-SII group, although currently no Austrian bank is designated as a G-SII. All buffers are additive to the minimum requirements under Article 92 of the CRR, except where structural risks overlap and CRD stacking rules apply.

The sSyRB addresses systemic risks that are not adequately covered by other capital requirements or macroprudential tools. As a macroprudential instrument, it allows authorities to target specific systemic risks inherent in banks’ exposures at a sectoral level: it is applied to subsets of exposures deemed to pose systemic risks, particularly in areas such as residential or commercial real estate, thereby increasing the financial system’s resilience to shocks in those sectors.

The Pillar 2 requirement (P2R) is a bank-specific capital requirement that supplements the minimum capital requirement (known as the Pillar 1 requirement) in cases where the latter underestimates or does not cover certain risks. A bank’s P2R is determined as part of the Supervisory Review and Evaluation Process (SREP). It is legally binding, and if banks fail to comply, they could be subject to supervisory measures, including sanctions.

The P2R does not encompass the risk of excessive leverage, which is covered by the leverage ratio Pillar 2 requirement (LR-P2R). In addition to complying with both the P2R and the LR-P2R, banks are expected to follow the Pillar 2 guidance (P2G) and the leverage ratio Pillar 2 guidance (LR-P2G) set by the competent authority. Unlike the P2R, the P2G is not legally binding and merely reflects supervisory expectations.

Liquidity Requirements

Austrian banks must demonstrate short- and long-term liquidity resilience in line with CRR standards. The liquidity coverage ratio (LCR), fully in force since 1 January 2018 and amended by CRR II in June 2021, requires banks to hold sufficient high-quality liquid assets to withstand 30-day net cash outflows under stressed conditions. The net stable funding ratio (NSFR) ensures that available stable funding meets or exceeds required stable funding over a one-year horizon, under both normal and stressed conditions. Binding NSFR requirements apply from 28 June 2021, with a simplified approach permitted for smaller banks with total assets below EUR5 billion.

Furthermore, the Basel III leverage ratio is embedded in the CRR and became binding on 28 June 2021. Banks must maintain a minimum 3% ratio of Tier 1 capital to total exposures. G-SII must maintain a leverage ratio buffer that is 50% of the G-SII buffer determined by macroprudential authorities.

Austria has established a comprehensive legal and regulatory framework for dealing with banks that are failing or likely to fail, combining domestic law with EU rules. Under Section 82 of the BWG, certain insolvency procedures, such as reorganisation proceedings (Sanierungsverfahren), are not available for credit institutions. However, supervisory or bankruptcy proceedings may be initiated. Importantly, the conclusion of a reorganisation plan is not possible within bankruptcy proceedings, ensuring that banks in distress are handled under specific recovery and resolution rules rather than standard insolvency law.

BaSAG implements the BRRD into Austrian law and provides the legal basis for both recovery planning and resolution. Under this regime, banks are required to prepare recovery plans detailing measures to restore financial soundness if they experience distress. The FMA, as the supervisory authority, may take early intervention measures to correct emerging weaknesses before a bank becomes non-viable. Such measures can include requiring changes in governance, strengthening capital or liquidity, restricting high-risk activities or mandating divestments of certain business lines. Early intervention is designed to prevent the bank from reaching a state where resolution would become necessary.

When a bank cannot be restored to viability, the FMA, acting as the national resolution authority, may employ a range of resolution tools to maintain critical functions and limit systemic impact. These tools include transferring parts of a bank’s business to a third-party purchaser, establishing a temporary bridge institution, segregating impaired assets into a separate vehicle, and imposing bail-in measures on creditors and shareholders. The bail-in mechanism allows losses to be absorbed internally, following a predetermined hierarchy, and is a key instrument for avoiding taxpayer-funded rescues.

It is important to distinguish between recovery and resolution measures. Recovery measures are applied while the bank is still viable and focus on restoring financial health, whereas resolution tools are triggered when a bank is deemed non-viable and cannot be restored through recovery actions. This distinction ensures that interventions are proportional to the institution’s condition and that systemic stability is maintained.

