KWG Requirements for Banks: How the German Banking Act Shapes Compliance
Introduction
The Kreditwesengesetz (KWG) -- Germany's Banking Act -- is the foundational statute that governs the licensing, supervision, and organizational requirements for credit institutions and financial services institutions operating in Germany. Enacted in 1961 and amended more than 60 times since, the KWG defines who may conduct banking business in Germany, what capital and organizational standards they must meet, and how BaFin exercises its supervisory authority over them. Every bank operating in Germany, from the largest universal banks to specialized fintech credit institutions, must comply with KWG.
In 2026, the KWG continues to evolve alongside European regulatory developments. The Capital Requirements Regulation (CRR III) and Capital Requirements Directive (CRD VI), which transpose the final Basel III reforms into EU law, have introduced new capital and reporting requirements that interact directly with KWG provisions. Simultaneously, DORA has layered digital resilience requirements on top of the existing KWG organizational framework. For compliance teams, the challenge is not just understanding KWG in isolation but understanding how it connects to MaRisk, DORA, and the broader European regulatory architecture. This article provides that comprehensive view.
What Is the KWG?
The Kreditwesengesetz is Germany's primary banking supervision law. It establishes the legal framework within which BaFin and the Deutsche Bundesbank exercise supervisory authority over credit institutions (Kreditinstitute) and financial services institutions (Finanzdienstleistungsinstitute). The Act defines banking business (Bankgeschäfte) in Section 1(1) and financial services (Finanzdienstleistungen) in Section 1(1a), creating the scope of entities subject to its requirements.
Under Section 32 KWG, any entity conducting banking business or providing financial services in Germany requires a license from BaFin. The licensing process involves demonstrating adequate initial capital, fit and proper management, a sound business plan, and appropriate organizational arrangements. BaFin may impose conditions on the license and has the authority to revoke it if the institution no longer meets the requirements.
The KWG grants BaFin extensive supervisory powers under Sections 6-6c. These include the authority to request information and documents, conduct on-site inspections, order the removal of managers who are not fit and proper, restrict business activities, and impose administrative fines. In the context of the Single Supervisory Mechanism (SSM), significant institutions are directly supervised by the European Central Bank (ECB), but BaFin retains supervisory responsibility for less significant institutions and acts as the national contact point for ECB supervision.
The Act has been substantially shaped by European legislation. The CRR (Regulation (EU) No 575/2013) and CRD (Directive 2013/36/EU), along with their successors CRR III and CRD VI, have been transposed into German law through amendments to the KWG and accompanying regulations. This means that KWG compliance for German banks is inseparable from compliance with the broader European prudential framework.
Key Requirements
Capital Requirements (Sections 10-10i KWG / CRR)
KWG Section 10 establishes that credit institutions must have adequate own funds (Eigenmittel). The specific capital requirements are primarily defined by the CRR, which prescribes minimum ratios for Common Equity Tier 1 (CET1) capital, Tier 1 capital, and total capital relative to risk-weighted assets. Under the CRR III reforms effective from 2025, the minimum CET1 ratio is 4.5%, the Tier 1 ratio is 6%, and the total capital ratio is 8%, before the addition of capital buffers.
KWG Sections 10c-10i implement the capital buffer framework: the capital conservation buffer (Section 10c), the institution-specific countercyclical capital buffer (Section 10d), the systemic risk buffer (Section 10e), and buffers for global and other systemically important institutions (Sections 10f-10g). BaFin sets the countercyclical buffer rate, which as of early 2026 stands at 0.75% for German exposures.
The large exposures regime under Section 13 KWG (implementing CRR Articles 387-403) limits the exposure a credit institution may have to a single client or group of connected clients to 25% of eligible capital. Reporting obligations for large exposures to BaFin and the Bundesbank are mandatory.
Organizational Requirements (Sections 25a-25e KWG)
Section 25a KWG is one of the most consequential provisions for day-to-day compliance. It requires credit institutions to have a proper business organization (ordnungsgemäße Geschäftsorganisation), which must include adequate risk management, internal control systems, appropriate security measures for IT systems, and adequate documentation. This section is the legal basis for BaFin's MaRisk circular, which specifies the minimum requirements for risk management in detail.
