
Prof. Dr. iur. Philipp Maume, S.J.D. (La Trobe)

Assistant Professor for Corporate Governance & Capital Markets Law


TUM School of Management, Technical University of Munich
Visiting Scholar at Cornell Law School, Ithaca (NY)

IN UNCHARTERED TERRITORY – BANKING SUPERVISION MEETS FINTECH

Will be published in Corporate Finance in early 2018


Unedited Author’s Copy

Executive Summary
There is uncertainty among financial markets participants as to how to apply the traditional
banking regulation to fintechs. This article focuses on fintech regulation through the lens of
banking supervision. It discusses the trend towards co-operation between banks and fintechs,
the applicable legal framework, potential banking license requirements and the obstacles of
outsourcing of banking functions to fintechs under the current framework.
This article lays out the German legal framework. However, in the EU credit institutions and
financial service providers, including outsourcing, are regulated under EU laws, most
notably Directive 2014/65/EU (‘MiFiD2’), Directive 2013/36/EU (‘CRD IV’) and Regulation
(EU) 575/2013 (‘CRR’). Thus, the rules and principles discussed in this article apply in other
EU jurisdictions accordingly.

Keywords: Fintech, Outsourcing, Banking License, Robo-Advisory, Crowdfunding, Payment Solutions

Electronic copy available at: https://ssrn.com/abstract=3051837


I. Introduction
‘Fintech’ is a buzzword in the financial industry. New technology-based business models are
emerging and many predict an overhaul of the markets for financial services. Regulation is
struggling to cope with these changes. There is indeed a high level of legal uncertainty
because young, dynamic fintech start-ups design their products based on what is possible and
what consumers might appreciate, but do not pay much attention to banking laws and
compliance. Typical questions from market participants include: Do the banking rules apply
to fintechs in the same way? Which fintechs require banking licenses? What are the obstacles
for banks that want to co-operate with fintechs?
This article focuses on co-operation between banks and fintechs and the ensuing issues
regarding outsourcing, banking regulation and supervision. Conversely, ‘regular’ outsourcing
of non-fintech services such as call-centres, payroll management, cloud-computing and
facility management will not be covered. First, the movement towards stronger co-operation
between banks and fintechs will be discussed in Part II. In Part III, the focus will be on the
lack of specialised fintech regulation and supervision in Germany,1 and its consequences. Part
IV discusses which banking licenses are required for typical fintech models. The implications
of outsourcing services that require bank licenses to fintechs are discussed in Part V.

II. Competition and Symbiosis


Over the last few years, German media has emphasised the dangers the fintech scene presents
to its incumbent competitors.2 Today banks increasingly recognise the benefits of
collaborating with fintech upstarts. It seems like the perfect marriage of skill sets. Banks have
access to capital, infrastructure, customers, and vast amounts of customer and market data.
They also bring to the table specific knowledge about risk management, financial analysis and
regulatory compliance.3 Fintechs specialise in technology to create consumer friendly access
to financial services and efficiencies that eliminate the need for a large organisation. They are
agile and highly responsive to customer needs. But what they offer in innovation, they lack in
experience and resources, especially with regard to security and compliance.
A study commissioned by the Ministry of Finance found that 87 per cent of German banks are
already co-operating with fintechs.4 Global studies with larger sample sizes point in a similar
direction, with 48 per cent of financial service providers having collaborated with fintechs and
31 per cent having acquired a fintech start-up.5 BaFin also noted that German banks have
been making increasing use of fintechs to reduce costs and offer new services to their clients.6
It is fair to assume that in many cases, banks and fintechs have found some kind of
co-operative competition.7

1 Credit institutions and financial service providers, including outsourcing, are regulated under EU laws, most
notably Directive 2014/65/EU (‘MiFiD2’), Directive 2013/36/EU (‘CRD IV’) and Regulation (EU) 575/2013
(‘CRR’). Thus, most of the rules and principles discussed in this article apply in other EU jurisdictions as well.
2 See, for example, the headlines of leading newspapers: „Wie Fintechs die Banken ärgern“, Manager Magazin,
15.10.2015; „Neue Fintech-Wettbewerber: Zunehmender Druck auf die Finanzinstitute“, NZZ, 17.01.2017.
3 Kashyap/Weber, in: Chishti/Barberis (eds.), The Fintech Book, 2016, p. 228.
4 Dorfleitner/Hornuf, Fintech-Markt in Deutschland, 2016, p. 52, available at:
www.bundesfinanzministerium.de, accessed on 18.09.2017.

