The German Federal Financial Supervisory Authority (BaFin) regularly publishes updated interpretation and application guidance for the implementation of due diligence obligations and internal security measures under anti-money laundering law. BaFin's guidance concretises the statutory requirements of the German Anti-Money Laundering Act (Geldwäschegesetz - GwG) for obliged entities in the financial sector and is intended to ensure uniform application of the relevant requirements.
On 9 July 2024, BaFin submitted a draft for further updating of the interpretation and application guidance for consultation (Consultation 06/2024 - Interpretation and Application Guidance on the German Anti-Money Laundering Act pursuant to Section 51 (8) Geldwäschegesetz - GwG, draft in German). The intention is to replace the previous guidance. Various clarifications and amendments to the guidance are planned. The planned amendments are related to the drafts currently in the legislative process to amend the German Anti-Money Laundering Act, for example through the Act on the Digitalisation of the Financial Market (FinmadiG – draft in German). The information now submitted for consultation anticipates the planned amendments. The new version of the guidance contains special provisions with regard to providers of crypto-asset services.
The scope of application of the guidance includes all entities subject to anti-money laundering regulations that are subject to supervision by BaFin. These are market participants in the financial sector such as banks, investment firms, e-money institutions and insurance undertakings. The consultation draft clarifies that in future, providers of crypto-asset services (CASPs) will also be subject to anti-money laundering obligations under BaFin supervision if they provide one or more MiCAR crypto-asset services (CAS), provided that this is not just advice on crypto-assets.
The scope of application should also include issuers of asset-referenced tokens within the meaning of MiCAR if they do not offer asset-referenced tokens to the public exclusively via a provider of crypto-asset services or do not apply for their admission to trading exclusively via a provider of crypto-asset services. BaFin makes no statements as to the extent to which the issuer of e-money tokens must identify the respective holders as customers (i.e. whether open transferability of e-money tokens is possible or only closed-loop systems).
Obliged entities within the meaning of the AML Act have various obligations that serve to prevent money laundering and terrorist financing. For example, obliged entities must have an appropriate and effective risk management system in place. Obliged entities must also fulfil certain general due diligence obligations under money laundering law, such as identifying the contractual partner before establishing business relationships or carrying out transactions (see also: VideoIdent for All - Draft Money Laundering Video Identification Ordinance). The general due diligence obligations must also be complied with outside of business relationships if crypto-assets with an equivalent value of more than 1,000 euros are transferred. The general due diligence obligations also include the continuous monitoring of the business relationship.
In the draft update that has now been submitted, BaFin stipulates that the use of blockchain analysis software is essential for crypto service providers to monitor the business relationship on an ongoing basis. In particular, if the service involves the exchange of crypto-assets and fiat currencies, the entire transaction monitoring should be carried out with the help of a dedicated IT system.
The instructions submitted for consultation provide for increased due diligence obligations for crypto-asset transfers with self-hosted addresses (so-called self-hosted or non-custodial wallets). This is in connection with the planned amendments to the Act on the Digitalisation of the Financial Market in implementation of the new version of the Transfer of Funds Regulation (Regulation (EU) 2023/1113). Special requirements for risk identification and risk minimisation are planned. Specific measures are also to be applied to distributed ledger technology. BaFin stipulates that, depending on the relevant risk, the use of blockchain analysis technology, questioning the customer about the origin and destination of the crypto-assets or the collection and verification of the identity of the owner of the hosted address may be considered as possible measures for risk identification. A combination of several measures may also be necessary.
According to the current planning status, the guidance provided for consultation is to apply from 1 January 2025.
This is currently a consultation version of the interpretation and application guidance, so adjustments are still to be expected. The final version depends not least on the further course of the legislative process to amend the German Anti-Money Laundering Act. In this context, BaFin emphasises that it does not anticipate future requirements. Nevertheless, financial market participants should already consider the currently planned amendments and monitor developments with a view to the ongoing legislative process. The need for adjustment should be identified at an early stage in order to prepare for the changes.
Finally, the interpretation and application guidance does not provide for a transitional period, meaning that it must be fully complied with by all obliged entities from the day it becomes applicable. Although the notes are not legally binding, they are of considerable importance in supervisory practice.
With the kind support of Apostolos Mitsios (research assistant)