1 Legal and enforcement framework

1.1 In broad terms, which legislative and regulatory provisions govern the fintech space in your jurisdiction?

The German legislature has not yet enacted fintech-specific regulations. Therefore, fintech companies are subject to the same provisions as traditional companies in the financial services sector. The applicable requirements and rules depend on the business model of the respective fintech. Depending on its structure, a fintech may require authorisation or approvals by the Federal Financial Supervisory Authority (BaFin), or by another supervisory authority (eg, a trade supervisory authority).

Depending on the business model, the applicable law may include:

  • the Banking Act;
  • the Payment Services Supervision Act;
  • the Capital Investment Code;
  • the Insurance Supervision Act;
  • the German Securities Prospectus Act;
  • the Capital Investment Act;
  • Regulation (EU) 2017/1129;
  • the Securities Trading Act;
  • the German Industrial Ordinance; and
  • various European regulations, including the Market Abuse Regulation.

1.2 Do any special regimes apply to specific areas of the fintech space?

Germany has not implemented a regulatory sandbox, but has adopted a level playing field approach to regulation. BaFin applies the principle of "same business, same risk, same rules" – which means that all players that provide the same financial services with the same risks are subject to the same level of regulation and supervision.

Whether a fintech business model requires authorisation by a supervisory authority depends on its structure and on the circumstances of each individual case. Most business models (eg, alternative payment methods, automated portfolio management and crowdfunding) require authorisation pursuant to the Banking Act or the Payment Services Supervision Act. Insurtech companies are subject to insurance supervision if they conduct insurance business. If this is the case, they require authorisation pursuant to the Insurance Supervision Act from the competent German supervisory authority, usually BaFin. Mere insurance broking requires an authorisation under the German Industrial Ordinance.

In contrast, the use of blockchain technology is in principle not subject to authorisation, as this is simply a form of technology. Supervisory assessments depend on how the technology is applied and which activities are to be conducted with it – for example, a token could be regarded as a regulated financial instrument. Due to the wide range of potential applications of blockchain technology, general statements about notification or licensing requirements cannot be made.

1.3 Which bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?

Fintech business models requiring authorisation pursuant to the Banking Act, the Payment Services Supervision Act or the Insurance Supervision Act are supervised by BaFin. Fintech business models requiring authorisation pursuant to the Industrial Ordinance are supervised by other competent supervisory authorities at regional level. Upon application, BaFin grants authorisation to institutions if they meet certain requirements and monitors them on an ongoing basis. BaFin may grant licences subject to conditions or limit licences to individual financial services. If financial services are provided without the required licence, the supervisory authority may order the immediate termination of the business operations and the immediate settlement of the transactions vis-à-vis the company and the members of its bodies. Coercive measures may be imposed on companies and members of their bodies involved in the initiation, conclusion or execution of the unauthorised transactions. BaFin's measures range from written warnings to fines and even withdrawal of an institution's authorisation. The provision of banking services, financial services or payment services without permission is a criminal offence. BaFin's powers apply irrespective of whether the fintech company is located inside or outside of Germany if the fintech's services are offered to German customers.

1.4 What is the regulators' general approach to fintech?

BaFin's supervisory activities are competition neutral and technology neutral. BaFin supervises a company if it engages in business or provides services that are subject to mandatory authorisation or registration. The statutory scope of this (technical) supervision is determined irrespective of the technology deployed for these business activities. By contrast, the specific risks of these technologies are taken into consideration by BaFin in its monitoring of the requirements concerning proper business organisation that are imposed by the relevant technical supervision legislation. The principle of "same business, same risk, same rules" applies, in combination with the principle of proportionality.

1.5 Are there any trade associations for the fintech sector?

There are several trade associations and interest groups for fintechs in Germany. The interests of fintechs are represented not only by pure 'fintech associations', but also by larger associations in the financial industry and the start-up scene:

Fintech platform of the Federal Association of German Start-ups: This is a registered association with its headquarters in Berlin and a lobby group for the German start-up industry. It was founded in 2012 to represent the interests of start-ups in Germany. At present, the association has more than 1,000 members. It covers a wide range of industries, professions and topics, with various platforms and networks, including a fintech platform. The members of the fintech platform cover a wide range of segments, including payments, lending, crowdfunding, investment, banking, insurtech, blockchain and technology services.

German Blockchain Association: The German Blockchain Association was founded in 2017 by the blockchain community in Germany. It has since grown to more than 60 members. They include the leading start-ups in the blockchain sector in Germany. The association focuses on education and training for both decision makers in politics and industry-leading companies.

The German IT Association (Bitkom): Bitkom is the trade association of the German information and telecommunications industry. Bitkom, which was founded in 1999, represents more than 2,700 companies in the digital economy, including around 1,000 mid-sized companies, 500-plus start-ups and a considerable number of global players.

Association of German Banks: The Association of German Banks represents the interests of private banks in Germany. The association was founded in 1951. It represents about 180 private financial institutions and more than 20 fintechs as associated members.

German Crowdfunding Association: The German Crowdfunding Association is an interest group and network of commercial crowdfunding platforms in Germany, founded in 2015.

2 Fintech market

2.1 Which sub-sectors of the fintech industry have become most embedded in your jurisdiction?

The German fintech industry covers all kinds of regulated and unregulated activities.

Typical examples include:

  • payment services (including mobile payments, payment initiation services and account information services);
  • crowdfunding and crowdlending (peer-to-peer lending);
  • roboadvice and automated portfolio management;
  • crypto assets, virtual currencies and other blockchain-related activities;
  • insurtech; and
  • regtech.

