BaFin Hits N26 With €9.2m Fine Over Ongoing Anti-Money Laundering Breaches

Germany’s Federal Financial Supervisory Authority, BaFin, has levied a €9.2 million fine against N26 Bank SE, citing systemic and repeated shortcomings in the digital bank’s anti-money laundering controls. The penalty, which became legally effective in May 2024, follows an earlier €4.25 million fine imposed in 2021 for comparable violations, reinforcing concerns that the fast-growing fintech has struggled to resolve long-standing compliance weaknesses. BaFin’s intensified supervision has also included the appointment of a special monitor to oversee corrective measures, underlining the regulator’s assessment that the deficiencies identified are both serious and structural. The enforcement action sends a clear message that rapid expansion cannot come at the expense of effective financial crime prevention, particularly in the fintech sector.

Central to BaFin’s action were repeated breaches of German anti-money laundering legislation. The €9.2 million administrative fine was imposed after the regulator found that N26 had consistently submitted suspicious activity reports to the Financial Intelligence Unit with significant delays throughout 2022. Timely reporting is a fundamental pillar of the global AML framework, as late filings can seriously impair law enforcement’s ability to trace illicit funds and disrupt criminal operations. BaFin’s findings indicate that N26’s compliance systems failed to keep pace with its rapid customer growth, resulting in weaknesses in core safeguards. Beyond delayed reporting, a special audit conducted in 2024 uncovered broader and more serious organizational shortcomings, particularly in the areas of risk management and the structuring of the bank’s lending operations. These failures also constituted breaches of the German Banking Act (KWG). Taken together, the historic and more recent violations point to entrenched problems in maintaining a business organization capable of meeting regulatory obligations in the fight against financial crime, prompting BaFin to intensify its supervisory intervention and impose restrictive measures.

The German Banking Act grants BaFin wide-ranging authority to address organizational and compliance failures at supervised institutions. Under Section 25a of the KWG, banks are required to establish and maintain a proper business organization, including effective risk management and internal control systems designed to identify, assess and manage all material risks, such as those linked to money laundering. Where BaFin determines that an institution’s organizational framework is inadequate, it is required to act. In N26’s case, this included appointing a special representative, a measure explicitly предусмотрed under the KWG, tasked with monitoring the implementation of remedial steps and reporting directly to the regulator. BaFin also imposed additional capital requirements to reflect the heightened risk profile arising from deficiencies in the bank’s organization, serving both as a buffer against potential losses and as a financial incentive to remedy the issues. In parallel, the regulator enforced targeted business restrictions, including a ban on new mortgage lending in the Netherlands and on the securitization of claims from that business, thereby limiting risk exposure in areas where weaknesses had been identified.

The difficulties encountered by N26 offer a cautionary example for the wider fintech industry, highlighting the tension between aggressive growth strategies and the need for robust compliance frameworks. Digital banks typically face elevated AML risks due to rapid customer onboarding, high transaction volumes and cross-border activity. At N26, expansion clearly outstripped the development of corresponding control systems, leading to a volume of suspicious activity that overwhelmed existing reporting processes. Scaling operations without adequate investment in advanced, automated and well-resourced financial crime controls created vulnerabilities that could be exploited by criminal actors. The case illustrates that while technology enables scale and speed, responsibility for safeguarding the integrity of the financial system—through effective customer due diligence, transaction monitoring and prompt reporting—rests squarely with the institution. Regulators are increasingly scrutinizing whether firms are deploying technology not only to grow their customer base, but also to strengthen real-time financial crime detection and prevention.

BaFin’s broad and layered response provides a model for regulatory intervention in cases of systemic compliance failure within digital banking. The measures imposed require N26 to comprehensively strengthen its anti-financial crime framework and establish a business organization that meets regulatory standards. This includes allocating significant resources to both staffing and technology within the compliance function, an effort N26 has publicly acknowledged by disclosing investments exceeding €80 million. Priority areas include improving customer identification procedures, upgrading transaction monitoring systems to more effectively detect suspicious patterns, and materially reducing delays in the submission of suspicious transaction reports. The presence of a special representative ensures ongoing, independent oversight of these remediation efforts and gives BaFin direct visibility into the bank’s progress in closing compliance gaps. Ultimately, this mechanism is intended to drive a lasting shift in culture, placing regulatory compliance on equal footing with growth ambitions and ensuring full adherence to the German Money Laundering Act and the KWG.

By fLEXI tEAM