Broadly, banks have four options if they want to benefit from fintech services. First, they can
build up in-house capabilities. Alternatively, they may invest in fintech equity by making the
fintech a bank subsidiary or by acquiring a substantial shareholding. Sometimes, as a third
option, banks and insurers nurture and grow fintech start-ups through incubators and
business angel programmes. Fourthly, fintechs could provide services to the bank on a
contractual basis. This will often be a form of outsourcing. Through the lens of banking
supervision, option number four is problematic because it raises the question as to how
banking regulation deals with a fintech providing banking services for the bank, and often in
the name of the bank, to third parties.

III. The Absence of Fintech Regulation


Due to the lack of an official definition, commentators tend to categorise fintech companies
according to their business models. The result is, depending on the approach taken, four,8
five9 or six10 clusters of fintech activities, typically including payment solutions,
credit/lending platforms, crowdfunding and related activities, online trading, crypto
currencies, e-money and robo advisory.

The reason for the current excitement about fintech is not about the influx of technology as
such, but who is applying the technology to finance and the speed of the changes to the
markets.11 Many fintech business models will vanish from the markets in due course, and
some will remain niche products. Accordingly, it is a difficult task for regulators and
policymakers to figure out which market developments require regulatory intervention. Due
to the fast-moving markets, the regulatory gap in the fintech area appears to be particularly
wide.
Under German law, the only regulation specifically designed for the fintech environment is §
2a VermAnlG, which prescribes an exception from the obligation to publish an investment
prospectus for crowdfunding and related campaigns. Countries such as the United Kingdom,12
Switzerland,13 Australia,14 Canada15 and Singapore16 have introduced so-called ‘regulatory
sandboxes’ which allow fintechs to test their business models under a lightened regulatory
regime in constant cooperation with the regulators. In Germany, no such initiatives have been
launched, although the aforementioned study commissioned by the Ministry of Finance might
be seen as a scoping exercise.17 Importantly, BaFin has no statutory mandate to introduce a
sandbox or other softened regulatory requirements for fintechs.18 It seems likely that German
or EU legislators (or regulators) may enact new specific fintech regulations in the near
future.19 However, this will most likely be tailored regulation for specific fintech services
(comparable to § 2a VermAnlG) and not an overarching ‘fintech law’.

5 Simmons & Simmons LLP, Hyperfinance: Accelerating Digital Innovation in Financial Services, 2017, pp. 7-8,
available at: https://hyper-finance.com/articles, accessed on 18.09.2017.
6 BaFin Jahresbericht 2016 pp. 22, 111; available at www.bafin.de, accessed on 18.09.2017.
7 Gelis, in: Chishti/Barberis (eds.), The Fintech Book, 2016, p. 235. A similar development can be observed in
the insurance industry (‘Insurtech’).
8 Söbbing, BKR 2016, 360 (361); Paul, Wpg 2016 p. 57.
9 Arner/Barberis/Buckley, Georgetown Journal of International Law 2015-2016 p. 1271 (1292-1293); Danker
(BaFin), Fintechs: Junge IT-Unternehmen auf dem Finanzmarkt, available at: www.bafin.de, accessed on
18.09.2017.
10 Scholz-Fröhling, BKR 2017 p. 133 (134).
11 Arner/Barberis/Buckley, Georgetown Journal of International Law 2015-2016 p. 1271 (1275-1276).

As there is currently no specific regulation and no option to test fintech business models in a
sandbox, the regular rules on banking supervision and outsourcing apply to fintechs in the
same way as other market participants. Thus, fintechs are subject to the same regulatory
requirements as other businesses in the financial industry, and there is no leeway for the
regulator to treat them differently from other market participants. This might for good reasons
be perceived as a market entry barrier, but it also provides a level playing field between
market participants.

IV. (Banking) Licenses for Fintechs


1. Types of Licenses
Pursuant to § 32 KWG, the provision of banking services (defined in § 1(1) KWG) or
financial services (§ 1(1a) KWG) requires permission by the regulators.20 Licensed providers
need to meet the strict capital requirements for banks (§ 33 KWG). Management needs to
meet ‘fit and proper’ requirements, to have sufficient theoretical and practical knowledge and
to be experienced in the respective field (§ 25c KWG). If the license is granted, the fintech is
subject to organisational and reporting requirements and stricter duties, for example in
relation to money laundering.21 Insiders estimate the total costs of getting a fintech
ready for a full banking license in Europe at €20 million.22 It is extremely difficult for a
start-up to meet these requirements.23 Besides, it could take years to build the internal structures
that are expected by the regulators to meet the ongoing license requirements.

