Financial Services Compliance in Germany (2024)

Use theLexology Getting The Deal Throughtool to compare the answers in this article with those from other jurisdictions.

Regulatory framework

Regulatory authorities

What national authorities regulate the provision of financial products and services?

In Germany, the provision of financial services is generally supervised by the German Federal Financial Supervisory Authority (BaFin), which is the competent authority for banking supervision, insurance supervision and the supervision of securities tradings (including asset management). BaFin was founded in 2002 as a single supervisory authority for the financial markets where supervision had previously been provided by three different authorities (banking supervision by the Federal Banking Supervisory Office, securities tradings supervision by the Federal Supervisory Office for Securities Trading and insurance supervision by the Federal Insurance Supervisory Office).

In the area of banking supervision in particular, supervision is conducted together with the German Federal Bank (Bundesbank). Both BaFin and Bundesbank are hereafter referred to as the ‘German regulators’.

In addition, some areas of capital markets law are not subject to a federal system of supervision - the supervision of stock exchanges is within the competence of the individual German states and is typically conducted by the respective state minister for economic matters.

Finally, it also needs to be taken into account that within those areas of banking regulation that fall within the remit of the Single Supervisory Mechanism, supervision and regulation is exercised by the European Central Bank, which makes use of a system of joint supervisory teams, which also consists of representatives of BaFin and Bundesbank.

What activities does each national financial services authority regulate?

BaFin supervises credit institutions, financial services providers, payment service providers, insurance companies and asset managers. In addition, BaFin is also the competent authority for the supervision of the trading in securities and hence supervises such aspects as market conduct, market transparency or capital markets publications.

As regards banking supervision, BaFin cooperates and coordinates with Bundesbank in both fields of supervision (ie, prudential and conduct supervision), whereby Bundesbank has a particular focus on ongoing monitoring of solvency and liquidity of German banks, the clarification of facts and the retrieval of information. The details of the cooperation and responsibilities between BaFin and Bundesbank are laid out in ‘Supervision guidelines’ which can be accessed via www.bafin.de/dok/7858060.

In addition, supervision of stock exchanges (including supervision of stock exchange operators and the supervision of access to stock exchanges) is conducted by the competent state authorities, which closely cooperate with BaFin as the competent authority for general market oversight.

What products does each national financial services authority regulate?

As a general rule, the supervision of financial markets in Germany does not follow a product-specific approach. Instead, BaFin serves as the central supervisory authority for all types of regulated financial instruments. However, BaFin operates in three different divisions, competent for the supervision of banking activities (Department BA), Securities trading and Asset Management (Department WA) and Insurance Supervision (Department VA).

Authorisation regime

What is the registration or authorisation regime applicable to financial services firms and authorised individuals associated with those firms? When is registration or authorisation necessary, and how is it effected?

If a firm intends to conduct banking business or to provide financial or payment services in Germany commercially or on a scale that requires commercially organised business operations, it needs to apply for a licence.

These licensing requirements primarily implement the relevant provisions of EU law (in particular, those required under the Capital Requirements Directive, Markets in Financial Instruments Directive, Payment Services Directive or the Alternative Investment Fund Managers Directive to name the most prominent ones), but there may also be specific licensing requirements under German law. For example, commercial lending to either retail or wholesale clients generally requires a banking licence in Germany.

With regard to licensable activities in the area of banking law and securities trading law, section 1 of the German Banking Act (KWG) provides for a comprehensive list of licensable activities that generally trigger licence requirements.

As regards the territorial scope of licensing requirements, a licence is required if such services are provided ‘in Germany’. According to established German supervisory practice, the application of this concept is traditionally rather wide, and as such, a licence requirement is already triggered if a non-German firm is actively targeting the German market to solicit German clients. However, there are exemptions to this concept; in other words, there are privileges for the servicing of existing client relationships or for situations where the relevant services have been requested by a German client (reverse solicitation).