Insolvency Preferences for Deposits

Austrian law provides specific protections for bank depositors in insolvency situations. Under ESAEG, deposits up to the guaranteed limit benefit from preferential treatment, meaning that covered deposits are repaid before most other unsecured creditors. This aligns with the EU DGSD and aims to protect retail depositors and maintain public confidence in the banking system.

ESG Regulatory Requirements in Austrian Banking

Austrian banks are increasingly subject to regulatory obligations concerning environmental, social and governance (ESG) matters, reflecting both EU-level legislation and national supervisory practices. ESG in banking encompasses the assessment of climate and ESG risks across all business activities, including lending, investment, and operational decisions. Given their central role in allocating capital, banks are well-positioned to support a transition towards a more sustainable and resilient economy, channelling finance towards responsible and impact-oriented projects while mitigating ESG-related risks.

Regulatory Framework

The integration of ESG considerations is anchored in a combination of EU directives and regulations and Austrian supervisory guidance. At the EU level, the Capital Requirements Directive V (CRD V) and the Capital Requirements Regulation II (CRR II) require banks to incorporate ESG-related risks into governance, risk management frameworks and capital planning. The Sustainable Finance Disclosure Regulation (SFDR, EU 2019/2088) mandates transparency on how sustainability risks are considered in investment and lending decisions, covering both pre-contractual disclosures and ongoing reporting. Complementing these requirements, the EU Taxonomy Regulation (EU 2020/852) establishes criteria for environmentally sustainable economic activities and guides banks in evaluating exposures against environmental objectives.

Transparency Obligations

Banks and financial institutions are required to provide clear, comparable and decision-useful information on sustainability risks, ESG impacts and the characteristics of their financial products. These transparency obligations are designed to help investors, clients and stakeholders understand how ESG considerations are integrated into business and investment decisions. Key requirements include:

  • disclosure of ESG and sustainability risk policies, showing how these risks are incorporated into governance, internal controls and risk management frameworks;
  • reporting adverse sustainability impacts at both the entity level and for individual financial products, allowing stakeholders to assess potential negative effects on the environment or society;
  • explanation of remuneration policies, demonstrating how compensation structures align with ESG risk management and long-term sustainable performance;
  • communication on the ESG characteristics of financial products, ensuring that pre-contractual documentation and periodic reports clearly indicate whether products promote environmental or social objectives;
  • explicit disclosure when financial products do not meet EU environmental criteria, avoiding misleading statements and supporting informed decision-making; and
  • integration of ESG information in non-financial statements and corporate reporting, providing a holistic view of how the institution addresses sustainability across operations and strategic planning.

DORA, effective from 17 January 2025, serves as the core regulation for enhancing digital resilience within the EU banking sector, including in Austria. DORA aims to ensure that banks and financial institutions are prepared to withstand ICT-related disruptions and cyber-attacks by setting comprehensive standards for ICT risk management, incident reporting, resilience testing and third-party ICT risk management. The DORA Enforcement Act (DORA-VG) has been introduced to adapt these EU regulations into Austria’s legal framework, ensuring that all Austrian credit institutions, as defined under Section 1, paragraph 1 of the BWG, are fully compliant with DORA’s provisions. This extends to institutions that might otherwise fall outside DORA’s general scope. The alignment of DORA with Austria’s national regulations strengthens the overall resilience of the banking sector and ensures consistent application of ICT standards across the EU.

Supervisory Role and Powers of the FMA

The FMA is the competent authority responsible for overseeing compliance with DORA’s requirements in Austria. As the central supervisory body, the FMA is equipped with powers to enforce compliance, which includes utilising tools from existing sectoral laws. These tools allow the FMA to immediately halt unlawful actions, exchange information with national and EU authorities and, under strict conditions, access communications metadata in cases where there is a well-founded suspicion of misconduct. Banks that violate DORA can face significant administrative penalties. For individuals responsible, the fines can reach up to EUR150,000, while legal entities may be fined up to EUR500,000 or 1% of their annual net turnover, whichever is higher. In determining penalties, the FMA considers factors such as seriousness, duration, the financial capacity of the violator and whether the institution has previously committed any violations.

