12 min read · 11 June 2026

Regulatory Roadmap for FinTech Scale-Ups

Simon Waldbröl, MBA (Boston) [1]


Summary

At the HoFT Scale-Up Academy session on "Regulation & Compliance | Regulatory Roadmap", one central message ran through the entire discussion: regulation is not a gate you pass through once. It is infrastructure. It shapes your product design, your partnership strategy, your organisational set-up, your fundraising narrative, and ultimately your ability to scale. The sooner FinTechs treat regulatory thinking as a core product discipline rather than as a downstream legal exercise, the faster and more robustly they will grow.

The Market Segment Question

Any regulatory analysis has to start somewhere. The natural starting point is not a statute, but a question: What is your value proposition, and what sets you apart from other players?

FinTech business models fall into four broad areas – Payment (alternative payment methods and crypto assets); Financing (lending, factoring, leasing, crowdfunding, Buy Now Pay Later); Wealth & Investment (broking, trading, robo-advisory); and Financial Wellbeing (budgeting, liquidity management, retirement provision, risk protection) – each carrying a materially different regulatory profile. Beyond these, further verticals include RegTech, infrastructure, InsurTech, and PropTech.

Financial Wellbeing has attracted particular focus. It encompasses the ability to manage day-to-day finances, absorb financial shocks, and build long-term financial security. It is also a cross-cutting concept: it traverses multiple FinTech segments and, with it, multiple regulatory frameworks.

The point of this classification is practical: the segment your business model sits in determines which regulatory framework governs your activities, which licences may be required, and which compliance architecture you must build. Getting the classification wrong at the outset creates costly corrections later.

It Is a Journey, Not a Checkbox

One of the most important insights for FinTech founders is that the regulatory path is not binary – licensed or not – but a journey that evolves with the company's maturity.

The regulatory journey tracks development stages: Start-Up, Scale-Up, and Grown-Up. Early-stage FinTechs typically externalise regulated activities – embedding services via licensed partners such as banks, e-money institutions, or investment firms. Internalisation – acquiring one's own licence and building in-house compliance infrastructure – comes later, as product-market fit is established.

This is neither a binary question nor a one-way street. FinTechs may start with a partner model and only later internalise certain regulated functions – or an already-licensed entity may choose to externalise specific activities as it diversifies. The roadmap must remain flexible enough to accommodate these shifts.

Decisions about the operating model must be revisited at every significant product change, new customer segment, new geography, or new partner relationship – each can move the regulatory needle.

Mapping the Regulatory Landscape

Once segment and operating model are clear, the task is mapping the applicable legal framework. In Germany – and at EU level – this analysis runs along two axes simultaneously.

The first axis is action-based: it maps regulation by the type of business activity. Payment services and e-money business fall under the Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz [2], "ZAG"), with the Payment Services Directive 3 and Payment Services Regulation on the horizon. Banking business and financial services are governed by the Banking Act (Kreditwesengesetz [3], "KWG") and the Securities Institutions Act (Wertpapierinstitutsgesetz [4], "WpIG"). Brokerage of loans, insurance, and financial assets falls under the Trade, Commerce and Industry Regulation Act (Gewerbeordnung [5], "GewO") and the Crowdfunding Service Provider Regulation [6]. Debt collection is addressed by the Legal Services Act (Rechtsdienstleistungsgesetz [7], "RDG") and the Secondary Credit Market Act (Kreditzweitmarktgesetz [8], "KrZwMG").

The second axis is product-based: it maps regulation by the instrument or asset involved. Securities are governed by the Securities Trading Act (Wertpapierhandelsgesetz [9], "WpHG"), the WpIG, and the Markets in Financial Instruments Regulation [10] ("MiFIR"). Crypto assets fall under the Markets in Crypto Assets Regulation [11] ("MiCAR"). Other asset classes involve the Asset Investment Act and the ECSP Regulation. Fund investments are governed by the Investment Code (Kapitalanlagegesetzbuch [12], "KAGB"), the Alternative Investment Fund Manager Directive [13] ("AIFMD"), and the UCITS Directive [14].

Most FinTech business models trigger analysis on both axes at once. A robo-advisory product, for example, raises questions about investment services regulation (WpIG) and about the nature of the instruments recommended (WpHG, MiFIR). Missing one axis is how regulatory exposure tends to be underestimated.

