Banking Regulation 2026

Last Updated December 09, 2025

Germany

Law and Practice

Authors



Sullivan & Cromwell LLP (S&C) provides the highest-quality legal advice and representation to clients worldwide. Its record of success and unparalleled client service have set it apart for more than 140 years and made the firm a model for the modern practice of law. Today, S&C is a leader in each of its core practice areas and in each of its geographic markets. Its more than 900 lawyers conduct a seamless, global practice through a network of 13 offices worldwide. Its financial services lawyers work on an integrated basis on matters involving the full range of their clients’ needs, such as mergers and acquisitions, bank regulation, capital markets, digital assets, fintech, economic sanctions and financial crime, commodities, futures and derivatives, consumer finance, and investigations and litigation.

Principal Laws and Regulations

Banking activity in Germany is governed by a combination of national and European legislation. Germany participates in the European Banking Union, which has established a common legal framework (known as the “Single Rulebook”) and a supervisory framework (known as the “Single Supervisory Mechanism”, SSM) for all participating EU member states of the euro area. Consequently, the national legislation is overlaid, supplemented and, in certain areas, replaced by European law.

The core national statute is the German Banking Act (Gesetz über das Kreditwesen, KWG). At the European level, the prudential framework is set by Directive (EU) 2013/36 on the prudential supervision of credit institutions and investment firms (CRD, last amended by Directive (EU) 2019/878 (“CRD V”) and Directive (EU) 2024/1619 (“CRD VI”), which needs to be transposed into national legislation by 10 January 2026), as well as the Capital Requirements Regulation (EU) 575/2013 (CRR, last amended by Regulation (EU) 2024/1623, “CRR III”). The Bank Recovery and Resolution Directive (EU) 2014/59 (BRRD), amended by Directive (EU) 2019/879 (“BRRD II”), has been transposed into national law mainly through the German Recovery and Resolution Act (Sanierungs- und Abwicklungsgesetz, SAG).

Further national laws relevant for the German banking sector – also shaped by EU requirements – include:

  • the German Securities Trading Act (Wertpapierhandelsgesetz, WpHG), which transposes (inter alia) Directive (EU) 2014/65 (“MiFID II”) into German law;
  • the German Money Laundering Act (Geldwäschegesetz, GwG);
  • the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz, ZAG); and
  • the relevant sections of the German Civil Code (Bürgerliches Gesetzbuch, BGB) and the German Commercial Code (Handelsgesetzbuch, HGB).

Regulators

Under the SSM, the European Central Bank (ECB) is the principal regulator for all credit institutions of participating EU member states of the euro area and shares its supervisory powers with the national competent authorities (NCAs). In Germany, this is the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin) supported by the German Federal Bank (Deutsche Bundesbank) (the “Bundesbank”).

The split of responsibilities between the ECB at the European level and BaFin as the German NCA works as follows: The ECB directly supervises “significant” German credit institutions, based on criteria such as size, economic importance or cross-border activities, as set out in the SSM Regulation (EU) 1024/2013, and BaFin directly supervises “less significant” German credit institutions. The ECB retains an overarching role, setting the supervisory standards to be applied, overseeing BaFin’s supervisory practices, and retaining the power to assume direct supervision of a less significant institution where necessary to ensure consistent application of supervisory standards across the euro area.

In connection with the ongoing supervision of credit institutions, the Bundesbank is designated in the KWG as the competent authority for certain sub-areas (eg, the Bundesbank evaluates, among other things, the reports and notifications that credit institutions must submit regularly), unless the competence lies with the ECB.

Authorisation Requirements

Under the KWG, any person wishing to conduct banking business in Germany on a commercial basis, or on a scale requiring a commercially organised business undertaking, must obtain prior written authorisation from the competent authority. To obtain such authorisation, an applicant must demonstrate, inter alia:

  • sufficient initial capital – for CRR credit institutions, at least EUR5 million;
  • management – at least two reliable, professionally qualified managing directors, with sufficient time availability;
  • qualifying shareholders – reliable holders of significant shareholdings meeting sound and prudent management standards;
  • registered office – a main office or registered seat in Germany; and
  • proper business organisation – including adequate risk management, internal controls and governance arrangements.

Authorising Authority

Under the SSM, the responsibility for granting an authorisation is shared between the ECB and BaFin. If the application covers both deposit-taking and lending activities, the institution qualifies as a “CRR credit institution” subject to the prudential requirements of the CRR. For such institutions, the ECB is responsible for granting the authorisation in co-operation with BaFin. In all other cases of regulated banking activity under the KWG, BaFin alone acts as the competent licensing authority.

Authorisation Process

The process typically begins with an initial meeting between BaFin and the applicant to discuss the documentation, the initial capital, and the suitability of the proposed managing directors. The purpose is to align expectations and to ensure the preparation of a complete, compliant and high-quality application.

The application must include a detailed business plan and supporting documentation, such as CVs, declarations of reliability and criminal-record certificates. Once a complete file is received, BaFin has six months to decide on the authorisation. In practice, the duration depends on the complexity of the business model and the completeness of the submission. If the application is incomplete, BaFin may request additional information. The six-month period starts only once the file is deemed complete.

If the applicant qualifies as a CRR credit institution, BaFin prepares a draft decision for the ECB, which issues the final decision. For non-CRR institutions, BaFin itself grants or denies the authorisation.

Throughout the process, BaFin acts as the sole point of contact for the applicant, even where the ECB is the final decision-maker. After authorisation, the credit institution is subject to supervisory fees payable to the ECB, determined primarily by the institution’s size and risk profile. The licensing procedure itself is also subject to administrative fees, irrespective of the outcome.

Activities and Services Covered

Once authorised, the credit institution may conduct, within the licence scope, banking activities under the KWG. These include, for example:

  • acceptance of deposits or repayable funds from the public (deposit business);
  • granting of loans and acceptance of credits (lending business);
  • safe custody and administration of securities for others (custody business);
  • assumption of guarantees, sureties and other warranties (guarantee business); and
  • acquisition of financial instruments for own risk for placement or assumption of equivalent guarantees (underwriting business).

In addition, certain financial services – such as investment brokerage, investment advice, placement business or portfolio management – also require authorisation under the KWG and/or WpHG. Further approvals may be required in certain cases – for example, where an institution provides insurance brokerage services or, in the case of non-CRR institutions, offers payment services under the ZAG.

Passporting

Based on the European “single passport” regime, credit institutions authorised in Germany are entitled to operate throughout the European Economic Area (EEA) without requiring a new licence in each host country. Such cross-border business may be carried out either by setting up a local branch (freedom of establishment) or by offering services from the home country (freedom to provide services).

Requirements for Establishing a Branch

To establish a branch in another EEA member state, the institution must notify BaFin and the relevant regional office of the Bundesbank, which in turn inform the ECB. For significant institutions, the ECB processes the notification and, if the conditions are met, forwards it to the host-state supervisory authority within three months. For less significant institutions, the notification is handled jointly by BaFin and the Bundesbank, which transmit the documents directly to the competent authority of the host state.

Requirement for Cross-Border Services

For the provision of cross-border services without establishing a branch, institutions must submit a notification describing the activities to be performed to BaFin and the Bundesbank, which then review the completeness of the submission, the institution’s financial soundness and the adequacy of its organisational structure. If the assessment is positive, the notification is forwarded to the host-state supervisory authority within one month.

Notification and Approval Requirement

The acquisition of control or a qualifying holding (bedeutende Beteiligung) in a German financial institution requires prior notification and approval under Section 2c of the KWG, commonly referred to as the owner control procedure (Inhaberkontrollverfahren).

A qualifying holding exists where a person, alone or acting in concert with others, directly or indirectly holds at least 10% of the capital or voting rights, or is otherwise able to exercise “significant influence” over the management of the institution. Further notifications are required if the holding reaches or exceeds 20%, 30% or 50%, or if control is acquired. These thresholds apply irrespective of the acquisition form and the nationality of the acquirer. There is no general restriction on foreign ownership (but foreign acquirers may be subject to the German general FDI screening regime).

