Germany: BaFin updates AML guidance

Written By

johannes wirtz Module
Johannes Wirtz, LL.M. (London)

Partner
Germany

As partner in our Finance & Financial Regulation Group in Frankfurt, I advise our national and international clients on banking regulatory issues and finance law.

timo foerster Module
Timo Förster

Associate
Germany

As an associate in our Finance & Financial Regulation Practice Group located in Frankfurt, I advise international and national clients on regulatory issues and finance law.

jonathan stoldt Module
Jonathan Stoldt

Associate
Germany

As an associate in our German Finance & Financial Regulation Group based in Frankfurt, I advise national and international clients on finance and regulatory matters.

The German Federal Financial Supervisory Authority (BaFin) regularly publishes updated interpretation and application guidelines for the implementation of anti-money laundering (AML) due diligence requirements and internal safeguards. These guidelines specify the legal requirements of the German Money Laundering Act (Geldwäschegesetz - GwG) for obliged entities in the financial sector and are intended to ensure that the relevant requirements are applied consistently.

BaFin had already launched a consultation in the summer of 2024 (see our client alert here). On 29 November 2024, BaFin published amendments to its interpretation and application notes on the GwG (see here). These revisions include more precise specifications and adjustments, particularly with regard to update deadlines. The updated guidance replaces the previous interpretation and application guidance and is addressed to all obliged entities under BaFin supervision.

Clarification on payment service agents and e-money agents

All companies supervised by BaFin fall under the scope of application of the GwG and are therefore covered by the guidelines. BaFin has made it clear that (payment services) agents and e-money agents are also fully covered by it. However, these are not subject to the obligation to appoint an anti-money laundering officer – such an officer only has to be appointed if explicitly ordered by BaFin.

Payment institutions and e-money institutions that are based in other EU countries and make use of the freedom of establishment to operate in Germany are obliged to notify BaFin of a central contact person upon request.

Risk analysis has been tightened

The scope and type of the obliged entity's business activities must be taken into account in the risk analysis. Obliged entities must have a precise knowledge of the risks associated with their customers, products and transactions and evaluate these accordingly. In doing so, they must take into account the risk factors listed in Annexes 1 and 2 of the GwG as well as information from the national risk analysis. Other sources of information may also be used to identify relevant risk factors.

It is of crucial to consider, identify and document both the risk factors for money laundering and those for terrorist financing separately. Terrorist financing can also come from legal sources, which is why corresponding typologies must be taken into account. Furthermore, a regular analysis of relevant sources of information and an ad-hoc assessment of current developments is necessary.

In order to assess the effectiveness of the implemented security measures when determining the residual risk, it is necessary to include them in the assessment. Obliged entities are obliged to assess the residual risk. This makes it possible to determine whether further action is needed. This may relate to the business activity, the general risk situation or the design of the security measures.

On the basis of the risk analysis, the obliged entities must develop and adapt suitable internal safeguards to prevent money laundering and terrorist financing. The effectiveness of the measures must be regularly reviewed and adjusted as needed. The measures are appropriate if they correspond to the specific risk situation of the obliged entity and adequately cover it.

Responsible management level for risk management in Germany

Every company must appoint a member of the management level who is responsible for setting up a proper risk management system. In the case of a branch of an institution based in another EEA country, BaFin now stipulates that the permanent representative under commercial law also performs the function of the responsible member of the management level under the GwG. Although there is no need to notify BaFin, the responsibility must be clearly documented.

Internal security measures and anti-money laundering officers

Obliged entities who are not required to appoint an anti-money laundering officer are still obliged to implement appropriate security measures. Companies that are required to appoint an anti-money laundering officer are obliged to define the officer's tasks, responsibilities and powers in writing. As a general rule, the anti-money laundering officer may not simultaneously serve as the data protection officer. However, exceptions are permitted under strict conditions. It must be ensured that the anti-money laundering officer has sufficient capacity to perform his or her duties in full. Conflicts of interest must be avoided.