2.2 What products and services are offered?

The services offered by fintechs are diverse. The most common services are those relating to alternative payment methods, automated financial portfolio management, virtual currencies, blockchain technology, crowdfunding, crowd-investing, crowd-lending, investment advice and automated order execution.

2.3 How are fintech players generally structured?

Most fintechs in Germany are structured as limited liability companies. However, there are also stock corporations.

2.4 How are they generally financed?

In 2019 Germany ranked second for fintech venture funding in Europe. As a rule, equity financing is initially the most common form of funding for fintechs; debt financing becomes more important as they mature. In general, funding is driven by financial institutions.

2.5 How are they positioned within the broader financial services landscape?

Fintechs cooperate with established financial service providers in order to increase their expertise, expand their client base and reduce costs. An increasing number of German financial service providers invest in fintechs, and especially in B2B fintechs.

2.6 Do start-ups generally outsource back office functions and is there a developed market for them to access? What are the legal implications of outsourcing?

The outsourcing of back office functions is not unusual for start-ups, as it enables them to focus on their core business and save on human resources. Several companies already offer such services and some start-ups have even been set up as pure 'white label' providers of regulated financial services to fintechs (so-called 'reverse outsourcing'). In German financial services law, outsourcing is generally permitted, but strictly regulated. Fintech companies that are subject to the Banking Act or the Payment Services Supervision Act must comply with the outsourcing provisions of those acts. In addition, white label providers of regulated services to fintechs must comply with the same rules that apply to the fintech's business.

The Banking Act sets out different standards for material and non-material outsourcing. Outsourcing is material if:

  • banking transactions, financial services and other services typical of an institution are affected by the outsourcing; and
  • the outsourcing gives rise to risks relevant to banking supervision.

Based on a risk analysis, the institution must determine whether the outsourcing is material. Non-material outsourcing includes, for example:

  • debt collection;
  • cash dispenser services;
  • general and support services (eg, facility management);
  • pure consulting services (eg, consulting on legal and tax matters); and
  • standardised services (eg, market information services).

Outsourcing must not lead to a delegation of management responsibility. In the case of non-material outsourcing, the general requirements for proper business organisation under the Banking Act and the administrative practice of the Federal Financial Supervisory Authority (BaFin) must be observed. Additional requirements apply in the case of material outsourcing (eg, specification and delimitation of the outsourced services in the outsourcing agreement). Furthermore, the European Banking Authority (EBA) Guidelines on Outsourcing Arrangements (EBA/GL/2019/02), which in some respects go beyond BaFin's national requirements on outsourcing, must be observed. Significant institutions supervised directly by the European Central Bank must, in principle, apply these guidelines directly. For all other institutions, BaFin is expected to incorporate the EBA guidelines into its administrative practice; in the meantime, BaFin publishes the guidelines on its website.

With regard to national implementation, in July 2019 BaFin stated that it "intends to comply with the EBA Guidelines on outsourcing arrangements by 31 December 2020", and pointed out that the Minimum Requirements for Risk Management (MaRisk) will be amended accordingly. However, BaFin expects indirect but immediate application of the EBA guidelines on outsourcing by less significant institutions (LSIs) with regard to those requirements that mainly concretise principles already addressed in the principle-based MaRisk and in the Supervisory Requirements for IT in Financial Institutions (BAIT). Although LSIs will have to observe further requirements only once the amendments to MaRisk have been implemented, BaFin generally recommends that they familiarise themselves with the content of the EBA guidelines at an early stage. Experience suggests that any additional transition period after publication of the amendments will be limited to those amendments that result from national scope for interpretation or that require national interpretation.

3 Technologies

3.1 How are the following key technologies in the fintech space regulated and what specific legal issues are associated with each? (a) Internet (e-commerce); (b) Mobile (m-commerce); (c) Big data (mining); (d) Cloud computing; (e) Artificial intelligence; and (f) Distributed ledger technology (Blockchain, cryptocurrencies)

(a) Internet (e-commerce)

Many e-commerce platforms provide facilities to make payments, including the transfer of funds to a payment account (eg, by payment card). If an online platform is itself involved in the transfer of funds, it may be conducting money remittance business within the meaning of the Payment Services Supervision Act. Providing payment services without prior authorisation from the Federal Financial Supervisory Authority (BaFin) is prohibited; if a payment service is provided without a BaFin licence, sanctions may be imposed (eg, an order to terminate business operations).

The licensing requirement does not apply to commercial agents that process payment transactions in the context of e-commerce as part of their intermediary activities, provided that the platform operator can be clearly assigned to the side of either the payer or the payee (but not both) and is authorised by agreement to negotiate or conclude the sale or purchase of goods and services on that party's behalf. Merely stating in the general terms and conditions that the platform acts for one party is not sufficient. In order to obtain confirmation that the conditions for the exception are met, the platform operator can apply to BaFin for a certificate.

Contracts regarding e-commerce between an entrepreneur and a consumer are subject to certain pre-contractual information obligations vis-à-vis the consumer pursuant to the Civil Code and (if applicable) the Act against Unfair Competition and/or the Telemedia Act. In addition, compliance with data protection laws – in particular, with the General Data Protection Regulation (2016/679) – is required.

(b) Mobile (m-commerce)

In Germany, m-commerce is regarded as a part of e-commerce; see (a) above.

(c) Big data (mining)

The use of big data and data mining is not subject to any specific regulation in Germany.