Indirect capital participations are determined by applying the multiplication method across the holding chain (eg, a 30% interest in an entity holding 30% in the institution results in an indirect 9% capital participation, not exceeding the 10% threshold). Indirect voting rights are attributed to the acquirer where any of the criteria under Section 34 of the WpHG are met, such as in parent–subsidiary relationships or through trust or proxy arrangements.

Approval Process

The notification procedure is further governed by the German Owner Control Regulation (Inhaberkontrollverordnung), which specifies the information and documentation to be submitted, including details of the acquirer’s identity, financial soundness and reputation and the strategic purpose of the acquisition.

Following its review, BaFin determines whether the notification is complete and issues formal confirmation of receipt. From that date, BaFin generally has 60 working days to assess the acquisition, extendable once by up to 20 working days (or 30 for non-EU or unregulated acquirers). Because the statutory review period begins only once BaFin deems the notification complete, review time and additional information requests often extend the overall timetable in practice.

The acquirer may only close the acquisition after approval has been granted or the statutory review period has expired without objection. BaFin may object to the acquisition if the proposed acquirer or its managers are deemed unreliable or unqualified, if there are indications of money-laundering or terrorist-financing risks, or if the transaction would otherwise endanger sound and prudent management of the institution.

Under the SSM, the ECB decides on all notifications of qualifying holdings in CRR credit institutions. BaFin acts as the national contact point, receives and reviews notifications, prepares a draft proposal and submits it to the ECB, which then issues the final decision – approval, conditional approval or rejection – in line with SSM procedures.

If an acquisition occurs without the required notification or despite an objection, BaFin may suspend the voting rights attached to the shares and order their disposal within a specified period.

Overview of General Corporate Governance

Corporate governance in German banks is governed by corporate laws, eg, the German Stock Corporation Act (Aktiengesetz) or the German Liability Companies Act (GmbH-Gesetz), and by the KWG. Under the common two-tier board system, the management board (Vorstand or Geschäftsführung) is responsible for conducting the institution’s business, while the supervisory board (Aufsichtsrat) appoints, supervises and advises it. For significant institutions, the supervisory board must establish dedicated committees – namely, risk, nomination, remuneration and audit committees.

The KWG requires all credit institutions to maintain a “proper business organisation”, with clear responsibility lines, effective internal-control and internal-audit functions, independent risk control and compliance units, and contingency planning for critical and IT-related functions. BaFin specifies these expectations through circulars, particularly the Guidance Paper on Minimum Requirements for Risk Management, which elaborate on governance, risk-control processes, outsourcing and high-risk activities.

Voluntary Codes and Industry Initiatives

Industry bodies such as the Association of German Banks (Bundesverband deutscher Banken, BdB) and the German Savings Banks Association (Deutscher Sparkassen- und Giroverband, DSGV) issue sectoral principles on governance, sustainability and consumer protection.

Listed financial institutions must observe the German Corporate Governance Code (Deutscher Corporate Governance Kodex, DCGK), which contains recommendations on transparency, shareholder rights, remuneration and board diversity but is not banking-specific. The DCGK operates on a “comply or explain” basis. Privately held banks may reference or apply the DCGK on a voluntary basis.

Diversity Requirements

German and EU supervisory frameworks emphasise diversity in management and oversight bodies. The KWG requires collective suitability and a broad range of knowledge, skills and experience across board members. The Guidelines on Suitability Assessment from the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA) recommend considering gender, age, geographical provenance, and educational and professional background to avoid “groupthink”. In addition, the KWG requires boards to perform at least annual assessments of their composition and performance.

Under the CRD and EBA guidance, significant institutions must set gender targets and adopt a diversity policy; in Germany, BaFin’s 2025 General Ruling on Diversity Disclosures (Allgemeinverfügung bezüglich Diversitätsanzeigen) implements the Guidelines on Diversity (EBA/GL/2023/08) from the EBA and requires significant German CRR institutions to report diversity data to the authorities (including quantitative targets).

Codes of Conduct and Bankers’ Oath

Germany imposes no statutory bankers’ oath akin to the Dutch model. Instead, bank employees are bound by professional-conduct and integrity duties under civil and supervisory law. The KWG obliges institutions to promote a risk-aware and integrity-based governance culture.

Voluntary industry codes – such as the Consumer Credit Code of Conduct (Kodex für Verbraucherkredite) issued by the Deutsche Kreditwirtschaft – set standards for fair dealing, data protection and ethical compliance.

The general banking secrecy obligation (Bankgeheimnis) arises primarily from contract and data-protection law rather than a separate statutory privilege, and is subject to statutory exceptions (eg, anti-money-laundering, tax or criminal-law disclosures).

German credit institutions are typically organised under a two-tier governance system consisting of a management board (Vorstand or Geschäftsführung) and a supervisory board (Aufsichtsrat). The management board is responsible for conducting the institution’s business and ensuring a proper and effective risk-management and compliance framework, while the supervisory board appoints and oversees the management board but does not engage in executive management itself.

Beyond corporate law requirements, EU and German banking regulation together establish a prudential governance framework derived from the CRD, which sets minimum standards for the suitability and integrity of members of management and supervisory bodies. These rules are implemented in Germany primarily through the KWG, supplemented by guidance from the ECB (Fit-and-Proper Guide), the EBA (Guidelines on Suitability Assessment) and BaFin (Guidance Notices on Managing Directors and Supervisory Board Members as well as Key Function Holders).

Management Board

Under the KWG, a member of the management board (Geschäftsleiter) of credit institutions must:

  • be professionally qualified, reliable, and able to devote sufficient time to their duties (professional qualification requires both theoretical and practical knowledge in relevant business areas as well as management experience);
  • collectively possess a sufficiently broad range of knowledge, skills and experience to understand the institution’s activities, including its main risks; and
  • comply with limits on the number of management and supervisory mandates.

The knowledge, skills and experience of the members of the management board, as well as the collective suitability of the entire body, must be reviewed at least annually to ensure continuing relevance and accuracy.

Key Function Holders

Similar requirements apply to “key function holders” of an institution, meaning persons with significant influence over the direction of the bank who are not members of the management body (eg, heads of internal control functions, the CFO, where not part of the management board, and other persons identified on a risk-based basis by the institution), subject to supervisory review by BaFin or the ECB. Key function holders must be of good repute, act with honesty and integrity, and have the knowledge, skills and experience appropriate to their functions.

Supervisory Board

Corresponding prudential standards also apply to the supervisory board (Aufsichtsrat). Under the KWG, supervisory board members must be individually reliable and collectively possess the expertise necessary to supervise and assess the institution’s management effectively. They must dedicate sufficient time to their duties and ensure compliance of the management board with regulatory obligations. The supervisory board’s oversight responsibilities extend to strategy, risk management, internal control functions and the remuneration framework.

Regulatory Approval and Screening

Under the SSM, the ECB assesses members of the management and supervisory bodies of “significant” institutions, while BaFin performs these assessments for “less significant” institutions.

The intention to appoint a member of the management board or to authorise a sole representative of the institution must be reported to the Bundesbank and BaFin (or to the ECB, for significant institutions). Appointments in significant institutions require prior ECB approval. Notifications must specify all facts relevant for assessing reliability, professional qualification and time availability, along with the institution’s own assessment. Similar duties apply to the appointment, removal or change of supervisory board members and to any new facts affecting previous assessments.

Assessments typically involve a review of employment and education history, reference and integrity checks, evaluation of risk and governance experience, and verification of professional qualifications. Documentation must include a CV, certificate of good conduct, declarations of reliability and time availability, and other supporting evidence. Screening also covers criminal and financial record checks, review of any previous regulatory findings, and an assessment of independence and potential conflicts of interest.

Legal Framework and Covered Individuals

The main legal framework governing remuneration in German credit institutions is set out in the KWG and a distinct German Institutions Remuneration Regulation (Institutsvergütungsverordnung, InstitutsVergV). These laws implement the remuneration provisions of the CRD.