Section 25b KWG governs outsourcing. Credit institutions that outsource activities and processes must ensure that the outsourcing does not impair the orderly conduct of business, the ability of BaFin to exercise supervisory oversight, or the institution's risk management capabilities. Material outsourcing arrangements must be notified to BaFin and are subject to specific contractual requirements.
Section 25c KWG defines the duties of the management board (Geschäftsleiter), including the requirement that all members must be fit and proper (fachlich geeignet und zuverlässig), that the board must collectively possess adequate knowledge and experience, and that the institution must have clear governance arrangements.
BaFin Reporting Obligations (Various KWG Sections)
German banks face extensive reporting obligations under the KWG. These include:
- Financial reporting (Section 25 KWG): Monthly and quarterly balance sheet statistics submitted to the Bundesbank.
- Capital adequacy reporting (Section 10 KWG / CRR): Quarterly COREP reports on own funds and capital ratios.
- Large exposures (Section 13 KWG): Reporting of exposures exceeding 10% of eligible capital.
- Liquidity reporting (CRR Articles 411-428): LCR and NSFR reports.
- Notifications (Sections 24-24c KWG): Mandatory notifications for management changes, significant shareholding changes, outsourcing arrangements, and other material events.
- Annual audit (Section 26 KWG): Annual audit by an external auditor, who must prepare a report (Prüfungsbericht) for BaFin covering the institution's compliance with KWG requirements.
The volume and frequency of reporting requirements have increased significantly in recent years. BaFin and the Bundesbank collect data through the BaFin reporting portal (Meldeplattform) and the XBRL-based reporting framework for prudential data.
Fit and Proper Requirements (Sections 25c-25d KWG)
Members of the management board must demonstrate reliability (Zuverlässigkeit) and professional qualification (fachliche Eignung) under Section 25c KWG. BaFin assesses fit and proper status at the time of appointment and may reassess it at any time during the manager's tenure. The supervisory board (Verwaltungs- oder Aufsichtsorgan) is subject to similar requirements under Section 25d KWG, including collective suitability, the establishment of risk, audit, and nomination committees, and independence requirements.
Relationship to MaRisk, DORA, and Other Frameworks
KWG Section 25a provides the statutory basis for MaRisk, which is BaFin's most detailed supervisory circular for risk management in banks. MaRisk specifies the requirements of Section 25a in granular detail across its AT (Allgemeiner Teil -- general part) and BT (Besonderer Teil -- specific part) modules. Any bank complying with MaRisk is fulfilling its KWG Section 25a obligations.
The relationship between KWG and DORA is particularly important in 2026. DORA Article 1(2) states that it applies to the entities listed in its Article 2, which includes credit institutions as defined in CRR Article 4(1)(1) -- the same entities regulated under KWG. DORA's ICT risk management requirements (Articles 5-16) create obligations that overlap with and in some cases supersede the IT-related requirements previously addressed through BAIT (Bankaufsichtliche Anforderungen an die IT) and MaRisk AT 7.2 (technical and organizational resources). BaFin has indicated that BAIT will be withdrawn as DORA's implementing technical standards take full effect, but MaRisk remains in force for non-ICT risk management requirements.
KWG's outsourcing requirements under Section 25b align with DORA Article 28 on ICT third-party risk management. However, DORA introduces additional requirements such as the register of ICT third-party providers (Article 28(3)) and the critical ICT third-party provider oversight framework (Articles 31-44) that go beyond what KWG Section 25b requires. Banks must comply with both sets of requirements.
ISO 27001 certification supports the IT security requirements embedded in KWG Section 25a and detailed in MaRisk AT 7.2. While ISO 27001 is not legally required, many German banks pursue certification to demonstrate compliance with the "state of the art" (Stand der Technik) standard referenced in these provisions.
Compliance Automation with Matproof
KWG compliance generates continuous documentation requirements across capital management, organizational governance, outsourcing, and reporting. The annual audit under Section 26 KWG alone requires the institution to present comprehensive evidence of compliance across all KWG requirements, and auditors increasingly expect this evidence to be systematic and traceable rather than compiled ad hoc.
Matproof automates the evidence collection and monitoring processes that underpin KWG organizational compliance. The platform maps KWG Section 25a requirements -- as specified through MaRisk -- to specific controls and evidence items. It continuously monitors whether required controls are in place: Are access controls and IT security measures properly configured? Are outsourcing arrangements documented and monitored? Are governance structures maintained as required?
