2 September 2025

FinTech Comparative Guide

FinTech Comparative Guide for the jurisdiction of Germany.

1 Legal and enforcement framework

1.1 In broad terms, which legislative and regulatory provisions govern the fintech space in your jurisdiction?

Germany does not currently have legislation tailored specifically to fintech businesses. As a result, fintech companies must navigate the same legal framework that applies to traditional financial institutions such as banks, investment firms and funds. The specific legal obligations that a fintech must comply with depend on its individual business model and operational implementation.

The regulatory landscape for fintech companies in Germany is shaped by a combination of:

  • binding legal provisions (hard law); and
  • non-binding standards or guidelines (soft law).

These rules stem from both national and EU legislation, creating a multi-layered framework that fintechs must navigate. This framework can be broadly divided into four key areas:

  • banking, financial and payment services regulation, governed by laws such as:
    • the Banking Act (KWG);
    • the Securities Institutions Act (WpIG); and
    • the Payment Services Supervision Act (ZAG);
  • investment and securities regulation, governed by laws such as:
    • the Capital Investment Code (KAGB);
    • the Securities Trading Act (WpHG);
    • the EU Prospectus Regulation (Regulation (EU) 2017/1129); and
    • the EU Crowdfunding Service Providers Regulation (Regulation (EU) 2020/1503);
  • anti-money laundering and sanctions compliance, governed by laws such as the Anti-Money Laundering Act (GwG) and the EU sanctions regime, which impose obligations on:
    • customer due diligence;
    • transaction monitoring; and
    • the reporting of suspicious activity; and
  • market conduct and transparency regulation, focusing on market abuse, disclosure, and notification obligations, as primarily set out in:
    • the Market Abuse Regulation (Regulation (EU) 596/2014); and
    • the Securities Trading Act (WpHG).

Depending on the nature and scope of its business, a fintech may need to obtain authorisation or approval from:

  • the Federal Financial Supervisory Authority (BaFin); or
  • in some cases, from local trade authorities.

In cross-border or EU-regulated contexts, supervisory authorities in other EU member states or, where relevant, European institutions such as the European Central Bank may also be involved.

1.2 Do any special regimes apply to specific areas of the fintech space?

Germany does not currently have legislation designed specifically for fintech companies. Instead, fintechs must operate within the same regulatory framework that applies to traditional financial institutions. The precise legal obligations that a fintech faces depend on its business model and operational implementation.

Unlike some jurisdictions that have introduced regulatory sandboxes – that is, supervisory regimes that allow firms to test innovative financial services with limited regulatory burden – Germany has opted not to implement such a mechanism. Instead, it applies a level playing field approach, holding all market participants to the same regulatory standards when they offer comparable services. In line with this, BaFin applies the principle of "Same business, same risk, same rules". This ensures that regulatory oversight is based on the nature of the activity and the associated risks, regardless of whether a service is provided by a traditional financial institution or a fintech.

However, two areas stand out as exceptions where dedicated regulatory frameworks have been introduced in direct response to fintech innovation:

  • The first area is crowdfunding, which is now governed by the EU Crowdfunding Service Providers Regulation (Regulation (EU) 2020/1503). This regulation establishes a harmonised EU-wide framework for platforms offering lending or investment-based crowdfunding services, streamlining authorisation procedures and introducing specific investor protection measures.
  • The second area is blockchain and crypto. While blockchain as a technology remains unregulated, being merely a form of infrastructure, the legal classification of activities built on it depends entirely on how it is used. For example, a token issued on a blockchain may qualify as a financial instrument, potentially triggering prospectus and other disclosure obligations under German or EU financial markets law. With the wide range of use cases from tokenised securities to decentralised finance protocols, no blanket statement on regulatory requirements can be made. However, the Markets in Crypto-Assets Regulation (Regulation (EU) 2023/1114) now provides a dedicated EU-level authorisation and compliance framework for crypto-asset service providers, reflecting the growing importance of this sector.

1.3 Which bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?

Whether a fintech requires regulatory authorisation depends on its specific business model and operational implementation. Many fintech activities – such as alternative payment services, automated investment management (robo-advice) and crowdfunding – fall in some way or another within the scope of the legal frameworks mentioned in questions 1.1 and 1.2, including:

  • the Banking Act (KWG);
  • the Securities Institutions Act (WpIG); and
  • the Payment Services Supervision Act (ZAG).

These activities typically require prior authorisation from BaFin. Where services do not fall under such regulation, authorisation under the Industrial Ordinance (GewO) may be necessary, with supervision carried out by the relevant regional trade authorities.

BaFin will grant the necessary authorisation if all applicable legal and regulatory requirements are fulfilled. Where the institution seeks a banking or investment firm authorisation and is classified as 'significant' under the EU Single Supervisory Mechanism, the ECB is involved in both the authorisation process and the ongoing supervision in close coordination with BaFin. This EU-level involvement reflects the integrated structure of banking supervision in the European Union and is particularly relevant for fintechs planning to scale cross-border or operate across multiple EU member states.

Once authorised, fintech companies are subject to continuous supervision. BaFin is empowered to take enforcement action against any entity providing regulated services. This may include ordering:

  • the immediate cessation of operations; and
  • the settlement of affected transactions.

Enforcement measures can apply to both the company and its management. BaFin may:

  • issue formal warnings;
  • impose administrative fines; or
  • revoke an institution's authorisation.

Moreover, the unauthorised provision of banking, financial or payment services constitutes a criminal offence under German law. A detailed legal assessment at an early stage is essential to ensure compliance and mitigate regulatory risk.

1.4 What is the regulators' general approach to fintech?

BaFin's supervisory approach is both competition and technology neutral. This means that companies are neither favoured nor disadvantaged based on:

  • their market position; or
  • the technologies that they deploy.

BaFin supervises a company if it engages in activities that require authorisation or registration under applicable financial regulations, regardless of the tools or platforms used to provide those services.

The legal scope of BaFin's supervisory authority is defined by the relevant technical legislation – such as the Banking Act (KWG) or the Payment Services Supervision Act (ZAG) – and applies irrespective of the underlying technology used by the fintech. However, specific technological risks are taken into account when assessing compliance with requirements for sound business organisation, such as:

  • IT security;
  • outsourcing arrangements; or
  • operational resilience.

