Unidentified Payment Services as a Risk Factor

Payment services regulation is complex and, due to its numerous exemptions, often difficult to navigate. This creates significant challenges where companies do not realise that aspects of their business model may constitute payment services subject to authorisation requirements. Particularly when it comes to operational businesses, financial regulatory requirements can easily be overlooked. Activities that appear to be insignificant ancillary services from a commercial perspective may, in legal terms, fall squarely within the scope of payment services requiring authorisation under the German Payment Services Supervision Act (ZAG) – with potentially severe consequences, including criminal liability for managing directors if no BaFin licence has been obtained. We help clients identify and avoid such pitfalls at an early stage.

Timing as a Risk

In practice, concerns about previously unrecognised payment services often arise at particularly unfavourable moments. For example, doubts may emerge during a new financing round when a potential investor challenges the business model as part of the due diligence. Similar issues can arise in established businesses – such as when, after an auditor change, questions are raised during the annual audit regarding the lawfulness of the business model, potentially putting the issuance of the audit opinion at risk.

Prevention Rather Than Crisis Management

Many conflicts can be avoided if risks are identified and addressed early. Our advice therefore focuses on a preventive analysis of business models to identify and classify potentially critical structures. We assess not only whether payment services are being performed, but also whether statutory exemptions or exceptions recognised by BaFin’s administrative practice apply. Early clarity protects against subsequent regulatory intervention and creates legal certainty.

Structural Vulnerabilities

The typical risk of unidentified payment services lies in the fact that, from the company’s perspective, they often appear merely as peripheral aspects of the business model. Structures are particularly vulnerable where payments between third parties are routed through the company (“payment triangle”) or where the company provides its own payment instruments. Common examples include services that allow remuneration for third-party intermediary activities, or (online) marketplaces that offer ancillary escrow-type services to support contract execution. Risks may also arise within group structures – for instance, where a subsidiary handles incoming and outgoing payments centrally for the entire group. While such additional services may seem operationally insignificant, they can have substantial regulatory consequences – including the potential prohibition of the entire business model by BaFin.

Risks and Consequences

The consequences of unnoticed payment services can be significant. In addition to administrative fines and criminal liability for managing directors, companies face civil claims and supervisory measures up to and including the prohibition of business operations.

Business Model Analysis as a Preventive Measure

We of course assist companies in crisis situations. More effective, however, is preventing risks from arising in the first place. Early analysis and careful classification of the business model make it possible to fully utilise regulatory leeway. In many cases, licensing requirements can be avoided before they ever become an issue.

Other topics