
Use Case Banking · Arabellapark · ECB SSM + BaFin MaRisk + CSRD

Banking with Decision-Layer - UniCredit Bank GmbH (HVB) in Arabellapark under ECB SSM + BaFin MaRisk + CSRD

UniCredit Bank GmbH (HVB) in Arabellapark. ECB SSM direct supervision + BaFin MaRisk + CSRD ESG reporting. AI risk model governance + automated credit decisions under GDPR Art. 22. UK PRA SS1/23 parallel.

ECB SSM + BaFin MaGo + CSRD + GDPR Art. 22 - in one Decision Chain per banking decision.

UniCredit Bank GmbH (HVB, Arabellastraße 12, 81925 Munich-Bogenhausen, HVB Tower) is a Significant Institution under ECB SSM direct supervision. Balance sheet as Munich subsidiary of UniCredit Group (Milan). Plus BayernLB (Brienner Straße, Munich-Maxvorstadt) as the second Munich Significant Institution. Plus asset managers (Allianz Global Investors, DWS München, KGAL) under MiFID II + AIFMD supervision. UK parallel: UK Significant Institutions face PRA + FCA dual supervision - similar two-regulator depth.

Four parallel supervisory worlds per banking decision: ECB SSM with Joint Supervisory Team (JST) including BaFin / Bundesbank representatives, ICAAP / ILAAP, EBA / ECB stress tests, Basel IV implementation. BaFin MaGo + MaRisk with model governance + Use-Test obligation (MaGo entry into force 14.10.2025). CSRD ESG reporting per ESRS standards from FY 2024 with AI risk components for climate-risk modelling. GDPR Art. 22 on automated credit / credit-card decisions. UK parallel: PRA SS1/23 + Bank of England OpResil + FCA Consumer Duty + UK SDS - architecturally parallel to MaRisk + ECB SSM + CSRD.

Plus further regulation: MiFID II + AIFMD for asset managers (AGI, DWS). BaFin AML obligation for Anti-Money-Laundering decisions. EU AI Act Annex III Point 5(b) for creditworthiness assessment as high-risk (high-risk obligations from 2 August 2026 under current law, provisionally postponed to 2 December 2027 under the Digital Omnibus of 7 May 2026 with formal adoption still pending, while the fine regime has been active since 02.08.2026). BayLDA AI Checklist from 24.01.2024 for the GDPR layer.

Typical Decision-Layer split for a banking decision: 45% RULES (KYC + AML + sanctions list match + eligibility + regulatory limits), 30% AI AUTONOMOUS (credit scoring, fraud-detection patterns, ESG scoring, AML anomaly detection), 25% HUMAN (rejections with significant effect + GDPR Art. 22 escalation, manual AML review on suspicious patterns, model validation audit sign-off).

How a Munich banking decision satisfies the GDPR Art. 22 standard along the HmbBfDI precedent.

Anonymised decision record for a credit-card approval decision at a Munich Significant Institution. Direct reference to the Hanseatic File (Hamburg bank EUR 492,000 for missing GDPR Art. 22 architecture). Munich banking does it differently - with Decision-Layer.

KK-APP-2026-05-17-MUC-INT-0921

Standard credit-card application · application 17.05.2026 09:21:42 · applicant 38 years · Munich-Schwabing

Result Approved · GDPR Art. 15 reasoning prepared · audit trail persisted
  1. RULE

    Mandatory field validation + KYC

    Mandatory application fields complete (name, date of birth, address Munich-Schwabing, income documentation 6 months). Identity verification (VideoIdent). KYC status: active. Rule kyc_kk_v3.2.

    ✓ KYC verified
  2. RULE

    Age of majority + EU residency

    38 years, Munich-Schwabing (EU residency). Standard application, no special case. Rule elig_eu_v1.0.

    ✓ Eligibility OK
  3. RULE

    Sanctions check (OFAC, EU, BaFin)

    Applicant mapped against OFAC, EU, BaFin sanctions lists. Negative match. Rule sanctions_2025-09-12. UK clients: additional HMT sanctions list applies via same rule infrastructure.

    ✓ Negative
  4. AI

    Income plausibility (model income-est-v2.4)

    Input: payroll records 6 months, industry, professional experience. Output: plausible in range EUR 6,500-9,200 net/month.

    Confidence 0.94 · threshold 0.85

    ✓ Plausible
  5. RULE

    SCHUFA threshold check

    SCHUFA score 95 (scale 0-100). Threshold for standard card: min. 90. Rule schufa_v4.1. UK equivalent: Experian / Equifax UK score with parallel threshold logic.

    ✓ OK
  6. AI

    Behaviour score (model behavior-score-v1.7)

    Input: application frequency across all banks (24 months), banking behaviour in application flow. Output: Risk Indicator 0.42.

    Confidence 0.91 · threshold 0.85

    ✓ Low Risk
  7. RULE

    Anti-discrimination pre-check (AGG + BayLDA Checklist)

    Statistical parity against previous-year approval quota (gender, age, residency, nationality). Applicant (38 years, Munich-Schwabing, German) within tolerance corridor. BayLDA AI Checklist protection goal Fairness satisfied. Rule agg_baylda_v3.2 (based on AGG - German Equality Act; UK equivalent: Equality Act 2010 Sec. 13-15 + FCA Consumer Duty fair-value test).

    ✓ Within corridor
  8. HUMAN

    Approval at confidence > 0.85 = auto-approval (no human stop)

    All confidence scores above threshold, Risk Indicator low, bias check OK. Auto-approval path. On any rejection or confidence < 0.85: human mandatory (case handler sign-off). For this application: no human escalation. GDPR Art. 22 allows auto-decision when clearly documented + challenge right prepared. UK parallel: FCA Consumer Duty allows auto-decision under the same conditions plus 'good outcomes' test.

    ✓ Auto-approval
  9. RULE

    GDPR Art. 15 + Art. 22 challenge path preparation

    Per decision record an automated reasoning is generated with: model versions used, input criteria (anonymised), confidence scores, decision path. Challenge path with deadline (1 month), escalation to case handler, right to manual re-assessment. Hamburg Hanseatic File lesson directly implemented: no automated reject without reasoning generation. Rule dsgvo_art22_v1.4.

    ✓ Challenge path ready
  10. RULE

    Audit trail persist (BaFin MaGo + ECB SSM + GDPR + EU AI Act)

    Complete decision record persisted: model versions, input hashes, confidence scores, Use-Test logging (MaGo requirement), bias-check values, GDPR Art. 22 auto-decision status. 1-click export for BaFin MaGo format, ECB JST inspection view, GDPR data-subject view, EU AI Act Art. 12 logging. Rule audit_bafin_ecb_v1.4. UK clients: same export covers PRA SS1/23 + FCA Consumer Duty audit views.

    ✓ Audit trail persisted
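
The routing rule from step 8 and the audit entry from step 10, as an added example that is not the vendor's or any bank's code. Assumptions: the field names, the constructed sample inputs, the placeholder case id, the treatment of a confidence of exactly 0.85 as a human case, and the hash chaining between entries (the page only states that input hashes are persisted).

```python
import hashlib
import json

THRESHOLD = 0.85  # confidence threshold from the decision record above

def sha256_json(obj):
    """Digest of canonical JSON, so the trail stores hashes instead of raw applicant data."""
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def route(steps):
    """Auto-approve only if every step passed and every AI confidence exceeds the threshold."""
    for s in steps:
        if not s["passed"]:
            return "human-review"  # any rejection requires case handler sign-off
        if s["kind"] == "AI" and s["confidence"] <= THRESHOLD:
            return "human-review"  # exactly 0.85 is treated conservatively (assumption)
    return "auto-approval"

def build_record(case_id, steps, inputs):
    """Persist one entry per step, each chained to the previous entry's digest (assumption)."""
    prev, entries = "0" * 64, []
    for s in steps:
        entry = dict(s, case=case_id, input_hash=sha256_json(inputs[s["ref"]]), prev=prev)
        entry["digest"] = prev = sha256_json(entry)  # hashed before the digest field exists
        entries.append(entry)
    return {"outcome": route(steps), "entries": entries}

def verify(record):
    """Recompute the chain; an edited, reordered or mid-chain-deleted entry breaks it."""
    prev = "0" * 64
    for e in record["entries"]:
        body = {k: v for k, v in e.items() if k != "digest"}
        if e["prev"] != prev or sha256_json(body) != e["digest"]:
            return False
        prev = e["digest"]
    return True

# Constructed sample: refs and confidences follow the record above, inputs are invented.
STEPS = [
    {"kind": "RULE", "ref": "kyc_kk_v3.2", "passed": True},
    {"kind": "RULE", "ref": "sanctions_2025-09-12", "passed": True},
    {"kind": "AI", "ref": "income-est-v2.4", "passed": True, "confidence": 0.94},
    {"kind": "RULE", "ref": "schufa_v4.1", "passed": True},
    {"kind": "AI", "ref": "behavior-score-v1.7", "passed": True, "confidence": 0.91},
]
INPUTS = {s["ref"]: {"sample": s["ref"]} for s in STEPS}  # placeholder inputs
RECORD = build_record("CASE-PLACEHOLDER", STEPS, INPUTS)

if __name__ == "__main__":
    print(RECORD["outcome"], verify(RECORD))
```

A chain like this does not detect entries dropped from the end; that needs the latest digest stored outside the trail, for example in the export handed to the auditor.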

Engineering from Hamburg, workshop at Arabellapark or in Maxvorstadt.

Engineering head office Hallerstraße 8 Hamburg. Munich workshop on-site. HVB Tower (Arabellastraße 12, Bogenhausen) or BayernLB (Brienner Straße, Maxvorstadt) or Munich Urban Colab as neutral ground. Separate rooms for CRO session (model risk manager workshop), Compliance / DPO briefing, works-council session, ECB JST preparation demo. Workshop under EUR 10,000. For UK-headquartered groups (HSBC, Barclays with German subsidiaries): workshop in English with remote bridge to UK head office.

Banking workshop pattern: Day 1 = stakeholder mapping (CRO + Head of Model Risk Management + Compliance + DPO + works council). Day 2 = Decision-Layer demo with banking use cases (credit-card approval, credit scoring, AML detection, fraud patterns, ESG scoring). Day 3 = ECB SSM / BaFin MaGo audit-trail integration + mock JST inspection with Use-Test workflow + GDPR Art. 22 workflow along the Hamburg bank lesson.

Integration with banking IT: the Decision-Layer integrates with core banking systems: HVB uses the UniCredit Group stack (internal systems), BayernLB uses OSPlus by Finanz Informatik (Sparkassen Group standard). Plus credit-scoring platforms (FICO, Experian, SCHUFA), AML tools (NICE Actimize, SAS AML, Oracle Financial Crime Compliance), ECB / EBA reporting suites (AxiomSL, BearingPoint Abacus). Source code of the adapters goes with the repository handover to the bank - no vendor lock-in.

Hanseatic File lesson for banking: the Hamburg bank case (HmbBfDI EUR 492,000 October 2025 for GDPR Art. 12, 15, 22) is mandatory reading for Munich banking. Link: Hanseatic File. Munich banking does it differently: every automated reject with GDPR Art. 15 reasoning generation. Every AI decision with an audit trail per human-in-the-loop escalation path. UK parallel: ICO + FCA enforcement on credit refusals follows the same pattern - named decisions plus reasoning, no silent automated rejection.

Which Munich banking players does this spoke address?
UniCredit Bank GmbH (HVB, Arabellastraße 12, 81925 Munich-Bogenhausen, HVB Tower in Arabellapark) - largest Munich bank, part of UniCredit Group (Milan). Plus: Münchner Bank eG, Stadtsparkasse München, Bayerische Landesbank (BayernLB, Brienner Straße - directly in Munich-Maxvorstadt). Plus asset managers: Allianz Global Investors (AGI), DWS München, KGAL. For UniCredit Bank GmbH the following applies: ECB SSM direct supervision (Significant Institution), BaFin as National Competent Authority, Bundesbank for monetary policy. UK parallel: UK banks (Barclays, HSBC, Lloyds, NatWest) face PRA SS1/23 model risk management + Bank of England OpResil + FCA Consumer Duty - architecturally parallel to ECB SSM + BaFin MaRisk.
What is ECB SSM and how does it apply to HVB?
The Single Supervisory Mechanism (SSM) is EU banking supervision run by the ECB for Significant Institutions (balance sheet > EUR 30 bn or top 3 in the country). UniCredit Bank GmbH qualifies, so a Joint Supervisory Team (JST) with BaFin and Bundesbank representatives oversees it. Supervision spans capital and liquidity adequacy (ICAAP/ILAAP), EBA and ECB stress tests, and Basel IV implementation, including AI risk-model governance. The Decision-Layer audit trail supports JST inspections through documented model validation, Use-Test and backtesting records. UK banks face the PRA SREP under the same architecture, with a named regulator instead of the ECB.
How is BaFin MaRisk + MaGo covered in banking with the Decision-Layer?
MaRisk (Mindestanforderungen an das Risikomanagement) and the new MaGo (in force 14.10.2025) tighten model governance and the Use-Test obligation - a model must actually be used, validated and backtested, not just documented. For AI risk models (credit scoring, anti-money-laundering, fraud detection), each model decision needs an audit trail with model version, input hash, confidence score and Use-Test logging. The Decision-Layer carries exactly that, with DPO and CRO sign-off paths at validation audits. The UK PRA SS1/23 model risk management framework demands the same validation and governance evidence.
What does CSRD ESG reporting mean for a Munich bank?
CSRD (EU 2022/2464) requires large banks to report ESG data per ESRS standards from FY 2024 (reported 2025). HVB reports via UniCredit Group consolidation. The data has to be captured across the credit and securities portfolios as well as the bank's own operations, on top of EU Taxonomy reporting. Where AI components drive ESG scoring (for example climate-risk modelling of the credit portfolio), they become an EU AI Act Annex III candidate, so the Decision-Layer documents the ESG data sourcing, model assumptions and override records. The UK equivalents are TCFD, the UK Sustainability Disclosure Standards and PRA SS3/19 Climate Risk.
How is GDPR Art. 22 covered on automated credit decisions?
Automated credit decisions (consumer loan, credit-card approval) fall under GDPR Art. 22 as automated individual decisions with significant effect. For AI scoring the applicant must be told about the logic, its significance and their right to challenge. The Hamburg bank case 2025 (HmbBfDI EUR 492,000 - see Hanseatic File) shows the consequence of skipping that architecture. In the Decision-Layer, rules handle eligibility, KYC and sanctions, AI handles scoring at the confidence threshold, and a human is mandatory below 0.85 confidence or on any rejection with significant effect - with GDPR Art. 15 reasoning generated per decision record. UK GDPR Art. 22 and FCA Consumer Duty 2023 demand the same, framed as 'good outcomes'.

Schedule workshop at Grindelberg

3-day discovery: Day 1 process analysis, Day 2 Decision-Layer mapping, Day 3 use-case prioritisation. Concrete deliverable.


Discovery workshop below EUR 10,000. Pilot fixed price discussed after the workshop.