1 Legal framework

1.1 Which legislative and regulatory provisions govern the banking sector in your jurisdiction?

As Germany is an EU member state, the regulatory framework is in many instances based on EU regulations and directives. Regulation (EU) 575/2013 on prudential requirements for credit institutions and investment firms (Capital Requirements Regulation (CRR)) is particularly important. It sets out the rules for calculating capital requirements, reporting and general obligations for liquidity requirements. Further, the Capital Requirements Directive IV (2013/36/EU) (CRD IV) sets out stronger prudential requirements for banks, requiring them to keep sufficient liquidity and capital reserves, and to avoid insufficient capital reserves and insufficient short and long-term liquidity.

Additionally, the EU has actively contributed to developing the Basel Committee on Banking Supervision standards at the Bank for International Settlements on capital, liquidity and leverage. It aims to ensure that major European banking specificities and issues are appropriately addressed. In response to Basel III, the European Union carried out a major overhaul of the existing regulatory framework, which came into effect on 1 January 2014. The rules introduced in the European Union through the CRD IV package therefore respect the balance and ambition of the Basel III framework.

The German laws covering the banking sector are in particular:

  • the Banking Act, which sets out the requirements and duties of credit institutions and financial services institutions;
  • the Payment Services Oversight Act, which covers the supervision of payment services and implements the European Payment Services Directive into German law;
  • the Supervision of Financial Conglomerates Act;
  • the laws covering savings banks;
  • the Cooperative Societies Act;
  • the Deposit Guarantee Act;
  • the Investor Protection Act;
  • the Capital Investment Code, which covers the provision of investment services and implements the Undertakings for Collective Investment in Transferable Securities Directive (2014/91/EU), as well as the Alternative Investment Fund Managers Directive (2011/61/EU);
  • the Money Laundering Act;
  • the Credit Institution Reorganisation Act;
  • the Recovery and Resolution Act;
  • the Securities Trading Act; and
  • laws covering specialised institutions, such as mortgage banks and building societies.

Ancillary laws and regulations also accompany these statutes, most of which deal with specific regulatory aspects (i.e. the Regulation Governing Large Exposures, the Solvency Regulation).

1.2 Which bilateral and multilateral instruments on banking have effect in your jurisdiction? How is regulatory cooperation and consolidated supervision assured?

The EU Single Supervisory Mechanism (SSM) set out in Regulation (EU) 1024/2013 was set up as the first pillar of the European banking union, alongside the Single Resolution Mechanism (SRM) and the European Deposit Insurance Scheme. The three pillars rest on the foundation of a single rulebook, which applies to all EU countries. The European banking supervision mechanism aims to contribute to the safety and soundness of credit institutions and to the stability of the EU financial system by ensuring that banking supervision across the European Union is of a high standard and is consistently applied to all banks. While retaining ultimate responsibility, the European Central Bank (ECB) carries out its supervisory tasks within the SSM, comprising the ECB and national competent authorities (NCAs) – in Germany, the Federal Financial Supervisory Authority (BaFin). This structure provides for strong and consistent supervision of all relevant entities across the euro area, while making the best use of the local and specific expertise of the national supervisor. Within the SSM, composed of the ECB and NCAs, the ECB carries out its supervisory tasks. The ECB is responsible for the effective and consistent functioning of the SSM, with a view to carrying out effective banking supervision and contributing to the safety and integrity of the banking system and the stability of the financial system.

1.3 Which bodies are responsible for enforcing the applicable laws and regulations? What powers (including sanctions) do they have?

German banks are supervised under the SSM by the ECB and BaFin, or both, and by the Deutsche Bundesbank. The responsibility of either the ECB or BaFin depends on the allocation of competencies set out in the SSM. The ECB is competent to supervise all German credit institutions with respect to licensing and assessment of notifications of acquisitions and disposals of qualifying holdings in such credit institutions. Additionally, the ECB is competent for the supervision of credit institutions that are deemed ‘significant', where:

  • a credit institution has a total asset value of more than €30 billion;
  • total assets exceed €5 billion and the ratio of total assets to German gross domestic product exceeds 20%;
  • BaFin and the ECB mutually decide that the credit institution should be deemed significant;
  • the ECB decides that a credit institution with subsidiaries in Germany and other EU member state(s), and whose cross-border assets or liabilities represent a significant part of its total assets or liabilities, should be deemed to be significant; or
  • a credit institution has requested or received financial assistance directly from the European Financial Stability Facility or the European Stability Mechanism (ESM).

The ECB directly supervises 117 ‘significant' institutions and banking groups in the European Union (including 21 German institutions and banking groups) from 1 January 2020, and supervises member states' regulatory authorities, which directly supervise less significant institutions and banking groups. BaFin supervises banking, financial service institutions and insurance companies and remains the authority responsible for dealing with anti-money laundering law and the supervision of payment services providers.

The Deutsche Bundesbank is responsible for receiving and analysing data submitted by the banks. It cooperates closely with BaFin and the ECB with regard to banking supervision. If a problem occurs, the Deutsche Bundesbank will promptly involve BaFin. The ECB, BaFin and the Bundesbank cooperate closely, sharing observations and findings necessary for the performance of their respective tasks. In their internal relationship, the ECB or BaFin takes the final decision about whether supervisory measures must be taken or how to construe the law.

Because of the comprehensive responsibility, which BaFin has for the banking, insurance and securities sectors, there are no other supervisory authorities besides the Deutsche Bundes- bank regulators in Germany specifically relevant to the financial services industry, although the German Deposit Protection Fund has a special role. Banks are subject to enhanced audit requirements and external auditors assess compliance of annual accounts with accounting principles, as well as the bank's compliance with its regulatory obligations. The annual audit report is a very important tool for BaFin in exercising its supervisory duties. It is common for the managers of a bank to be invited to a meeting with BaFin to discuss the report annually. Where the audit report identifies any deficiencies or there is any other reason for BaFin to believe that a bank is not fully compliant, BaFin can order a special audit by the Deutsche Bundesbank or another auditing firm.

Ultimately, BaFin can take various supervisory measures under the Banking Act. The most common measures are preventative in nature and may include a request for information, the submission of documents and the ordering of (ad hoc) audits. However, if a bank is conducting unauthorised business, BaFin can conduct inspections, prohibit the continuation of such business and order the liquidation of the existing business. BaFin may also impose administrative fines aimed at warning parties to comply with their statutory obligations. It can further issue warnings against managers and demand their dismissal if they do not have the adequate professional qualifications or are considered unreliable.

1.4 What are the current priorities of regulators and how does the regulator engage with the banking sector?

The cooperation between BaFin and the Deutsche Bundesbank in terms of ongoing supervision of institutions is regulated by Section 7 of the Banking Act. This states that the Bundesbank is responsible for the vast majority of operational banking supervision and has an important part to play in crisis management – for example, evaluating the documentation, audit reports and annual financial statements submitted by financial institutions, as well as performing and evaluating on-site inspections. Additionally, BaFin's guidelines on ongoing supervision are issued in agreement with the Deutsche Bundesbank pursuant to Section 7(2) of the Banking Act. The guidelines aim to produce harmonised and high-quality banking supervision and ensure the transparent and unambiguous division of tasks.

The Brexit referendum result from June 2016 could have potentially significant implications for the financial sector in Germany. As it stands, it cannot be excluded that the EU-UK negotiations will result in a ‘hard Brexit', which means that the United Kingdom will leave the European single market without a negotiated agreement in place. Supervised credit institutions and financial services institutions that are located in the United Kingdom will have to be prepared for the possibility of no longer being able to conduct regulated business in the European Union or with European Economic Area (EEA) member states. Specifically, such institutions may, post-Brexit, no longer be able to rely on the European passport regime, which enables them to conduct business on a cross-border basis without any other local licences. If they wish to continue conducting such business, they may need to consider relocating from the United Kingdom to another EU or EEA state.

2 Form and structure

2.1 What types of banks are typically found in your jurisdiction?

German banks and financial institutions are permitted to conduct all types of banking activities described in Section 1 of the Banking Act, if respectively licensed. Universal banks in Germany can be divided into three main types of institutions: commercial banks, public sector banks belonging to the savings bank sector and cooperative banks.

Commercial banks: Commercial banks are part of the private sector and can be further sub-divided into:

  • large nationwide (major) banks;
  • regional banks; and
  • other financial institutions, including the branch offices of foreign banks.

Commercial banks are corporations and mostly operate as universal banks. Other than their legal form and business aims, the principal difference in the types of universal banks is the number of legally independent institutions they have and the number of branch office locations.

