The Essential AML/KYC Guide to Germany (2025)
Everything you need to know about Germany’s latest AML/KYC changes and how to stay compliant.
Germany remains an attractive destination for both financial institutions and virtual asset service providers (VASPs). However, as Germany and the EU are updating their anti-money laundering (AML) regulations, compliance with regulatory updates is essential for continued smooth operation in the country.
The German financial regulator BaFin, for example, recently updated its Interpretation and Application Guidance (AuA) on the Geldwäschegesetz (Money Laundering Act), coinciding with new EU-wide legislation. This constitutes Germany’s new approach to Know Your Customer (KYC) checks, risk management, and obligations to file Suspicious Activity Reports (SARs).
Both financial institutions and VASPs must comply with strict BaFin AML regulations, which carry stiff penalties for non-compliance. In 2024, for example, BaFin fined Solaris SE €6.5m ($7m) for delayed SARs relating to money laundering.
The Geldwäschegesetz (GwG), known in English as the Money Laundering Act, is Germany’s primary AML legislation. The GwG implements the EU’s Anti-Money Laundering Directives (AMLDs) within the German legal framework. It covers identifying suspicious activities, Customer Due Diligence (CDD), and how to report cases of potential money laundering or terrorist financing.
Highlights of the GwG include:
AuA guidance for the GwG has recently been updated to account for more scrutiny of virtual assets.
The Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht or “BaFin”) is the German financial regulator.
BaFin’s functions can be divided into two broad categories:
The scope of BaFin’s supervision is vast and covers these key responsibilities:
In addition to more traditional financial sectors, BaFin now also supervises the regulation of virtual assets under the EU’s Markets in Crypto-Assets (MiCA) framework, implemented in 2024.
BaFin requires a risk-based approach to money laundering and other financial crimes:
According to the FATF, a risk-based approach means identifying, assessing, and understanding the money laundering and terrorist financing risk to which an entity is exposed, as well as taking the appropriate mitigation measures in accordance with the level of risk.
When designing a risk management system, companies have to consider their business type, the products they offer, and the risks involved. For instance, the gambling sector is considered highly vulnerable to laundering of proceeds from drug trafficking and other illegal sources, so gambling operators have to implement stricter KYC and AML controls.
BaFin demands that entities develop strict principles for detecting and preventing criminal activity. These include:
While CDD requirements differ for natural and legal persons, SDD and EDD do not have this differentiation. A business must have a precise understanding of how it assesses clients as either “high-risk” or “low-risk” according to the high- and low-risk factors provided in the Annexes to the GwG. If a company is not sure how to assess a client, it can ask BaFin for help.
The obliged entity may engage third parties in order to fulfill the general due diligence requirements. Delegation requires a contractual agreement.
Since January 1, 2020, crypto assets have been considered financial instruments by BaFin. Therefore, crypto businesses now fall under BaFin’s supervision and must comply with all AML and KYC requirements. BaFin’s cryptocurrency regulations can be found on its official website.
The recent updates to the AuA for 2025 cover:
This is a breakdown of the main acts and regulations that BaFin enforces:
Here is a list of other regulations related to BaFin’s activity.
Due diligence requirements are set out in the GwG. They comprise Customer Due Diligence (CDD), Simplified Due Diligence (SDD), and Enhanced Due Diligence (EDD).
There are several circumstances when a company needs to apply CDD:
BaFin’s detailed CDD requirements can be found on its official website.
BaFin renewed its guidelines for updating customer information effective from February 1, 2025. Customer information must now be updated at least every seven years for SDD, at least every five years for general CDD, and annually for EDD.
For CDD, BaFin distinguishes between natural persons and legal persons.
For natural persons, the following should be collected:
The client’s data can be extracted from a valid official document (passport or identity card, for instance) or an electronic proof of identity. An electronic scan of the presented ID document is enough to comply with recording and retention requirements.
Here are the requirements for legal persons:
The company’s commercial register or its equivalent can be used to gather the company’s information. For due diligence checks, BaFin requires entities to refer to the FATF’s list of high-risk countries and the EU Commission Delegated Regulation. Information on financial sanctions can be viewed on the Deutsche Bundesbank’s website.
BaFin suggests several methods for verifying a person’s identity, with video identification being a distinctive feature of the regulator.
BaFin provides full details on the video identification procedure here.
BaFin’s video identification requirements can be confusing for businesses, tough for clients, and therefore detrimental to onboarding. However, a reliable and compliant KYC platform can make this process smooth and pleasant.
Sumsub’s Video Identification solution is compliant with BaFin AML/KYC regulations in Germany and can offer an outstanding user experience. Get an all-in-one video KYC platform equipped with a dynamic user queue and compatibility with any device. Plus, our in-house operators can take over the entire process on demand.
Let’s start with simplified due diligence.
