1 Legal framework

1.1 Which legislative and regulatory provisions govern the banking sector in your jurisdiction?

As Germany is an EU member state, the regulatory framework is in many instances based on EU regulations and directives. Regulation (EU) 575/2013 (last amended by EU Regulation 2021/558 and EU Regulation 2021/1043) on prudential requirements for credit institutions and investment firms ('Capital Requirements Regulation' (CRR)) is particularly important. It sets out the rules for calculating capital requirements, reporting and general obligations for liquidity requirements. Further, the Capital Requirements Directive IV (2013/36/EU) (CRD IV, last amended by EU Directive 2021/338) sets out stronger prudential requirements for banks, requiring them to:

  • keep sufficient liquidity and capital reserves; and
  • avoid insufficient capital reserves and insufficient short and long-term liquidity.

Additionally, the European Union has actively contributed to developing the Basel Committee on Banking Supervision standards at the Bank for International Settlements on capital, liquidity and leverage. It aims to ensure that major European banking specificities and issues are appropriately addressed. In 2020, the European Commission conducted a rapid review of the CRR and introduced targeted changes to facilitate bank lending in the context of the COVID-19 crisis. The commission intends to present a regulatory framework for bank capital requirements in CRD and CRR to complete the Basel III finalisation. Originally planned for 2020, the plans were postponed to 2021 in response to the COVID-19 pandemic and applied from 28 June 2021.

The German laws covering the banking sector are, in particular:

  • the Banking Act, which sets out the requirements and duties of credit institutions and financial services institutions;
  • the Payment Services Oversight Act, which covers the supervision of payment services and implements the EU Payment Services Directive into German law;
  • the Supervision of Financial Conglomerates Act;
  • the laws covering savings banks;
  • the Cooperative Societies Act;
  • the Deposit Guarantee Act;
  • the Electronic Securities Act;
  • the Investor Protection Act;
  • the Capital Investment Code, which covers the provision of investment services and implements the Undertakings for Collective Investment in Transferable Securities Directive (2014/91/EU), as well as the Alternative Investment Fund Managers Directive (2011/61/EU);
  • the Money Laundering Act;
  • the Credit Institution Reorganisation Act;
  • the Recovery and Resolution Act;
  • the Securities Trading Act; and
  • laws covering specialised institutions, such as mortgage banks and building societies.

Ancillary laws and regulations also accompany these statutes, most of which deal with specific regulatory aspects (ie, the Regulation Governing Large Exposures and the Solvency Regulation).

1.2 Which bilateral and multilateral instruments on banking have effect in your jurisdiction? How is regulatory cooperation and consolidated supervision assured?

The EU Single Supervisory Mechanism (SSM) set out in Regulation (EU) 1024/2013 was set up as the first pillar of the European banking union, alongside the Single Resolution Mechanism (SRM) and the European Deposit Insurance Scheme. The three pillars rest on the foundation of a single rulebook, which applies to all EU countries. The European banking supervision mechanism aims to contribute to the safety and soundness of credit institutions and to the stability of the EU financial system by ensuring that banking supervision across the European Union is of a high standard and is consistently applied to all banks. While retaining ultimate responsibility, the European Central Bank (ECB) carries out its supervisory tasks within the SSM, comprising the ECB and national competent authorities (NCAs) – in Germany, the Federal Financial Supervisory Authority (BaFin). This structure provides for strong and consistent supervision of all relevant entities across the Euro area, while making the best use of the local and specific expertise of the national supervisor. Within the SSM, composed of the ECB and NCAs, the ECB carries out its supervisory tasks. The ECB is responsible for the effective and consistent functioning of the SSM, with a view to carrying out effective banking supervision and contributing to the safety and integrity of the banking system and the stability of the financial system.

1.3 Which bodies are responsible for enforcing the applicable laws and regulations? What powers (including sanctions) do they have?

German banks are supervised under the SSM by the ECB and BaFin, or both; and by the Deutsche Bundesbank. The responsibility of either the ECB or BaFin depends on the allocation of competencies set out in the SSM. The ECB is competent to supervise all German credit institutions with respect to licensing and assessment of notifications of acquisitions and disposals of qualifying holdings in such credit institutions. Additionally, the ECB is competent for the supervision of credit institutions that are deemed 'significant', where:

  • a credit institution has a total asset value of more than €30 billion;
  • total assets exceed €5 billion and the ratio of total assets to German gross domestic product exceeds 20%;
  • BaFin and the ECB mutually decide that the credit institution should be deemed significant;
  • the ECB decides that a credit institution with subsidiaries in Germany and other EU member state(s), and whose cross-border assets or liabilities represent a significant part of its total assets or liabilities, should be deemed significant; or
  • a credit institution has requested or received financial assistance directly from the European Financial Stability Facility or the European Stability Mechanism (ESM).

As at 1 January 2022, the ECB directly supervises 115 'significant' institutions and banking groups in the European Union (including 22 German institutions and banking groups), and supervises member states' regulatory authorities, which directly supervise less significant institutions and banking groups. BaFin supervises banking, financial service institutions and insurance companies, and remains the authority responsible for dealing with anti-money laundering law and the supervision of payment services providers.

The Deutsche Bundesbank is responsible for receiving and analysing data submitted by the banks. It cooperates closely with BaFin and the ECB with regard to banking supervision. If a problem occurs, the Deutsche Bundesbank will promptly involve BaFin. The ECB, BaFin and the Bundesbank cooperate closely, sharing observations and findings necessary for the performance of their respective tasks. In their internal relationship, the ECB or BaFin takes the final decision about whether supervisory measures must be taken or how to construe the law.

Because of the comprehensive responsibility that BaFin has for the banking, insurance, payment and securities sectors, there are no other supervisory authorities besides the Deutsche Bundesbank in Germany that are specifically relevant to the financial services industry, although the German Deposit Protection Fund has a special role. Banks are subject to enhanced audit requirements and external auditors assess compliance of annual accounts with accounting principles, as well as the bank's compliance with its regulatory obligations. The annual audit report is a very important tool for BaFin in exercising its supervisory duties. It is common for the managers of a bank to be invited to a meeting with BaFin to discuss the report annually. Where the audit report identifies any deficiencies or there is any other reason for BaFin to believe that a bank is not fully compliant, BaFin can order a special audit by the Deutsche Bundesbank or an auditing firm.

Ultimately, BaFin can take various supervisory measures under the Banking Act. The most common measures are preventative in nature and may include a request for information, the submission of documents and the ordering of (ad hoc) audits. However, if a bank is conducting unauthorised business, BaFin can conduct inspections, prohibit the continuation of such business and order the liquidation of the existing business. BaFin may also impose administrative fines aimed at warning parties to comply with their statutory obligations. It can further issue warnings against managers and demand their dismissal if they do not have adequate professional qualifications or are considered unreliable.

1.4 What are the current priorities of regulators and how does the regulator engage with the banking sector?

The cooperation between BaFin and the Deutsche Bundesbank in terms of ongoing supervision of institutions is regulated by Section 7 of the Banking Act. This states that the Bundesbank is responsible for the vast majority of operational banking supervision and has an important part to play in crisis management – for example:

  • evaluating the documentation, audit reports and annual financial statements submitted by financial institutions; and
  • conducting evaluating on-site inspections.

Additionally, BaFin's guidelines on ongoing supervision are issued in agreement with the Deutsche Bundesbank pursuant to Section 7(2) of the Banking Act (as amended by Article 5 on 3 June 2021). The guidelines aim to produce harmonised and high-quality banking supervision and ensure the transparent and unambiguous division of tasks.

The UK Brexit referendum result of June 2016 had significant implications for the financial sector in Germany. Supervised credit institutions and financial services institutions that are located in the United Kingdom are no longer able to conduct regulated business in the European Union or with European Economic Area (EEA) member states. Specifically, such institutions can no longer rely on the European passport regime, which enabled them to conduct business on a cross-border basis without any other local national licences. If they wish to continue conducting such business, they need to consider relocating from the United Kingdom to an EU or EEA state.

2 Form and structure

2.1 What types of banks are typically found in your jurisdiction?

German banks and financial institutions are permitted to conduct all types of banking activities described in Section 1 of the Banking Act, if respectively licensed. Universal banks in Germany can be divided into three main types of institutions:

  • commercial banks;
  • public sector banks belonging to the savings bank sector; and
  • cooperative banks.

Commercial banks: Commercial banks are part of the private sector and can be further sub-divided into:

  • large nationwide (major) banks;
  • regional banks; and
  • other financial institutions, including the branch offices of foreign banks.

Commercial banks are corporations and mostly operate as universal banks. Other than their legal form and business aims, the principal difference in the types of universal banks is the number of legally independent institutions they have and the number of branch office locations.

In terms of total assets, the four major German commercial banks (Deutsche Bank AG, Commerzbank AG, UniCredit Bank and ING Bank) account for nearly 65%. This reflects their particular importance. Commercial banks are mainly privately owned and private shareholder representatives are members of the supervisory board. There are three large universal banks in Germany: Deutsche Bank AG, Commerzbank AG and HypoVereinsbank, which is owned and controlled by its Italian parent, UniCredit. In addition, there are a number of specialised institutions:

  • mortgage banks, which primarily focus on real estate finance;
  • auto and other consumer finance banks, which also compete for deposits;
  • securities banks, which have an emphasis on brokerage and custody;
  • subsidiaries and branches of foreign banking groups, with diverse business focuses; and
  • private banks with a concentration on asset management.