In terms of total assets, the four major German commercial banks (Deutsche Bank AG, Commerzbank AG, UniCredit Bank AG and Deutsche Postbank AG) account for nearly 65%. This reflects their particular importance. Commercial banks are mainly privately owned and private shareholder representatives are members of the supervisory board. There are three large universal banks in Germany: Deutsche Bank AG, Commerzbank AG and HypoVereinsbank, which is owned and controlled by its Italian parent, UniCredit. In addition, there are a number of specialised institutions:

  • mortgage banks, which primarily focus on real estate finance;
  • auto and other consumer finance banks, which also compete for deposits;
  • securities banks, which have an emphasis on brokerage and custody;
  • subsidiaries and branches of foreign banking groups, with diverse business focuses; and
  • private banks with a concentration on asset management.

Cooperative banks: Cooperative banks are cooperative societies that carry out all types of banking and related services. A cooperative society is one in which the number of members is not fixed and which serves to promote the business or economic interests of its members through jointly owned business operations. Cooperative banks have become less member-centric, as they are now permitted to establish business relations with non-members. Since the repeal of the identity principle for lending transactions, they no longer have to restrict themselves to business with members, so they now differ very little from other universal banks. Still, in accordance with the Cooperative Societies Act, which applies to all German cooperative banks, they must promote the interests of their members. In contrast to commercial banks, maximising profits is not their highest priority. Cooperative banks have a different governance structure. The equity holders have equal voting rights independent from their equity share. At the end of 2018, there were 875 cooperative banks, with combined assets exceeding €934 billion and a market share of roughly 13%. To overcome any disadvantage of a fragmented structure, the cooperative banks had founded two cooperative central banks, DZ Bank and WGZ Bank, which merged in 2016. Following the merger, the cooperative sector has one large financial head institution, DZ Bank in Frankfurt, which provides services to its constituent institutions.

State-owned banks: The German banking sector also includes several large state-owned banks. The state banks (Landesbanken) are central institutions of the Savings Banks Finance Group (Sparkassen-Finanzgruppe). Following the privatisation of HSH Nordbank (renamed Hamburg Commercial Bank), which was completed in early 2019, only the much smaller SaarLB remained in the Landesbank sector, in addition to the four larger institutions: Landesbank Baden-Württemberg, Bayerische Landesbank, Landesbank Hessen-Thüringen and Norddeutsche Landesbank. This part of the German banking market has thus been reduced to five institutions.

In addition to the Landesbanken, there are several special purpose banks (eg, Kreditanstalt für Wiederaufbau, Landwirtschaftliche Rentenbank) which are directly or indirectly owned by the federal or state governments (with some exemptions).

Further, the public bank sector is characterised by around 380 savings banks (Sparkassen), which in most cases are owned by local municipalities or their countries. Savings banks are committed by their municipal ownership to serving their local region. Profits not needed to further strengthen their capital bases are used for the benefit of society. Rather than focusing on financial figures, savings banks concentrate on benefiting the welfare of the people and businesses in the areas they serve. Accordingly, the business policy of the savings banks focuses on sustainable economic growth and social development in their regions. For this reason, the business of the savings banks revolves around transactions centred on the real economy, instead of international financial markets. This commitment to the community does not mean that savings banks must forgo making a profit. Making a profit is not their main goal, but rather a means of fulfilling their public mandate. Savings banks do not engage in international banking business. They play an important role in offering banking services to Germany's population outside the larger cities, where private commercial banks are not keen to set up local branches.

2.2 How are these banks typically structured?

Banks are organised as either public owned banks or cooperative banks, or are corporations or partnerships. The most common private law legal forms for a bank or financial institution are stock corporations (Aktiengesellschaft (AGs)) and limited liability companies (Gesellschaft mit beschränkter Haftung (GmbHs)). The most significant difference between an AG and a GmbH is the internal governance structure. An AG has a largely independent management board, appointed by the supervisory board. The shareholders elect the supervisory board. Managing the day-to-day business of an AG is the exclusive duty of the management board. Neither the supervisory board nor the shareholders can give directions to the management board. However, the supervisory board can issue guidelines under which extraordinary transactions require its prior consent. Co-determination – that is, representation of employees on the supervisory board – is mandatory once an institution has more than 500 employees. In contrast, in a GmbH, the managers generally must follow shareholder directions. This makes the GmbH a more suitable instrument for a banking subsidiary of a larger group.

Some smaller private banks are limited partnerships or even general partnerships.

2.3 Are there any restrictions on foreign ownership of banks?

German law requires any person intending to acquire a qualifying holding in a bank or financial institution to notify the Federal Financial Supervisory Authority (BaFin) and the Deutsche Bundesbank. A ‘qualifying holding' is a direct or indirect holding in an undertaking that represents 10% or more of the capital or of the voting rights, or which makes it possible to exercise significant influence over the undertaking's management.

If the notification relates to a participation in a credit institution within the meaning of the Capital Requirements Regulation, BaFin itself does not decide on the intended acquisition, but instead prepares a draft decision and submits this draft to the European Central Bank (ECB), which makes the final decision. To implement standardised procedures for cooperation between the ECB and other national regulators, a central unit within BaFin was set up. Related amendments to the Ownership Control Regulation are expected.

Overall, there are no general restrictions and the ECB cannot refuse the acquisition of a qualifying holding in a German bank on the basis of the prospective acquirer's nationality. Acquisitions from some jurisdictions may be more difficult, particularly from countries where BaFin or the ECB has no established contacts with regulators/supervisory authorities. Prospective acquirers from jurisdictions that have a reputation for money laundering or tax avoidance may also find it difficult to obtain ECB approval. Under certain circumstances, BaFin or the ECB may object to the intended acquisition of a qualifying holding. This includes the assumption that:

  • the acquirer is not trustworthy;
  • the institution will not remain able to meet the requirements of supervision; or
  • a future managing director is not reliable or qualified.

2.4 Can banks with a foreign headquarters operate in your jurisdiction on the basis of their foreign licence?

Banks headquartered and licensed in the European Economic Area (EAA) can conduct regulated banking business in Germany without a German banking licence under the EU notification procedure, through a branch or on a cross-border basis.

Other foreign banks can either:

  • conduct banking business in Germany through a branch (which is, however, subject to the full licensing requirements); or
  • apply to BaFin for an exemption from the licensing requirements to provide cross-border services, provided that the bank is effectively supervised in its home country under internationally recognised standards.

3 Authorisation

3.1 What licences are required to provide banking services in your jurisdiction? What activities do they cover?

Generally, the European Central Bank (ECB) and the Federal Financial Supervisory Authority (BaFin) are responsible for banking licence applications. BaFin also supervises financial services and payment services that are not included in the definition of standard banking transactions. As the risk to financial stability and consumer protection varies depending on the specific type of activity that is subject to supervision, BaFin banking licence requirements differ accordingly. Of importance are reliable management, a sound business plan and compliance with anti-money laundering regulations and activity-specific compliance rules.

When the statutory requirements for the issuance of a German banking licence are met, the applicant has a legally enforceable right to be issued that licence. In this context, it will be up to BaFin to decide whether the details provided are sufficient to issue a licence under supervisory law. Where complex or innovative business models are concerned, many queries or clarifications may be necessary. Consequently, a great deal of care and accuracy should be applied when drafting the licence application, to avoid a lengthy procedure and ensure that the licence is received as quickly as possible. The banking licence, once granted, is a public law permit and belongs to the institution itself, and is not transferable as if it were a civil law right. In particular, a banking licence does not transfer to the surviving body in a merger by way of universal succession.

Any company which commences an activity requiring a licence without holding one takes a great risk. Such a company faces fines and even prosecution by the public prosecutor. Even if the infringement is due to negligence, prison sentences of up to three years can be imposed on the management. In addition, the company's business may be restricted or prohibited by formal decision of BaFin.

Since payment services have become subject to different rules following implementation of the EU Payment Services Directive, it has become more common to license specialised payment institutions. A universal bank with a comprehensive licence is also allowed to perform payment services as an ancillary business.

