This post was originally published on this site.
Bitpanda prides itself on being one of the most regulated crypto exchanges in Europe. The Austrian firm — backed by investors including billionaire Peter Thiel and reportedly planning for a listing on the Frankfurt stock exchange this year — has promoted its services with the slogan “secure, regulated and real.”
But reporting by Süddeutsche Zeitung, WDR and NDR, in Germany, and profil magazine, in Austria, found that internal auditors of Bitpanda’s German-licensed subsidiary, Bitpanda Asset Management GmbH, raised red flags last year about the Berlin firm’s operations. The warnings came months after the subsidiary had assured Germany’s Federal Financial Supervisory Authority, or BaFin, it had addressed concerns raised by the regulator following a routine audit.
The new findings by media partners of the International Consortium of Investigative Journalists are part of The Coin Laundry, an ICIJ-led exposé into the lightly regulated crypto industry. They highlight regulators’ difficulties in holding crypto companies to the same customer care and risk management standards as banks and other traditional financial institutions.
According to internal company documents reviewed by the news outlets, BaFin first audited Bitpanda Asset Management in 2023, after the company received its German crypto trading license, and found more than a dozen violations, ranging from “minor” to “significant” and “serious.” These included inadequate information security and data storage systems, insufficient tests to identify and protect against cybersecurity threats, and poor monitoring of external service providers.
Months later, the company assured the agency that it had fixed most of the problems — actions that BaFin acknowledged, the news outlets reported. But internal auditors of Bitpanda’s German subsidiary found some of the issues were not resolved, and warned managers that a lack of documentation and cooperation by the company’s compliance department made it difficult to verify the claims made to the regulators.
“Attention is to be paid towards the current and ongoing non-compliance with regulatory requirements,” the auditors wrote in an English-language presentation reviewed by the news outlets. “The lack of documentation also leads to an audit impediment, which makes the company unexaminable.”
Nikolai Badenhoop, a legal expert at the Leibniz Institute for Financial Market Research, told ICIJ’s media partners that the warning was “very worrying” because the issues identified in the audits concerned the security of cryptocurrency and other assets that Bitpanda holds for its customers. “As a customer, I trust that my assets are kept safe there,” Badenhoop told WDR.According to European regulation, financial institutions, including virtual asset service providers, are required to secure their infrastructure and be prepared to manage and handle technical disruptions to protect virtual assets in their custody as well as customer data.
The issues were not limited to Bitpanda’s Berlin branch, the news outlets found. An internal memo reviewed by the reporters said that a separate 2024 audit by Bitpanda’s external auditor, KPMG Austria, found a lack of documentation at the exchange’s Vienna headquarters. It also found that two of Bitpanda’s shareholders and one board member had “inappropriate privileged” access rights to IT systems until they were revoked in 2025.
In an emailed response to ICIJ’s media partners, a Bitpanda spokesperson said that all the companies in the group go through “extensive controls and assessments” and “have consistently received an unqualified audit opinion.”
“As a fully regulated European financial institution, we are subject to regular regulatory and external audits, which we always pass without restrictions,” the spokesperson said in the German-language statement. “We work closely with the relevant supervisory authorities in Germany and abroad to continuously develop our processes.”
In late 2025, BaFin conducted another audit on Bitpanda’s German subsidiary but the outcome of it is not known, the news reports said. The company’s spokesperson did not answer questions about whether all the issues identified by external and internal auditors had been fixed. BaFin did not respond to requests for comment.