From 1 February 2025, the updated Interpretation and Application Guidance on the German Money Laundering Act (Geldwäschegesetz, "GwG") from Germany's Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, "BaFin") (Auslegungs- und Anwendungshinweise, "AuA") shall apply. With this long-awaited update, which was first provided for consultation on 7 July 2024 and finally published in its updated version on 29 November 2024, BaFin aims to enhance the effectiveness of anti-money laundering and counter terrorism financing ("AML/CFT") measures and to promote a uniform application of the relevant legal provisions across all obliged entities under its supervision. This includes introducing new obligations, clarifying existing administrative practices, and to an extent preparing the financial sector for the upcoming changes mandated by the AML Package.1

Here are some key changes that banks and other financial services institutions should be aware of:2

1. Customer due diligence

Identification & Verification in Know Your Customer ("KYC") checks

  • BaFin has introduced new maximum periods for the rolling review of KYC files pursuant to section 10 para. 1 lit. 5 GwG. These new requirements anticipate the update periods prescribed by Article 26 AMLR and must be implemented by the obliged entity by the time the AMLR comes into effect. While these periods are already standard practice for many international banks and financial service institutions, for others, updating all KYC files to the same review cycle by the time the AMLR comes into effect may be a tedious and lengthy process:

    |          | Lower Risk Customers | Regular Risk Customers | Higher Risk Customers |
    |----------|----------------------|------------------------|-----------------------|
    | Old AuA  | Up to 15 years       | Up to 10 years         | Up to 2 years         |
    | New AuA3 | Risk-based           | Up to 5 years          | Annually              |
    | AMLR4    |                      | Up to 5 years          | Annually              |

  • Pursuant to section 12 para. 2 GwG, the obliged entity may verify a client's information, where the client is a legal entity, on the basis of certain corporate documents, such as commercial register excerpts.5 In its consultation draft, BaFin initially stated that documents used for verification should not be older than four weeks. BaFin has now extended this period to three months and clarified that the relevant period is from the date of issue of the extract to the first processing by the obliged entities (as opposed to the close of the KYC check), cf. 5.1.4.2. 
  • In section 6.2 AuA, BaFin clarifies that in addition to a driver's license or an electricity bill, it may also in principle be possible to use an official government or public body ID card to verify a person's identity in low risk cases. However, this should not be understood to mean that data points within the meaning of sections 10 para. 1 no. 1, 11 para. 4 no. 1 GwG do not have to be recorded in full for lower risk cases with government officials. Rather, the means by which this data is verified can be adapted.
  • It is market practice to rely on databases offered in the market to determine whether the client or its ultimate beneficial owner is a politically exposed person ("PEP"). This is generally accepted by BaFin, provided there are no concerns about the data quality or functionality of these databases. If a comparison is made against such PEP lists, obliged entities must ensure that the comparison is always performed using the latest lists provided by the service provider, cf. 5.4.2.

Ultimate Beneficial Owner ("UBO")

  • Pursuant to section 5.2.2.1, subsidiaries of stock exchange-listed companies are excluded from UBO identification requirements if the parent company holds more than 75% of the subsidiary's shares. Previously this exemption already applied to cases where the parent held only 50% of the respective shares.
  • Obliged entities shall now also identify the country of residence of the UBO based on a risk-based approach, in order to identify the conditions for applying enhanced due diligence ("EDD") in accordance with section 15 para. 3 no. 2 GwG, cf. 5.2.3.2.
  • To the relief of many obliged entities, the stipulations regarding notional beneficial owners (fiktiv wirtschaftlich Berechtigter) remain the same, cf. 5.2.2.2. In its consultation draft, BaFin had stipulated that all notional beneficial owners were to be identified. Presumably due to the strong backlash during the consultation period, as well as the significant organisational and economic impact of this change on obliged entities, the previous rule of generally identifying only one notional beneficial owner was retained.

2. Risk management

As stated in a public statement,6 BaFin is increasingly focusing on the prevention of terrorist financing and considers it separately from combating money laundering.7 To clarify this distinction, the requirement to separate risk analyses for anti-money laundering and countering the financing of terrorism was formalized in the AuA. BaFin also clarified that obliged entities should use all relevant existing findings as well as a list of exemplary internal and external sources to assess their risks.8 It is at the discretion of the responsible member of the management level (Leitungsebene) whether to make the decision on how to deal with the residual risk the subject of a resolution by the entire management.9

The obliged entity shall document the methodology of its risk analysis.10 Following administrative practice, BaFin also clarifies that the risk analysis must be updated ad hoc if there are any internal or external factors that could impact the risk analysis.11

3. Obligations following the filing of a suspicious activity report

BaFin further clarified the requirements for (i) handling a suspicious transaction and (ii) the required due diligence measures following a suspicious activity report ("SAR").