The remuneration requirements of the KWG and the InstitutsVergV apply to all employees of credit institutions, including those whose professional activities have a material impact on the institution’s risk profile (“material risk takers”, MRTs), as well as members of the management board and supervisory board and the heads of control functions.

Remuneration Principles

Under the KWG and InstitutsVergV, credit institutions must maintain remuneration systems that are appropriate, gender-neutral (no pay discrimination) and transparent, and that support sustainable development of the institution. They must align with the bank’s strategy, promote sound and effective risk management and avoid incentives for excessive risk-taking.

Fixed and variable remuneration must be proportionate: the variable component must not exceed 100% of fixed remuneration (bonus cap), unless the shareholders’ meeting of an institution approves an increase of the cap up to 200%.

For MRTs, at least 50% of variable remuneration must consist of non-cash instruments (eg, shares, equivalent ownership interests or instruments linked to the long-term performance of the institution). A minimum of 40% (or 60% for higher variable amounts) must be deferred for at least four to five years and remain subject to malus and claw-back arrangements in cases of misconduct or negative performance.

Supervisory board remuneration must avoid conflicts of interest; variable remuneration is not permitted, in order to ensure the board’s independence.

Supervisory Approach

The ECB and BaFin monitor compliance with the remuneration requirements within the annual Supervisory Review and Evaluation Process (SREP). Institutions must document their remuneration systems, identify MRTs annually, and submit remuneration reports to BaFin. If deficiencies are identified, supervisory authorities may require adjustments to policies or restrict variable remuneration.

The prevention of money laundering and terrorist financing is a central pillar of both European and German financial regulation.

Regulatory Framework

The current German AML/CFT framework is primarily set out in the GwG and the KWG. In May 2024, the EU adopted a new AML/CFT package which represents a comprehensive reform of the European anti-money-laundering framework, introducing for the first time a directly applicable Single Rulebook and a new EU-level supervisory authority. The legislative package comprises, among others, Regulation (EU) 2024/1620 establishing the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA) and Regulation (EU) 2024/1624, which lays down a Single Rulebook for AML/CFT and introduces harmonised customer-due-diligence (CDD) and internal-control obligations.

  • AMLA commenced operations on 1 July 2025, with the aim to reach full staffing in 2027 and begin direct supervision in 2028.
  • AMLA’s mandate is to co-ordinate and strengthen supervisory practices across EU member states, promote consistency in enforcement and, for high-risk cross-border groups, exercise direct supervisory powers.
  • The Single Rulebook will apply from 10 July 2027, at which point national rules will be largely superseded. Until then, the existing national law implementing the EU AML Directives and other EU instruments continues to apply.

Specific Obligations

Under the GwG, a credit institution is required to identify and assess the risks of money laundering and terrorist financing that arise from its business activities. In addition, the institution must establish internal safeguards related to its operations and customer relationships in order to manage and mitigate these risks. The effectiveness of such safeguards must be reviewed and updated regularly. For institutions that form part of a group, these safeguards must also include group-wide procedures.

KYC

Credit institutions are subject to extensive CDD obligations. They must:

  • identify their contractual partners (and persons acting on their behalf);
  • obtain and assess information about the purpose and intended nature of the business relationship; and
  • determine whether the customer or the beneficial owner is a politically exposed person (PEP), a family member of a PEP, or a person known to be closely associated with a PEP.

Furthermore, institutions must continuously monitor business relationships. As part of this ongoing monitoring, credit institutions must keep customer data and documentation up to date at intervals appropriate to the identified risk.

The scope of measures must correspond to the specific risk of money laundering or terrorist financing, taking into account factors such as the purpose of the relationship, amounts involved, transaction volume, and duration and frequency of the business relationship. These obligations apply not only when establishing a relationship but also to certain occasional transactions or when relevant circumstances change.

Simplified and Enhanced Due Diligence

Credit institutions may apply simplified due diligence (SDD) if, based on the GwG risk factors, they determine that a low risk of money laundering or terrorist financing exists for specific customers, products, services or transactions.

Where a higher risk of money laundering or terrorist financing is identified – either through the institution’s risk analysis or specific circumstances – enhanced due diligence (EDD) must be applied. A higher risk exists in particular when:

  • the customer or beneficial owner is a PEP, a family member or close associate of a PEP;
  • the relationship or transaction involves a high-risk third country identified under EU law; or
  • the transaction is unusually large or complex, or lacks an apparent economic or lawful purpose.

In such cases, the GwG prescribes a set of minimum EDD measures, such as senior management approval or enhanced verification of source of wealth and funds.

Reporting Obligations

Credit institutions must report suspicious activities and transactions to the German Financial Intelligence Unit (Zentralstelle für Finanztransaktionsuntersuchungen, FIU) whenever facts indicate a possible link to money laundering or terrorist financing. A reported transaction may only be executed once the FIU or the public prosecutor has given consent, or after three working days have passed since submission without a prohibition being issued.

Statutory Deposit Protection and Investor Compensation

Germany maintains a comprehensive, EU-harmonised framework for depositor and investor protection based on the Deposit Guarantee Schemes Directive (EU) 2014/49 (DGSD) and the Investor Compensation Schemes Directive 97/9/EC, implemented through the German Deposit Protection Act (Einlagensicherungsgesetz, EinSiG) and the German Investor Compensation Act (Anlegerentschädigungsgesetz, AnlEntG).

The mandatory statutory deposit protection for private-sector credit institutions is operated by the Compensation Scheme of German Banks (Entschädigungseinrichtung deutscher Banken, EdB). The EdB collects and administers member contributions, manages the compensation fund and processes depositor claims in accordance with the EinSiG. Covered deposits comprise all eligible liabilities arising from deposits – generally up to EUR100,000 per depositor and per bank. Certain categories of depositors, such as other credit institutions, insurance companies, investment funds and public authorities, are excluded. In line with the DGSD, deposits arising from exceptional events – such as sale of a primary residence, inheritance or insurance payouts – are protected beyond the EUR100,000 limit for up to six months (“temporary high balances”). Compensation must be paid within seven working days of deposit unavailability.

Funding is provided through annual contributions by participating banks, calculated on a risk basis considering the amount of covered deposits and the relevant institution’s risk profile. The scheme’s target level of 0.8% of total covered deposits was reached in July 2024. Where necessary, the EdB may levy special contributions or borrow funds to meet compensation obligations.

In the context of bank resolution, the EdB may be required to contribute to the financing of resolution measures. Its contribution is capped at the amount it would have been obliged to pay in a normal insolvency scenario. Under certain circumstances, it may also provide temporary financial support to prevent a member’s failure. In addition, where BaFin determines a compensation case under the AnlEntG, the EdB compensates 90% of an investor’s claims arising from securities transactions (denominated in euros or in another EU currency), up to an equivalent of EUR20,000 per investor.

Voluntary Deposit Protection Scheme

Deposits at private sector banks exceeding the statutory coverage, or otherwise excluded from the EdB scheme, may be protected by the Deposit Protection Fund (Einlagensicherungsfonds, ESF), a voluntary scheme administered by the BdB.

Following reforms to strengthen proportionality and sustainability, the protection limits of the ESF are being gradually reduced: after 1 January 2023, deposits of private individuals were protected up to EUR5 million, reduced to EUR3 million as of 1 January 2025, and reducing to EUR1 million by 2030. For companies and institutional clients, protection was reduced to EUR50 million in 2023 and to EUR30 million in 2025, and will fall to EUR10 million in 2030.

The ESF is funded through risk-weighted contributions from participating banks, supplemented, where necessary, by extraordinary levies. The ESF may also provide preventive support measures to avert member bank distress, subject to supervisory approval.

Institutional Protection Schemes

In addition to these statutory and voluntary schemes, public sector savings banks, state banks, building and loan associations, and co-operative banks participate in institutional protection systems that safeguard both member institutions and depositors:

  • The DSGV administers the protection system for the public savings banks (Sparkassen) and regional state banks (Landesbanken).
  • The National Association of German Cooperative Banks (Bundesverband der Volksbanken und Raiffeisenbanken, BVR) operates the co-operative banks’ mutual protection scheme.