Cooperative banks: Cooperative banks are cooperative societies that carry out all types of banking and related services (eg, Berliner Volksbank eG, Sparda Bank Hamburg eG). A cooperative society is one in which the number of members is not fixed and which serves to promote the business or economic interests of its members through jointly owned business operations. Cooperative banks have become less member-centric, as they are now permitted to establish business relations with non-members. Since the repeal of the identity principle for lending transactions, they no longer have to restrict themselves to business with members, so they now differ very little from other universal banks. Still, in accordance with the Cooperative Societies Act, which applies to all German cooperative banks, they must promote the interests of their members. In contrast to commercial banks, maximising profits is not their highest priority. Cooperative banks have a different governance structure. The equity holders have equal voting rights independent from their equity share. As of December 2021, there were 770 cooperative banks, with combined assets exceeding €1.145 billion and a market share of roughly 13%. To overcome any disadvantage of a fragmented structure, the cooperative banks founded two cooperative central banks, DZ Bank and WGZ Bank, which merged in 2016. Following the merger, the cooperative sector has one large financial head institution, DZ Bank in Frankfurt, which provides services to its constituent institutions.

State-owned banks: The German banking sector also includes several large state-owned banks. The state banks (Landesbanken) are central institutions of the Savings Banks Finance Group (Sparkassen-Finanzgruppe). Following the privatisation of HSH Nordbank (renamed Hamburg Commercial Bank), which was completed in early 2019, only the much smaller SaarLB remained in the Landesbank sector, in addition to the four larger institutions: Landesbank Baden-Württemberg, Bayerische Landesbank, Landesbank Hessen-Thüringen and Norddeutsche Landesbank. This part of the German banking market has thus been reduced to five institutions.

In addition to the Landesbanken, there are several special purpose banks (eg, Deka Bank Deutsche Girozentrale, Kreditanstalt für Wiederaufbau and Landwirtschaftliche Rentenbank) that are directly or indirectly owned by the federal or state governments (with some exemptions).

Further, the public bank sector is characterised by around 376 savings banks (Sparkassen), which in most cases are owned by local municipalities or their countries. Savings banks are committed by their municipal ownership to serving their local region. Profits not needed to further strengthen their capital bases are used for the benefit of society. Rather than focusing on financial figures, savings banks concentrate on benefiting the welfare of the people and businesses in the areas they serve. Accordingly, the business policy of the savings banks focuses on sustainable economic growth and social development in their regions. For this reason, the business of the savings banks revolves around transactions centred on the real economy, instead of international financial markets. This commitment to the community does not mean that savings banks must forgo making a profit. Making a profit is not their main goal, but rather a means of fulfilling their public mandate. Savings banks do not engage in international banking business. They play an important role in offering banking services to Germany's population outside the larger cities, where private commercial banks are not keen to set up local branches.

2.2 How are these banks typically structured?

Banks are organised as either public-owned banks or cooperative banks, or are corporations or partnerships. The most common private law legal forms for a bank or financial institution are stock corporations (Aktiengesellschaft (AGs)) and limited liability companies (Gesellschaft mit beschränkter Haftung (GmbHs)). The most significant difference between an AG and a GmbH is the internal governance structure. An AG has a largely independent management board, appointed by the supervisory board. The shareholders elect the supervisory board. Managing the day-to-day business of an AG is the exclusive duty of the management board. Neither the supervisory board nor the shareholders can give directions to the management board. However, the supervisory board can issue guidelines under which extraordinary transactions require its prior consent. Co-determination – that is, representation of employees on the supervisory board – is mandatory once an institution has more than 500 employees. In contrast, in a GmbH, the managers generally must follow shareholder directions. This makes the GmbH a more suitable instrument for a banking subsidiary of a larger group.

Some smaller private banks are limited partnerships or even general partnerships.

2.3 Are there any restrictions on foreign ownership of banks?

German law requires any person intending to acquire a qualifying holding in a bank or financial institution to notify the Federal Financial Supervisory Authority (BaFin) and the Deutsche Bundesbank. A 'qualifying holding' is a direct or indirect holding in an undertaking that represents 10% or more of the capital or of the voting rights, or which makes it possible to exercise significant influence over the undertaking's management.

If the notification relates to a participation in a credit institution within the meaning of the Capital Requirements Regulation, BaFin itself does not decide on the intended acquisition, but instead prepares a draft decision and submits this draft to the European Central Bank (ECB), which makes the final decision. To implement standardised procedures for cooperation between the ECB and other national regulators, a central unit within BaFin was set up. Related amendments to the Ownership Control Regulation are expected.

Overall, there are no general restrictions and the ECB cannot refuse the acquisition of a qualifying holding in a German bank on the basis of the prospective acquirer's nationality. Acquisitions from some jurisdictions may be more difficult, particularly from countries where BaFin or the ECB has no established contacts with regulators/supervisory authorities. Prospective acquirers from jurisdictions that have a reputation for money laundering or tax avoidance may also find it difficult to obtain ECB approval. Under certain circumstances, BaFin or the ECB may object to the intended acquisition of a qualifying holding. This includes the assumption that:

  • the acquirer is not trustworthy;
  • the institution will not remain able to meet the requirements of supervision; or
  • a future managing director is not reliable or qualified.

2.4 Can banks with a foreign headquarters operate in your jurisdiction on the basis of their foreign licence?

Banks that are headquartered and licensed in the European Economic Area (EAA) can conduct regulated banking business in Germany without a German banking licence under the EU notification procedure, through a branch or on a cross-border basis.

Other foreign banks can either:

  • conduct banking business in Germany through a branch (which is, however, subject to the full licensing requirements); or
  • apply to BaFin for an exemption from the licensing requirements to provide cross-border services, provided that the bank is effectively supervised in its home country under internationally recognised standards.

3 Authorisation

3.1 What licences are required to provide banking services in your jurisdiction? What activities do they cover?

Generally, the European Central Bank (ECB) and the Federal Financial Supervisory Authority (BaFin) are responsible for banking licence applications. BaFin also supervises financial services and payment services that are not included in the definition of 'standard banking transactions'. As the risk to financial stability and consumer protection varies depending on the specific type of activity that is subject to supervision, BaFin banking licence requirements differ accordingly. Of importance are:

  • reliable management;
  • a sound business plan; and
  • compliance with anti-money laundering regulations and activity-specific compliance rules.

When the statutory requirements for the issuance of a German banking licence are met, the applicant has a legally enforceable right to be issued that licence. In this context, it will be up to BaFin to decide whether the details provided are sufficient to issue a licence under supervisory law. Where complex or innovative business models are concerned, many queries or clarifications may be necessary. Consequently, a great deal of care and accuracy should be applied when drafting the licence application, to avoid a lengthy procedure and ensure that the licence is received as quickly as possible. The banking licence, once granted, is a public law permit and belongs to the institution itself, and is not transferable as if it were a civil law right. In particular, a banking licence does not transfer to the surviving body in a merger by way of universal succession.

Any company that commences an activity requiring a licence without holding one takes a great risk. Such a company faces fines and even prosecution by the public prosecutor. Even if the infringement is due to negligence, prison sentences of up to three years can be imposed on the management. In addition, the company's business may be restricted or prohibited by formal decision of BaFin.

Since payment services have become subject to different rules following implementation of the EU Payment Services Directives, it has become more common to license specialised payment institutions. A universal bank with a comprehensive licence is also allowed to perform payment services as an ancillary business.

3.2 What requirements must be satisfied to obtain a licence?

Anyone wishing to conduct banking business in Germany requires a written permit from BaFin (Sections 32 and 33 of the Banking Act) (Section 32 and 33 as amended in 2020 and 2021, in particular in Section 33(1), sentence 1 No 1a-f regarding requested capital from €730,000 to €750,000).

To do so, certain requirements must be met. Some examples are outlined below:

  • When a new institution is created, a minimum initial capital must be proven, depending on the type of business that is intended. In the case of securities trading banks, for example, the required initial capital is at least €750,000; and in the case of deposit-taking banks, at least €5 million.
  • The institution must have at least two professionally qualified and reliable managers with joint responsibility for the institution. 'Professional suitability' means that the person concerned has acquired sufficient theoretical knowledge and practical experience in his or her previous professional career. 'Sufficient experience' generally means at least three years in a leading position at a bank of similar size and type. BaFin examines the suitability in particular by using information from the Federal Central Register (Gerwerbezentralregister), the Transparency Register (Transparenzregister) and the Commercial Register (Handelsregister).
  • The application must include a three-year business plan, which BaFin and the ECB will carefully review for viability. Since most start-ups show losses in the first year or two, the ECB has published further guidance on how much capital it expects to be paid up in full at the time of authorisation and how much capital must be otherwise available (eg, capital commitments by the founding shareholders). In addition, for the first three years, BaFin will typically ask the ECB to set a minimum regulatory capital standard well above that for more mature institutions.
  • Every person holding a direct or indirect interest of 10% or more in a financial institution is subject to a reliability and financial soundness test. This is not an issue if the shareholder is a bank domiciled and regulated in another country with a reputable bank supervisory system. Things become more difficult if an acquirer or founder of a bank is from, for example, an emerging economy. In this case, BaFin requires a full personal record, with comprehensive information on the source of funds invested in the future German bank.

