Federal Financial Supervisory Authority Bafin

Overview

The Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin), translated as the Federal Financial Supervisory Authority, is Germany's integrated financial supervisory authority. It is an independent federal institution headquartered in Bonn and Frankfurt, operating under the legal and technical oversight of the Federal Ministry of Finance. BaFin is Germany's unified regulator for banks, financial services providers, insurance undertakings, securities trading, payment institutions, e-money institutions, crypto custody services, and investment firms.

Basic Identity

Classification

Inclusion Justification

What This Entity Oversees

Regulated Entities

BaFin supervises approximately:

• 2,700 banks (credit institutions and branches of foreign credit institutions)
• 800 financial services institutions (including investment firms, brokers, and fund managers)
• 700+ insurance undertakings (life, property and casualty, reinsurers)
• Payment institutions and electronic money (e-money) institutions
• Crypto asset service providers (CASPs) holding crypto custody licenses
• Securities trading firms and investment advisors

Supervisory Authority and Control

BaFin exercises binding supervisory authority over all regulated entities within its jurisdiction. As a Layer 1 control authority, BaFin's regulatory determinations are enforceable and legally binding, with violation subject to administrative and criminal penalties under German financial law.

Crypto Asset Custody and Regulation

Regulatory Framework

BaFin has been at the forefront of crypto regulation since 2020, requiring all entities storing crypto assets for clients to obtain licenses. Germany's regulatory approach was formalized under MiCAR (Markets in Crypto-Assets Regulation), which came into effect on 1 January 2025, and has been transposed into German law through amendments to the Banking Act (KWG).

Crypto Asset Service Provider (CASP) Licensing

BaFin issues authorization for crypto custody business (Kryptoverwahrgeschaeft) under Section 64 of the Banking Act (KWG).

Scope of CASP Authorization

The crypto custody license permits:

• Custody and administration of crypto assets on behalf of clients
• Safeguarding of digital asset keys and wallet management
• Mixed portfolios combining crypto with traditional financial assets
• Multi-signature and cold storage solutions
• Account reconciliation and reporting services

Services requiring CASP authorization:

• Custody of crypto assets for clients
• Operation of crypto trading platforms
• Exchange of crypto for fiat currency
• Exchange of crypto for other crypto assets
• Crypto-to-crypto conversion services
• Portfolio management involving crypto assets

Authorization Requirements

BaFin's authorization process requires 47 separate documentation components. Key requirements include:

• Minimum capital: EUR 150,000 initial capital
• Ownership structure: Reliable and fit-and-proper owners
• Management team: Qualified, experienced, and honest managing directors
• Risk management: Comprehensive operational and cybersecurity frameworks
• Customer protection: Segregation of client assets and custody procedures
• AML/CFT compliance: German Money Laundering Act (GwG) compliance
• Business continuity: Disaster recovery and operational resilience planning

Regulatory Timeline

• Processing time: Average of 7.2 months
• MiCAR implementation: Fully effective since 1 January 2025
• Transitional provisions: Legacy crypto businesses given grace periods for compliance

Anti-Money Laundering and Compliance Obligations

Institutions conducting crypto custody business must comply with the German Money Laundering Act (Geldwäschegesetz - GwG).

Key obligations:

• Customer Due Diligence (CDD) - Identity verification and beneficial ownership verification
• Enhanced Due Diligence (EDD) - High-risk customers and jurisdictions
• Transaction monitoring - Detection of suspicious activity patterns
• Crypto Asset Transfer Regulation (CATR) - Specific due diligence for crypto transfers
• Reporting - Suspicious transaction reporting (STR) to Financial Intelligence Unit (FIU)

European Regulatory Integration

Authority Status Within EU Framework

BaFin serves as Germany's national competent authority within European financial supervision and holds voting membership in the Boards of Supervisors of:

• European Banking Authority (EBA) - Banking regulation and supervision
• European Insurance and Occupational Pensions Authority (EIOPA) - Insurance and pension scheme oversight
• European Securities and Markets Authority (ESMA) - Securities market regulation

Supervisory Colleges and Coordination

BaFin participates in:

• Single Supervisory Mechanism (SSM) - Joint ECB-BaFin supervision of significant banking institutions
• Banking Union governance - Asset Quality Review (AQR) and stress testing
• European Systemic Risk Board (ESRB) - Macroprudential surveillance
• AML/CFT coordination - Information sharing through FIU and Europol networks

Current Supervisory Priorities (2026)

Risk Assessment and Focus Areas

BaFin publishes annual risk assessments in its "Risks in BaFin's Focus" publication. For 2026, identified supervisory priorities include:

• Digital investment services - High-risk exposure to retail investors in digital assets and cryptocurrencies
• Short-term and unsecured lending - Rapid growth in high-cost consumer credit
• Property fund stability - Increasing risks in smaller real estate funds
• Cyber resilience - Operational technology and data security threats
• Geopolitical disruption - Financial system stability under international tensions
• Artificial intelligence in financial services - Model validation and governance frameworks

Regulatory Modernization Initiatives

MaRisk Amendment (9th Amendment):

BaFin issued a draft for the 9th Amendment of the Minimum Requirements for Risk Management (MaRisk - Mindestanforderungen an das Risikomanagement) on 1 April 2026, with industry consultation period. MaRisk establishes foundational risk management standards for all institutions under BaFin supervision.

