Authorisation procedure in accordance with the ZAG | FinTech online course #17

Authorisation procedure in accordance with the ZAG | PayTechLaw | FinTech online course | sutthinon602

6In case you wish to carry out an e-money-business or to provide banking, payment, or financial services, you will in principle need an authorisation from the supervisory authority. Depending on the planned activity, the obligation to apply for such authorisation is based on different legal acts. For example, the obligation to apply for an authorisation for the provision of banking services is derived from the German Banking Act (“KWG”) and for carrying out an e-money business or for the provision of payment services from the Payment Services Supervision Act (“ZAG”). Using the example of the authorisation procedure in accordance with the ZAG, this article provides a brief overview of the requirements to be observed in an authorisation procedure.

The ZAG provides legal grounds for the following authorisation procedures:

  • Section 10 subsection 1 sentence 1 ZAG lays down the obligation to obtain an authorisation for the provision of payment services and Section 10 subsection 2 ZAG specifies which information and evidence need to be provided in the application.
  • Section 11 subsection 1 sentence 1 ZAG lays down the obligation to obtain an authorisation for carrying out an e-money business and section 11 subsection 2 ZAG specifies the information and evidence that need to be provided in the respective application.
  • In case a company only wishes to provide account information services within the meaning of section 1 subsection 34 ZAG, section 34 subsection 1 sentence 1 ZAG stipulates that a registration is sufficient. Section 34 subsection 2 sentence 2 ZAG then lays down which information and evidence are required for such registration.

The above-mentioned legal grounds are supplemented by ordinances. In particular, the Payment Services Supervision Act Notification Ordinance (“ZAGAnzV”) provides more detailed information on the requirements to be considered in the authorisation procedure. The Federal Financial Supervisory Authority (“BaFin”) applies in addition to national legal acts and ordinances, the European Banking Authority’s guidelines on the information to be provided for the authorisation of payment institutions and e-money institutions and for the registration of account information service providers (EBA/GL/2017/09) (“EBA Guidelines”). The EBA Guidelines specify the information, documents, and evidence to be submitted as part of the authorisation procedure for payment or e-money institutions. The BaFin provides overviews of the relevant laws, the associated ordinances and the EBA Guidelines under the following Link.

Planning an application for authorisation

Anyone who takes a look at the above-mentioned legal acts, ordinances and EBA Guidelines will notice that the granting of an authorisation is subject to specific requirements with regard to the organisation and finances of the company. These requirements not only have to be implemented but must also be documented in an appropriate form. It is therefore recommended that companies that intend to provide payment services or conduct an electronic money business should allocate sufficient time and capacity to identify and implement the legal requirements and to prepare the documentation required for an application.

In our view, the following points should inter alia be considered when planning and organising the application:

  • Which business model is planned? Are there any plans to expand the business model in the near future?
  • What authorisation is required for the provision of the planned services?
  • What are the legal requirements for the provision of the planned services? These include requirements for risk management processes and compliance management, capital requirements and personal requirements that CEOs, for example, must meet.
  • If the business model is to be implemented by an existing company, a check should be carried out based on the legal requirements to determine which requirements the existing company meets, and which gaps still exist. Can this existing company meet the legal requirements in the existing structure?

After this conception phase, appropriate implementation measures can be taken. The implementation measures include, among other things, measures to adapt the organisational and procedural structures but also the preparation of contracts, process descriptions and internal company instructions.

Preparation and submission of application documents

The application for an authorisation is a documentation and evidence that the company submitting the application (“Applicant”) will comply with the relevant legal requirements. The documentation and evidence provided by the Applicant must be truthful, complete, accurate and up-to-date. The level of detail of the documents should be proportionate to the size and internal organisation of the Applicant and to the nature, scope, complexity, and risk liability of the intended activity/activities subject to authorisation.

Two sets of these documents must be submitted to the BaFin. BaFin will decide within 3 months after receipt of the complete application documents or, in case of incompleteness, after submission of all information required for the decision,whether the authorisation will be granted or denied.

The authorisation procedure is subject to a fee. The legal basis for the fees is the Act on the Federal Financial Supervisory Authority (“FinDAG”) in conjunction with the Ordinance on the Charging of Fees and the Apportionment of Costs under the FinDAG (“FinDAGKostV”).

 

LINK TO THE HOMEPAGE OF THE FINTECH ONLINE COURSE

 

Cover picture: Copyright © Adobe/ sutthinon602

 



By continuing, you accept our privacy policy.
You May Also Like
A new era in IT security: a comparison of NIS2 and DORA 4
Read More

A new era in IT security: a comparison of NIS2 and DORA

As digitalization advances, companies and organizations are increasingly confronted with complex challenges around IT security and digital operational resilience. Within a few months, the European Union has adopted two important pieces of legislation to strengthen IT and cybersecurity, which will now come into force in the near future: the “Directive on measures for a high common level of cybersecurity across the Union” (NIS2) and the Digital Operational Resilience Act (DORA).
Read More