BaFin applies the principle of "Same business, same risk, same rules", ensuring regulatory consistency across business models offering functionally equivalent services. This is combined with the principle of proportionality, which allows supervisory expectations to be tailored to the size, complexity and risk profile of the regulated entity.

1.5 Are there any trade associations for the fintech sector?

Fintech companies operating in Germany benefit from a range of trade associations and interest groups that advocate for their regulatory, commercial and political interests. These include both dedicated fintech associations and broader organisations representing the financial services, technology and startup sectors:

  • The Federal Association of German Startups (Startup-Verband) currently represents more than 1,000 members from a wide range of industries. Its fintech platform brings together stakeholders from various segments of the sector, including:
    • payments;
    • lending;
    • crowdfunding;
    • investment banking;
    • blockchain; and
    • technology infrastructure.
    It plays a central role in policy discussions affecting the startup and fintech landscape in Germany.
  • The German Blockchain Association (Blockchain Bundesverband) represents leading startups and innovators in the blockchain space. With over 60 members, it focuses on education, awareness and regulatory engagement, particularly with political decision-makers and enterprise leaders. The association is a key player in shaping blockchain-related policy debates within Germany.
  • The German IT Association (Bitkom) serves as the principal trade body for Germany's digital economy. Bitkom represents more than 2,700 companies, including approximately 500 startups and 1,000 medium-sized businesses. Many of its members are active in fintech and the association regularly contributes to digital finance and technology policy at both the national and EU levels.
  • The Association of German Banks (Bankenverband) was originally established to represent private sector banks. The association now also includes numerous fintechs as associated members. It plays a prominent role in discussions on banking regulation, financial innovation and industry standards.
  • Fintechs operating in the alternative finance space are represented by the German Crowdfunding Association (Bundesverband Crowdfunding). This network brings together commercial crowdfunding platforms and acts as a forum for best practice exchange and regulatory advocacy.
  • At the European level, many German fintechs are also members of the European Fintech Association (EFA), based in Brussels. The EFA:
    • represents fintechs from across the European Union; and
    • advocates for proportionate, innovation-friendly regulation in Brussels policymaking.

2 Fintech market

2.1 Which sub-sectors of the fintech industry have become most embedded in your jurisdiction?

Germany's fintech sector has matured significantly over the past decade, with several sub-sectors becoming particularly well established and embedded within the country's financial landscape. The most prominent are as follows:

  • Payment and banking: Payments and banking are among the most developed fintech sub-sectors in Germany. The country is home to:
    • major players such as Unzer, Sofort (now part of Klarna), Ratepay and Payone; and
    • newer digital payment providers and infrastructure firms.
    Neobanks such as N26, Trade Republic and Raisin have gained significant market share, offering app-based current accounts, savings and investing tools.
  • Lending and credit: Germany has seen strong growth in peer-to-peer lending, small and medium-sized enterprise (SME) financing and buy now, pay later (BNPL) platforms. Platforms such as Auxmoney have become major providers of consumer credit. BNPL solutions are growing rapidly, with German fintechs such as Ratepay active in this space. SME-focused lenders offer alternatives to traditional bank loans, often using digital credit scoring and automated onboarding.
  • Capital investment and wealth: The automated investment management and retail investing segment is well developed. In particular, Trade Republic, Scalable Capital and Raisin have gained traction among younger, tech-savvy investors seeking low-cost, algorithm-driven investment solutions. Some firms are branching out into more comprehensive digital brokerage and savings products.
  • Blockchain and crypto: Germany has taken a relatively progressive stance on crypto regulation and this has fostered a strong blockchain and crypto-asset sector. Regulated crypto custody under the Banking Act (KWG) has attracted institutional players. Firms such as Bitpanda, Nuri (formerly Bitwala) and Tangany have helped to build a compliant crypto ecosystem. The Federal Financial Supervisory Authority's (BaFin) guidance and the EU Markets in Crypto-Assets Regulation have positioned Germany as a credible hub for crypto-finance innovation.
  • Crowdfunding and alternative finance: Though smaller in scale than payments or lending, crowdfunding and crowdlending platforms are active in Germany and are regulated under the EU Crowdfunding Service Providers Regulation. Notable platforms include Seedmatch, Companisto and Kapilendo. These platforms fund:
    • startups;
    • real estate projects; and
    • SMEs.

2.2 What products and services are offered?

Fintech companies operating in Germany offer a wide range of innovative products and services across different segments of the financial market. These services are designed to:

  • streamline financial processes;
  • enhance access to capital; and
  • improve the user experience with modern technology.

The German fintech market can broadly be grouped into five key categories:

  • Payment and banking: Offerings in this space include:
    • mobile payment solutions;
    • digital wallets;
    • online checkout systems; and
    • application programming interface (API) based open banking services.
    This category also covers core banking services such as:
    • current accounts;
    • savings and debit cards delivered through neobanks; and
    • banking-as-a-service platforms.
  • Lending and credit: Fintechs in this space offer:
    • digital consumer loans;
    • peer-to-peer lending;
    • SME financing; and
    • BNPL solutions.
    These platforms leverage technology to automate credit checks, customer onboarding and loan servicing, often integrating directly with e-commerce or digital banking environments.
  • Capital investment and wealth: This category includes services such as:
    • automated investment management (robo-advisory);
    • online brokerage; and
    • access to private equity.
    These tools provide retail and other investors with accessible, low-cost alternatives to traditional wealth management.
  • Blockchain and crypto: Fintechs in this segment include crypto custodians, exchanges, wallet providers and tokenisation platforms involved in the issuance and trading of digital assets. Activities in this area increasingly operate under dedicated regulatory frameworks, such as MiCA.
  • Crowdfunding and alternative finance: Fintechs in this space facilitate scalable financing alternatives to traditional banking by connecting retail and institutional investors with startups, SMEs and real estate projects. Many rely on automated tools for onboarding, risk assessment and investor communication to support efficient fundraising and compliance.

2.3 How are fintech players generally structured?

Most fintechs in Germany are structured as a German limited liability company (GmbH), the preferred legal form for startups due to its:

  • low capital requirement (€25,000);
  • limited liability; and
  • flexible governance.