  • Filing a SAR:12 As stipulated in section 46 para. 1 GwG, the so-called "duty to stand still" applies, meaning a transaction subject to a SAR may only be executed if the FIU or the public prosecutor's office has given its consent or if three working days have passed without a prohibition from either authority.

    The updated AuA now specify that if three days pass without a prohibition, the transaction should, as a rule, be executed and should only be further suspended in exceptional cases if there are clear indications (klares Aufdrängen) of money laundering or terrorist financing.13 

    This update places a significant burden on obliged entities, particularly their money laundering reporting officers, as they must navigate between cases where there is a normal suspicion of money laundering or terrorist financing, where the transaction may be executed, versus cases where there are clear indications of money laundering or terrorist financing, where the transaction must continue to be suspended.

    Fortunately, the final AuA are less stringent than the consultation draft, which initially required obliged entities to critically assess and document the necessity and appropriateness (Erforderlichkeit und Angemessenheit) of further suspending a transaction beyond three days, following a risk-based approach.

    Diagram 1: Simplified scenarios following a SAR


 

* This scenario is not clearly stipulated in the AuA. However, sec. 46 para. 2 GwG clearly states that a transaction may be executed where the deferral is not possible or the deferral might obstruct the prosecution.

 

  • Due Diligence following a SAR: In the past, BaFin had already stipulated that whilst a business relationship does not necessarily need to be terminated following a SAR, a SAR is nonetheless an indication of a potentially higher risk, which should in principle trigger enhanced due diligence ("EDD").

    The revised AuA state that if no feedback is received from the FIU within 21 calendar days of the SAR, the obliged entity has the possibility to once again apply less stringent due diligence. However, if a reported activity is the subject of a further operational analysis by the FIU, a higher risk is to be assumed and it is up to the risk-based discretion of the obliged entity to decide on the duration of the application of enhanced due diligence obligations.14

    The AuA also state that in cases of suspected terrorist financing, EDD shall be applied for at least 6 months after the SAR or a subsequent enquiry by the FIU.15


    Please see the chart below, where we have simplified the different scenarios. Please note that the requirements set out above do not release obliged entities from their obligation to apply further due diligence measures based on a risk-based approach if there are additional indications of money laundering or terrorist financing.

    Diagram 2: Measures to take following a SAR

 

 

 

 

1. The AML Package refers to a comprehensive set of regulations and directives adopted by the EU to harmonize AML/CFT rules, including the 6th AML Directive, the AML Regulation, and the establishment of the AML Authority (AMLA) to oversee compliance and enforcement. The AML Package was adopted by the European Parliament on 24 April 2024. The AML Package includes the AMLA Regulation (EU) 2024/1620, the AML Regulation (EU) 2024/1624 ("AMLR"), and the 6th AML Directive (EU) 2024/1640, all adopted on 31 May 2024. The Regulation on Money Transfer Information (EU) 2023/1113, initially part of the AML Package, was adopted earlier on 31 May 2023 and lays down rules on information accompanying transfers of funds and certain crypto-assets.

2. Please be advised that not all changes of the AuA have been flagged in this document. Additional modifications, particularly those pertaining to specific obliged entities and/or business areas (e.g. cryptocurrency or factoring) have been added to the revised AuA. Please refer to the AuA for all changes.

3. See section 5.5.2 AuA.

4. Article 26 para. 2 AMLR sets out that the rolling review shall take place annually for higher risk clients and latest every five years for all other client relationships. Article 33 AMLR specifies that in case of lower risk clients, the obliged entity may reduce the frequency of customer identification updates. We anticipate that the regulatory technical standards will specify the maximum time period for lower risk client relationship, cf. recital 78 AMLR.

5. Please refer to section 12 para. 2 GwG for the specific stipulations.

6. BaFin, Terrorismusfinanzierung: Präventionsmaßnahmen zunehmend im Fokus, 6 February 2024.

7. See section 2.2.2 AuA.

8. See section 2.2.2 AuA.

9. See section 2.2.3 AuA.

10. See section 2.3 AuA.

11. See section 2.3 AuA.

12. On the same day as the AuA, BaFin together with the Financial Intelligence Unit ("FIU") published a guidance regarding the terms immediacy (Unverzüglichkeit) and completeness (Vollständigkeit) of a SAR. Please refer to this link.

13. See section 10.8.1 AuA.

14. See section 10.11.1 AuA.

15. See section 10.11.2 AuA.

Key contacts

Kai Liebrich
Managing Partner, Germany, Germany

Dr Timo Bühler
Partner, Germany

Sophia Peter
Associate, Germany

Thorben Schlingmann
Associate, Germany