12 UK Financial Conduct Authority website, “Regulatory Sandbox” (11.05.2015), available at
https://www.fca.org.uk/firms/regulatory-sandbox, accessed on 18.09.2017.
13 See Essebier/Opplinger, Die neue FinTech-Lizenz (19.07.2017), available at:
http://blog.vischer.com/finanzmarktrecht/page_id00019, accessed on 18.09.2017.
14 Australian Securities and Investment Commission website, “Regulatory Sandbox”, available at:
www.asic.gov.au, accessed on 18.09.2017.
15 Canadian Securities Administrators website, “The Canadian Securities Administrators Launches a Regulatory
Sandbox Initiative” (23 February 2017), available at: www.securities-administrators.ca, accessed on 18.09.2017.
16 Monetary Authority of Singapore website, “Fintech Regulatory Sandbox”, available at: www.mas.gov.sg,
accessed on 18.09.2017.
17 The German Monopolies Commission (Monopolkommission) had suggested that the Federal Government
review the possibilities of introducing a sandbox, see Monopolkommission, Hauptgutachten XXI: Wettbewerb
2016, Chapter V, p. 65; available at: http://monopolkommission.de, accessed on 18.09.2017.
18 See expressly BaFin, Jahresbericht 2015 p. 41.
19 In March 2017, the European Commission started a formal consultation on fintech regulation, see European
Commission website, “Public consultation on FinTech: a more competitive and innovative European financial
sector”, available at https://ec.europa.eu; accessed on 18.09.2017.
20 Both alternatives will be referred to as ‘banking license’ for reasons of convenience.

For some business models, licenses under §§ 34c, 34f GewO (instead of § 32 KWG) apply.24
The result is a lighter regulatory regime. The fintech would not be subject to supervision by
BaFin, but by the local trade authorities (Gewerbeaufsichtsamt) or the local chamber of
commerce (Industrie- und Handelskammer), depending on the applicable state regulation.
This lighter GewO regime might seem a sensible first step for start-ups,25 but there are also
drawbacks. The fintech would need to narrow its business model and, for example, only
invest in certain investment vehicles. If a fintech starts with a license under § 34f GewO and
then grows into a ‘full’ robo-advisor requiring a license under § 1 KWG,26 supervision moves
from state authorities to BaFin.27 In the worst case, the fintech would need to redesign its
internal structure and processes. Besides, it remains to be seen if the local state authorities
have sufficient know-how and resources to deal with fintech oversight. In any event, the
fintech should get in touch with BaFin and ensure that it is not subject to the KWG licensing
regime.28
A common but nevertheless often overlooked regime is a license for money and payment
transactions under § 8 ZAG, supervised by BaFin. This licensing regime is nowhere near as
strenuous as banking licenses, but it still puts additional obligations on the fintech. Moreover,
it is not an alternative to banking licenses, but a necessary ancillary for particular banking
services.

2. Fintech Business Models and License Requirements


a. Payment Solutions
In many cases, fintechs act as intermediaries via internet market platforms. Some fintechs
process the money transfer between the parties as a part of their services. In these cases, they
might be money transfer providers under § 1(2) no. 6 ZAG and require a license under § 8
ZAG. If a SEPA transaction is offered, the license requirement flows from § 1(2) no. 5 ZAG.
Payment models using e-money (i.e., money which is stored electronically) are subject to § 1a
ZAG, and also a license requirement pursuant to § 8a ZAG. As these definitions are extremely
wide,29 the ZAG licensing regime will apply to a lot of fintechs, in particular to those running
internet market platforms that involve the transfer of money.30

21 Another consequence, which will not be considered in detail in this article, is the application of further duties
under §§ 31 et seqq WpHG.
22 Gelis, op. cit. (fn. 7), p. 237.
23 Oppenheim/Lange-Hausstein, WM 2016 p. 1966 (1969); Möslein/Lordt, ZIP 2017 p. 793 (797).
24 This could be the case for services that are limited to brokerage but do not give advice, or limit their advice to
particular financial products, see below Part IV.2.
25 Möslein/Lordt, ZIP 2017 p. 793 (797).
26
27 For criticism of this fragmentation, see also Hartmann, BKR 2017 p. 321 (326).
28 Oppenheim/Lange-Hausstein WM 2016, 1966 (1970).

