Do You Need An Authorization? The Questions Every FinTech Must Answer

1. Introduction

Few questions in financial regulation carry more practical consequence than whether a given business model requires an authorization. For established financial institutions, the licensing framework is familiar terrain. For fintechs, technology companies, startups entering financial services, and businesses expanding into regulated activities, the answer is frequently unclear; the cost of getting it wrong can be existential.

The difficulty is structural. Financial regulation was designed around stable, well-defined business models. The emergence of new business models such as robo-advice, platform-based lending, and neo-banks has created a landscape where technological innovation consistently outpaces regulatory categorization. Many modern business models do not map neatly onto any single licensed activity; others touch the boundaries of multiple regulatory frameworks simultaneously. Recent regulatory developments, such as MiCAR, PSD3/PSR, and the AI Act, have further blurred these boundaries, increasing the number of business models that sit in genuinely contested regulatory territory.

This uncertainty makes the assessment of licensing requirements both more important and more difficult. It cannot be resolved by intuition, by reference to what competitors appear to be doing, or by a casual review of the regulatory perimeter. It requires a structured, documented analysis, and in most cases a combination of approaches that together provide a defensible basis for the conclusions reached. This article sets out the three principal approaches available to businesses seeking to assess their business model, examines the strengths and limitations of each, and explains why a combined methodology represents the appropriate standard of care.

2. The Stakes: Consequences of Operating Without an Authorization

Operating a regulated financial activity without the required authorization is not a minor regulatory infringement. In Germany, conducting regulated business activities without the required authorization constitutes a criminal offense under the financial services and capital markets regulation including the German Banking Act (KWG), the German Securities Institutions Act (WpIG), the German Investment Code (KAGB), the Securities Trading Act (WpHG), and the Payment Services Supervision Act (ZAG).

The principal consequences of unlicensed operation include:

• Regulatory enforcement: Supervisory authorities have broad powers to order the immediate cessation of unlicensed activities, appoint a liquidator, and wind down the business, without prior warning and without a prior finding of criminal liability.
• Civil law consequences: Contracts concluded in the course of unlicensed regulated activities may be void or voidable; in addition, operating without the required authorization may constitute a breach of contract. Both grounds expose the business to claims for restitution and damages.
• Personal liability of management: Managing directors and board members may face personal criminal and civil liability.
• Reputational damage: Supervisory authorities publish enforcement actions publicly. Notification of unlicensed operation can be permanently damaging, particularly for businesses seeking to build trust with clients and investors.
• Financing and investment documentation: A finding of unlicensed operation will typically trigger material adverse change clauses and may render representations and warranties in financing and investment agreements incorrect, with significant downstream consequences.

These consequences apply regardless of intent. Good faith may mitigate criminal exposure and reduce civil liability in certain circumstances, but it does not eliminate the fundamental consequences for the business or its management.

3. Three Assessment Approaches

Three principal approaches are available to businesses seeking to determine whether their activities require regulatory authorization. Each has a distinct function, a different risk-reduction profile, and specific limitations. A robust licensing assessment will draw on at least two of the three.

3.1 Benchmarking Against Peers

Benchmarking involves assessing the licensing position of comparable businesses in the same or similar markets. By examining which authorizations peers hold, which exemptions they rely on, and how they describe their regulatory status in public filings, a business can form a preliminary view of the likely regulatory categorization of its own activities.

Benchmarking has genuine value for a preliminary assessment: it can quickly identify the principal regulatory frameworks in play and surface the range of approaches taken by market participants. However, it is never sufficient as a standalone analysis. Several limitations are fundamental.

• Analytical error and its consequences. A peer’s licensing assessment may simply be wrong: plain human error in legal analysis is not uncommon, particularly in novel regulatory territory. That error can then propagate through a market, as other businesses follow what appears to be settled practice without scrutinizing the underlying reasoning. Compounding this is the risk of misjudging comparability: business models that appear similar often differ in legally material ways (e.g. the handling of client funds, the degree of discretion exercised, the nature of client relationships) that are not visible from public information.
• Jurisdictional differences. Benchmarking against peers operating in other jurisdictions provides limited guidance. Transposition of EU Directives into national law produces variations that are frequently underestimated. Jurisdictions outside of the EU have even less informational value.
• No legal protection. Following a peer's approach provides no legal protection if that approach is subsequently found to be incorrect. Supervisory authorities assess each case on its own facts.

Benchmarking is best understood as a first filter: useful for orientation, but incapable of providing the substantive basis for a licensing decision.

3.2 Legal Analysis by Qualified Counsel

A structured legal analysis is the foundation of any serious authorization assessment. It involves a systematic examination of the business model against the relevant statutory definitions and regulatory criteria, with a view to determining whether the activities in question fall within the scope of one or more authorization categories. That analysis can be conducted by a qualified in-house legal team or by external counsel, and the distinction matters.

A properly conducted legal analysis will identify all applicable laws and regulations; assess whether the specific activities satisfy the relevant statutory definitions; consider available exemptions and carve-outs; address the interaction between frameworks where multiple regimes may apply; and document the conclusions in a written opinion, memorandum, or other form of formal assessment. In-house counsel with the requisite expertise is well-placed to conduct or lead this analysis, particularly where the team has deep familiarity with the business model and prior engagement with the regulatory framework.

