Wirecard: How a $25 Billion German Fintech Built Its Fraud on Banking Partnerships That Didn't Exist

The Fintech That Europe Was Proud Of — Until It Wasn't

Wirecard was, for several years, one of the most celebrated technology companies in Europe. Founded in Germany in 1999, it built a payments processing business that grew rapidly through the 2000s and 2010s, eventually displacing Commerzbank from the prestigious DAX 30 index — the benchmark of Germany's 30 largest publicly traded companies — in 2018. At its peak, the company carried a market capitalization of approximately $25 billion. Its CEO, Markus Braun, was profiled as a visionary. Its stock was a favorite of institutional investors who believed Germany had finally produced a fintech champion capable of competing with the global giants.

In June 2020, Wirecard disclosed that €1.9 billion — approximately $2.1 billion — that was supposed to be sitting in escrow accounts at two Philippine banks did not appear to exist. The banks in question, BDO Unibank and Bank of the Philippine Islands, issued statements confirming they had no relationship with Wirecard. Within days, Wirecard filed for insolvency. Braun was arrested. COO Jan Marsalek, who had managed the fraudulent network, fled Germany and is believed to be living under Russian protection. The entire edifice of Europe's most admired fintech had been built, at least in part, on partnerships that never existed.

The Third-Party Acquirer Structure: How Fake Partners Create Real Revenue

To understand Wirecard's fraud, you need to understand a legitimate business structure it exploited: third-party acquiring. In the payments industry, a payment processor sometimes cannot directly service clients in certain geographies or regulated sectors — online gambling, adult content, certain pharmaceutical categories — so it works through local third-party payment processors who act as intermediaries. The third-party acquirer handles the regulatory relationship and local banking infrastructure; the parent company receives a revenue share.

Wirecard used this structure, known internally as the Third Party Acquiring (TPA) business, to account for a significant and growing portion of its reported revenues. The TPA segment was supposedly operated through partner companies in Dubai (Al Alam Solutions), Singapore (PayEasy Solutions), and the Philippines. These partners were supposedly processing enormous volumes of payments on Wirecard's behalf and holding the resulting cash — the €1.9 billion — in escrow accounts at Philippine banks.

The problem, as the Financial Times's investigative team began documenting as early as 2015, was that these partner companies showed very few signs of conducting business at the scale Wirecard was reporting. Al Alam Solutions operated from a small office with a handful of employees. PayEasy Solutions had similarly modest physical operations. The revenues attributed to the TPA network were wildly disproportionate to the visible infrastructure of the companies supposedly generating them.

Wirecard's response to these concerns, sustained over five years, was to accuse the Financial Times of market manipulation and to hire KPMG for a special audit that it then used to claim independent validation of its accounts. The KPMG special audit, released in April 2020, in fact confirmed that Wirecard had failed to provide adequate documentation for the TPA revenues — a conclusion that Wirecard's communications team managed to spin into a headline suggesting vindication. Three months later, the €1.9 billion was confirmed to not exist.

EY's Decade of Failure: The Auditing Partnership That Certified a Fiction

Ernst and Young served as Wirecard's auditor for ten consecutive years, from 2009 through 2019. In each of those years, EY certified that Wirecard's financial statements presented a true and fair view of the company's financial position. The €1.9 billion in phantom escrow accounts was signed off on for multiple consecutive years.

The specific audit failures that allowed this to continue have been documented in detail by German parliamentary investigations. EY did not independently verify the escrow balances with the custodian banks until 2019 — and when it finally did, in 2020, the banks denied the accounts existed. For years prior, EY had accepted confirmation documents that, investigators concluded, were fabricated by Wirecard employees and presented as bank confirmations.

The trust that a Big Four audit firm extends to its client — the reasonable professional assumption that documents provided by management are authentic — was systematically exploited. Wirecard's management knew that an auditor operating within normal professional parameters would not independently verify every document it was given. The fraud was engineered around that assumption.

EY has faced significant legal and regulatory consequences. Shareholders and creditors filed lawsuits seeking billions in damages. German financial regulator BaFin — which had itself been embarrassingly credulous about Wirecard, going so far as to ban short-selling of Wirecard shares in 2019 and referring the Financial Times to prosecutors — also came under investigation for its supervisory failures. In 2022, Germany's audit oversight body issued a formal sanction against EY's German firm. Investigations and litigation remain ongoing.

Jan Marsalek and the Intelligence Community Angle

The Wirecard story has a dimension that distinguishes it from ordinary corporate fraud. Jan Marsalek, the COO who managed the TPA partnership network and who is widely believed to have been the principal architect of the fraud's operational components, had relationships with intelligence services that have never been fully explained.

Marsalek reportedly had connections to both Russian and Austrian intelligence, and evidence suggests he used Wirecard's corporate infrastructure — private jets, cash-intensive operations, relationships in opaque jurisdictions — in ways that went beyond ordinary business. After fleeing Germany in June 2020 with approximately 24 hours' notice before an arrest warrant was issued, Marsalek surfaced in Russia and has remained there, apparently under protection that has prevented extradition.

This dimension of the case has led some investigators to conclude that Wirecard was not merely a corporate fraud but a hybrid criminal-intelligence operation — that the third-party partner network served purposes beyond revenue fabrication. That remains a contested and partly classified area of the investigation, but it adds a layer of complexity to a fraud that was already remarkable for its scale and duration.

The Supervisory and Regulatory System That Failed Entirely

Wirecard's collapse exposed systemic failures at every level of Germany's financial oversight infrastructure. BaFin, the federal financial regulator, had received multiple warnings about Wirecard's accounting — from short-sellers, from journalists, from financial analysts — and responded by investigating the short-sellers rather than the company. Its decision to impose a short-selling ban in 2019 was unprecedented in German regulatory history and, in retrospect, served primarily to protect the fraud by suppressing market signals.

The Wirecard Inquiry Committee of the German Bundestag spent two years documenting these failures. Its final report concluded that BaFin had been "captured" — not through explicit corruption but through the institutional tendency to defer to a company that had been held up as a national champion. The regulatory relationship had become a kind of partnership in reputation, where BaFin's credibility was partly invested in Wirecard's success, which made aggressive scrutiny feel like self-harm.

What Wirecard Teaches About Partnership Due Diligence in Financial Services

The Wirecard fraud was sustained by a network of professional relationships — auditors, regulators, banking partners, institutional investors — each of which extended a degree of trust that, in isolation, seemed reasonable, but collectively created a system in which no one was actually verifying the underlying reality.

For any company evaluating a fintech or financial services partner, Wirecard establishes a clear checklist. Revenue that flows through third-party intermediaries in opaque jurisdictions requires independent verification, not document acceptance. Custodial account balances require direct confirmation from the custodian, not from the client. An auditor's clean opinion is not a substitute for understanding the mechanics of how a company actually makes money.

The €1.9 billion that was supposed to be in the Philippines was not lost. It was never there. The partnerships that were supposed to be generating it were either fictional or far smaller than reported. And the professionals — auditors, regulators, analysts — whose job it was to verify these things extended instead the one thing that a fraud of this sophistication is specifically engineered to exploit: trust.

In partnership contexts, trust is the cost of entry. Verification is the price of survival.