Resilience Testing and Third-Party Risk Management

Banks are required to conduct resilience testing according to a risk-based approach. These tests typically include vulnerability scans, failover drills and end-to-end exercises, which focus on critical processes, key business functions and essential third-party dependencies. Banks designated for threat-led penetration testing (TLPT) must perform real-life penetration tests that are intelligence-driven and targeted at their most critical functions. These tests must occur at least once every three years. The test results must be documented and followed by a remediation plan, with subsequent retesting to ensure that any issues identified have been addressed. This proactive approach ensures that banks are better prepared for potential ICT incidents.

In addition to resilience testing, ICT third-party risk management is a crucial component of DORA’s framework. Banks must maintain a complete register of all ICT arrangements and assess risks such as concentration risk and substitutability. Enhanced due diligence is required for critical or important ICT services, and contracts with third-party providers must include specific terms addressing service levels, availability, recovery objectives, incident reporting, audit rights, data location, security requirements, patching obligations and subcontracting controls. This ensures that banks not only manage their internal ICT risks but also effectively mitigate risks arising from their third-party service providers.

Austria’s banking sector continues to align with evolving EU standards while maintaining targeted national measures. Over the next 12–24 months, three regulatory priorities are expected to have the most significant impact on banks: prudential reforms under Basel IV and CRD VI, ESG-related regulatory developments and updates to the consumer-credit framework in line with the new EU directive. Each of these areas will require banks to adapt their governance, risk management, capital planning and operational practices to meet both EU and domestic requirements.

In parallel, the FMA has summarised its ongoing supervisory focus. Its priorities are:

  • resilience and stability – ie, real estate risks for the financial market, interest-rate and credit risks, governance, open banking and stress tests, implementation of the Insurance Recovery and Resolution Directive (IRRD);
  • digitalisation and new business models – ie, DORA, AI Act, MiCAR;
  • sustainability – ie, greenwashing and transparency, sustainability risks, conduct of climate stress tests, sustainability reporting;
  • collective consumer protection – ie, establishment of a sector-crossing conduct hub, consumer protection with a focus on fund-linked life insurance, claim management for insurance companies, marketing communication, “magnifying glass” for funds;
  • “clean marketplace” – ie, sanctions supervision, Financial Action Task Force (FATF) assessment, establishing a link to AMLA; and
  • data-driven supervision – ie, implementation of an IT and data strategy, the creation of an innovation lab and a 360-degree-view supervision tool, and agile governance.

Upcoming Prudential Changes Under Basel IV and CRD VI

Austria is implementing the Basel IV package, comprising CRR III (Regulation EU 2024/1623) and CRD VI (Directive EU 2024/1619). CRR III entered into force on 9 July 2024 and applies from 1 January 2025, while CRD VI must be transposed into national law by 11 January 2026. These measures realign Austrian prudential rules with Basel standards and embed stronger governance and ESG-risk requirements. A central feature is the output floor, which limits the benefits from internal models by requiring that modelled RWAs remain above 72.5% of standardised RWA, with phased application through 2030.

The standardised approach to credit risk is now more granular, with risk weights depending on borrower characteristics, collateral, jurisdiction and mortgage-specific factors such as property type, occupancy and loan-to-value ratios. This change increases capital requirements for high-loan-to-value (LTV) and income-producing real-estate exposures. Operational-risk capital is simplified, replacing the advanced measurement approach with a single standardised measurement approach based on business indicators and loss history.

CRD VI also broadens qualitative governance requirements, holding boards accountable for risk culture, ESG oversight, and the approval of plans with measurable ESG risk targets embedded in internal capital and liquidity planning and reflected in ongoing supervisory review. Initial analysis indicates Basel IV implementation could increase RWAs by 5–10% system-wide, with larger effects in corporate and real-estate portfolios. Smaller banks following the standardised approach will see more moderate impacts but must align data, reporting and collateral valuation with the new framework.

