The United Kingdom’s departure from the European Union has certainly earned its place in the history books for 2020. The fact that Brexit was already one of BaFin’s supervisory priorities across all Sectors in 2019 was due to the exit date, which had actually been planned for 29 March 2019. However, the British Parliament then postponed this to 31 October 2019; ultimately, the 2019 exit date became unrealistic.

A key focus for BaFin in 2019, as for so many others, was the ever-changing situation regarding Brexit, which finally came into force on 31 January 2020. This marked the start of the transitional phase, which is expected to run until 31 December 2020; until then EU law will, in principle, continue to apply to citizens and companies from and in the United Kingdom. The transitional phase could, at the United Kingdom’s request, be extended once by up to two years.

If the negotiators for the European Union and the United Kingdom fail to reach an agreement by year’s end, there could again be a no-deal scenario from the beginning of 2021. This is precisely the situation BaFin was intensively preparing for last year, issuing general administrative acts based on the following supervisory laws: the German Banking Act (Kreditwesengesetz – KWG), the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – VAG), the German Insurance Supervision Act (Versicherungsaufsichtsgesetz – VAG) and the German Securities Trading Act (Wertpapierhandelsgesetz – WpHG). The provisions that would have enabled BaFin to order the continued application of certain rules to cross-border transactions in the short term would have mitigated the most severe consequences for the financial institutions supervised. Now that the withdrawal agreement has been ratified, however, BaFin no longer has the option of issuing such administrative acts.

This past year, BaFin provided assistance to those financial institutions that moved their offices to Germany or increased their presence in Germany in 2019. This included reviewing complex models in connection with the regulatory capital requirements.

Digitalisation – a key priority

In pursuing digitalisation as a priority area in 2019, BaFin continued advancing many developments from previous years. Following the Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT – BAIT) in 2017 and the Supervisory Requirements for IT in Insurance Undertakings (Versicherungsaufsichtliche Anforderungen an die IT – VAIT) in 2018, in 2019 it published the Supervisory Requirements for IT in Asset Management Companies (Kapitalverwaltungsaufsichtliche Anforderungen an die IT – KAIT) and expanded the VAIT to include a module on critical infrastructures. As of the beginning of 2019, the implementation of the digitalisation strategy of August 2018 is one of the main tasks of the new Digital Office.

In 2019, BaFin also analysed the numerous responses to its report “Big data meets artificial intelligence” (see expert article on the BaFin website dated 16 July 2018 ). In the light of its findings, it decided to deal more intensively with the detection of money laundering by means of big data and artificial intelligence (BDAI) and the BDAI technologies used in the financial sector, as well as to discuss the legal framework for data and platform providers at the European level.

One of the year’s key issues was IT security: banks notified BaFin of 286 IT incidents in payment transactions in 2019. On 14 September 2019, accompanied by extensive media coverage, the requirement for strong customer authentication based on the Second Payment Services Directive (PSD2) entered into force (see expert article on the BaFin website dated 23 October 2019 ). To avoid disruptions in e-commerce, BaFin will not object to any card payments effected online without strong customer authentication until 31 December 2020. Since the implementation of PSD2, BaFin has granted authorisation to 37 institutions on the basis of the revised law. Approximately 60% of these are IT-focused payment service providers; a key factor for their business model was the fact that the PSD2 requires banks to open their interfaces for services by third-party providers.