3.3 What is the procedure for obtaining a licence? How long does this typically take?

Timing and basis of decision: The time from filing the application to receipt of the licence is usually six to 18 months, in addition to the time taken to prepare the application. Where the new bank has a complex business plan or ownership structure – for example, through various holding companies – collecting information about direct and indirect shareholders and their individual directors can significantly extend the overall timeframe.

Cost and duration: The application for a BaFin licence is subject to a fee, the amount of which depends on the type of banking transactions, payment or financial services applied for. In this respect, Sections 14 and 17 of the Financial Services Supervision Act and Section 2(1) of the Cost Ordinance, in conjunction with the attached schedule of fees, are decisive. According to these provisions, the fee for permission to provide financial services such as investment brokerage or financial portfolio management ranges from €5,045 to €10,725.

If the applicant additionally applies for a licence to conduct banking business (eg, a deposit or lending business), the fee ranges from €5,000 to €20,000 and may increase to up to €30,000. In any case, the fees may nonetheless be charged if the applicant withdraws its application for a licence or if BaFin issues a negative decision on the application. In addition to the application fee, legal fees for work incurred by lawyers advising on the application process can range from €75,000 to €150,000 (plus value added tax). While there is no end date for banking licences (and so renewal costs are not applicable), other costs for supervision by BaFin are applicable.

4 Regulatory capital and liquidity

4.1 How are banks typically funded in your jurisdiction?

The funding strategies of German banks have changed substantially as a result of the 2008 financial crash. Conceptually, commercial banks fund their balance sheets in layers, starting with a capital base comprising equity, subordinated debt and hybrids of the two, plus medium and long-term senior debt. The next layer consists of customer deposits, which are assumed to be stable in most circumstances, even though they can be requested with little or no notice. The final funding layer comprises various shorter-term liabilities, such as commercial paper, certificates of deposit, short-term bonds, repurchase agreements, swapped foreign exchange liabilities and wholesale deposits. This layer is managed on a dynamic basis, as its composition and maturity can change rapidly with cash-flow needs and market conditions. This funding structure is usually relatively stable.

The Federal Financial Supervisory Authority (BaFin) and Deutsche Bundesbank continue, on an ongoing basis, to monitor whether German banks have sufficient funds for the risks assumed from balance-sheet assets and off-balance-sheet transactions – for example, from claims, securities, derivatives or equity investments. In addition to default and market risks, operational risks must be backed by their own adequate funds. Institutions must also hold funds for the capital maintenance buffer, the countercyclical capital buffer and, if so ordered, for the capital buffer for systemic risks, the capital buffer for globally systemically important institutions and the capital buffer for institutions with other systemic relevance (Sections 10c to 10i of the Banking Act, as amended on 9 December 2020). BaFin may order this buffer for risks exposures located in Germany or in another non-European Economic Area state. Details regarding the calculation of risks and banks' own funds are set out in the Capital Requirements Regulation (CRR).

4.2 What minimum capital requirements apply to banks in your jurisdiction?

German banks must at all times meet at least:

  • a hard-core capital ratio of 4.5%;
  • a core capital ratio of 6%; and
  • a total capital ratio of 8%.

In addition, BaFin and the ECB check whether liquidity is sufficient – that is, whether the institutions invest their funds in such a way that a sufficient solvency is guaranteed at all times (Section 11 of the Banking Act, as amended on 9 December 2020). As part of the supervisory review process, BaFin also monitors those risks that are not required to be backed by own funds under the CRR (Section 6b of the Banking Act, as amended on 9 December 2020). The core elements of this process are the establishment of adequate risk management systems and their monitoring by the supervisory authority. For example, institutions must set up an internal capital adequacy assessment process, which ensures that they have sufficient internal capital to cover all material risks.

The enforcement of such capital adequacy guidelines falls within the supervisory mandate of the supervisory authorities. This means that BaFin and/or the European Central Bank (ECB) can take measures to improve the institution's own funds and liquidity. Furthermore, in cases of danger (eg, if the discharge of an institution's obligations to its creditors is endangered), the authorities can take temporary measures to avert that danger. In particular, the authorities may issue instructions for the management of the institution's business or prohibit the acceptance of deposits, funds or securities from customers and the granting of loans.

4.3 What legal reserve requirements apply to banks in your jurisdiction?

The ECB requires German credit institutions to hold compulsory deposits on accounts with the Deutsche Bundesbank. These are called 'minimum' or 'required' reserves and the amount to be held by each institution is determined by its reserve base. All banks must hold a capital conservation buffer consisting of first-class capital (hard-core capital) equivalent to 2.5% of their total risk exposure. The buffer is intended to preserve a bank's equity capital.

In order to determine an institution's reserve requirement, the reserve base is multiplied by the reserve ratio. The ECB applies a uniform positive reserve ratio to most of the balance-sheet items included in the reserve base. As noted above, the reserve requirement for each individual institution is calculated by applying the reserve ratio to the reserve base. Institutions must deduct a uniform lump-sum allowance of €100,000 from their reserve requirement. This allowance is designed to reduce the administrative costs arising from managing very small reserve requirements.

In order to meet their reserve requirements, German credit institutions must hold balances on their current accounts with the Deutsche Bundesbank. This means that compliance with minimum reserve requirements is determined on the basis of the average daily balances on the counterparties' reserve accounts over one reserve maintenance period. Data on the amount of required minimum reserves and their fulfilment is published in the statistical section of the Monthly Report of the Deutsche Bundesbank.

5 Supervision of banking groups

5.1 What requirements apply with regard to the supervision of banking groups in your jurisdiction?

The European Central Bank (ECB) and the Federal Financial Supervisory Authority (BaFin) supervise banking groups as well as individual institutions. A group generally falls under the jurisdiction of the ECB or BaFin if the parent undertaking:

  • is a credit institution incorporated in Germany; or
  • is a financial holding company or a mixed financial holding company; and
  • either:
    • both the holding company and the bank subsidiary are incorporated in Germany; or
    • the holding company is incorporated in another EU member state and the German subsidiary is subject to consolidated supervision in accordance with the EU Capital Requirements Directive IV.

Requirements: The most important requirement is that the minimum regulatory capital standards also be maintained at group level. For this purpose, the regulatory capital and risk weighted assets of individual institutions and group members are consolidated. Although each institution in a group may be sufficiently capitalised, consolidation of group capital may produce a regulatory capital gap – in particular, if the group includes entities that are not subject to the same capital adequacy rules as banks on a solo basis, but that incur risks that need to be covered by the owned funds of the consolidated group.

The credit institution at the top of the group or, in the case of a group headed by a financial holding company or a mixed financial holding company, the largest subsidiary credit institution in the group is generally responsible to the supervisory authority for making sure that the group has sufficient regulatory capital.

Similar rules apply to financial conglomerates. These groups include financial institutions and insurance companies.

5.2 How are systemically important banks supervised in your jurisdiction?

Germany is part of the Single Supervisory Mechanism established in all EU member states. Its purpose is to centralise the prudential supervision of banks. In particular, the ECB:

  • directly supervises 111 institutions and banking groups in the European Union that are considered significant on 1 April 2022 (including 21 German institutions and banking groups); and
  • supervises member states' regulatory authorities that directly supervise less significant institutions and banking groups.

In Germany, the day-to-day supervision is conducted by joint supervisory teams, which comprise staff from both BaFin and the ECB. BaFin continues to conduct the direct supervision of less significant institutions – around 3,500 entities – subject to the oversight of the ECB. The ECB can also take on the direct supervision of less significant institutions if this is necessary to ensure the consistent application of high supervisory standards. The ECB is also involved in the supervision of cross-border institutions and groups, either as a home supervisor or a host supervisor in colleges of supervisors. Moreover, the ECB participates in the supplementary supervision of financial conglomerates in relation to the credit institutions included in a conglomerate and assumes the responsibilities of the coordinator referred to in the Financial Conglomerates Directive.

5.3 What is the role of the central bank?

The German national central bank is the Deutsche Bundesbank. In banking supervision, the Deutsche Bundesbank works in close cooperation with BaFin and the ECB. Because of its role in the EU System of Central Banks, the EU system and its participation in the EU payment system TARGET2, it has genuine access to large amounts of data relating to banks. In addition, regular reporting by the financial sector is addressed by the Deutsche Bundesbank, which performs a quantitative analysis of a financial institution's figures. If a problem occurs, the Deutsche Bundesbank will promptly involve BaFin.

6 Activities

6.1 What specific regulations apply to the following banking activities in your jurisdiction: (a) Mortgage lending? (b) Consumer credit? (c) Investment services? and (d) Payment services and e-money?

(a) Mortgage lending

The European Mortgage Credit Directive (MCD) of 4 February 2014 was transposed into German law through the Act Implementing the MCD as at 21 March 2016. To ensure the protection of consumers raising real estate loans, a large number of requirements have been set out across different pieces of legislation – in particular, in the Civil Code and the Introductory Act to the Civil Code. Other changes can also be found in the Business Code, the Payment Services Oversight Act, the Insurance Supervision Act and the Banking Act.