3.2 What requirements must be satisfied to obtain a licence?

Anyone wishing to conduct banking business in Germany requires a written permit from BaFin (Sections 32 and 33 of the Banking Act). To do so, certain requirements must be met. Some examples are outlined below:

  • When a new institution is created, a minimum initial capital must be proven, depending on the type of business that is intended. In the case of securities trading banks, for example, the required initial capital is at least €730,000; and in the case of deposit-taking banks, at least €5 million.
  • The institution must have at least two professionally qualified and reliable managers with joint responsibility for the institution. ‘Professional suitability' means that the person concerned has acquired sufficient theoretical knowledge and practical experience in his or her previous professional career. ‘Sufficient experience' generally means at least three years in a leading position at a bank of similar size and type. BaFin examines the suitability by using information from the Federal Central Register, the Transparency Register and the Commercial Register.
  • The application must include a three-year business plan, which BaFin and the ECB will carefully review for viability. Since most start-ups show losses in the first year or two, the ECB has published further guidance on how much capital it expects to be paid up in full at the time of authorisation and how much capital must be otherwise available (eg, capital commitments by the founding shareholders). In addition, for the first three years, BaFin will typically ask the ECB to set a minimum regulatory capital standard well above that for more mature institutions.
  • Every person holding a direct or indirect interest of 10% or more in a financial institution is subject to a reliability and financial soundness test. This is not an issue if the shareholder is a bank domiciled and regulated in another country with a reputable bank supervisory system. Things become more difficult if an acquirer or founder of a bank is from, for example, an emerging economy. In this case, BaFin requires a full personal record, with comprehensive information on the source of funds invested in the future German bank.

3.3 What is the procedure for obtaining a licence? How long does this typically take?

Timing and basis of decision: The time from filing the application to receipt of the licence is usually six to 18 months, in addition to the time taken to prepare the application. Where the new bank has a complex business plan or ownership structure – for example, through various holding companies – collecting information about direct and indirect shareholders and their individual directors can significantly extend the overall timeframe.

Cost and duration: The application for a BaFin licence is subject to a fee, the amount of which depends on the type of banking transactions or financial services applied for. In this respect, Section 14(1) and Section 17 b of the Financial Services Supervision Act and Section 2(1) of the Cost Ordinance, in conjunction with the attached schedule of fees, are decisive. According to these provisions, the fee for permission to provide financial services such as investment brokerage or financial portfolio management ranges between €5,045 and €10,725.

If the applicant additionally applies for a licence to conduct banking business (eg, a deposit or lending business), the fee ranges between €5,000 and €20,000 and may increase to up to €30,000. In any case, the fees may nonetheless be charged if the applicant withdraws its application for a licence or if BaFin issues a negative decision on the application. In addition to the application fee, legal fees for work incurred by lawyers advising on the application process can range between €75,000 and €150,000 (plus value added tax). While there is no end date for banking licences (and so renewal costs are not applicable), other costs for supervision by BaFin are applicable.

4 Regulatory capital and liquidity

4.1 How are banks typically funded in your jurisdiction?

The funding strategies of German banks have changed substantially as a result of the 2008 financial crash. Conceptually, commercial banks fund their balance sheets in layers, starting with a capital base comprising equity, subordinated debt and hybrids of the two, plus medium and long-term senior debt. The next layer consists of customer deposits, which are assumed to be stable in most circumstances, even though they can be requested with little or no notice. The final funding layer comprises various shorter-term liabilities, such as commercial paper, certificates of deposit, short-term bonds, repurchase agreements, swapped foreign exchange liabilities and wholesale deposits. This layer is managed on a dynamic basis, as its composition and maturity can change rapidly with cash-flow needs and market conditions. This funding structure is usually relatively stable.

The Federal Financial Supervisory Authority (BaFin) and Deutsche Bundesbank continue, on an ongoing basis, to monitor whether German banks have sufficient funds for the risks assumed from balance-sheet assets and off-balance-sheet transactions – for example, from claims, securities, derivatives or equity investments. In addition to default and market risks, operational risks must be backed by their own adequate funds. Institutions must also hold funds for the capital maintenance buffer, the countercyclical capital buffer and, if so ordered, for the capital buffer for systemic risks, the capital buffer for globally systemically important institutions and the capital buffer for institutions with other systemic relevance (Sections 10c to 10i of the Banking Act). This buffer may be ordered by BaFin for risks exposures located in Germany or in another non-European Economic Area state. Details regarding the calculation of risks and banks' own funds are set out in the Capital Requirements Regulation (CRR).

4.2 What minimum capital requirements apply to banks in your jurisdiction?

German banks must at all times meet at least a hard-core capital ratio of 4.5%, a core capital ratio of 6% and a total capital ratio of 8%. In addition, BaFin and the ECB check whether liquidity is sufficient – that is, whether the institutions invest their funds in such a way that sufficient solvency is guaranteed at all times (Section 11 of the Banking Act). As part of the supervisory review process (SRP), BaFin also monitors those risks that are not required to be backed by their own funds under the CRR (Section 6b of the Banking Act). The core elements of the SRP are the establishment of adequate risk management systems and their monitoring by the supervisory authority. For example, institutions must set up an internal capital adequacy assessment process, which ensures that they have sufficient internal capital to cover all material risks.

The enforcement of such capital adequacy guidelines falls within the supervisory mandate of the supervisory authorities. This means that BaFin, and/or the European Central Bank (ECB) can take measures to improve the institution's own funds and liquidity. Furthermore, in cases of danger (eg, if the discharge of an institution's obligations to its creditors is endangered), the authorities can take temporary measures to avert that danger. In particular, the authorities may issue instructions for the management of the institution's business or prohibit the acceptance of deposits, funds or securities from customers and the granting of loans.

4.3 What legal reserve requirements apply to banks in your jurisdiction?

The ECB requires German credit institutions to hold compulsory deposits on accounts with the Deutsche Bundesbank. These are called ‘minimum' or ‘required' reserves and the amount to be held by each institution is determined by its reserve base.

In order to determine an institution's reserve requirement, the reserve base is multiplied by the reserve ratio. The ECB applies a uniform positive reserve ratio to most of the balance-sheet items included in the reserve base. This reserve ratio was set at 2% at the start of Stage Three of European Economic and Monetary Union and was lowered to 1% from 18 January 2012. As noted above, the reserve requirement for each individual institution is calculated by applying the reserve ratio to the reserve base. Institutions must deduct a uniform lump-sum allowance of €100,000 from their reserve requirement. This allowance is designed to reduce the administrative costs arising from managing very small reserve requirements.

In order to meet their reserve requirements, German credit institutions must hold balances on their current accounts with the Deutsche Bundesbank. This means that compliance with minimum reserve requirements is determined on the basis of the average daily balances on the counterparties' reserve accounts over one reserve maintenance period. Data on the amount of required minimum reserves and their fulfilment is published in the statistical section of the Monthly Report of the Deutsche Bundesbank.

5 Supervision of banking groups

5.1 What requirements apply with regard to the supervision of banking groups in your jurisdiction?

The European Central Bank (ECB) and the Federal Financial Supervisory Authority (BaFin) supervise banking groups as well as individual institutions. A group generally falls under the jurisdiction of the ECB or BaFin if the parent undertaking:

  • is a credit institution incorporated in Germany; or
  • is a financial holding company or a mixed financial holding company, and both the holding company and the bank subsidiary are incorporated in Germany, or the holding company is incorporated in another EU member state and the German subsidiary is subject to consolidated supervision in accordance with the EU Capital Requirements Directive IV.

Requirements: The most important requirement is that the minimum regulatory capital standards also be maintained at group level. For this purpose, the regulatory capital and risk weighted assets of individual institutions and group members are consolidated. Although each institution in a group may be sufficiently capitalised, consolidation of group capital may produce a regulatory capital gap – in particular, if the group includes entities that are not subject to the same capital adequacy rules as banks on a solo basis, but that incur risks that need to be covered by the owned funds of the consolidated group.

The credit institution at the top of the group or, in the case of a group headed by a financial holding company or a mixed financial holding company, the largest subsidiary credit institution in the group is generally responsible to the supervisory authority for making sure that the group has sufficient regulatory capital.

Similar rules apply to financial conglomerates. These groups include financial institutions and insurance companies.

5.2 How are systemically important banks supervised in your jurisdiction?

Germany is part of the Single Supervisory Mechanism established in all EU member states. Its purpose is to centralise the prudential supervision of banks. In particular, the ECB:

  • directly supervises 117 institutions and banking groups in the European Union that are considered significant (including 21 German institutions and banking groups); and
  • supervises member states' regulatory authorities that directly supervise less significant institutions and banking groups.

