Germany’s financial regulator, BaFin, has rarely been so visible. In 2025, the watchdog imposed some of its largest fines to date — not just for failures in anti-money-laundering controls, but for broader organisational and governance breaches that go to the heart of what “effective compliance” means. The year was bookended by two headline actions: a €23 million penalty against Deutsche Bank in February, and a record-setting €45 million fine against J.P. Morgan SE in November.
Taken together, the Deutsche Bank and J.P. Morgan cases encapsulate the state of compliance in Europe’s largest economy. They show a regulator unwilling to tolerate procedural weakness and increasingly willing to test its powers. They also highlight the limits of reactive compliance. In both cases, the institutions had already begun remediation when the fines were imposed, yet BaFin proceeded regardless, judging that accountability for past failings could not be offset by future improvements.
As AMLA takes shape and the EU’s new AML regulation comes into force, BaFin’s 2025 enforcement record will likely be remembered as the bridge between national supervision and the next era of European-wide accountability.
The Deutsche Bank case: Organisational lapses under scrutiny
In February 2025, BaFin fined Deutsche Bank AG €23.05 million for three separate regulatory offences. Each offence stemmed from a different part of the bank’s business — derivatives trading, investment advice, and retail banking.
The largest element, at €14.8 million, related to Deutsche Bank’s sale of currency derivatives in Spain. According to BaFin, the bank breached its organisational requirements under the German Securities Trading Act by taking too long to investigate alleged infringements and implement corrective measures. The Spanish National Securities Market Commission had already opened proceedings, and BaFin concluded that Deutsche Bank failed to put in place appropriate internal arrangements to accelerate remediation.
A further €4.6 million fine targeted the bank’s Postbank division for disregarding the obligation to record investment advice given over the phone. Temporary exemptions during the COVID-19 pandemic had lapsed, yet Postbank failed to reintroduce electronic recording. BaFin viewed this as a basic failure of compliance discipline.
Finally, a €3.65 million fine addressed Postbank’s repeated non-compliance with the German Payment Accounts Act, which requires banks to assist consumers who switch accounts. BaFin found that applications for account switching were either delayed or ignored altogether, breaching the duty to ensure smooth consumer transitions.
Deutsche Bank accepted the fine and noted that it was fully provisioned, meaning the financial impact would be contained. But for the regulator, BaFin was not merely targeting AML breaches; it was enforcing across the entire spectrum of governance failures from customer treatment to cross-border sales oversight.
The J.P. Morgan case: A record fine for systemic AML failings
Nine months later, BaFin’s enforcement arm struck again, this time at the heart of Germany’s financial-crime framework. J.P. Morgan SE, the Frankfurt-based European arm of the US banking giant, was fined €45 million for what the regulator called “systemic failures” in money-laundering prevention.
Between October 2021 and September 2022, the bank had failed to submit suspicious transaction reports (STRs) without undue delay. Under the German Money Laundering Act, financial institutions must report any suspicion of money laundering or terrorist financing immediately to the Financial Intelligence Unit (FIU). In J.P. Morgan’s case, BaFin found that this core obligation was routinely breached.
The regulator described the failings as organisational, not isolated, a sign that the bank’s internal escalation and reporting mechanisms were structurally deficient. By emphasising the word “systematic,” BaFin also triggered a higher penalty threshold: under the law, fines for systemic breaches can be linked to a company’s overall turnover, allowing them to reach unprecedented levels.
At €45 million, it was BaFin’s largest fine in history, overtaking the previous record set by Deutsche Bank in 2015 of €39 million.
J.P. Morgan sought to draw a line under the issue. The bank noted that the fine related to historical findings and that the timing of its reports “did not impede any investigations.” It also stated that since 2021 it had overhauled its systems and tripled its financial-crime compliance staff. For BaFin, however, the point was not whether investigations were hindered but whether the statutory process had been followed. Compliance, in its view, is measured by timeliness and governance, not by outcome.
Two banks, one lesson: the cost of non-compliance is growing
The contrast between these two cases is instructive. Deutsche Bank’s offences spanned operational and conduct risk, reflecting the regulator’s expectation that large financial groups maintain coherent compliance across business lines. J.P. Morgan’s breach, by contrast, was narrowly focused but cut deeper into the core of financial-crime prevention.
In Deutsche Bank’s case, BaFin targeted slowness and fragmentation: the failure to coordinate investigations, restore normal recording procedures, and ensure consumer-facing processes were properly governed. The lesson was that disorganisation is itself a compliance offence. For J.P. Morgan, the lesson was precision: that even delays in filing reports can constitute a systemic breach. The regulator viewed lateness as equivalent to non-compliance, setting a benchmark for the rest of the sector.
The scale of the fines also tells its own story. J.P. Morgan’s €45 million penalty was almost double Deutsche Bank’s, reflecting both the gravity of AML deficiencies and the application of turnover-based calculation under the German Money Laundering Act. But in substance, BaFin’s message was the same: whether the lapse concerns derivatives or suspicious activity reports, the standard of compliance is absolute.
Other enforcement and emerging priorities
The J.P. Morgan and Deutsche Bank cases dominated headlines, but they were part of a broader pattern. Throughout 2025 BaFin issued smaller fines across the financial sector for failures in record-keeping, reporting, and consumer-protection obligations. In October, it sanctioned individuals for failing to notify issuers under the Securities Trading Act. It also intensified inspections of payment institutions and crypto-asset service providers, reflecting the high-risk profile of those sectors.
BaFin signalled a tougher stance in 2025 and beyond through published priorities and guidance, including ‘Risks in BaFin’s Focus 2025’ and updated Money Laundering Act interpretation notes; it also imposed record and high-profile fines such as €45m on J.P. Morgan SE and €23.05m on Deutsche Bank. AML is no longer treated as a self-contained discipline but as part of a continuum encompassing governance, operational resilience, and customer conduct. This approach foreshadows the structure of the upcoming European AML authority.
The AMLA era begins
By the end of 2025, Germany’s enforcement framework was already aligning with the European Union’s new anti-money-laundering regulation, which will become directly applicable across all member states by mid-2027. The creation of AMLA — headquartered in Frankfurt — marks the most significant reform of European financial-crime supervision in decades.
BaFin will remain Germany’s national supervisor, but AMLA will oversee the largest cross-border financial institutions directly and set common technical standards for all member states. BaFin has publicly stated that it is working closely with AMLA to ensure seamless cooperation and data sharing, particularly around suspicious-transaction reporting and FIU coordination.
For firms operating in Germany, this means heightened scrutiny on two fronts: domestic supervision by BaFin and EU-level oversight by AMLA. The message for compliance teams is unmistakable. The period between now and 2027 will not be one of leniency or transition; it will be one of accelerated enforcement and harmonisation.
