GERMANY Law and Practice Contributed by: Stephan D. Meyer, Lars Fidan, Elisa Otto and Christian Meisser, LEXR
12. Fraud

12.1 Elements of Fraud

Fraud in the German financial services context plays out across three dimensions that can hit simultaneously.

• On the criminal side, both traditional fraud through deception and computer fraud through manipulation of digital systems are prosecuted. The latter is increasingly relevant as fintech products are inherently software-driven and therefore exposed to digital manipulation vectors that did not exist in traditional banking.
• On the regulatory side, BaFin pursues unauthorised financial services, market manipulation and misleading marketing. MiCA has extended these enforcement powers to crypto-asset markets, where insider dealing and price manipulation are now explicitly prohibited and actively monitored.
• On the civil side, customers and counterparties can bring claims for mis-selling, deceptive practices, and misrepresentation under general civil and competition law.

The critical point for fintech companies is that these layers are not alternatives. A single incident, such as a data breach exploited for unauthorised transactions, can trigger a criminal investigation, a BaFin enforcement proceeding and civil litigation at the same time. Building fraud prevention into the product architecture rather than bolting it on as a compliance function is the most effective way to manage this multi-dimensional exposure.

12.2 Areas of Regulatory Focus

Three areas dominate BaFin’s fraud focus.

• Authorised push-payment fraud – social engineering attacks are becoming more sophisticated, increasingly aided by AI, and BaFin views the current liability framework as insufficient. PSD3/PSR will introduce mandatory payee verification and shift more responsibility onto providers who fail to prevent these attacks.
• Unlicensed crypto offerings – BaFin uses its name-and-warn powers aggressively, publicly identifying suspect operators before formal proceedings conclude. The reputational damage alone can be fatal for a business.
• AML failures at fast-growing fintechs – several neobanks and payment institutions have faced enforcement action for scaling their customer base faster than their compliance infrastructure. BaFin has made clear that this pattern will not be tolerated.

The expectation is proactive prevention. Firms that build detection and response into their operations are better positioned than those that wait for the regulator to identify the problem.

12.3 Responsibility for Losses

Liability depends on the service type. Payment service providers under the ZAG bear liability for unauthorised transactions, with a customer co-payment of up to EUR50 for lost or stolen payment instruments (unless the customer acted with gross negligence). For authorised push-payment fraud, the current framework places limited liability on the provider, though PSD3/PSR will expand provider obligations.

Investment firms under MiFID II face liability for breaches of best execution, suitability requirements or conflicts of interest management. CASPs under MiCA face liability for operational failures, custody breaches or failure to protect client assets. General civil liability under the BGB applies across all service types.

The direction of travel is clear: PSD3/PSR will shift the balance further toward provider responsibility, especially where adequate fraud-prevention measures were not in place. Building robust prevention systems is no longer just good practice – it directly reduces legal exposure.