Newcomers to the financial business have not always had an easy time in the past. For decades, established financial institutions have dominated the industry and shaped its business models. There have been gradual improvements in banking services, but not many disruptive innovations in recent years.
This has changed since January 2018: The revised version of the Payment Services Directive (PSD2) will benefit customers in particular. Creative banking services enhance the customer experience, and a vibrant ecosystem of modern apps and original special services is growing and flourishing.
However, there is one small drawback from the perspective of young startups: many newcomers are overwhelmed by the complex challenges and diverse regulatory hurdles associated with PSD2 licensing. While the wealth of ideas for new banking offerings gives many FinTech startups wings, the question of regulatory obligations brings them back down to earth.
BaFin Authorisation is Mandatory as soon as Sensitive Data is Involved
Financial services are a complex business that is largely subject to regulation. Providers that access information or process account access data after approval by their customers via a banking API generally need authorisation from the Federal Financial Supervisory Authority (BaFin).
BaFin supervises and controls all areas of the financial system in order to protect customers. Anyone who wants to offer banking or financial services in Germany cannot avoid getting BaFin authorisation.
But which FinTech concepts are subject to regulation?
- Account Information Services (AIS): Numerous banks and FinTech startups have developed offerings in which they access customer data at an account-managing institution via a banking API on behalf of their customers. Typical examples are multi-banking apps, account switching services and credit platforms.
- Payment Initiation Services (PIS): These are providers that execute transactions on the customer’s online banking account on their behalf. A banking API is again used to access the account managed at a financial institute. Examples of such offerings are abrapay or Lendstar.
In both cases, the respective providers process sensitive data which, pursuant to PSD2, is subject to regulation and therefore requires BaFin authorisation.
With PSD2, the EU Commission is strengthening consumer protection in payment transactions. At the same time, the directive that came into force on 13 January 2018 increases competition among payment service providers. We have summarised all the background to and details about PSD2 for you in this blog post.
BaFin Authorisation: A Challenge for many FinTechs
FinTech start-ups operating in this environment now require authorisation to provide payment initiation services as a payment institute or to register as an account information service. However, the requirements for approval are anything but trivial:
- An initial capital of 50,000 euros is required for payment initiation and account information services.
- The company management must prove their professional competence through their previous career, combined with practical experience and theoretical knowledge.
- Especially relevant for FinTech start-ups: BaFin also checks the reliability of the investors behind the scenes and can refuse approval in case of doubt.
- All applicants must provide detailed information on their business model, business plan, company organisation and corporate management.
- Another requirement is detailed process documentation that describes the handling of customer complaints and the management of crisis situations and IT security incidents.
- BaFin also requires full transparency and clean documentation for the security standards used by FinTechs in the processing of sensitive customer and account data.
The BaFin registration process is complex: several hundred pages of documents, a duration of six months and costs that are difficult to estimate at the beginning of the process.
The BaFin fees themselves are quite manageable. In addition, however, there are usually expenses for attorneys and legal proceedings which, depending on the duration of the approval procedure, can quickly be many times the actual admission fee – and all this with an uncertain outcome.
Smarter Shortcut: Join a Licensed Provider
For FinTech startups that cannot do without BaFin authorisation, there is an interesting alternative to registering themselves. An independent authorisation request takes up valuable time and resources that start-ups do not have at the beginning of their careers; instead, they can join a provider that already has the appropriate authorisation.
Cooperating with such a provider enables FinTech start-ups to comply with all requirements without becoming subject to regulation themselves. This allows newcomers to avoid the complicated application procedure and enables them, both technically and contractually, to offer customers all services pursuant to the legal requirements of PSD2 right from the outset.