We are

Career at

News at


Regulatory developments in 2017: new year, renewed challenges?

Key Facts

  • BaFin president states new regulatory challenges for 2017

  • Fintech regulation and security aspects, together with payment transaction solutions, now a central focus for regulatory bodies

  • Publication of the Basel IV installment of regulations expected in first quarter

  • Regulatory agenda requires further digitalization of the process landscape

  • High degree of legal and regulatory uncertainty forces institutions to adopt a flexible and short-term approach in implementing regulatory requirements


Agility – Motivation – Self-Responsibility

The New Year Reception of the Federal Financial Supervisory Authority (BaFin) on January 10 gave an indication of the regulatory agenda for 2017. During the event, BaFin’s president, Felix Hufeld, spoke of a year “full of tasks, demands and pressures”. This overview of the regulatory challenges makes his meaning clear.

Fig. 1: Excerpt of the regulatory agenda for 2017 (Source: COREinstitute)

Fintech regulations

2017 will be an important year for the future of the fintech ecosystem. The discussion papers published in 2016 by European supervisory bodies – the EBA, ECB, ESMA and FCA – will require this topic to be dealt with in greater depth. BaFin announced that it would be looking very closely at the regulation of fintechs, regtechs and distributed ledger technology (blockchain technologies) – and in the case of the latter, particularly crypto-currencies. On a European level, the “Task force on Financial Technology” (TFFT) set up by the EU Commission is planning to make general recommendations on fintechs. The publication of these suggestions is expected to occur in the first half of the year.

Money laundering

The deadline for implementing the fourth money-laundering directive (EU 2015/849)by June 26, 2017 will bring in its wake significant tightening up of the money laundering requirements for financial market players. Besides extending the scope of application of the guidelines – in particular, to include the trading platforms of the crypto-currency Bitcoin – those subject to the guidelines will now be required to set up an electronic transparency register.

In order to further reduce the risk of money laundering and the financing of terrorism, it is planned to increase the requirements for thorough checking of financial flows from third countries. Further- more, with the implementation of the money transfer regulations (EU 2015/847), requirements for payment service providers will become much more stringent in order to guarantee the implementation of international standards and allow criminal investigators adequate access to information. With its circular on video identification expected for the first quarter of 2017, BaFin intends to give greater detail on the intended users of the video identification process and what it will be required to achieve.

IT security

The implementation of the NIS directive (EU 2016/1148) on May 9, 2018 will create the first EU-wide regulations on cybersecurity. Although Germany already has its own statutory regulations in the form of the IT Security Act, it remains to be seen whether the implementation of the NIS directive will involve any need for adjustments to be made on a national level. Furthermore, clarification regarding finance market infrastructure(which forms part of critical infrastructure) can be expected in 2017 in the form of an amendment to the IT Security Act.

PSD II/Payments

A draft bill on the implementation of the Payment Service Directive II (PSD II) was published before Christmas 2016. It can be assumed that the EBA will use the remaining months till the middle of 2017 to publish the remaining guidelines and regulatory technical standards (RTS). In addition, the SEPA Credit Transfer Instant Scheme (SCTInst) is due to come into force. Its requirements are based on the SCT regulations, with the intention of making money transfers possible in under ten seconds in the form of Instant Payments.

Basel IV

The cancellation of the meeting of the Basel Committee originally scheduled for January 8 demonstrates the divergent views on the upcoming banking regulations within the BCBS. The purpose of the new reform is to reduce the complexity of internal risk models used within banks. It is intended as a consequence of this to make it easier to compare different institutions. One key subject of dispute is the significant increase in capital requirements for financial institutions in continental Europe. It is currently expected that the final version of the Basel IV regulations is due to be published in March 2017.

5th MaRisk Amendment, BAIT and other BaFin circulars

The 5th MaRisk Amendment [Minimum Requirements for Risk Management], the publication of which was anticipated in mid-2016, is now expected this quarter. Its main focus will be the implementation of the requirements of BCBS 239, additions and specifications of the requirements for externalization, and the requirement to create an appropriate risk culture.

Furthermore, it is expected that BaFin will publish the Banking Supervisory Requirements for IT (BAIT) in February, specifying the requirements of MaRisk in terms of technical concepts of supervision for the IT organization, IT infrastructure and IT security of a bank.

This list will be rounded off by MaGo – statutory regulatory requirements for business organization for insurance companies – due to be published in the second quarter of the year, KAMaRisk – minimum requirements for risk management in capital management companies – and a guide to interpreting the Risk Shield.

Further regulations

For the first time in 2017, agreements reached in 2014 to heighten international tax transparency will lead to automatic exchange of information on income relevant to taxation that is subject to a reporting obligation.

The implementation of the EGA guidelines for a robust remuneration policy(EBA/GL/2015/22), which was published as an extension of the CRD IV directive, was originally scheduled for the beginning of the year. BaFin currently plans to announce the change in the German Federal Law Gazette in February 2017. The regulations will then come into force this March.

From 2017 on, “other system-relevant banks”, or A-SRIs, will also be obliged to retain additional capital reserves. The size of the capital buffer required depends on size, economic significance for the German and European economies, the scope of the bank’s activities, and its linkages within the national financial system and beyond.

Rising to the challenge

Besides ongoing digitalization, 2017 will be dominated by IT security and the regulation of fintechs. Innovation should not be slowed down by regulation, nor is it the intention that established banks should be protected from their up-and-coming competitors. On the contrary, the regulator wishes to be seen as a driver of innovation for the processes of technical transformation within the financial ecosystem.

The market needs to understand the interconnected effects of the regulatory requirements it must meet. Looking ahead to the coming changes, the fact that some of the deadlines for implementation are very short – as seems likely with the money laundering directive – will create major challenges for those involved in financial markets, especially as it can be expected that some of the requirements will once again not be defined with sufficient granularity, or will not have reached their final form. That does not mean that people in the institutions should just sit back. It would be a mistake to put one’s head in the sand, because all the prospective and existing regulations have one thing in common – they require a (r)evolution in the IT process landscape in order to shape these demanding changes in an efficient way.

Once again, the regulatory challenges of 2017 show, to an ever greater extent, that banks can now only succeed in conforming to the regulations in time and on budget if they combine avideogile project management with flexible IT structures and proactive ongoing development of their IT security.