The GmbH is well suited for startups, particularly in their early stages.

As companies scale or enter more regulated segments – such as banking, investment services or crypto custody – some convert into a German stock corporation (Aktiengesellschaft), which allows for:

  • broader equity financing; and
  • access to public capital markets.

German stock corporations are subject to stricter corporate governance but are often chosen by fintechs preparing for initial public offerings (IPOs). Larger or internationally active fintechs may also adopt the European counterpart of the German stock corporation, the Societas Europaea (SE). The SE enables cross-border operations within the European Union under a single legal entity and is attractive for fintech groups with pan-European strategies.

In some cases, fintechs operate as subsidiaries or branches of foreign parent companies, especially when relying on EU passporting rights under financial regulatory laws.

2.4 How are they generally financed?

German fintech companies are typically financed through a mix of founder capital, angel investment and public support in the early stages. Many start by bootstrapping or securing pre-seed funding from:

  • business angels;
  • accelerator programmes; or
  • early-stage incubators.

Government-backed initiatives and regional funding schemes also play a role in supporting innovation and product development during this phase.

As fintechs scale, they often attract venture capital (VC) from both domestic and international investors:

  • Early-stage VC investors participate in seed and Series A rounds.
  • Growth financing tends to involve:
    • larger VC firms;
    • corporate venture arms; or
    • strategic investors from the financial industry.

Notable players in the German fintech ecosystem include:

  • HV Capital;
  • Earlybird;
  • Project A; and
  • international firms such as Index Ventures and Accel.

Partnerships with banks, insurers and financial institutions are also common and may combine capital investment with commercial collaboration. A smaller number of fintechs, especially in crypto and alternative finance, raise funds through crowdfunding or token-based offerings.

At the later stages, many fintechs:

  • pursue IPOs; or
  • are acquired by larger financial institutions or global fintech platforms.

Exit strategies and funding models typically evolve with the company's:

  • growth;
  • regulatory profile; and
  • international ambitions.

2.5 How are they positioned within the broader financial services landscape?

Fintechs have become an increasingly influential part of the broader financial sector in Germany, positioning themselves as both complementary partners and competitive challengers to traditional financial institutions. Their core value lies in leveraging technology to deliver more efficient, user-friendly and cost-effective services, particularly in areas where incumbents have been slow to innovate.

In many cases, fintechs operate in niche segments – such as mobile payments, robo-advisory, digital lending or crypto services – where they can respond quickly to changing consumer demands and regulatory developments. While some fintechs compete directly with banks and asset managers, many pursue collaborative models, integrating their services into established players' platforms through:

  • white-label solutions;
  • APIs; or
  • business-to-business licensing arrangements.

This has led to an increase in partnerships, minority investments and joint ventures between fintechs and banks, insurers and payment providers.

From a regulatory perspective, fintechs are now firmly embedded in the financial ecosystem. If fintechs provide regulated services, they are subject to the same authorisation and compliance obligations as traditional financial institutions. Supervisory authorities such as BaFin and, in some cases, the European Central Bank treat fintechs as regulated financial entities based on their function rather than their form. As a result, fintechs are no longer seen as fringe disruptors, but as institutionalised players contributing to the digital transformation of the financial sector.

2.6 Do start-ups generally outsource back office functions and is there a developed market for them to access? What are the legal implications of outsourcing?

Outsourcing of back-office functions is common among fintech startups in Germany, especially in the early growth stages. This enables companies to focus on core product development and customer acquisition, while external providers handle tasks such as:

  • compliance;
  • customer onboarding (know your customer/anti-money laundering checks); and
  • IT infrastructure.

A mature market of specialist providers supports this demand, including white-label providers offering turnkey infrastructure and regulated services, often referred to as 'reverse outsourcing'. If a fintech relies on such a white-label provider for regulated services, that provider:

  • is itself fully subject to regulatory supervision; and
  • must meet the same standards that would apply to the fintech directly.

Legally, outsourcing is permitted under German financial regulation but subject to strict rules, particularly when considered material outsourcing. Fintechs authorised under the Banking Act (KWG), the Payment Services Supervision Act (ZAG), or comparable legislation must comply with detailed requirements concerning, in particular:

  • risk management;
  • oversight; and
  • audit rights.

These obligations are further outlined in circulars of BaFin and harmonised with the European Banking Authority guidelines on outsourcing arrangements. Fintechs remain legally responsible for ensuring that outsourcing does not impair their compliance. In certain cases, BaFin must be notified or must grant approval. Careful contractual arrangements, ongoing monitoring and proper documentation are essential to manage regulatory and operational risk.

3 Technologies

3.1 How are the following key technologies in the fintech space regulated and what specific legal issues are associated with each? (a) Internet (e-commerce); (b) Mobile (m-commerce); (c) Big data (mining); (d) Cloud computing; (e) Artificial intelligence; and (f) Distributed ledger technology (Blockchain, cryptocurrencies)

(a) Internet (e-commerce)

E-commerce platforms often facilitate payments, including the transfer of funds via credit cards or other digital methods. If a platform is involved in the actual transfer of funds, it may be deemed to provide payment services under the Payment Services Supervision Act (ZAG). In such cases, prior authorisation from the Federal Financial Supervisory Authority is required. Offering payment services without authorisation is prohibited and may trigger enforcement measures, including orders to cease operations.

An exemption exists for commercial agents acting on behalf of either the payer or the payee in the sale of goods or services, provided that the platform operator is authorised to negotiate or conclude transactions. The exemption applies only if the agent is clearly aligned with one party; a general clause in the platform's terms and conditions is not sufficient. Platform operators may apply to BaFin for a certificate of non-objection to confirm whether the exemption applies.

In addition to financial regulation, e-commerce platforms must comply with consumer protection and data privacy laws. Contracts with consumers are subject to pre-contractual information obligations under the Civil Code (BGB). Further requirements may arise under the Unfair Competition Act (UWG) and the Telemedia Act (TMG). Compliance with the EU General Data Protection Regulation is also essential, particularly where personal data is processed in connection with payments or customer accounts.

