BaFin’s Bitpanda Bombshell: Vienna’s MiCA Hub Puts Austria’s FMA Under the Compliance Microscope

A BaFin special audit has found 16 deficiencies at Bitpanda’s German subsidiary, including serious weaknesses in risk management, IT and outsourcing. Yet Bitpanda’s home regulator, Austria’s FMA, is simultaneously building a MiCA “crypto hub” in Vienna – licensing Bitpanda and other high-risk players – with Austrian lawyer Oliver Stauber among the key architects.

Key Facts

• German watchdog BaFin conducted a special audit of Bitpanda Asset Management GmbH (BAM), Bitpanda’s licensed German subsidiary, in 2023 – roughly a year after granting its licence.
• The audit report listed 16 deficiencies: five “severe”, four “significant”, six “medium” and one minor – mainly in risk management, IT and outsourcing, all core areas for investor protection.
• BAM had outsourced key functions, including crypto custody and KYC, back to Bitpanda group entities in Vienna – raising structural questions that reach beyond Germany.
• Internal auditors later flagged information-security weaknesses, poor documentation and a lack of regulatory expertise – findings echoed in ICIJ’s “Coin Laundry” cooperation.
• Despite this, Bitpanda GmbH in Vienna obtained a full MiCA CASP licence from the Austrian FMA in April 2025 and now sits at the centre of an emerging Vienna MiCA hub.
• The same FMA co-signed a joint paper with France’s AMF and Italy’s Consob in September 2025 warning about jurisdiction shopping and calling for ESMA to directly supervise major CASPs.
• Vienna is now home to MiCA licences for KuCoin EU, Bitpanda, Bybit, AMINA and others – with former Bitpanda Chief Legal Officer Oliver Stauber playing a prominent role in KuCoin’s licence and now Bitget’s EU MiCA push, alongside advisory work by EY Law.

Short Analysis

From a pure compliance perspective, the Bitpanda case is a stress test for how Europe’s new MiCA regime interacts with traditional prudential supervision.

BaFin’s special audit of BAM did not quibble about minor paperwork; it attacked the heart of the control framework – risk governance, IT security and the oversight of outsourced functions, many of which led straight back to Vienna. Internal auditors added their own red flags about information-security controls and regulatory know-how inside the organisation. Bitpanda insists that all deficiencies have been remedied. But the very pattern – aggressive expansion, outsourcing to group entities, and post-hoc remediation – is exactly what MiCA was supposed to bring under tighter, harmonised control.

That is where Austria’s FMA enters the frame. As Bitpanda’s home supervisor, the FMA is now MiCA gatekeeper not just for Bitpanda, but for a growing list of CASPs using Vienna as their EU launchpad. KuCoin EU, Bybit EU, AMINA and others have chosen Austria as their passporting hub – a fact proudly highlighted by industry press and the firms themselves. At the same time, the FMA publicly complains – together with AMF and Consob – that national regulators struggle to supervise global platforms and that only ESMA-level oversight can prevent regulatory arbitrage.

You cannot have it both ways. If Vienna markets itself as a high-standard MiCA hub while licensing exchanges that foreign regulators have criticised or penalised, the FMA must be able to demonstrate tangible, intrusive supervision – not just well-phrased position papers.

The human factor matters, too. Former Bitpanda CLO Oliver Stauber, who oversaw group legal and licensing during the period when BAM’s structures were being built, is now the go-to MiCA frontman for other large exchanges – first KuCoin EU, now Bitget EU – with EY Law prominently advising on MiCA authorisations. Formally, there is nothing illegal about a “MiCA-as-a-service” career path. Substantively, it raises a sharp question: is Austria exporting regulatory expertise – or importing other people’s unresolved risks and enforcement histories into the EU single market?

For investors and counterparties, the answer will depend less on speeches and more on the next inspection reports – this time with the FMA’s name on the letterhead.

Call for Information

FinTelegram invites current and former employees of Bitpanda, BAM, KuCoin EU, Bitget EU, EY Law and other Vienna-based CASPs, as well as regulators and service providers with insight into MiCA licensing and supervision, to contact us confidentially via Whistle42.com. Documents, internal risk reports and correspondence relating to BaFin findings, FMA MiCA approvals or “Vienna hub” structuring are of particular interest.