Simplified Due Diligence (SDD)
BaFin does not provide a specific list of information to collect for SDD. Instead, the regulator permits companies to reduce the general due diligence requirements to whatever extent the company considers reasonable. In practice, SDD is rarely applied, since this simplified check is permitted only where all of the lower-risk factors are present (the list of factors can be found in Annex 1 of the GwG). Now let’s turn to the much more common Enhanced Due Diligence, which businesses must apply whenever they encounter even a single high-risk factor.
BaFin distinguishes three red flags of money laundering and terrorist financing.
a) significantly large or complex;
b) follow an unusual pattern;
c) have no apparent economic purpose.
EDD must be conducted when obligated entities, such as financial institutions, correspond with companies inside the EU that potentially pose a high risk of money laundering and terrorist financing, or with any companies outside the EU.
The full list of higher-risk factors is given in Annex 2 of the GwG.
These are the requirements for EDD that BaFin sets for the three high-risk factors above:
a) A member of senior management has to approve a business relationship with the client company;
b) The source of funds has to be checked;
c) Enhanced ongoing monitoring is needed.
a) The company must conduct a thorough check of suspicious transactions with regard to financial crimes;
b) Enhanced ongoing monitoring must be set up.
a) A full check of the client company is to be conducted (including the nature of the business, reputation, established measures for preventing financial crimes, etc.);
b) A member of senior management must approve the business relationship with the company;
c) Both sides must document their responsibilities for the fulfillment of EDD before establishing the business relationship;
d) The client company cannot have an account in a shell bank;
e) The client company cannot make transactions via payable-through accounts.
For information on checking PEPs, BaFin recommends referring to the FATF’s guidance.
BaFin aligns with European Union reporting guidelines. Submitting Suspicious Transaction Reports (STRs) is a cornerstone of German AML reporting, and companies must report any transactions suspected of ties to money laundering or terrorist financing. There are also sector-specific reports, such as for the finance and insurance sectors.
One of the main functions of BaFin is to stop financial crimes, and entities falling under BaFin’s supervision are obliged to help the regulator fulfill this function. Therefore, businesses have to report any suspicious activities or transactions when:
The company must submit the STR even when it is unsure whether the contracting party’s activity is actually suspicious. Furthermore, the company does not have to conduct any investigation of its own; it only has to give BaFin an explanation of why it considers the activity abnormal. It is not recommended to contact or question the contracting party, so as not to tip it off that suspicions have arisen.
Here’s what to keep in mind when submitting an STR:
Person in charge of the submission: the AML officer.
Authority to submit to: the Financial Intelligence Unit (FIU) for detection and prevention of money laundering and terrorist financing (businesses should not ask the FIU for any preliminary review of the report).
Means of submission: electronically, through the “goAML” system (companies need to register on the “goAML” web portal to access the system and file the report).
Time: as soon as the suspicious activity has been detected.
There are several reports that financial institutions must submit to BaFin:
Some entities, such as investment service companies, must report all on-exchange and off-exchange dealings in financial instruments. More information can be found in the Banking Act.
Entities should not underestimate the importance of recording and storing data, since they often face external audits.
Data to record:
a) Information collected through due diligence checks, including results of risk assessment. Records may include video and audio recordings made to fulfill due diligence requirements.
b) Detailed transaction information, which includes CDD data and transaction date/time, amount, currency type, account numbers, and payment method.
c) STR and other reports.
Recording requirements: BaFin permits making copies of checked documents and storing them in digital form.
Retention period: The entire video identification process must be recorded and retained by the obliged entity for at least five years, but no longer than ten years. After this period, all records, including video identification records, must be destroyed.
Obliged entities may use personal data solely for the prevention of money laundering and terrorist financing. Entities must also ensure the security of any stored data.
BaFin ensures that businesses use suitable prevention systems to protect themselves from money laundering and terrorist financing. However, failing to comply with BaFin may result in:
The regulator imposes administrative fines for compliance breaches, such as failing to establish a risk management system, to retain records, or to meet reporting requirements. For serious or systematic violations, a company can be fined up to €1 million or up to twice the economic benefit derived from the breach. In particularly serious cases, penalties of up to €5 million can be imposed.
As more and more businesses move online, BaFin now focuses on information security and compliance with BAIT (Supervisory Requirements for IT in Financial Institutions).
These are some helpful materials for a better understanding of BaFin AML requirements:
According to Section 261 of the German Criminal Code (StGB), money laundering involves disguising assets derived from unlawful activities such as fraud and drug trafficking. In other words, it is the act of integrating “dirty money” into the legitimate financial system to make it seem clean.
Yes. German ‘Know Your Customer’ (KYC) requirements are based on European provisions. Financial institutions and VASPs operating in Germany are obliged to conduct KYC procedures on their customers.
In terms of objectives, Germany’s BaFin is comparable to the Securities and Exchange Commission (SEC) in the US, as they are supervisory bodies established to maintain integrity in their financial systems. However, they differ due to the legal and regulatory frameworks in the respective countries.