If, however, a licence is required, the authorisation process is complex and requires a substantial amount of time, because a number of required documents have to be drafted and submitted to the regulatory authorities. The applicable framework for the authorisation process is laid out in the German Banking Act. The process is also influenced by the relevant statements of European Supervisory authorities such as, for example, the European Banking Authority (EBA) or the European Securities and Markets Authority (ESMA) on licensing procedures. In the area of banking supervision, the general criteria that are assessed during an authorisation process are, among others, as follows:

• senior managers and other legal representatives have to be trustworthy and have to have the professional qualifications required to manage the institution. In addition, the senior managers have to be able to devote sufficient time to their tasks;
• senior managers must not be in breach of the requirements, in particular concerning management board members laid down in the KWG;
• the relevant entity must meet the minimum own funds requirements and also needs to comply with the applicable requirements regarding regulatory capital (which require firms to hold sufficient regulatory capital to cover the risks resulting from the firm’s business model); and
• the relevant entity must have in place the organisational arrangements necessary for the proper operation of the business for which it is seeking authorisation.

In addition to these authorisation requirements, which apply to individuals or legal entities providing licensable activities in Germany, regulated entities are also required to provide BaFin with information of individuals holding certain functions, such as members of the management board or supervisory board, individuals providing investment advisory services or the compliance officer of a regulated entity.

Legislation

What statute or other legal basis is the source of each regulatory authority’s jurisdiction?

The main legal basis of (both of) the German regulators for banking and securities trading law are:

• the KWG, mainly relating to licensing requirements and the licensing procedure, governance and own-fund requirements of institutions under German law;
• the German Securities Trading Act (WpHG), mainly relating to requirements for investment services firms when dealing with clients and transposing most of the requirements under Directive 2014/65/EU on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (MiFID II); and
• several ordinances by the German government and circulars and acts by BaFin specifying the requirements under the KWG and the WpHG, in particular:
• Minimum Requirements for Risk Management (MaRisk; 27 October 2017 version);
• Minimum Requirements for the Compliance Function and Additional Requirements Governing Rules of Conduct, Organisation and Transparency (MaComp; 8 March 2017 version); and
• German Investment Services Conduct of Business and Organisation Regulation.

What principal laws and financial service authority rules apply to the activities of financial services firms and their associated persons?

See question 5.

Scope of regulation

What are the main areas of regulation for each type of regulated financial services provider and product?

The scope of regulatory oversight that is set out by the relevant statutes is far-reaching and covers structural requirements as well as rules of conduct for individual entities, but also general market supervision.

In this respect, the German regulators constantly monitor relevant activities and will prevent (or sanction) service providers that do not hold the required authorisation from engaging in licensable activities. With regard to the supervision of licensed entities, such entities are under a statutory obligation to constantly monitor and self-assess their compliance with regulatory requirements. The relevant statutes and ordinances set out a system of reporting obligations that generally require regulated entities to notify the German regulators of potential and actual deficits. For example, a German bank is under a statutory obligation to permanently maintain sufficient means to comply with the required capital and liquidity ratios. The relevant bank is required to report these ratios on a regular basis but would also be required to make ad hoc notifications to the German regulators in case of a material shortfall. Obviously, the obligation to comply with regulatory requirements also covers compliance with organisational requirements and rules of conduct.

In the area of general market supervision, BaFin is also competent for product intervention measures and therefore also conducts research on general market trends with statutory powers to issue general orders that need to be observed by all market participants. The most recent example for such intervention powers are a general decree on the regulation of contracts for difference that was issued by BaFin in 2017.

Additional requirements

What additional requirements apply to financial services firms and authorised persons, such as those imposed by self-regulatory bodies, designated professional bodies or other financial services organisations?

Further to the primary statutory obligations that need to be observed by financial services firms and authorised persons, there is also a complex system of administrative guidelines issued by the German regulators, which further define the rules set out in the respective statutory measures. The most prominent example for such guidelines are the minimum requirements for risk management (MaRisk), which form a comprehensive framework for banks’ and financial services firms’ own internal risk management and organisation.

In addition, regulated entities are typically also required to comply with specific rules set out by industry groups or the relevant deposit protection that a bank belongs to. Typically, these rules may include further defining characteristics on the existing statutory requirements, but must not violate the mandatory provisions set up by statute.

Finally, there are areas where German regulators closely cooperate with industry groups to define industry standards. For example, the standard terms of business for asset managers that have been pre-­discussed between BaFin and the Bundesverband Investment and Asset Management e.V. are widely used.