However, the origin of the data must always be taken into account in order to identify the general rules to be complied with. For instance, if the data originates from a third-party database (which under certain circumstances enjoys statutory protection as a database under copyright law), its use may be lawful only under licence. This requires a legal assessment under the Copyright Act.

In the fintech field, the use of big data will regularly be limited to the processing of non-personal – that is, anonymous – mass data (eg, share prices or other financial figures). In this case there are no data protection regulations to be complied with. However, if personal data is processed, the processing must comply with the EU General Data Protection Regulation (2016/679) (GDPR) and the accompanying national laws. For a general overview of the applicable data protection legislation, see question 5.1.

Nevertheless, the principle of data minimisation laid down in the GDPR is relevant here, as it is of particular importance to big data. It stipulates that "personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed". This principle regularly conflicts with the basic idea behind big data (ie, to collect as much data as possible). How to reconcile these conflicting interests must be examined on a case-by-case basis.

The algorithms behind big data and data mining can be protected under the Trade Secret Protection Act as know-how or business information if the algorithm qualifies as a trade secret. This requires that the algorithm is secret (ie, not generally known or readily accessible), that it is of commercial value because it is secret and that its holder has taken reasonable measures to keep it secret.

(d) Cloud computing

Fundamentally, cloud computing is subject to regulatory requirements only if it constitutes outsourcing by a regulated (fintech) company. This is the case where an activity previously (or typically) performed by the outsourcing company itself is to be performed by a service provider in the future. The question of whether cloud computing constitutes outsourcing cannot be answered in general, but requires a detailed examination of the relevant regulations in each specific cloud computing application.

If the cloud computing does constitute outsourcing, the specific relevant regulatory requirements depend on the nature of the outsourcing company. Some of the most essential regulatory regimes to be considered in the field of fintech include the following:

  • The outsourcing company is a national credit institution or financial services institution: If the outsourcing company is a credit institution or financial services institution within the meaning of the Banking Act, the regulatory requirements to be complied with are set out in that act. They are specified in more detail in BaFin's Minimum Requirements for Risk Management and in BaFin's guidance on outsourcing to cloud service providers.
  • The outsourcing company is a significant credit institution: If a credit institution meets the significance criteria of the European Single Supervisory Mechanism, it is subject to direct supervision by the European Central Bank; this is rather unlikely for fintech start-ups. In this case the Guidelines on Outsourcing Arrangements of the European Banking Authority (EBA), which apply since 30 September 2019, must be applied directly; these guidelines incorporate the EBA's 2017 Recommendations on Outsourcing to Cloud Service Providers. With respect to the application of the EBA guidelines to less significant institutions, please see question 2.6.
  • The outsourcing company is a payment service provider: If the outsourcing company is a payment service provider, regulatory requirements for outsourcing arise from the Payment Services Supervision Act.
  • The outsourcing company is a capital management company: If the outsourcing company is a capital management company or an investment fund, regulatory requirements for outsourcing arise from the Capital Investment Code.

Almost all outsourcing regimes further distinguish between non-material and material outsourcing. Material outsourcing is also referred to as 'outsourcing of critical or important functions'. This classification significantly influences the scope of the rules to be observed. The assessment of whether an outsourcing is material must be carried out by the outsourcing company itself on the basis of a risk analysis.

Some exemplary aspects of outsourcing regulation, common to all regulatory regimes, include the following:

  • information and audit rights of the outsourcing company and its supervisory authorities, as well as sometimes rights to instruct;
  • rules governing the conditions under which the IT service provider may outsource itself (sub-outsourcing);
  • special termination rights for the outsourcing company; and
  • rules which, under certain circumstances, lay down the support and transition obligations of the IT service provider, even after termination of the outsourcing agreement.

If the cloud computing in the specific application does not constitute outsourcing, only a few regulatory requirements need to be considered – for instance:

  • where a credit institution or financial services institution (within the meaning of the Banking Act) uses the IT services of another company (eg, cloud computing) and this specific use does not constitute outsourcing (so-called 'other external procurement'), the requirements to be considered are laid down in BaFin's Supervisory Requirements for IT in Financial Institutions (BAIT); and
  • according to the Fiscal Code, electronic books and other records relevant to taxation may be transferred to and kept in a cloud abroad only under certain conditions, upon the written application of the taxpayer and with the approval of the competent tax authority.

(e) Artificial intelligence

Artificial intelligence (AI), especially in connection with big data – jointly referred to as BDAI – is a topic that attracts a lot of attention in the financial market and from BaFin. BaFin published a study on BDAI in 2018, which examined the technological developments of BDAI with regard to the financial market and the possible implications for financial regulatory supervision. In this context, BaFin has stated that the responsibility for proper business organisation must remain with the managers in the context of the use of BDAI. This responsibility must not be automated or outsourced by BDAI applications.

The use of AI as such is not regulated in Germany. However, its use in applications such as roboadvice requires authorisation if financial services subject to an authorisation requirement are performed. Roboadvice is described in detail in question 4.1(h). According to the German Data Ethics Commission (DEK), AI is a special form of algorithmic system. The DEK recommends a risk-adapted regulatory approach for algorithmic systems, based on the principle that the greater the potential for harm, the stricter the requirements and the regulatory instruments that apply.