(b) Mobile (m-commerce)

In Germany, mobile commerce (m-commerce) is legally treated as a subset of e-commerce, meaning that the same regulatory principles apply when goods or services are sold via mobile devices or applications. However, mobile platforms often raise additional compliance considerations due to their technical features and user interface design. For a more detailed overview of the applicable legal requirements, please see question 3.1(a).

(c) Big data (mining)

There is no fintech-specific or standalone regulation governing big data or data mining in Germany. However, several legal frameworks may apply depending on the type, origin and use of the data involved.

If the data is sourced from third-party databases, its use may require a licence under copyright law, especially where database protection applies under the Copyright Act (UrhG). A legal assessment is needed to determine whether and how such data can be reused. In addition, the algorithms and models used in data mining may qualify as trade secrets under the Trade Secret Protection Act (GeschGehG), provided that:

  • they are not publicly known; and
  • appropriate protective measures have been taken.

In the fintech sector, big data is often based on non-personal or anonymised data (e.g., share prices, financial indices), which falls outside the scope of data protection law. However, if personal data is involved, the use must fully comply with the GDPR and relevant national provisions. Of particular relevance is the data minimisation principle, which requires that personal data be limited to what is necessary for the stated purpose, often at odds with the 'collect-everything' logic behind big data. This tension must be assessed on a case-by-case basis. Where artificial intelligence (AI) is used, additional obligations may arise under the EU GDPR and the EU AI Act (see question 3.1(e)).

(d) Cloud computing

Cloud computing is central to many fintech business models. From a regulatory perspective, its use becomes relevant when it qualifies as outsourcing – specifically, when a function normally performed by the fintech is delegated to a third-party cloud provider. If the arrangement involves the outsourcing of critical or important functions (formerly known as 'material outsourcing'), it triggers a range of regulatory obligations.

For fintechs authorised under the Banking Act (KWG), the Payment Services Supervision Act (ZAG), or similar legislation, cloud outsourcing is subject to strict requirements. These include:

  • risk assessments;
  • contractual safeguards;
  • audit and access rights; and
  • in some cases, notification or prior approval by regulators.

As of January 2025, the entry into force of the EU Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554) introduced a harmonised EU-wide framework. DORA sets out uniform rules on:

  • information and communications technology (ICT) risk management;
  • incident reporting; and
  • oversight of third-party ICT service providers.

Notably, it empowers EU authorities to supervise designated critical ICT third-party providers, including major cloud service providers, directly.

While DORA will supersede or require the amendment of certain existing national guidance, such as the Outsourcing Circular of BaFin and the European Banking Authority Guidelines on Outsourcing Arrangements, these documents remain relevant in areas not yet fully harmonised. National regulators are expected to align their frameworks accordingly.

(e) Artificial intelligence

The use of AI is now subject to the EU AI Act, a dedicated EU regulation that is not specific to the financial sector. The AI Act entered into force in 2024 and applies in stages starting from 2025. It introduces a risk-based regulatory framework that directly affects fintechs that develop or deploy AI systems, particularly in areas such as:

  • credit scoring;
  • fraud detection; or
  • automated investment systems.

Fintech-related AI systems will often fall into the 'high-risk' category, triggering obligations such as:

  • conformity assessments;
  • risk management;
  • human oversight; and
  • transparency measures.

Providers of general-purpose AI models or applications must also comply with specific obligations depending on the scale, use and nature of the model. Compliance will be overseen by national authorities and coordinated through a new European AI Office in Brussels.

In addition to the AI Act, fintechs using AI must still comply with:

  • existing legal frameworks, including the GDPR where personal data is processed; and
  • financial regulatory law.

BaFin has indicated that supervisory expectations such as traceability, explainability and robust risk controls apply regardless of the technology used.

(f) Distributed ledger technology (Blockchain, cryptocurrencies)

As a form of infrastructure, distributed ledger technology (DLT) and blockchain are not regulated in themselves under German law. However, regulatory requirements depend entirely on how the technology is used. Activities involving crypto assets – such as token issuance, custody, exchange or investment services – may trigger authorisation, prospectus and other capital markets obligations under German or EU law.

At the EU level, the Markets in Crypto-Assets Regulation (MiCA) entered into force in 2023 and now fully applies. MiCA introduces a harmonised authorisation and conduct regime for:

  • crypto-asset service providers (CASPs); and
  • issuers of asset-referenced and e-money tokens.

It sets out requirements for:

  • capital;
  • governance;
  • investor disclosures; and
  • ongoing supervision.

In Germany, CASPs are supervised by BaFin. Also, depending on their legal classification, security tokens or tokenised financial instruments may fall under:

  • the Second Markets in Financial Instruments Directive (MiFID II);
  • the EU Prospectus Regulation (Regulation (EU) 2017/1129); and
  • national capital markets law.

Finally, the issuance of electronic securities on DLT platforms is governed by the Electronic Securities Act (eWpG).

In summary, while blockchain is not regulated per se, fintechs using it must assess, on a case-by-case basis, whether their use of tokens or DLT-based services triggers authorisation and other obligations under applicable crypto, regulatory and capital markets law.

4 Activities

4.1 How are the following key activities in the fintech space regulated and what specific legal issues are associated with each? (a) Crowdfunding, peer-to-peer lending; (b) Online lending and other forms of alternative finance; (c) Payment services (including marketplaces that route payments from customers to suppliers (e.g., Uber and Airbnb)); (d) Forex; (e) Trading; (f) Investment and asset management; (g) Risk management; (h) Robo-advice; and (i) Insurtech.

(a) Crowdfunding, peer-to-peer lending

In Germany, crowdfunding and peer-to-peer (P2P) lending can follow three distinct regulatory tracks, depending on the structure and type of the offering:

  • Crowdfunding: Platforms offering investment-based or lending-based crowdfunding can operate under the European Crowdfunding Service Providers Regulation, which provides a harmonised EU-wide framework. This regime:
    • requires authorisation as a crowdfunding service provider; and
    • imposes rules on governance, disclosure and investor protection.
    It:
    • applies to offerings of up to €5 million per issuer per year; and
    • allows cross-border activity based on a single authorisation.
  • Capital investments: If a platform brokers capital investments (e.g., subordinated loans, profit participation rights) and does not fall under the European Crowdfunding Service Providers Regulation, it may be subject to the Capital Investment Act (VermAnlG). This may trigger prospectus and other publication requirements, unless exemptions apply.
  • Financial instruments: Where the instruments qualify as financial instruments under the Second Markets in Financial Instruments Directive (MiFID II) (e.g., shares or investment funds), the platform may require authorisation under the Banking Act (KWG) or the Securities Institutions Act (WpIG). This route involves the highest level of regulatory obligations.