Public-law institutions affiliated with the Association of German Public Banks (Bundesverband Öffentlicher Banken Deutschlands e.V., VÖB) may benefit from an additional voluntary Deposit Protection Fund (Einlagensicherungsfonds des VÖB).

Credit institutions in Germany are subject to a wide range of capital, liquidity and risk-control requirements under the EU regulatory framework (CRD/CRR) and the KWG. Together, these implement the Basel III framework – and, from 2025 with phase-in to 2030, the final Basel III standards (in Europe commonly referred to as “Basel IV”) – into EU and German law.

While the EU implementation is broadly consistent with the Basel standards, it includes certain structural and transitional deviations, notably the application of the SME and infrastructure supporting factors (which reduce capital requirements for qualifying exposures), extended phase-in arrangements for the output floor and market-risk framework, and retention of selected internal model approaches not foreseen under Basel III. These EU-wide deviations apply equally in Germany through direct application of the CRR.

Minimum Capital (“Own Funds”) Requirements

Under the CRR, banks must maintain at least:

  • 4.5% of risk-weighted assets (RWA) in Common Equity Tier 1 (CET1) capital;
  • 6% of RWA in CET1 and Additional Tier 1 capital (Tier 1); and
  • 8% of RWA in total own funds (Tier 1 + Tier 2).

A minimum leverage ratio of 3% of total exposure also applies to all CRR credit institutions. For a global systemically important institution (G-SII), an additional leverage buffer equal to the G-SII’s total exposure measure under the CRR multiplied by 50% of its risk-based G-SII capital buffer rate applies.

Loss-Absorbing Capacity Standards (MREL and TLAC)

In addition to prudential capital requirements, banks are subject to minimum loss-absorbing capacity standards designed to ensure orderly resolution in the event of failure. In this respect, the BRRD (and the SAG as German national implementing law) contains rules on the minimum requirement for own funds and eligible liabilities (MREL). The relevant resolution authority – BaFin for smaller institutions or the Single Resolution Board (SRB) for significant ones – sets MREL individually each year, depending on the institution’s resolution strategy.

For G-SIIs, the MREL requirement must also meet the internationally agreed Total Loss-Absorbing Capacity (TLAC) standard, ensuring sufficient liabilities can be written down or converted in resolution.

Capital Buffer

German banks must further hold supplementary capital buffers that strengthen resilience against cyclical and systemic risks:

  • Capital Conservation Buffer (CCoB): Universally applicable; ensures that banks maintain additional CET1 capital to absorb losses during financial and economic stress periods. Banks in the EU are required to maintain a mandatory capital conservation buffer of CET1 capital amounting to 2.5% of RWA.
  • Countercyclical Buffer (CCyB): Designed to increase the resilience of the banking sector during periods of excessive credit growth and to be released during downturns to support lending activity; set by BaFin for Germany at 0.75%.
  • Systemic Risk Buffer (SyRB): Addresses structural or sector-specific risks that may threaten the stability of the financial system as a whole or specific segments such as real estate lending. BaFin may require banks to build up a systemic risk buffer of CET1 capital of between 0.5% and 3% of the total risk exposure amount and – under additional requirements – up to 5% and above 5% (above 5% only with authorisation from the European Commission). Effective from 1 May 2025, BaFin lowered the systemic risk buffer for loans secured by residential property from 2.0% to 1.0% (and at the same time kept the general CCyB at 0.75%).
  • G-SIIs and O-SIIs: Additional institution-specific capital buffers apply to globally and domestically systemically important institutions to reflect the potential impact of their distress or failure on the wider financial system. The G-SII buffer ranges from 1% to 3.5% of risk-weighted assets depending on the institution’s systemic importance, while the other systemically important institution (O-SII) buffer may be set at up to 3% – and, with the European Commission’s authorisation, above this level.

Pillar 2 Requirements

The minimum capital ratios and buffers described above constitute the “Pillar 1” requirements of the Basel framework, which address quantifiable risks such as credit, market and operational risk. “Pillar 2” complements this by allowing supervisors to address institution-specific or unquantified risks, such as governance risks, through additional capital or qualitative requirements.

“Pillar 2 Requirements” (P2R) are legally binding for an institution and must be met with at least 56.25% CET1 capital. The ECB and BaFin may also issue “Pillar 2 Guidance” (P2G), which is not binding but indicates the additional capital expected to ensure resilience of the institution under stress scenarios.

Liquidity Requirements

In addition to capital requirements, credit institutions must maintain sufficient liquidity to withstand short-term and long-term funding stress. Banks must comply with two Basel III liquidity standards:

  • Liquidity Coverage Ratio (LCR): High-quality liquid assets must equal or exceed 100% of net cash outflows over 30 days.
  • Net Stable Funding Ratio (NSFR): Stable funding sources must at least equal 100% of required stable funding, measured over a one-year horizon.

Risk Management Rules

At EU level, the CRD and the EBA Guidelines on Internal Governance establish harmonised principles for banks’ risk-management and internal-control frameworks. These provisions require institutions to maintain robust governance arrangements and effective processes for identifying, managing and monitoring risks, forming the foundation for the annual Supervisory Review and Evaluation Process (SREP) conducted by the ECB and BaFin.

In Germany, these requirements are implemented in the KWG, which requires every institution to maintain a proper business organisation, including an adequate and effective risk-management system proportionate to its nature, scale and complexity. BaFin’s Guidance Paper on Minimum Requirements for Risk Management (MaRisk) provides a detailed framework.

The risk-control function must report at least quarterly to management on the adequacy of capital resources, current and projected capital and liquidity ratios, and refinancing positions. Forecasts and early-warning indicators must be included, and the internal audit must independently review the effectiveness of all risk-management components.

Recovery and Resolution Framework

Germany’s bank recovery and resolution regime forms part of the SRM, the framework governing the orderly resolution of banks in EU member states participating in the European Banking Union. The SRM is built on two key legislative pillars: the BRRD, amended as BRRD II, and the Single Resolution Mechanism Regulation (Regulation (EU) 806/2014, SRMR). In Germany, the BRRD has been implemented through the SAG.

The SAG and SRMR fully reflect the “Key Attributes of Effective Resolution Regimes” issued by the Financial Stability Board (FSB), the international standard developed to ensure that authorities can resolve failing financial institutions in an orderly manner, maintaining critical functions, protecting depositors and financial stability, and avoiding the use of public funds.

Under the SAG, among other things:

  • credit institutions are obliged to draw up recovery plans describing how they would address situations of financial stress;
  • the competent resolution authority must, in alignment with the supervisory authority, prepare resolution plans;
  • competent supervisory authorities may take early-intervention measures (as described below);
  • a set of resolution tools has been introduced that resolution authorities can apply to preserve critical functions without resorting to public support, such as the bail-in tool to write down or convert a bank’s liabilities into equity; and
  • resolution funds have been established to finance and facilitate the orderly resolution of credit institutions.

Competent Authorities

The SRMR establishes the institutional and procedural framework for the resolution of banks within the euro area. It creates the SRB as the central resolution authority responsible for significant institutions under the direct supervision of the ECB and for cross-border banking groups, while national resolution authorities (NRAs), such as BaFin in Germany, implement SRB decisions and are responsible for less significant institutions. The SRMR also governs the operation of the Single Resolution Fund (SRF), which is financed by contributions from the banking sector and can be used to support resolution actions in the Banking Union. The Bundesbank supports both the SRB and BaFin through data collection and technical analysis.

Own-Funds Requirements and MREL

A key feature of the European resolution regime is the MREL, which ensures that institutions maintain sufficient capital and loss-absorbing instruments to support an orderly resolution without recourse to public funds. MREL complements the prudential capital requirements under the CRR and CRD and is conceptually aligned with the TLAC standard for global systemically important banks.

