BaFin Fit-and-Proper 2026: What Financial Institutions Need to Do Now
From January 2026, BaFin will tighten its fit-and-proper requirements. For banks, insurers, FinTechs, and asset managers, that means: deeper reviews, more documentation, and greater personal liability for management.
What is Fit-and-Proper?
The fit-and-proper assessment is a reliability and suitability check for people in key functions at financial institutions. Legal basis:
§ 25c KWG (German Banking Act) — for managing directors; § 25d KWG — for members of the administrative or supervisory body
§ 25h KWG — continuous monitoring of employees in sensitive positions
BaFin guidance note on managing directors — detailed requirements for qualification and reliability
MaComp AT 7.2 & AT 9 — outsourcing and resource requirements
What changes in 2026?
The tightening brings three key changes:
Expanded review scope — no longer only managing directors, but also compliance officers, money laundering officers, and other key roles
Ongoing monitoring — a one-time check is no longer sufficient. Sanctions list screening at least weekly, PEP status continuously
Personal liability — managing directors are personally liable in the event of inadequate checks. This also applies retroactively to people hired before January 2026
Who is affected?
Banks and savings banks
Insurance companies and reinsurers
Capital management companies
Payment service providers and e-money institutions
FinTechs with a BaFin license (KWG institutions, BaFin-authorized service providers)
Financial investment intermediaries under § 34f GewO (with restrictions)
Which checks are required?
Before hiring (Pre-Employment):
Identity verification under GwG § 12
Qualification and certificate verification
Criminal record extract / enhanced certificate of good conduct
Sanctions list screening (EU, UN, OFAC)
PEP screening under GwG § 1 para. 12
Adverse media screening (reputational risks)
Reference checks with previous employers
Ongoing (Post-Hire):
Continuous sanctions list screening (at least weekly)
Ongoing PEP status
Adverse media monitoring
Annual update of fit-and-proper documentation
Documentation requirements
BaFin checks compliance through event-driven and random audits. Each review must include:
Results of all checks performed
Timestamps and sources
Documented consent of the candidate
Assessment of the results by the institution
Measures taken (hiring, rejection, conditions)
The retention period is at least 5 years.
Most common mistake: point-in-time instead of ongoing checks
Many institutions check employees only once at hiring — and never again after that. That is no longer enough from 2026 onward. Especially critical: PEP status and sanctions list hits can change (an employee suddenly becomes politically active, sanctions are expanded). Without ongoing monitoring, institutions are left exposed.
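The ongoing checks, the documentation requirements and the point-in-time failure mode above all come down to one control: every in-scope person is re-screened on a fixed cadence, and every run leaves a record with results, timestamps, sources, consent, assessment and measure. The following Python sketch is an added example, not code from the article or from the Indicium product. Employee records, list contents, names and dates are constructed; the weekly cadence is taken from the text, while the hash-chained audit trail is this example's own design choice for making the record tamper-evident.

```python
"""Ongoing sanctions/PEP re-screening with a tamper-evident audit trail.

Added example, not part of the original article or the Indicium product.
All employees, list contents, names and dates are constructed; in practice
the list snapshots come from the official EU, UN and OFAC publications.
"""
from __future__ import annotations

import hashlib
import json
import unicodedata
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_SCREENING_AGE = timedelta(days=7)  # "at least weekly"
GENESIS = "0" * 64


def normalize(name: str) -> str:
    """Casefold and strip diacritics so 'Anna MÜLLER' matches 'Anna Müller'."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(ascii_name.casefold().split())


@dataclass
class ListSnapshot:
    source: str          # which list; the names used below are constructed
    published: datetime  # publication time of this version, kept as source reference
    entries: list[str]

    def hits(self, name: str) -> list[str]:
        target = normalize(name)
        return [e for e in self.entries if normalize(e) == target]


@dataclass
class Employee:
    employee_id: str
    name: str
    consent_recorded_at: datetime | None  # documented consent, or None if missing
    last_screened_at: datetime | None = None
    last_hits: dict[str, list[str]] = field(default_factory=dict)


class AuditTrail:
    """Append-only log; each record hashes its predecessor, so edits or gaps show up."""

    def __init__(self) -> None:
        self.records: list[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True, default=str).encode()).hexdigest()

    def append(self, record: dict) -> dict:
        prev = self.records[-1]["record_hash"] if self.records else GENESIS
        body = {**record, "prev_hash": prev}
        body["record_hash"] = self._digest(body)
        self.records.append(body)
        return body

    def verify(self) -> bool:
        prev = GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "record_hash"}
            if body["prev_hash"] != prev or self._digest(body) != rec["record_hash"]:
                return False
            prev = rec["record_hash"]
        return True


def is_overdue(emp: Employee, now: datetime) -> bool:
    """Never screened, or the last run is older than the weekly cadence."""
    return emp.last_screened_at is None or now - emp.last_screened_at > MAX_SCREENING_AGE


def screen(emp: Employee, lists: list[ListSnapshot], now: datetime, trail: AuditTrail) -> dict:
    """Screen one employee against all lists and write the outcome to the trail."""
    base = {"employee_id": emp.employee_id, "screened_at": now,
            "sources": [{"list": s.source, "published": s.published} for s in lists],
            "consent_recorded_at": emp.consent_recorded_at}
    if emp.consent_recorded_at is None:  # no documented consent: record why, do not screen
        return trail.append({**base, "results": None,
                             "assessment": "not screened, consent missing", "measure": "obtain consent"})
    hits = {s.source: s.hits(emp.name) for s in lists}
    hits = {src: h for src, h in hits.items() if h}
    new_hits = {src: h for src, h in hits.items() if h != emp.last_hits.get(src)}
    if not hits:
        assessment, measure = "clear", "none"
    elif new_hits:  # a hit that was not there at the previous run
        assessment, measure = f"new hit on {sorted(new_hits)}", "escalate to compliance"
    else:
        assessment, measure = "known hit, previously assessed", "keep existing conditions"
    emp.last_screened_at, emp.last_hits = now, hits
    return trail.append({**base, "results": hits, "assessment": assessment, "measure": measure})


def run_monitoring(employees: list[Employee], lists: list[ListSnapshot],
                   now: datetime, trail: AuditTrail) -> list[str]:
    """Re-screen everyone who is overdue; return the IDs that need escalation."""
    escalated = []
    for emp in employees:
        if is_overdue(emp, now) and screen(emp, lists, now, trail)["measure"] == "escalate to compliance":
            escalated.append(emp.employee_id)
    return escalated


def demo() -> dict:
    """Constructed scenario: a list update between two weekly runs turns a clear result into a hit."""
    t0 = datetime(2026, 1, 5, 9, 0, tzinfo=timezone.utc)
    employees = [
        Employee("E-1", "Anna Müller", consent_recorded_at=t0 - timedelta(days=30)),
        Employee("E-2", "Ben Ortiz", consent_recorded_at=None),
        Employee("E-3", "Chen Wei", consent_recorded_at=t0 - timedelta(days=30),
                 last_screened_at=t0 - timedelta(days=2)),  # screened recently, not due yet
    ]
    v1 = [ListSnapshot("EU consolidated (constructed)", t0 - timedelta(days=1), ["IVAN PETROV"])]
    trail = AuditTrail()
    first = run_monitoring(employees, v1, t0, trail)  # E-1 clear, E-2 blocked on consent, E-3 skipped
    v2 = [ListSnapshot("EU consolidated (constructed)", t0 + timedelta(days=6), ["IVAN PETROV", "ANNA MÜLLER"])]
    second = run_monitoring(employees, v2, t0 + timedelta(days=8), trail)  # E-1 is now a new hit
    return {"first": first, "second": second, "records": len(trail.records), "trail_ok": trail.verify()}
```

The point of the second run is the one the text warns about: E-1 was clear at hiring, and only the scheduled re-screen against the updated list surfaces the hit. Storing the publication time of each list version alongside the result is what lets an auditor later see which data the institution actually had at the time of a decision.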
Fit-and-Proper in Switzerland, Austria, and across the EU
BaFin Fit-and-Proper is the German implementation of a European principle. The regulatory equivalents:
Switzerland — FINMA reliability and suitability assessment
In the licensing procedure for banks, securities firms, insurers, and financial intermediaries, FINMA examines whether the institution provides the "guarantee of proper business conduct" (Art. 3 BankG, Art. 14 VAG, Art. 11 FinIG). The review covers members of the board of directors and of executive management. The requirements are comparable to § 25c KWG; the difference lies in the procedures and documentation. A failed reliability assessment can lead to the withdrawal of the licence.
Austria — FMA + BWG
The Financial Market Authority (FMA) carries out fit-and-proper assessments under the Banking Act (BWG), the Insurance Supervision Act (VAG), and the Securities Supervision Act (WAG). The requirements are aligned with the CRD and EBA guidelines. Special feature: managing directors must be assessed again when changing to a new FMA-regulated entity — not only upon first appointment.
EU-wide — EBA-ESMA Joint Guidelines + CRD VI
The Joint EBA-ESMA Guidelines on the assessment of the suitability of members of the management body and key function holders harmonize fit-and-proper requirements across the EU. CRD VI, which Member States must transpose by January 2026, extends the review scope to key function holders: CFO, Chief Risk Officer, Chief Compliance Officer, and the other heads of internal control functions. For multinational banks, that means a single review architecture must work across the EU.
What does a BaFin compliance failure cost?
BaFin imposes fines of up to €10 million or 5% of annual turnover, whichever is higher, for compliance deficiencies. The ceiling that actually applies depends on the statute breached (KWG, GwG or VAG) and on whether the breach is classed as serious, repeated or systematic. Reputational damage is added if the deficiency becomes public.
What to do now
Inventory: Which roles require fit-and-proper checks? Which checks are currently running?
Gap analysis: Where is ongoing monitoring missing? Where is the documentation incomplete?
Process update: Consent, screening, monitoring, and documentation as a clear workflow
Review automation: Manual screening is no longer scalable once you reach 50+ roles
How Indicium maps BaFin compliance
Indicium is designed for regulated industries:
All pre-employment checks under § 25c KWG in one workflow
Ongoing sanctions list and PEP monitoring
BaFin-auditable documentation (audit trail, timestamps, sources)
GDPR-compliant consent and deletion periods
Integration into existing HR systems (SAP SuccessFactors, Workday, Personio)
You can find all compliance documents (DPA under Art. 28 GDPR, subprocessor list, TOMs) bundled at trust.indicium.ag.
Conclusion
2026 will make fit-and-proper an ongoing topic. Institutions that switch now to continuous, automated processes will reduce fine risk and personnel costs. Talk to us about your implementation.
Nabil El Berr