Germany’s financial regulatory architecture is deeply integrated with the European Union (EU) Single Rulebook for financial services, while retaining distinctive national legal instruments, supervisory practices and institutional arrangements. The operative legal framework covers all categories of financial institutions, including credit institutions, payment institutions, electronic money institutions, investment firms, insurance undertakings and crypto-asset service providers.

German law overlays EU definitions with national regimes under:

• the Kreditwesengesetz (KWG – the German Banking Act) for credit institutions and financial services institutions;
• the Zahlungsdiensteaufsichtsgesetz (ZAG – the German Payment Services Supervision Act) for payment and electronic money institutions;
• the Wertpapierinstitutsgesetz (WpIG – the German Investment Firm Act) for non-bank investment firms;
• the Geldwäschegesetz (GwG – the German Anti-Money Laundering Act) for anti-money laundering (AML) compliance; and
• implementing ordinances and circulars, notably:
1. MaRisk (Minimum Requirements for Risk Management);
2. BAIT (Supervisory Requirements for IT in Financial Institutions); and
3. MaComp (Minimum Requirements for the Compliance Function).

German civil and commercial law frameworks continue to apply across regulated financial activities, including:

• the Bürgerliches Gesetzbuch (BGB – the German Civil Code);
• the Handelsgesetzbuch (HGB – the German Commercial Code); and
• consumer protection provisions (for example, Sections 491 et seq of the BGB for consumer credit).

Germany participates in the EU Banking Union, including:

• the Single Supervisory Mechanism (SSM), a framework for banking supervision in the eurozone, comprising the ECB and national supervisory authorities; and
• the Single Resolution Mechanism (SRM), a system for managing the failure of banks in the Banking Union.

Banking Union significant institutions (SIs) are supervised in the context of the SSM directly by the European Central Bank (ECB), while the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin – the German Federal Financial Supervisory Authority) and the Deutsche Bundesbank (the German central bank) oversee day-to-day supervision of less significant institutions (LSIs), in addition to performing national regulatory tasks. Resolution planning and execution follow EU standards under the SRM, with BaFin acting as national resolution authority (NRA), and the Single Resolution Board (SRB) supervising Banking Union institutions in the context of the SRM.

German financial services law is primarily shaped by EU legislation, which is implemented domestically through national statutes and supervisory practices. The regulatory landscape can be understood as comprising three interlinked layers.

• European Union law, including regulations and directives that provide harmonised rules for prudential supervision, conduct of business, market integrity, operational resilience and consumer protection. Key examples include:
1. the Capital Requirements Regulation and Directive (CRR/CRD VI);
2. the Markets in Financial Instruments Directive and Regulation (MiFID II/MiFIR);
3. the Market Abuse Regulation (MAR);
4. the Bank Recovery and Resolution Directive (BRRD);
5. the Single Resolution Mechanism Regulation (SRMR);
6. the Markets in Crypto-Assets Regulation (MiCAR);
7. the Digital Operational Resilience Act (DORA);
8. the evolving EU AML package;
9. the Anti-Money Laundering Directives (AMLDs); and
10. the EU AI Act.
• German national law, which transposes and supplements EU requirements. The central statutes include:
1. the KWG, which regulates banking activities, authorisation, and prudential requirements;
2. the Wertpapierinstitutsgesetz (WpIG), which governs non-bank investment firms and is the primary framework for MiFID services;
3. the ZAG, which regulates payment and electronic money institutions;
4. the Kapitalanlagegesetzbuch (KAGB – the German Capital Investment Code), which governs collective investment schemes, asset management and loan origination by funds;
5. the Pfandbriefgesetz (PfandBG – the German Covered Bond Act), which provides the framework for covered bonds, establishing special priority creditor rights over a dedicated cover pool;
6. the Gesetz über elektronische Wertpapiere (eWpG – the German Electronic Securities Act), which enables the issuance and custody of electronic securities;
7. the Vermögensanlagengesetz (VermAnlG – the German Capital Investment Act for non-securitised products), which creates a statutory framework for non-securitised investment products;
8. the GwG, which implements anti-money laundering rules, including under the AMLDs;
9. the Einlagensicherungsgesetz (EinSiG – the German Deposit Guarantee Act) and the Anlegerentschädigungsgesetz (AnlEntG – the German Investor Compensation Act), which establish statutory deposit insurance and investor compensation schemes;
10. the Institutsvergütungsverordnung (InstitutsVergV – the German Remuneration Ordinance for Institutions), which sets out detailed rules on remuneration governance, including deferral, malus/clawback mechanisms and limits on variable pay;
11. the BGB and HGB, which provide underlying civil, commercial and consumer protection law (eg, Sections 491 et seq of the BGB for consumer credit);
12. the Einlagensicherungs- und Anlegerentschädigungsgesetz (EAEG – the German Deposit Guarantee and Investor Compensation Act), which sets out deposit protection and investor compensation schemes; and
13. the BGB, which provides consumer protection rules applicable to financial contracts, credit agreements and distance marketing.
• Supervisory guidance and soft law, issued by German and EU authorities to clarify the application of laws and regulations. These include:
1. BaFin circulars and guidance;
2. ECB instructions under the SSM; and
3. recommendations or guidelines from the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA).

While Germany’s integration with the EU Single Rulebook ensures harmonisation, national overlays often create additional compliance complexity, particularly for EU-passported firms. For example, BaFin’s supervisory guidance on MaRisk, BAIT and MaComp frequently sets expectations beyond EU minima, requiring institutions to operationalise high standards of governance, risk management and documentation that can impact resource allocation and internal controls. This dual layer of EU and domestic regulation necessitates careful alignment between legal compliance, operational execution and supervisory expectations.

Scope of Regulated Institutions

Germany’s regulatory perimeter explicitly differentiates between:

• credit institutions under the KWG, including a broad spectrum of credit institutions – namely commercial, savings and co-operative banks;
• investment firms under the WpIG;
• financial services institutions under the KWG;
• payment and e-money institutions under the ZAG;
• crypto-asset service providers under the KWG and MiCAR; and
• insurance undertakings under the Versicherungsaufsichtsgesetz (VAG – the German Insurance Supervision Act).