A new Section 18a has been added to the Banking Act, which specifies a large number of obligations that banks must meet when granting consumer real estate loans. They include, in particular, requirements in terms of:

  • (pre-)contractual information obligations;
  • the assessment of creditworthiness;
  • the independence of appraisers from the lending process; and
  • adequate qualifications of bank employees who work in lending.

The Federal Financial Supervisory Authority (BaFin) has set out the requirements for the qualifications and expertise of internal and external employees in dedicated regulations.

The new provisions of the MCD Directive led to uncertainty among credit institutions, especially in relation to the creditworthiness assessment. For this reason, the legislature is planning to specify the requirements in greater detail.

(b) Consumer credit

Unlike in many other jurisdictions, lending in Germany is generally a regulated activity that requires a banking licence pursuant to Section 1 of the Banking Act if performed commercially or in a manner requiring a commercial business organisation. The licensing requirement applies irrespective of whether loans are granted to consumers or to non-consumers. According to the administrative practice of BaFin, the licensing requirement also applies to lenders domiciled abroad if they actively approach borrowers domiciled in Germany to grant loans. Not only the granting of a new loan, but also the mere restructuring of a loan that has been acquired from the original lender (eg, by extending maturity and/or adjusting interest rates), may qualify as lending activity requiring a banking licence.

(c) Investment services

The definition of what are deemed 'investment services' (part of financial services) is set out in Section 1(1a), sentence 2, numbers 1 to 12, sentences 3 and 4 of the Banking Act. Accordingly, financial services comprise the following:

  • Number 1: The brokering of business involving the purchase and sale of financial instruments (investment broking).
  • Number 1a: Providing customers or their representatives with personal recommendations in respect of transactions relating to certain financial instruments where the recommendation is based on an evaluation of the investor's personal circumstances or is presented as being suitable for the investor and is not provided exclusively via information distribution channels or for the general public (investment advice).
  • Number 1b: Operating a multilateral facility, which brings together the interests of a large number of persons in the purchase and sale of financial instruments within the facility according to set rules in a way that results in a purchase agreement for these financial instruments (operation of a multilateral trading facility).
  • Number 1c: The placing of financial instruments without a firm commitment basis (placement business).
  • Number 2: The purchase and sale of financial instruments on behalf of and for the account of others (contract broking).
  • Number 3: The management of individual portfolios of financial instruments for others on a discretionary basis (portfolio management).
  • Number 4: Property trading:
    • continuously offering to purchase or sell financial instruments at self-determined prices in an organised market or a multilateral trading facility;
    • frequent organised and systematic conduct of trading for its own account outside of an organised market or a multilateral trading facility, by providing a system accessible to third parties in order to conduct business transactions with them;
    • the purchase or sale of financial instruments for its own account as a service for others; or
    • the purchase or sale of financial instruments for own account as a direct or indirect participant in a domestic organised market or multilateral trading facility by means of a high-frequency algorithmic trading strategy that is characterised by the use of:
      • infrastructure for minimising network latencies and other delays in order transmission (latencies), which includes at least one of the following devices for the input of algorithmic orders: collocation, proximity hosting or high-speed direct electronic access;
      • the ability of the system to initiate, generate, transmit or execute an order without human intervention within the meaning of Article 18 of Commission Delegate Regulation (EU) 2017/565 of 25 April 2016 supplementing Directive 2014/65/EU of the European Parliament and of the Council as regards organisational requirements and operating conditions for investment firms and defined terms for the purposes of that directive (OJ L 87, 31 March 2017, p 1), as amended; and
      • a high volume of intraday notifications within the meaning of Article 19 of Delegate Regulation (EU) 2017/565 in the form of orders, course details or cancellations.
  • Number 5: The brokering of deposit business with undertakings domiciled outside the European Economic Area (EEA) (non-EEA deposit broking).
  • Number 6: The custody, management and safeguarding of crypto securities or private cryptographic keys used to hold, store or dispose of crypto securities for others, as well as the safeguarding of private cryptographic keys used to hold, store or dispose of crypto securities for others in accordance with Section 4(3) of the Electronic Securities Act (crypto custody business).
  • Number 7: Dealing in foreign notes and coins (foreign currency dealing).
  • Number 8: The maintenance of a crypto securities register pursuant to Section 16 of the Electronic Securities Act (crypto securities register maintenance) and crypto registration business.

7 Reporting, organisational requirements, governance and risk management

7.1 What key reporting and disclosure requirements apply to banks in your jurisdiction?

Banking supervisory law – in particular, the Ordinance on Notification – sets out a number of corporate governance rules, including the following:

  • Committees must be established in an institution's supervisory board.
  • Managing directors must fulfil their roles and personal tasks.
  • Specialised internal functions must be established, such as compliance, risk control and internal audit.
  • In addition to institutions' annual reports, one of the banking supervisors' main sources of information is the audit reports, which external auditors or audit associations produce as part of their auditing of the annual reports.
  • Institutions must regularly file condensed balance sheets, from which the major balance-sheet items, risk positions and changes thereto can be identified.
  • Institutions must also report major changes – such as net losses of 25% of the equity capital as defined under the Capital Requirements Regulation or changes in the management board – in their domestic and foreign branch networks or in holdings of more than 10%. They must also report their large exposures and loans of €1 million or more.
  • Since 3 January 2018, under the Markets in Financial Instruments Directive (2014/65/EU) (MiFIR II) (as modified by Directive (EU) 2021/338) and Regulation (EU) 600/2014 (MiFIR) (as modified by Regulation (EU) 2021/23), investment services enterprises, trading venue operators (including operators of multilateral and organised trading facilities), German central counterparties and subsidiaries are obliged to notify the Federal Financial Supervisory Authority (BaFin) of all on-exchange and off-exchange dealings in financial instruments, such as securities and derivatives. The Second Markets in Financial Instruments Directive and MiFIR ensure fairer, safer and more efficient markets and facilitate greater transparency for all participants. The protection of investors is strengthened through:
    • the introduction of new requirements on product governance and independent investment advice;
    • the extension of existing rules to structured deposits; and
    • the improvement of requirements in several areas, including on the responsibility of management bodies, inducements, information and reporting to clients, cross-selling, remuneration of staff and best execution.

BaFin has adapted its minimum requirements for the compliance function to the amendments of MiFID II and published the amendment in March 2018. BaFin has also adapted existing modules and added new modules which it has implemented European Securities Authority (ESMA) guidelines under Article 16 of the ESMA Regulation. All modules have been adapted in terms of language and content to the new legal bases in the German Securities Trading Act and Delegate Regulation (EU) 2017/565 (as modified by Regulation (EU) 2021/1254).

7.2 What key organisational and governance requirements apply to banks in your jurisdiction?

The Capital Requirements Directive IV (CRD IV) stipulates guidelines for corporate governance principles for institutions in accordance with Article 3. Furthermore, in Recital 54 of the CRD IV, the legislature sets out specific principles. The effective implementation of these corporate governance principles requires the assistance of legal, regulatory and institutional frameworks. Such guidelines tend to guide the actions of the senior leadership of a diverse range of banks in a number of countries with varying legal and regulatory systems. However, there are significant differences in the legislative and regulatory frameworks across countries, which may restrict the application of certain principles or provisions therein.

In Germany, some of these corporate governance principles have already been implemented into German law. First, Section 25a of the Banking Act addresses special organisational duties in relation to the institutions to which the Banking Act applies (eg, credit institutions and financial services institutions). Section 25a(1) of the Banking Act stipulates that an institution must have a proper business organisation which ensures compliance with the legal provisions to be adhered to by the institution. According to Section 25a(1) of the Banking Act, proper business organisation comprises, in particular, appropriate and effective risk management, on the basis of which an institution must continuously ensure its risk tolerance.

Second, Sections 25c and 25d of the Banking Act extend such duties to the managing directors and the supervisory body of an institution: the managing directors of an institution must be professionally qualified and reliable, and must devote sufficient time to the performance of their duties. Members of management must have adequate theoretical and practical knowledge of the business concerned, as well as managerial experience. Section 25c of the Banking Act also states that, with a view to their overall responsibility for the proper business organisation of the institution according to Section 25a of the Banking Act, the managing directors of an institution must ensure that the institution has the statutory strategies, processes, procedures, functions and concepts in place. A new paragraph 1a in Section 25c of the Banking Act has been added with further requirements for the knowledge, skills and experience of the managing directors necessary for understanding the activity, including the main risks in their entirety. According to Section 25d of the Banking Act, the members of the administrative or supervisory body must:

  • be reliable;
  • have the expertise required to exercise the control function and assess and supervise the business conducted by the institution; and
  • devote sufficient time to the performance of their duties.

Such rules of conduct and organisational requirements are especially important for investor protection and for properly functioning financial markets. Rules of conduct lay down minimum standards for investment services in order to avoid conflicts of interest between clients, investment services enterprises and their employees, and to prevent investors from being disadvantaged as a result.