No Regulatory Sandbox

There is currently no regulatory sandbox in Germany, although the Federal Ministry for Economic Affairs and Energy is trialling one.[15] Germany operates a risk-based approach: BaFin assesses each business model on its concrete facts – the specific activities performed, the instruments involved, and the actual structure of the product and its distribution. A brand name or label carries no regulatory weight. What matters is the legal substance of what is being done.

The Four Pillars of a Licence Application

Whether applying for an investment firm, payment services, banking, or other licence, BaFin's substantive requirements [16] cluster around four core pillars:

Minimum Capital (Mindestkapital). The threshold varies significantly by licence type, from EUR 20,000 under the ZAG to EUR 5 million under the KWG.

Directors (Geschäftsleitereignung). Directors of regulated entities must be fit and proper – professionally qualified and personally reliable. BaFin will scrutinise CVs, references, and any prior regulatory or criminal history.

Ownership control (Inhaberkontrolle). BaFin must understand who ultimately owns and controls the institution. Any person or entity holding a qualifying stake (typically 10% or more) is subject to an owner-control procedure, including due diligence into their fitness and financial soundness.[17] The clear recommendation: keep the cap table clean. Complex group structures, cross-participations, or opaque beneficial ownership chains generate extensive documentation requirements and can significantly prolong the procedure. Founders and investors should consider simplifying cap table structure before filing.

Governance (Geschäftsorganisation). The applicant must demonstrate a sustainable business plan and proper governance structures: a credible financial model, a risk management framework, compliance arrangements, conflict-of-interest mechanisms, and – where required – an internal audit function.

BaFin assesses all four pillars together. Weaknesses in any one will trigger requests for supplementary information, prolonging the process. Early and thorough preparation across all four is the most reliable way to manage the timeline.

The Licensing Reality: Content, Timeline, and Cost

A licence application under German law typically covers: general information about the entity and its planned activities; a three-year business plan; full documentation of the directors, including professional experience and personal reliability; disclosure of all holders of qualifying shareholdings; proof of capital; and documentation of the organisational obligations, including risk management, compliance, conflicts of interest management, and IT security measures.

On timeline: preparation is "up to you" in BaFin's own framing – the application clock does not start until BaFin confirms the submission is formally complete. The statutory review period is then six months. In practice, accounting for preparation, pre-submission dialogue, and BaFin queries, total elapsed time typically runs to 12 to 24 months. Early, structured engagement with BaFin – including pre-application discussions – is the single most effective lever for managing the timeline.

On cost, the BaFin authorisation fee for an investment firm, as an example, is approximately EUR 6,000, with additional time-based fees of EUR 50 to 90 per hour for supplementary regulatory work and an annual levy of at least EUR 4,500.[18] Legal advisory costs are variable, and the quality of preparation is the principal determinant of both timeline and total cost.

A dimension that regularly adds complexity is the source of own funds (Mittelherkunft). BaFin takes a focused interest in understanding where the capital ultimately originates [19] – this is, among other things, an AML dimension: BaFin needs to be satisfied that the funds are clean and the ownership trail is transparent and verifiable. Where foreign investors are involved, this can require multiple iterations with BaFin, detailed documentation, and source-of-wealth evidence. Founders and investors should factor this into their planning timeline well in advance.

Compliance is More Than Just Obtaining the Licence

A licence marks the beginning of a regulatory relationship, not the end of it. Ongoing compliance spans four core areas:

Anti-Money Laundering. The primary German framework is the Money Laundering Act [20] (Geldwäschegesetz, "GwG"), implementing the Fifth AML Directive.

Data and IT. The GDPR [21] governs data protection. The Digital Operational Resilience Act [22] ("DORA"), applicable since January 2025, sets EU-wide requirements for ICT risk management, incident reporting, operational resilience testing, and third-party ICT risk management. BaFin's Banking Supervisory Requirements for IT [23] ("BAIT") and equivalent sector-specific frameworks remain relevant, at least in part, alongside DORA, as does a growing body of supervisory guidance on cloud outsourcing and algorithmic systems. Building a coherent IT and cyber-resilience architecture requires mapping all of these requirements together.[24]

Even FinTechs that are not themselves directly regulated should expect DORA-grade requirements to be pushed down through the supply chain by their regulated partners. Cooperation agreements with banks, e-money institutions, and investment firms will increasingly reflect DORA's requirements on ICT risk management, incident notification, subcontractor oversight, and audit rights. Building operational resilience early is the right preparation – regardless of your own licence status.