The PfandBG provides a robust framework for Germany’s covered bond market, featuring ring-fenced cover pools, privileged creditor priority and special administration regimes. Deposit protection is provided by statutory schemes under the EinSiG, supplemented by Institutional Protection Schemes in the savings and co-operative banking sectors.

Foreign firms may access the market via subsidiaries, EEA branches, third-country branches or cross-border services, with authorisation requirements calibrated accordingly. Licensing generally mandates adequate initial capital, fit-and-proper management, coherent business plans and MaRisk/BAIT-compliant organisation and outsourcing controls.

Regulatory Perimeter

Germany’s perimeter captures:

• banking activities (notably deposit-taking, lending and treasury) under the KWG;
• MiFID-aligned investment services such as portfolio management, investment advice, order execution and underwriting under the WpIG/Wertpapierhandelsgesetz (WpHG – the Securities Trading Act);
• domestic and cross-border payment services and e-money issuance under the ZAG;
• crypto-asset services, including custody, exchange and issuance (currently licensed under the KWG with a MiCAR overlay); and
• services relating to the registration and transfer of electronic securities under the eWpG.

Prudential requirements follow CRR III/CRD VI, including capital adequacy, leverage, liquidity, large exposures and the Internal Capital/Liquidity Adequacy Assessment Process (ICAAP/ILAAP) framework, together with regulatory reporting (FINREP/COREP – the framework for Financial Reporting/Common Reporting in the EU). Conduct obligations include client classification, suitability and appropriateness assessments, product governance and best execution under the WpHG/WpIG, aligned to MiFID II standards.

Banking Activities

Under the KWG, the acceptance of repayable funds from the public and the granting of credit are regulated activities that require authorisation. Exceptions exist for intra-group transactions, ancillary commercial credit, and specific fintech or payment-related activities, provided these are conducted under the relevant ZAG or EU regulatory framework. Violations can trigger administrative fines, civil liability or criminal sanctions.

Banks are subject to the Sanierungs- und Abwicklungsgesetz (SAG – the German Recovery and Resolution Act) (implementing BRRD/SRMR) for recovery and resolution. Requirements include credible recovery plans for severe stress, early intervention powers, and resolvability work (bail-in, bridge institution, sale of business). German institutions within the SRM are subject to Minimum Requirement for own funds and Eligible Liabilities (MREL) calibration by the SRB or BaFin, including internal MREL for material subsidiaries.

Resolution planning covers bail-in execution, sale-of-business, bridge bank use, liquidity in resolution and operational continuity in resolution. Firms must demonstrate loss-absorbing capacity, clean holding company structures where applicable, and resolvability work on funding and collateral pre-positioning. Co-ordination is required between BaFin (as NRA), the Deutsche Bundesbank and the SRB. Where resolution conditions are not met, German insolvency law (InsO – the German Insolvency Code) applies, with deposit guarantee scheme interventions co-ordinated under the EAEG.

Investment Services and Financial Instruments

Financial instruments, as defined under MiFID II/MiFIR and the KWG/KAGB, include transferable securities, units in investment funds, derivatives and certain structured products. Investment services subject to authorisation include:

• the reception and transmission of client orders;
• the execution of orders on behalf of clients;
• dealing on own account;
• the underwriting and placing of financial instruments;
• portfolio management and investment advice; and
• the operation of multilateral trading facilities (MTFs) and organised trading facilities (OTFs).

Investment firms are subject to the Investment Firm Regulation/Directive (IFR/IFD) regime, implemented in Germany via the WpIG. Prudential classification (Class 1/2/3) depends on size and activities, with Class 2 firms subject to K-factor (a set of quantitative capital requirements for investment firms) requirements measuring risk to clients, market and firm (eg, K-AUM, K-CMG, K-NPR). The regime introduces own funds, liquidity, concentration and disclosure obligations tailored to investment firm business models. Supervisors assess internal governance, Internal Capital Adequacy and Risk Assessment processes, wind-down planning and remuneration frameworks, in line with EBA guidelines.

Capital Markets and Market Infrastructure

Germany’s capital markets framework applies the Prospectus Regulation for public offers and admissions to trading, the Packaged Retail and Insurance-based Investment Products (PRIIPs) Regulation for retail KIDs, and the Short Selling Regulation for net short position reporting and restrictions. Trading venues (regulated markets, MTFs, OTFs) and market operators are supervised in alignment with MiFID II/MiFIR, with transparency, market surveillance and algorithmic trading controls. The Benchmarks Regulation governs the use of critical, significant and non-significant benchmarks, including third-country benchmark recognition and transition arrangements. Securities financing transactions are subject to Securities Financing Transactions Regulation transparency. Market infrastructure includes Central Counterparties (CCPs) and Central Securities Depositories CSDs) subject to European Market Infrastructure Regulation (EMIR) and Central Securities Depositories Regulation (CSDR) regimes respectively.

Asset Management

The KAGB implements Undertakings for Collective Investment in Transferable Securities (UCITS) and the Alternative Investment Fund Managers Directive (AIFMD) and, with AIFMD II, introduces enhanced rules on delegation, liquidity management tools (including anti-dilution and redemption gates), loan origination funds (eligibility, risk retention, leverage and concentration) and reporting. UCITS and AIFs require an authorised depositary subject to strict safekeeping and oversight duties and near-strict liability for loss of financial instruments held in custody. Marketing is regulated through pre-marketing and notification procedures, with investor categorisation, disclosure and local facilities requirements. Managers are expected to operationalise liquidity stress testing, valuation controls and conflicts governance across product life cycles.

Insurance and Reinsurance

Germany’s insurance and reinsurance sector is supervised under the VAG, implementing Solvency II. BaFin authorises and supervises insurers, reinsurers, insurance groups and conglomerates, applying risk-based capital, governance and Own Risk and Solvency Assessment requirements. Cross-border activities follow Solvency II passporting for freedom of services and establishment. Distribution is governed by the Insurance Distribution Directive and German implementing rules, including product oversight and governance, suitability/appropriateness standards for insurance-based investment products, and training requirements under the Versicherungsvermittlerverordnung (VersVermV – the German Insurance Mediation Ordinance). Insurers must maintain robust outsourcing, ICT and cloud controls consistent with EIOPA guidelines and DORA.