In practice, many platforms:

  • partner with banks to avoid direct authorisation requirements; or
  • structure offerings to fit within the lighter Capital Investment Act (VermAnlG) or European Crowdfunding Service Providers Regulation regimes.

(b) Online lending and other forms of alternative finance

Online lending by fintechs in Germany is generally subject to regulation under the Banking Act (KWG) if the activity involves granting loans on a commercial basis. As banking authorisation is complex and requires significant capital and compliance infrastructure, many fintech lenders use the 'fronting bank' model. In this setup, a fully authorised partner bank issues the loans, while the fintech provides the technology, customer interface and risk analysis under a service or cooperation agreement.

Alternatively, if the financing is structured as capital investments, such as subordinated loans or profit-participating rights, the offering may fall under the Capital Investment Act (VermAnlG). This law imposes prospectus and publication obligations, unless certain exemptions apply (e.g., for offers below €6 million and per-investor limits). These models are commonly used for crowd-lending or platform-based small and medium-sized enterprise financing where direct lending is avoided.

If the products offered qualify as financial instruments (e.g., bonds, structured notes or asset-backed securities), the activity may:

  • constitute investment services under the Second Markets in Financial Instruments Directive; and
  • require authorisation under:
    • the Securities Institutions Act (WpIG); or
    • the Banking Act (KWG).

Fintech lenders must also comply with additional requirements, including:

  • consumer credit regulations;
  • distance selling rules; and
  • general contract law.

(c) Payment services (including marketplaces that route payments from customers to suppliers (e.g., Uber and Airbnb))

Payment services in Germany are regulated under the Payment Services Supervision Act (ZAG), which implemented the Second Payment Services Directive into national law. Fintechs and platforms offering services such as payment execution, issuing instruments or account operation must obtain authorisation from the Federal Financial Supervisory Authority (BaFin) unless an exemption applies.

Marketplace operators (e.g., ride-hailing or booking platforms) that route funds from customers to suppliers may inadvertently perform regulated payment services if they hold or control client funds, even temporarily. This applies whether the funds are passed directly or settled via third parties. Without appropriate structuring, such models typically require authorisation under the Payment Services Supervision Act (ZAG). Therefore, many platforms partner with authorised payment service providers or electronic money institutions that legally handle fund flows. In some cases, exemptions under the Payment Services Supervision Act may apply, but BaFin interprets these narrowly and on a case-by-case basis. Providing payment services without proper authorisation can result in enforcement action or even criminal charges.

In short, structuring payment flows through or around regulated activities is legally complex and must be assessed early. Fintechs and marketplaces should conduct a regulatory analysis before going live, especially if handling third-party funds.

(d) Forex

In Germany, foreign exchange (forex) trading is classified as dealing in financial instruments under the Banking Act (KWG). Firms offering forex trading services – such as brokerage, proprietary trading or portfolio management – typically require authorisation from BaFin, unless they operate under a valid exemption. Forex services may also qualify as investment services under the Securities Institutions Act (WpIG) – for example, when offering execution-only trading to retail clients. In either case, authorisation requirements and regulatory scrutiny are high due to the volatility, leverage and consumer risk associated with forex products. European Economic Area (EEA) based forex brokers can passport their existing authorisation into Germany under the Second Markets in Financial Instruments Directive (MiFID II). Non-EEA firms, however, may offer services in Germany only under limited circumstances.

Given the regulatory intensity and cross-border restrictions in the forex space, fintechs offering or integrating forex services should:

  • conduct early legal assessments; and
  • carefully structure their authorisation, distribution and compliance strategy.

(e) Trading

In Germany, financial instruments under MiFID II include:

  • shares;
  • bonds;
  • derivatives;
  • fund units; and
  • certain tokenised securities.

These instruments are typically distributed via authorised investment firms, such as brokers or portfolio managers, which may operate directly or through fintech front ends. The trading infrastructure for these instruments consists of:

  • regulated venues such as stock exchanges;
  • multilateral trading facilities; and
  • systematic internalisers.

Prospectus obligations and other capital markets disclosure requirements often apply, particularly in public offerings. Fintechs entering this space often build on white-label brokerage platforms or connect via application programming interface to authorised intermediaries with exchange access.

Other capital investments under the Capital Investment Act (VermAnlG) include:

  • subordinated loans;
  • profit-participation rights; and
  • similar instruments that do not qualify as financial instruments under MiFID II.

These are commonly distributed through crowd-investing or online lending platforms targeting retail investors. As there is often no organised secondary market, trading infrastructure tends to be absent or informal; investors typically hold these assets until maturity. Subject to certain exemptions, public offerings may trigger prospectus or disclosure obligations under the Capital Investment Act (VermAnlG). Fintech platforms provide bespoke issuance and investor dashboards, often integrating identity verification, risk disclosures and prospectus management tools.

Crypto-assets form a distinct category and are regulated:

  • as financial instruments;
  • as capital investments; or
  • if neither of these categories applies, as bespoke crypto-assets under the Markets in Crypto-Assets Regulation.

Distribution depends on the classification:

  • Security tokens may be offered via authorised brokers; and
  • Utility or payment tokens are typically distributed through crypto exchanges or token issuance platforms.

The trading infrastructure includes:

  • centralised crypto exchanges;
  • decentralised trading protocols; and
  • increasingly, regulated distributed ledger technology (DLT) trading facilities.

In Germany, firms offering trading or custody of crypto assets:

  • require authorisation from BaFin; and
  • must comply with anti-money laundering and investor protection standards.

(f) Investment and asset management

Fintech companies offering portfolio management or brokerage services to individual investors in Germany generally require authorisation under the Securities Institutions Act. These services qualify as investment services under MiFID II. Unless authorised as a bank, fintechs such as neo-brokers or robo-advisers often:

  • use white-label platforms; or
  • partner with authorised banks that hold client funds as custodians and execute trades on regulated trading venues.

