Austrian FMA Annual Report 2025: Fines, Priorities, and What Changes in 2026
The Austrian Financial Market Authority issued more fines in 2025 than in any year since its inception. A detailed read — with BaFin benchmarks and implications for the DACH fintech scene.

Austria's Financial Market Authority (FMA) imposed EUR 9.4 million in administrative fines in 2025, on its own figures — the highest level since the authority was created in 2002, and 41% higher than in 2024. 287 proceedings were concluded, 198 of them with sanctions. Add 14 licence withdrawals, three of them in crypto and securities services.
These numbers are not just statistical filler. They mark the end of a supervisory era in which the FMA was regarded as a relatively mild European authority, and the start of a tougher sanctions regime — against the backdrop of MiCA, full transposition of the sixth anti-money-laundering directive and growing political sensitivity to financial crime. For Austria's fintech scene and for German providers operating in Austria, the shift has practical consequences that are barely discussed in public yet.
Key priorities in 2025 at a glance
FMA activity in 2025 was dominated by a manageable set of themes.
MiCA licensing and transition management: MiCA entered its final stage on 30 December 2024. By May 2026, the FMA reports 18 crypto-asset service providers (CASPs) fully licensed in Austria, with 31 applications still pending. 14 providers previously registered with the FMA exited during the transition — because they could not, or would not, meet the capital and compliance requirements. Bitpanda, the largest domestic provider, received its MiCA licence in March 2026. Trade Republic, which operates in Austria under its German BaFin licence, benefits from the EU passport and is not directly affected by Austrian licensing.
AML supervision: the FMA conducted 38 full AML inspections in 2025, a 27% increase on 2024. Focus areas were banks with high non-resident exposure, payment service providers with crypto links, and asset managers with clients from high-risk jurisdictions. Six of the 14 licence withdrawals in 2025 were AML-driven.
Investor protection and distribution practices: 43 market-surveillance procedures concluded in 2025, 31 of them for inaccurate or misleading investment advertising. Particular focus: the sale of complex certificates to retail customers, opaque cost structures in robo-adviser offers, and the rising number of influencer-driven securities recommendations made without a legal basis.
The largest individual fines of 2025
The FMA publishes sanction decisions anonymously, but the magnitudes allow informed inferences about the institutions concerned. Several cases stood out quantitatively in 2025.
The largest single fine — EUR 2.3 million — fell on an Austrian credit institution for systematic shortcomings in customer due diligence under the FM-GwG. Over several years, identification and verification processes for a sizeable cohort of existing clients had not been properly executed — a classic finding by large-bank standards, showing that the FMA has calibrated its benchmark to European norms.
A second fine of EUR 1.7 million hit an asset manager for breaches of MiFID II suitability duties. Retail clients were recommended complex investment products without the required suitability assessment being documented.
The third notable fine — EUR 980,000 — went to a crypto-asset service provider that continued operating in the MiCA transition phase without sufficient own funds. The provider was subsequently forced to cease activity.
In our view, the distribution shows a notable shift: where the FMA was historically seen primarily as a supervisor of small and mid-sized securities firms, the majority of larger fines in 2025 hit institutions with balance sheets above EUR 1 billion. The thesis that Austrian large banks in Vienna are treated more leniently than German large banks in Frankfurt no longer holds in 2026.
Structural changes
Several developments will reshape the supervisory regime in 2026 and 2027.
First, the establishment of the EU Anti-Money Laundering Authority (AMLA): the new European supervisor, headquartered in Frankfurt, takes up its work in 2026. For selected cross-border credit institutions it will assume direct AML supervision — currently a national-authority task. Austrian banks with material foreign business (Raiffeisen Bank International, Erste Group, UniCredit Bank Austria) are expected to fall under direct AMLA supervision. For the FMA, that implies a reallocation of supervisory resources to smaller institutions and specialist service providers.
Second, DORA implementation: the EU Digital Operational Resilience Act has been fully applicable since January 2025. 2025 was the first year of ongoing FMA supervision in this area; the first sanctions for DORA breaches are expected in 2026. Particularly relevant for fintechs relying on German or US cloud infrastructure: documentation and control requirements are significantly more demanding than many providers initially built into their compliance programmes.
Third, tougher sanctions for MiFID II breaches: in January 2026, the FMA clarified in a supervisory practice note that repeated minor breaches of distribution documentation will henceforth be assessed cumulatively as systemic shortcomings. That ends the previous practice of treating individual breaches as isolated incidents.
FMA versus BaFin
The comparison with Germany's supervisor is instructive. The BaFin imposed around EUR 56 million in administrative fines in 2025 by its own figures — six times more than the FMA, against a supervisory perimeter roughly ten times larger. Per supervised institution, the two authorities are running in similar territory.
At the level of supervisory philosophy, key differences remain.
The FMA traditionally takes a principles-based approach and relies more heavily on dialogue with supervised institutions. Since the post-Wirecard reforms, the BaFin is more rules-based and sanctions more mechanically. That gap has narrowed but remains visible.
The FMA has a stronger sector specialisation through its divisional structure (banking, insurance, securities, pension funds). The BaFin has worked in a more integrated way since the 2022 reform.
The FMA has a substantial head start in crypto supervision — it was one of the first EU regulators to register crypto-service providers, from 2019 onwards. The BaFin has only structurally caught up with MiCA.
What fintechs should take away from the report
For fintechs with Austrian exposure, the FMA's annual report yields five practical conclusions.
First: MiCA licensing is no longer an optional compliance topic in 2026, but a hard market-entry threshold. Providers operating without a MiCA licence risk having their authorisation withdrawn over the next twelve months.
Second: AML compliance is tightening quantitatively and qualitatively. Anyone who has not yet invested in a professional transaction-monitoring system should do so in 2026 — the investment of EUR 80,000-300,000, depending on business size, is insurance against fines that can quickly run several multiples higher.
Third: the influencer and affiliate marketing models of many brokers and crypto providers are coming under pressure. The FMA clarified in two 2025 cases that indirect payment for securities recommendations also legally constitutes promotional content — with all attendant duties.
Fourth: DORA compliance is the next big compliance project for 2026. Cloud outsourcing contracts, incident-reporting processes and resilience tests need to be documented in a structured way.
Fifth: for German providers operating in Austria via the EU passport, the FMA is a watchful reader. Complaints from Austrian customers are forwarded to the home regulator, but simultaneously documented — and frequent repetition can draw the attention of the home regulator itself.
Implications for the Bitpanda IPO story
The FMA's growing supervisory intensity has a direct strategic implication for the valuation of the forthcoming Bitpanda IPO. Anyone with a full MiCA licence and several years of clean compliance record has a hard-to-reproduce regulatory moat. Bitpanda and a handful of competitors are in that position in 2026. Most new entrants will find the licensing process costly and slow — which structurally protects incumbents.
In our view, the FMA's tightening is a stability signal for investors rather than a risk. Anyone invested in a provider that comes under FMA scrutiny had a problem anyway. Anyone invested in a provider with a clean supervisory record benefits from the higher entry barrier for competitors. Regulation produces moats — and moats produce margins.
To trace the practical consequences of the MiCA priority, see MiCA in practice: what changed for DACH investors in 2026. For the strategic context of the Austrian fintech landscape, our Bitpanda IPO analysis is the immediate next step. And bank shareholders looking to understand the macroeconomic implications of tighter supervision will find them in our June 2026 ECB meeting preview.