In Germany, the day-to-day supervision is conducted by joint supervisory teams, which comprise staff from both BaFin and the ECB. BaFin continues to conduct the direct supervision of less significant institutions, around 3,500 entities, subject to the oversight of the ECB. The ECB can also take on the direct supervision of less significant institutions if this is necessary to ensure the consistent application of high supervisory standards. The ECB is also involved in the supervision of cross-border institutions and groups, either as a home supervisor or a host supervisor in colleges of supervisors. Moreover, the ECB participates in the supplementary supervision of financial conglomerates in relation to the credit institutions included in a conglomerate and assumes the responsibilities of the coordinator referred to in the Financial Conglomerates Directive.

5.3 What is the role of the central bank?

The German national central bank is the Deutsche Bundesbank. In banking supervision, the Deutsche Bundesbank works in close cooperation with BaFin and the ECB. Because of its role in the EU System of Central Banks, the EU system and its participation in the EU payment system TARGET2, it has genuine access to large amounts of data relating to banks. In addition, regular reporting by the financial sector is addressed by the Deutsche Bundesbank, which performs a quantitative analysis of a financial institution's figures. If a problem occurs, the Deutsche Bundesbank will promptly involve BaFin.

6 Activities

6.1 What specific regulations apply to the following banking activities in your jurisdiction: (a) Mortgage lending? (b) Consumer credit? (c) Investment services? and (d) Payment services and e-money?

(a) Mortgage lending?

The European Mortgage Credit Directive (MCD) of 4 February 2014 was transposed into German law through the Act Implementing the MCD as at 21 March 2016. To ensure the protection of consumers raising real estate loans, a large number of requirements have been set out across different pieces of legislation, in particular in the Civil Code and the Introductory Act to the Civil Code. Other changes can also be found in the Business Code, the Payment Services Oversight Act, the Insurance Supervision Act and the Banking Act.

A new Section 18a has been added to the Banking Act, which specifies a large number of obligations that banks must meet when granting consumer real estate loans. They include, in particular, requirements in terms of:

  • (pre-)contractual information obligations;
  • the assessment of creditworthiness;
  • the independence of appraisers from the lending process; and
  • adequate qualifications of bank employees who work in lending.

The Federal Financial Supervisory Authority (BaFin) has set out the requirements for the qualifications and expertise of internal and external employees in dedicated regulations.

The new provisions of the MCD Directive led to uncertainty at the credit institutions, especially in relation to the creditworthiness assessment. For this reason, the legislature is planning to specify the requirements in greater detail.

(b) Consumer credit?

Unlike many other jurisdictions, lending in Germany is generally a regulated activity that requires a banking licence pursuant to Section 1 of the Banking Act if performed commercially or in a manner requiring a commercial business organisation. The licensing requirement applies irrespective of whether loans are granted to consumers or to non-consumers. According to the administrative practice of BaFin, the licensing requirement also applies to lenders domiciled abroad if they actively approach borrowers domiciled in Germany to grant loans. Not only the granting of a new loan, but also the mere restructuring of a loan that has been acquired from the original lender (eg, by extending maturity and/or adjusting interest rates), may qualify as lending activity requiring a banking licence.

(c) Investment services?

The definition of what are deemed ‘investment services' (part of financial services) is set out in Section 1(1a), sentence 2, numbers 1 to 12, sentences 3 and 4 of the Banking Act. Accordingly, financial services comprise the following:

  • Number 1: The brokering of business involving the purchase and sale of financial instruments (investment broking);
  • Number 1a: Providing customers or their representatives with personal recommendations in respect of transactions relating to certain financial instruments where the recommendation is based on an evaluation of the investor's personal circumstances or is presented as being suitable for the investor and is not provided exclusively via information distribution channels or for the general public (investment advice);
  • Number 1b: Operating a multilateral facility, which brings together the interests of a large number of persons in the purchase and sale of financial instruments within the facility according to set rules in a way that results in a purchase agreement for these financial instruments (operation of a multilateral trading facility);
  • Number 1c: The placing of financial instruments without a firm commitment basis (placement business);
  • Number 2: The purchase and sale of financial instruments on behalf of and for the account of others (contract broking);
  • Number 3: The management of individual portfolios of financial instruments for others on a discretionary basis (portfolio management);
  • Number 4: Property trading:
    • continuously offering to purchase or sell financial instruments at self-determined prices in an organised market or a multilateral trading facility;
    • frequent organised and systematic conduct of trading for its own account outside of an organised market or a multilateral trading facility, by providing a system accessible to third parties in order to conduct business transactions with them;
    • the purchase or sale of financial instruments for its own account as a service for others; or
    • the purchase or sale of financial instruments for own account as a direct or indirect participant in a domestic organised market or multilateral trading facility by means of a high-frequency algorithmic trading strategy that is characterised by the use of:
      • an infrastructure for minimising network latencies and other delays in order transmission (latencies), which includes at least one of the following devices for the input of algorithmic orders: collocation, proximity hosting or high-speed direct electronic access;
      • the ability of the system to initiate, generate, transmit or execute an order without human intervention within the meaning of Article 18 of Commission Delegate Regulation (EU) 2017/565 of 25 April 2016 supplementing Directive 2014/65/EU of the European Parliament and of the Council as regards organisational requirements and operating conditions for investment firms and defined terms for the purposes of that Directive (OJ L 87, 31 March 2017, p 1), as amended; and
      • a high volume of intraday notifications within the meaning of Article 19 of Delegate Regulation (EU) 2017/565 in the form of orders, course details or cancellations;
  • Number 5: The brokering of deposit business with undertakings domiciled outside the European Economic Area (EEA) (non-EEA deposit broking); and
  • Number 7: Dealing in foreign notes and coins (foreign currency dealing).

7 Reporting, organisational requirements, governance and risk management

7.1 What key reporting and disclosure requirements apply to banks in your jurisdiction?

Banking supervisory law – in particular, the Ordinance on Notification – sets out a number of corporate governance rules, including the following:

  • Committees must be established in an institution's supervisory board;
  • Managing directors must fulfil their roles and personal tasks;
  • Specialised internal functions must be established, such as compliance, risk control and internal audit;
  • In addition to institutions' annual reports, one of the banking supervisors' main sources of information is the audit reports, which external auditors or audit associations produce as part of their auditing of the annual reports;

Institutions must regularly file condensed balance sheets, from which the major balance-sheet items, risk positions and changes thereto can be identified;

  • Institutions must also report major changes, such as net losses of 25% of the equity capital as defined under the Capital Requirements Regulation or changes in the management board, in their domestic and foreign branch networks or in holdings of more than 10%. They must also report their large exposures and loans of €1 million or more; and
  • Investment services enterprises, trading venue operators (including operators of multilateral and organised trading facilities), German central counterparties and subsidiaries are obliged since 3 January 2018 under the Markets in Financial Instruments Directive (2014/65/EU- MiFIR II) and the Regulation (EU) 600/2014 (MiFIR) to notify BaFin of all on-exchange and off-exchange dealings in financial instruments, such as securities and derivatives. MiFID II and MiFIR ensure fairer, safer and more efficient markets and facilitate greater transparency for all participants. The protection of investors is strengthened through the introduction of new requirements on product governance and independent investment advice, the extension of existing rules to structured deposits, and the improvement of requirements in several areas, including on the responsibility of management bodies, inducements, information and reporting to clients, cross-selling, remuneration of staff, and best execution.

BaFin has adapted its minimum requirements for the compliance function (MaComp) to the amendments of MiFID II and published the amendment in March 2018. BaFin has also adapted existing modules and added new modules by which it has implemented ESMA guidelines under Article 16 ESMA Regulation (ESMA-VO). All modules have been adapted in terms of language and content to the new legal bases in the German Securities Trading Act and Delegate Regulation (EU) 2017/565.

7.2 What key organisational and governance requirements apply to banks in your jurisdiction?

The Capital Requirements Directive IV (CRD IV) stipulates guidelines for corporate governance principles for institutions in accordance with Article 3. Furthermore, in Recital 54 of the CRD IV the legislature sets out specific principles. The effective implementation of these corporate governance principles requires the assistance of legal, regulatory and institutional frameworks. Such guidelines tend to guide the actions of the senior leadership of a diverse range of banks in a number of countries with varying legal and regulatory systems. However, there are significant differences in the legislative and regulatory frameworks across countries, which may restrict the application of certain principles or provisions therein.

In Germany, some of these corporate governance principles have already been implemented into German law. First, Section 25a of the Banking Act addresses special organisational duties in relation to the institutions to which the Banking Act applies (eg, credit institutions and financial services institutions). Section 25a(1) of the Banking Act stipulates that an institution must have a proper business organisation which ensures compliance with the legal provisions to be adhered to by the institution. According to Section 25a(1) of the Banking Act , a proper business organisation comprises, in particular, appropriate and effective risk management, on the basis of which an institution must continuously ensure its risk tolerance.