By contrast, asset management for investment funds is regulated under the Capital Investment Code (KAGB), which implements both:

  • the Undertakings for Collective Investment in Transferable Securities Directive (Directive 2009/65/EC); and
  • the Alternative Investment Fund Managers Directive (Directive 2011/61/EU).

Depending on the assets under management and the use of leverage, fintechs managing collective investment vehicles must either:

  • obtain full authorisation as a capital management company (KVG); or
  • register as a small alternative investment fund manager.

These firms operate at the fund level and serve investors indirectly through the fund structure. The regulatory regime is more institutional and includes obligations relating to:

  • custody;
  • valuation; and
  • investor disclosures.

The distribution and infrastructure used in both models differ:

  • Portfolio managers typically rely on:
    • digital onboarding tools;
    • risk profiling modules; and
    • broker application programming interfaces.
  • Fund managers, by contrast, operate through:
    • custodian banks;
    • fund administrators; and
    • increasingly, DLT-based issuance platforms for tokenised units.

Fintechs should align their legal structure and authorisation strategy with their business model and target investor base.

(g) Risk management

Risk management is a core supervisory requirement for authorised fintechs in Germany. Depending on the applicable regime – such as the Banking Act (KWG), the Payment Services Supervision Act (ZAG) or the Capital Investment Code (KAGB) – regulated entities must implement a risk framework proportionate to the nature, scale and complexity of their business. This forms part of the obligation to maintain a 'proper business organisation'.

In general, banks, investment firms and other regulated financial entities must establish dedicated internal functions for risk control, compliance and internal audit. They must ensure:

  • robust governance;
  • operational continuity; and
  • effective controls for credit, market, operational and IT risks.

These requirements also apply to outsourced activities and include obligations to monitor external providers.

Outsourcing is permitted, subject to clear limitations. Executive management remains ultimately responsible and cannot delegate core management functions. However, smaller institutions may outsource compliance, internal audit or risk control under strict conditions. External service providers must be:

  • contractually bound;
  • reliable; and
  • subject to:
    • oversight;
    • audit rights; and
    • contingency planning.

(h) Roboadvice

Robo-advice often qualifies as an investment service under the Securities Institutions Act (WpIG), such as investment advice, investment brokerage or financial portfolio management, which requires prior authorisation from BaFin. Where the service is limited to non-discretionary advice or brokerage, the provider may register instead as a financial investment broker under the Industrial Code (GewO).

The regulatory classification depends on:

  • the platform's design;
  • the level of automation; and
  • the contractual arrangement between the fintech and the client.

For example:

  • if the system generates tailored investment suggestions based on user input, it may constitute personal investment advice; and
  • if the platform manages client portfolios on a discretionary basis, this qualifies as portfolio management and requires full authorisation under financial regulatory law.

Operating a robo-advice platform without the necessary authorisation or registration is prohibited and may trigger enforcement action or even criminal liability. Therefore, fintechs offering robo-advice should conduct a detailed legal assessment of their business model and secure the appropriate authorisation or registration before going to market.

(i) Insurtech

While the term 'insurtech' is not defined under German law, it generally refers to technology-driven businesses that offer digital innovations in the insurance sector. Common insurtech business models include digital insurance distribution, policy administration, claims management and customer engagement tools. The regulatory treatment depends on:

  • the specific business activities; and
  • how risk is allocated.

If the insurtech acts purely as an insurance intermediary (e.g., a broker or agent), the company typically does not assume insurance risk itself. In such cases, it is not subject to the insurance supervision of BaFin but must obtain an authorisation under the Industrial Code (GewO), issued by the relevant Chamber of Industry and Commerce. However, the insurer underwriting the risk must hold an authorisation from BaFin under the Insurance Supervision Act (VAG).

Insurtechs that directly assume insurance risk or operate as risk carriers:

  • must obtain full authorisation under the Insurance Supervision Act (VAG); and
  • are subject to ongoing prudential supervision by BaFin.

In Germany, insurance authorisations may only be granted to specific legal forms, such as:

  • stock corporations;
  • mutual insurance associations (VVaG); and
  • certain public law entities.

The authorisation requirements vary by insurance class and include capital, governance and risk management obligations. Notably, BaFin applies the same supervisory standards to insurtechs and traditional insurers, reflecting its principle of technology and competition neutrality.

5 Data security and cybersecurity

5.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for fintech companies?

Fintech companies in Germany must comply with the EU General Data Protection Regulation, which governs the processing of personal data across the European Union. The GDPR is supplemented by the Federal Data Protection Act (BDSG), which provides clarifications in certain areas (e.g., employee data) but has limited relevance to most fintech operations. 'Personal data' under the GDPR includes any information that directly or indirectly identifies a natural person. This broad scope means that fintechs must carefully distinguish between personal and anonymised data, as only the former is subject to GDPR rules.

Key implications for fintech companies include enhanced compliance obligations when using automated decision-making or profiling technologies, common in services such as:

  • robo-advice;
  • credit scoring; and
  • fraud detection.

Such processing must meet strict transparency, legal justification and human oversight requirements. In many cases, the processing of personal data is justified by legal obligations under financial regulatory, crime prevention or tax laws. Fintechs must ensure privacy-by-design, clear user communication and secure technical measures across all data systems. Failure to meet GDPR obligations can result in significant administrative fines and reputational harm, making data protection a critical compliance function for regulated fintech businesses.

5.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for fintech companies?

Regulated fintech companies in Germany – such as banks, payment institutions and investment firms – are primarily subject to the EU Digital Operational Resilience Act (DORA). DORA establishes harmonised rules for information and communications technology (ICT):

  • risk management;
  • incident reporting;
  • resilience testing; and
  • oversight of critical third-party providers.

Supplementary regulatory technical standards, implementing technical standards and administrative guidance (e.g., from the Federal Financial Supervisory Authority) further detail these obligations.

Other EU and national cybersecurity laws – such as the Second Network and Information Systems Directive – do not apply to regulated financial entities, as DORA (Regulation (EU) 2022/2554) provides a sector-specific and harmonised framework that takes precedence. However, these laws may still apply to non-financial ICT providers, including third-party service providers and fintech vendors, which can indirectly impact regulated firms through outsourcing and supply chain dependencies.