Operations and Risk. The Capital Requirements Regulation [25], the Minimum Requirements for Risk Management [26] (Mindestanforderungen an das Risikomanagement, "MaRisk"), and the equivalent frameworks for payment institutions govern operational and risk management standards. Guidelines published by the European Banking Authority ("EBA"), the European Securities and Markets Authority ("ESMA") and the European Central Bank ("ECB") layer further expectations on top.

Outsourcing. MaRisk, ZAG-MaRisk [27] (minimum requirements for the risk management of ZAG institutions), WpI-MaRisk [28] (minimum requirements for the risk management of investment firms), DORA, and ESMA Guidelines [29] together establish a dense set of requirements around how regulated entities manage relationships with service providers – including contract terms, audit rights, subcontractor oversight, and incident handling.

Cross-Border – Passport Wisely, Not Opportunistically

The EU framework offers two cross-border pathways: the European Passport [30], which allows a regulated entity authorised in one Member State to provide services across the EU – via a branch or on a purely cross-border basis; and passive freedom to provide services, where a customer approaches the firm from another jurisdiction without any active solicitation.

The clear message: no forum shopping. Choosing to licence in a jurisdiction purely because its regulatory environment appears more permissive – with the intention of passporting back into Germany or other stricter markets – is an approach European supervisory authorities have consistently scrutinised and challenged. Regulatory arbitrage is not a sustainable strategy.

Cross-border growth requires a genuine strategic decision – which entity, in which jurisdiction, provides which service, to which customers, through which channel – made on commercial and operational grounds, not on the assumption that a particular passport is a lighter-touch regulatory route.

The Regulatory Horizon

The regulatory landscape continues to evolve rapidly. Three areas in particular deserve close attention.

AML reform. The EU AML Regulation [31] is expected to take effect from 10 July 2027, bringing a directly applicable, harmonised AML framework across all Member States. The new EU Anti-Money Laundering Authority will take on direct supervisory responsibility for certain higher-risk financial entities. For FinTechs currently operating under Member State-level AML frameworks, this represents a significant shift in the supervisory architecture.

IT and cyber-resilience. The framework continues to develop beyond DORA, with BaFin and European supervisory authorities publishing additional guidance on specific topics – including cloud services, algorithmic systems, and AI-based decision-making. Staying current with supervisory guidance, not just formal legislation, is an ongoing operational requirement.

Payments regulation. The EU's proposed Payment Services Directive 3 [32] and Payment Services Regulation [33] package is expected to reshape the European payments landscape materially once formally adopted and implemented. FinTechs whose product architecture depends on PSD2 [34]-derived design choices – around open banking, account access, or liability allocation – should monitor this development closely and assess its implications for their current and planned structures in good time.

Across all three areas, the firms that will adapt most successfully are those that have invested in the right structural foundation: a clear regulatory perimeter, well-documented partner arrangements, a scalable compliance architecture, and a management team that treats regulatory developments as strategic inputs rather than administrative events.

Closing Thought

A regulatory roadmap is not about being over-lawyered. It is about building the infrastructure that makes everything else possible: credible partner relationships, investable governance structures, and a product your customers can trust. The earlier that infrastructure is in place – even in minimal, scalable form – the faster FinTechs can grow.


These findings were gathered during HoFT Berlin’s Scale-Up Academy Class of 2025 in the Regulation & Compliance Module. This article is for general information purposes only and does not constitute legal advice. Specific regulatory assessments depend on the individual product design, contractual structure, and operational implementation of each business model.



Sources:

[1] Partner, Banking & Finance, Schalast Law | Tax, https://www.schalast.com/de/rechtsanwaelte/frankfurt/Simon_Waldbroel.php [01.06.2026].

[2] https://www.gesetze-im-internet.de/zag_2018/ [29.05.2026].

[3] https://www.gesetze-im-internet.de/kredwg/ [29.05.2026].

[4] https://www.gesetze-im-internet.de/wpig/ [29.05.2026].

[5] https://www.gesetze-im-internet.de/gewo/ [29.05.2026].