The SRB (for significant institutions) and BaFin (for less significant institutions) determine the applicable MREL level for each institution, reviewing it annually based on factors such as the preferred resolution strategy, the bank’s business model and risk profile, and its systemic relevance. The requirement is tailored to each institution to ensure that it can absorb losses and be recapitalised to continue critical functions in resolution.

In 2024, the EU adopted Directive (EU) 2024/1174 (the so-called “daisy-chains” amendment), which grants resolution authorities more flexibility in setting internal MREL in banking groups to ensure sufficient loss-absorbing capacity, and provides for a specific MREL treatment for liquidation entities.

Failure, or imminent risk of failure, to meet own-funds, MREL or liquidity requirements may trigger supervisory or resolution powers. Authorities can require remedial actions to restore compliance, restrict business operations or, as a last resort, withdraw the banking licence and initiate resolution proceedings.

Recovery and Early-Intervention Measures

Pursuant to the SAG, all credit institutions must prepare and maintain recovery plans setting out measures to restore viability in periods of financial stress. The competent resolution authority, in co-operation with the supervisory authority, prepares resolution plans describing the preferred resolution strategy and assessing resolvability.

Before resolution conditions are met, early-intervention powers under the SAG and the KWG allow BaFin to take proportionate measures, including:

  • requiring changes to legal or operational structures or to business strategy;
  • ordering the execution of options identified in the recovery plan;
  • requiring improvements in capital or liquidity positions, or reductions in risk exposure; and
  • demanding the replacement of management where necessary.

These preventive tools are complemented by crisis management powers, such as writing down or converting relevant capital instruments when viability is at risk.

Resolution Tools

If an institution is failing or likely to fail, and no private or supervisory measures can prevent that outcome within a reasonable timeframe, the SRB (for significant institutions) or BaFin (for less significant institutions) may place it into resolution. Resolution aims to preserve critical functions, maintain financial stability and protect covered depositors, while minimising reliance on public funds.

The principal resolution tools available under the SRMR and SAG are:

  • sale of business – transfer of shares or assets to a private purchaser;
  • bridge institution – transfer of critical functions to a temporary bridge bank pending sale;
  • asset separation – transfer of impaired assets to a management vehicle; and
  • bail-in – write-down or conversion of eligible liabilities into equity.

Certain liabilities are excluded from bail-in, notably covered deposits up to EUR100,000, secured liabilities, client assets and liabilities to employees or tax authorities.

Valuation and Creditor Safeguards

Following any resolution action, an independent expert must perform a “no creditor worse off” assessment to determine whether shareholders and creditors would have received better treatment in normal insolvency proceedings. If so, they are entitled to compensation from the SRF or, for less significant institutions, from the national restructuring fund (Restrukturierungsfonds).

Non-CRR Institutions and Insolvency

The SRM and the SAG only apply to CRR credit institutions. For non-CRR institutions, insolvency and liquidation are governed at the national level by special bank insolvency provisions of the KWG, which supplement the general rules of the German Insolvency Code (Insolvenzordnung).

In cases of over-indebtedness (Überschuldung) or illiquidity (Zahlungsunfähigkeit), the institution’s management must immediately notify BaFin, which is then required to petition the competent court to open insolvency proceedings. Creditors are subsequently informed, and if the institution is part of an EEA group, BaFin must also notify the relevant authorities in the other EEA member states.

Depositor Preference

In accordance with the BRRD, Germany applies the EU-wide general depositor preference in order to ensure that retail and SME depositors are protected ahead of other unsecured creditors in both resolution and insolvency proceedings. Deposits rank above ordinary unsecured claims, in a two-tier hierarchy:

  • Tier 1 – covered deposits up to EUR100,000 and deposits of individuals and SMEs above that limit; and
  • Tier 2 – other eligible deposits of large corporate clients.

German banks are increasingly affected by the expanding legal framework on environmental, social and governance (ESG) regulation.

EU Prudential Framework

The ECB has made the management of climate-related and environmental risks a core supervisory priority for 2025–2027 and expects significant institutions to demonstrate full alignment with its Guide on Climate-related and Environmental Risks and related EBA standards.

ESG metrics have been incorporated into the SREP, assessing whether a bank’s governance, data quality and internal models adequately capture climate-related and environmental risks. Deficiencies can result in qualitative measures or additional Pillar 2 capital guidance.

This prudential focus on ESG is further reinforced by the newest legislative reforms. As part of the “second banking package”, the new CRD VI, which must be transposed into German law by 10 January 2026, introduces explicit provisions on ESG risk management. Credit institutions will be required to:

  • integrate ESG risks into their governance arrangements, risk strategies and internal capital-adequacy assessment process (ICAAP);
  • perform forward-looking scenario analyses and stress tests addressing physical and transition climate risks;
  • consider ESG exposures when setting remuneration policies and variable-pay structures; and
  • disclose information on transition planning and the management of ESG risks in accordance with detailed EBA technical standards.

Disclosure and Due Diligence

The Corporate Sustainability Reporting Directive (EU) 2022/2464 (CSRD) has been applicable from financial year 2024 to large publicly-listed credit institutions. In February 2025, the European Commission’s Omnibus Simplification Package (“Omnibus Package”) postponed the application of the CSRD to other in-scope institutions until 2028 to allow additional time for implementation of the European Sustainability Reporting Standards. The CSRD substantially broadens the scope and depth of ESG disclosures, requiring detailed information on sustainability strategy, governance, risk-management processes and key performance indicators.

The Corporate Sustainability Due Diligence Directive (EU) 2024/1760 (CSDDD), whose effective date has likewise been deferred to 2028, will additionally oblige larger credit institutions to conduct due diligence on human-rights and environmental impacts in their value chains and to adopt climate-transition plans. The Omnibus Package also proposes targeted amendments to narrow the CSDDD’s scope and clarify proportionality for financial-sector entities.

The Taxonomy Regulation (EU) 2020/852 defines environmentally sustainable activities and requires banks to report the share of taxonomy-aligned assets, including the Green Asset Ratio for exposures on their banking book.

National Supervisory Practice

At the German national level, BaFin and the Bundesbank have embedded ESG supervision within the existing risk-management framework. BaFin’s Guidance Notice on Dealing with Sustainability Risks obliges credit institutions to analyse climate-related and broader ESG risks within their overall risk strategy and inventory, to integrate these into MaRisk processes and to ensure active management oversight.

In 2024, BaFin launched a consultation to update the MaRisk and Banking Supervisory Requirements for IT (BAIT) to reflect ESG considerations and to align with CRD VI and the new EBA Guidelines on the Management of ESG Risks (EBA/GL/2024/01). In supervisory practice, BaFin and the Bundesbank review ESG governance, scenario analyses and disclosure quality as part of on-site inspections and the SREP.

ESG competence has also become a fit-and-proper (FAP) criterion. The ECB and BaFin expect management and supervisory boards to collectively possess adequate knowledge to oversee ESG and climate risks. Institutions must evidence such expertise in their FAP notifications.

Further, BaFin’s Sustainable Finance Strategy 2025 and its Guidance on the Prevention of Greenwashing (2024) confirm that ESG supervision in Germany increasingly covers not only prudential and governance aspects but also conduct and disclosure risks.

Sector Initiatives

German banking associations – including the BdB, the DSGV and the VÖB – have issued sector-specific ESG frameworks, such as the BdB Leitfaden für nachhaltige Kreditvergabe (2023), the DSGV Nachhaltigkeitsstrategie der Sparkassen-Finanzgruppe (2021) and the VÖB Leitfaden Nachhaltiges Banking (2021). These guidelines promote sustainable lending, green-bond issuance and the integration of climate risks into credit decisions.

Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA) has been applicable to all EU financial entities, including German credit institutions, since 17 January 2025. DORA strengthens operational continuity in the face of cyber and information and communication technology (ICT) disruptions and establishes a harmonised European framework for managing ICT risks. Significant institutions must conduct advanced threat-led penetration tests to assess their security against sophisticated threats at least every three years, in line with DORA technical standards.

