With the fourth-largest economy in the world and a robust regulatory landscape regarding data protection, AML and crypto, Germany is well-positioned for innovation in the fintech sector. Still, the COVID-19 pandemic highlighted a nationwide hesitancy towards digitalization—fax machines and handwritten checklists still used by government officials, low broadband access in schools and rural areas and the absence of an electronic patient database.[1] On the other hand, German authorities have reacted to these weaknesses by revamping the country’s commitment to digital transformation, and the country lacks neither funds nor ideas.
Although its economy contracted by 5% in 2020[2] amidst the COVID-19 pandemic, the economic powerhouse remains undeterred in its modernization goals. Germany plans to spend 90% of its 28 billion-euro COVID-19 recovery package on climate change and digitalization,[3] far surpassing the EU’s target goal of 20% towards digital transformation.[4] Key areas of focus include digitalization in the economy—as well as education, infrastructure and public health sectors—alongside a sovereign and scalable European cloud infrastructure and reducing barriers to investment.
Important steps have already been taken. One of Germany’s longstanding digitalization goals has been the development of a convenient and efficient digital identity, which would simplify traditionally cumbersome bureaucratic processes. On 20 May 2021, the Bundestag passed a law allowing German citizens to access government services online using their mobile phones and existing identity cards. This could pave the way for increased use of digital identity in banking, which would dovetail with financial inclusion goals. Meanwhile, regulators have cracked down on big tech and cleared up legal uncertainties regarding crypto, which will attract more diverse players and financial investment to Germany’s fintech ecosystem. Berlin, already a major site for fintech startups, is poised for immense growth.
Germany’s digital transformation will not come without hurdles—like the rocky implementation of the PSD2’s Strong Customer Authentication requirements—but its prospects remain rosy. Recent regulatory updates in blockchain, crypto and AI will spur on further innovation, while the strengthening of consumer protection and convenience will reinforce support for and trust in digitalization.
Financial Regulatory Authorities
Central Bank: The Deutsche Bundesbank (BBk) is the independent central bank of Germany. The Deutsche Bundesbank is considered the most influential member of the European System of Central Banks and has helped shape the Eurosystem.
The Federal Financial Supervisory Authority (BaFin) is Germany’s main financial regulatory authority, working independently under the Federal Ministry of Finance. It supervises the banking, insurance, securities, and other financial services industries.
Other Regulatory Authorities
Data Protection Authority: The Federal Commissioner for Data Protection and the Freedom of Information (BfDI) is the national data protection authority in Germany for telecommunications providers. However, in addition to the BfDI, there are multiple data protection authorities for all 16 states, each responsible for enforcing EU data protection laws and regulations.
The Federation of German Consumer Organizations (VZBV) is an independent consumer rights organization representing 42 consumer associations in Germany. The organization is non-governmental and works with legislators and the private sector to protect consumers.
The Federal Network Agency (Bundesnetzagentur) is the regulatory office for the telecommunications sector, as well as electricity, gas, post and railway markets.
The Federal Office for Information Security (BSI) is a federal agency providing IT security services to the German government, manufacturers and private and commercial users.
Standards, Laws and Regulations
Parliament Adopts Law on Data Protection and Privacy in Telecommunications and Telemedia, 20 May 2021
The Bundestag adopted the Telecommunications and Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutzgesetz, TTDSG), which seeks to unify previously contradictory national laws on data protection and further adhere to the EU’s GDPR and ePrivacy directive. Almost ten years after the deadline, the new law transposes the ePrivacy requirement that users must consent to cookie settings, unless cookies and similar technology are “necessary to provide the service(s) requested by the end user” (Section 22).[5] Democrat MP Hansjörg Durz stated that the law established the “basis of the data economy of the future,”[6] although opposition members fear the law is not substantive enough.
Bundestag Passes Law on the Introduction of Electronic Securities, 06 May 2021
Parliament passed the Electronic Securities Act (elektronisches Wertpapiergesetz, RegE-eWpG), which enables blockchain-driven securities trading. The new law enables the dematerialization of securities, establishes the necessary legal certainty and application safety, adds detail to the previously-introduced crypto custody license and provides clarity on the emerging digital asset ecosystem. It also establishes mandatory licensing requirements for the administration of electronic registers and safekeeping of cryptographic keys. BaFin will supervise the administrators of crypto security registers. The law marks key progress in the country’s blockchain technology strategy and overall digital transformation, and is expected to encourage further innovation in finance.
New Law Allows Institutional Investment Funds to Invest in Crypto, 22 April 2021
The Bundestag approved legislation allowing managers of wealth and institutional investment funds (Spezialfonds) to invest up to 20% of their portfolios in cryptocurrencies. Under current regulations, Spezialfonds—which hold around EUR 1.2 trillion in investments[7]—have zero funds invested in crypto. The move could prove significant in bolstering Germany’s status as an international financial investment hotspot and legitimizing the cryptocurrency sector. About 4000 funds would be eligible under the law, which is scheduled to come into effect 01 July 2021.