Second, Sections 25c and 25d of the Banking Act extend such duties to the managing directors and the supervisory body of an institution: the managing directors of an institution must be professionally qualified and reliable, and devote sufficient time to the performance of their duties. Members of the management must have adequate theoretical and practical knowledge of the business concerned, as well as managerial experience. Section 25c of the Banking Act also states that, with a view to their overall responsibility for the proper business organisation of the institution according to Section 25a of the Banking Act, the managing directors of an institution must ensure that the institution has the statutory strategies, processes, procedures, functions and concepts in place. According to Section 25d of the Banking Act, the members of the administrative or supervisory body must:

  • be reliable;
  • have the expertise required to exercise the control function and assess and supervise the business conducted by the institution; and
  • devote sufficient time to the performance of their duties.

Such rules of conduct and organisational requirements are especially important for investor protection and for properly functioning financial markets. Rules of conduct lay down minimum standards for investment services in order to avoid conflicts of interest between clients, investment services enterprises and their employees, and to prevent investors from being disadvantaged as a result.

7.3 What key risk management requirements apply to banks in your jurisdiction?

The requirements are based on guidelines issued by BaFin relating to the Minimum Requirements for Risk Management (MaRisk). MaRisk provides a comprehensive framework for the management of all significant risks based on Section 25a of the Banking Act, which governs the organisational requirements for institutions regarding internal risk management. MaRisk provide a principles-based framework that gives institutions the flexibility to implement solutions individually. Moreover, MaRisk contains clauses which ensure that smaller institutions can also comply with the requirements in a flexible way.

MaRisk has a modular structure. The General Section (AT modules) contains basic requirements for internal risk management, including outsourcing standards. Special requirements regarding the organisation of the internal control system for particular types of business and types of risk, and the organisation of the internal audit function, are set out in the Special Section (BT modules). MaRisk has undergone several revisions due to recent developments and international regulatory initiatives. BaFin has published the current valid version as Circular 09/2017 (BA) . MaRisk addresses a variety of issues on controlling business and organisational risks of financial institutions. These include the responsibility of management to:

  • develop a risk management system suitable to identify and control risks;
  • meet the requirements of appropriate staff resources;
  • install internal controls;
  • meet organisational requirements for lending and trading business;
  • identify and address market, liquidity and operational risks; and
  • ensure basic specifications for the compliance function, the risk control function and the internal audit function.

MaRisk specifies the more general risk management standards set out in Section 25a of the Banking Act. Compliance with MaRisk is subject to the external audit. Any material deficiencies exposed by the audit report can lead to BaFin requiring corrective measures or imposing sanctions.

Like MaRisk, the Banking Supervisory Requirements for IT (Bankaufsichtliche Anforderungen an die IT (BAIT)) specifies the statutory requirements laid down in Section 25a of the Banking Act. BAIT describes what BaFin considers to be suitable technical and organisational resources for IT systems, with particular regard to information security and suitable contingency plans. As institutions are increasingly obtaining IT services from third parties, including as part of outsourcing arrangements, BAIT also set out the requirements for the external procurement of IT services.

7.4 What are the requirements for internal and external audit in your jurisdiction?

Internal audit is part of the ongoing monitoring of the bank's system of internal controls and of its internal capital assessment procedure. As such, the internal audit function assists senior management and the board of directors in the efficient and effective discharge of their responsibilities. The scope of internal audit activities should include the examination and evaluation of the effectiveness of the internal control, risk management and governance systems and processes of the entire bank, including the organisation's outsourced activities and its subsidiaries and branches. The internal audit function should independently evaluate:

  • the effectiveness and efficiency of internal control, risk management and governance systems in the context of both current and potential future risks;
  • the reliability, effectiveness and integrity of management information systems and processes (including relevance, accuracy, completeness, availability, confidentiality and comprehensiveness of data);
  • the monitoring of compliance with laws and regulations, including any requirements from supervisors; and
  • the safeguarding of assets.

The head of internal audit is responsible for establishing an annual internal audit plan that can be part of a multi-year plan. The plan should be based on a robust risk assessment (including input from senior management and the board), and should be updated at least annually (or more frequently to enable an ongoing real-time assessment). The board's approval of the audit plan implies that an appropriate budget will be available to support the internal audit function's activities. The budget should be sufficiently flexible to adapt to variations in the internal audit plan in response to changes in the bank's risk profile.

Together with the Deutsche Bundesbank, BaFin produces a risk profile for each less significant institution (LSI) – that is, the credit institutions it supervises directly. BaFin updates the risk profile of each of these LSIs at least once a year. It uses the risk profile of an individual LSI to determine how closely it supervises the institution. In addition to the findings of the audit report for the annual financial statements, current risk analyses and knowledge obtained from special audits and requests for information are included in the assessment.

BaFin allocates each institution to a risk class on the basis of its risk profile. This risk classification is based on the quality of the institution and potential impact of a solvency or liquidity crisis of the institution on the stability of the financial sector. In comparison with 2016, there have been only marginal changes in the allocations to the individual risk classes – while the quality of the institutions showed a slight downward trend, their impact increased slightly.

8 Senior management

8.1 What requirements apply with regard to the management structure of banks in your jurisdiction?

The Banking Act imposes stringent requirements regarding the qualifications of management board members. The bank or financial institution must provide to the Federal Financial Supervisory Authority (BaFin):

  • the names of the senior managers (Section 32(1), sentence 2, number 2 of the Banking Act);
  • all information required to assess the trustworthiness of the applicants and of the senior managers (Section 1(2), sentence 1 and Section 32(1), sentence 2, number 3 of the Banking Act). For this purpose, the following are required from each applicant or senior manager:
    • the form "Disclosures relating to the reliability of designated managers";
    • an excerpt from the Federal Business Record Register if they were or are self-employed or if, in the course of their professional activities, they were or are the authorised representative of a businessperson or charged with managing a business or the manager of any other commercial enterprise; and
    • a "criminal record check for submission to an authority" or "European criminal record check for submission to an authority" or equivalent documents from another country; and
  • the information required to assess the professional qualifications of the proprietors and the senior managers (Section 32(1), sentence 2, number 4 of the Banking Act). Each proprietor and senior manager should submit (along with the references from any employment relationship that has ended within the last three years) a complete, signed CV containing all given names, name at birth, date and place of birth, home address and nationality, as well as a detailed description of relevant education and training, the names of all undertakings for which the manager/proprietor has worked and details of the nature and duration (in months and years) of the functions performed there, particularly with relevance to the business for which authorisation is being sought, including any secondary activities, except for those performed in an honorary capacity. When describing the nature of the functions performed, in particular, the powers of representation, internal decision-making authority and the divisions within the undertaking overseen by the manager/proprietor must be specified.

8.2 How are directors and senior executives appointed and removed? What selection criteria apply in this regard?

According to Section 24(1) number 1 of the Banking Act, the institution must notify BaFin and the Deutsche Bundesbank, without delay, of its intention to appoint a (managing) director or to confer sole power on a person to represent the institution. In addition, facts that are essential for assessing the reliability, professional competence and availability of time to perform the duties in question must be provided. Further, pursuant to Section 24(1) number2 of the Banking Act. the institute must notify BaFin and the Deutsche Bundesbank, without delay, of the resignation of a (managing) director and the withdrawal of the sole power to represent the institution across its entire business area.

8.3 What are the legal duties of bank directors and senior executives?

According to Section 25a(1), sentence 2 of the Banking Act, the directors are responsible for the implementation, establishment, maintenance and further development of proper business organisation. All managers are jointly responsible for compliance with the requirements of Section 25a of the Banking Act. The combined responsibility of the managers for the organisation of the bank is also defined in Section AT 3 of the Minimum Requirements for Risk Management (Mindestanforderungen für das Risikomanagement 2012 AT 3, p. 4).

A specially appointed director is responsible for:

  • providing a regular overview of the overall risk profile and definition of the business and risk strategy;
  • reporting on the risk situation to the management; and
  • reporting to the supervisory board any instances of serious misconduct.

8.4 How is executive compensation in the banking sector regulated in your jurisdiction?

In accordance with Section 25a(1), sentence 3, number 6 of the Banking Act, the remuneration systems for managers and staff should be appropriate and transparent, and geared towards the sustainable development of the institution. In accordance with Section 25a(5) of the Banking Act, the variable and fixed remuneration of employees and managing directors must be appropriately proportioned and balanced. Furthermore, the variable remuneration must not exceed 100% of the fixed remuneration, although an exception in Section 25a(5), sentence 5 of the Banking Act permits the ratio to be increased to a maximum of 200%.