Legal Instruments and Powers

Primary Legal Authorities

BaFin's regulatory powers are grounded in:

1. Banking Act (Kreditwesengesetz - KWG) - Core banking supervision framework
2. Securities Trading Act (Wertpapierhandelsgesetz - WpHG) - Securities market conduct
3. Insurance Supervision Act (Versicherungsaufsichtsgesetz - VAG) - Insurance regulation
4. Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz - ZAG) - Payment services
5. Money Laundering Act (Geldwäschegesetz - GwG) - AML/CFT compliance
6. BaFin Statutes (Satzung) - Organizational governance

Enforcement Powers

BaFin exercises extensive enforcement authority:

• Licensing and authorization - Grant, revoke, or condition operating licenses
• Supervisory measures - On-site examinations, remote audits, and data requests
• Administrative penalties - Fines up to EUR 10 million or 10% of annual revenue
• Operational restrictions - Prohibition of activities, account freezing, asset seizure
• Emergency intervention - Receivership, asset transfer, or wind-down procedures
• Market conduct enforcement - Market manipulation, insider trading, and conduct rule violations

Funding and Operational Structure

Financial Model

BaFin is funded through:

• Fees and contributions from supervised institutions
• Budgetary allocation from the Federal Ministry of Finance
• User fees for specific licensing and approval services

This model ensures operational independence while maintaining accountability to the Federal Ministry of Finance and the German Parliament.

Employment and Workforce

BaFin employs over 1,500 regulatory professionals, economists, technology specialists, legal experts, and support staff across its Bonn and Frankfurt offices.

Key Prudential Standards

BaFin enforces European and German prudential standards including:

• Capital Requirements Regulation (CRR/CRD IV) - Minimum capital ratios and buffers
• Anti-Money Laundering Directive (AMLD5/AMLD6) - AML/CFT compliance
• Markets in Crypto-Assets Regulation (MiCAR) - Crypto service provider requirements
• Deposit Guarantee Scheme Directive (DGSD) - Depositor protection
• Central Bank payment system participation - TARGET2 and other core infrastructure

Consumer Protection Standards

• Payment Services Directive (PSD2/PSD3) - Consumer rights and redress
• Distance Marketing Finance Directive (DMFD) - Remote sales regulations
• Insurance Distribution Directive (IDD) - Insurance product governance
• Investor Compensation Scheme Directive (ICSD) - Investor protection up to EUR 20,000

Performance Indicators (2026)

• Authorization processing time (Payment Institutions): 90-120 days typical
• Authorization processing time (Crypto Custody): 180-240 days (7.2 months average)
• On-site examination frequency: Annual for significant institutions; multi-year cycles for smaller entities
• Supervisory staffing per institution: Average 2-4 dedicated supervisors per significant bank
• Regulatory technology investment: Ongoing modernization of supervisory tools and data analytics

Conclusion

BaFin stands as one of Europe's most comprehensive and integrated financial supervisors, combining banking, insurance, securities, and payment services regulation under a unified structure. Established through the FinDAG 2002 merger and headquartered in Bonn and Frankfurt, the authority has evolved to meet contemporary challenges including cryptocurrency regulation, digital finance services, and cross-border payment innovation. With binding Layer 1 authority over approximately 4,200+ active regulated entities and 1,500+ supervisory professionals, BaFin plays a central role in maintaining financial stability, consumer protection, and market integrity across Germany's financial system and European markets.

Regulatory Powers

This entity exercises integrated regulatory powers across multiple financial sectors:

Regulatory Role and Function

BaFin is led by a Board consisting of:

• President - Executive head of the authority
• Four Executive Directors overseeing:
• Securities supervision
• Banking supervision
• Insurance supervision
• Cross-functional areas and internal administration

Current Leadership

Mark Branson has served as President of BaFin since August 2021. Branson, born in the United Kingdom in 1968, leads the organization's modernization efforts and strategic direction.

Key Contact Information:

• Head of Communications and President's Spokesperson: Phone: +49 (0) 228 / 4108-4629; Email: [email protected]
• Head of Press Relations and Social Media: Phone: +49 (0) 228 4108-7094; Email: [email protected]
• Official Website: https://www.bafin.de

BaFin's organizational framework comprises operational pillars and cross-organizational departments:

Operational Pillars (Sectors)

The authority is organized into specialized divisions with dedicated supervisory responsibilities:

1. Banking Supervision Division - Oversight of credit institutions, payment institutions, and financial services providers
2. Insurance Supervision Division - Regulation of insurance undertakings and occupational pension schemes
3. Securities Supervision Division - Market conduct, trading venue supervision, and securities regulation
4. Payment Services and FinTech Division - Payment institutions, e-money institutions, and crypto custody authorization

Cross-Organizational Departments

Supporting departments include:

• Risk Modeling and Analysis
• Anti-Money Laundering (AML) and Counter-Terrorist Financing
• International Cooperation and Regulatory Affairs
• Human Resources and Administration
• Financial Reporting Enforcement

As defined in the BaFin Statutes, the organizational structure is established by the President with approval of the Federal Ministry of Finance.