Germany Approves Use of AI in Identity Verification, 01 April 2021
The Federal Network Agency (Bundesnetzagentur, or BNetzA) and the Federal Office for Information Security (BSI) have approved the use of AI-driven identification verification methods, including biometric and document recognition systems. The decision, outlined in the “Identification of a natural person when applying for a qualified certificate using video transmission (video identification) with an automated process,” is premised on the German Trust Services Act, which implements the EU’s eIDAS Regulation. Germany is known for its affinity for cash, paper and pen, but its digitalization efforts show a commitment towards making everyday technologies accessible and convenient for users who might otherwise be wary.
The announcement by the BNetzA and BSI comes about one year after the Financial Action Task Force published its Digital Identity Guidance. The FATF recommends a risk-based approach to identity verification and notes the use of AI and machine learning for determining validity of government-issued ID. Germany is the latest in a long line of jurisdictions approving the use of AI for identity verification.
Digitalization Act Enters into Force, 19 January 2021
The Digitalization Act, which comprises the 10th Amendment of the German Competition Act (ACR), expands Germany’s regulatory scope with regard to competition in the digital sector. The act targets digital platforms with the aim of bolstering competition and tamping down on unfair practices. To this end, the German Federal Cartel Office (Bundeskartellamt), watchdog and antitrust authority, now has the power to prohibit companies from creating barriers to entry, initiating preferential treatment of their own services and putting constraints on interoperability of data, products and services. This comes amidst an EU-wide spate of antitrust regulations in an effort to rein in big tech. The German Federal Cartel Office has been embroiled in numerous cases against industry giants Amazon and Apple for suspected anti-competition practices, which have contributed to the crackdown.
Bundestag Adopts Draft Bill on Implementation of 6AMLD, 14 October 2020
The Draft Act for the Effective Prosecution of Money Laundering (Gesetz zur Verbesserung der strafrechtlichen Bekämpfung der Geldwäsche) transposes the EU’s 6AMLD (Sixth Anti-Money Laundering Directive) into national law and seeks to make AML measures more all-encompassing. The act does not impose significant regulatory changes on obliged entities, although processes and procedures will change. Obliged entities must still carry out transaction monitoring and reporting, but they do not have to determine a particular offense as this is the role of the prosecutor. Indeed, prosecutors’ investigative powers are greatly enhanced, which is expected to make AML measures simpler and more effective.
BaFin Issues Announcement on Licensing for Crypto ATMs, 08 September 2020
Under the German Banking Act, new provisions mandate that crypto ATMs may be installed only with prior BaFin approval. ATMs operating without approval will be considered illegal and subject to prosecution. Germany has established itself as a vanguard in crypto regulation, both facilitating the use of crypto and enabling increased BaFin oversight. Germany was one of the first countries in the world to allow financial institutions to custody cryptoassets, classified as a financial service. As of 01 January 2020, all entities seeking to custody cryptoassets must apply for BaFin authorization. Per the implementation of the 4AMLD into German law, all entities engaging in the trade of crypto must also be licensed by BaFin. Many of these entities must apply for a banking business license in addition. The German Banking Act considers all crypto custodians and exchanges as financial institutions, so they must adhere to AML/CFT regulations.
Legislation and Policy
The Bundestag, the lower house of parliament, submitted a draft law on strengthening data protection supervision (DSaufsichtsG), which would amend the Federal Data Protection Act (BDSG) and ensure compliance with EU law. The draft law seeks to bolster the powers of the Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit, BfDI), especially in the case of data protection violations that fall outside GDPR purview.
Parliament Adopts the IT Security Act 2.0, 07 May 2021
The upper house of parliament, the Bundesrat, endorsed the IT Security Act 2.0 (IT-Sicherheitsgesetz 2.0, IT-SiG 2.0), which had been adopted by the Bundestag on 23 April 2021. The Act seeks in part to strengthen consumer protection, and expands the powers of the Federal Office for Information Security (BSI) towards this end. Upon passage into law, the BSI would be responsible for establishing binding minimum standards for IT security, and have heightened authority in receiving information on IT vulnerabilities and advising IT manufacturers. A special category of companies—and firms from the supply chains of such companies—would be established in order to deliver enhanced protection. Protected entities include defense industry companies and others that are consequential in upholding the German economy. This would require increased compliance measures on the part of those companies in meeting and recording stringent IT security requirements. The law also simplifies data protection requirements for the BSI with regard to federal communication technology and the processing of log data.