The DEK identifies five levels of criticality and recommends graduated regulation:

  • applications with no or negligible potential for harm: no special control or requirements;
  • applications with some potential for harm: needs-oriented measures (eg, disclosure obligations towards supervisory authorities);
  • applications with regular or significant potential for harm: additional approval procedures;
  • applications with serious potential for harm: additional approval procedures, stricter control and transparency obligations, potentially including publication of the factors used in the algorithmic calculation, their weighting, the data basis and the algorithmic decision model, as well as the possibility of continuous official control through a live interface to the system; and
  • applications with untenable potential for harm: complete or partial ban.

To implement the proposed measures, the DEK recommends regulating algorithmic systems through general horizontal requirements in EU law. The European Commission shares the view that a risk-based approach to AI should be adopted in order to ensure that regulatory intervention is proportionate. In February 2020 the European Commission presented a white paper on AI, which was open for comments until 19 May 2020.

(f) Distributed ledger technology (Blockchain, cryptocurrencies)

In principle, the use of blockchain technology is not subject to an authorisation requirement, as it is simply a form of technology. Supervisory assessments depend on how the technology is applied and which activities are conducted with it. Due to the wide range of potential applications of blockchain technology, general statements about notification requirements cannot be made. According to the German government's blockchain strategy of 18 September 2019, the trading and custody of tokens must be regulated. Blockchain technology allows values and rights to be represented digitally, which allows for the creation and transfer of digital investment products; previous intermediaries (eg, banks) are no longer needed for transactions on the blockchain.

As part of the implementation of the Fifth Anti-money Laundering Directive (EU) 2018/843, the federal government has introduced the safekeeping of crypto assets for third parties as a new financial service ('crypto depository service') that requires authorisation pursuant to the Banking Act. This is accompanied by strict requirements relating to, for example, the management board members running a financial services institution: they must demonstrate adequate theoretical and practical knowledge of the business concerned, as well as managerial experience. A person is presumed to have the necessary professional qualifications if he or she can demonstrate three years' managerial experience at an institution of comparable size conducting a comparable type of business.

'Crypto assets' are defined in the Banking Act as digital representations of a value that has not been issued or guaranteed by any central bank or public authority and does not have the legal status of currency or money, but which is accepted by natural or legal persons as a means of exchange or payment on the basis of an agreement or actual practice, or which serves investment purposes and which can be transferred, stored and traded electronically.

4 Activities

4.1 How are the following key activities in the fintech space regulated and what specific legal issues are associated with each? (a) Crowdfunding, peer-to-peer lending; (b) Online lending and other forms of alternative finance; (c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and AirBnb); (d) Forex; (e) Trading; (f) Investment and asset management; (g) Risk management; (h) Roboadvice; and (i) Insurtech.

(a) Crowdfunding, peer-to-peer lending

Crowdfunding can be structured in different ways and is subject to different regulation depending on its form. Usually, fintechs choose a structure which has reduced regulatory requirements, as their activity is limited to the brokering of loans, which are technically capital investments under German regulatory law. One fintech obtained a licence as a financial institution, but returned the licence to work on a less regulated basis.

Several crowdfunding and peer-to-peer lending platforms cooperate with fully licensed fronting banks which issue the loan and thereafter sell portions of the loan to investors.

Loans made via crowdfunding platforms may be subject to prospectus and publication requirements under the Capital Investment Act, to be fulfilled by the respective borrower.

These requirements are reduced if the capital investments of the same issuer:

  • do not exceed €6 million in total; and
  • are brokered exclusively via an online platform acting as investment broker or investment adviser,

and the platform ensures that each investor (other than a corporation) invests no more than:

  • €1,000;
  • €10,000, if the investor confirms that it holds freely available bank deposits and financial instruments of at least €100,000; or
  • twice its average monthly net income, up to a maximum of €25,000.

Additional exemptions can reduce the burdens of the Capital Investment Act.

(b) Online lending and other forms of alternative finance

Online lending to both consumers and businesses may be considered as a banking business that is subject to authorisation, particularly as credit business on the part of the lender and as deposit business on the part of the borrower. Banking business is subject to authorisation pursuant to the Banking Act if it is conducted commercially or on a scale which requires commercially organised business operations.

Depending on the structure of the alternative finance an authorisation may be required pursuant to the Banking Act, the Payment Services Supervision Act, the Capital Investment Act or the Industrial Ordinance.

(c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and Airbnb))

In Germany, payment services are regulated by the Payment Services Supervision Act, which implemented the Second Payment Services Directive into German law. Anybody that wants to provide payment services requires authorisation from the Federal Financial Supervisory Authority.

Payment services include:

  • operation of a payment account;
  • payment transactions;
  • the issue of payment instruments;
  • acquiring payment transactions;
  • money remittance;
  • payment initiation services; and
  • account information services.

Marketplaces that route payments from customers to suppliers usually provide payment services requiring authorisation. However, there are different ways to avoid this requirement (eg, making use of exemptions under the Payment Services Supervision Act or cooperation with a licensed payment service provider) if such exemption fits the business model of the marketplace.

(d) Forex

Foreign exchange is a financial instrument pursuant to the Banking Act. Providing financial services (eg, brokering or proprietary trading) in relation to foreign exchange therefore requires authorisation from the Federal Financial Supervisory Authority (BaFin). The requirement to obtain a licence pursuant to the Banking Act is accompanied by numerous obligations under supervisory law, including liquidity requirements.

