BaFin Fit and Proper 2026: What Financial Institutions Need to Do Now
From January 2026, BaFin is tightening its fit-and-proper requirements. For banks, insurers, FinTechs, and asset managers, that means deeper checks, more documentation, and greater personal liability for management.
What is Fit and Proper?
The fit-and-proper assessment is a reliability and suitability check for people in key functions at financial institutions. Legal basis:
Section 25c KWG (German Banking Act) — for managing directors and supervisory board members
Section 25h KWG — continuous monitoring of employees in sensitive positions
BaFin guidance note for managing directors — detailed requirements for qualifications and reliability
MaComp AT 7.2 & AT 9 — outsourcing and resource requirements
What changes in 2026?
The tightening introduces three key changes:
Expanded depth of review — no longer just managing directors, but also compliance officers, anti-money laundering officers, and other key roles
Ongoing monitoring — a one-time check is not enough. Sanctions list screening at least weekly, PEP status on an ongoing basis
Personal liability — managing directors are personally liable if checks are inadequate. This also applies retroactively to people hired before January 2026
Who is affected?
Banks and savings banks
Insurance companies and reinsurers
Asset management companies
Payment service providers and e-money institutions
FinTechs with a BaFin license (KWG institutions, BaFin-authorized service providers)
Financial investment intermediaries under Section 34f GewO (with limitations)
Which checks are required?
Before hiring (Pre-Employment):
Identity verification under GwG Section 12
Qualification and certificate verification
Criminal record extract / enhanced certificate of conduct
Sanctions list screening (EU, UN, OFAC)
PEP screening under GwG Section 1(12)
Adverse media screening (reputational risks)
Reference checks with previous employers
Ongoing (Post-Hire):
Continuous sanctions list screening (at least weekly)
Ongoing PEP status
Adverse media monitoring
Annual update of fit-and-proper documentation
Documentation requirements
BaFin reviews compliance through cause-based and random audits. Every check must include:
Results of all checks carried out
Timestamps and sources
Documented consent from the candidate
Assessment of the results by the institution
Actions taken (hiring, rejection, conditions)
The retention period is at least 5 years.
Most common mistake: point-in-time instead of ongoing checks
Many institutions check employees only once at hiring — and never again after that. That will no longer be sufficient from 2026 onward. Especially critical: PEP status and sanctions list hits can change (an employee suddenly becomes politically active, sanctions are expanded). Without ongoing monitoring, institutions are exposed.
Fit and Proper in Switzerland, Austria, and across the EU
BaFin fit and proper is the German implementation of a European principle. The regulatory equivalents:
Switzerland — FINMA suitability assessment for responsible persons
In the licensing process for banks, securities dealers, insurers, and financial intermediaries, FINMA reviews whether there is “a guarantee of proper business conduct” (Art. 3 BankA, Art. 14 ISA, Art. 11 FinIA). The board, the administrative board, and members of the executive management are assessed. The requirements are comparable to Section 25c KWG — the differences lie in the procedures and documentation. A rejected suitability assessment for responsible persons can lead to the withdrawal of the license.
Austria — FMA + BWG
The Financial Market Authority (FMA) carries out fit-and-proper assessments under the Banking Act (BWG), the Insurance Supervision Act (VAG), and the Securities Supervision Act (WAG). The requirements are aligned with CRD and EBA guidelines. Special feature: managing directors must be reassessed when they change to a new FMA-regulated institution — not just upon initial appointment.
EU-wide — EBA-ESMA Joint Guidelines + CRD VI
The EBA-ESMA Joint Guidelines on Suitability 2024 harmonize fit and proper across the EU. With CRD VI, additional roles will be added to the review scope from 2026: CFO, Chief Risk Officer, Chief Compliance Officer, and Heads of Control Functions. For multinational banks, that means one consistent review architecture must work across the EU.
What does a BaFin review failure cost?
For compliance deficiencies, BaFin imposes fines of up to €10 million or 5% of annual turnover, whichever is higher. There is also reputational damage if the review becomes public.
What you need to do now
Inventory: Which roles require a fit-and-proper check? Which checks are currently running?
Gap analysis: Where is ongoing monitoring missing? Where is the documentation incomplete?
Process update: Consent, checks, monitoring, and documentation as a clear workflow
Review automation: Manual checks are no longer scalable once you have 50+ roles
How Indicium maps BaFin compliance
Indicium is built for regulated industries:
All pre-employment checks under Section 25c KWG in one workflow
Ongoing sanctions list and PEP monitoring
BaFin-auditable documentation (audit trail, timestamps, sources)
GDPR-compliant consent and deletion periods
Integration with existing HR systems (SAP SuccessFactors, Workday, Personio)
You can find all compliance documents (DPA under Art. 28 GDPR, subprocessor list, TOMs) bundled at trust.indicium.ag.
Conclusion
In 2026, fit and proper will become an ongoing topic. Institutions that switch now to continuous, automated processes will reduce fine risk and personnel costs. Talk to us about your implementation.
Nabil El Berr