b. Robo-Advisory
Robo-advisory31 is commonly understood as financial investment services that are based on
algorithms and provided to customers online. The purported advantages are increased
efficiency due to lower costs and increased objectivity. Robo-advisors can be grouped into
three categories.32 On the highest tier, the robo-advisor not only gives advice, but also
manages financial instruments on behalf of the client.33 It does not need client approval for
investment decisions.34 Such portfolio management needs to be licensed under § 1(1a) cl. 2
no. 3 KWG (Finanzportfolioverwaltung). Alternatively, the fintech provides advice based on
the client’s preferences and the client makes the investment decision.35 This typically meets
the criteria of a financial adviser under § 1 (1a) cl. 2 no. 1a KWG (Anlageberatung).36 It is not
relevant whether the fintech has a disclaimer on its website stating that no financial advice is
provided.37 Robo-advisors that do not meet these requirements (for example, because they do
not take into account the personal situation of the client) will typically be brokers pursuant to
§ 1(1a) cl. 2 no. 1 KWG (Anlagevermittlung) and thus also subject to a banking license
requirement.
If financial advice or brokerage is only provided in relation to domestic investment assets
which are held by EU-regulated undertakings for collective investment in transferable
securities (UCITS, in German: OGAW) or alternative investment fund managers (AIFM),
the respective robo-advisor does not require a banking license according to § 2(6) cl. 1 no. 8
KWG. However, permission for their business is required pursuant to § 34f GewO.

c. Lending Platforms
Lending platforms (not to be confused with crowdlending platforms which will be discussed
below) are one of the most common fintech applications.38 The user enters his details and the
desired amount into the online interface. The ensuing service provided by the fintech can
vary, but it typically comprises a comparison of different bank offers, or improved identity
verification and credit screening processes. In particular the latter can be attractive for
established banks because a streamlined process makes it more likely that the customer enters
into an agreement with that particular bank.

29 See the Lieferheld decision by the District Court of Cologne, in which the court held that even food delivery
platforms are subject to the ZAG licensing regime; LG Köln, 29 September 2011, Case No. 81 O 91/11 = MMR
2011, 815.
30 Scholz-Fröhling, BKR 2017 p. 133 (135).
31 As the term was coined in the United States, the American English version (‘advisory’) has become commonly
accepted and will be used in this article.
32 Oppenheim/Lange-Hausstein WM 2016, 1966; BaFin applies an unnecessarily narrow understanding of the
term and limits robo-advisory (in contrast to asset management and brokerage) to a fintech giving investment
advice, see BaFin Journal August 2017 p. 22, accessed on 18.09.2017.
33 For example, fintego (operated by European Bank for Financial Services GmbH) or Scalable Capital.
34 Baumanns BKR 2016, 366 (369); Möslein/Lordt ZIP 2017, 793 (795-796).
35 For example, easyfolio or growney.
36 Baumanns BKR 2016, 366 (369); BaFin op. cit. (fn. 32); Möslein/Lordt, ZIP 2017 p. 793 (795-796). An issue
that will not be discussed here is how a robo-advisor’s conflict of interest can be regulated under §§ 31 et seqq
WpHG.
37 Oppenheim/Lange-Hausstein, WM 2016 p. 1966 (1969); BaFin, op. cit. (fn. 32), p. 19.
38 For more details, see Hartmann, BKR 2017, 321.

If the fintech itself becomes a party to the loan agreement, it needs to apply for a banking
license under § 1(1) no. 2 KWG (Kreditgeschäft). A fintech taking deposits from the customer
on behalf of the bank is subject to a license requirement pursuant to § 1(1) no. 1 KWG
(Einlagengeschäft). If the fintech merely establishes the contact between bank and customer,
no banking license is required.39 However, such loan brokerage can be subject to a license
under § 34c(1) no. 2 GewO.

d. Crowdfunding
In 2014, Slava Rubin, founder of the crowdfunding platform Indiegogo, prophesied that
every bank worldwide would offer crowdfunding models in a few years.40 In September 2017,
eight major German banks directly or indirectly operated crowdfunding platforms.41
Three different models of crowdfunding can be identified. All are based on the idea that
numerous parties provide the required capital. The classical crowdfunding is based on
donations for particular projects, sometimes in return for symbolic consideration. In these
cases, crowdfunding platforms do not perform banking services or financial services. Thus,
they are usually not subject to licensing regimes under § 32 KWG.42 However, if the
crowdfunding platform collects money from donors and forwards it to the campaigners,
which is usually the case, a payment license under § 8 ZAG is required.43
Crowdlending platforms try to bring together potential investors and fundraisers. The
investment is based on loan agreements and comparable arrangements. Similar to the
aforementioned lending platforms, operators of crowdlending platforms typically only
establish the contact between the parties.44 Thus, they are not subject to the KWG licensing
regime, but potentially subject to § 34c(1) no. 2 GewO.45 A stronger involvement in the
process might trigger the need for a license under § 1(1) no. 2 KWG (Kreditgeschäft) if the
crowdlending platform temporarily holds the funds,46 or under § 1(1a) cl. 2 no. 9 KWG if the
business model involves a transfer of contract via the crowdlending platform (Factoring).47

