BaFin and German Fintech in 2026: Regulatory Reality, N26, Solaris, and the Lessons Learned
BaFin's stricter fintech enforcement has reshaped the German fintech landscape. N26's regulatory issues, Solaris's restructuring, and what compliant operations require in 2026.
BaFin — the German Federal Financial Supervisory Authority — has been the most-watched fintech regulator in Europe through 2022-2026, driven by a combination of the Wirecard scandal (which substantially reshaped the agency), the aggressive enforcement actions against N26 (Germany’s largest neobank), and the broader sector restructuring at Solaris and other banking-as-a-service providers. The cumulative effect has been a German fintech landscape that is meaningfully more cautious than the 2018-2021 expansion phase suggested, with operating fintechs that have built compliance discipline as a primary capability rather than a tactical afterthought.
For fintechs operating in Germany or planning entry, the practical regulatory reality matters.
The post-Wirecard reset#
The 2020 Wirecard collapse — a German payments-processor that was reporting €1.9 billion in cash that didn’t exist — produced the most consequential financial-supervision reset in modern German history. BaFin was widely criticized for failing to detect or act on warning signs. The reform agenda that followed has reshaped how the agency operates:
- Operational restructuring with the addition of focused units for fintech, crypto, and emerging technology supervision.
- Increased staffing with particular emphasis on technical capability.
- Stricter posture on operational risk at supervised entities.
- More aggressive use of enforcement powers including operational restrictions on supervised entities.
The result is a BaFin that is materially more interventionist than the pre-Wirecard agency. The trajectory has been welcomed by markets but has produced friction with fast-moving fintechs.
N26 and the operational-restriction precedent#
N26 has been the most-public case study. The neobank — once Europe’s most-valuable fintech at $9B valuation — has been under BaFin operational restrictions since 2021. The restrictions originated in BaFin’s findings around N26’s anti-money-laundering (AML) controls and customer onboarding processes.
The operational impact has been substantial:
- Growth caps limiting N26’s new customer acquisition to capped numbers per month.
- Mandated remediation including the hiring of specific compliance leadership.
- Special audits funded by N26 and conducted by BaFin-approved firms.
- Public regulatory dialogue with formal supervisory communications producing public-record findings.
The financial impact on N26 has been material — the lost growth has been valued in the hundreds of millions. The strategic impact has been larger: every German fintech (and every European fintech entering Germany) now plans for AML and operational risk capability before scale, not after.
Solaris and the BaaS reshape#
Solaris (formerly solarisBank) was the leading banking-as-a-service provider in Germany — a banking license that fintechs could embed in their products. The 2022-2024 period produced substantial regulatory action on Solaris, including:
- Capital requirements increases.
- Stricter customer due diligence requirements for fintechs using Solaris’s license.
- Operational restrictions in some product categories.
- Strategic restructuring including layoffs and product portfolio changes.
The cumulative effect has been a German BaaS landscape that is more cautious. The remaining BaaS providers — Solaris itself in restructured form, plus Sutor Bank, Aion Bank, and several others — operate with more conservative posture.
What German fintechs require for compliance#
For a fintech operating with or applying for a BaFin license, the substantive obligations include:
Capital requirements — the specific tier (full banking license, e-money institution, payment institution) determines capital, but all are non-trivial.
Operational risk capability — documented risk assessment, controls testing, internal audit, with regulator-required engagement.
AML/CFT capability — proportionate to risk, but the post-Wirecard expectation is substantial. Risk-based KYC, transaction monitoring, SAR filing with FIU.
Outsourcing oversight — if you outsource to vendors (cloud, processing, customer support), BaFin expects formal vendor risk management with appropriate contractual provisions.
Recovery and resolution planning for full banks.
Internal Capital Adequacy Assessment Process (ICAAP) for banks.
Information security — increasingly prescriptive under BaFin’s BAIT (Banking Supervisory Requirements for IT) and the parallel KAIT for capital management, ZAIT for payment institutions.
Cloud usage — specific guidance on cloud architecture, residency, and exit-strategy planning.
Reporting — extensive prudential, AML, and operational reporting on defined cadences.
The aggregate compliance work is substantial. The German market is profitable enough — and large enough — to support the cost, but it is genuinely demanding.
What’s working — and what isn’t#
Working: Traditional bank-anchored fintech distribution. Partnerships between fintechs and major German banks (Commerzbank, Deutsche Bank, the savings banks) have produced successful product launches with the bank handling the regulatory anchor.
Working: Specialized fintechs in specific verticals. Payment processing (Adyen has substantial German operations), accounting and SMB tools (Lexware, Sage), and certain B2B fintechs have operated with less BaFin friction.
Working but harder: Consumer-facing neobanks. N26 has had its difficulties; the broader category has been quieter than the 2018-2021 expansion suggested.
Not yet working: Crypto. The German crypto framework under BaFin is one of the more developed in Europe, but the substantive crypto fintech activity has been smaller than the framework would suggest.
The pan-European context#
Germany is the largest EU market but not the only one. The “passporting” principle allows licensed entities in one EU member state to operate across the EU. Many fintechs entering Germany choose to obtain Lithuanian, Maltese, or Irish licensing first, then passport into Germany. BaFin’s posture toward passported entities operating in Germany has been firm — full BaFin scrutiny of passported entities is the routine pattern.
The EU’s revised PSD2 (PSD3, expected operational 2026-2027) will tighten payment-services regulation across the EU. The MiCA framework for crypto-assets is operationally significant.
What’s coming in 2026 and 2027#
Three things to watch:
N26’s path forward — the operational restrictions trajectory will determine whether N26 can resume growth at pace.
PSD3 and PSR — the revised EU payment services framework will affect every payment-services entity operating in Germany.
MiCA implementation — crypto-assets regulation under MiCA is now in full effect; BaFin’s crypto-licensing pipeline is significant.
Where pdpspectra fits#
Our fintech engineering and regulatory work spans Europe. We work with fintechs on platform engineering, regulatory architecture, and the compliance discipline that German operations require.
Related reading: the Japan stablecoin framework post, the India fintech stack post, and the Brazil fintech post.
German fintech is real and demanding. Talk to our team about your strategy.