Furthermore, the new CRD VI requirements are expected to increase capital intensity, which may compress lending margins and potentially slow new credit growth, particularly in the commercial real estate sector. Nevertheless, authorities regard these reforms as enhancing the resilience of the banking system, reducing variability in internal models and improving cross-border comparability.

CRD VI also introduces a harmonised framework for non-EU banks operating via branches, setting requirements for minimum capital, robust local governance and risk management, and enhanced reporting.

Upcoming ESG-Related Regulatory Developments

Austrian banks are preparing for strengthened ESG-related regulatory requirements, reflecting evolving EU standards. The European Banking Authority (EBA) is issuing updated guidelines on ESG risk management, which are expected to apply from January 2026 for ECB-supervised institutions and from January 2027 for smaller and non-complex banks. These guidelines will require banks to integrate ESG risks into their internal capital adequacy assessment process (ICAAP), SREP and overall risk governance frameworks.

Institutions will need to embed ESG considerations into strategic decision-making, linking identified risks to risk appetite frameworks and governance reporting at board level. Operationalisation will rely on measurable indicators, scenario-based stress testing and transition planning, including assessing potential financial impacts over short-, medium- and long-term horizons. Banks are also expected to enhance data collection, covering counterparty and sectoral exposures, greenhouse gas emissions, energy usage, social standards and corporate governance practices, with particular attention paid to high-emission or high-risk industries. Where data gaps exist, proxies may be used initially, but institutions should develop plans to improve data quality over time.

The guidelines further emphasise alignment with EU disclosure frameworks, including the Corporate Sustainability Reporting Directive (CSRD), the EU Taxonomy and Pillar 3 requirements. Banks will need to demonstrate that ESG risks are considered in credit underwriting, portfolio management and capital planning, ensuring that sustainability objectives are integrated into daily operations and long-term planning.

Regulators will monitor compliance through standard supervisory processes, using ICAAP/internal liquidity adequacy assessment process (ILAAP) assessments, SREP reviews and on-site inspections. The guidance aims to improve transparency, promote board accountability for ESG oversight, and ensure that ESG risks are consistently factored into decision-making. Austrian banks are expected to adjust policies, processes and governance structures to meet these requirements, strengthening resilience, facilitating alignment with sustainability goals and supporting risk-informed, forward-looking management of ESG exposures.

Upcoming Consumer Credit Regulatory Developments

Austria is transposing the new EU Consumer Credit Directive (Directive EU 2023/2225), which introduces significant reforms to consumer lending. Implementation into national law is required by November 2025, with application to new contracts from 20 November 2026. The directive broadens the scope to include small-value loans, zero-interest financing, limited buy-now-pay-later arrangements and certain rental or leasing contracts with purchase options. These changes address protection gaps in low-value and short-term credit products.

The definition of “credit” is now broader than under current Austrian law, encompassing deferred payments and financing beyond traditional interest-bearing loans. This extends protection to instruments such as credit cards with deferred payments and zero-percent loans. Certain short-term credit cards may be exempt if repaid within 40 days with minimal fees.

Consumer safeguards are strengthened through advertising restrictions, mandatory cost warnings and measures to prevent abuse, including caps on excessive interest or total credit costs. Overdrafts will require monthly disclosure, and explicit consent is needed for credit beyond agreed limits. Early repayment rules now limit reductions to costs owed to the lender, and the standard 14-day withdrawal period is capped at one year and 14 days if pre-contractual information is incomplete.

Overall, the reforms materially enhance consumer protection, expand the regulated credit universe and require substantial updates to the VKrG.