39 Scholz-Fröhling, BKR 2017 p. 133 (134-135).
40 Hecking, Der Zugang zum Kapital ist kaputt, Manager Magazin, 21 January 2014, available at:
www.manager-magazin.de, accessed on 18.09.2017.
41 See Crowdfunding.de, Deutsche Banken im Crowdfunding-Check, 23 April 2017, available at:
www.crowdfunding.de, accessed on 18.09.2017.
42 Söbbing, BKR 2016 p. 360 (364); Scholz-Fröhling, BKR 2017 p. 133 (136).
43 Berger (BaFin), Crowdfunding im Licht des Aufsichtsrechts, 5 September 2012; available at:
www.bafin.de; accessed on 18.09.2017.
44 For the different models, see in more detail Hartmann, BKR 2017 p. 321 (323-324).
45 Müller-Schmale (BaFin), Crowdfunding: Aufsichtsrechtliche Pflichten und Verantwortung des Anlegers, 2
June 2014, available at: www.bafin.de; accessed on 18.09.2017.

Crowdinvesting, sometimes also referred to as equity crowdfunding,48 refers to investments in
financial instruments (shares, bonds etc). These services often require a license under § 1(1a)
cl. 2 no. 1 and no. 2 KWG (Anlagevermittlung).49 However, if the platform only provides brokerage
services in relation to investments subject to § 1(2) VermAnlG and does not receive any
property or possession regarding the investments, the crowdinvesting platform is exempt.50

3. Consequences
The conclusion is that more or less every fintech will require some kind of license.51 Provided
that the fintech is aware of this necessity (which is, given the entrepreneurial nature of the
fintech community, not necessarily the case), it has three options.
First, it could bite the bullet and apply for the respective license. This is the logical step for
very successful fintechs that have established a broad customer base.52 However, this would
hardly be viable for ‘normal’ fintechs due to the conditions and restraints imposed. This is
corroborated by the fact that there are hardly any fintechs listed in the BaFin license
database.53 Market participants expect that some fintechs will grow into online ‘marketplace
banks’ with their own compliance infrastructure, their own banking license and their own
customer support team.54 Funds holding and payment options will be provided directly whilst
all other services will be performed by third parties through application programming
interfaces (API).55 However, although this might be a suitable path for some, it will most
likely not work for all fintech companies.
Secondly, fintechs might take their chances and run their businesses without the required
license. Financial markets law enforcement might not have the best reputation in Germany,56
but such an approach is still highly inadvisable. If banking or financial services are provided
without a license, BaFin could make an order to shut down the respective business instantly
under § 37 KWG. Operating a business without a license is a criminal offence punishable
with imprisonment not exceeding five years, § 54 KWG.
The third and most popular option, as outlined in Part II, is cooperation between fintech and
bank. In this model, the role of the fintech is limited to providing services. Technically, the
bank outsources some of its functions to the fintech. The advantage for the latter is that it will
typically not require a banking license but could ‘hide under the wings’ of the bank.

46 This model has not been successful in Germany, see Hartmann, BKR 2017 p. 321 (322).
47 Scholz-Fröhling, BKR 2017 p. 133 (136).
48 For detailed analysis, see Pekmezovic/Walker, 7 Wm. & Mary Bus. L. Rev. 347 (2016).
49 Müller-Schmale, op. cit. (fn. 45).
50 Müller-Schmale, op. cit. (fn. 45); Söbbing, BKR 2016 p. 360 (364, 365).
51 Scholz-Fröhling, BKR 2017 p. 133 (135-136).
52 For example, the fintech start-up N26 GmbH used the banking license of Wirecard AG before obtaining its
own license pursuant to § 32 KWG in July 2016. As at August 2016, the company claimed to have more than
500,000 customers, see https://n26.com/n26-hat-jetzt-500000-kunden; accessed on 16.10.2017.
53 Scholz-Fröhling, BKR 2017 p. 133 (138).
54 Gelis, op. cit. (fn. 7), p. 235.
55 Gelis, op. cit. (fn. 7), p. 236.
56 For an overview, see Maume ZHR 2016, 358.