Legal Foundation

BaFin was established on 1 May 2002 through the merger of three predecessor agencies under the Financial Services Supervision Act (Gesetz über die integrierte Finanzaufsicht, known as FinDAG), which was enacted on 22 April 2002. This landmark legislation consolidated:

• Bundesaufsichtsamt für das Kreditwesen (BAKred) - Federal Banking Supervisory Office
• Bundesaufsichtsamt für das Versicherungswesen (BAV) - Federal Insurance Supervisory Office (established 1952 in West Berlin; relocated to Bonn in 2000)
• Bundesaufsichtsamt für den Wertpapierhandel (BAWe) - Federal Supervisory Office for Securities Trading (established 1995 in Frankfurt)

The primary objective of the FinDAG 2002 was to create a single integrated financial regulator capable of supervising all financial markets under one unified authority, eliminating regulatory fragmentation and enhancing supervisory coordination.

Licensing and Authorization Relevance

Official Registers

• ZAG Register (Payment Institutions and E-Money Institutions) - Public database of authorized payment service providers
• Bank Register - Register of authorized credit institutions
• Insurance Register - Register of authorized insurers
• Organizational Chart (PDF) - Current BaFin organizational structure

Main Office Locations

• Bonn Office - Graurheindorfer Straße 108, 53117 Bonn, Germany
• Frankfurt Office - Lurgiallee 12, 60439 Frankfurt am Main, Germany

Inquiry and Support

• General inquiries: Phone: +49 (0) 228 4108-0 | Email: [General contact form available on website]
• Licensing questions: Dedicated application portals for payment institutions, e-money institutions, and crypto custody
• Supervisory concerns: Anonymous whistleblower hotline available

Payments and Money Movement Relevance

Legal Framework

BaFin oversees payment institutions and e-money institutions under the Payment Services Supervision Act (ZAG - Zahlungsdiensteaufsichtsgesetz), which implements the European Union's Payment Services Directives.

Payment Institutions (Section 10 ZAG)

Entities wishing to provide payment services as a payment institution in Germany require written authorization from BaFin. BaFin maintains a public register of authorized payment institutions pursuant to Section 34 ZAG and Section 43(1) ZAG.

Authorization Requirements:

• Documented business plan with risk management framework
• Sufficient initial capital (minimum thresholds vary by institution type)
• Reliable ownership structure
• Qualified and fit-and-proper managing directors
• Professional indemnity insurance or equivalent guarantee

E-Money Institutions (Section 11 ZAG)

E-money institution licensing is governed by Section 11 ZAG. An e-money institution license permits:

• Issuance of electronic money
• Provision of all payment services under PSD2/PSD3
• Automatic authorization to offer complete payment service offerings

PSD2 and PSD3 Implementation

BaFin implements the European Payment Services Directive 2 (PSD2) through German law and is actively managing the transition to PSD3.

PSD2 Supervisory Requirements

BaFin oversees authorization procedures and ongoing supervision under PSD2. Key requirements include:

• Payment Initiation Services (PIS) - Requires BaFin authorization
• Account Information Services (AIS) - Requires registration with BaFin
• Open Banking/Open Finance - Supervised under BaFin's FinTech division
• Strong Customer Authentication (SCA) - Enforcement and oversight
• Payment transaction security - Operational resilience standards

PSD3 Transition and Grandfathering

Under the new PSD3 framework:

• EMIs are reclassified and aligned with payment institutions
• Existing PSD2 licensees benefit from phased transition periods
• 18-month deadline: Capturing of existing PSD2 licenses
• 24-month deadline: Final compliance deadline and end of grandfathering period
• BaFin manages orderly migration to PSD3 requirements

Freedom of Establishment and Passport Rights

BaFin facilitates cross-border passport rights for payment institutions and e-money institutions within the European Economic Area (EEA). Payment service providers authorized by BaFin may:

• Establish branches in other EEA member states without separate authorization
• Provide payment services across the EEA under freedom to provide services
• Operate under the "pass-through" provisions of PSD2/PSD3

Payment Systems Governed or Overseen

The Federal Financial Supervisory Authority Bafin has the following relationship to payment infrastructure in Germany:

This entity's role in payment systems is primarily regulatory and supervisory rather than operational. It does not directly operate national payment infrastructure but contributes to the regulatory framework governing payment activities in Germany.

Relationship to Other Regulators

The Federal Financial Supervisory Authority Bafin operates within Germany's broader financial regulatory architecture and maintains relationships with:

Geography and Jurisdiction Notes

Important Departments and Divisions

Key Public Resources

Notes on Naming and Language