Payment Services, E-Money and Other Financial Services

PSD2 (the EU’s second Payment Services Directive) is implemented via the ZAG, with strong customer authentication, access-to-accounts (XS2A) and API standards guiding open-banking integrations. The EU’s PSD3 and the Payment Services Regulation (PSR) are expected to refine licensing, safeguard requirements and fraud reimbursement frameworks. The Instant Payments Regulation mandates euro instant credit transfers and associated verification and sanctions-screening controls. German practice emphasises dispute resolution, chargeback transparency and complaint handling, with BaFin oversight of incident reporting, operational resilience and outsourcing for critical payment functions.

Payment card fees are constrained by the Interchange Fee Regulation, with transparency and separation requirements for card schemes and processing. The Bundeskartellamt (the German Federal Cartel Office) monitors competitive dynamics in payments, including platform rules, access conditions and potential self-preferencing. Firms should assess competition law risk in pricing, exclusivity and data-sharing arrangements, particularly in platform ecosystems.

Crowdfunding

EU crowdfunding service providers are authorised under the European Crowdfunding Service Providers Regulation, enabling cross-border investment- and lending-based crowdfunding with harmonised disclosure (the Key Investment Information Sheet), conflict management and investor protection (entry knowledge tests, loss simulation).

Credit servicers

Credit servicers and purchasers are subject to the Credit Servicers Directive framework, with licensing and conduct obligations for managing non-performing loan portfolios, borrower communication standards and data handling rules.

Other financial services

Further regulated financial services such as securitisation and structured finance are subject to CRR/CRD prudential requirements, MiFID conduct rules and EMIR reporting obligations where applicable. EMIR imposes clearing obligations for standardised OTC derivatives, risk-mitigation techniques for non-cleared trades (timely confirmation, portfolio reconciliation, dispute resolution) and margin requirements for Financial Counterparties (FCs) and Non-Financial Counterparties (NFCs) above clearing thresholds. EMIR 3.0 strengthens EU clearing resilience with active account requirements at EU CCPs for certain asset classes and enhanced reporting and data quality standards. German firms must ensure compliant collateral management, model validation and reconciliation practices, with supervisory scrutiny of intraday liquidity and concentration risks.

Access and tied agents

The services above must be performed by BaFin-authorised entities or firms passported from other EU member states. Reverse solicitation is recognised in line with EU guidance, allowing EU-based firms to provide services to German domiciled clients exclusively upon the client’s own exclusive initiative, although this exemption is narrowly construed by supervisors.

Germany permits distribution through tied agents (gebundene Vermittler) acting under the full responsibility of an authorised MiFID firm, with mandatory registration and oversight covering training, conduct, client money and communications. Separately, Section34f GewO (a section of the Gewerbeordnung – the German Trade Regulation Act) intermediaries operate under a distinct national perimeter, with limited scope and heightened manufacturer oversight requirements. Manufacturers must evidence end-to-end product governance, target market adherence, complaint handling and remediation across all distribution chains, including non-MiFID channels.

General Observations

German supervisory practice often exceeds EU minimums in areas such as suitability assessment, product governance and distribution diligence, particularly for retail and mass affluent clients. This creates a risk of regulatory friction for institutions operating cross-border or offering hybrid products. Third-country branch models, in particular, require strategic planning in light of the CRD VI harmonised branch rules effective from 11 January 2027, where compliance failures could trigger significant enforcement scrutiny.

Commonly used routes and exemptions include:

• EU passporting for EEA-authorised CRR institutions and investment firms (for cross-border services and branches);
• the use of representative offices with strictly limited permissible activities; and
• a harmonised third-country branch regime under CRD VI, with core obligations applicable from 11 January 2027.

Certain limited advisory or internal treasury activities may fall outside the scope of licensing where they are incidental to a non-regulated primary business and are not conducted on a commercial basis. All perimeter analyses should be conducted on the precise fact pattern, given the narrow construction of exemptions by BaFin and the courts.

Third-country firms can access Germany via subsidiaries, EEA branches (post-authorisation) or cross-border services, where permitted, with CRD VI introducing a harmonised third-country branch regime from 11 January 2027. Reverse solicitation is narrowly construed; firms should not rely on it as a distribution strategy.

Supervisors consider group supervision, co-operation agreements and booking arrangements, with post-Brexit practice underscoring the need for appropriately capitalised EU entities and robust local governance for material activities. EEA institutions may passport services or establish branches through home-state notifications, with host-state conduct and consumer protection overlays applicable. Branches must implement local governance, complaints and incident reporting aligned with BaFin expectations, and ensure that product governance and disclosure standards reflect German market practice. Notifications should detail activities, target clients, outsourcing to group entities and the local control framework.

The following activities are exempt from standard authorisation requirements:

• ancillary commercial credit extended by non-bank entities in the ordinary course of business;
• intra-group treasury operations subject to appropriate risk management and internal governance;
• limited proprietary trading or advisory activities triggered by reverse solicitation; and
• small-scale fintech or payment services, where PSD2 or the E-Money Directive provides a regulatory carve-out.

These exemptions are strictly defined and subject to BaFin oversight, with firms required to notify or demonstrate compliance with the limits of each exception. Given the narrow construction of exemptions by BaFin and the courts, a detailed perimeter analysis based on the specific fact pattern is always necessary. Exemptions are narrowly construed by BaFin, and reliance on ancillary or reverse solicitation activities carries the risk of supervisory queries or enforcement. Firms must ensure robust internal controls and documentation to demonstrate that activities genuinely fall outside the regulated perimeter, particularly in fintech or non-bank lending contexts.

Germany has brought crypto custody and related services into the regulatory perimeter through amendments to the KWG, with BaFin supervising licensing. At the EU level, MiCAR establishes a harmonised regime, which Germany implements directly and through national law, with the following effects:

• issuers of crypto-assets must comply with white paper requirements and disclosure obligations;
• crypto-asset service providers (CASPs), including custodians, trading platforms and advisers, require BaFin authorisation; and
• prudentially relevant activities, such as issuing electronic money tokens or asset-referenced tokens, are supervised by both BaFin and Deutsche Bundesbank, overseeing certain prudential aspects.

Market integrity rules, including prohibitions on insider trading and market manipulation, apply as directly under EU law.