7.3 What key risk management requirements apply to banks in your jurisdiction?

The requirements are based on guidelines issued by BaFin relating to the Minimum Requirements for Risk Management (MaRisk). MaRisk provides a comprehensive framework for the management of all significant risks based on Section 25a of the Banking Act, which governs the organisational requirements for institutions regarding internal risk management. MaRisk provide a principles-based framework that gives institutions the flexibility to implement solutions individually. Moreover, MaRisk contains clauses which ensure that smaller institutions can also comply with the requirements in a flexible way.

MaRisk (as amended on 16 August 2021) has a modular structure. The General Section (AT modules) contains basic requirements for internal risk management, including outsourcing standards. Special requirements regarding the organisation of the internal control system for particular types of business and types of risk, and the organisation of the internal audit function, are set out in the Special Section (BT modules). MaRisk has undergone several revisions due to recent developments and international regulatory initiatives. BaFin has published the current valid version as Circular 09/2017 (BA). MaRisk addresses a variety of issues on controlling business and organisational risks of financial institutions. These include the responsibility of management to:

  • develop a risk management system suitable to identify and control risks;
  • meet the requirements of appropriate staff resources;
  • install internal controls;
  • meet organisational requirements for lending and trading business;
  • identify and address market, liquidity and operational risks; and
  • ensure basic specifications for the compliance function, the risk control function and the internal audit function.

MaRisk specifies the more general risk management standards set out in Section 25a of the Banking Act. Compliance with MaRisk is subject to the external audit. Any material deficiencies exposed by the audit report can lead to BaFin requiring corrective measures or imposing sanctions.

Like MaRisk, the Banking Supervisory Requirements for IT (Bankaufsichtliche Anforderungen an die IT (BAIT)) specifies the statutory requirements laid down in Section 25a of the Banking Act. BAIT describes what BaFin considers to be suitable technical and organisational resources for IT systems, with particular regard to information security and suitable contingency plans. As institutions are increasingly obtaining IT services from third parties, including as part of outsourcing arrangements, BAIT also set out the requirements for the external procurement of IT services.

7.4 What are the requirements for internal and external audit in your jurisdiction?

Internal audit is part of the ongoing monitoring of the bank's system of internal controls and of its internal capital assessment procedure. As such, the internal audit function assists senior management and the board of directors in the efficient and effective discharge of their responsibilities. The scope of internal audit activities should include the examination and evaluation of the effectiveness of the internal control, risk management and governance systems and processes of the entire bank, including the organisation's outsourced activities and its subsidiaries and branches. The internal audit function should independently evaluate:

  • the effectiveness and efficiency of internal control, risk management and governance systems in the context of both current and potential future risks;
  • the reliability, effectiveness and integrity of management information systems and processes (including relevance, accuracy, completeness, availability, confidentiality and comprehensiveness of data);
  • the monitoring of compliance with laws and regulations, including any requirements from supervisors; and
  • the safeguarding of assets.

The head of internal audit is responsible for establishing an annual internal audit plan that can be part of a multi-year plan. The plan should be based on a robust risk assessment (including input from senior management and the board), and should be updated at least annually (or more frequently to enable an ongoing real-time assessment). The board's approval of the audit plan implies that an appropriate budget will be available to support the internal audit function's activities. The budget should be sufficiently flexible to adapt to variations in the internal audit plan in response to changes in the bank's risk profile.

Together with the Deutsche Bundesbank, BaFin produces a risk profile for each less significant institution (LSI) – that is, the credit institutions it supervises directly. BaFin updates the risk profile of each of these LSIs at least once a year. It uses the risk profile of an individual LSI to determine how closely it supervises the institution. In addition to the findings of the audit report for the annual financial statements, current risk analyses and knowledge obtained from special audits and requests for information are included in the assessment.

BaFin allocates each institution to a risk class on the basis of its risk profile. This risk classification is based on the quality of the institution and potential impact of a solvency or liquidity crisis of the institution on the stability of the financial sector. In comparison with 2016, there have been only marginal changes in the allocations to the individual risk classes – while the quality of the institutions showed a slight downward trend, their impact increased slightly.

8 Senior management

8.1 What requirements apply with regard to the management structure of banks in your jurisdiction?

The Banking Act imposes stringent requirements regarding the qualifications of management board members. The bank or financial institution must provide to the Federal Financial Supervisory Authority (BaFin):

  • the names of the senior managers (Section 32(1), sentence 5, number 2 of the Banking Act) (as amended on 12 May 2021);
  • all information required to assess the trustworthiness of the applicants and of the senior managers (Section 1(2), sentence 1 and Section 32(1), sentence 5, number 3 of the Banking Act). For this purpose, the following are required from each applicant or senior manager:
    • the form "Disclosures relating to the reliability of designated managers";
    • an excerpt from the Federal Business Record Register if they were or are self-employed or if, in the course of their professional activities, they were or are the authorised representative of a businessperson or charged with managing a business or the manager of any other commercial enterprise; and
    • a "criminal record check for submission to an authority" or "European criminal record check for submission to an authority", or equivalent documents from another country; and
  • the information required to assess the professional qualifications of the proprietors and the senior managers (Section 32(1), sentence 5, number 4 of the Banking Act). Each proprietor and senior manager should submit (along with the references from any employment relationship that has ended within the last three years) a complete signed CV containing all given names, name at birth, date and place of birth, home address and nationality, as well as a detailed description of relevant education and training, the names of all undertakings for which the manager/proprietor has worked and details of the nature and duration (in months and years) of the functions performed there, particularly with relevance to the business for which authorisation is being sought, including any secondary activities, except for those performed in an honorary capacity. When describing the nature of the functions performed, in particular, the powers of representation, internal decision-making authority and the divisions within the undertaking overseen by the manager/proprietor must be specified.

8.2 How are directors and senior executives appointed and removed? What selection criteria apply in this regard?

According to Section 24(1) number 1 of the Banking Act (as amended 9 December 2020), the institution must notify BaFin and the Deutsche Bundesbank, without delay, of its intention to appoint a (managing) director or to confer sole power on a person to represent the institution. In addition, facts that are essential for assessing the reliability, professional competence and availability of time to perform the duties in question must be provided. Further, pursuant to Section 24(1) number 2 of the Banking Act, the institute must notify BaFin and the Deutsche Bundesbank, without delay, of the resignation of a (managing) director and the withdrawal of the sole power to represent the institution across its entire business area. According to Section 24 (1) number 19 of the Banking Act, the institution must inform Bafin of any outsourcing arrangements.

8.3 What are the legal duties of bank directors and senior executives?

According to Section 25a(1), sentence 2 of the Banking Act, the directors are responsible for the implementation, establishment, maintenance and further development of proper business organisation. All managers are jointly responsible for compliance with the requirements of Section 25a of the Banking Act. The combined responsibility of the managers for the organisation of the bank is also defined in Section AT 3 of the Minimum Requirements for Risk Management (Mindestanforderungen für das Risikomanagement 2012 AT 3, p4).

A specially appointed director is responsible for:

  • providing a regular overview of the overall risk profile and definition of the business and risk strategy;
  • reporting on the risk situation to the management; and
  • reporting to the supervisory board any instances of serious misconduct.

8.4 How is executive compensation in the banking sector regulated in your jurisdiction?

In accordance with Section 25a(1), sentence 3, number 6 of the Banking Act, the remuneration systems for managers and staff should be appropriate and transparent, and geared towards the sustainable development of the institution. In accordance with Section 25a(5) of the Banking Act, the variable and fixed remuneration of employees and managing directors must be appropriately proportioned and balanced. Furthermore, the variable remuneration must not exceed 100% of the fixed remuneration, although an exception in Section 25a(5), sentence 5 of the Banking Act permits the ratio to be increased to a maximum of 200%.

9 Change of control and transfers of banking business

9.1 How are the assets and liabilities of banks typically transferred in your jurisdiction?

In Germany, shareholder control procedures apply to banks and financial institutions. They allow the Federal Financial Supervisory Authority (BaFin), working with the European Central Bank (ECB), to assess in advance the suitability of potential investors. The procedure applies to investors which, either individually or together with other persons or companies, wish to acquire a 'significant holding' in a regulated German entity. A 'significant holding' means a direct or indirect holding in an undertaking which represents 10% or more of the capital or of the voting rights, or a holding which makes it possible to exercise a significant influence over the management of that undertaking. Several investors acting in concert – that is, coordinating the exercise of their voting rights to influence a target – can also reach the 10% threshold. Persons or entities intending to acquire a significant holding, or to increase their holding to exceed 20%, 30% or 50% of the voting rights or capital, must notify this intention immediately to BaFin and the Deutsche Bundesbank. Under the revised Section 2c (1) sentence 7 of the Banking Act, unintended acquisitions of a significant holding or an unintended increase of the holding exceeding 20%, 30% or 50% of the voting rights or capital must be notified without delay as soon as the institution becomes aware of the acquisition. This also applies if there is an intention to reduce the shareholding until it falls below the threshold, unless the shareholding is reduced immediately after becoming aware of the acquisition or increase. The first notification must be accompanied by a business plan, statements of reliability and further extensive information on the acquirer, its management, its investors and its group. The authorities have up to 90 working days to review the filings, which begins to run only once all required documentation has been submitted. In practice, this leaves the authorities with significant discretion as to when the 90-working-day period actually starts. While no formal approval of the acquisition by the authorities is required, authorities may, within the assessment period, prohibit the transaction. Thus, they have de facto a veto right.