The Act on the Federal Office for Information Security (BSIG) may apply to financial institutions only if they:

  • qualify as critical infrastructure operators under the relevant thresholds; or
  • manage IT systems of special national interest.

In such cases, obligations under the Act on the Federal Office for Information Security (BSIG), such as incident reporting and minimum IT security standards, apply in addition to DORA.

In contrast, the Telecommunications Act (TKG) and the Telemedia Act (TMG) are typically not relevant for most financial institutions, unless they also operate as telecommunications or digital content service providers, which is uncommon in the core fintech sector.

The GDPR remains relevant for all entities handling personal data, particularly regarding data breach notification obligations. In short, DORA is the central cybersecurity regime for regulated fintechs, aligning operational resilience standards across the EU financial sector.

6 Financial crime

6.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for fintech companies?

Depending on their activities, fintech companies may qualify as obliged entities under the Anti-Money Laundering Act (GwG), which implements the EU anti-money laundering framework. Obliged entities include:

  • credit institutions;
  • payment institutions; and
  • investment firms.

These entities must implement a risk-based crime prevention framework, including:

  • customer due diligence and ongoing monitoring;
  • identification of ultimate beneficial owners;
  • the appointment of an AML officer;
  • the implementation of internal controls, policies and employee training; and
  • the filing of suspicious activity reports with the Financial Intelligence Unit (FIU).

In addition, fintechs must comply with EU sanctions and embargo regulations, which prohibit business with designated individuals, entities or jurisdictions. These include:

  • financial sanctions (e.g., asset freezes); and
  • trade restrictions.

Regulated firms must:

  • screen clients and transactions against official sanctions lists; and
  • implement safeguards to prevent indirect or inadvertent breaches.

Non-compliance with these requirements can lead to:

  • enforcement measures by the Federal Financial Supervisory Authority and the FIU; and
  • potential criminal liability.

Fintechs should therefore:

  • conduct an early legal assessment; and
  • ensure that compliance measures are properly implemented, maintained and documented.

7 Competition

7.1 Does the fintech sector present any specific challenges or concerns from a competition perspective? Are there any pro-competition measures that are targeted specifically at fintech companies?

Fintech companies in Germany are subject to the same legal and regulatory regime as traditional financial institutions. There is no fintech-specific regulation or dedicated sandbox regime. Instead, the principle of "Same business, same risk, same rules" applies. Fintechs must obtain the same authorisations and comply with the same regulatory requirements as incumbents when offering banking, financial or other regulated services. These authorisation and compliance obligations can act as market entry barriers, particularly for:

  • startups;
  • new market entrants; and
  • non-EU players.

In addition, fintechs are subject to two distinct bodies of law promoting fair competition:

  • Competition and cartel law, enforced by the Federal Cartel Office (Bundeskartellamt) and the European Commission, prohibits:
    • anti-competitive agreements;
    • abuse of market dominance; and
    • certain types of mergers.
  • The Unfair Competition Act (UWG) prohibits:
    • misleading advertising;
    • aggressive sales practices; and
    • violations of market conduct rules.

In some cases, fintechs operating without proper authorisations have faced civil lawsuits from competitors under the Unfair Competition Act for gaining an unfair advantage by bypassing regulatory requirements.

Although there are no fintech-specific pro-competition measures at the national level, EU initiatives such as the Second Payment Services Directive and the EU Digital Finance Strategy seek to promote data access, interoperability and a level playing field across the financial sector. While established firms may face higher costs due to legacy systems and compliance structures, fintechs often encounter challenges around:

  • regulatory clarity;
  • complexity of the authorisation process; and
  • scaling under supervisory scrutiny.

8 Innovation

8.1 How is innovation in the fintech space protected in your jurisdiction?

Innovation in the German fintech sector, as in any other sector, can be protected through a range of IP rights, including:

  • patents;
  • copyrights;
  • trademarks; and
  • trade secrets.

However, the protection of software-based innovation is generally more limited in Germany than in some other jurisdictions, particularly the United States, where software patents are more readily granted.

In the European Union and Germany, patents are only available for software that makes a technical contribution beyond a mere business method or abstract algorithm. As a result, many fintechs instead rely on:

  • copyright, which automatically protects source code as a literary work; and
  • trade secrets, especially for:
    • proprietary algorithms;
    • scoring models; or
    • data-driven processes.

However, protection under the Trade Secrets Act (GeschGehG) requires companies to take appropriate confidentiality and access control measures to safeguard their know-how. When developing an IP strategy, fintechs must weigh the benefits of patent protection – which involves public disclosure – against the strategic value of keeping critical technology confidential.

In short, German law offers effective IP protection tools, but their suitability depends on:

  • the nature of the innovation; and
  • the fintech's broader commercial and regulatory strategy.

8.2 How is innovation in the fintech space incentivised in your jurisdiction?

Innovation in the German fintech sector is incentivised primarily through public funding, infrastructure support and market-driven initiatives, rather than through fintech-specific regulation. Germany has deliberately not introduced a regulatory sandbox, preferring a "Same business, same risk, same rules" approach. This means that fintechs must meet the same regulatory requirements as incumbent financial institutions when offering equivalent services.

A range of public funding and accelerator programmes support fintech innovation, particularly at the early and growth stages:

  • INVEST Venture Capital Grant offers private investors a 20% acquisition subsidy for investments in young, innovative companies.
  • EXIST supports academic spinoffs and technology-driven startups with funding and business planning assistance.
  • The High-Tech Start-up Fund and coparion provide early-stage venture capital, backed by public and EU funding.
  • German Accelerator assists startups with scaling internationally.
  • ERP/EIF Fund of Funds and KfW Capital invest in venture capital funds focused on early and growth-stage tech companies.

Initiatives such as FinTech Hub Frankfurt, the Deutsche Börse Venture Network and UnternehmerTUM at TUM Munich offer office space, mentoring and access to investors. In short, while Germany does not offer fintech-specific regulatory incentives, it maintains a strong innovation ecosystem supported by public funding and private-sector infrastructure.

9 Talent acquisition

9.1 What is the applicable employment regime in your jurisdiction and what specific implications does this have for fintech companies?