Transitional arrangements exist for firms operating under prior national regimes, allowing phased compliance with MiCAR.

The EU Transfer of Funds Regulation applies the crypto “travel rule” to CASPs, requiring originator and beneficiary information to accompany transfers, with risk-based controls for unhosted (non-custodial) wallets. The (revised) Distributed Ledger Technology (DLT) Pilot Regime enables authorised operators to run DLT multilateral trading facilities, settlement systems or combined trading and settlement systems, subject to exemptions and proportional safeguards. Germany’s eWpG interacts with these frameworks by permitting electronic bearer bonds and fund units, facilitating tokenisation within established property and custody rules.

CASPs authorised to operate in Germany must satisfy both MiCAR and BaFin’s domestic supervisory expectations. Governance requirements emphasise robust segregation of client assets, strong key management (including multi-signature wallets), incident response, segregation of duties, and the integration of AML/CTF controls, including blockchain analytics, travel rule compliance and risk-based customer scoring. ICT resilience expectations, including outsourcing oversight, are aligned to DORA, which imposes EU-harmonised ICT risk management, incident reporting and third-party risk obligations.

BaFin is the national competent authority for prudential and conduct supervision across banks, investment firms, payment institutions and CASPs. It is responsible for licensing, ongoing supervision, enforcement and AML oversight, and serves as the national resolution authority. The Deutsche Bundesbank supports prudential supervision through data collection, analysis and on-site inspections and Supervisory Review and Evaluation Process (SREP) inputs. Within the Banking Union, the ECB – through the SSM – directly supervises SIs via joint supervisory teams, while LSIs are overseen day-to-day by BaFin and the Bundesbank under SSM methodologies.

The German Financial Intelligence Unit (FIU) receives suspicious activity reports; BaFin co-ordinates AML supervision of obliged entities within its remit. Sanctions compliance is co-ordinated at EU level with national enforcement by Bundesamt für Wirtschaft und Ausfuhrkontrolle (BAFA – the Federal Office for Economic Affairs and Export Control) and BaFin within their remits. Institutions must implement screening against EU and national lists, asset freeze implementation, escalation and governance procedures, and licence management for exemptions. Controls should address ownership and control by listed persons, circumvention risks, trade finance documentation and end use/end user checks, with robust audit trails and board-level oversight.

The Bundesamt für Sicherheit in der Informationstechnik (BSI – the Federal Office for Information Security) sets national cybersecurity standards relevant to ICT resilience.

Macroprudential oversight is co-ordinated by the Financial Stability Committee (Ausschuss für Finanzstabilität) with the Finance Ministry, BaFin and the Bundesbank, and works in co-ordination with the European Systemic Risk Board.

Main Authorities

In practical terms, firms primarily interact with the following authorities:

BaFin

• Licenses, supervises and enforces banking, investment, payment and e-money activities.
• Oversees AML compliance, investor protection and conduct-of-business standards.
• Co-ordinates with ECB under the SSM for significant institutions and with the SRB for resolution planning.

Deutsche Bundesbank

• Provides prudential support, liquidity monitoring and systemic risk assessments.
• Participates in ECB-led supervision and supports BaFin in licensing, stress testing and operational resilience evaluations.

European Supervisory Authorities

• EBA, ESMA, EIOPA (and in future the EU’s Anti-Money Laundering Authority, or AMLA) issue binding technical standards guidelines.
• AMLA will assume a central role in harmonising AML/CFT supervision, taking over certain functions from the EBA, co-ordinating national supervisors and issuing recommendations.

On-Site Inspections and Supervisory Audits

Supervision relies on audit reports (Prüfungsberichte) by statutory auditors covering regulatory requirements, targeted “special audits” Sonderprüfungen where risks are identified, and on-site inspections by BaFin, the Bundesbank and, for SIs, ECB Joint Supervisory Teams. Institutions should expect detailed reviews of governance effectiveness, model risk, ICT controls, outsourcing registers and incident management, with clear remediation timelines and follow-up testing. In practice, BaFin is considered more prescriptive and interventionist than many other EU regulators, particularly regarding retail protection, AML/CTF and digital asset operations. Co-ordination between BaFin, Bundesbank, ECB and EU authorities can sometimes result in overlapping requirements, requiring firms to invest heavily in regulatory liaison functions and compliance monitoring.

While EU rules are directly applicable in many areas, BaFin’s circulars –MaRisk (risk management and governance), BAIT (ICT governance and outsourcing) and MaComp (conduct and organisational rules) – are the central soft law instruments translating legal requirements into German supervisory expectations. German supervisory practice also integrates binding technical standards and guidelines from the EBA and ESMA, as well as specific guidance from the ECB under the SSM on areas like internal governance, model risk, outsourcing and ESG. DORA now harmonises ICT risk management, incident reporting and third-party oversight across the EU, driving further alignment of German ICT expectations with EU-level standards.

Outsourcing expectations align MaRisk/BAIT with EBA outsourcing and cloud guidelines, requiring comprehensive registers, criticality assessments, audit and access rights, data location and subcontracting controls, exit strategies and resilience testing. Under DORA, critical ICT third-party providers are subject to EU-level oversight, with lead overseers empowered to require remediation. Firms must manage concentration risk, maintain incident response and perform scenario testing aligned with ICT business continuity and disaster recovery plans.

Financial institutions must comply with the General Data Protection Regulation (GDPR) and the Bundesdatenschutzgesetz (BDSG – the German Federal Data Protection Act), including lawful bases for processing, data minimisation, retention and data subject rights, alongside sector-specific banking secrecy obligations. Monitoring, surveillance and AML measures must be balanced against privacy requirements through clear policies, Data Protection Impact Assessments and proportional controls. Outsourcing and cross-border processing require contractual safeguards, audit rights and transfer mechanisms. Record-keeping standards must align with prudential, conduct and AML regimes, without excess data collection.

Soft law instruments, such as MaRisk, BAIT and MaComp, create operational expectations that frequently exceed statutory minima. Firms must translate these into concrete processes – eg, detailed ICT governance, layered disclosures in retail distribution, or AI explainability protocols – or risk supervisory critique for insufficient operationalisation.