KPMG Law - Buchberger Ettmayer Rechtsanwälte

Porzellangasse 51
1090 Vienna
Austria

+43 1 310 32 56

office@kpmg-law.at www.kpmg-law.at

Trends and Developments

Authors

HSP Rechtsanwälte GmbH is an internationally operating business law firm headquartered in Vienna. Since its foundation in 1997, the firm has grown steadily, combining a flexible approach to schedules and venues, close co-operation with one of the largest international networks (GGI Global Alliance) and a work ethic defined by efficiency, commitment and rapid response times. Strengths include providing personal, efficient, flexible and solution-oriented legal services at the highest level. Through its global network, the firm offers legal certainty and representation both nationally and internationally. It advises domestic and international banks, financial service providers and investors in banking, finance and capital markets law, covering bank establishment, M&A, corporate governance and compliance. The firm represents clients before regulators, prepares compliance due diligence reports, and assists EU and CIS-based clients with KYC and AML matters. Its focus also includes financing, private equity, venture capital, mezzanine financing, and project and real estate financing. Most recently, the firm advised banks and their ICT suppliers on regulatory compliance with DORA and NIS-2.

Introduction

In 2026, the Austrian financial sector will be shaped by the increasing digitalisation of banking, by EU regulation and by geopolitical tensions.

The European legislators are pushing ahead with several projects at the same time: the digital euro is intended to further prepare the ground for a new form of state-backed digital currency, while the comprehensive AML package and the establishment of the Anti-Money Laundering Authority (AMLA) are intended to enable greater transparency, harmonisation and control in the European financial sector. Furthermore, it cannot be ruled out that the crypto market will continue to gain ground in the financial market.

At the same time, there is growing pressure to strengthen security in cyberspace. In view of the technical possibilities offered by artificial intelligence, but also of international conflicts, it is clear that a stable financial system is only possible with digital resilience. The EU has created an important framework for this purpose with the Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554).

All these developments point to a financial sector characterised by digitalisation, transparency and security. Politicians, supervisory authorities and financial actors must promote technological innovation without neglecting the protection of privacy and economic freedom.

Cryptocurrencies – Pressure on MiCAR

The Markets in Crypto-Assets Regulation (MiCAR) (Regulation (EU) 2023/1114) established the first harmonised regulatory framework for cryptocurrencies within the EU. Its aim is to support innovation and new business opportunities in the crypto sector while ensuring financial stability and investor protection.

Nine months after MiCAR came fully into force, practical experience has revealed areas for improvement. National supervisory authorities report that significant differences in supervision have emerged between the member states, leading to unequal conditions in the European market. As a result, there are calls for a more effective and uniform supervisory structure to ensure fair competition, investor protection and smooth functioning of the EU internal market.

In September 2025, the French Autorité des Marchés Financiers (AMF), the Austrian Financial Market Authority (FMA) and the Italian Commissione Nazionale per le Società e la Borsa (CONSOB) jointly published a proposal to strengthen the MiCAR framework. While the regulation represents an important step forward in providing legal clarity and compliance standards for crypto-asset service providers, the three authorities emphasise that a stronger, more centralised supervisory system is needed to address cross-border and technological risks.

The proposal outlines several key recommendations.

  • Effective supervision through ESMA oversight: The national supervisory authorities propose that the European Securities and Markets Authority (ESMA) should directly supervise significant crypto-asset service providers operating across multiple countries in the EU. This could reduce regulatory fragmentation and ensure uniform application of MiCAR standards.
  • Stricter rules for non-EU platforms targeting EU investors: The AMF, FMA and CONSOB note that some third-country platforms continue to reach European clients via MiCAR-authorised EU intermediaries. They therefore propose that any intermediary executing client orders for crypto assets should only do so through platforms subject to MiCAR or an equivalent regulation. This would close current loopholes and strengthen the protection of investors.
  • Improved cybersecurity oversight: Due to the high cybersecurity risks in the crypto sector, regulators are calling for mandatory independent IT security audits. These should be conducted prior to authorisation and at regular intervals thereafter. These audits should cover asset protection, resilience to cyber-attacks and security incident management. Such measures would improve market integrity and strengthen investor confidence.
  • Centralised process for reviewing crypto-asset white papers: To ensure greater legal certainty and consistency, the three authorities propose the creation of a central EU mechanism for the submission and review of white papers for token issuers. This would streamline supervision, reflect the pan-European nature of most offerings and simplify compliance for issuers.

