What is the BaFin and what does “regulation” mean?

Turbulence in the banking and insurance industries

The international financial markets have historically been hit by upheaval. Well-known examples of this are the speculative bubble of the New Economy in 2001, often referred to as the dotcom bubble, or the meltdown of the US real estate market in 2007, followed by the insolvency of the major US bank Lehman Brothers Inc. in September 2008.

In Germany, too, some credit institutions ran into considerable difficulties at the time. For example, a multi-billion-euro rescue package had to be set up for IKB Deutsche Industriebank AG. Düsseldorfer Hypothekenbank AG and Hypo Real Estate Holding (HRE) had to be saved from collapse or nationalized.

This turmoil shows that a functioning banking and insurance system is essential for any economy, and thus also for the individual consumer. Regulations are obviously needed, along with the authority to monitor compliance with these regulations and to intervene as necessary. For these reasons, the former German Federal Supervisory Offices for Securities Trading (BAWe) and Insurance (BAV) were merged with the Federal Banking Supervisory Authority (BAKred) on May 1, 2002, resulting in the establishment of the Federal Financial Supervisory Authority (BaFin for short). The newly established authority was headed by President Jochen Sanio.

The BaFin is a German federal agency and acts in the public interest. It is designed to ensure stability in the financial markets of continental Europe and to ensure trust among bank customers, policyholders, and investors. It supervises and controls all areas of the financial system in Germany. These include banking, financial, payment and e-money institutions, German branches of foreign credit institutions from the European Economic Area, insurers and pension funds, as well as capital management companies and domestic funds. Furthermore, the BaFin also aims to inform and protect consumers. The approximately 2,700 employees of the BaFin work in Bonn and Frankfurt am Main. The BaFin is financed by fees and levies from the companies and institutions it supervises.

Written permission required for banking or insurance transactions

Banking or insurance business in a manner requiring a license may only be conducted in Germany if BaFin has granted written permission in advance. This applies to larger institutions and in some cases to smaller FinTechs and InsurTechs – i.e., companies that offer financial innovations. Typically, however, FinTechs and InsurTechs tend to operate their business without a banking license or to work with a bank that has one.

BaFin has extensive investigative and intervention powers and can prohibit unauthorized or illegal business activities. The BaFin website regularly publishes relevant reports and information on the measures it has ordered. Of course, the financial market is not limited to Germany, but also operates at the European and international level. For this reason, a European system of financial supervision was established at the beginning of 2011. In November 2014, the starting signal was given for the Single Supervisory Mechanism. Since then, the 125 largest banking groups in the euro area have been directly supervised by the European Central Bank (ECB).

The task of the BaFin

Now that we have explained what the BaFin is and where it came from, we will take a closer look at this institution’s five central tasks.

a) Banking supervision

The turbulence in international financial markets has shown that trust in the market participants and the functioning of the banking system is very important for a stable economy and individual consumers. If there are disruptions here – as was the case in Greece in 2015 – then individuals are severely affected. In this case, only 60 euros could be withdrawn at ATMs, while pension payments could not be made or were significantly delayed.

When a new bank is established, several requirements must be met. A minimum capital of €730,000 is required, and there must be at least two reliable and professionally suitable managers. Furthermore, significant holdings must be disclosed and a viable business plan must be in place. Existing institutions are monitored on an ongoing basis. Here, sufficient and appropriate capital must be available. Furthermore, operational risks, in addition to default and market risks, must be backed by appropriate capital reserves.

b) Insurance supervision

Consumers want to protect themselves against risks with insurance policies, e.g., against occupational disability. If such a risk occurs, it is important that the insurance company is solvent and can make the payments agreed in the insurance contract. Only then can trust in the insurance company be established. Insurance supervision aims to protect the insured and make certain that insurance companies fulfill their contractual obligations.

Key requirements must also be met when an insurance company is established. For example, the company must have a specific legal form, may only conduct insurance business, must present a business plan, have sufficient equity capital and employ at least two managing directors who are reliable and professionally suitable. As part of ongoing supervision, information about the company is collected and evaluated. The business operations are monitored. This is to ensure that irregularities are detected in good time. If necessary, BaFin intervenes to restore orderly conditions.

c) Securities supervision

The aim here is to detect and counter insider trading and market manipulation. Furthermore, certain publications and investor prospectuses are checked.

d) Prevention of money laundering and terrorist financing

The financial system can be misused for money laundering or terrorist funding. It is the BaFin’s job to prevent this. A key part of this is detailed in Section 24c of the German Banking Act (KWG). This enables the automated identification of accounts held by suspected terrorists or other criminals at credit institutions based in Germany. Furthermore, the BaFin ensures that the requirements for the prevention of money laundering are implemented in the institutions and insurance companies. The “know your customer principle” is important here, according to which the business partner must be clearly identified.

e) Consumer protection

It is often not well known that the BaFin’s responsibilities also include consumer protection. Extensive information and the number of a consumer telephone hotline can be found on the BaFin homepage. The information on the internet is intended to create transparency and provide clarification. Consumers and customers who have problems or run into trouble with a bank or insurance company can file complaints with BaFin. The agency also monitors whether institutions are complying with their duties of conduct under the Securities Trading Act – in this case, their duties towards customers.

