Germany’s Federal Financial Supervisory Authority (BaFin) is consulting on its first-ever guidance for payments and e-money institutions, with a focus on risk management.
Payments and e-money operators in Germany have until December 6, 2023 to submit comments for a consultation on new guidelines from BaFin.
The document, titled "ZAG-MaRisk - Minimum Requirements for the Risk Management of ZAG Institutions", is important for payment institutions and e-money institutions in the country, and provides separate guidance from what is already in existence for credit institutions.
"BaFin has always said that this guidance is not expressly applicable to e-money and payment institutions," explained Johannes Wirtz, a partner at Bird & Bird.
Wirtz said that Germany has never drawn up a document, even since the first iteration of the Payment Services Directive, which was adopted in 2007.
"This is the first time that BaFin has written up guidance specifically for payment institutions,” said Wirtz.
"We're seeing more and more relevance for payment institutions than a decade ago. Therefore, it has become increasingly challenging for these firms to understand how to comply with the regulations."
BaFin highlights core risks and compliance responsibilities
The document outlines issues including counterparty default risks (such as settlement and chargebacks), market price risks like FX, and business model risks.
In addition, BaFin has referenced environmental, social and governance (ESG) risks.
"As part of a risk inventory, an overview of the institution's risks is provided and, as required, the impact of ESG risks must be appropriately and explicitly taken into account," the document, translated from German, says.
With regard to the compliance function of companies specifically, BaFin dictates that payments and e-money institutions must appoint a compliance officer who is responsible for carrying out the tasks of the compliance function.
Depending on the type, scope, complexity and risk of the institution's business activities, in exceptional cases, the function of the compliance officer can also be assigned to a manager.
“Employees of the compliance function must be granted sufficient authority and unrestricted access to all information necessary to carry out their tasks,” BaFin further advises.
“The employees of the compliance function must be informed in a timely manner about any significant changes to the regulations that are intended to ensure compliance with the essential legal regulations and requirements.”
BaFin also wants the compliance function to report to management on its activities at least annually and as required.
"This must address the appropriateness and effectiveness of the regulations for compliance with the essential legal regulations and requirements," BaFin says. "The report must also contain information on possible deficits and measures to eliminate them. The reports must also be forwarded to the supervisory body and internal audit."
Wirtz noted that change is unlikely in daily compliance for payments and e-money firms as they come up to standard with the incoming BaFin rules.
According to the Frankfurt-based lawyer, the consultation is helpful in guiding firms on how to comply.
“Some of it is copied and pasted from banking rules, but other areas such as safeguarding requirements and the use of agents are more individual,” he said.
Wirtz said that this is very welcome and reflects the fact that the needs of payment institutions are different from credit institutions and financial services institutions.
"Let's hope that the consultation leads to a clear and appropriate guidance document that allows institutions to even better understand regulatory expectations."