The regulators justify these proposals by arguing that, without stricter supervision, national authorities may have to protect domestic investors from risks arising in other member states. Furthermore, current provisions are insufficient to adequately address important sector-specific risks. Ultimately, the AMF, FMA and CONSOB argue that a strengthened supervisory structure is essential to ensure a level playing field, protect investors and maintain the competitiveness of European market participants in the rapidly evolving global crypto economy.

The year 2026 is likely to be a decisive one for the further development of MiCAR. The European Commission is expected to review the initial experiences of national authorities and market participants and possibly initiate targeted amendments or delegated acts to address the supervisory shortcomings identified by the AMF, FMA and CONSOB. There are already discussions about granting ESMA stronger co-ordination, or even direct supervisory powers, for cross-border crypto-asset service providers. This move would bring MiCAR more in line with the supervisory structures of traditional EU banking and securities regulation.

Overall, 2026 could mark the transition from implementation to consolidation: MiCAR would evolve from a pioneering legal framework into a mature, fully integrated part of the European financial supervisory framework – one that balances innovation with the stability and confidence that are essential for European financial markets.

Digital Euro – A New Monetary Phase

The introduction of the digital euro has been the subject of intense debate for several years and remains relevant due to its far-reaching implications. Now, the concept seems to be moving towards implementation. This step would further advance the digitalisation of the European banking sector – similar to what has already happened with the increasing spread of cryptocurrencies. EU banks face challenges, as they will be the ones handling the use of the digital euro and the structures required for its use in daily practice. As the digital euro will be central bank money, it will have an impact on liquidity requirements for EU banks.

The European Central Bank (ECB) repeatedly emphasises that the digital euro is not intended to replace cash, but rather to be a secure, government-guaranteed supplement to support the digital economy. The digital euro is intended to simplify payments within the EU and strengthen confidence in digital payment methods.

First phase: preparation

After a two-year preparatory and research phase and public consultation, this first phase of the project was expected to be completed in October 2025. The focus was on the technical prerequisites and legal framework conditions necessary for the subsequent introduction of the digital euro.

In this phase, the foundations for a possible launch of the digital euro should now be laid. Important milestones in this process include, among others:

  • the draft of a Digital Euro Scheme Rulebook, which regulates how the digital euro will work in practice, how users will be protected and how it will be ensured that no one is excluded from using the digital euro;
  • incorporating feedback from citizens and experts, particularly on data protection, user-friendliness and social inclusion, to ensure that the digital euro is as inclusive and user-friendly as possible; and
  • a tender procedure for selecting private partners for technical infrastructure, security and fraud detection systems.

On 2 October 2025, the ECB published the results of the tender procedure for the selection of private partners. As part of this process, several companies were selected as partners for five key components, namely:

  • alias lookup – allows users to send or receive digital euro payments using simple identifiers like phone numbers instead of the international bank account number (IBAN);
  • risk management and fraud detection;
  • app and software development kit;
  • offline solutions; and
  • secure exchange of payment information.

The framework agreements that have been concluded do not yet involve any payments but merely serve as preparation for possible future development work. Whether and when the digital euro will actually be issued depends on the final decision of the ECB Governing Council. However, this step appears to be a further indication of the imminent continuation of the introduction process.

The Governing Council of the ECB was expected to decide, in a meeting in October 2025, how to proceed with the technical preparations for the possible introduction of a digital euro – in other words, to decide on the second phase.

Second phase: market preparation

The market preparation phase, which is expected to begin in November 2025 at the earliest, will focus on developing specific use cases such as online payments, offline functionality and everyday transactions. At the same time, there will be close co-operation with national central banks and EU institutions. Issues such as data protection, money laundering prevention and operational security will be addressed.

Final phase: implementation?

For the digital euro to be introduced, the EU must pass a Digital Euro Regulation. The European Commission already proposed a legislative package in 2023.

Given the timetable and the steps mentioned above, it appears that 2026 will be a decisive year in which the legal foundations could be laid, or even completed. If the basic timetable is adhered to, the digital euro could be officially introduced between 2028 and 2029.

