BaFin’s new interpretation and application notes on the Anti-Money Laundering Act – a summary of the current draft consultation paper

1. General Information

The draft consultation paper contains a number of points that will need to be considered in the context of identification as part of the anti-money laundering audit and in the context of the revision of internal (compliance) policies.

In the draft consultation paper BaFin is setting out more detailed requirements for monitoring activities and documentation.

With regard to outsourcing, BaFin has now clarified that, in its opinion, the outsourcing of an internal security measure in accordance with Section 6 (7) GwG is always to be regarded as material outsourcing within the meaning of Section 25b KWG (German Banking Act), Section 26 ZAG (Payment Supervisory Act), Section 40 WpIG (Securities Institutions Act) or Section 32 VAG (Insurance Supervision Act).

The definition of the term “business relationship” within the meaning of Section 1 (4) GwG is also more clearly defined in the draft consultation paper. BaFin states that “even in the case of irregular contacts or in the case of a longer period between contacts, a business relationship is to be assumed if the overall circumstances justify this assumption“. This is the case, for example, “if a customer repeatedly utilises a certain service of an obligated party and it is foreseeable that this service will also be utilised in the future“. In this context, the question arises for account information and payment initiation services, among others, as to the point in time from which, according to BaFin, they should now be obliged to identify payment service users for anti-money laundering purposes. In practice, BaFin’s wording is likely to cause uncertainty among the relevant market participants. A more precise statement from BaFin in the consultation process would be preferable.

BaFin also clarifies that (mixed) financial holding companies are only subject to anti-money laundering obligations as part of their holding activities. The operational business, for example, is not likely to be covered unless this business itself triggers obligations under money laundering law.

In addition, the anti-money laundering exemption under Section 3 (2) GwG should also apply to subsidiaries of these listed companies if the parent company holds at least 75% (instead of more than 50% previously) of the capital shares or voting rights and there are no other beneficial owners.

1.1 Risk Analysis

BaFin adds in the draft consultation paper that all relevant units of the obliged entity must be included as part of risk management. Current statistical data with a standardised reporting date are important in this context.

To this end, it explicitly lists sources to be consulted that obligated parties must consider, including the guidelines of the European Banking Authority (“EBA“), the supranational risk analysis of the EU Commission, subnational risk analyses of BaFin, typology papers of the Financial Intelligence Unit(“FIU“) and international standards of the Financial Action Task Force.

With regard to checking whether the person to be identified is a politically exposed person, BaFin also explicitly refers to the list of Prominent public functions at national level, at the level of International Organisations and at the level of the European Union Institutions and Bodies regularly published by the European Commission. Persons holding these offices are also referred to as PePs.

Furthermore, BaFin clarifies that obliged entities must include negative media reports in the risk assessment, even without an explicit legal obligation (“adverse media screening“).

Overall, BaFin has expressed a large number of new points or clarifications that must be taken into account in the risk analysis process and for the internal security measures.

1.2 Inspection intervals

BaFin is now updating/shortening the review intervals for updating the risk analysis when applying simplified due diligence obligations to “risk-adequate” (previously up to 15 years), if neither enhanced nor simplified due diligence obligations need to be applied to 5 years (previously 10 years) and in the case of enhanced due diligence obligations to annually (previously after 2 years). These amended requirements must be implemented by the time the new EU Anti-Money Laundering Regulation comes into force on 10 July 2027.

With regard to the review of internal security measures, in accordance with section 6 (2) no. 7 GwG, BaFin has clarified that the audit frequency must be determined on a risk-oriented basis (previously annually). As before, all areas must be audited after three years.

BaFin expressly points out that decisions on residual risks remaining after the risk analysis must be taken on the management level of the obligated party. 

In addition, BaFin stipulates that the data collected for identification purposes must be verified on the basis of current (register) extracts (i.e. not older than four weeks when submitted).

1.3 Standard of Diligence

BaFin explicitly points out that reliefs of the Fiscal Code Application Decree on Section 154 AO are not transferable to the GwG, as the laws have different protective purposes.

1.4 Notifications

BaFin states that the establishment of a single internal reporting office is sufficient to fulfil the obligations under Section 6 (5) GwG, Article 21 (2) of Regulation (EU) 2023/1113 (GTVO 2023) and Section 12 (1) of the Whistleblower Protection Act. However, the prerequisite for that is that both confidential and anonymous reporting are possible.

In connection with the obligation to report money laundering suspicions, pursuant to Section 43 (1) GwG, BaFin refers to the constantly updated FIU guidelines and the specific information that must be taken into account when reporting suspicious transactions.

Reported transactions (Section 43 (1) GwG) may only be carried out with the approval of the FIU or the public prosecutor’s office or at the earliest after three business days without an interdiction having been issued. However, BaFin points out that it may be necessary to halt the transaction even after the three days have elapsed. Whether a transactions needs to be halted or not, must be examined by the obligated parties.

1.5 Money Laundering Officer (“GWB”)

For companies operating across borders, BaFin has clarified that the GWB must carry out its activities in Germany. A proxy based abroad is permitted if – when acting as proxy – it acts in Germany.

It is important to note that, in BaFin’s opinion, companies with fewer than 15 full-time equivalents must check whether the risk situation allows the appointment of a member of the management level as GWB. Previous deficiencies in the prevention of money laundering and terrorist financing are relevant in this context.

BaFin also emphasises that generally the GWB may not act as the outsourcing officer for the data protection officer or internal audit at the same time.

The appointment and dismissal of the GWB must be notified to BaFin at least two weeks prior to actual implementation. The duties, responsibilities and authorisations of the GWB and the proxy must be recorded in writing.