Germany is implementing the final Basel III reforms via the EU CRR III/CRD VI package. Key elements include:

• the output floor;
• revised standardised and IRB approaches for credit risk;
• the Fundamental Review of the Trading Book (FRTB);
• operational risk reforms
• CVA (Credit Valuation Adjustment); and
• updated real-estate exposure treatments.

These rules are applied through the SSM supervisory cycle, Pillar 2 (including SREP), and are operationalised domestically via MaRisk and related guidance, with ongoing alignment to EU technical standards and supervisory calendars. Accordingly, the following applies.

• German banks adhere to CRR III/CRD VI capital and liquidity standards. ICAAP/ILAAP are embedded via MaRisk, including stress testing and risk appetite frameworks. Firms report FINREP/COREP to BaFin/Deutsche Bundesbank, with additional templates for resolution, MREL/total loss absorbing capacity and internal controls. Internal model governance follows ECB/SSM expectations and BCBS 239 (the Basel Committee on Banking Supervision’s principles for effective risk data aggregation and risk reporting) data governance. Harmonised requirements for third-country branches under CRD VI take effect from 11 January 2027.
• The SREP conducted by ECB (for SIs) or BaFin (for LSIs) assesses Pillar 2 capital, interest rate risk in the banking book, operational risk and internal governance.
• Macroprudential measures, including capital buffers, are determined by BaFin in consultation with the Bundesbank. Pillar 2 SREP assessments frequently reveal gaps in interest rate risk modelling, stress testing and internal controls, particularly under “higher-for-longer” interest rate conditions. Firms must demonstrate not only compliance with CRR III/CRD VI but also credible risk appetite and ICAAP/ILAAP integration into day-to-day management decisions. Real estate lending is subject to conservative valuation under Beleihungswertermittlungsverordnung (BelWertV – the Regulation on the Determination of the Mortgage Lending Value), with prudential expectations on borrower affordability, collateral enforceability and risk differentiation by property type and region. Supervisors monitor loan-to-value distributions, amortisation practices and sensitivity to interest rate shocks, with heightened scrutiny of commercial real estate concentrations and underwriting standards in a higher-for-longer rate environment.

As part of the EU, Germany currently operates on a T+2 settlement cycle for cash equities. The EU is targeting a move to a T+1 settlement cycle by 2027. EU post-trade reforms under the CSDR Refit, which includes revised settlement discipline rules and central securities depository obligations, remain a key focus area. German institutions are expected to enhance reconciliation, fails management and operational readiness in anticipation of the transition to a shorter settlement cycle. Clearstream Banking Frankfurt acts as the primary CSD infrastructure, subject to CSDR, with trade reporting, reconciliation and operational resilience monitored by BaFin and the ECB.

CSDR’s settlement discipline regime imposes cash penalties for fails and prescribes measures to improve settlement efficiency. Mandatory buy-ins are not currently active but remain a policy lever. German market participants are expected to monitor settlement efficiency metrics, perform root cause analysis of fails and implement operational improvements. CSD authorisation and oversight continue under the CSDR Refit, with a focus on risk management, operational resilience and cross-border services. Operational readiness for T+1 settlement is a significant challenge, requiring enhanced reconciliation, fails management and liquidity buffers. German institutions are actively preparing, but supervisory expectations already anticipate potential operational stress and systemic impact of settlement failures.

ESG integration spans governance, risk management and product disclosure through the Sustainable Finance Disclosure Regulation (SFDR), the Taxonomy Regulation and the Corporate Sustainability Reporting Directive (CSRD), supplemented by SSM climate expectations and BaFin guidance on sustainability risks. Firms are expected to maintain evidence-based marketing, claims registers and sampling controls to substantiate sustainability-related statements, and to ensure alignment between disclosures, product design, stewardship approaches and actual portfolio composition. ESG is treated as both a prudential and a conduct matter.

Supervisors have intensified greenwashing enforcement through thematic reviews, marketing material sweeps and targeted interventions. Firms are expected to maintain robust claims governance, including pre-clearance of sustainability statements, alignment between investment strategy and disclosures, and ongoing portfolio checks versus exclusions or targets. Misleading labels, inconsistent use of ESG metrics or unsubstantiated impact claims trigger corrective orders and, where appropriate, sanctions.

Beyond the conduct/prudential focus above, ESG expectations include board-level oversight of sustainability risks, integration into ICAAP/ILAAP and product governance, and participation in ECB climate stress testing for SIs. Greenwashing and mis-selling risks are treated as both conduct and prudential issues, with enforcement increasingly co-ordinated at EU level. Greenwashing enforcement is increasingly rigorous. Supervisors expect evidence-based claims, robust internal approval processes, and periodic verification of portfolio alignment with ESG statements. Smaller institutions face resource challenges in meeting SFDR, Taxonomy and CSRD requirements, creating a potential competitive disadvantage.

DORA has been operational since 17 January 2025, and sets comprehensive ICT risk management, incident reporting and third-party outsourcing oversight obligations that are highly relevant to AI-enabled systems.

The EU AI Act imposes specific obligations for high-risk AI use cases common in financial services, such as credit scoring, risk assessment and certain portfolio management applications. AI governance under the EU AI Act applies to high-risk systems used for credit scoring, risk assessment and operational decision-making, and must be aligned with KWG/KAGB/ZAG operational and governance requirements.

German institutions are expected to maintain AI inventories and ensure robust human oversight, explainability and model governance. These controls must be integrated with existing BAIT and MaRisk frameworks, as well as data protection obligations under GDPR. The second Network and Information Security Directive (NIS2) provides an additional overlay of cybersecurity, security and breach notification duties.

NIS2 expands cybersecurity obligations for critical and important entities, including many financial sector firms and key service providers. Requirements encompass risk management, incident reporting timelines, supply chain security and governance oversight. Interaction with DORA necessitates co-ordinated ICT risk management, testing and reporting processes to avoid duplication and ensure end-to-end resilience across third-party and intragroup service chains. The integration of AI under the EU AI Act and DORA governance presents practical difficulties in explainability, auditability and human oversight, particularly for automated advisory or credit scoring systems. Firms must reconcile AI transparency obligations with operational efficiency and existing ICT governance frameworks.

Germany applies the principle of “same activity, same risk, same rules” to fintechs. BaFin provides advisory services and regulatory guidance to start-ups and new business models, including digital assets and payment platforms.

