Germany BaFin ZAG License in 2026: PI and EMI Authorisation
A 2026 deep dive into the German Payment Services Supervision Act (ZAG): BaFin authorisation for PIs and EMIs, capital EUR 20k-EUR 350k, 9-15 month timeline, substance, DORA and the tier-1 German supervisory stamp.
BaFin and the ZAG framework
The Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz, ZAG) is the German transposition of PSD2 and EMD2. It governs the authorisation and supervision of Payment Institutions and Electronic Money Institutions. The competent authority is the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin), supported by the Deutsche Bundesbank for prudential matters.
Germany is the largest economy in the EU and the single biggest end-market for payment services on the continent. A BaFin PI or EMI licence is a tier-1 stamp that carries weight with institutional clients, corporate customers and banking partners. The trade-off: BaFin is one of the slowest and most demanding EU supervisors.
Typical users of the German ZAG licence: corporate payment services, acquirers serving German retailers, card issuers for German cardholders, open-banking TPPs, and pan-European fintechs that need a German licence for B2B credibility.
Let's discuss your project and see how we can launch your German PI or EMI payment product together
Request demoScope: PI, EMI and "financial service institution"
ZAG covers PSD2 Annex I services and EMD2 e-money. Several activities that sit under payment licences in other jurisdictions remain under the separate Banking Act (KWG) in Germany, including deposit-taking, lending, securities brokerage, custody of financial instruments, and crypto custody. The ZAG and KWG interaction is a regular source of misclassification; expect BaFin to confirm the right licence at pre-application.
| Activity | Licence | Capital |
|---|---|---|
| Payment services (PSD2 Annex I) | ZAG PI | EUR 20k / 50k / 125k |
| E-money issuance and redemption | ZAG EMI | EUR 350k |
| Deposit-taking and lending | KWG credit institution | EUR 5M+ |
| Crypto custody | MiCA CASP (previously KWG §1(1a) sentence 2 no. 6) | EUR 125k (Class 2) |
| MiFID investment services | KWG / WpIG investment firm | IFR-driven |
Authorisation process and timeline
BaFin is the single point of contact. The authorisation file must be filed in writing, in German (most technical annexes accepted in English). The typical process has six phases.
- Pre-application engagement. Essential. BaFin has an industry contacts desk and expects a pre-filing discussion on business model, licence scope and capital plan.
- File preparation. Business plan (3-5 years), governance framework, organisational chart, AML/CFT manual aligned with German Geldwäschegesetz (GwG), risk and compliance manuals, ICT/DORA framework, outsourcing register, safeguarding plan, fit-and-proper files for directors and qualifying shareholders.
- Submission. In German, three copies per section 14 of AnzV. Filing fee typically EUR 10k to EUR 20k depending on scope.
- Substantive assessment. 3 months statutory from complete file, 9 to 15 months real end-to-end.
- Conditions precedent. Paid-up capital, safeguarding live, key staff on board, systems tested.
- Passporting. Notifications to host NCAs; services start after BaFin transmits the file (typically within 1 month).
End-to-end for a credible PI: 9 to 15 months. EMI: 12 to 18 months. BaFin's pace is the trade-off for its reputation.
Substance and governance: the German bar
- Management board (Geschäftsführung). At least two executive directors, one of them resident in Germany, both subject to individual BaFin approval (Geschäftsleiter approval).
- Supervisory board (Aufsichtsrat). Required for AGs; strongly recommended for GmbHs above a threshold.
- MLRO. Geldwäschebeauftragter appointed and registered with BaFin. Cannot be fully outsourced.
- Local staff. Meaningful local headcount in risk, compliance and operations. German-speaking at least in compliance and customer-facing roles.
- Real office. Physical premises in Germany, BaFin site visits.
- Outsourcing. MaRisk and DORA apply, with detailed outsourcing risk assessments and exit plans.
DORA and MaRisk
From 17 January 2025 DORA applies directly to BaFin-supervised PIs and EMIs. On top of DORA, BaFin enforces MaRisk (minimum requirements for risk management) and BAIT (banking supervisory requirements for IT). For smaller PIs proportional application applies, but expect documentation depth above the PSD2 baseline.
ICT incident reporting within 4 hours of detection, full 72-hour follow-up, threat-led penetration testing scaled to firm size, and third-party ICT register covering every critical provider.
PSD3 for German PIs and EMIs
PSD3 and PSR reached provisional agreement on 27 November 2025, with applicability expected mid-to-late 2027. German PIs and EMIs migrate to the unified "payment institution authorised to issue e-money" regime. BaFin has already indicated that PSD3 expectations (IBAN-name check, APP-fraud liability, safeguarding diversification, tighter substance) will be reflected in new authorisation files from 2026 onwards. See the PSD3 and PSR guide.
Ship a ZAG-licensed product with Crassula
Crassula provides the core-banking and compliance platform tuned to BaFin expectations: ledger and IBANs, card issuing, SEPA and SEPA Instant, KYC and AML aligned with GwG, safeguarding, MaRisk/BAIT/DORA ICT and BaFin-ready reporting. Useful for ZAG PI and ZAG EMI applicants, plus KWG credit institutions that add payment products.
FAQ
The Zahlungsdiensteaufsichtsgesetz, Germany's Payment Services Supervision Act. It transposes PSD2 and EMD2 and is the basis for BaFin authorisation of PIs and EMIs in Germany.
9 to 15 months end-to-end for a PI, 12 to 18 months for an EMI. Statutory clock is 3 months from a complete file; RFIs pause the clock.
Primarily in German. BaFin accepts technical annexes in English but the core file and meetings are in German. Budget for local legal counsel.
PI: EUR 20k (remittance), EUR 50k (PISP), EUR 125k (acquiring, issuing, transfers). EMI: EUR 350k. BaFin applies the PSD2 and EMD2 minima without discount.
Yes, since 17 January 2025. On top of DORA, BaFin enforces MaRisk and BAIT with proportional depth.
Crassula provides the ZAG-ready core: ledger, IBANs, cards, SEPA rails, KYC/AML, safeguarding, MaRisk/BAIT/DORA ICT and BaFin-ready reporting.