If a forex broker based in another member state of the European Economic Area (EEA) holds a licence from the competent authority of that state, a separate licence from BaFin is not required. The same exemption can be extended to forex brokers in a non-EEA state by way of a statutory order of the Federal Ministry of Finance, which may be issued if reciprocity is assured and if:

  • the undertakings are supervised in the country of domicile in the areas covered by the exemption in accordance with internationally recognised principles;
  • branches of corresponding undertakings domiciled in Germany are afforded comparable exemptions in that state; and
  • the competent authorities of the country of domicile are willing to cooperate satisfactorily with BaFin and this is guaranteed by means of an international agreement.

(e) Trading

Anyone wishing to provide financial services in Germany on a commercial basis, or on a scale that requires commercially organised business operations, requires written authorisation from the Federal Financial Supervisory Authority (BaFin) pursuant to the Banking Act. Exceptions apply to entities domiciled in another EEA member state. As crypto assets are financial instruments, the operation of a crypto exchange requires authorisation from BaFin: depending on the structure of the exchange through which tokens can be purchased, sold or exchanged, its operator may conduct proprietary trading, operate a multilateral trading facility, perform investment brokering or deposit business and, in some cases, provide a crypto depository service. The operator of a crypto exchange is also subject to anti-money laundering obligations if it provides financial services.

(f) Investment and asset management

There are two types of investment funds: undertakings for collective investment in transferable securities (UCITS) and alternative investment funds (AIFs). UCITS are investment funds that meet the requirements of Directive 2009/65/EC; any investment fund that is not a UCITS is an AIF. There are also several types of management company: German UCITS management companies, AIF management companies and German asset management companies that manage both types of investment fund.

If a company wishes to manage an investment fund as a German asset management company with its registered office and head office in Germany, it needs written authorisation from, or must register with, BaFin.

Registration with BaFin is sufficient for German AIF management companies if:

  • they exclusively manage special AIFs and the managed assets do not exceed the value of €100 million with the use of leverage or €500 million without the use of leverage, where in the latter case, investors cannot exercise redemption rights within five years of the first investment;
  • they manage closed-ended retail AIFs in Germany whose units are held by not more than five natural persons and whose assets do not exceed the sum of €5 million with leverage; or
  • they manage directly or indirectly closed-ended AIFs issued in Germany, including retail AIFs, and their assets do not exceed the sum of €100 million with leverage.

(g) Risk management

Depending on their structure, companies may have to ensure that they have in place an adequate and effective risk management system that includes outsourced activities and processes. This goes hand in hand with, and is part of, proper business organisation. If facts are doubtful or unusual, based on experience and knowledge of the methods of money laundering and terrorist financing, the company must investigate them in light of the ongoing business relationship and individual transactions.

What constitutes 'proper business organisation' depends on the nature, scope, complexity and risk level of the company's business activities. The company must take measures proportional to its business risk, which are appropriate to the nature and circumstances of the respective activities.

Special attention must be paid to counterparty default risks and market price risks, as well as to operational risks and related risk concentrations.

Proper business organisation includes, in particular:

  • appropriate measures of corporate management, control mechanisms and procedures, which ensure that the company meets its obligations;
  • the maintenance and updating of a loss database and complete documentation of the business activity, which ensures that BaFin can fully monitor its activities;
  • appropriate emergency measures for IT systems; and
  • data processing systems that ensure compliance with the requirements of the Anti-money Laundering Act.

The outsourcing of risk management (eg, to fintechs) is permissible only to a limited extent. For example, the management tasks of the executive management of a bank or financial services institution may not be outsourced, as the responsibility of the executive management cannot be delegated under the Minimum Requirements for Risk Management (MaRisk). MaRisk does not apply directly to payment service providers; however, according to BaFin, it provides indications of the requirements that are to be met in the course of proper business organisation. It is possible to outsource the risk control function, the compliance function or internal auditing if proper business organisation is ensured.

Complete outsourcing of the compliance function and internal auditing is possible only for small institutions, where the establishment of their own compliance function and internal auditing does not appear appropriate due to their size and the nature, scope, complexity and risk content of their business activities. Safeguard measures with regard to the prevention of money laundering or terrorist financing may be outsourced to third parties, but BaFin may require that they be transferred back to the institution if necessary. With regard to insurance companies, it is possible to outsource certain parts of the risk management system or the internal control system. AIF capital management companies may outsource risk management to companies that are authorised or registered for the purpose of asset management or financial portfolio management and are subject to supervision. Alternatively, BaFin can also approve the outsourcing. In addition, the general requirements for outsourcing must be observed. Please see questions 2.6 and 3.4.

(h) Roboadvice

Depending on the type and scope of the financial services offered, providers of automated distribution of financial instruments (roboadvice) can be financial service providers subject to the supervision of BaFin or financial investment brokers that are supervised by the Chamber of Commerce and Industry. The regulatory assessment depends greatly on how the platform is designed and on the contractual arrangements with users. Roboadvice can be provided in numerous ways, including in the form of regulated financial services such as investment advice, investment or contract brokerage or financial portfolio management. Therefore, roboadvice usually requires a licence under banking or industrial law. Providing roboadvice without obtaining prior authorisation pursuant to the Banking Act or the Industrial Ordinance (as applicable) is prohibited. The information provided through roboadvice may constitute investment advice if the result generated by the roboadviser has the character of a personal recommendation. Portfolio management, by contrast, involves managing the portfolio on an ongoing basis.

(i) Insurtech

German law does not define the term 'insurtech'. However, the term is generally used to refer to all new technology-based companies focusing on insurance. There are many different business models of insurtech companies. Common areas in which insurtechs operate are distribution and contract management. If insurtech companies assume the role of insurance intermediaries, they fall within the scope of the Industrial Ordinance.