There is no formal German regulatory sandbox. Pilot programmes or regulatory sandboxes are limited but subject to co-ordination with EU initiatives and ECB research projects. The supervisory attitude prioritises investor protection and operational robustness over speed to market.

Germany has normalised digital issuance under the eWpG and integrated crypto services into the supervised perimeter, but supervisory engagement remains substance-focused with high standards on governance, AML/CTF and operational resilience.

On a central bank digital currency, the Eurosystem – via the ECB and the Deutsche Bundesbank – continues preparation activities for a potential Digital Euro, with ongoing design, prototyping and rulebook workstreams. The absence of a formal German regulatory sandbox limits early-stage experimentation, forcing fintech firms to engage with EU or ECB pilot programmes. Digital issuance under eWpG and MiCAR integration is proceeding cautiously, with the compliance burden shaping strategic entry decisions.

Robust protections under the KWG, BGB, ZAG and KAGB govern disclosure, suitability assessments, complaint handling and marketing standards. Supervisory attention focuses on vulnerable clients, transparency and fair contractual terms. Retail product governance is closely tied to clear target market definitions, calibrated marketing controls and effective oversight of distribution channels, including digital.

Germany is implementing the revised EU Consumer Credit Directive during 2026. Supervisory priorities emphasise outcome-oriented suitability, fairness and layered, comprehensible disclosures, with particular attention being paid to vulnerable customers and less financially literate segments. This includes “break points” for higher-risk products, and increased supervision of digital advice channels. Supervisory focus on vulnerable clients has intensified, especially where automated or digital advisory channels are used.

Suitability and disclosure processes must account for financial literacy, behavioural biases and potential misunderstanding of product features. Outcome-oriented supervision evaluates whether documented client objectives align with actual product allocation and ongoing advice.

Buy-now-pay-later and revolving credit products are assessed against consumer credit rules, transparency and fair value standards. Firms must ensure clear disclosures on total cost of credit, late fees and re-pricing, robust affordability checks, and outcome-oriented suitability for vulnerable consumers. Digital journeys should avoid dark patterns and provide accessible comparison of repayment options, with complaint and arrears management calibrated to consumer protection expectation.

This core regime is complemented by targeted consumer protections spanning mortgage credit under Germany’s implementation of the Mortgage Credit Directive, access to payment accounts (including basic accounts), fee transparency and early repayment rights constrained by clearly defined compensation limits. Effective product governance hinges on precise target market definitions, calibrated marketing controls and rigorous oversight of distribution – across both digital and face-to-face channels – underpinned by cross-cutting duties on fair value and communications, with heightened scrutiny of complex or bundled products. Complaints management, dispute resolution and the prevention of abusive practices are actively monitored, with sector-wide ombudsman schemes and BaFin’s complaints portal providing both redress mechanisms and supervisory visibility into firm behaviour, reinforcing a feedback loop that disciplines sales practices and tests the real-world efficacy of governance arrangements.

Shadow banking activities are monitored under CRR III, KWG and ECB guidance, with leverage and systemic risk reporting applied to non-bank financial institutions. BaFin conducts regular oversight of securitisation, asset management and lending activities outside the traditional banking sector.

Loan origination and private credit by closed-ended AIFs are permitted under the KAGB framework, with a supervisory focus on governance, liquidity management, conflict management and scrutiny of covenant-light exposures. To address risks in non-bank credit intermediation, macroprudential oversight employs tools such as cyclical capital buffers, borrower-based measures and enhanced monitoring of real estate credit concentration.

Non-bank credit intermediation and private credit by AIFs are closely monitored for leverage, liquidity mismatches and sector concentration risks. Macroprudential oversight targets both systemic and borrower-level risk, with BaFin emphasising governance, risk management and disclosure to ensure non-bank lending does not create hidden systemic vulnerabilities.

Conducting banking activities or financial services on a commercial basis in Germany requires authorisation from BaFin, with the Bundesbank closely involved in the review and the ECB acting as the competent authority for licensing credit institutions within the SSM. The process includes preliminary meetings, the submission of business plans and governance documents, due diligence on key personnel, and supervisory assessment. Key licensing requirements include an appropriate legal form, at least two fit-and-proper managers with sufficient time commitment, initial capital meeting applicable thresholds, a coherent three-year business plan and a MaRisk/BAIT-compliant organisational and governance framework, including robust outsourcing arrangements where used. Investment firms are authorised under the WpIG and the IFR/IFD regime; payment and e-money institutions are authorised under the ZAG. A German full banking licence can encompass MiFID services without a separate WpIG licence.

Applications for banking, investment, payment or crypto-asset services are submitted to BaFin, often in co-operation with the Bundesbank. A complete application typically includes:

• constitutional documents;
• ownership/control charts;
• a programme of operations;
• three-year financials and ICAAP/ILAAP narratives, where applicable;
• detailed policies (risk, compliance, AML/CTF, outsourcing, ICT, business continuity);
• outsourcing and IT inventories;
• incident frameworks; and
• recovery planning proportional to the business model.

Pre-application meetings are standard practice to de-risk filings and align on perimeter and scope. BaFin evaluates organisational structure, risk management, capital adequacy, compliance and consumer protection measures. Supervisors commonly request clarifications on governance lines, data quality, model validation, outsourcing subcontracting and financial resilience under adverse scenarios.

Qualifying Holdings and Changes in Control

Acquisitions or increases of qualifying holdings must be notified to BaFin (Section 2c of the KWG), with ECB involvement for SIs. Notification thresholds include 20%, 30% and 50% of voting rights or capital, or any acquisition conferring significant influence or control. The assessment covers the reputation and financial soundness of the acquirer, the sustainability of the business plan, governance and AML/CFT arrangements. Private banks’ voluntary schemes (eg, the Einlagensicherungsfonds, or ESF, which is the deposit protection fund of the Association of German Banks) may conduct parallel assessments. Foreign direct investment screening may apply in strategic sectors.

