Fintech 2026

GERMANY Law and Practice Contributed by: Stephan D. Meyer, Lars Fidan, Elisa Otto and Christian Meisser, LEXR

Outsourcing to a regulated entity is not required but can simplify due diligence, as regulated counterparties are more likely to already meet the governance and security standards the framework demands.

2.9 Gatekeeper Liability

There is no single “gatekeeper law” in Germany; rather, the concept is woven into virtually every regulatory framework governing fintech platforms. Under the Money Laundering Act (GwG), regulated entities must conduct ongoing customer due diligence, monitor transactions and file suspicious activity reports. MiCA takes this further for crypto trading platforms, requiring dedicated market surveillance systems and compliance with the market abuse provisions discussed in 6.8 Market Integrity Principles.

Regulators expect fintech providers to take active ownership of the integrity of the transactions they facilitate. Companies that design their compliance architecture around this reality from the start will find it far easier to scale than those that treat gatekeeper obligations as an afterthought.

2.10 Significant Enforcement Actions

BaFin has shifted from a cautious supervisor to an enforcement-oriented regulator, a trajectory that accelerated after the Wirecard scandal. In fintech, recent enforcement has focused on three areas. BaFin intensified scrutiny of BaaS providers, most notably Solaris, imposing operational restrictions over AML and governance deficiencies. BaFin has actively used its FinmadiG powers to publicly warn against firms operating crypto-asset services without MiCA authorisation, and neobanks and payment institutions have faced enforcement action over AML compliance failures.

The pattern is consistent: BaFin acts early and publicly. Market participants should treat the regulator’s name-and-warn strategy as a permanent feature of the German supervisory landscape, not a temporary posture.

2.11 Implications of Additional, Non-Financial Services Regulations

Beyond financial regulation, fintech companies face a growing web of horizontal requirements that can be equally demanding. Data protection under the GDPR is a primary concern, especially for companies relying on AI-based analytics or open-banking services. DORA, the EU AI Act (classifying many financial AI applications as high-risk), and the NIS2 Directive collectively impose layered cybersecurity, resilience and AI governance obligations.

Unlike legacy banks, which have long operated under detailed BaFin IT security circulars (BAIT, ZAIT), fintech entrants may face a steeper compliance curve in aligning with these multi-layered requirements, where they rely on cloud infrastructure and third-party technology providers.

2.12 Review of Industry Participants by Parties Other Than Regulators

Annual audits by independent auditors (Wirtschaftsprüfer) are mandatory for regulated fintech companies. For KWG-licensed institutions, the resulting regulatory audit reports go directly to BaFin and the Bundesbank and regularly trigger follow-up where deficiencies are identified.

Beyond statutory requirements, market practice is driving additional review layers. Crypto companies commission smart contract audits and proof-of-reserve attestations. B2B fintechs routinely obtain SOC 2 certifications. Industry bodies such as Bitkom publish best practice standards that shape market norms even without legal force.

2.13 Conjunction of Unregulated and Regulated Products and Services

Combining regulated and unregulated services within a single company is widespread in German fintech. Payment services alongside analytics tools, crypto custody alongside unregulated advisory content: these combinations are the norm.

BaFin expects clear delineation. The unregulated business must not compromise the compliance standards of the regulated one. Separate legal entities are an option but not a requirement. What matters is demonstrating where the boundary between regulated and unregulated activity lies and maintaining the controls to enforce it.