In this case, the risk inherent in an insurance contract is assumed not by the insurtech, but by an insurance company, which must have a licence from BaFin under the Insurance Supervision Act to operate the insurance business. Insurance intermediaries may obtain a licence from their local chamber of industry and commerce. In the course of its ongoing supervision, BaFin does not distinguish between traditional insurance companies and insurtechs. If insurtechs domiciled in Germany conduct insurance business, they are subject to insurance supervision and therefore require authorisation from the competent German supervisory authority. The competent German supervisory authority is usually BaFin. However, authorisations may be granted only to public limited companies, mutual societies, public corporate bodies and institutions under public law. Different authorisation requirements apply depending on the pursued line of business.

5 Data security and cybersecurity

5.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for fintech companies?

If personal data is processed, the processing must comply with the EU General Data Protection Regulation (2016/679) (GDPR) and, where applicable, the accompanying Federal Data Protection Act, as well as industry-specific laws containing special national data protection provisions (eg, the Payment Services Supervision Act). The Federal Data Protection Act modifies and refines the GDPR in certain areas, most of which are not particularly important in the fintech field.

Whether the GDPR is applicable is not always easy to determine. According to the GDPR, data is personal even if the data subject can be identified only indirectly "by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person". This definition is very broad and in practice a legal distinction from non-personal – that is, anonymous – data must regularly be made.

The fintech-specific implications of the applicable data protection legislation include the following:

  • The GDPR contains special provisions for "automated individual decision-making" and profiling, both of which are likely to be used regularly in the fintech sector. In order to protect the data subjects, this kind of processing is subject to stricter requirements.
  • In general, the processing of personal data is justified if it is necessary to comply with legal obligations. Such a legal obligation can arise from legislation specific to the financial sector, such as the Banking Act or the Anti-money Laundering Act.
  • If payment services according to the Payment Services Supervision Act are involved, the act provides special justification for the processing of personal data: payment service providers may process personal data to the extent necessary for the prevention, investigation and detection of fraud in payment transactions.

5.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for fintech companies?

There is no unified cybersecurity regime in Germany. The applicable regime is spread over various laws, including:

  • the GDPR;
  • the Banking Act;
  • the Minimum Requirements for Risk Management;
  • the Supervisory Requirements for IT in Financial Institutions;
  • the European Banking Authority's Guidelines on outsourcing arrangements (EBA/GL/2019/02);
  • the Telemedia Act;
  • the Telecommunications Act; and
  • the Act on the Federal Office for Information Security.

A new national IT security law is currently being drafted. It will amend some of the above laws and will lead to a major expansion of IT security obligations.

For fintech players to understand which of these requirements will apply to them, they must determine, on a case-by-case basis, which of the abovementioned areas their business falls into.

For instance, the Act on the Federal Office for Information Security provides a legal framework for cooperation between the state and companies to enhance cybersecurity in critical sectors. Operators in critical sectors must implement IT security according to the state of the art and report significant security incidents to the Federal Office for Information Security. These provisions are supplemented by the Ordinance on the Determination of Critical Infrastructures under the Act on the Federal Office for Information Security. It covers seven sectors, including finance and insurance, and applies only if certain high thresholds are met (ie, the operator qualifies as critical infrastructure).

At the European level, in 2016 the Directive on Security of Network and Information Systems (2016/1148) was enacted as the first statute in an EU-wide cybersecurity regime. The aim is to enhance cybersecurity across the European Union. The directive has three parts:

  • building capacity for cybersecurity (national strategies, authorities and certifications) in all member states;
  • improving cross-border cooperation; and
  • comparable to the Act on the Federal Office for Information Security, setting minimum requirements and reporting obligations for operators in critical sectors as well as providers of digital services such as cloud services and online marketplaces.

The German transposition law has extended the supervisory and enforcement powers of the Federal Office for Information Security to operators in critical sectors and providers of digital services. This regulation is not fintech-specific; however, fintech companies may also be subject to it.

6 Financial crime

6.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for fintech companies?

The Federal Financial Supervisory Authority (BaFin) aims to prevent misuse of the financial system for the purpose of money laundering, terrorist financing and other criminal offences, which can present a threat to the assets of institutions. Therefore, all companies in the financial sector are expected to have formal business policies to prevent transactions with a criminal background, and to work towards detecting and combating such transactions and terrorist financing activities.

Among others, credit institutions, financial services institutions, payment institutions, life insurance undertakings, German asset management companies and persons and companies that sell or convert e-money are subject to the anti-money laundering supervision of BaFin.

BaFin ensures that the parties subject to its supervision meet their respective statutory obligations under the Anti-money Laundering Act, the Insurance Supervision Act, the Payment Services Supervision Act and the Capital Investment Code. The regulations aim to ensure transparency in business relationships and financial transactions through the use of specific precautions – in particular, the implementation of an appropriate risk management system, including risk analysis and internal risk measures. Parties which are subject to this regime must conduct risk-appropriate customer due diligence. If they discover facts indicating that an asset relating to a business relationship or transaction originated from a criminal act that could constitute a predicate offence of money laundering or a business transaction relating to terrorist financing, such suspicions must be notified to the Financial Intelligence Unit of the Central Customs Authority. Fintech companies are not automatically more vulnerable to money laundering and terrorist financing than other companies and are therefore subject to the same regulation. Caution should be exercised when established market players cooperate with fintech companies that do not hold a licence, because innovative technologies that allow fast and anonymous payment may facilitate money laundering and terrorist financing.