Investors in all sorts of financial institutions should be aware that the shareholder control procedure is in many cases time consuming and onerous in terms of paperwork – in particular, if the target is a bank and the investor does not yet own a financial institution in the European Union. In the case of banks, authorities also sometimes use their veto power to require from investors certain guarantees that are not explicitly provided for by law, such as a certain capitalisation of the target bank. While the shareholder control procedure should therefore be taken very seriously and be prepared carefully, it should also be stressed that in the recent past it has been successfully completed by a number of investors other than traditional European banks. This shows that the authorities recognise that the German banking system can strongly benefit from outside investors and their financial strength. Although it is generally assumed that a veto by BaFin/the ECB would not make the acquisition of an interest in a financial institution invalid under civil law, such acquisition before clearance can qualify as an administrative offence which may be heavily sanctioned by BaFin or the ECB. Therefore, the lapse of the assessment period or a certificate of non-objection by BaFin will generally be agreed as a condition precedent to closing of a transaction.

The ECB can prohibit the acquisition of a significant holding in a German credit institution only if any of the following conditions are met:

  • The prospective acquirer is considered unsuitable to be a major shareholder in a financial institution;
  • The institution would no longer be able to comply with its regulatory obligations;
  • The institution would become a subsidiary of a foreign institution whose regulator does not cooperate with BaFin or the ECB;
  • The future management would be unreliable;
  • There are reasonable grounds to suspect that money laundering or terrorism financing is being conducted through the institution, or the acquisition would increase the risk of this; or
  • The prospective investor cannot provide financial support to the institution when needed.

During their review of a notification, BaFin and the ECB will investigate the ultimate purchaser(s) as well as any intermediate holding companies and their management. Further, BaFin and the ECB will require evidence of the source of funds used for the acquisition, to combat money laundering. Compliance with these regulatory requirements generally involves long-term planning and careful preparation.

An asset deal allows the purchasers to select the assets (and liabilities) which they want to buy. However, the purchaser must ensure that the purchasing entity possesses a BaFin issued licence, which is required to conduct the purchased business at the time of the closing. If entire agreements are to be transferred, including outstanding obligations of the seller, the contracting party must approve of the transfer.

The advantage of a share deal in comparison to an asset deal is that the licence of the target entity remains unaffected – that is, an entity with an existing licence will be acquired. The purchaser must, however, undergo the shareholder control procedure(s), as described above. All agreements of the target generally also remain unaffected. However, agreements can contain change-of-control clauses, which can lead to their termination or to termination rights. This is particularly relevant for financing agreements and must be thoroughly analysed in the legal due diligence.

9.2 What requirements must be met in the event of a change of control?

German law requires any person that intends to acquire a qualifying holding in an institution to notify BaFin and Deutsche Bundesbank, without undue delay, of its intention. A 'qualifying holding' is a direct or indirect holding in an undertaking that represents 10% or more of the capital or of the voting rights, or which makes it possible to exercise significant influence over the management of that undertaking.

If the notification relates to a participation in a credit institution within the meaning of the Capital Requirements Regulation, BaFin does not decide on the intended acquisition itself, but instead prepares a draft decision and submits this draft to the ECB, which is responsible for taking the final decision. In order to implement standardised procedures for cooperation with the ECB and other national regulators involved in cross-border transactions, a central unit within BaFin has been established.

Besides the regulatory ownership control procedure, it may be necessary under the Foreign Trade Regulation to file an application for approval with the Federal Ministry for Economic Affairs and Energy (BMWi) if an investor from a non-EU state intends to acquire, directly or indirectly, 25% of the voting rights in an institution that engages in critical infrastructure such as payment systems, cash supply, insurance business or settlement and clearing of securities. In December 2018 the BMWi significantly tightened the notification requirements for the acquisition of a company that operates 'critical infrastructure' by purchasers from third-party countries. A reporting obligation already applies to the acquisition of 10% of the voting rights, instead of the above-mentioned 25%. In other cases, it is possible to seek the BMWi's approval on a voluntary basis. This may make sense since the BMWi can object to transactions (and order the reversal of transactions) or impose certain restrictions if there is a threat to public policy or public security.

As with all EU banks, German banks are obliged to secure deposits by way of membership in a statutory deposit guarantee scheme (see question 10.2). The statutory deposit protection scheme guarantees the deposits of (most) customers up to an amount of €100,000. From the purchaser's point of view, it is advisable that the purchase agreement provides approval of the Federal Association of German Banks to the continued membership of the target in the statutory deposit guarantee scheme as a condition precedent to the closing of the transaction.

10 Consumer protection

10.1 What requirements must banks comply with to protect consumers in your jurisdiction?

Since the Retail Investor Protection Act came into force, collective consumer protection has been part of the supervisory objective of the Federal Financial Supervisory Authority (BaFin). Collective consumer protection means that BaFin protects consumers as a whole. By contrast, the protection of individual consumer interests is the task of ombudsmen, dispute resolution entities and the courts.

In order to manage collective consumer protection efficiently and effectively, BaFin has modified its organisational structure. At the turn of 2016, the new Consumer Protection Department commenced operations, with a total of seven divisions. Although it is part of the Securities Supervision Directorate in Frankfurt am Main, its focus is not on investor protection, but rather on all topics relevant to consumer protection which are within the remit of BaFin. This means that it also deals with the protection of bank customers and insureds. The department is divided between BaFin locations in Frankfurt am Main and Bonn.

BaFin endeavours to ensure that the range of financial products, insurance products and financial services on offer is transparent and comprehensible. The aim is to ensure that consumers are in a position where they can understand the functioning and risks of products and services, and can evaluate their actual costs correctly. The content and form of the information made available by providers – whether it is legally required or voluntary – must be designed in such a way that the information satisfies the needs and knowledge requirements of consumers. Only then can consumers keep pace with the informational advantage that providers enjoy.

BaFin can issue orders on the basis of Section 4(1a) of the Act Establishing the Federal Financial Supervisory Authority in order to prevent or rectify irregularities if it becomes apparent that a general clarification is advisable in the interests of consumer protection. On the basis of the new Section 15 of the Securities Trading Act, BaFin can even restrict or prohibit certain sales practices and the sale of products in serious cases – specifically, if investor protection or the functioning or integrity of the financial markets is jeopardised.

10.2 How are deposits protected in your jurisdiction?

The Deposit Protection Fund (DPF) of the Association of German Banks secures the deposits of every customer at the private commercial banks up to a ceiling of 15% of the relevant liable capital of the respective bank as at the date of the last published annual financial statements. The minimum equity capital of a bank in Germany is €5 million. In this case, €750,000 per customer will be protected. From 1 January 2025, this figure will change to 8.75% of the liable capital of the bank relevant for deposit protection. There is one exception: the protection ceiling for banks joining the scheme is in principle only €250,000 up to the end of the third calendar year of their participation in the DPF.

The protection extends to all deposits held by 'non-banking institutions' – that is, deposits held by private individuals, business enterprises and public bodies. The deposits protected are, for the main part, demand, term and savings deposits and registered savings certificates. Liabilities in respect of which bearer instruments such as bearer bonds and bearer certificates of deposits have been issued by a bank are not protected. For almost all depositors, this protection concept means virtually full protection for all deposits at private commercial banks. If a bank ceases to participate in the DPF, there are provisions for depositors to be informed in good time so that arrangements can be made while still enjoying deposit protection. Furthermore, deposits are protected until the next due date – that is, possibly well beyond the date on which a bank's participation in the fund ends.

Alongside the DPF, there exists a statutory deposit protection scheme, the Compensation Scheme of German Banks (Entschädigungseinrichtung deutscher Banken (EdB)), which was set up in 1998. The EdB performs the tasks of the compensation scheme required under the German Deposit Guarantee Act in relation to private commercial banks and private building and loan associations. The protection provided by the EdB is limited to €100,000 per depositor. The DPF only covers deposits and depositors if and to the extent that the EdB does not already cover them.

11 Data security and cybersecurity

11.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for banks?

The applicable data protection regime for banks is based on the Banking Act, General Data Protection Regulation (GDPR), the German Data Protection Act and the Payment Services Oversight Act regarding bank account information. The GDPR stipulates in very concrete terms how the collection, selection, archiving and processing of personal data is to be carried out. In addition, bank secrecy aspects apply.

11.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for banks?

The applicable data protection regime is the EU Cybersecurity Act and GDPR, especially Sections 32 and 33 of the GDPR. However, there are also special regulations for the banking sector, such as:

  • Section 25a(1), number 5 of the Banking Act, which requires an appropriate contingency plan for IT systems;
  • the minimum requirements for the security of internet payments of the Federal Financial Supervisory Authority; and
  • the banking supervisory requirements for IT supervision (see question 7.3).

12 Financial crime and banking secrecy

12.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for banks?

The German Money-Laundering Act governs money laundering. Additionally, Sections 54 to 60d of the Banking Act concern, for example:

  • prohibited business transactions;
  • acting without permission; and
  • breach of the obligation to notify the relevant authorities of insolvency or overindebtedness.