[6] https://eur-lex.europa.eu/eli/reg/2020/1503/oj [29.05.2026].

[7] https://www.gesetze-im-internet.de/rdg/ [29.05.2026].

[8] https://www.gesetze-im-internet.de/krzwmg/BJNR19B0B0023.html [29.05.2026].

[9] https://www.gesetze-im-internet.de/wphg/ [29.05.2026].

[10] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02014R0600-20251123 [29.05.2026].

[11] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02023R1114-20240109 [29.05.2026].

[12] https://www.gesetze-im-internet.de/kagb/ [29.05.2026].

[13] https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX%3A02011L0061-20260416 [29.05.2026].

[14] https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX%3A02009L0065-20260416 [29.05.2026].

[15] Announcement by the Federal Ministry for Economic Affairs and Energy from 16.01.2025, https://www.bundeswirtschaftsministerium.de/Redaktion/EN/Dossier/regulatory-sandboxes.html [29.05.2026].

[16] For further details, please see BaFin’s guidelines, https://www.bafin.de/DE/unternehmen-maerkte/erlaubnis-registrierung/fintech/schritte-erlaubnis/schritte-erlaubnis_node.html [29.05.2026].

[17] For further details, please see BaFin’s guidelines on beneficial ownership, https://www.bafin.de/DE/unternehmen-maerkte/aufsicht/alle-unternehmen/inhaberkontrollverfahren/inhaberkontrollverfahren_node.html [01.06.2026].

[18] In order to estimate the costs incurred by BaFin’s assessment, please see the special fees regulation of the Federal Ministry of Finance on Financial Services Supervision: https://www.gesetze-im-internet.de/findagebv/index.html#BJNR407700021BJNE000806131 [01.06.2026].

[19] As stated in BaFin’s guidance on the interpretation and application of the German Money Laundering Act, BaFin verifies the source of the funds: https://www.bafin.de/SharedDocs/Downloads/DE/Auslegungsentscheidung/dl-ae-auas-2025-gw.html?nn=150446 [01.06.2026].

[20] https://www.gesetze-im-internet.de/gwg_2017/ [01.06.2026].

[21] https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX%3A02016R0679-20160504 [01.06.2026].

[22] https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng [01.06.2026].

[23] https://www.bafin.de/SharedDocs/Downloads/DE/Rundschreiben/dl_rs_1710_ba_BAIT.html [01.06.2026].

[24] https://www.eba.europa.eu/sites/default/files/2026-05/c8fb6168-0aef-42f6-8da9-114a8baf21b9/Consolidated%20version%20of%20EBA%20ameding%20Guidelines%20on%20ICT%20and%20security%20risk%20management.pdf [01.06.2026].

[25] https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX%3A02013R0575-20260101 [01.06.2026].

[26] https://www.bafin.de/SharedDocs/Downloads/DE/Rundschreiben/dl_rs_06_2024_MaRisk_pdf_BA.pdf?__blob=publicationFile&v=2 [01.06.2026].

[27] https://www.bafin.de/SharedDocs/Downloads/DE/Rundschreiben/dl_rs_0724_ZAG_MaRisk.pdf?__blob=publicationFile&v=6 [01.06.2026].

[28] https://www.bafin.de/SharedDocs/Downloads/DE/Konsultation/2025/dl_kon_15_2025_Rundschreiben_MaRisk.pdf?__blob=publicationFile&v=1 [01.06.2026].

[29] https://www.esma.europa.eu/sites/default/files/2024-01/JC_2023_86_-_Final_report_on_draft_RTS_on_ICT_Risk_Management_Framework_and_on_simplified_ICT_Risk_Management_Framework.pdf [01.06.2026].

[30] For further details, please see BaFin’s remarks: https://www.bafin.de/DE/unternehmen-maerkte/erlaubnis-registrierung/ewr-drittstaaten/europaeischer-pass/europaeischer-pass_node.html [German-only; 01.06.2026].

[31] https://eur-lex.europa.eu/eli/reg/2024/1624/oj/eng [01.06.2026].

[32] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52023PC0366 [01.06.2026].

[33] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52023PC0367 [01.06.2026].

[34] Second Payment Services Directive, available at: https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX%3A02015L2366-20250117 [01.06.2026].