Enforcement

Investigatory powers

What powers do national financial services authorities have to examine and investigate compliance? What enforcement powers do they have for compliance breaches? How is compliance examined and enforced in practice?

The KWG provides for a set of administrative measures that may be used to monitor compliance with regulatory provisions.

Most importantly, regulated institutions are required to constantly self-monitor compliance and report specific situations to the regulators. In this respect, section 24 of the KWG provides for a catalogue of issues that need to be reported on an annual basis, as well as certain aspects that a regulated institution must immediately report to BaFin. Examples include changes to management, losses above a certain threshold or changes to the capital ratio. In addition, there is a sophisticated system of regulatory reporting under which institutions need to provide data on an ongoing basis, which enables the German regulators to assess solvency in the financial sector.

In addition, banks and financial services providers are required to commission an annual audit, which also includes an audit on compliance with regulatory obligations. The relevant audit reports that need to be produced to the German regulators are an important source of information in addition to supervisory dialogues that are conducted with each regulated entity on a regular (typically, at least annual) basis.

Further, section 44 of the KWG grants BaFin far-reaching investigative powers by giving BaFin the right to order special audits. According to section 44(1) KWG, any regulated institution as well as the managers and employees of such institution are obliged to provide BaFin or anybody appointed by BaFin with any business information that BaFin requires to perform its supervisory duties. In addition, BaFin may at any time - even without any specific reasons or indications of regulatory wrongdoing - order inspections on the premises of a regulated institution. If a regulated institution has outsourced certain activities to third parties, the German outsourcing regime as stipulated in the MaRisk requires that the outsourcing agreement provides for equal inspection rights for the German regulatory authorities at the premises of the service provider with respect to information relating to the outsourcing. This power to conduct regulatory investigations is widely used in a number of different ways, ranging from short written requests for information to the commissioning of external audit firms to conduct lengthy and complex special audits on specific questions (these need to be paid for by the institution itself).

If BaFin comes to the conclusion that a certain action or behaviour, including compliance breaches, requires regulatory intervention, BaFin may order the appropriate measures. In this regard, section 6(3) of the KWG grants BaFin the general power to issue orders to institutions and their senior managers that are appropriate and necessary to prevent or stop violations of regulatory provisions or to prevent or overcome undesirable developments at an institution that could endanger the safety of the assets entrusted to the institution or impair the proper conduct of its banking business or provision of financial services.

Disciplinary powers

What are the powers of national financial services authorities to discipline or punish infractions? Which other bodies are responsible for criminal enforcement relating to compliance violations?

A bank or financial services firm authorised under the KWG is required to have in place a proper business organisation complying with the legal requirements to be observed by it, and with business needs. This requirement comprises appropriate and effective risk management, including a suitable and effective compliance function. If there is a violation of the requirement to establish and maintain a proper business organisation, BaFin can, inter alia, take the following measures:

• it can issue general orders to institutions and their senior managers that are appropriate and necessary to prevent or stop violations of regulatory provisions. Non-compliance with such binding order may result in a criminal liability of the senior managers, provided that the relevant deficits in the entity’s organisation result in the institution failing or becoming likely to fail;
• it can impose administrative fines on the institution;
• it can impose additional own-fund requirements;
• in exceptional circ*mstances, it can order the dismissal of senior managers; and
• it can ultimately revoke the financial services firm’s licence.

As instrument of prevention, BaFin may also publish the imposed sanctions and fines on its website (naming and shaming).

The scope of criminal sanctions with regard to violations of regulatory provisions is generally limited to severe cases, such as market abuse, insider trading or conducting banking business without a licence, but should typically not apply in case of negligence regarding compliance issues. In this respect, it should also be noted that German law generally does not provide for a criminal responsibility of legal entities; instead, only individuals may be subject to criminal sanctions. However, the German legal system nevertheless allows administrative fines to be imposed on legal entities in case of criminal offences committed by the employees of such entity, for example, senior management. In any event, criminal proceedings are initiated and conducted by the public prosecutor’s office, which will closely cooperate with BaFin.

Tribunals

What tribunals adjudicate criminal and civil financial services infractions?