BaFin publications

To fulfill the above-mentioned tasks, the BaFin releases publications, such as annual reports and statistics. Furthermore, it provides databases with information on authorized banks, financial service providers and insurance companies, which are also available to end customers. The BaFin can order measures and issue decrees. The relevant participants in the financial sector in Germany, such as banks and insurers, are required to provide information in the form of notifications and reports to the BaFin.

But what exactly does “regulatory” mean?

Now that we have discussed what BaFin is all about, we want to look at the so-called “regulatory” framework. What is this and how does it work? The setting of rules for institutions in the banking industry is also referred to as “banking regulation” or, in general, as “regulatory.” In developed countries, banking is one of the most highly regulated submarkets. Banking regulation is intended to ensure the functioning of general payment transactions and the protection of investors. Furthermore, accounting and disclosure requirements are intended to increase transparency.

Laws and regulations

In the course of banking regulation, a large number of laws and regulations have been defined. They govern the relationship between credit institutions and banking supervision. In Germany, these regulations include:

  • German Banking Act (KWG)
  • Capital Adequacy Regulation
  • Minimum Requirements for Risk Management (MaRisk)
  • Insurance Supervision Act (VAG)
  • Supervisory Requirements for IT (BAIT)
  • Large Exposure Regulation
  • Pfandbrief Act

Capital Adequacy Regulation

The Capital Adequacy Regulation, known as Regulation (EU) No. 575/2013[1], is an EU regulation applicable to the banking industry. Based on the Basel III regulations, this regulation provides guidelines for the appropriate utilization of equity in financial holding groups or mixed financial holding groups as well as institutions or groups of institutions. It also regulates individual provisions that were implemented in the previous Solvency Regulation.

BAIT (Bankaufsichtliche Anforderungen an die IT)

The laws and regulations mentioned so far have little or nothing to do with IT, with the exception of MaRisk.

However, the administrative instructions in BAIT are explicitly aimed at the secure design of IT systems and the associated business processes. IT governance in German credit institutions is also affected. The regulations and requirements in BAIT are absolutely relevant and must therefore be implemented. BAIT formulates the technical and organizational requirements for the institutions. The Insurance Supervisory Requirements for IT (VAIT) apply to the insurance industry, and the Capital Management Supervisory Requirements for IT (KAIT) apply to investment companies.

German Banking Act (KWG)

The purpose of the KWG is to regulate and organize the credit system. The functioning of the credit industry should be ensured and creditors of said institutions should be protected against the loss of their deposits. Credit institutions should not be allowed to take risks at will. Therefore, the KWG regulates the possibilities for credit institutions to take risks. The types of risk addressed here are default risk, market risk, liquidity risk, operational risk and information risk. In the case of operational risk, the Minimum Requirements for Risk Management (MaRisk) are referenced as a specification.

Credit institutions have various reporting obligations to BaFin and the Bundesbank. Information must be provided here regarding solvency, liquidity, so-called large loans, monthly statements and annual financial statements. Information must also be provided in the event of special occurrences, such as the granting of multi-million loans, organizational changes and the appointment or resignation of a managing director. The KWG also sets out requirements for the operational and organizational structure of credit institutions.

Minimum Requirements for Risk Management (MaRisk)

Minimum requirements are a tool used by the German Federal Financial Supervisory Authority (BaFin) to organize risk management and related areas at German financial institutions and insurance companies. These are published in the form of BaFin circulars and internal administrative instructions from BaFin, which represent the authority’s supervisory practice in interpreting general legal requirements.

The BaFin has published the following industry-specific Minimum Requirements for Risk Management:

  • MaRisk (BA): Minimum requirements for risk management, which are aimed at credit institutions.
  • MaRisk (VA): Minimum requirements for risk management, which are aimed at the insurance industry. Note: MaRisk VA, based on the circular dated January 22, 2009, was repealed as of January 1, 2016 and replaced by the European Solvency II supervisory regime and its Solvency II guidelines. The new requirements are set out in §§ 23-32 of the Insurance Supervision Act.
  • InvMaRisk: Minimum requirements for risk management, which are aimed at investment companies.

Impact

IT is affected by MaRisk and, of course, by BAIT, since it regulates the secure design of IT systems and processes and the requirements for IT governance.