With the increasing digitalisation of the banking sector, Europe is taking an innovative step in line with global technological progress. The introduction of a digital euro marks a decisive point in this process, laying the foundation for a more digitalised and networked financial world.

Nevertheless, it should not be overlooked that a fully digital currency – despite guaranteed data protection standards – brings with it new challenges. It could make citizens’ financial lives more transparent; even if privacy is technically preserved, the digitalisation of payment transactions opens up new avenues for cybercrime and data misuse. Payment data could theoretically allow conclusions to be drawn about almost all areas of a person’s life – from consumer behaviour to movement profiles. Experience in recent years has shown that cyber-attacks and data leaks are a real and growing danger that must be considered in the further development of the digital euro.

The digital euro symbolises Europe’s pursuit of technological sovereignty and a modern financial infrastructure. It could become a central element of European payments and strengthen the EU’s competitiveness in the digital age. At the same time, its introduction requires a delicate balance between innovation, security and the protection of individual freedom.

Between Transparency and Control – The EU Money Laundering Package in the Context of Privacy

Although the EU’s comprehensive AML package came into force in the summer of 2024, its ongoing implementation in practice means that it will remain highly relevant in 2026, and not only for banks.

Money Laundering Regulation (Regulation (EU) 2024/1624)

A key component is the Money Laundering Regulation (Regulation (EU) 2024/1624), which will in large part only become applicable from July 2027. Nevertheless, preparations for its implementation will keep banks busy in 2026 in order to ensure full compliance with the new regulations.

The regulation stipulates the precise identification of beneficial owners of legal entities and increased ongoing monitoring of these entities. Suspicious activity reports must also be submitted according to stricter deadlines in future. These requirements will lead to relevant adjustments in the workflows of credit institutions, which will also affect customers – for example through more frequent requests for proof of identity or ownership.

In future, not only the traditional entities subject to money laundering prevention requirements, such as banks, but also crypto service providers will have to comply with money laundering regulations. This will result in greater regulation of digital assets and make this previously somewhat unclear area significantly more transparent.

Another key aspect of the Money Laundering Regulation is the introduction of a cash limit of EUR10,000. Member states are allowed to set lower limits, but it remains to be seen whether Austria will make use of this option. The regulation has met with criticism in Austria, as it is perceived as an encroachment on financial autonomy. The cash limit is likely to indirectly influence the behaviour of the population, including their payment habits, as larger transactions will increasingly have to be processed via digital channels.

Against the backdrop of the planned introduction of the digital euro, this development is often seen as a further step towards an increasingly transparent and monitored financial world. It is important to note that this could restrict citizens’ privacy, as financial activities are becoming increasingly easy to track. Although the measure serves to combat money laundering and terrorist financing, the protection of sensitive data, such as personal finances, remains an issue of central importance.

6th Money Laundering Directive (Directive (EU) 2024/1640)

To provide a complete list of the components of the AML package, the 6th Anti-Money Laundering Directive (Directive (EU) 2024/1640) must also be mentioned. This directive regulates the organisational and institutional structure within the framework of AML. It must be transposed into national law by mid-2027 and will also require financial institutions to restructure their internal processes.

AMLA Regulation (Regulation (EU) 2024/1620)

The most important part of the money laundering package is the AMLA Regulation (Regulation (EU) 2024/1620), which created the basis for the establishment of the AMLA. This is intended to enable a Union-wide supervisory structure that co-ordinates national authorities and even has direct cross-border powers. The AMLA has been formally operational since mid-2025, with full operational capacity to be achieved by the end of 2027. The technical and organisational structure, particularly in the IT area, will be completed as early as 2026.

Indirect introduction of an EU-wide asset register?