Governance

Institutions must implement governance structures consistent with CRD VI, MaRisk and EBA guidelines, including clear organisational arrangements, segregation of duties, effective supervisory board oversight and independent control functions. Outsourcing must align with MaRisk AT 9, BAIT and DORA for critical ICT functions, with contractual audit/termination rights and concentration risk management. Board composition and collective suitability are actively supervised, supported by documented delegation matrices, escalation protocols and risk oversight embedded in management processes. External auditors conduct enhanced regulatory audits; supervisors may object to appointments, impose remedial measures or order special audits where deficiencies arise.

Remuneration

The InstitutsVergV implements the CRD remuneration framework, including caps on variable pay (100% of fixed, extendable to 200% with shareholder approval), deferral (typically 40–60% for MRTs), and malus/clawback. Remuneration committees oversee alignment with risk appetite, with Pillar 3 disclosures and supervisory benchmarking.

AML/KYC

Institutions must implement risk-based CDD/KYC under the GwG, including verification of customers and beneficial owners, sanctions screening and ongoing monitoring. Enhanced due diligence applies to politically exposed persons (PEPs), complex ownership structures and high-risk jurisdictions. AML officers must be independent and adequately resourced. Suspicious activity reports are filed to the FIU, with cross-border co-ordination aligned to the evolving EU AMLA framework. Sanctions enforcement is co-ordinated with BAFA, and all measures must integrate GDPR/BDSG data protection controls.

Depositor Protection

Germany operates statutory and voluntary deposit protection under EinSiG and sectoral IPS frameworks. Coverage is generally up to EUR100,000 per depositor per institution, with additional voluntary coverage for private banks (ESF) and institutional schemes for Sparkassen (savings banks) and Genossenschaftsbanken (co-operative banks). Branches of EU credit institutions are covered by home-state schemes; third-country branches must clearly disclose applicable protections. The European Deposit Insurance Scheme remains under political and technical discussion at an EU level.

In practice, licensing and governance requirements are resource-intensive, particularly for institutions with complex structures, internal models or extensive outsourcing. Fit-and-proper assessments are strictly enforced, with frequent supervisory interventions and remedial obligations. Remuneration frameworks and variable pay structures are closely scrutinised for alignment with risk appetite, with implications for talent retention and incentive design.

End-to-end licensing typically takes nine to 12 months in practice, subject to the completeness and quality of the submission and iterative supervisory queries, within statutory review periods of up to six months from a complete application. Complex or cross-border models, or where internal models and extensive outsourcing are involved, can extend timelines toward 12–18 months.

Post-authorisation, firms are subject to supervisory fees and contributions, which include application costs, annual supervisory fees and potential costs for regulatory reporting or specialised audits, including sectoral fees for BaFin, the Single Resolution Fund and deposit guarantee scheme contributions, where applicable.

BaFin charges application fees based on activity type and complexity, alongside annual supervisory levies calculated with reference to balance sheet metrics and activity-based allocations. Additional cost lines include Deutsche Bundesbank reporting interfaces, statutory audit of regulatory requirements, SRF contributions for banks within the SRM, and deposit guarantee scheme contributions (including IPS interactions). Firms should budget for thematic or special audits and potential ECB cost recovery for SIs.

End-to-end licensing timelines are heavily influenced by application completeness, quality of governance documentation and the complexity of proposed services. High-touch supervisory interaction and iterative queries often extend practical timelines to 12–18 months, particularly for digital asset custody, third-country branches and cross-border investment services.

While Germany does not operate a formal individual accountability regime akin to the UK Senior Managers and Certification Regime, supervisors increasingly focus on the responsibilities of key function holders, documentation of delegations and the demonstrable effectiveness of management oversight.

Management and key function holders must meet fit-and-proper standards under the KWG, KAGB and CRD VI. Senior managers (Geschäftsleiter– ie, senior managers or directors) and supervisory board members are subject to fit-and-proper assessment under Sections 25c/25d of the KWG, covering integrity, competence, independence of mind, time commitment and conflict management. CRD VI extends governance expectations to key function holders and introduces rules on independence, staff dealing restrictions and cooling-off periods, where relevant. Ongoing suitability processes, training and oversight are embedded through MaRisk and are reviewed in supervisory engagements.

Ongoing obligations include training, remuneration oversight, internal audit, compliance monitoring and adherence to risk policies. BaFin may remove or restrict management functions in cases of non-compliance or inadequate governance.

The Whistleblower Protection Act (the Hinweisgeberschutzgesetz, or HinSchG) requires firms to implement secure, confidential internal reporting channels for breaches of EU and German law, with timely follow-up and protection from retaliation. BaFin expects clear governance for whistle-blowing, independent investigation capabilities and board visibility over material issues.

Over the coming months, Germany will continue the roll-out of the CRR III/CRD VI package, including the output floor, FRTB, operational risk, CVA and revised real estate treatments, aligned to EU RTS/ITS timelines. The harmonised third-country branch regime under CRD VI will apply from 11 January 2027, requiring strategic planning for third-country access models. DORA operationalisation will drive enhancements to ICT risk management, incident reporting and third-party contractual oversight across the sector. EMIR 3.0 clearing and reporting reforms, the CSDR Refit and the EU instant payments and fraud-prevention initiatives will reshape post-trade and payments operations. ESG-related supervision will intensify under SFDR, the Taxonomy and the CSRD, with continued greenwashing enforcement. Domestically, supervisors are prioritising the professionalisation of retail and non-securitised investment distribution, the normalisation of electronic securities and crypto services within robust governance and asset liability management (AML) frameworks, and vigilant oversight of ALM, deposit stability and interest rate risk.

Key domestic trends and supervisory priorities include the following.

Retail Distribution: Suitability, Disclosure and Product Governance

Retail distribution remains a central focus of regulatory scrutiny, driven by supervisory emphasis on advice quality, client outcomes, product governance, and conflict management in vertically integrated value chains. German supervisors expect suitability assessments to go beyond standardised questionnaires, requiring evidence that individual client objectives, time horizons, loss-bearing capacity and liquidity needs align precisely with product features, risks and potential downside exposures. Internal approvals, documentation and after-sales monitoring processes are being restructured to capture these links in a verifiable manner.

Product governance has similarly evolved from a procedural exercise into a substantive supervisory priority. Target market definitions must be granular and realistic, negative target markets must be rigorously enforced, and mechanisms must be in place to prevent “target market drift” under commercial pressures. Supervisors are examining manufacturer–distributor arrangements for structured products, leveraged notes and closed-ended AIF interests, ensuring that costs, liquidity constraints and risk exposures are clearly disclosed and consistently communicated across all sales channels.