7 Competition

7.1 Does the fintech sector present any specific challenges or concerns from a competition perspective? Are there any pro-competition measures that are targeted specifically at fintech companies?

Fintechs drive innovation and promote competition. Specific pro-competition measures with regard to fintechs do not exist in Germany. Many services provided by fintechs are subject to regulatory requirements – for example, under the Payment Services Supervision Act or the Banking Act. However, many fintechs focus on business areas that are not subject to supervision by the Federal Financial Supervisory Authority. In addition, many fintechs that do not hold a banking licence, but focus on areas that are subject to regulation, cooperate with banks. The lower level of regulation applicable to fintechs can present a challenge for banks, as the stricter regulatory requirements to which they are subject, and the higher costs incurred in meeting them, can negatively affect their competitiveness vis-à-vis fintechs. For fintechs, on the other hand, it may be difficult to identify their regulatory obligations. The precise determination of these requires a case-by-case analysis. However, fintechs seem to base their offerings on the prospects of success in the respective market, rather than on the extent of the regulatory requirements. A further competitive disadvantage for fintechs is that, for example, the established banks have a loyal customer base. It can be difficult for fintechs to attract a significant number of customers through their own efforts. Banks, on the other hand, can increase the loyalty of their customers by integrating fintech solutions. In order to survive in competition with banks, fintechs are forced to expand. However, the more a fintech broadens its offering, the more likely it is that it will end up providing regulated services. This can present fintechs with organisational, financial and personnel challenges, especially with regard to the practical knowledge of managers.

Some unfair competition law cases in Germany have involved the operation of fintech businesses without the necessary licence. In these cases competitors (rather than the regulators) sued the fintechs for gaining a competitive advantage by breaking the law.

8 Innovation

8.1 How is innovation in the fintech space protected in your jurisdiction?

Fintech innovation can be protected through instruments such as IP rights. Fintechs can apply to register patents at the German Patent and Trademark Office (DPMA). In the patent application, the applicant must describe the invention and specify what is to be protected as patentable. As soon as the patent application is published in the patent office journal, the applicant can take action against anyone who uses the invention while knowing, or being in a position where they ought to have known, that a patent application has been submitted for it. After disclosure, the patent application is examined by the DPMA in order to determine whether the formal and material requirements for patentability are met. If this is the case, the patent is granted by the DPMA and published in the patent office journal. Fintechs should think carefully before filing for a patent, both to avoid unnecessary costs and because the innovation must be published in connection with a patent application. For fintech companies, a technological advantage can be decisive from a competitive perspective, and this can be lost if the innovation is published.

Other IP rights that can be used to protect innovation include utility models and copyrights.

8.2 How is innovation in the fintech space incentivised in your jurisdiction?

Germany has not implemented a regulatory sandbox but has adopted a level playing field approach to regulation. BaFin applies the principle of "same business, same risk, same rules" – which means that all players that provide the same financial services with the same risks are subject to the same level of regulation and supervision. However, the German regulator provides information on regulatory implications on its website and organises events such as the BaFin Tech conference which addresses both established companies and start-ups in the fintech sector.

Several funding programmes and instruments provide equity capital and grants for innovative start-up projects and programmes that provide them with professional advice and even office space. They include the following:

  • INVEST – Venture Capital Grant Programme: Through this programme, the Federal Ministry of Economics and Energy supports the participation of private investors in young companies with an acquisition grant of 20% of the investment sum.
  • EXIST – Business Start-ups from Science Programme: Through this programme, the federal government supports specific high-tech start-up projects by, for example, supporting students and graduates in preparing innovative start-ups and drawing up a business plan.
  • German Accelerator: This programme helps start-ups to introduce their business models abroad and take advantage of the growth opportunities offered by foreign start-up hubs.
  • High-Tech Start-up Fund: This assists young start-ups in attracting venture capital and supports their management.
  • coparion venture capital fund: This venture capital fund, which is financed by the ERP Special Fund, KfW Capital and the European Investment Bank, invests venture capital in innovative technology companies in the start-up and early growth phase.
  • ERP/EIF fund of funds: This fund invests in venture capital funds that invest in technology companies which are at an early stage or that provide follow-on financing in the early or growth stages.
  • KfW investment company KfW Capital: This company participates in venture capital funds in Germany and Europe on behalf of the ERP Special Fund in order to support technology-oriented start-ups in the growth phase in Germany through venture capital.
  • FinTech Hub of Deutsche Börse and Deutsche Börse Venture Network team: This aims to promote the fintech community in Frankfurt am Main and the Rhine-Main region. The FinTech Hub provides start-ups with office space; whereas the Deutsche Börse Venture Network team provides them with professional advice and arranges contacts with experienced financing and market experts and investors.

9 Talent acquisition

9.1 What is the applicable employment regime in your jurisdiction and what specific implications does this have for fintech companies?

There is no specific labour law for fintechs. German labour law is based on various statutes. The establishment of the employment relationship is regulated by the Civil Code. Employment contracts may be either fixed term or indefinite; as a result, the Part-Time and Limited Term Employment Act may or may not apply. These statutes are complemented by regulations designed to protect employees. Employees are entitled to wages and salaries in the event of illness or on public holidays pursuant to the Continued Remuneration Act; there is also an obligation to provide minimum vacation and payment during an approved vacation pursuant to the Federal Vacation Act. Special protection against termination of the employment contract may result from the Maternity Protection Act or the Protection Against Unfair Dismissal Act. Furthermore, there is a minimum wage in Germany.