9 Change of control and transfers of banking business

9.1 How are the assets and liabilities of banks typically transferred in your jurisdiction?

In Germany, shareholder control procedures apply to banks and financial institutions. They allow the Federal Financial Supervisory Authority (BaFin), working with the European Central Bank (ECB), to assess in advance the suitability of potential investors. The procedure applies to investors which, either individually or together with other persons or companies, wish to acquire a ‘significant holding' in a regulated German entity. A ‘significant holding' means a direct or indirect holding in an undertaking which represents 10% or more of the capital or of the voting rights, or a holding which makes it possible to exercise a significant influence over the management of that undertaking. Several investors acting in concert – that is, coordinating the exercise of their voting rights to influence a target – can also reach the 10% threshold. Persons or entities intending to acquire a significant holding, or to increase their holding to exceed 20%, 30% or 50% of the voting rights or capital, must notify this intention immediately to BaFin and the Deutsche Bundesbank. The first notification must be accompanied by a business plan, statements of reliability and further extensive information on the acquirer, its management, its investors and its group. The authorities have up to 90 working days to review the filings, which begins to run only once all required documentation has been submitted. In practice, this leaves the authorities with significant discretion as to when the 90-working-day period actually starts. While no formal approval of the acquisition by the authorities is required, authorities may, within the assessment period, prohibit the transaction. Thus, they have de facto a veto right.

Investors in all sorts of financial institutions should be aware that the shareholder control procedure is in many cases time consuming and onerous in terms of paperwork – in particular, if the target is a bank and the investor does not yet own a financial institution in the European Union. In the case of banks, authorities also sometimes use their veto power to require from investors certain guarantees that are not explicitly provided for by law, such as a certain capitalisation of the target bank. While the shareholder control procedure should therefore be taken very seriously and be prepared carefully, it should also be stressed that in the recent past it has been successfully completed by a number of investors other than traditional European banks. This shows that the authorities recognise that the German banking system can strongly benefit from outside investors and their financial strength. Although it is generally assumed that a veto by BaFin/the ECB would not make the acquisition of an interest in a financial institution invalid under civil law, such acquisition before clearance can qualify as an administrative offence which may be heavily sanctioned by BaFin or the ECB. Therefore, the lapse of the assessment period or a certificate of non-objection by BaFin will generally be agreed as a condition precedent to closing of a transaction.

The ECB can prohibit the acquisition of a significant holding in a German credit institution only if any of the following conditions are met:

  • The prospective acquirer is considered unsuitable to be a major shareholder in a financial institution;
  • The institution would no longer be able to comply with its regulatory obligations;
  • The institution would become a subsidiary of a foreign institution whose regulator does not cooperate with BaFin or the ECB;
  • The future management would be unreliable;
  • There are reasonable grounds to suspect that money laundering or terrorism financing is being conducted through the institution, or the acquisition would increase the risk of this; or
  • The prospective investor cannot provide financial support to the institution when needed.

During their review of a notification, BaFin and the ECB will investigate the ultimate purchaser(s) as well as any intermediate holding companies and their management. Further, BaFin and the ECB will require evidence of the source of funds used for the acquisition, to combat money laundering. Compliance with these regulatory requirements generally involves long-term planning and careful preparation.

An asset deal allows the purchasers to select the assets (and liabilities) which they want to buy. However, the purchaser must ensure that the purchasing entity possesses a BaFin issued licence, which is required to conduct the purchased business at the time of the closing. If entire agreements are to be transferred, including outstanding obligations of the seller, the contracting party must approve of the transfer.

The advantage of a share deal in comparison to an asset deal is that the licence of the target entity remains unaffected – that is, an entity with an existing licence will be acquired. The purchaser must, however, undergo the shareholder control procedure(s), as described above. All agreements of the target generally also remain unaffected. However, agreements can contain change-of-control clauses, which can lead to their termination or to termination rights. This is particularly relevant for financing agreements and must be thoroughly analysed in the legal due diligence.

9.2 What requirements must be met in the event of a change of control?

German law requires any person that intends to acquire a qualifying holding in an institution to notify BaFin and Deutsche Bundesbank, without undue delay, of its intention. A ‘qualifying holding' is a direct or indirect holding in an undertaking that represents 10% or more of the capital or of the voting rights, or which makes it possible to exercise significant influence over the management of that undertaking.

If the notification relates to a participation in a credit institution within the meaning of the Capital Requirements Regulation, BaFin does not decide on the intended acquisition itself, but instead prepares a draft decision and submits this draft to the ECB, which is responsible for taking the final decision. In order to implement standardised procedures for cooperation with the ECB and other national regulators involved in cross-border transactions, a central unit within BaFin has been established.

Besides the regulatory ownership control procedure, it may be necessary under the Foreign Trade Regulation to file an application for approval with the Federal Ministry for Economic Affairs and Energy (BMWi) if an investor from a non-EU state intends to acquire, directly or indirectly, 25% of the voting rights in an institution that engages in critical infrastructure such as payment systems, cash supply, insurance business or settlement and clearing of securities. In December 2018 the BMWi significantly tightened the notification requirements for the acquisition of a company that operates ‘critical infrastructure' by purchasers from third-party countries. A reporting obligation already applies to the acquisition of 10% of the voting rights, instead of the above-mentioned 25%. In other cases, it is possible to seek the BMWi's approval on a voluntary basis. This may make sense since the BMWi can object to transactions (and order the reversal of transactions) or impose certain restrictions if there is a threat to public policy or public security.

As with all EU banks, German banks are obliged to secure deposits by way of membership in a statutory deposit guarantee scheme (see question 10.2). The statutory deposit protection scheme guarantees the deposits of (most) customers up to an amount of €100,000. From the purchaser's point of view, it is advisable that the purchase agreement provides approval of the Federal Association of German Banks to the continued membership of the target in the statutory deposit guarantee scheme as a condition precedent to the closing of the transaction.

10 Consumer protection

10.1 What requirements must banks comply with to protect consumers in your jurisdiction?

Since the Retail Investor Protection Act came into force, collective consumer protection has been part of the supervisory objective of the Federal Financial Supervisory Authority (BaFin). Collective consumer protection means that BaFin protects consumers as a whole. By contrast, the protection of individual consumer interests is the task of ombudsmen, dispute resolution entities and the courts.

In order to manage collective consumer protection efficiently and effectively, BaFin has modified its organisational structure. At the turn of 2016, the new Consumer Protection Department commenced operations, with a total of seven divisions. Although it is part of the Securities Supervision Directorate in Frankfurt am Main, its focus is not on investor protection, but rather on all topics relevant to consumer protection which are within the remit of BaFin. This means that it also deals with the protection of bank customers and insureds. The department is divided between BaFin locations in Frankfurt am Main and Bonn.

BaFin endeavours to ensure that the range of financial products, insurance products and financial services on offer is transparent and comprehensible. The aim is to ensure that consumers are in a position where they can understand the functioning and risks of products and services, and can evaluate their actual costs correctly. The content and form of the information made available by providers – whether it is legally required or voluntary – must be designed in such a way that the information satisfies the needs and knowledge requirements of consumers. Only then can consumers keep pace with the informational advantage that providers enjoy.

BaFin can issue orders on the basis of Section 4(1a) of the Act Establishing the Federal Financial Supervisory Authority in order to prevent or rectify irregularities if it becomes apparent that a general clarification is advisable in the interests of consumer protection. On the basis of the new Section 15 of the Securities Trading Act, BaFin can even restrict or prohibit certain sales practices and the sale of products in serious cases – specifically, if investor protection or the functioning or integrity of the financial markets is jeopardised.

10.2 How are deposits protected in your jurisdiction?

The Deposit Protection Fund (DPF) of the Association of German Banks secures the deposits of every customer at the private commercial banks up to a ceiling of 15% of the relevant liable capital of the respective bank as at the date of the last published annual financial statements. The minimum equity capital of a bank in Germany is €5 million. In this case, €750,000 per customer will be protected. From 1 January 2025, this figure will change to 8.75% of the liable capital of the bank relevant for deposit protection. There is one exception: the protection ceiling for banks joining the scheme is in principle only €250,000 up to the end of the third calendar year of their participation in the DPF.