2. Payment

A payment institution also establishes business relationships within the meaning of the GwG by concluding contracts for technical services such as issuing or acquiring processing, as these services are directly related to the provision of payment services requiring authorisation. However, this clarification raises the question of whether BaFin intends to establish a new criterion of “close connection to payment services requiring authorisation” for the assumption of the term business relationship. BaFin also points out that institutions from other EEA countries that are established in Germany through agents or e-money agents must submit notifications to the FIU for suspicious transactions with a domestic connection and the agents must register in the goAML portal. As part of the ongoing monitoring obligation, payment institutions must ensure that the payment services are provided exclusively for the contractually agreed websites and not for non-contractually agreed websites (Section 10 para. 1 no. 5 GwG in conjunction with Section 27 para. 1 sentence 2 no. 5 ZAG) when providing payment services for merchant customers.

3. Factoring

Furthermore, in connection with factoring transactions, reference is made to the ongoing duty to monitor payments by debtors under the factoring relationship, even if there is no direct business relationship between the factoring institution and the debtors. However, if there is a contractual relationship between the factoring institution and the debtors, as in the case of reverse factoring, the factoring institution must also apply the general due diligence obligations of Section 10 (1) GwG to the debtors.

In addition, the factoring institution’s waiver of a creditworthiness analysis regarding the debtors (in accordance with Section 25k (2) KWG) does not release it from the fulfilment of the enhanced due diligence obligations in accordance with Section 5 (2) GwG if an increased risk of money laundering or terrorist financing is recognisable. The factoring institution must pay attention to recognisably increased risks even without the information from the creditworthiness analysis. BaFin does not specify when such increased risks are apparent. Such a risk could be considered for the debtors if the framework agreement contains references to elements listed in Annex 2 of the GwG.

4. Crypto assets

4.1 Extension of the obligated parties

With the application of Regulation (EU) 2023/1114 (MiCA) and the supplementary German implementation by the Financial Market Digitalisation Act (FinmadiG – currently still in government draft form), there is also a new group of obliged entities within the meaning of Section 2 para. 1 no. 2 GwG. In future, “providers of crypto asset services and issuers of asset-backed tokens” will also be listed there. Exceptions are made to service providers that exclusively offer advice on crypto assets within the meaning of Art. 3 para. 1 no. 16 h) MiCA. Regarding issuers of asset-referenced tokens (“ART“), the obligated entity status also requires that the ART are not offered to the public exclusively via a provider of crypto-asset services or that their admission to trading is not applied for exclusively via a provider of crypto-asset services. Background to this is that in such cases, the provider of crypto-asset services is already an obliged entity itself and thus, requirements of money laundering law are fulfilled.

4.2 Adjustments to the GwG due to the new Money Transfers Ordinance

The draft consultation paper explicitly mentions additional obligations arising from the amended Funds Transfer Regulation (Regulation (EU) 2023/1113) from 30 December 2024, which contains its own rules for the transfer of crypto assets.

The establishment of a permanent business relationship or, outside of business relationships, certain transactions (e.g. money transfers of €1,000 or more) can trigger due diligence obligations under money laundering law in accordance with Section 10 (3) GwG. The transfer of crypto assets with an equivalent value of at least €1,000 also triggers due diligence obligations under money laundering law (Section 10 para. 3 no. 2 GwG). The Financial Market Digitisation Act (FinmadiG) adapts the wording to the MiCA. In future, crypto asset transfer will be relevant instead of the transfer as such. For the definition of a crypto asset transfer, reference is made to the adapted Funds Transfer Regulation. The draft consultation paper on the AuA, which still refers in part to a “transfer”, should also be adapted here. In BaFin’s opinion, the current price of the crypto assets concerned at any provider of crypto asset services authorised in Germany can be used to determine the equivalent value of a crypto asset transfer. This can also be the trading institution itself. “Current” is the price at the time the transfer is carried out (draft consultation paper, p. 37).

4.3 Increased due diligence obligations

Finally, the draft consultation paper (p. 77) takes up the new provision planned by the FinmadiG in section 15a GwG-E on enhanced due diligence obligations for crypto asset transfers with self-hosted addresses. For the definition of “self-hosted addresses”, reference is again made to the Funds Transfer Regulation (Art. 3 No. 20). This refers to a distributed ledger address that has no connection to a) a provider of crypto services or b) an entity located outside the Union that provides services comparable to those of a provider of crypto services. Obligated parties that carry out such crypto asset transfers must identify and assess the risks under money laundering law and take appropriate measures to minimise these risks. Section 15a para. 2 GwG lists possible risk minimisation measures. These include the collection, verification and storage of the identity of the beneficiary or principal as well as the beneficial owner of the self-hosted address, measures to determine the origin and destination of the crypto assets to be transferred as well as the increased, continuous monitoring of these transactions and the business relationship associated with these transactions.

5. Outlook

The draft consultation paper contains a large number of clarifications, but also a number of additions to previous administrative practice as well as adjustments to amendments to the GwG that have already been made and those planned by the FinmadiG. In particular, obliged entities must adapt their risk analysis and internal security measures in accordance with the new BaFin requirements. For providers of crypto asset services, the draft consultation paper contains specific requirements for crypto asset transfers in accordance with the provisions of the GwG as well as the intended provision in Section 15a GwG-E on increased due diligence obligations for transfers to self-hosted addresses.

Comments on the draft consultation paper can be submitted until 9 August 2024, after which BaFin will review the draft of the interpretation and application notes on the GwG and amend if necessary. The updated interpretation and application guidelines for the GwG will be binding from January 2025.

Ideally, obligated parties should already be familiarising themselves with the draft consultation paper to implement any process adjustments by this time.