We are

Career at

News at


Regulatory system 2018f. - High point of the regulatory wave sets standards for the financial industry


  • Extensive regulatory requirements for financial service providers in 2018
  • Data protection, money laundering regulation (AML), risk management and supervisory architecture in the focus of the requirements
  • FinTechs and other financial service providers increasingly subject to regulatory requirements


From a regulatory point of view, 2018 is marked by a wealth of innovations and changes that have rarely been the case so far. However, the outlook for 2019 is expected to ease only slightly. Despite the diverse requirements, the focus in 2018 will be on data protection, money laundering regulation, risk management and the supervisory architecture of the institutions. In the following article we provide an overview in the sense of first guidance on these topics.


Figure 1: Upcoming regulatory projects focus on IT or require greater IT commitment from industry

Basic Data Protection Regulation (DSGVO) / ePrivacy Regulation

From 25 May 2018, the Basic Data Protection Regulation (BDPR) will apply. The BDPR essentially continues the previous basic principles of data protection law, but sets new priorities in the area of technical data security. The principles of "prohibition subject to permission", "data avoidance and data economy", "purpose limitation" and "transparency" also characterise the basic data protection regulation.

As a central principle of data protection, the guarantee of data security is also enshrined in law for the first time ever. Article 5 para. 1 lit. F i.V.m. Article 32 BDPR prescribes the appropriate consideration of the state of the art in the implementation of suitable organisational and technical measures - "encryption" of personal data is specifically prescribed. Also for the first time, the BDPR is sanction-proven for the effective enforcement of data protection; with fines of up to 4% of annual turnover or a maximum of EUR 20 million.

Originally, the ePrivacy Regulation was also due to enter into force on the same day. It specifies the BDPR in the area of electronic communications and extends the data protection regulation to so-called "over-the-top communication providers" (OTT) such as instant messaging. The ePrivacy Regulation is currently in the trilogue process and is unlikely to enter into force before May 2019.

Money laundering regulation

Although only the fourth Money Laundering Directive (Directive 2015/849/EU) found its final implementation in national law in July 2017, the EU Commission published a draft for an adaptation and further tightening of the money laundering requirements as early as mid 2016.

The focus of the upcoming regulatory reform is on further tightening the prevention of money laundering and terrorist financing, in certain cases lowering the reporting threshold for beneficial owners to 10 percent and increasing tax transparency.

In addition, providers of virtual currency exchanges and wallets are to be fully integrated into the scope of application of the Money Laundering Act. In addition, the limits for e-money products for which no identity verification of the consumer is required (in particular prepaid cards) are to be lowered once again.[1]

A final adoption by the EU Commission is expected at the beginning of this year.


Risk Management

Following the publication of the 5th MaRisk amendment and the final agreement on the reform package called "Basel IV" in the fourth quarter of 2017, beretis has set the first major pegs for the coming years, further detailing and updating of the risk management requirements is to be expected.

At the turn of the year 2018, for example, the so-called leverage ratio will be applied for the first time.[2]

With the entry into force of the ECB Regulation (EU) No. 2016/867 on 30 September 2018, also known as AnaCredit, there will be a significant increase in the granularity of data collection at the individual credit level. By order of the Bundesbank, German credit institutions are obliged to transmit the contractual partner master data as of 31 January 2018 and credit master data including dynamic credit data as of the reporting date of 31 March 2018.

With the publication of guidelines for checking the borrower's creditworthiness and assessing his solvency, which are scheduled for mid-2018, the EU Commission is extending and manifesting the guidelines on the handling of loans and in particular non-performing loans (NPLs) already published by the ECB in March 2017. The aim here is to accelerate the restructuring of bank balance sheets and to boost the granting of new loans.

The finalisation of the draft amendment to the Large Exposures and Million Loan Ordinance (GroMiKV) published by BaFIN in 2017 is expected in 2018; a large part of the legal amendments should therefore enter into force on 1 January 2019, while individual exemptions will most probably already be available on 1 January 2018.[3]

For 2018, the planned amendments to Directive 2013/36/EU - CRD IV - and Regulation 575/3013/EU - CRR - are also expected to become more concrete. These reform packages, known as CRD V and CRR II, are intended to include an adjusted standard procedure for counterparty risk, a fundamental review of the trading book and detailed additions to the total loss absorption capacity. Further issues such as the direct supervision and licensing of financial holding companies and a stronger emphasis on proportionality with regard to disclosure and reporting obligations for small and medium-sized financial institutions are currently still the subject of in-depth discussions. The implementation of these reforms is therefore not expected before 2019 and should include the implementation of the outstanding Basel IV requirements. This would result in far-reaching implementation deadlines beyond 2019 and 2020.

Supervisory Architecture

FinTech credit institutions

For the first quarter of 2018, the ECB expects to issue guidelines for FinTech credit institutions, the publication of which will define the specific requirements for FinTech credit institutions for the first time.

Of particular interest should be how the ECB intends to ensure the level playing field between banks and FinTechs and to what extent the ECB takes into account the focus on IT use inherent in the FinTech business model.

Extension of the SSM to include securities companies

In addition to FinTechs, a stronger focus of the regulator on so-called shadow banks and securities companies is expected. While banks are playing a declining role in the refinancing of companies due to the decline in interest rates and the banking crisis, alternative refinancing methods are becoming increasingly important.

Securities companies are of particular importance here, as these participants, as institutional investors, are one of the main addressees of share issues and thus form an important pillar for the stability of the financial markets.

The current proposals categorise securities companies as systemically relevant if they carry out bank-like activities (e.g. issuing or financial commission transactions) and have a balance sheet total of more than EUR 30 billion.


The much-cited "regulatory wave" is not coming to an end; on the contrary, it sees its peak so far in 2018. Although the regulatory agenda of European and national supervisory authorities proves that the important framework parameters have now been withdrawn, the finishing touches have yet to be applied.

Meanwhile, with increasing automation and data automation of business processes, the proportion of necessary technological transformations is also increasing exponentially.

New solution methods such as Reg- and LegalTechs and the use of new technologies should increasingly become the focus of decision-makers at financial institutions.

  • Solution approaches for ensuring the transparency of machine decisions in order to be able to provide accountability in a comprehensible and traceable manner
  • Use of deep learning on higher dimensional data and their combination in order to satisfy the complexity of the real world
  • The ability to select appropriate deep learning models for specific analysis needs in order to use artificial intelligence in a more differentiated way.

Progress in the application context of artificial intelligence shows that it is used in particular to further automate processes and to gain new insights from data analysis. The critical reflection of its own limits, in turn, draws attention to the fact that even experts are anything but naïve about this technology and its possible applications.