In recent years, there has also been frequent discussion of an EU-wide asset register in which all assets would be centrally recorded. However, the idea of one EU-wide register as such has not been further pursued for the time being, possibly due to data protection and political concerns. Nevertheless, various current measures are promoting at least an indirect centralisation:

  • establishment of the central EU money laundering authority, the AMLA, which will have direct access to national financial and law enforcement information;
  • establishment of a central EU bank account register at the AMLA;
  • harmonisation of the national transparency registers of the member states;
  • linking of commercial and land registers via a common access point;
  • cryptocurrency service providers in future being subject to the same money laundering regulations as credit institutions; and
  • sellers of luxury and cultural goods having to check and record transactions above a certain value threshold and store customer data.

These developments show a trend towards increasing standardisation and centralisation of financial and property data, even without one single EU-wide asset register. It cannot be ruled out that such a register will become a reality in the context of future legislative initiatives, such as further AML packages.

Cybersecurity – Between Regulation, War and Artificial Intelligence

Geopolitical tensions, technological upheavals and hybrid threats to security are evident throughout the world, and these developments also affect the Austrian banking sector.

Advancing digitalisation, for example through the crypto market and the digital euro, together with rapid developments in the field of artificial intelligence, increases the country’s appeal as a business location but also entails risks. Data and infrastructure are now so closely interlinked that even minor vulnerabilities can have widespread consequences. That is why cybersecurity is so important, especially in the banking sector.

Cyber-attacks as a tool in geopolitical conflicts

Cyber-attacks are increasingly becoming part of strategies in geopolitical conflicts. Russia’s war of aggression against Ukraine has also demonstrated how closely military conflicts are linked to digital attacks and targeted disinformation today. Cyber-attacks are increasingly being used to interfere with critical infrastructure, undermine trust and damage economies.

Companies in all sectors are continuously integrating new digital processes, which enlarges the attack surface available to cyber-attackers. The attacks are also becoming increasingly professional, a trend further facilitated by the possibilities offered by artificial intelligence. In the financial sector, too, more and more processes are being digitised, and products and services are being offered digitally. The financial sector in particular is a focus of attention because of the large amount of sensitive data it handles. Payment service providers manage highly sensitive data and are a central pillar of the economy. In Austria, where financial affairs are traditionally regarded as private, the protection of this data is essential to maintaining public trust.

According to recent studies, one in seven cyber-attacks in Austria is successful. Although it is said to be possible to detect 62% of attacks, the threats are evolving at an ever-increasing pace.

DORA (Regulation (EU) 2022/2554)

A key step towards strengthening digital resilience in Europe is DORA (Regulation (EU) 2022/2554), which has been binding since the beginning of 2025. Its aim is to prepare the European financial sector for digital risks and to ensure financial stability. It obliges financial institutions in the EU to implement effective technical and organisational measures against cyber-attacks.

The year 2026 will provide the first practical experience with the obligations under DORA. The review of the regulation will offer the opportunity to make regulatory or organisational adjustments where necessary and to evaluate how effective the rules have been in practice at preventing (successful) cyber-attacks. Changes can therefore be expected in this area in 2026.

HSP Rechtsanwälte GmbH

Gonzagagasse 4
1010 Vienna
Austria

+43 1 533 05 33

+43 1 533 05 33 33

office@hsp.law
www.hsp.law

Trends and Developments

Authors



HSP Rechtsanwälte GmbH is an internationally operating business law firm headquartered in Vienna. Since its foundation in 1997, the firm has grown steadily, combining a flexible approach to schedules and venues, close co-operation with one of the largest international networks (GGI Global Alliance) and a work ethic defined by efficiency, commitment and rapid response times. Strengths include providing personal, efficient, flexible and solution-oriented legal services at the highest level. Through its global network, the firm offers legal certainty and representation both nationally and internationally. It advises domestic and international banks, financial service providers and investors in banking, finance and capital markets law, covering bank establishment, M&A, corporate governance and compliance. The firm represents clients before regulators, prepares compliance due diligence reports, and assists EU and CIS-based clients with KYC and AML matters. Its focus also includes financing, private equity, venture capital, mezzanine financing, and project and real estate financing. Most recently, the firm advised banks and their ICT suppliers on regulatory compliance with DORA and NIS-2.