V. Fintech Outsourcing
1. Definitions and Applicable Law
Outsourcing describes the process of contracting out a formerly internal business function to
someone else. Alternatively, the bank enlists a fintech to carry out a function that the bank did
not provide in the past. This can be referred to as sourcing,57 because the bank is extending its
services. For the purposes of this article, both settings will be referred to as outsourcing.
Outsourcing by banks is subject to strict rules. The idea is that banks should not be able to
outsource responsibility.58 In particular, this extends to ongoing compliance with regulatory
requirements and their supervision.59 Special requirements for outsourcing of significant
processes and activities are set out in § 25b(1) KWG.60 This is further set out in BaFin’s
MaRisk,61 which elaborates on outsourcing at AT 9.
As discussed above, the statutory law does not contain any special rules on fintechs and
outsourcing. The requirements set out in § 25b KWG remain vague. From a regulator’s
perspective this is straightforward because it is the bank’s responsibility to analyse and design
its internal structure and processes. However, this regulatory technique is problematic in
evolving areas due to its uncertainty. BaFin is quite active regarding fintech and providing
assistance and guidance on various business models, but the BaFin website contains no
further information on fintech outsourcing. However, BaFin prides itself on investing a lot of
time in dialogue with fintechs.62 It has also established a contact form on its website that
allows fintechs to contact BaFin regarding the nature and regulatory implications of their
business models. There are no obvious reasons why banks and fintechs should not seek active
guidance from the regulator.
The problem is not just a German one. The cornerstones of banking regulation are harmonised
among EU and other jurisdictions. Outsourcing is a standard business procedure around the
globe. Although they cannot be binding for the application of § 25b KWG, recommendations
provided by foreign regulators can give some helpful guidance. The US Office of the
Comptroller of the Currency (OCC), a part of the US Department of Treasury and the
responsible federal banking regulator, has issued guidelines that are roughly comparable with
§ 25b KWG and MaRisk AT 9 in its Bulletin 2013-29 on third-party relationships.63 The
OCC recently published FAQs on various aspects of outsourcing, including some issues
involving fintechs.64 Similarly, the UK Financial Conduct Authority (FCA) released guidance
in 2015 for firms using third-party technology banking solutions65 and in 2016 for financial
service firms outsourcing to the ‘cloud’ and other third-party IT services.66

57 Taylor, FinTech Law, 2014, para 8-3.
58 See, e.g., Committee of European Banking Supervisors (CEBS), “Guidelines on Outsourcing”, 14 December
2016, Guideline 2.1; available at: www.eba.europa.eu, accessed on 18.09.2017.
59 Wolfgarten in: Boos/Fischer/Schulte-Mattler, KWG/CRR-VO, 5th ed. 2016, § 25b KWG para. 17.
60 For payment solutions licenses, § 20 ZAG sets out similar requirements.
61 BaFin, „Mindestanforderungen an das Risikomanagement (Rundschreiben 10/2012) (MaRisk)“, available
at: www.bafin.de, accessed on 18.09.2017. BaFin is currently working on an updated version; the draft is
available on the BaFin website.
62 Felix Hufeld, „Regulierung - Künftige Chancen und Herausforderungen“, Felix Hufeld (BaFin President),
delivered 22 March 2017 at the SZ-Finanztag in Frankfurt; available at: www.bafin.de, accessed on 18.09.2017.

2. Requirements of § 25b KWG


a. Outsourcing
For § 25b KWG to apply, the transfer of functions to the fintech needs to constitute
‘outsourcing’ within the meaning of § 25b KWG and MaRisk AT 9.1. This is the case for all
transfers of activities and processes that are necessary for the provision of banking and
financial services which would otherwise be performed by the bank. Importantly, it is
sufficient to transfer a non-banking service if this service is necessary for the provision of
banking services by the bank. Included are also ancillary services that are as such not subject
to KWG license requirements, but which are typically provided by banks.67 Examples of
ancillary services are listed in Annex I sec. B of Directive 2004/39/EC (MiFiD 1). These refer
to niche services, such as financial analysis without providing advice, or foreign exchange
services that are connected to the provision of investment services. Fintech services are typically
closely related to the business of banking (e.g., payment, e-money
solutions, financial advice) and provided on a regular basis, and these or
comparable services would otherwise be provided by the bank. Thus, the transfer of functions
to a fintech will basically always be ‘outsourcing’ within the meaning of § 25b KWG.68

b. Significance
The outsourced banking function must be significant (‘wesentlich’). This flows from the
principle of proportionality underlying the MiFiD Directive.69 There is no specific definition
of ‘significance’ in the legislation. MaRisk AT 9.2 sets out that the bank needs to carry out a
risk-based assessment as to which activities and processes are significant. Aspects that need to
be taken into account are, inter alia:70

• Does the function need to be available at all times, and what would be the worst case
scenario in the case of unavailability?
• What are the dangers for the bank’s reputation in case of default or other problems?
• Can the fintech be included in the bank’s internal risk management and auditing
processes?
• Could the fintech be substituted by a competitor in due course, or could the function
be carried out by the bank if need be?
• Has the fintech demonstrated adequate reliability, and what are its financial resources?