DORA has made ICT governance and cyber-resilience a core element of prudential supervision in Germany. BaFin and the Bundesbank are responsible for national supervision and implementation, working in close co-operation with the ECB. BaFin has issued interpretative guidance and DORA-readiness questionnaires, and treats digital resilience as a supervisory priority. Expectations derived from DORA are now integrated into IT-risk reviews and on-site inspections, as well as in the regular SREP.

BaFin’s IT Audit Guide (IT-Prüfungsleitfaden) sets detailed examination standards for auditors and supervisors. The Bundesbank performs dedicated IT audits as part of its ongoing prudential inspections, and the findings directly influence an institution’s risk profile and capital assessment under the SREP.

Alongside DORA, German banks must continue to comply with domestic supervisory rules under MaRisk and the BAIT. Both BaFin circulars remain applicable but are currently being revised to align with the new EU framework.

ICT risks have also gained greater weight in FAP assessments of management board and supervisory board members. BaFin and the ECB now assess the technological competence of individuals. Management and supervisory bodies must collectively demonstrate adequate knowledge of ICT, outsourcing and cybersecurity risks.

DORA further complements existing German ICT-security and data-protection regimes. Credit institutions remain subject to the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) and the General Data Protection Regulation (Datenschutz-Grundverordnung, DSGVO); DORA reinforces these frameworks by requiring governance and technical controls that ensure the confidentiality, integrity, and availability of data and systems.

In addition, large credit institutions that meet the thresholds for “critical infrastructure” (Kritische Infrastruktur, KRITIS) under the BSI Act (BSIG) and the BSI-Kritis Regulation (BSI-KritisV) are supervised by the Federal Office for Information Security (BSI) with respect to their IT systems. Obligations include maintaining state-of-the-art security measures, designating a 24/7 contact point, reporting serious IT incidents to the BSI and periodically demonstrating compliance. DORA and the KRITIS regime apply cumulatively. DORA governs the prudential resilience of ICT systems under banking supervision, while the BSIG and KRITIS laws regulate national cybersecurity and public security aspects.

In 2025, the German Federal Cabinet (Bundeskabinett) approved a draft KRITIS Umbrella Act (KRITIS-Dachgesetz), enhancing co-ordination between BaFin, the BSI and the Federal Office for Civil Protection and Disaster Assistance (BBK). The new framework introduces a national register of critical-infrastructure operators and harmonised incident reporting. Consequently, a major cyber incident may trigger parallel notifications to the ECB, BaFin and the BSI.

In parallel, the NIS2 Directive (EU) 2022/2555 – to be transposed into German law by late 2025 through the NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz – expands cybersecurity obligations for all “essential” and “important” entities across critical sectors, including banking. While DORA acts as the lex specialis for financial entities, NIS2 complements it by establishing cross-sector co-ordination and incident-reporting mechanisms under the Federal Office for Information Security (BSI).

Capital Requirements and Basel IV Implementation

Capital regulation continues to evolve, with Basel IV remaining a core focus. CRD VI must be transposed into national legislation by 10 January 2026 and, according to a draft law published on 22 August 2025 by the German Federal Ministry of Finance, the draft Banking Directive Implementation and Bureaucracy Reduction Act (Bankenrichtlinienumsetzungs- und Bürokratieentlastungsgesetz, BRUBEG), a full transposition is envisaged.

At the same time, the EU has postponed the implementation of the Fundamental Review of the Trading Book by one additional year to 1 January 2027, citing competitive concerns with respect to the USA and other major jurisdictions, where deregulatory trends persist. While this delay offers short-term relief, it adds complexity to banks’ medium-term planning.

The output floor, which limits capital relief from internal models by requiring total RWA (used for the calculation of own-funds and capital buffer requirements) to be no lower than 72.5% of the amount calculated under the standardised approaches, will be phased in from 2025 to 2030, requiring banks to use internal models to recalibrate portfolios and data systems.

CRD VI further introduces explicit supervisory expectations for integrating ESG risks into risk-management frameworks and the ICAAP. BaFin and the Bundesbank are preparing guidance to align national supervisory reviews with forthcoming EBA standards on climate-related stress testing and transition-plan assessment. In 2026, the ECB will conduct a thematic stress test examining banks’ resilience to geopolitical shocks.

In addition, under a new regime of the CRD VI for third-country branches, third-country institutions providing core banking services will be required to establish an authorised branch or subsidiary in Germany unless an exemption applies. Existing cross-border exemptions under the KWG will be curtailed for such activities, and new procedures and notification requirements are introduced for bank M&A and reorganisations.

Crisis Management and Bank Resolution

In June 2025, the European Parliament and Council reached a political agreement to overhaul the EU’s Crisis Management and Deposit Insurance (CMDI) framework for banks. The reform aims to make resolution tools applicable to a wider spectrum of institutions, including smaller and medium-sized banks, and to reduce reliance on taxpayer-funded bail-outs by strengthening industry-funded safety nets (national resolution funds and the SRF). Implementation is expected from 2026 and will amend the BRRD, SRMR and DGSD. For German banks, this will entail closer co-ordination between BaFin and the SRB in resolution planning and funding arrangements.

The CMDI package also clarifies the interplay between national deposit-guarantee schemes and the SRF, strengthening depositor preference and introducing more consistent triggers for resolution and liquidation.

Regulatory Simplification and Proportionality

Alongside the tightening of prudential standards, the authorities are also seeking to reduce unnecessary administrative complexity. Recognising the cumulative burden of existing requirements, the ECB launched a “High-Level Task Force on Simplification” in April 2025 to identify redundant or overlapping obligations, notably in reporting and supervisory processes.

In parallel, BaFin issued a Supervisory Notice in November 2024 introducing proportionality measures for small and very small institutions – simplified risk-management and capital-planning approaches, lighter internal reporting and greater flexibility in outsourcing through group frameworks. Around three-quarters of German banks are expected to benefit from these simplifications.

Digital Transformation and Artificial Intelligence (AI)

Digitalisation remains central to the EU’s financial services agenda. The German government supports the rollout of the European Digital Identity (EUDI) Wallet and preparations for the Digital Euro.

The Markets in Crypto-Assets Regulation (MiCAR) is progressing through its implementation phase. Level 2 and 3 technical standards being prepared by ESMA and the EBA will specify detailed prudential and conduct obligations for crypto-asset service providers and stablecoin issuers. Banks offering custody or token-issuance services must integrate these standards into their risk and compliance frameworks.

The EU Artificial Intelligence Act (“AI Act”) entered into force on 1 August 2024 and is expected to be fully effective by 2027. It imposes strict compliance obligations on AI systems. Credit institutions using AI for credit scoring, trading or AML monitoring will fall under the “high-risk” category, requiring model-governance, documentation and testing obligations. The ECB and BaFin are assessing how to integrate AI governance into existing risk-management reviews to ensure alignment with DORA and data protection standards. On 10 July 2025, the European Commission published the voluntary General-Purpose AI (GPAI) Code of Practice, which provides guidelines for compliance with the AI Act.

Retail Banking, Payments and AML Reform

On the consumer side, Germany’s 2025 coalition agreement places renewed emphasis on fairness and market access. Planned reforms include fee caps on overdrafts and basic accounts, as well as measures to channel venture-capital investment into growth sectors.

Germany is also preparing to implement the Consumer Credit Directive (EU) 2023/2225 by 20 November 2025, with application from 20 November 2026, expanding its scope to new retail-credit products such as “buy now, pay later” and short-term digital lending. In parallel, EU legislators are finalising the Payment Services Directive and Regulation (PSD3/PSR) package together with the Instant Payments Regulation, which will make instant payments mandatory across the EU and introduce name-matching of recipients (the “verification of payee” check). These rules are phasing in from 2025 and are expected to substantially modernise the EU retail payments landscape.