The platform's cross-framework mapping is particularly valuable for KWG compliance because of the extensive overlap with DORA, MaRisk, and ISO 27001. Evidence collected for DORA's ICT risk management requirements simultaneously satisfies the technology-related aspects of KWG Section 25a. Documentation of the risk management framework for MaRisk compliance also serves as evidence for the KWG Section 26 annual audit. This eliminates the fragmentation that typically occurs when banks manage each regulatory requirement through separate processes.
Matproof stores all compliance data in German data centers with full EU data residency, meeting the data sovereignty expectations that BaFin applies to supervised institutions. For banks subject to Section 25b outsourcing requirements, the platform's EU-hosted architecture avoids the regulatory complexity that arises when compliance tools process supervisory data outside the EU.
Implementation Roadmap
Phase 1 (Weeks 1-3): Regulatory Mapping. Create a comprehensive map of all applicable KWG requirements, organized by section. Identify which requirements are addressed through MaRisk, which through DORA, and which remain standalone KWG obligations. This mapping forms the foundation for all subsequent compliance activities.
Phase 2 (Weeks 4-6): Control Assessment. Evaluate existing controls against the regulatory map. For each KWG requirement, determine whether an adequate control exists, whether it is documented, and whether evidence of its effectiveness is collected. Focus particularly on Section 25a organizational requirements and Section 25b outsourcing arrangements, as these are the areas most frequently cited in BaFin findings.
Phase 3 (Weeks 7-10): Automation and Integration. Deploy automated evidence collection for controls that can be monitored electronically. Connect the compliance platform to IT infrastructure, HR systems, and governance documentation repositories. Configure automated alerts for control failures or documentation gaps.
Phase 4 (Weeks 11-14): Audit Preparation. Prepare for the Section 26 annual audit by generating a structured evidence package from the compliance platform. Conduct an internal review to identify any remaining gaps. Brief the external auditor on the evidence structure and the automated monitoring approach.
Ongoing: Continuous Compliance. Maintain automated monitoring and evidence collection year-round. Update the regulatory map as KWG amendments, MaRisk updates, and DORA implementing standards are published. Conduct quarterly internal reviews and report compliance status to the management board as required by MaRisk AT 4.4.2.
FAQ
How does KWG interact with the EU Capital Requirements Regulation (CRR)?
KWG and CRR work together as complementary parts of the German banking regulatory framework. CRR, as a directly applicable EU regulation, prescribes the detailed capital requirements, liquidity ratios, and large exposure limits. KWG provides the national legal framework for licensing, supervision, enforcement, and organizational requirements that complement CRR. Where CRR grants national options or discretions, these are exercised through KWG provisions. For example, CRR defines the capital ratio calculations, while KWG Sections 10c-10i implement the national capital buffer framework.
What happens if a bank violates KWG requirements?
BaFin has a range of enforcement tools available. Under Section 46 KWG, BaFin can issue instructions to the institution to restore compliance, restrict business activities, or prohibit distributions to shareholders. Under Section 49 KWG, BaFin can impose administrative fines of up to EUR 5 million per violation. In serious cases, BaFin can revoke the banking license under Section 35 KWG. BaFin can also require the removal of managers who are found to be not fit and proper under Section 36 KWG. In practice, BaFin typically issues findings and sets remediation deadlines before escalating to formal enforcement measures.
Is MaRisk legally binding?
MaRisk is a BaFin circular (Rundschreiben), not a law or regulation. Technically, it represents BaFin's administrative practice and interpretation of KWG Section 25a. However, it is treated as effectively binding in practice. BaFin auditors and Section 26 external auditors assess compliance against MaRisk requirements, and failure to meet them results in supervisory findings. Courts have consistently upheld BaFin's authority to enforce MaRisk requirements as a specification of the legal obligations under KWG Section 25a.
How do DORA and KWG overlap for IT requirements?
DORA Articles 5-16 establish ICT risk management requirements that substantially overlap with the IT requirements previously addressed through BAIT and MaRisk AT 7.2. BaFin has indicated that BAIT will be withdrawn, with DORA taking precedence for ICT-related requirements. However, KWG Section 25a's general organizational requirement remains in force, and MaRisk's non-ICT risk management requirements continue to apply. In practice, banks should use DORA as the primary reference for ICT risk management and MaRisk for broader operational risk management, with KWG Section 25a as the overarching statutory foundation.