63 OCC, “Third-Party Relationship: Risk Management Guidance (Bulletin 2013-29)”, 30 October 2013, available
at: www.occ.gov, accessed on 18.09.2017.
64 OCC, “Third-Party Relationship: Frequently Asked Questions to Supplement OCC Bulletin 2013-29 (Bulletin
2017-21)”, 7 July 2017, available at: www.occ.gov, accessed on 18.09.2017.
65 FCA, “Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions”,
July 2014, available at: www.fca.org.uk, accessed on 18.09.2017.
66 FCA, “FG 16/5 - Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services”, July 2016;
available at: www.fca.org.uk, accessed on 18.09.2017.
67 Wolfgarten, op. cit. (fn. 59), para. 27.
68 Same conclusion regarding payment and e-money solutions in general: Wolfgarten, op. cit. (fn. 59), para. 29.
69 CEBS, op. cit. (fn. 58), p. 2.
70 For a comprehensive list, see Wolfgarten, op. cit. (fn. 59), para. 44, with further references; very similar criteria
were established in the US, see OCC, op. cit. (fn. 64), p. 4.

The assessment needs to be made on a case-by-case basis, so it is difficult to make general
statements. Insignificant outsourcing could relate to hardware maintenance (including IT),
factoring, general services for employees (e.g., company physician, canteen), supply to
ATMs,71 and generally all standardised services (e.g., market information services).72
Front-end solutions (i.e., websites that are available to customers) which are typically
provided by fintechs are more significant than back-end functions because problems could
make services unavailable and the bank’s reputation could be at stake. Fintechs typically
provide specialised, customised services that cannot be replaced instantaneously. Young
fintechs might be financially less stable than an incumbent service provider. All these factors
indicate that outsourcing to a fintech is not necessarily significant,73 but more often than not it
will be.

c. Limits
Broadly, all activities and processes can be outsourced, provided that the requirements of
proper business organisation under § 25a KWG are met. However, § 25b(2) KWG stipulates
that outsourcing must not result in a transfer of management responsibility to the external
service provider (i.e., the fintech). Management functions such as the setting of strategies and
policies in respect of the bank’s risk profile and control, the oversight of the bank’s internal
processes and the final responsibility towards customers and supervisors hence cannot be
outsourced.74
This raises the question as to which remaining business functions can be outsourced to
fintechs. Lending or the acceptance of deposits by the fintech is only possible if it holds the
respective license under § 32 KWG.75 Any other activity can be outsourced in principle if the
orderliness of the fintech’s conduct is ensured, and if the bank’s management is able to
manage and monitor the fintech’s business.76 In other words, the fintech does not have any
decision-making authority. All decisions must be made on the basis of predetermined criteria
that do not leave any discretion for the fintech. Thus, outsourcing of payment solutions and

71 Wolfgarten, op. cit. (fn. 59), margin no. 49, citing MaRisk in its 2007 version.
72 Langen, in: Schwennicke/Auerbach, KWG, 3rd ed. 2016, § 25 KWG margin no. 132.
73 Similarly OCC, op. cit. (margin no. 64), using the term “critical” instead of “significant”.
74 CEBS, op. cit. (fn. 58), Guideline 3.1.
75 CEBS, op. cit. (fn. 58), Guideline 4.1.
76 CEBS, op. cit. (fn. 58), Guideline 4.2.
the operation of crowdfunding platforms should be possible because the fintech only carries
out other people’s orders. The same applies to lending services if the
service provided is limited to improved processes that do not relate to the decision as to
whether to enter into a loan agreement. Decisions made based upon predetermined criteria
such as the customer’s credit score would be possible.
Similarly, robo-advisory services are not problematic as the advice does not entail any
management decisions by the bank (although the basis on which the decisions are made
requires bank approval). At first glance, automated portfolio management could pose a
problem because there are no human-made decisions. However, strictly speaking, an
automated portfolio management service carries out sell/purchase orders on behalf of the client
and not for the bank. Thus, there is no transfer of management functions to the fintech.