Sullivan & Cromwell LLP

Neue Mainzer Str. 52,
60311 Frankfurt am Main,
Germany

+496942725200

+496921999520

klormannp@sullcrom.com www.sullcrom.com

Trends and Developments


Author



PwC Legal and its network firms operate in more than 100 territories with over 4,000 lawyers, delivering comprehensive advisory and transactional services to financial institutions, multinational corporates and public bodies. The firm’s Global Financial Services Sector Group brings together more than 450 lawyers who provide strategic, commercially driven advice across the full spectrum of transactional, regulatory and advisory matters – spanning all major asset classes and the rapidly evolving crypto-assets and digital infrastructure landscape. PwC Legal supports clients through the entire regulatory life cycle and across phases of growth, financing and corporate transformation. The firm’s expertise includes licensing and perimeter analysis; prudential and conduct regulation; payments and fintech; crypto-assets and tokenisation; market infrastructure and trading; governance, risk and remediation; outsourcing and cloud; operational resilience; and ESG. The firm also assists clients in structuring, documenting and executing complex transactions – including M&A, reorganisations, structured finance, derivatives and banking and finance – and acts in investigations, disputes and enforcement matters.

Banking Regulation in Germany: Key Trends and Developments for 2026

Germany’s financial services landscape is undergoing a measured but meaningful recalibration. While EU-level reforms continue to set the perimeter for prudential standards, market infrastructure and cross-border conduct, the German debate in the past 12 to 18 months has centred on distinctly national concerns: the stability of interest rate-sensitive balance sheets, the suitability of retail distribution practices in a volatile rate and liquidity environment, the steady integration of digital instruments into mainstream capital markets under German law, and the tightening of supervisory expectations on governance, AML/CTF and greenwashing. The result is a market that remains conservative in ethos yet more permissive in structure, with new avenues for issuance and intermediation opening in parallel with sharper expectations for accountability and investor protection.

Retail distribution under strain: suitability, disclosure and product governance

German retail distribution is in the midst of an incremental tightening cycle, driven primarily by a renewed focus on advice quality, product governance and the management of conflicts in vertically integrated value chains. Two themes dominate the supervisory dialogue. First, firms are expected to demonstrate a rigorously evidenced suitability process that is both client-specific and outcome-oriented, particularly for complex or illiquid instruments offered to mass affluent segments. The expectation is no longer satisfied by formulaic questionnaires and generic risk profiles: distributors should be in a position to evidence the bridge between specific client objectives, time horizons and loss-bearing capacity on the one hand, and precise product features, liquidity constraints and downside asymmetries on the other. This is changing sales documentation, internal approvals and after-sales monitoring in noticeable ways.

Second, product governance has moved from a static paper exercise to a supervisory focal point with real commercial bite. Target market definitions are expected to be realistic and granular, negative target markets must be taken seriously, and distributors are expected to demonstrate credible controls to prevent “target market drift” under commercial pressure. German practice has become more disciplined in documenting distribution strategy, selecting appropriate channels and calibrating inducement structures to avoid sales patterns that cannot be reconciled with the stated target market. Vendors of complex notes, leveraged and structured products, and closed-ended alternative investment fund (AIF) interests have experienced renewed supervisory scrutiny of their product oversight and governance arrangements, with attention to whether product bundles and wrappers obscure costs, risk and liquidity.

Firms should anticipate more thematic work on the boundary between advice and pure execution, and the use of streamlined digital journeys for complex instruments. While digital onboarding has improved auditability, supervisors are sensitive to “explainability gaps” where automation compresses disclosures, defaults or risk warnings. German practice increasingly favours layered disclosures with mandatory “break points” for higher-risk features and clear records of client-led choices that depart from recommended pathways. The cumulative effect is an operational retooling of distribution – less about headline rule changes and more about elevated evidentiary standards.

The “grey market” under the Vermögensanlagengesetz: pressure towards professionalisation

Germany’s regime for non-securitised investment assets under the Capital Investment Act (Vermögensanlagengesetz, VermAnlG) continues to occupy a delicate space between fostering SME funding and protecting retail investors from asymmetric information and governance risks. Supervisory experience over multiple cycles has reinforced three messages:

  • First, documentation quality and the credibility of issuer projections are under sharper scrutiny; statements of risk and return must withstand plausibility testing that is recorded and reproducible.
  • Second, intermediaries that broker Vermögensanlagen must avoid the appearance of “manufactured suitability”, particularly where the product economics rely on serial retail issuance rather than cash-generative assets.
  • Third, distribution channels are undergoing a quiet consolidation: lower-quality networks are exiting, and the remaining intermediaries are investing in compliance functions, product approval committees and ongoing product monitoring that more closely resemble MiFID-standard governance.

For providers relying on VermAnlG instruments as a funding channel, the practical upshot is a higher fixed cost of compliance and a reduced tolerance for optimistic projections, complex subordination structures or implicit maturity transformation. Where issuers are unable to meet the evidentiary bar, the German market increasingly steers them towards professional-only placements or AIF structures governed by the German Investment Code (Kapitalanlagegesetzbuch, KAGB), notwithstanding the additional governance load those routes entail.

Investment intermediaries and the boundary of permitted services

Germany’s dual system for investment intermediation – MiFID-authorised firms under the WpIG/KWG on the one hand and § 34f GewO intermediaries on the other – remains viable but more policed at the seams. Three recurring issues persist in practice:

  • First, reception and transmission of orders must be mapped carefully: the line between informal facilitation and a regulated RTO service is policed with reference to substance, not labels. Intermediaries that “help the subscription along” by collecting or channelling client orders risk crossing into unauthorised territory.
  • Second, classification manoeuvres to widen access to professional-only products face closer scrutiny. German supervisors expect that professional client opt-up criteria are applied strictly by authorised firms; intermediaries without authorisation cannot cure their status by piggybacking on a producer’s categorisation in the absence of the requisite contractual nexus and client-level diligence.
  • Third, when non-authorised intermediaries participate in distribution chains, manufacturers are expected to evidence adequate control over downstream sales practices. This has produced more robust manufacturer–distributor agreements with explicit obligations on target market adherence, client data-sharing for monitoring, complaint handling and remediation triggers. The trend is towards formalising the entire chain; informal networks without clear allocation of responsibilities are increasingly seen as a supervisory risk.

Electronic securities, crypto custody and the normalisation of digital issuance

Germany’s framework for electronic securities continues to migrate from early-stage novelty to practical mainstreaming. The Electronic Securities Act (Gesetz über elektronische Wertpapiere, eWpG) established a viable substrate for electronic bearer bonds and fund units, with scope now widening through subsequent legislative steps to include additional categories of instruments and registries. While EU-level crypto-asset rules set the overarching categories and licensing pathways, the German experience is defined by two national features: the crypto custody licence as a KWG-regulated financial service, and the coexistence of centralised and decentralised registers under the eWpG. Together, these features have created an environment in which established institutions can enter the market in controlled steps – initially through custody, white-label issuance and intra-group pilots – before expanding into client-facing products.

Two implementation realities stand out. First, governance and IT risk management expectations for custody are at the higher end of the spectrum, reflecting the irreversibility of on-chain movements and the vulnerability of key management. Firms are expected to demonstrate not just technical controls but robust segregation, multi-signature policies, independent change management and clear incident response that anticipates cross-jurisdictional implications. Second, AML/CTF expectations are not optional. German practice expects travel rule compliance, blockchain analytics integration and rigorous customer risk scoring calibrated to on-chain behaviours. Institutions that approach digital assets as purely technical deployments without a compliance-first architecture encounter delays and supervisory friction.

More broadly, the eWpG’s allowance for blockchain-based registers has encouraged structured issuers and fund sponsors to explore electronic formats where operational savings and settlement efficiencies outweigh initial setup costs. Where firms proceed, they are doing so with a view to standardisation and secondary liquidity, carefully aligning the register choice with custody and settlement capabilities at their target distributors. In short, the direction of travel is steady normalisation; the pace depends on a firm’s ability to integrate digital issuance into existing middle- and back-office architecture without compromising control frameworks.