The Federal Financial Supervisory Authority (BaFin) has published interpretative and application notes for the implementation of due diligence and internal safeguard measures to prevent money laundering. Depending on the gravity of the crime, BAFin may revoke required licences as a result of a violation of anti-money laundering provisions (Section 35(2), number 6 of the Banking Act). Furthermore, BaFin may demand the dismissal of the responsible managers and prohibit them from carrying out their activities at institutions organised as a legal person (Section 36(4) of the Banking Act).

12.2 Does banking secrecy apply in your jurisdiction?

The application of banking secrecy in the German jurisdiction depends on the field of law. In civil law or contract law, banking secrecy applies at least as a secondary obligation or as an obligation of consideration based on Section 311 or 241 of the Civil Code. However, in criminal law or tax law, banking secrecy does not (always) apply.

Under the Anti-Money Laundering Act the obliged banks are exempt from the reporting obligation if the reportable matter relates to information they received in the context of a client relationship subject to professional secrecy. However, the reporting obligation continues to exist if the obliged entity knows that the contracting party has used or is using the relationship for the purpose of money laundering or terrorist financing or another criminal offence.

With an enforcement and seizure order or search warrant, and in compliance with the principle of proportionality, the German Code of Criminal Procedure allows for breach of the secrecy obligation. The right of professional secrecy holders to refuse to testify in accordance with Section 53 of the code does not cover banks or their employees.

Section 30a of the German Fiscal Code protected bank customers until its abolition in 2017 by the German Tax (Combat) Avoidance Act. According to Section 93 of the Fiscal Code, the tax authorities must be provided with information required to establish facts that are relevant for taxation.

13 Competition

13.1 What specific challenges or concerns does the banking sector present from a competition perspective? Are there any pro-competition measures that are targeted specifically at banks?

The European Central Bank (ECB) can prohibit the acquisition of a qualifying holding in a German credit institution only if any of the following conditions are met:

  • The prospective acquirer is considered unsuitable to be a major shareholder in a financial institution;
  • The institution would no longer be able to comply with its regulatory obligations;
  • The institution would become a subsidiary of a foreign institution whose regulator does not cooperate with the Federal Financial Supervisory Authority (BaFin) or the ECB;
  • The future management would be unreliable;
  • There are reasonable grounds to suspect that money laundering or terrorism financing is being conducted through the institution, or the acquisition would the risk of this; or
  • The prospective investor cannot provide financial support to the institution when needed.

During their review of a notification, BaFin and the ECB will investigate the ultimate purchaser(s), as well as any intermediate holding companies and their management. Further, BaFin and the ECB will require evidence of the source of funds used for the acquisition, to combat money laundering. Compliance with these regulatory requirements generally involves long-term planning and careful preparation.

Non-financial organisations are not prevented from acquiring and owning banks in Germany. Similarly, German banks are generally allowed to acquire minority or controlling investments in other banks and non-financial organisations. However, qualifying holdings held by banks in undertakings outside the financial sector that exceed certain thresholds will receive a risk weight of 1.25% and thus must be fully funded with own funds of the institution to avoid contagion risk.

14 Recovery, resolution and liquidation

14.1 What options are available where banks are failing in your jurisdiction?

In 2014 the European Commission, the European Parliament and the EU member states reached agreement on a Single Resolution Mechanism (SRM) for all EU member states whose currency is the euro, including the establishment of a Single Resolution Fund (SRF) of up to €55 billion, to be raised from 2016 to 2023 through contributions by EU banks.

Germany was one of the first countries to introduce a recovery and resolution regime into its regulatory framework. The Banking Act was changed with the implementation of Directive 2014/59/EU on Bank Recovery and Resolution (BRRD) as of 1 January 2015, and the entry into force of the SRM as of 1 January 2016. The centrepieces of the new resolution regime for banks are the SRM Regulation and the Act on the Recovery and Resolution of Institutions and Financial Groups. The regime has two major parts: recovery planning and resolution planning, and the actual resolution of a bank that is failing or likely to fail. Resolution planning and taking resolution decisions fall within the decision power of specific resolution authorities as part of the SRM. In the SRM, similar to the Single Supervisory Mechanism, competencies and tasks are shared between the Single Resolution Board (SRB), an EU authority, and national resolution authorities of the EU member states participating in the SRM. The SRB is competent for resolution planning and actual resolution of all banks that are directly supervised by the ECB because they are deemed significant. When a bank is failing or likely to fail, and to avoid a bailout, the SRB and the Federal Financial Supervisory Authority (BaFin) can use resolution tools to restructure the bank and safeguard public interest, through ensuring the continuity of the bank's critical functions and financial stability while incurring minimal costs for taxpayers.

The core resolution tool is the bail-in tool, by which a bank's equity, debt instruments and other unsecured liabilities can be written down, including to zero, or converted into new equity, in order that shareholders and creditors participate in the losses and the recapitalisation of the bank. To be prepared for a bail-in, banks must have a sufficient amount of unsecured liabilities that can be bailed-in during times of crisis (minimum requirement for own funds and eligible liabilities). International recognition of resolution measures remains a critical issue. To minimise the risk of non-recognition, German institutions must include a clause in contracts governing their liabilities by which the creditor recognises that the liability is subject to the bail-in tool if the liability is governed by the laws of non-EU country.

International cooperation between resolution authorities in the Eurozone is organised within the SRM. With certain non-EU resolution authorities, the SRB concluded bilateral resolution cooperation arrangements, which provide a basis for the exchange of information and cooperation in resolution planning and in the implementation of resolution measures.

14.2 What insolvency and liquidation regime applies to banks in your jurisdiction?

If an institution becomes insolvent or overindebted, the managing directors must report this and submit informative documentation to BaFin without undue delay. The Act on the Recovery and Resolution of Institutions and Financial Groups transposes the BRRD into German law. The act provides for detailed provisions regarding the recovery and resolution of banks.

Pursuant to Section 12 of the Act on the Recovery and Resolution of Institutions and Financial Groups, institutions are obliged to prepare a recovery plan once the supervisory authority has asked them to do so. The time limit for the preparation of the recovery plans may not exceed six months. However, an institution may apply for an extension of up to six months. The recovery plans must contain the measures that will ensure or restore the financial stability in case of a crisis. The act provides a detailed description of the content of these plans. The aim of such recovery plans is to give an institution the tool for handling a crisis through its own efforts. In doing so, the resolution of institutions right from the outset may be avoided. BaFin assesses institutions' recovery plans and suggests improvements thereto. Where plans do not meet the requirements under the Act on the Recovery and Resolution of Institutions and Financial Groups, BaFin can request a revised recovery plan.

Another key section of the Act on the Recovery and Resolution of Institutions and Financial Groups covers the resolution of institutions and financial groups. Pursuant to Section 62, certain conditions must be fulfilled in order to implement resolution measures. One condition, for example, is that the institution is failing or is likely to fail. An institution is deemed to be failing if:

  • it breaches the requirements associated with the Banking Act in a way that would justify the suspension of a licence by BaFin;
  • its assets are below the level of its liability; or
  • it is overindebted.

Further conditions are that the measure is in the public interest and that the failure of the institution cannot be equally prevented by other means within the available timeframe. Once these conditions are met, resolution measures can be implemented. There are four resolution measures: sale of business, transfer to a bridge institution, asset separation and bail-in.

15 Trends and predictions

15.1 How would you describe the current banking landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

The German banking market has proved to be fundamentally consistent and Deutsche Bank once again leads the top 10 banks by total assets, followed by DZ Bank, which maintained this position after a merger with WGZ Bank in July 2016, and Kreditanstalt für Wiederaufbau (KFW Group including its subsidiaries KFW IPEX Bank, DEG and KfW Entwicklungsank). Apart from Commerzbank, which is ranked fourth, the top tier of the German banking industry is partly dominated by German branches of large international banks (UniCredit Bank), development banks (KfW Group, NRW Bank) and state banks (Landesbank Baden-Württemberg, Bayerische Landesbank, Landesbank Hessen-Thüringen, Norddeutsche Landesbank).

Overall, Germany's three large commercial retail banks (Deutsche Bank, Commerzbank and HypoVereinsbank) together only control about 15% of the retail banking market. The 403 non-profit independent Sparkassen or savings banks, which are mostly owned by local municipalities across Germany, had a 37% share of the retail market in 2016 and a 28% market share in local business lending. Most cooperative institutions are Volks- and Raiffeisenbank institutions. Consolidation in the industry has led to a continuous reduction in the number of such institutions. Consolidation is somewhat stronger in terms of numbers than in the savings bank sector (Sparkassen). From an asset perspective, a trend towards the formation of larger institutions is evident in this sector. For comparison, the average total assets in the cooperative banking sector amount to approximately €1 billion, whereas those in the savings banks sector amount to around €3.3 billion.

Many of the commercial, public and cooperative banks in Germany also have online banking options, and a number of online-only and mobile-only banks have emerged in recent years. Online banking in Germany is fairly straightforward and very common. Most German banks offering online services and a number of banks focus solely on online banking (eg, bunq, N26, Wise, Revolut, DKB and Santander).