Digital onboarding and automated advice channels have improved traceability but have raised concerns about explainability and transparency, particularly where default settings, pre-populated recommendations or compressed disclosures could obscure client choice. German practice increasingly requires layered disclosures with explicit “break points” for higher-risk features, supported by thorough records of client decisions that deviate from recommended pathways.

Non-Securitised Investments Under the Vermögensanlagengesetz

The regime governing non-securitised investment products continues to balance SME funding objectives with investor protection. Supervisory experience highlights the following three priorities.

• Documentation and credibility: issuer projections, risk statements and financial forecasts must be plausible, verifiable and reproducible.
• Suitability and distribution diligence: intermediaries must avoid “manufactured suitability”, ensuring that investor targeting is genuine rather than mechanically applied.
• Professionalisation of channels: lower-quality distribution networks are consolidating or exiting, with remaining intermediaries investing in compliance, product approval committees and ongoing monitoring aligned with MiFID-style governance.

This has led to higher compliance costs, lower tolerance for overly optimistic projections, and a general market shift toward professional-only placements or AIF structures under the KAGB, with attendant governance obligations.

Investment Intermediation: Boundaries of Permitted Services

Germany’s dual system – MiFID-authorised firms under WpIG/KWG and Section 34f GewO intermediaries – remains operational but is more rigorously supervised. Key issues include the following.

• Reception and transmission of orders: firms must clearly delineate between informal facilitation and regulated order-handling; informal collection of client orders risks unauthorised activity.
• Professional client classification: supervisors closely monitor opt-up procedures; unauthorised intermediaries cannot rely on manufacturer categorisations without contractual and client-level diligence.
• Manufacturer oversight: firms must evidence control over downstream sales, with explicit obligations on target market adherence, client data sharing, complaint handling and remediation protocols.

The overarching trend is towards formalising distribution chains, reducing reliance on informal or unstructured networks.

Digital Issuance, Electronic Securities and Crypto Custody

The eWpG has matured from legislative novelty to practical application. The law enables electronic bearer bonds, fund units and other registrable instruments, creating pathways for operational efficiency and market liquidity. EU crypto-asset rules provide overarching licensing and categorisation, but Germany maintains the following national distinctions.

• Crypto custody as a KWG-regulated service: licensing requires rigorous governance, IT controls and operational resilience.
• Hybrid registry models: centralised and decentralised registers coexist, providing flexibility in issuance and custody while maintaining legal certainty.

Supervisory expectations include multi-signature wallets, segregation of duties, independent change management, cross-jurisdictional incident response, and integration of AML/CTF measures, including travel rule compliance and blockchain analytics. Institutions adopting digital assets without embedding compliance into their operational architecture encounter significant delays and supervisory friction.

Loan Origination by Funds and Private Credit

Germany permits loan origination by closed-ended AIFs under the KAGB, with supervisory conditions emphasising prudential risk management.

• Credit risk governance: underwriting, collateral policies, valuations and workout procedures must be documented and integrated into risk frameworks.
• Liquidity management and investor fairness: asset maturity profiles must align with fund liquidity offerings; first-loss transfer to new investors is closely scrutinised.
• Delegation and conflict management: related-party servicers or originators require documented conflict mitigation and transparent fee structures.

Supervisors are vigilant regarding covenant-light exposures, layered collateral, sector concentration and realistic stress testing.

Interest Rate Risk, Deposit Stability and Conduct

Germany’s shift to a higher-for-longer interest rate environment has heightened focus on traditional banking risks, as follows.

• Interest rate risk in the banking book (IRRBB): supervisors review hedging strategies, balance sheet ALM modelling and scenario analyses.
• Deposit stability under rate competition: marketing campaigns for deposits and yield-enhancing notes are subject to suitability and fair presentation standards; misleading emphasis on headline yields triggers supervisory scrutiny.
• Treasury oversight: ALM models must account for client behaviour, cannibalisation effects and liquidity constraints. Smaller institutions are expected to maintain robust model risk management and independent risk functions.

Sustainability, Greenwashing and ESG Integration

Supervisory expectations have shifted from general principles to precision in sustainability risk integration and marketing, as follows.

• Risk integration: ESG factors must be embedded in credit, market and operational risk frameworks where material, with clear documentation.
• Marketing and claims: sustainability-related communications must be substantiated, internally approved and consistent across all client-facing materials, including Key Investor Information Documents, prospectuses, factsheets and digital platforms.
• Internal controls: firms must maintain claims registers linking assertions to underlying evidence and conduct periodic portfolio checks against exclusions or targets. Engagement strategies under discretionary mandates must be documented and measurable.

AML/CTF, Governance and Operational Resilience

AML/CTF supervision has hardened around practical effectiveness.

• Transaction monitoring: alerts must be actionable; models are recalibrated for product and channel-specific typologies.
• Customer due diligence: enhanced scrutiny for cross-border and introducer-based business, including source-of-wealth verification.
• Governance expectations: boards and senior management must demonstrate ownership of compliance agendas, risk appetite documentation and remuneration governance aligned to risk.

Operational resilience frameworks under DORA and BAIT mandate robust IT governance, incident response, third-party oversight and cyber risk management. Supervisors increasingly scrutinise AI and automation tools for transparency, explainability and auditability.

Insurance-Based Investments and Bancassurance

Life insurance and unit-linked products face intensified supervisory focus.

• Cost transparency: layered charges and guarantee costs must be fully disclosed.
• Suitability and clarity: structured or hybrid guarantees require detailed explanation of risk asymmetries.
• After-sales monitoring: ongoing portfolio alignment with client objectives is expected.

Supervisors demand defensible choice architecture; nudging clients towards higher cost options without justification is no longer acceptable.

Market Consolidation, Alliances and Professionalisation

Distribution networks are consolidating, with larger platforms absorbing smaller intermediaries and standardising compliance infrastructure. Supervisors welcome this trend for raising governance standards but monitor ownership links, incentive structures and negative target market enforcement. Product shelf curation, manufacturer due diligence and audit trails for inclusion and removal decisions are increasingly reviewed in thematic supervisory work.