As mentioned above, German law does not provide for a criminal responsibility of legal entities. If there is, however, indication that an individual (for example, a senior manager or an employee of a regulated institution) has engaged in criminal behaviour, this will be investigated by the office of the public prosecutor who will typically closely cooperate with BaFin during the investigation. If the public prosecutor comes to the conclusion that there is sufficient evidence that a crime has been committed, charges will be filed against the accused individuals before the competent criminal court at the location where the alleged crime was committed. Depending on the severity of the alleged crime, this will be brought before district courts or local courts.

As regards the responsibility of the regulated entity, court proceedings resulting from administrative fines imposed against financial services firms are usually adjudicated by the criminal courts (district courts).

In parallel, any individual such as, for example, a client, that takes the view that a misdemeanour has harmed their legal position can bring forward civil litigation before the competent private law court (eg, in order to seek compensation for damages caused by the wrongful behaviour of the financial services firm or employees).

Penalties

What are typical sanctions imposed against firms and individuals for violations? Are settlements common?

As already outlined in question 10, there is a set of different measures that BaFin can impose on an organisation that is in breach of regulatory provisions. In this context, administrative fines are not uncommon. Particularly with regard to breaches of anti-money laundering provisions or breaches of market transparency rules, BaFin takes a strict approach to sanctioning breaches of regulatory provisions and regularly issues fines. Although the KWG and the WpHG provide for a wide scope of potential fines, each decision depends on a case-by-case assessment and is subject to regulatory discretion. BaFin has not made use of its full powers so far; however, German law does give BaFin the power to fine a legal entity that is in breach of provisions of the KWG, with - depending on the specific breached provision - a fine of up to €20 million, or 10 per cent of the annual turnover of the relevant entity. Violation of provisions required under the WpHG may incur a fine of up to €15 million, or 15 per cent of the annual turnover of the entity. In addition, BaFin may also impose a fine based on the economic profit deriving from the relevant offence, which may be even more severe than the actual fine. The economic benefit comprises the profits made and losses avoided, both of which can be estimated.

Compliance programmes

Programme requirements

What requirements exist concerning the nature and content of compliance and supervisory programmes for each type of regulated entity?

In general, German law is not prescriptive with regard to the nature and content of compliance programmes; however, the KWG and the WpHG require regulated entities to implement appropriate measures to ensure sufficient compliance standards and to generally have a specified compliance function. This is also required for securities trading firms under article 22(2) of the Delegated Regulation (EU) 2017/565, which is directly applicable in Germany.

As regards the compliance function of German regulated institutions, the MaRisk requires any institution to ensure that it adheres to statutory, regulatory and other legal requirements. According to BaFin, this does not mean, however, that all legal areas must be scrutinised to the same extent by separate organisational functions or units; instead, it is customary to only assign certain legal areas, namely those that relate to special compliance-related risks, to a compliance function. From BaFin’s point of view, these necessarily include investment services, money laundering, prevention of (internal and external) fraudulent conduct, data protection and general consumer protection. Moreover, institutions are responsible, in accordance with MaRisk, for examining which areas present additional special compliance risks that are to be handled by the compliance function.

In addition, the MaComp contains more specific requirements for the compliance function of investment services undertakings, in particular on their structural and operational arrangements. In addition, MaComp specifies the tasks of the compliance function and sets out monitoring and organisational requirements as well as reporting obligations and individual requirements (in particular as regards the trustworthiness and competences of the compliance-function).

Gatekeepers

How important are gatekeepers in the regulatory structure?

See question 13.

Directors' duties and liability

What are the duties of directors, and what standard of care applies to the boards of directors of financial services firms?

Managing directors of a German regulated institution are jointly responsible for the proper business organisation and its further development, irrespective of the internal allocation of responsibilities. This particularly covers all material elements of risk management. In addition to the overall responsibility of the managing directors, the managing directors are responsible for the establishment of appropriate control and monitoring processes in their respective area of competence. According to BaFin, managing directors can fulfil this responsibility only if they are able to assess risks and take the necessary measures to limit them.

In particular, the managing directors have the duty to:

• establish a business strategy;
• gain an overview of the risks faced by the institution in the context of a risk inventory (overall risk profile), regularly and on an ad hoc basis;
• implement a risk strategy;
• set up a strategy process that includes, in particular, the steps for planning, implementing, assessing and adjusting the strategies;
• approve audit planning as well as any material modifications thereto; and
• provide the supervisory board at least once a year with concise information on the serious findings identified by the internal audit function.