Furthermore, the ongoing monitoring of the anti-money laundering officer is being tightened. The anti-money laundering officer is obliged to document all monitoring activities and, if necessary, to forward these to the management level or the supervisory body. However, the anti-money laundering officer may use third parties for monitoring. His task is to verify the appropriateness and effectiveness of the monitoring activities of the third party. The third party is obliged to inform the anti-money laundering officer appropriately and in a timely manner. If the position of anti-money laundering officer is outsourced, the outsourcing company is obliged to ensure that the outsourcing company has adequate resources. Outsourcing to a third party in a high-risk third country is not permitted.

Regulation of crypto-asset transfers from customers

In principle, the thresholds in the GwG are specified in euros. In the case of the transfer of crypto assets, it has been clarified that the current price of the respective crypto asset of any institution authorised in Germany may be used.

It is noteworthy at first glance that, compared to the consultation version of mid-2024, the entire section on enhanced due diligence requirements for crypto-value transfers with self-hosted addresses in accordance with Section 15a GwG was not included in the final version. However, this is because the current version of the GwG does not provide for a Section 15a GwG. This should be added to the GwG by the Financial Market Digitalisation Act (Finanzmarktdigitalisierungsgesetz - FinMadiG). The new elections will at least delay the adoption of the Financial Market Digitalisation Act.

Additions to collective accounts and correspondence relationships

The new BaFin guidance specifies the option of applying simplified due diligence for certain omnibus accounts when determining the beneficial owner. CRR credit institutions and financial institutions can enter into contractual correspondent relationships without having to register the merchant customers as beneficial owners. Appropriate measures must be taken for cross-border and domestic correspondent relationships with increased risk. The risk assessment may vary from account to account.

Amendments to internal reporting offices and whistleblowing

The GwG requires the establishment of an internal reporting office and a whistleblowing system. Obliged entities are obliged to ensure that their employees and comparable persons can report violations of anti-money laundering regulations confidentially. This includes the possibility of anonymous reporting, in particular for certain obligated entities.

The establishment of an internal reporting office is mandatory for all obliged entities and is not dependent on the number of employees. A single reporting office can meet the requirements of various legal regulations as long as it allows for both confidential and anonymous reporting. These measures serve to ensure that violations can be effectively reported and prosecuted without revealing the identity of the whistleblowers.

Enhanced due diligence in factoring

For unknown debtors, for whom creditworthiness analyses are not carried out, factoring institutions are obliged to apply enhanced due diligence measures if increased money laundering risks are identified. The fact that creditworthiness analyses are not carried out cannot be used as a reason to reduce money laundering prevention measures. When accepting payments from debtors, factoring institutions are obliged to pay particular attention to recognisable risks and to take appropriate measures based on a comprehensive risk analysis.

The principles of the Fiscal Code cannot be transferred to the GwG

Pursuant to section 154 of the German Fiscal Code (Abgabenordnung - AO), the tax authorities are entitled to grant relief with regard to identification and recording. However, the standard is not intended to interfere with the prevention of money laundering and terrorist financing, but rather to facilitate the examination of tax circumstances. BaFin makes it clear that the application of the principles of the AO to the GwG is not permissible due to the different normative purposes.

Outlook

BaFin's latest amendments to the guidelines illustrate its ongoing efforts to strengthen money laundering prevention and to adapt to current developments in the financial sector. The special mention of (payment services) agents and e-money agents in relation to the scope of application of the guidelines, as well as the tightening of the risk analysis and internal security measures, are essential steps to increase the effectiveness of anti-money laundering regulations.

BaFin intends to apply the updated guidance from 1 February 2025. The guidelines do not provide for a (further) transitional period. Obliged entities should therefore prepare themselves to comply with the amended requirements from February 2025. Although the guidelines are not legally binding, they are given considerable weight in supervisory practice.

With the kind assistance of Alexander Grünewald, (student assistant) Bird & Bird Frankfurt am Main – Finance & Financial Regulation

Latest insights

More Insights
Curiosity line pink background

China Cybersecurity and Data Protection: Monthly Update - December 2024 Issue

17 minutes Dec 23 2024

Read More
featured image

Update on recent UK data protection guidance in the financial services space

3 minutes Dec 19 2024

Read More
Colourful building

FinTech Features December 2024

Dec 18 2024

Read More