The protection extends to all deposits held by ‘non-banking institutions' – that is, deposits held by private individuals, business enterprises and public bodies. The deposits protected are, for the main part, demand, term and savings deposits and registered savings certificates. Liabilities in respect of which bearer instruments such as bearer bonds and bearer certificates of deposits have been issued by a bank are not protected. For almost all depositors, this protection concept means virtually full protection for all deposits at private commercial banks. If a bank ceases to participate in the DPF, there are provisions for depositors to be informed in good time so that arrangements can be made while still enjoying deposit protection. Furthermore, deposits are protected until the next due date – that is, possibly well beyond the date on which a bank's participation in the fund ends.

Alongside the DPF, there exists a statutory deposit protection scheme, the Compensation Scheme of German Banks (Entschädigungseinrichtung deutscher Banken (EdB)), which was set up in 1998. The EdB performs the tasks of the compensation scheme required under the German Deposit Guarantee Act in relation to private commercial banks and private building and loan associations. The protection provided by the EdB is limited to €100,000 per depositor. The DPF only covers deposits and depositors if and to the extent that the EdB does not already cover them.

11 Data security and cybersecurity

11.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for banks?

The applicable data protection regime for banks is based on the Banking Act, General Data Protection Regulation (GDPR), the German Data Protection Act and the Payment Services Oversight Act regarding bank account information. The GDPR stipulates in very concrete terms how the collection, selection, archiving and processing of personal data is to be carried out. In addition, bank secrecy aspects apply.

11.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for banks?

The applicable data protection regime is the EU Cybersecurity Act and GDPR, especially Sections 32 and 33 of the GDPR. However, there are also special regulations for the banking sector, such as:

  • Section 25a(1), number 5 of the Banking Act, which requires an appropriate contingency plan for IT systems;
  • the minimum requirements for the security of internet payments of the Federal Financial Supervisory Authority; and
  • the banking supervisory requirements for IT supervision (see question 7.3).

12 Financial crime and banking secrecy

12.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for banks?

The German Money-Laundering Act governs money laundering. Additionally, Sections 54 to 60d of the Banking Act concern, for example, prohibited business transactions, acting without permission and breach of the obligation to notify the relevant authorities of insolvency or over indebtedness. The Federal Financial Supervisory Authority (BaFin) has published interpretative and application notes for the implementation of due diligence and internal safeguard measures to prevent money laundering. Depending on the gravity of the crime, BAFin may revoke required licences as a result of a violation of anti-money laundering provisions (Section 35(2), number 6 of the Banking Act). Furthermore, BaFin may demand the dismissal of the responsible managers and prohibit them from carrying out their activities at institutions organised as a legal person (Section 36(4) of the Banking Act).

12.2 Does banking secrecy apply in your jurisdiction?

The application of banking secrecy in the German jurisdiction depends on the field of law. In civil law or contract law, banking secrecy applies at least as a secondary obligation or as an obligation of consideration based on Section 311 or 241 of the Civil Code. However, in criminal law or tax law, banking secrecy does not (always) apply.

Under the Anti-Money Laundering Act the obliged banks are exempt from the reporting obligation if the reportable matter relates to information they received in the context of a client relationship subject to professional secrecy. However, the reporting obligation continues to exist if the obliged entity knows that the contracting party has used or is using the relationship for the purpose of money laundering or terrorist financing or another criminal offence.

With an enforcement and seizure order or search warrant, and in compliance with the principle of proportionality, the German Code of Criminal Procedure allows for breach of the secrecy obligation. The right of professional secrecy holders to refuse to testify in accordance with Section 53 of the code does not cover banks or their employees.

Section 30a of the German Fiscal Code protected bank customers until its abolition in 2017 by the German Tax (Combat) Avoidance Act. According to Section 93 of the Fiscal Code, the tax authorities must be provided with information required to establish facts that are relevant for taxation.

13 Competition

13.1 What specific challenges or concerns does the banking sector present from a competition perspective? Are there any pro-competition measures that are targeted specifically at banks?

The European Central Bank (ECB) can prohibit the acquisition of a qualifying holding in a German credit institution only if any of the following conditions are met:

  • The prospective acquirer is considered unsuitable to be a major shareholder in a financial institution;
  • The institution would no longer be able to comply with its regulatory obligations;
  • The institution would become a subsidiary of a foreign institution whose regulator does not cooperate with the Federal Financial Supervisory Authority (BaFin) or the ECB;
  • The future management would be unreliable;
  • There are reasonable grounds to suspect that money laundering or terrorism financing is being conducted through the institution, or the acquisition would the risk of this; or
  • The prospective investor cannot provide financial support to the institution when needed.

During their review of a notification, BaFin and the ECB will investigate the ultimate purchaser(s), as well as any intermediate holding companies and their management. Further, BaFin and the ECB will require evidence of the source of funds used for the acquisition, to combat money laundering. Compliance with these regulatory requirements generally involves long-term planning and careful preparation.

Non-financial organisations are not prevented from acquiring and owning banks in Germany. Similarly, German banks are generally allowed to acquire minority or controlling investments in other banks and non-financial organisations. However, qualifying holdings held by banks in undertakings outside the financial sector that exceed certain thresholds will receive a risk weight of 1.25% and thus must be fully funded with own funds of the institution to avoid contagion risk.

14 Recovery, resolution and liquidation

14.1 What options are available where banks are failing in your jurisdiction?

In 2014 the European Commission, the European Parliament and the EU member states reached agreement on a Single Resolution Mechanism (SRM) for all EU member states whose currency is the euro, including the establishment of a Single Resolution Fund (SRF) of up to €55 billion, to be raised from 2016 to 2023 through contributions by EU banks.

Germany was one of the first countries to introduce a recovery and resolution regime into its regulatory framework. The Banking Act was changed with the implementation of Directive 2014/59/EU on Bank Recovery and Resolution (BRRD) as of 1 January 2015, and the entry into force of the SRM as of 1 January 2016. The centrepieces of the new resolution regime for banks are the SRM Regulation and the Act on the Recovery and Resolution of Institutions and Financial Groups. The regime has two major parts: recovery planning and resolution planning, and the actual resolution of a bank that is failing or likely to fail. Resolution planning and taking resolution decisions fall within the decision power of specific resolution authorities as part of the SRM. In the SRM, similar to the Single Supervisory Mechanism, competencies and tasks are shared between the Single Resolution Board (SRB), an EU authority, and national resolution authorities of the EU member states participating in the SRM. The SRB is competent for resolution planning and actual resolution of all banks that are directly supervised by the ECB because they are deemed significant. When a bank is failing or likely to fail, and to avoid a bail-out, the SRB and the Federal Financial Supervisory Authority (BaFin) can use resolution tools to restructure the bank and safeguard public interest, through ensuring the continuity of the bank's critical functions and financial stability while incurring minimal costs for taxpayers.

The core resolution tool is the bail-in tool, by which a bank's equity, debt instruments and other unsecured liabilities can be written down, including to zero, or converted into new equity, in order that shareholders and creditors participate in the losses and the recapitalisation of the bank. To be prepared for a bail-in, banks must have a sufficient amount of unsecured liabilities that can be bailed-in during times of crisis (minimum requirement for own funds and eligible liabilities). International recognition of resolution measures remains a critical issue. To minimise the risk of non-recognition, German institutions must include a clause in contracts governing their liabilities by which the creditor recognises that the liability is subject to the bail-in tool if the liability is governed by the laws of non-EU country.

International cooperation between resolution authorities in the Eurozone is organised within the SRM. With certain non-EU resolution authorities, the SRB concluded bilateral resolution cooperation arrangements, which provide a basis for the exchange of information and cooperation in resolution planning and in the implementation of resolution measures.

14.2 What insolvency and liquidation regime applies to banks in your jurisdiction?

If an institution becomes insolvent or overindebted, the managing directors must report this and submit informative documentation to BaFin without undue delay. The Act on the Recovery and Resolution of Institutions and Financial Groups transposes the BRRD into German law. The act provides for detailed provisions regarding the recovery and resolution of banks.

Pursuant to Section 12 of the Act on the Recovery and Resolution of Institutions and Financial Groups, institutions are obliged to prepare a recovery plan once the supervisory authority has asked them to do so. The time limit for the preparation of the recovery plans may not exceed six months. However, an institution may apply for an extension of up to six months. The recovery plans must contain the measures that will ensure or restore the financial stability in case of a crisis. The act provides a detailed description of the content of these plans. The aim of such recovery plans is to give an institution the tool for handling a crisis through its own efforts. In doing so, the resolution of institutions right from the outset may be avoided. BaFin assesses institutions' recovery plans and suggests improvements thereto. Where plans do not meet the requirements under the Act on the Recovery and Resolution of Institutions and Financial Groups, BaFin can request a revised recovery plan.