When are directors typically held individually accountable for the activities of financial services firms?

Senior managers can be individually subject to criminal or administrative sanctions for various reasons. The senior management of an institution can be held liable for criminal or administrative offences, if the relevant manager itself commits a crime or offence and the manager is the factual leader of the offence or crime. A manager can be considered a factual leader, for example, if the offence or crime:

• is ordered by the manager;
• is the direct consequence of a policy of the manager; or
• is committed and the manager, although he or she knows or should know about the breach of law, does not prevent the crime or offence from happening, while he or she had the power to do so.

In addition, as described under question 15, senior managers are ultimately responsible for the proper business organisation of the regulated entity as such. Therefore, they might face administrative sanctions for breaches of personal legal obligations.

If senior managers are liable to prosecution, they might face civil claims for compensation of damages by their company.

Private rights of action

Do private rights of action apply to violations of national financial services authority rules and regulations?

Generally, the violation of national financial services authority rules and regulations does not result in private rights of action, as these provisions only serve public purposes and thus an individual cannot assert a claim because of a violation of such provisions. In exceptional cases, where a regulatory law provision also serves to protect individual rights, an individual may assert a claim against the regulated institution.

Standard of care for customers

What is the standard of care that applies to each type of financial services firm and authorised person when dealing with retail customers?

As regards the required standard of care to be observed when providing financial services to German clients, German law generally does not differentiate between wholesale and retail clients.

Does the standard of care differ based on the sophistication of the customer or counterparty?

Generally, regulated entities must apply due care when interacting with any counterparty. However, the applicable rules as set out in the WpHG that implement the requirements set out by MiFID II on the provision of financial services, provide for different treatment of professional clients, eligible counterparties and retail clients. Hence, it is of utmost importance that financial services providers classify their clients correctly.

Rule making

How are rules that affect the financial services industry adopted? Is there a consultation process?

Laws affecting the financial services industry are usually subject to a consultation process. In the course of the consultation process, the first draft of the respective act is usually published by the German government and then consulted and amended before it is finally adopted by the German parliament. Some laws are also directly adopted by the German government, but these laws are usually also subject to a consultation process.

The same generally holds true for regulatory decrees that are published by BaFin. Before adopting a new circular (such as, for example, MaRisk or MaComp), BaFin typically initiates a consultation process and publishes a draft of the circular that is consulted and then results in new final guidance. During the consultation process, industry groups as well as other market participants may comment on the envisaged rules to be adopted and bring forward any concerns or suggestions that may exist. Such consultation plays an important role in the rulemaking of the German regulators, and it is not uncommon that provisions may be materially changed as a result of the feedback received.

Cross-border issues

Cross-border regulation

How do national financial services authorities approach cross-border issues?

As mentioned in question 4, BaFin takes a rather strict view on the provision of licensable activities in Germany and to clients based in Germany. According to established German supervisory practice, the application of this concept is traditionally rather wide, and as such, a licence requirement is already triggered if a non-German firm is actively targeting the German market to solicit German clients. However, there are exemptions to this concept; in other words, there are privileges for the servicing of existing client relationships or for situations where the relevant services have been requested by a German client (reverse solicitation).

In addition, non-German entities that have their registered seat in the EU or EAA may benefit from passporting arrangements in accordance with the freedom to provide services under MiFID II and Directive 2013/36/EU on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms (CRD IV) - European Passport or EU Passport. Passported entities can offer services covered by their EU Passport in another EU or EEA state either through a branch, or by providing the services within the territory of the other EU or EEA state from a place of business in Germany (cross-border). The EU Passport is restricted to specific products and services as applied for.

International standards

What role does international standard setting play in the rules and standards implemented in your jurisdiction?

The implementation of international standards, such as Directives or Delegated Directives, into national German law follow the same principle as under question 20. This means that upon adoption of a EU act by the relevant EU legislator, the German legislator is obliged to implement the provision into its national acts within a certain time period.

However, in addition, interpretations of provisions, specific circ*mstances or questions by ESMA (eg, MiFID Q&A) or EBA are reflected and considered by BaFin and the German regulatory industry. Further, BaFin might amend its guidance notes or circulars in light of updated international standards.