Germany's Regulator Didn't Miss Wirecard. It Was Built to Look Away.

On 18 February 2019, Germany's financial regulator did something it had never done before in its history: it banned anyone from betting against a single company's stock.¹ The company was Wirecard, the payments firm that had just been crowned into the DAX 30, briefly worth more than €24 billion — more than Deutsche Bank.⁷ The people BaFin was protecting Wirecard from were the short-sellers and journalists pointing at a hole in the accounts. Sixteen months later that hole turned out to be €1.9 billion, money that, in Wirecard's own words, 'probably do not exist.'³ The regulator had aimed its one extraordinary weapon at exactly the wrong target.

The popular story is that BaFin was asleep — captured, lazy, nationalistically blind to fraud at its fintech champion. That story is comforting because incompetence is fixable: replace the people, fund the agency, problem solved. The real story is worse, because it was designed. Germany had decided, on paper, that its payments giant was not a financial company at all.

The official line was that BaFin failed to supervise Wirecard. The truth is that BaFin was legally forbidden from supervising the part of Wirecard that mattered, and everyone in the room had agreed to it.

A bank wrapped in a tech company, on purpose

Here is the mechanism almost everyone skips. Wirecard AG, the parent, was the entity processing payments around the world and reporting the profits that turned out to be fiction. Buried inside it was Wirecard Bank AG, a small, properly licensed German bank. BaFin's president later testified to the Bundestag that BaFin, the European Central Bank, and the Bundesbank had all agreed Wirecard was a technology company, not a financial services firm. The consequence of that single classification: BaFin could only regulate the little bank.⁴ The vast payments operation, the books, the imaginary escrow accounts — all of it sat in the parent, in the part of the structure no financial supervisor was empowered to open.

Think of it as a vault with a guard posted on the broom closet. The guard is real, diligent, doing exactly his job. The vault is three doors down, and his badge does not work on it. When critics later asked why the guard never looked inside the vault, the honest answer was not that he was lazy. It was that the building had been laid out so that no one with a key was responsible for the room where the money wasn't.

This is the thesis, and it is uncomfortable: BaFin missing Wirecard was less a failure of effort than a feature of architecture. Germany wanted a fintech champion and built a regulatory frame that let it treat one like software. The classification that made Wirecard exciting to investors was the same classification that made it invisible to the financial cop.

The watchdog that could fit in a conference room

Even the body nominally responsible for first checking the books had no chance. Germany's Financial Reporting Enforcement Panel — FREP — was the quasi-official watchdog meant to catch dodgy accounts at listed companies. It ran with about 15 employees and an annual budget of roughly €6 million.⁹ Fifteen people, against the entire universe of listed German firms and an accounting fraud built across multiple jurisdictions and forged bank confirmations. FREP did eventually conclude that Wirecard's accounts were inadequate — after the company had already filed for insolvency.⁹ A watchdog that barks only after the house has burned down is not a watchdog. It is a record-keeper.

And the auditors? EY signed Wirecard's books with clean, unqualified opinions every year from financial year 2009 through 2018, withholding its opinion only on 2019 — once the money refused to appear. Germany's accounting oversight body, APAS, later found EY's opinions 'objectively inaccurate,' with 'grave' and 'repeated' violations across the 2016–2018 engagements.⁶ Every external line of defense — auditor, accounting panel, financial regulator — was either looking at the wrong entity, understaffed past the point of meaning, or signing off on forgeries. The fraud did not slip through one crack. It walked through a corridor where every door had been left unlocked for a different reason.

They didn't just look away. They prosecuted the people looking.

Passive blindness is one thing. Wirecard's protection was active. When the Financial Times kept publishing on the accounting irregularities, BaFin's response was the short-selling ban — protecting the company from the market that was trying to price in the truth.¹ The regulator treated the bet against Wirecard as the threat to market integrity, rather than treating the company as the threat. This is the inversion at the heart of the story: the institution charged with finding fraud spent its energy suppressing the signal that fraud existed.

And it was not a German freelance. The popular telling frames the 2019 ban as a rogue national act against EU norms. In fact, on the very day it took effect, ESMA — the European Securities and Markets Authority — issued a formal positive opinion endorsing it.² Europe's own securities authority blessed the move to shoot the messenger. The deference ran higher still: Chancellor Angela Merkel testified to the Bundestag inquiry that she had lobbied Chinese officials on Wirecard's behalf during a 2019 trip, saying she had no reason at the time to suspect serious irregularities.⁸ When the chancellery is doing your business development and the EU regulator is silencing your critics, you are not a company that slipped past oversight. You are a company that oversight had adopted.

But wasn't this just a clever fraud that fooled everyone?

The fair objection is that Wirecard's fraud was genuinely sophisticated, and no system catches everything. That is partly true. The escrow accounts were supported by forged confirmation documents; banks named as custodians — BDO Unibank and the Bank of the Philippine Islands among them — said they were forgeries and that they had never held a Wirecard account at all.⁵ Even KPMG's special audit could not verify the majority of Wirecard's 2016–2018 profits, in part because the company and its partners would not cooperate.⁵ So yes: this was deliberate, well-built deception, not a clerical slip a sharper auditor would have spotted in an afternoon.

But the objection proves the point rather than rebutting it. Sophisticated frauds are exactly what supervisory architecture exists to catch, because they are precisely what individual diligence cannot. The forgeries worked not because they were undetectable but because no entity with the authority to demand the underlying truth was looking at the right company. A fraud thrives in the gap between who is responsible and who is empowered — and Germany had engineered that gap by deciding a payments firm was a tech firm. The deception was clever. The opening it walked through was institutional, and the institution made it.

Germany answered with the Act on Strengthening Financial Market Integrity, effective July 2021 — raising auditor liability, reforming audit committees, expanding BaFin's powers over listed-company accounts, and effectively dissolving the toothless FREP it had relied on.¹⁰ The fix is telling. It does not add more guards. It hands the existing guard a key to the vault. That is the admission buried in the reform: the problem was never that no one was watching Wirecard. It was that the people watching had been assigned the broom closet, on purpose, and then asked, after the fire, why they never smelled smoke. The most expensive blind spots are not the ones a regulator overlooks. They're the ones a regulator was built not to see.