3. Consequences for the Bank


If outsourcing is not relevant pursuant to § 25b KWG, the bank only needs to comply with the
general organisational requirements of § 25a KWG, which means the external service
provider needs to be chosen carefully and the quality of the services provided needs to be
monitored.77

For significant outsourcing a much tighter regime applies. In short, the bank needs to create a
system that allows a level of supervision and monitoring which is equivalent to the bank’s
internal systems. The extent of this monitoring depends on the importance of the outsourced
function (principle of proportionality), but also on the nature of the external service provider.
If a fintech provides the same services to several banks, which indicates a certain size, or has
its own bank license, the fintech will typically have built up its own supervision and
compliance structures.

Generally, the bank’s internal compliance function needs to extend to the outsourced
processes and services because the bank is directly responsible for all breaches that the fintech
commits (for example regarding privacy laws and money laundering laws).78 That means that
MaRisk and the neighbouring MaComp79 need to be complied with. In addition, the bank
needs to include the fintech in its internal risk management system, including the bank’s
risk-bearing ability concept.80 The outsourced services must be subject to continuing
controlling mechanisms, in particular regarding the fintech’s financial stability.81 The bank
must ensure that its internal audit function is able to investigate all issues that might arise in the
sphere of the fintech. The same applies to all audits and probes conducted by the regulators.82
The irony is that a lot of this monitoring would need to be carried out in the classical way,

77 Wolfgarten, op. cit. (fn. 59), margin no. 51.
78 Wolfgarten, op. cit. (fn. 59), margin no. 54; similar in the US, see Taylor, op. cit. (fn. 57).
79 BaFin, „Mindestanforderungen an die Compliance-Funktion (…) (Rundschreiben 4/2010)“, available at: www.bafin.de, accessed on 18.09.2017.
80 Wolfgarten, op. cit. (fn. 59), margin no. 55.
81 OCC, op. cit. (fn. 64), pp. 3-4.
82 CEBS, op. cit. (fn. 58), Guideline 11.
which means by manual scrutiny. This is in sharp contrast to the promise of digitisation and
increase of efficiency made by the fintech community.

All these mechanisms need to be laid out in the outsourcing contract, including the bank’s
right to give directions to the fintech.83 Due to a fintech’s limited resources, banks need to
have contingency plans for interruptions of service84 and for other emergencies. For example,
a fintech will not have the know-how or the resources to handle problems in social media
(‘shitstorms’). If incidents happen in the sphere of the fintech but are related to the
outsourcing bank, the latter must be able to react as quickly as if the problem existed within
the bank itself. All these issues require a deep level of understanding of the fintech’s internal
structure and processes, as well as the underlying technology. For example, the fintech might
need to actively train bank staff if the bank’s telephone hotline covers the services provided
by the fintech.

4. Consequences for the Fintech


Accordingly, the fintech might need to restructure its business in order to comply with the
banking regulation requirements. Thus, the view that the fintech could ‘hide’ behind the
bank’s license is not fully accurate. The fintech would also need to disclose its know-how to
the extent that the outsourcing bank is able to monitor the fintech’s performance and provide
for contingency plans. Last but not least, the fintech would lose a part of its independence.
The right to make decisions regarding the banking services remains with the bank, which is
even entitled to give directions if necessary. The potentially stifling consequences for the
fintech in particular, but also for the fintech industry as a whole, should not be
underestimated.85 The claim that the fintech could hide ‘under the wings’ of the bank may be
true, but this strategy comes at a cost.

VI. Conclusion
There are many uncertainties as to how fintechs fit into the regulatory banking landscape. As
we have seen, the term ‘fintech’ can be slightly misleading. It is better to start the analysis
from the particular business model. As there is currently no specific regulation and no option
to test fintech business models in a sandbox, fintechs are subject to the same regulatory
requirements as other businesses in the financial industry. Most fintech business models
require banking licenses or other licenses. It might be a popular approach for banks to
outsource some functions to fintechs. However, this requires a significant extension of the
bank’s monitoring, supervision and auditing systems because many fintechs lack the internal
structures required under banking regulation. Outsourcing also comes with numerous
restraints on the fintech’s independence. As a consequence, the outsourcing model might even

83 For the full list of contractual requirements, see MaRisk AT 9.6.
84 OCC, op. cit. (margin no. 64), p. 4.
85 Scholz-Fröhling, BKR 2017, p. 133 (139).
be unattractive for the fintech. In any event, banks and fintechs should not embrace
outsourcing prematurely, but weigh the advantages and disadvantages carefully.