Fintech companies in Germany are subject to general employment law, including:

  • the Civil Code (BGB);
  • the Part-Time and Fixed-Term Employment Act (TzBfG);
  • the Protection Against Unfair Dismissal Act (KSchG); and
  • the Minimum Wage Act (MiLoG).

German labour law is relatively strict and employee friendly, which can:

  • add legal complexity; and
  • limit operational flexibility for employers.

As fintechs grow, they should anticipate rising HR, compliance and co-determination obligations, particularly around:

  • contract formalities;
  • terminations; and
  • internal governance.

Employment contracts may be indefinite or fixed term. Fixed-term contracts must be concluded in writing before employment begins; otherwise, they default to indefinite. Employees are entitled to statutory protections such as:

  • continued pay during illness or holidays;
  • minimum annual leave; and
  • the statutory minimum wage.

Special protections apply under maternity, parental leave and disability regulations.

The Protection Against Unfair Dismissal Act applies where:

  • a company regularly employs more than 10 full-time equivalents; and
  • the employee has passed a six-month probationary period.

Under that act, dismissals must be socially justified for personal, behavioural or operational reasons. Procedural errors can make terminations invalid and settlements involving severance are rather common.

Larger fintechs may also face co-determination requirements. Works councils can be formed under the Works Constitution Act (BetrVG), granting employees the right to be consulted on HR and operational decisions. In companies with over 500 employees, employee participation on the supervisory board may also be triggered under corporate law.

9.2 How can fintech companies attract specialist talent from overseas where necessary?

The German labour market has undergone significant liberalisation in recent years, particularly through reforms to the Skilled Immigration Act (Fachkräfteeinwanderungsgesetz), which facilitate residence and employment for qualified professionals from non-EU countries. The EU Blue Card:

  • offers a streamlined path for university graduates with a job offer above a salary threshold; and
  • does not require separate approval from the Federal Employment Agency (Bundesagentur für Arbeit).

EU/European Economic Area nationals and Swiss citizens continue to enjoy unrestricted access to the German labour market. For third-country nationals, work-related immigration typically requires approval unless an exemption applies, such as under the Blue Card scheme or relevant bilateral agreements.

To attract and retain specialist tech talent, especially when unable to offer large corporate salaries, startups and fintechs frequently rely on alternative compensation models. These include:

  • bonus programmes; and
  • employee participation via virtual shares (phantom stock) or actual equity.

However, most non-equity incentives are treated as taxable income and equity participation structures remain relatively complex and burdensome to implement in Germany. Compared to many Anglo-Saxon jurisdictions, the tax treatment for employee ownership is still seen as less favourable. Nonetheless, recent reforms have improved conditions and indicate growing political support for employee equity incentives.

In short, Germany is becoming more attractive to global talent, and fintech companies are increasingly able to hire from abroad. However, they must carefully structure compensation and ensure compliance with immigration, labour and tax regulations.

10 Trends and predictions

10.1 How would you describe the current fintech landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

Germany hosts one of Europe's most mature fintech ecosystems, centred in hubs such as Berlin, Frankfurt and Munich. The landscape has shifted from early-stage disruption to a more integrated, service-oriented phase. Many fintechs now also operate in business-to-business models, embedding themselves in the value chains of traditional banks, insurers and asset managers as infrastructure providers or white-label partners. This has strengthened cooperation between fintechs and incumbents, leveraging fintechs' speed and innovation alongside the regulatory expertise and client base of established players.

Key trends include:

  • increasing regulatory maturity;
  • a growing focus on embedded finance; and
  • the use of AI, particularly in:
    • credit scoring;
    • fraud prevention; and
    • investment solutions.

Blockchain adoption continues, especially in asset tokenisation and digital securities, spurred by EU initiatives such as:

  • the Markets in Crypto-Assets Regulation; and
  • the Distributed Ledger Technology Pilot Regime.

The funding environment has become more selective, prompting consolidation and strategic M&A. Fintechs that fail to scale or meet regulatory thresholds increasingly seek partnerships or exits. Conversely, large tech and e-commerce firms are entering financial services, intensifying competitive pressure.

In 2025 the full application of the EU AI Act and the EU Digital Operational Resilience Act will significantly impact fintech operations, requiring firms to implement risk, compliance and transparency measures. While Germany does not offer a regulatory sandbox, EU-wide initiatives (e.g., open finance, digital identity) are expected to shape the market further in the next 12 months.

11 Tips and traps

11.1 What are your top tips for fintech players seeking to enter your jurisdiction and what potential sticking points would you highlight?

Entering the German fintech market requires:

  • careful planning;
  • regulatory awareness; and
  • strong operational execution.

Fintechs should begin by assessing whether their activities require authorisation from the Federal Financial Supervisory Authority (BaFin) under German or EU law. Depending on the business model, firms may:

  • rely on local authorisations;
  • use EU passporting rights; or
  • partner with authorised entities.

Engaging experienced legal or compliance advisers early in the process is essential to avoid misclassification and delays. Timelines for obtaining authorisations can be lengthy, so realistic planning is critical, particularly for non-EU providers that are unfamiliar with German regulatory expectations.

Equally important is operational readiness. German regulation requires a 'proper business organisation' that includes:

  • internal controls;
  • risk and compliance frameworks; and
  • qualified personnel.

Fintechs must:

  • establish governance structures that reflect the complexity of their business; and
  • appoint key functions such as compliance and anti-money laundering officers.

Close coordination with the firm's statutory auditor, who is required to report compliance shortcomings to BaFin, can help to avoid operational pitfalls. Hiring staff with proven financial services experience, especially for management and control roles, is advisable and often expected by supervisors.

Finally, ongoing regulatory awareness is key. Fintechs should stay informed through:

  • events such as the BaFin Tech conference;
  • legal updates from advisers; and
  • publications from:
    • BaFin;
    • the European Supervisory Authorities; and
    • relevant industry groups.

Regulatory requirements can evolve quickly – especially under EU frameworks such as the Digital Operational Resilience Act, the Markets in Crypto-Assets Regulation and the AI Act – so proactive monitoring and timely implementation are critical for long-term success in Germany's regulated environment.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
