From Regulatory Intervention to a Certified Company: Where Unzer Stands in 2026

Dr. Max Steiger, Chief Compliance and Governance Officer

04/28/2026
5 Minutes

The past few years have been a period of intense regulatory scrutiny and profound transformation for Unzer. Today, Unzer is structurally repositioned, with systems and processes that meet high international standards.

At the same time, we recognize that the past continues to shape perceptions. That makes it all the more important to transparently explain what has actually happened since 2021 – and what structural and cultural changes have emerged as a result.

What happened in 2021 – and how we responded

When I joined Unzer in 2021, it quickly became clear that the existing governance structures did not consistently meet the requirements of a robust control environment – or my own expectations. We therefore began overhauling key structures, particularly by introducing the three-lines-of-defense model commonly used in the banking industry.

Shortly thereafter, a special audit by the Federal Financial Supervisory Authority (BaFin) at the Unzer subsidiary Unzer E-Com GmbH confirmed deficiencies in compliance structures and anti-money laundering controls. As a result, a special supervisory mandate was imposed.

The situation was clear. What mattered was how we responded. Our focus was on systematically addressing the identified weaknesses and structurally rebuilding the organization. Initial measures had already been launched; the audit added clarity and momentum to the transformation.

What followed was a fundamental reset of the company: a complete rebuild of the compliance organization, investments of more than €27 million in systems, processes, and personnel, new leadership structures, and robust internal controls.

In October 2024, BaFin fully lifted the special supervisory mandate at Unzer E-Com. Since then, Unzer has returned to regular supervision – with significantly strengthened structures and a clear focus on sustainable development.

Transformation across the entire organization

Structures, software, and processes are essential components of compliance – but they are not enough. What truly endures is a corporate culture that doesn’t just control integrity, but lives it. That is why we have deliberately developed both dimensions at Unzer.

At the core today is a unified compliance management system with clearly defined responsibilities, group-wide policies, and transparent structures. A key element is the consistent implementation of the three-lines-of-defense model across the entire company – not just in individual areas.

The first line of defense is the commercial organization. We fundamentally redesigned the onboarding process, introducing clear exclusion criteria, transparent ethical guidelines, and integrated controls to identify and manage risks early.

The second line of defense includes compliance, risk management, and information security. Clear governance structures, defined processes, and reporting lines ensure that risks are not only identified but actively managed. A risk committee supports this work at a higher level, complemented by significant investments in monitoring systems, transaction controls, and sanctions screening.

The third line of defense is Internal Audit. It independently reviews the effectiveness of the first two lines and ensures that defined standards are consistently upheld. In parallel, all employees receive regular training in compliance, information security, anti-money laundering, and data protection. Because rules alone are not enough – people must not only know what is allowed, but understand what is right.

External validation: ISO certifications for compliance and information security

A major milestone was reached in April 2026: Unzer was certified under two internationally recognized standards – ISO 37301 for its compliance management system and ISO 27001 for its information security management system.

These certifications are more than formal accolades. They represent independent external confirmation that the structures we have built meet international requirements.

ISO 37301 sets the requirements for a systematic and effective compliance management system – one that identifies compliance risks, ensures adherence to rules, and embeds responsible conduct throughout the organization. ISO 27001 certifies that an information security management system is in place and operating within its defined scope: sensitive data and systems are protected through clearly defined security processes, regular risk assessments and risk treatment, and continuous improvement.

In the payments industry – where highly sensitive data is handled every day – these standards are a cornerstone of trust. At the same time, certifications are not an endpoint. They commit us to maintaining these standards and continuously improving them.

Integrity is created by people, not systems

For me personally, one aspect remains decisive – one that cannot be captured by certifications: corporate culture.

Structures and technologies create the foundation. But lasting change only happens when integrity becomes an integral part of everyday behavior – through clear accountability, open communication, and a speak-up culture in which every voice is heard.

Leadership must set the tone. Compliance begins at the top – not as a control function, but as a mindset. No system, no matter how well designed, can replace responsible leadership.

This is the path we will continue to follow at Unzer – not because regulation demands it, but because we believe that trust in payments is never a given. It must be earned every single day.

About Dr. Max Steiger

Dr. Max Steiger is Chief Compliance and Governance Officer at Unzer, where he oversees compliance, anti-money laundering, information security, and ESG (environmental, social, and governance) across the group. Previously, he spent nearly 20 years in senior compliance roles at Deutsche Bank. Since 2024, he has been a member of the executive committee of the German Association of Payment and E-Money Institutions (bvzi).