However, employees are subject to the employer's right to issue instructions and may not compete with the employer during the employment relationship. Non-compete obligations that go beyond this can be contractually agreed. Furthermore, co-determination rights may arise under the Works Constitution Act if the employer is a certain size.

9.2 How can fintech companies attract specialist talent from overseas where necessary?

Access to the German labour market has been further liberalised in recent years. The Skilled Immigration Act, which has been in force since March 2020, facilitates labour immigration to Germany for skilled workers with vocational, non-academic training from non-EU countries. Foreign skilled workers fall into three categories:

  • foreign skilled workers from EU/European Economic Area states;
  • foreign skilled workers from those third countries that are allowed to enter Germany without a visa; and
  • foreign skilled workers from all other third countries.

Foreign nationals of the European Union and the European Economic Area enjoy unrestricted access to the German labour market. The same applies to Swiss nationals. As a result, there is no visa requirement for workers from these jurisdictions and such nationals do not need a residence permit to take up employment in Germany. There is a transition period with regard to UK nationals until the conclusion of an agreement with the European Union in order to regulate residence legislation. The transition period ends on 31 December 2020 at the latest. As a rule, nationals of third countries need a visa to enter Germany and must convert this visa into a residence permit to be allowed to work in Germany. However, nationals of Australia, Canada, Israel, Japan, the Republic of Korea, New Zealand and the United States may enter Germany without a visa, but must then apply for a residence permit for the purpose of employment in Germany. A foreign skilled worker who wishes to work in Germany cannot do so without a residence authorisation approved by the Federal Employment Agency in accordance with the Residence Act. However, exemptions apply if, for example, an intergovernmental agreement exists or an exemption is available pursuant to the Ordinance on the Employment of Foreigners. As a temporary residence authorisation for foreign skilled workers with an academic degree, the EU Blue Card offers third-country nationals easy access to the German labour market and is therefore particularly attractive. It is issued without any need for approval from the Federal Employment Agency if the person earns above a certain threshold.

Companies are keen to attract and retain highly qualified employees on a long-term basis. However, start-ups in particular do not always have sufficient financial means to pay attractive salaries. Therefore, many start-ups attempt to compensate for this by having their employees participate in the start-up. A wide range of models for employee participation are available, ranging from the free or discounted grant of shares in the company or the issue of stock options to option programmes that are purely based on the law of obligations. For example, if shares in a limited liability company are transferred to an employee, the employee becomes a shareholder. As the transfer of shares is associated with tax disadvantages, gives the employee voting rights and must be notarised (and therefore involves notarial costs), many companies prefer to grant virtual shares (phantom stock). The issue of virtual shares gives employees (only) the opportunity to participate in the future increase in the company's enterprise value. If the exercise conditions defined in the phantom stock programme are met, the employee has a contractual claim against the company to payment of a certain amount of money (as non-cash or cash consideration).

In addition, companies provide incentives such as non-cash bonuses, vouchers, travel, events, bonus programmes, cars, mobile phones and gifts. However, according to the Civil Code, bonuses are considered part of the employee's remuneration. As a rule, they are therefore fully taxable. Strict standards apply to tax-free incentives. Special benefits in the form of bonuses granted by the employer on certain occasions (eg, business anniversaries) in addition to remuneration must be distinguished from this.

10 Trends and predictions

10.1 How would you describe the current fintech landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

The German fintech landscape – with its capital in Berlin, where most fintechs are located – is shaped by a winner-takes-all dynamic. As a rule, just one fintech in each segment manages to attract a sufficient number of customers to prove interesting to investors. Fintechs in Germany are closing the gaps left by established companies. Many fintechs have professionalised themselves over the years, changing their business model from business-to-consumer to business-to-business (B2B), and have become part of the value chains of banks and insurance companies as service providers. Furthermore, many start-ups focus on B2B. This trend is promoting cooperation between fintechs and established companies, driven by the synergies between them: established companies have capital, access to customers and the necessary regulatory know-how; while fintechs are innovative and have the technology and the ability to bring new products quickly to market. As it is difficult for fintechs to attract a significant number of customers through their own efforts, this trend of cooperation is expected to continue.

Trending fintech technologies are artificial intelligence in combination with big data and blockchain technology. With regard to blockchain technology, one of the current trends is the tokenisation of assets. Consolidation between fintechs on the market is also increasing. It is becoming increasingly difficult for less successful fintechs to raise additional funding, especially where they are obliged to comply with regulation. Thus, M&A activity has increased significantly. At the same time, a number of well-established e-commerce players have started to develop fintech business models based on their existing customer base.

11 Tips and traps

11.1 What are your top tips for fintech players seeking to enter your jurisdiction and what potential sticking points would you highlight?

The trend of cooperation between incumbents and fintechs can lead to many technical differences and culture clashes. It can also be difficult for fintechs to identify the applicable regulatory regime and ensure compliance with their obligations thereunder (eg, both when a fintech starts operating and when it changes its business model). Fintechs can obtain information on the regulatory implications from the website of the Federal Financial Supervisory Authority (BaFin). BaFin also organises events such as the BaFin Tech Conference, aimed at both established companies and start-ups.

When entering the German market, it is often crucial to have skilled personnel on the ground by opening a branch or subsidiary. The purely cross-border provision of services, in particular from outside the European Union, is seldom welcomed by German customers.

Furthermore, the German regulator has a tendency to gold-plate European regulations. It can be a costly mistake to assume that an activity which is unregulated in one or more EU member states will also be unregulated in Germany.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.