Where external counsel is engaged, the analysis carries an additional layer of accountability that internal teams structurally cannot provide: professional liability concentrates minds on analytical rigor, and an external opinion typically commands greater weight with supervisory authorities, investors, and auditors than an internal memorandum. For novel or genuinely contested licensing questions, external counsel is not merely a supplement; it is the appropriate standard of care. In all cases, the quality of the analysis depends heavily on the accuracy of the business model description on which it is based. Changes to the business model after an opinion is issued (in product design, client onboarding, fund flows, or contractual structure) may affect the conclusions and should prompt an updated review.

3.3 Interaction with Supervisory Authorities

Direct engagement with the relevant supervisory authority is the third available approach, and one that is underutilized by many businesses. In Germany (BaFin and the Deutsche Bundesbank), dedicated licensing inquiry units and structured pre-application processes are available. BaFin is the primary competent authority for authorization proceedings; the Deutsche Bundesbank plays a complementary role in ongoing prudential supervision. More broadly, most supervisory authorities are willing, on the basis of a sufficiently detailed description of the business model, to engage on authorization questions. In practice, however, particularly on genuine borderline cases, the nature and usefulness of any informal response will depend heavily on how the inquiry is framed and prepared. Businesses should not assume that a substantive answer will be forthcoming as a matter of course.

Any response from a supervisory authority will typically be framed with the caveat that the authority is not providing legal advice and that its view is not binding. That caveat should not be misunderstood. The primary value of supervisory engagement lies not in obtaining a definitive answer, but in the documented record of good-faith interaction it creates. A well-documented inquiry, in which the business model was accurately described and any response recorded, is a significant indicator that management has satisfied its duty of care. It demonstrates that the institution sought regulatory guidance and creates a factual record relevant to any subsequent enforcement assessment.

Supervisory interaction is particularly valuable where the legal analysis identifies genuine uncertainty. Financial regulation contains provisions whose application to novel business models is unsettled, and where competent external counsel may reach different conclusions. In such cases, seeking the view of the relevant authority is both prudent and appropriate. Any interaction with supervisory authorities should be well-prepared and professionally conducted; an unprofessional approach can create complications for later licensing procedures.

4. Combining the Three Approaches

The three approaches are not alternatives; they are complementary. Benchmarking serves as the initial orientation: it identifies the regulatory landscape, surfaces the approaches taken by market participants, and frames the questions to be addressed in the legal analysis. It should inform the scope of the analysis, not replace it.

Legal analysis, whether by in-house counsel or external advisors, provides the substantive foundation that benchmarking cannot. Unlike benchmarking, it produces a professionally accountable, documented conclusion grounded in statutory analysis. Unlike supervisory interaction, it supplies the analytical rigor and documented reasoning that informal regulatory feedback alone does not deliver. It should be treated as a non-negotiable element of the assessment process.

Supervisory interaction adds a further layer of assurance, particularly where the legal analysis identifies areas of genuine uncertainty or where the business model is genuinely novel. There are cases in which the combination of all three approaches will still leave residual uncertainty. In such cases, the business must make a considered judgment about whether to proceed, seek a formal ruling, restructure the model to place it clearly outside the regulatory perimeter, or apply for an authorization as a precautionary measure. That judgment is more defensible, both legally and commercially, when it is based on a thorough, documented process. Where genuine uncertainty persists after exhausting all three approaches, the conservative course is to apply for an authorization or seek a formal ruling; the cost of doing so is almost always lower than the cost of getting it wrong.

5. Practical Considerations

Timing. Licensing questions should be addressed before a business model is launched. Post-launch assessments create pressure to reach conclusions that justify an existing state of affairs rather than conclusions that are objectively correct and create substantial liability and reputational risks. In practice, licensing assessments should be initiated at the product design stage, reviewed before commercial launch, and updated whenever there is a material change to the business model or the regulatory framework.

Documentation. The licensing assessment should be documented. A written legal opinion, memorandum or other form of formal assessment together with a record of the business model description on which it was based, any supervisory correspondence, and any subsequent updates, constitutes the evidence that management acted diligently. In the event of a regulatory inquiry, the ability to produce a contemporaneous, substantive analysis of the licensing question is a significant mitigating factor.

Ongoing review. A licensing assessment is not a one-time exercise. New laws and regulations, such as MiCAR, PSD3/PSR, and the AI Act, require a renewed assessment. Institutions should have a process in place for monitoring regulatory developments and triggering a review when relevant changes occur.

6. Conclusion

The question of whether a business model requires a regulatory authorization is one of the most consequential legal questions a business can face. The consequences of an incorrect answer (criminal liability, regulatory enforcement, civil claims, reputational damage) are severe and, in some cases, irreversible. This is not a question for informed guesswork, and it cannot be satisfactorily resolved by looking at what competitors appear to be doing.

The appropriate standard of care requires a structured, documented process that combines benchmarking as an initial orientation tool, substantive legal analysis by qualified counsel as the foundation, and, where appropriate, direct engagement with the relevant supervisory authority to test conclusions and create a record of good-faith interaction. Each approach has a distinct function; none is sufficient on its own.

The investment required to conduct this assessment properly is modest relative to the cost of getting it wrong. Supervisory authorities in Germany and across the EU, including BaFin and the Deutsche Bundesbank, have consistently demonstrated a willingness to engage constructively with businesses that approach them in good faith, with a well-prepared description of their model and a genuine interest in understanding the applicable framework. That engagement, supported by rigorous legal analysis by qualified counsel, is the right starting point for any business whose activities touch the boundaries of regulated financial services.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.