BaFin published its Supervisory Priorities for 2021, which include addressing compliance with PSD2’s Strong Customer Authentication (SCA) requirements, IT and cyber risks, cryptoassets, the pandemic’s impact on financial markets, consumer protection and AML/CTF. SCA compliance has been an especially weighty issue as member states across the EU have struggled in its implementation, with many states continuously delaying rollout of requirements. Germany fully implemented SCA requirements on 15 March 2021, and friction in payments services has caused problems for both users and merchants. The 3-D Secure authentication stage has an abandonment rate of 17-20% in Germany, often due to customers inputting an incorrect verification code or not completing a step in time, which leads to issuer decline. This has caused customer frustration and revenue loss for businesses,[8] proving merchants’ pre-implementation concerns valid. President of the European Commission and German citizen Ursula von der Leyen has made cashless payments a top EU priority, but SCA difficulties might discourage Germans, who have been slower to adapt than many of their European counterparts. Indeed, the state has a reputation for digital shyness and cash use is still relatively high, though it has taken a dip in recent years.[9]
Six years in the making, the Deutsche Bundesbank, Deutsche Börse and Germany’s Finance Agency have successfully tested a blockchain-based settlement interface for electronic securities. The development shows that blockchain technology and traditional payment systems can be linked to settle securities without the need for a central bank digital currency (CBDC). Burkhard Balz of Bundesbank stated, “Following successful testing, the Eurosystem should be able to implement such a solution in a relatively short space of time—at least in far less time than it would take to issue central bank digital currency, for instance.”[10]
BaFin Issues Warning on Cryptocurrency, 19 March 2021
The German regulator issued a warning to small investors that, despite soaring prices in virtual currencies like Bitcoin, cryptocurrency poses inherently high risks. The warning comes on the heels of a European Supervisory Authorities (ESA) caution on risks in crypto. Still, Germany is keen on cultivating the regulated use of cryptocurrency by large entities as it seeks to make the country more attractive to financial investment.
Germany Adopts Draft of the Act to Amend the Anti-Money Laundering Act, 10 February 2021
The German government adopted the draft of the Act to Amend the Anti-Money Laundering Act (Anti-Money Laundering Transparency Register and Financial Information Act, “Draft TraFinG Gw”) in order to align with an EU draft act seeking to interconnect member states’ beneficial owner registers for AML purposes. Should the draft become law, German companies will have to report their beneficial owners to the Transparency Register, which is currently not mandatory if information on the beneficial owner is readily viewable from other public registers. This marks an important step in harmonizing and coordinating the EU member states’ approach to AML, especially as criminals’ methods become more sophisticated and transnational. The move might also cause friction in light of increasing compliance measures to be undertaken by financial institutions.
1. Connolly, Kate. “New ID law aims to help reduce ‘digital shyness’ in Germany.” The Guardian, 22 May 2021. https://www.theguardian.com/world/2021/may/22/new-id-law-aims-to-help-reduce-digital-shyness-in-germany.
2. Dao, Mai Chi and Aiko Mineshima. “Germany’s Post-COVID-19 Recovery in Five Charts.” International Monetary Fund, 19 January 2021. https://www.imf.org/en/News/Articles/2021/01/15/na011921-germanys-post-covid19-recovery-in-five-charts
3. “Germany to spend 90% of EU recovery money on green, digital goals.” Reuters, 27 April 2021. https://www.reuters.com/article/us-health-coronavirus-germany-recovery-idUSKBN2CE1HY.
4. “Scholz: Clear signal for climate action and digitalization.” Federal Ministry of Finance, 27 April 2021. https://www.bundesfinanzministerium.de/Content/EN/Pressemitteilungen/2021/2021-04-27-german-recovery-and-resilience-plan-adopted.html.
5. Hüsch, Moritz et al. “Germany Publishes New Draft Rules for Cookies and Similar Technologies.” Inside Privacy, Covington & Burling LLP, 27 January 2021. https://www.insideprivacy.com/data-privacy/germany-publishes-new-draft-rules-for-cookies-and-similar-technologies/.
6. Noyan, Oliver. “Germany adopts new data protection and privacy law.” EURACTIV, 21 May 2021. https://www.euractiv.com/section/digital/news/germany-adopts-new-data-protection-and-privacy-law/.
7. Hamacher, Adriana. “'Damn Huge': Germany Opens Up to Institutional Crypto Funds.” Decrypt, 28 April 2021. https://decrypt.co/69323/damn-huge-germany-opens-up-to-institutional-crypto-funds.
8. Michel, Galit. “The Real Impact of PSD2.” Global Banking and Finance Review. https://www.globalbankingandfinance.com/the-real-impact-of-psd2/.
9. Heinrich, Daniel. “Germany, EU move toward cashless payment during pandemic.” Deutsche Welle, 05 January 2021. https://www.dw.com/en/germany-eu-move-toward-cashless-payment-during-pandemic/a-56138122.
10. “German central bank makes case for blockchain settlement in CBDC debate.” Finextra, 25 March 2021. https://www.finextra.com/newsarticle/37745/german-central-bank-makes-case-for-blockchain-settlement-in-cbdc-debate
*DISCLAIMER: This information is OneSpan's interpretation of the compliance requirements as of the date of publication. Please note that not all interpretations or requirements of the applicable laws are well-settled and its application is fact- and context-specific. The information contained in this document should not be relied upon as legal advice or to determine how the law applies to your business or organization. We encourage you to seek guidance from your legal counsel with regard to law applying specifically to your business or organization and how to ensure compliance. This information is provided “as-is” and may be updated or changed without notice. OneSpan does not accept liability for the contents of these materials.
Last updated: November 2021