Another key section of the Act on the Recovery and Resolution of Institutions and Financial Groups covers the resolution of institutions and financial groups. Pursuant to Section 62, certain conditions must be fulfilled in order to implement resolution measures. One condition, for example, is that the institution is failing or is likely to fail. An institution is deemed to be failing if:

  • it breaches the requirements associated with the Banking Act in a way that would justify the suspension of a licence by BaFin;
  • its assets are below the level of its liability; or
  • it is overindebted.

Another condition is that the measure is in the public interest and that the failure of the institution cannot be equally prevented by other means within the available timeframe. Once these conditions are met, resolution measures can be implemented. There are four resolution measures: sale of business, transfer to a bridge institution, asset separation and bail-in.

15 Trends and predictions

15.1 How would you describe the current banking landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

The German banking market has proved to be fundamentally consistent and Deutsche Bank once again leads the top 10 banks, followed by DZ Bank, which maintained this position after a merger with WGZ Bank in July 2016. Apart from Commerzbank, which is ranked fourth, the top tier of the German banking industry is dominated by German branches of large international banks (UniCredit Bank, ING-DiBa), development banks (KfW Group, NRW Bank) and state banks (Landesbank Baden-Württemberg, Bayerische Landesbank, Landesbank Hessen-Thüringen, Norddeutsche Landesbank).

Most cooperative institutions are Volks- and Raiffeisenbank institutions. The consolidation in the industry has led to a continuous reduction in the number of such institutions. The consolidation is somewhat stronger in terms of numbers than in the savings bank sector (Sparkassen). From an asset perspective, a trend towards the formation of larger institutions can be recognised in this banking group. For comparison: the average total assets in the cooperative banking sector amount to approximately €1 billion, whereas those in the savings banks sector amount to around €3.3 billion.

New rules and regulations include the following:

  • Amendments to the German Placement Agent Regulation will come into force in August 2020. The regulation is relevant for all financial investment brokers and fee-based financial investment advisers. They will become subject to the Banking Act and the Federal Financial Supervisory Authority (BaFin) will become the supervisory authority.
  • The Act Implementing the Amending Directive on the Fourth EU Anti-Money Laundering Directive came into force in January 2020. Members of the public are no longer obliged to prove a legitimate interest in order to access information regarding ultimate beneficial owners in the German Transparency Register. Increased due diligence requirements for high-risk countries apply.
  • A new regulation for investment screenings in the European Union, including a framework regulation for foreign investment screenings by EU member states, was adopted in March 2019. It will be directly applicable as of October 2020 and a further reform of the German provisions is expected as part of its implementation.
  • Since November 2019, there has been new momentum to establish a European Deposit Insurance Scheme. It has been suggested the different performance of national deposit guarantee schemes could be offset by a European reinsurance system. It is likely that Germany will push for a compromise during its upcoming European Council presidency in the second half of 2020.
  • Although they have been applicable since 2019, further Delegated Regulations (eg, on transparency requirements for originators, sponsors and securitisation special purpose entities) are expected to be published in relation to the Securitisation Regulation during the course of 2020.
  • BaFin has published the outstanding Module C of the new edition of the Issuer Guidelines for German and foreign issuers whose securities are admitted to trading on a German stock exchange. The new Module C reflects the changes brought into force by the Market Abuse Regulation.

15.2 Does your jurisdiction regulate cryptocurrencies? Are there any legislative developments with respect to cryptocurrencies or fintech in general?

The Act Implementing the Amending Directive on the Fourth EU Anti-Money Laundering Directive has incorporated crypto-custody business into the regime of the Banking Act as a new financial service. As of 1 January 2020, when this statute entered into force, companies seeking to provide such services require prior authorisation from BaFin. However, the law includes transitional provisions for companies that conducted such business before the law took effect – that is, before such business activities became subject to authorisation requirements. BaFin provides potential institutions with information on the legal situation with regard to the crypto-custody business and its website is updated on an ongoing basis.

16 Tips and traps

16.1 What are your top tips for banking entities operating in your jurisdiction and what potential issues would you highlight?

The European Parliament passed a legislative package for amendments to the Capital Requirements Regulation (CRR) and the Capital Requirements Directive IV (CRD IV), as well as Directive 2014/59/EU on Bank Recovery and Resolution (BRRD) and the Single Resolution Mechanism, in April 2019. The legislation package aims to eliminate certain weaknesses identified in the banking regulation system, while taking into account the role that banks play in the economy. It includes measures agreed by the Basel Committee on Banking Supervision (BCBS) and the Financial Stability Board.

Among the amendments is a binding advantage ratio of 3% for all institutions that fall within the scope of the CRD IV, with adjustments being possible under specific circumstances. A requirement for stable funding based on the ratio of an institution's stable funding to the required stable funding over a one-year period (net stable funding ratio) is introduced, in order to prevent institutions from relying on excessive amounts of short-term wholesale funding to finance long-term activities. This requirement will become effective from 28 June 2021. The rules for calculating the capital requirements for market risk, which are applicable to trading book positions, will be amended as from 28 June 2023 to reflect more accurately the actual risk to which banks are exposed. However, to allow for a more proportionate solution, there are derogations for banks with small trading books and a simplified standardised approach for medium-sized banks. Furthermore, the European Commission's implementing power is replaced by a delegated power, enabling the commission to exempt entities from the CRD where certain conditions are fulfilled and to decide on whether such institutions fall within the scope of the CRD or CRR again once these criteria are no longer fulfilled.

To improve the effectiveness of resolution and to protect public funds, global systemically important banks are now required to hold sufficient amounts of capital and other instruments that absorb losses in case of a resolution (total loss-absorbing capacity). Moreover, the package provides for an EU harmonised approach to a bank creditor's insolvency ranking. To this end, a new statutory category of unsecured debt that ranks just below the most senior debt and other senior liabilities is introduced. BRRD II also includes a moratorium tool that enables the suspension of certain contractual obligations for a short period. Several changes are intended to enhance proportionality (ie, small institutions will be subject to less frequent and less extensive reporting and disclosure requirements).

Further, the Brexit referendum result of June 2016 could have potentially significant implications for the financial sector in Germany. As it stands, EU-UK negotiations may result in a so-called ‘hard Brexit'. Supervised credit institutions and financial services firms that are located in the United Kingdom must be prepared for the possibility that they will no longer be able to conduct regulated business in other EU or EEA member states from the United Kingdom in future. Specifically, post-Brexit, such institutions may no longer be able to rely on the EU passporting regime, which enables them to conduct business on a cross-border basis without any other local licences. If they wish to continue conducting such business, they need to consider relocating out of the United Kingdom to another EU or EEA member state. The German Federal Ministry of Finance published a draft bill at the end of 2018 that would enable the Federal Financial Supervisory Authority to allow credit institutions and financial services firms from the United Kingdom to continue their business activities in Germany to a certain extent for a transitional period of up to 21 months after a hard Brexit. This law came into force on 21 March 2019.

In order to address the current uncertainties and work out the consequences of the COVID-19 pandemic for any given bank, an individual scenario analysis will need to be carried out to determine just how the crisis has and will affect the profit and loss, balance-sheet and operating model of the respective institution. In addition, the bank's loan portfolio should be actively reviewed and appropriate measures taken to mitigate risk. Specific short, medium and long-term savings potential and measures can then be identified on that basis. In the absence of significant countermeasures on the cost side, operating result (before risks, write-downs and impairment losses) will probably fall by as much as 25% in 2020 (or even 30% in 2021). In the ‘profound recession' scenario, a decline of up to 40% in 2020 (or as much as 50% in 2021) can be expected. To proactively address this eventuality, banks must now make themselves fit for the future. Undertaking a systematic review of the loan portfolio and preparing to increase the number of restructuring and liquidation units are just as important as active cost management.

The Group of Governors and Heads of Supervision, the steering committee of the BCBS, decided on 27 March 2020 to extend the implementation timetable of the Basel III finalisation package. This should free up additional operational capacity for banks during the COVID-19 crisis. It was important that banks and supervisors focus their resources on providing critical banking services to the real economy and stabilising the financial system. The Basel Committee postponed the date by which Basel Committee on Banking Supervision members must fully implement the Basel III standards of December by one year to 1 January 2023. The transition periods for the output floor now apply until 1 January 2028 instead of 1 January 2027. The new implementation date for the Market Risk Framework and Pillar 3 disclosure requirements is 1 January 2023.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.