New rules and regulations include the following:

  • Amendments to the German Placement Agent Regulation based on the Second Markets in Financial Instruments Directive came into force in August 2020. The regulation is relevant for all financial investment brokers and fee-based financial investment advisers, subject to Section 34f of the German Trade Act. In addition to the avoidance of conflicts of interest and the so-called 'declaration of suitability', financial investment intermediaries must record the content of telephone conversations and electronic communications as soon as they relate to the brokerage of or advice on financial investments in order to preserve evidence
  • Directive (EU) 2018/843 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing ('AML 5') entered into force on 9 July 2018. EU member states were required to transpose AML 5 into national law by 10 January 2020. The directive was implemented in Germany in January 2020. In particular, digital companies will be obliged to provide payment service providers with access to infrastructure services. These include, for example, interfaces for near field communication, which is required for cashless payments with mobile phones at physical points of sale.
  • The regulation for investment screenings in the European Union, including a framework regulation for foreign investment screenings by EU member states, was adopted in March 2019 and is applicable as of 11 October 2020. The German rules on foreign direct investment are set out in the Foreign Trade and Payments Act and the Foreign Trade and Payments Ordinance. In 2020, the number of cases increased significantly from 106 in 2019 to a total of 159 – excluding acquisitions reported to the Federal Ministry of Economics and Technology exclusively through the EU cooperation mechanism (which far exceeded the initially expected numbers).
  • Since November 2019, there has been new momentum to establish a European Deposit Insurance Scheme. The recast Directive 2014/49/EU of the European Parliament and of the Council of 14 April further harmonises the requirements for national deposit guarantee systems (DGSs). All EU member states must now establish bank-financed deposit guarantee funds, thus providing coverage for bank deposits up to the amount of €100,000 should a compensation event occur. Germany already meets this requirement through its existing statutory compensation schemes. Under the directive, DGSs must put aside financial means equal to 0.8% of their covered deposits by 24 July 2024. With a view to the future, a pan-European deposit insurance scheme is envisaged. The European Commission's proposals foresee the gradual implementation of a system of comprehensive insurance by 2024, under which bank customers' savings would be covered by a European fund in the event of the bank's insolvency.
  • The EU Securitisation Regulation (2017/2402) became applicable in the European Union from 1 January 2019. It includes requirements relating to investor due diligence, risk retention, disclosure and credit granting, as well as a ban on resecuritisation. In addition, it established a new regime for 'simple, transparent and standardised' (STS) securitisations, allowing certain investors in securitisations that meet the applicable requirements to benefit from lower regulatory capital requirements and other favourable regulatory treatment. Certain amendments were made to the EU Securitisation Regulation and the Capital Requirements Regulation in April 2021, including the introduction of an STS framework for balance-sheet synthetic securitisations and adjustments with respect to securitisations of non-performing exposures.
  • The Federal Financial Supervisory Authority (BaFin) has published all modules of the Issuer Guidelines for German and foreign issuers whose securities are admitted to trading on a German stock exchange. These guidelines are addressed to issuers for which BaFin is the competent authority for supervising compliance with the requirements of capital markets legislation. The guidelines are designed as a hands-on guide to dealing with the requirements of securities trading legislation, albeit without constituting a legal commentary. They provide an introduction to these legal issues and explain BaFin's administrative practice.

In terms of trends and predictions, the German banking business continues to be challenged by new rules and regulations, as well as by state, federal and global regulators. Therefore, banking entities must focus on the EU Capital Requirements Regulation (CRR) and the EU Capital Requirements Directive IV (CRD IV); and at the same time, must prepare for new laws and regulations in emerging focus areas such as climate change, financial inclusion and digital assets.

Key topics include the following:

  • Capital and liquidity: Capital and liquidity planning will likely remain very complex in 2022, and banking institutions must prove resilience under stress scenarios and engage in more sophisticated contingency planning. Among the amendments to the capital rules is a binding advantage ratio of 3% for all institutions that fall within the scope of CRD IV, with adjustments possible under specific circumstances. A requirement for stable funding based on the ratio of an institution's stable funding over a one-year period (net stable funding ratio) is introduced, in order to prevent institutions from relying on excessive amounts of short-term wholesale funding to finance long-term activities. This requirement will become effective on 1 January 2024, while in some areas later application dates are relevant. In addition, CRD IV includes a substantial set of transitional provisions, which are aimed at grandfathering current situations of supervised entities to allow for the gradual phase-in of new requirements. The rules for calculating the capital requirements for market risk, which are applicable to trading book positions, will be amended as from 28 June 2023 to reflect more accurately the actual risk to which banks are exposed. However, to allow for a more proportionate solution, there are derogations for banks with small trading books and a simplified standardised approach for medium-sized banks. Furthermore, the European Commission's implementing power is replaced by a delegated power, enabling the commission to exempt entities from the CRD where certain conditions are fulfilled and to decide whether such institutions fall within the scope of the CRD or CRR once again where these criteria are no longer fulfilled.
  • Compliance and anti-money laundering (AML): 'Compliance' covers various issues, such as environmental, social and governance (ESG) issues, board governance and third-party risk management, along with detailed requirements in prudential risk management areas such as capital and liquidity management. An effective compliance management system should cover all new and non-traditional areas, in addition to consumer protection, AML and the Bank Secrecy Act.
  • Consumers and consumer protection: BaFin and the European Central Bank will probably improve consumer-related supervision and enforcement activities in 2022, with a particular focus on areas such as fair and responsible banking.
  • Cyber risks: Banking institutions must focus on cyberattacks, data breaches and service outages, and on managing such operational and cyber risks.
  • Data infrastructure and technology resilience: Data is critical to identify and manage emerging risk and develop risk mitigation responses. This results in a need to take care of the technology and data strategy, and to consider integration and legacy systems. This includes data availability across the firm, data privacy, data protection and data security, and related analytic capabilities and resilience.
  • Digital assets: In 2022, regulators will likely take a more active role in regulating digital assets in two areas:
    • regulated financial instruments (eg, deposits, futures, securities); and
    • regulated entities (eg, banks, broker-dealers, money transmission entities).
  • Flexibility will be essential as the rules unfold and firms will need to respond quickly.
  • ESG and sustainable risks: The Federal Financial Supervisory Authority (BaFin) will also focus on ESG compliance and sustainable risks, which have already been outlined in its circulars on the Minimum Requirements for Risk Management, the Minimum Requirements for the Governance of Insurance Companies and the Minimum Requirements for Asset Management Companies. BaFin expects that all supervised entities are considering sustainability risks in their operations and that this is being properly documented.
  • Governance and core risk management: Banking institutions must ensure that their risk management, governance, audit and internal controls are implemented, operational and owned by both board and supervisor-level employees – particularly in newly emerging risk areas such as remote and hybrid work.

15.2 Does your jurisdiction regulate cryptocurrencies? Are there any legislative developments with respect to cryptocurrencies or fintech in general?

The Act Implementing the Amending Directive on the Fourth EU Anti-Money Laundering Directive has incorporated crypto-custody business into the regime of the Banking Act as a new financial service. As of 1 January 2020, when this statute entered into force, companies seeking to provide such services require prior authorisation from BaFin. However, the law includes transitional provisions for companies that conducted such business before the law took effect – that is, before such business activities became subject to authorisation requirements. BaFin provides potential institutions with information on the legal situation with regard to the crypto-custody business and its website is updated on an ongoing basis. In June 2021, an Electronic Securities Act came into force, which includes regulations on cryptocurrencies. It includes a new register for cryptocurrencies in Section 16 of the Electronic Securities Act.

The Council presidency and the European Parliament have reached a provisional agreement on the markets in crypto-assets proposal, which covers issuers of unbacked crypto-assets and so-called 'stablecoins', as well as the trading venues and the wallets in which crypto-assets are held. This regulatory framework will protect investors and preserve financial stability, while allowing innovation and fostering the attractiveness of the crypto-asset sector. This will bring greater clarity in the European Union, as some member states already have national legislation for crypto-assets in place, but thus far there has been no specific regulatory framework at EU level.

16 Tips and traps

16.1 What are your top tips for banking entities operating in your jurisdiction and what potential issues would you highlight?

Ultimately, the traditional role of a bank is to lend, accept deposits, facilitate payments and assist with investments; and banks have been doing very well in creating products across these functions for their customers. However, in this regard, they are highly reliant on traditional channels such as branches and relationship managers to distribute these products. To survive in a digital world, they must change their methods.

In recent years, banks have made an effort to roll out internet banking and mobile banking capabilities. However, these efforts have fallen far short of what the younger generation demands. Globally, around 2 billion people remain unbanked, with an additional estimate of 3.5 billion underbanked. 'Unbanked' refers to people with no relationship with banks at all; while 'underbanked' refers to people who have a deposit account, but no access to a suite of financial services.

This notwithstanding, banks are finding it tough to customise and match the right customers with the right products; and there are so many choices that it can be confusing for customers themselves to understand which are most suitable for them.

Fintech will provide banks with the flexibility that they need. Using data-driven models, tech can draw on the abundance of information available in banks to give users a better understanding of their customers. In turn, new technology such as matching algorithms will offer banks a more efficient way of reaching out to a bigger segment of customers. It will also benefit existing customers, as banks can suggest the choices and options that are most relevant to their needs.

Alternatively, working with a fintech helps banks to better manage risk, as it gives them a safe way of testing the system without exposing their core platforms. Banks can open up the edges of their system, allowing third-party developers to tag on their systems via an open application programming interface.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.