Loan origination by funds and private credit: risk controls over labels

Germany’s willingness to permit loan origination by AIFs subject to KAGB and supervisory conditions has supported the maturation of a domestic private credit market. While EU-level texts shape the broader contour, the German practice has evolved around three supervisory expectations:

  • Coherent credit risk governance: Origination must sit within a documented risk framework that addresses underwriting standards, collateral policies, valuation, workout and restructuring. Merely outsourcing expertise without retaining oversight is viewed as insufficient.
  • Liquidity management and investor fairness: Closed-ended structures should match asset maturity, and any liquidity offered must be credible and supported by mechanisms that do not transfer first-loss risk to incoming investors.
  • Conflicts and delegation: Where managers rely on related-party servicers or origination partners, conflict identification and mitigation must be demonstrably effective, and fee structures should be transparent with respect to borrower- and fund-level economics.

As the cost of capital environment stabilises at a higher plateau, German supervisors remain attentive to covenant-light exposures, layered security packages and borrower resilience in cyclical sectors. Managers can expect continued interest in pipeline selection discipline, sector concentration and stress testing that reflects realistic refinancing scenarios rather than generic macro shocks. The theme is consistent: substance over form, prudence over pace.

Interest rate risk, deposit stability and conduct in a high-rate plateau

The transition from a prolonged low-rate environment to a higher-for-longer regime has sharpened supervisory focus on traditional banking risks. Interest rate risk in the banking book, hedging effectiveness and deposit stability under rate competition are standard themes – but in Germany they are intimately linked to conduct. Promotional campaigns for time deposits, structured savings and yield-enhancing notes are expected to meet the same suitability and fair presentation standards as investment products. In practice, this means rigorous clarity on conditionality, reinvestment risk and early termination terms. Marketing that emphasises headline rates without balancing risk statements is a perennial source of complaints and supervisory queries.

At the treasury level, supervisors expect that ALM models reflect realistic client behaviour under rate competition, including the cannibalisation of low-yield sight deposits. Hedging programmes must be aligned with balance sheet realities, not accounting cosmetics. For smaller and mid-sized institutions, model risk management and the independence of the risk function have moved from good practice to necessity; embedded complacency from the prior decade is no longer an acceptable explanation for model underperformance.

Sustainability, greenwashing and the maturing of German expectations

Germany’s sustainability agenda in financial services is now less about general statements of principle and more about the integrity of product claims and risk integration. Firms should assume two parallel expectations:

  • The prudent integration of sustainability risks into lending, investment and underwriting processes: The expectation is not merely that ESG is “considered”, but that there is a documented and explainable link between sustainability factors and credit, market or operational risk where material.
  • Precision in marketing: Sustainability-related communications must be substantiated by the product’s actual asset composition, stewardship approach and exclusions, and must be consistent across KIIDs, prospectuses, factsheets and web content. German supervisory messaging has been clear that labels, colours and imagery implying a level of sustainability performance that the product cannot substantiate will be treated as misleading.

In practical terms, firms are tightening internal approval processes for sustainability claims, adopting “claims registers” that map each assertion to underlying evidence, and conducting periodic sampling of portfolio holdings against stated exclusions or targets. Where discretionary mandates or funds commit to engagement strategies, records of engagement activity and outcomes are increasingly viewed as quasi-regulatory artefacts: if it is part of the pitch, it must be evidenced.

AML/CTF, governance and the hardening of operational expectations

AML/CTF supervision in Germany continues to harden around real-world efficacy. The direction of travel is clear: beyond policy quality and formal governance, supervisors want to see detection and escalation that works in practice. This has several operational consequences. Customer risk models are being recalibrated to reflect typologies that are specific to product and channel. Transaction monitoring is expected to produce “useful alerts”, not just many alerts. Quality assurance functions are being beefed up with genuine independence, and SAR filing practices are expected to demonstrate consistency and timeliness. For cross-border models, source-of-wealth corroboration and intermediated business attract heightened expectations; firms must be prepared to justify reliance on introducers with concrete due diligence and periodic testing.

Governance more generally is in the spotlight. Boards and senior management are expected to own the compliance agenda, not outsource it to second-line functions. Documentation of challenge, trade-offs and risk appetite decisions should be of a standard that can be disclosed to supervisors without reconstruction. In the investment firm sector, remuneration governance aligned to risk remains a live topic, particularly for firms transitioning between proportionality categories or growing into more complex structures. The message is familiar, but the threshold for what counts as “effective” has moved upwards.

Insurance-based investments: advice quality and the transparency imperative

Germany’s life insurance and bancassurance channels are being asked to reconcile robust retail protection with commercial realities in a rate environment that has altered product attractiveness. Unit-linked policies, hybrid guarantees and structured features must be explained with unusual clarity. Supervisory focus has coalesced around three issues:

  • Cost transparency in a setting where layered charges can erode the benefits of compounding.
  • The presentation of guarantees and loss asymmetries in products that embed complex mechanisms or conditional benefits.
  • After-sales service and monitoring, especially where long-term products are sold to clients with low financial literacy.

Distributors are responding with enhanced training, better “point of advice” materials, and outcome testing on sample client files. In practice, firms are running periodic reviews to test whether ongoing advice and portfolio rebalancing within insurance wrappers remain aligned with documented objectives and risk appetite. The dialogue with supervisors in this space is co-operative but firm: choice architecture that nudges clients towards more expensive options without a defensible rationale is no longer tolerated.

Consolidation, alliances and the professionalisation of distribution

Market dynamics are driving consolidation in distribution networks and the emergence of platform-style alliances between manufacturers, brokers and fintech facilitators. This consolidation is motivated as much by regulatory economies of scale as by commercial logic. Product approval committees, surveillance tooling, client file quality assurance and remediation frameworks carry fixed costs that smaller players struggle to absorb. As a result, larger networks are absorbing boutique intermediaries and offering standardised compliance infrastructure in exchange for distribution reach.

From a supervisory perspective, this is welcome insofar as it raises the floor on governance. It also creates new conflict risks: ownership links between manufacturers and distributors must be managed transparently, with clear disclosures, oversight over incentive structures and demonstrable protection of clients’ best interests. Expect closer attention to how platforms curate product shelves, manage negative target market constraints and handle manufacturer due diligence. Firms should assume that the audit trail for product inclusion and removal decisions will be reviewed in thematic work.

Outlook

The broader narrative is not one of abrupt regulatory overhaul but of incremental elevation. Germany remains a jurisdiction that prefers stable frameworks and expects market participants to internalise high standards of governance and documentation. Those who respond by investing in evidencing, rationalising distribution chains and aligning product features to client needs will find a supervisory environment that rewards substance and transparency. Those who seek growth through complexity without control will find the environment progressively unforgiving.

In short, the German market in the coming period will likely be defined by professionalisation, not proliferation. The opening of new issuance avenues under electronic securities law, the continued institutionalisation of private credit and the digitalisation of intermediation will provide opportunities – but only for those prepared to meet the elevated bar for investor protection, operational resilience and honest marketing that German supervisors now expect as a baseline.

PwC Legal

Friedrich-Ebert-Anlage 35-37
60327 Frankfurt am Main
Germany

+49 160 97375760

michael.huertas@pwc.com legal.pwc.de/en

Trends and Developments

Author



PwC Legal and its network firms operate in more than 100 territories with over 4,000 lawyers, delivering comprehensive advisory and transactional services to financial institutions, multinational corporates and public bodies. The firm’s Global Financial Services Sector Group brings together more than 450 lawyers who provide strategic, commercially driven advice across the full spectrum of transactional, regulatory and advisory matters – spanning all major asset classes and the rapidly evolving crypto-assets and digital infrastructure landscape. PwC Legal supports clients through the entire regulatory life cycle and across phases of growth, financing and corporate transformation. The firm’s expertise includes licensing and perimeter analysis; prudential and conduct regulation; payments and fintech; crypto-assets and tokenisation; market infrastructure and trading; governance, risk and remediation; outsourcing and cloud; operational resilience; and ESG. The firm also assists clients in structuring, documenting and executing complex transactions – including M&A, reorganisations, structured finance, derivatives and banking and finance – and acts in investigations, disputes and enforcement matters.
