May 01, 2025

The Essential AML/KYC Guide to Germany (2025)

Everything you need to know about Germany’s latest AML/KYC changes and how to stay compliant.

Germany remains an attractive destination for both financial institutions and virtual asset service providers (VASPs). However, as Germany and the EU are updating their anti-money laundering (AML) regulations, compliance with regulatory updates is essential for continued smooth operation in the country.

The German financial regulator BaFin, for example, recently updated its Interpretation and Application Guidance (AuA) on the Geldwäschegesetz (Money Laundering Act), coinciding with new EU-wide legislation. This constitutes Germany’s new approach to Know Your Customer (KYC) checks, risk management, and obligations to file Suspicious Activity Reports (SARs). 

Both financial institutions and VASPs must comply with strict BaFin AML regulations, which carry stiff penalties for non-compliance. In 2024, for example, BaFin fined Solaris SE €6.5m ($7m) for delayed SARs relating to money laundering.

What is the Money Laundering Act? 

The Geldwäschegesetz (GwG), known in English as the Money Laundering Act, is Germany’s primary AML legislation. The GwG implements the EU’s Anti-Money Laundering Directives (AMLDs) within the German legal framework. It covers how to identify suspicious activity, how to perform Customer Due Diligence (CDD), and how to report cases of potential money laundering or terrorist financing.

Highlights of the GwG include:

  1. Obliged entities exposed to money laundering risk (such as financial institutions, real estate agents, and casinos) must verify customer identities, conduct risk assessments, and monitor transactions as part of CDD.
  2. Reporting any suspicion of money laundering via a SAR.
  3. Businesses needing to store customer and transaction data for a set period.
  4. Penalties for companies that fail to comply, such as heavy fines or criminal charges.

AuA guidance for the GwG has recently been updated to account for more scrutiny of virtual assets.

What is BaFin in Germany?

The Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht or “BaFin”) is the German financial regulator.

BaFin’s functions can be divided into two broad categories:

  1. Protection of consumers. Ensuring that the market is stable, fair, and transparent to protect consumers from harm.
  2. Control over organizations. Authorizing banks, financial service providers, insurance companies, and payment and e-money services to operate in Germany. 

The scope of BaFin’s supervision is vast and covers these key responsibilities:

  • Licensing
  • Conducting audits
  • AML compliance supervision
  • Gathering financial statements
  • Making sure that supervised entities remain able to meet their payment obligations
  • Enforcement.

In addition to the more traditional financial sectors, BaFin now also supervises crypto-asset service providers under the EU’s Markets in Crypto-Assets (MiCA) framework, which became applicable in 2024.


What are the AML requirements in Germany? 

BaFin requires a risk-based approach to money laundering and other financial crimes.

According to the FATF, a risk-based approach means identifying, assessing, and understanding the money laundering and terrorist financing risks to which an entity is exposed, and taking mitigation measures that are proportionate to the level of risk.

When designing a risk management system, companies have to consider their business type, the products they offer, and the risks involved. For instance, the gambling sector is considered particularly vulnerable to the laundering of proceeds from drug trafficking and other illegal sources, so gambling operators have to implement stricter KYC and AML controls.

BaFin demands that entities develop strict principles for detecting and preventing criminal activity. These include:

  1. Applying general due diligence requirements. Due diligence measures must be applied before the establishment of any business relationship or the implementation of a transaction. BaFin suggests three levels of due diligence checks: 
  • Simplified Due Diligence (SDD)
  • General Customer Due Diligence (often referred to as CDD)
  • Enhanced Due Diligence (EDD).

While CDD requirements differ for natural and legal persons, SDD and EDD do not have this differentiation. A business must have a precise understanding of how it assesses clients as either “high-risk” or “low-risk” according to the high- and low-risk factors provided in the Annexes to the GwG. If a company is not sure how to assess a client, it can ask BaFin for help.

  2. Appointing an AML officer. BaFin requires businesses to appoint an AML officer and a deputy as contact persons for the regulator. The officer is responsible for compliance with BaFin’s requirements; ongoing monitoring and reporting are also among their duties.
  3. Conducting employee training. Companies under BaFin’s supervision have to instruct all their employees about financial crimes and their prevention. This can be done through classroom sessions, computer-based programs, or other learning materials (for instance, the FATF’s publications). Companies can decide on the form and timing of such training, but it is recommended that refresher training be provided whenever BaFin’s practice changes or a new form of money laundering emerges.
  4. Recording and retention. BaFin requires companies to record and store the results of due diligence checks (as well as various other reports) for at least five years so that they can be provided to the regulator if needed.
  5. Reporting. This includes suspicious activity/transaction reporting.

The obliged entity may engage third parties in order to fulfill the general due diligence requirements. Delegation requires a contractual agreement.

Since January 1, 2020, crypto assets have been classified as financial instruments under German banking law. Crypto businesses therefore fall under BaFin’s supervision and must comply with all AML and KYC requirements. BaFin’s cryptocurrency guidance can be found on its official website.

The recent updates to the AuA for 2025 cover:

  • Greater clarification on AML obligations and frameworks for VASPs
  • Greater internal AML controls
  • Greater risk management obligations
  • Greater focus on politically exposed persons (PEPs)
  • Greater clarification to CDD.


The legal landscape

This is a breakdown of the main acts and regulations that BaFin enforces:

  1. The Money Laundering Act in Germany (Geldwäschegesetz—GwG). All BaFin AML requirements, as well as administrative fines for non-compliance, stem from this law. It aligns with the 4th, 5th, and 6th Anti-Money Laundering Directives that regulate AML compliance in all spheres of the European Union. Recent updates to this act reflect stricter AML enforcement and greater consideration of virtual assets. 
  2. The Banking Act supervises financial institutions in the country.
  3. The Insurance Supervision Act controls the activity of insurance companies. The law primarily protects the interests of insured persons and makes sure that both the companies and clients fulfill their contractual obligations.
  4. The Payment Services Supervision Act oversees payment service providers, such as payment institutions and electronic money institutions.
  5. The Investment Code controls the investment sphere—mainly investment funds offered by asset management companies.
  6. The Criminal Code addresses various criminal offenses, defines money laundering and establishes penalties for crimes.
  7. The Securities Trading Act oversees a broad scope of activities, from provision of investment services to financial reporting.


Customer Due Diligence (CDD) requirements

Due diligence requirements are set out in the GwG. They comprise Customer Due Diligence (CDD), Simplified Due Diligence (SDD), and Enhanced Due Diligence (EDD).

There are several circumstances when a company needs to apply CDD:

  1. Starting a new business relationship with a natural or legal person
  2. Completing a transfer of funds outside an established business relationship, within the meaning of Article 3 no. 9 of Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds (OJ L 141 of 5 June 2015, p. 1), when the transfer involves an amount of €1,000 or more
  3. Other transactions outside an established business relationship with a value of €15,000 or more
  4. Suspicious transactions potentially connected to money laundering or other crimes
  5. Periodic CDD for existing clients, and whenever the client’s circumstances change (e.g., a change in ownership)

BaFin’s detailed CDD requirements may be found on its official website.

BaFin renewed its guidelines for updating customer information effective from February 1, 2025. Customer information must now be updated at least every seven years for SDD, at least every five years for general CDD, and annually for EDD.

For CDD, BaFin distinguishes between natural persons and legal persons.

For natural persons, the following should be collected

  1. Name
  2. Date of birth
  3. Place of birth
  4. Residential address (or postal address in certain cases)
  5. Type, number, and issuing authority of a submitted ID document.

The client’s data can be extracted from a valid official document (passport or identity card, for instance) or an electronic proof of identity. An electronic scan of the presented ID document is enough to comply with recording and retention requirements.

Here are the requirements for legal persons:

  1. Name of the company or trading name
  2. Legal form
  3. Commercial register number (if available)
  4. Address of the registered office
  5. Ownership, including the beneficial owner, and control structure
  6. Purpose of business (if not explicit)

The commercial register or its equivalent can be used to gather the company’s information. For due diligence checks, BaFin requires entities to consult the FATF’s list of high-risk jurisdictions and the European Commission’s Delegated Regulation listing high-risk third countries. Information on financial sanctions can be viewed on the Deutsche Bundesbank’s website.

Identity verification procedures

BaFin suggests several methods for verifying a person’s identity, with video identification being a distinctive feature of the regulator.

  1. Electronic identity verification. This is verification performed through online KYC & AML platforms that includes remote checking of ID documents.
  2. On-the-spot check of a qualified identification document. This is when an individual presents a physical identity document for verification, usually a passport or identity card (a birth certificate for persons below 16 years of age who hold no such document).
  3. Electronic proof of identity. Holders of a German identity card over 16 years of age can use it for verification purposes. Please refer to the Act on Identity Cards and Electronic Identification or the Residence Act for detailed information.
  4. Qualified electronic signature. When a person conducts a digital transaction, a qualified electronic signature can be used for identity verification purposes. The e-signature must be validated.
  5. Video identification procedure. Video identification, or videoident, is a distinctive feature of ID verification in Germany and requires special attention. BaFin sets strict requirements on how video identification has to take place.

BaFin provides full details on the video identification procedure on its website.

BaFin’s video identification requirements can be confusing for businesses and demanding for clients, and therefore detrimental to onboarding. However, a reliable and compliant KYC platform can make this process smooth for both sides.

Sumsub’s Video Identification solution is compliant with BaFin AML/KYC regulations in Germany and can offer an outstanding user experience. Get an all-in-one video KYC platform equipped with a dynamic user queue and compatibility with any device. Plus, our in-house operators can take over the entire process on demand.

Simplified and Enhanced Due Diligence (SDD & EDD)

Let’s start with simplified due diligence.

Simplified Due Diligence (SDD)

BaFin does not provide a specific list of information to collect in the case of SDD. Instead, the regulator permits companies to reduce the general due diligence requirements to the extent the company considers reasonable. In practice, SDD is rarely applied, since it is only possible where the lower-risk factors in Annex 1 of the GwG coincide and no higher-risk factor is present. Enhanced Due Diligence, by contrast, is much more common: businesses have to apply it whenever they encounter even a single higher-risk factor.

Enhanced Due Diligence (EDD)

BaFin highlights three principal triggers for enhanced due diligence in relation to money laundering and terrorist financing:

  1. PEP. If the client or a beneficial owner of the client company is a Politically Exposed Person (PEP), a family member, or a known close associate of a PEP, EDD must be applied.
  2. Complex or suspicious transactions. Businesses have to conduct EDD if the transactions their clients want to make:

a) are unusually large or complex;
b) follow an unusual pattern;
c) have no apparent economic or lawful purpose.

  3. Correspondent relationships with higher-risk EU institutions or with institutions located in third countries.

EDD must be conducted when obliged entities, such as financial institutions, enter into correspondent relationships with respondent institutions located outside the EU/EEA, or with institutions inside the EU/EEA that potentially pose a high risk of money laundering and terrorist financing.

Please see the full list of higher-risk factors in Annex 2 of the GwG.

These are the requirements for EDD that BaFin sets for the three high-risk factors above:

  1. PEP:

a) A member of senior management has to approve a business relationship with the client company;

b) The source of funds has to be checked;

c) Enhanced ongoing monitoring is needed.

  2. Complex or suspicious transactions:

a) The company must conduct a thorough check of suspicious transactions with regard to financial crimes;

b) Enhanced ongoing monitoring must be set up.

  3. Correspondent relationships with higher-risk EU institutions or institutions located in third countries:

a) A full check of the client company is to be conducted (including the nature of the business, reputation, established measures for preventing financial crimes, etc.);

b) A member of senior management must approve the business relationship with the company;

c) Both sides must document their responsibilities for the fulfillment of EDD before establishing the business relationship;

d) The obliged entity must satisfy itself that the respondent institution does not allow its accounts to be used by shell banks;

e) Where the respondent offers payable-through accounts, the obliged entity must satisfy itself that the respondent has verified the identity of the customers with direct access to those accounts and applies ongoing due diligence to them.

For information on checking PEPs, BaFin recommends referring to the FATF’s guidance.


Reporting requirements

BaFin aligns with European Union reporting guidelines. Submitting Suspicious Transaction Reports (STRs; the same filing the introduction calls a Suspicious Activity Report, or SAR) is the cornerstone of German AML reporting, and companies must report any transaction suspected of ties to money laundering or terrorist financing. There are also sector-specific reports, for example for the finance and insurance sectors.

Suspicious transaction report (STR)

One of the main functions of BaFin is to stop financial crime, and entities under BaFin’s supervision are obliged to help the regulator fulfil this function. Businesses therefore have to report suspicious activities or transactions when:

  1. They detect facts indicating that assets may stem from a criminal offence or be connected to terrorist financing
  2. The contracting party does not disclose whether it is acting on behalf of a beneficial owner

The company must submit the STR even when it is unsure whether the contracting party’s activity is actually suspicious. Furthermore, the company does not have to conduct its own investigation; it only has to explain to the FIU why it considers the activity abnormal. The company must not inform the contracting party that a report has been or will be filed (tipping off is prohibited), so it should not question the contracting party about the suspicion.

Here’s what to keep in mind when submitting an STR:

Person in charge of the submission: the AML officer.

Authority to submit to: Germany’s Financial Intelligence Unit (FIU), which is part of the Central Customs Authority and is responsible for the detection and prevention of money laundering and terrorist financing (businesses should not ask the FIU for a preliminary review of the report).

Means of submission: electronically, through the “goAML” system (companies need to register on the “goAML” web portal to access the system and file the report).

Time: immediately, as soon as the suspicious activity has been detected. Under the GwG, a reported transaction may generally only be executed once the FIU or the public prosecutor consents, or once the third working day after the report has passed without the transaction being prohibited.

Other reporting requirements for financial institutions

There are several reports that financial institutions must submit to BaFin:

  1. Annual reports
  2. External audit reports
  3. Financial statements
  4. Major changes report (including, for instance, significant changes in the management board)
  5. Exposures and loans of more than €1 million

Some entities, such as investment service companies, must report all on-exchange and off-exchange dealings in financial instruments. More information can be found in the Banking Act.

Recording and retention requirements

Entities should not underestimate the importance of recording and storing data, since they often face external audits.

Data to record:

a) Information collected through due diligence checks, including the results of the risk assessment. Records may include video and audio recordings made to fulfil due diligence requirements.

b) Detailed transaction information, including CDD data and the transaction date/time, amount, currency, account numbers, and payment method.

c) STRs and other reports.

Recording requirements: BaFin permits making copies of the checked documents and storing them in digital form.

Retention period: Records, including the complete recording of any video identification, must be retained by the obliged entity for at least five years after the end of the business relationship or the transaction, but for no longer than ten years. After this period, all records, including video identification recordings, must be destroyed.

Obliged entities may use personal data solely for the prevention of money laundering and terrorist financing. Entities must also ensure the security of any stored data.
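The tiering, refresh and retention rules above (a single higher-risk factor forces EDD, SDD only when the lower-risk factors coincide, refresh every 7/5/1 years, retain for five to ten years after the relationship ends) combine into a record lifecycle check that a compliance engineering team would typically automate. The following is an added illustration, not code from BaFin, the GwG, or the vendor behind this page. The factor names, their grouping into customer/product/geography dimensions, and the rule that SDD requires a lower-risk factor in every dimension are constructed assumptions that simplify Annexes 1 and 2 of the GwG; the sample records are constructed as well.

```python
"""Customer-record lifecycle helper modelled on the due diligence, refresh and
retention rules described on this page. Illustrative only: the factor model is
a constructed simplification of Annexes 1 and 2 of the GwG, not the statute."""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, Optional


class Tier(Enum):
    SDD = "simplified"
    CDD = "general"
    EDD = "enhanced"


# Refresh intervals in years, as stated on this page for the rules effective 1 Feb 2025.
REFRESH_YEARS = {Tier.SDD: 7, Tier.CDD: 5, Tier.EDD: 1}
# Retention window after the end of the business relationship: keep at least
# five years, destroy after ten (as described in the retention section).
RETENTION_MIN_YEARS, RETENTION_MAX_YEARS = 5, 10

# Constructed factor model (assumption). Each factor is tagged with the Annex
# dimension it belongs to. A single higher-risk factor forces EDD; SDD is only
# available when every dimension carries a lower-risk factor and no higher-risk
# factor is present; everything else is general CDD.
DIMENSIONS = ("customer", "product", "geography")
LOW_RISK = {
    "eu_regulated_institution": "customer",
    "listed_company": "customer",
    "low_value_product": "product",
    "eea_resident": "geography",
}
HIGH_RISK = {
    "pep": "customer",
    "complex_or_unusual_transaction": "product",
    "high_risk_third_country": "geography",
    "third_country_correspondent": "geography",
}


@dataclass
class CustomerRecord:
    customer_id: str
    factors: frozenset
    last_review: date
    relationship_end: Optional[date] = None  # None while the relationship is active


def classify(factors) -> Tier:
    """Pick the due diligence tier from the customer's risk factors."""
    f = set(factors)
    unknown = f - set(LOW_RISK) - set(HIGH_RISK)
    if unknown:
        raise ValueError(f"unmodelled risk factors: {sorted(unknown)}")
    if f & set(HIGH_RISK):
        return Tier.EDD
    covered = {LOW_RISK[x] for x in f}
    return Tier.SDD if covered == set(DIMENSIONS) else Tier.CDD


def add_years(d: date, years: int) -> date:
    """Calendar arithmetic that survives 29 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def next_refresh(record: CustomerRecord) -> date:
    return add_years(record.last_review, REFRESH_YEARS[classify(record.factors)])


def retention_status(record: CustomerRecord, today: date) -> str:
    """'retain' while the relationship is live or inside the minimum period,
    'may_destroy' between five and ten years after it ends, 'must_destroy' after."""
    if record.relationship_end is None:
        return "retain"
    earliest = add_years(record.relationship_end, RETENTION_MIN_YEARS)
    latest = add_years(record.relationship_end, RETENTION_MAX_YEARS)
    if today < earliest:
        return "retain"
    return "may_destroy" if today < latest else "must_destroy"


def review(record: CustomerRecord, today: date) -> Dict[str, object]:
    """One-line summary per record for a periodic compliance job."""
    tier = classify(record.factors)
    due = next_refresh(record)
    return {
        "customer_id": record.customer_id,
        "tier": tier.value,
        "next_refresh": due,
        "refresh_overdue": today >= due and record.relationship_end is None,
        "retention": retention_status(record, today),
    }


if __name__ == "__main__":
    today = date(2025, 5, 1)
    sample = [  # constructed records
        CustomerRecord("c1", frozenset({"pep"}), date(2024, 3, 1)),
        CustomerRecord("c2", frozenset({"listed_company"}), date(2019, 1, 15)),
        CustomerRecord("c3", frozenset({"eu_regulated_institution", "low_value_product",
                                         "eea_resident"}), date(2020, 6, 1)),
        CustomerRecord("c4", frozenset({"listed_company"}), date(2017, 1, 1),
                       relationship_end=date(2018, 6, 30)),
    ]
    for r in sample:
        print(review(r, today))
```

The unknown-factor check is deliberate: a record tagged with a factor the model does not know would otherwise silently fall into the cheapest tier, which is exactly the failure an auditor looks for. Note also that the refresh clock stops once the relationship has ended, while the destruction clock only starts then.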

Penalties for non-compliance

BaFin ensures that businesses use suitable prevention systems to protect themselves from money laundering and terrorist financing. However, failing to comply with BaFin may result in: 

  • Fines
  • License termination
  • Seizure of assets
  • Criminal liability

The regulator imposes administrative fines for compliance breaches such as failing to establish a risk management system, failing to retain records, or failing to meet reporting requirements. For serious, repeated, or systematic violations, a company can receive a fine of up to €1 million or up to twice the economic benefit derived from the breach. For certain obliged entities, such as credit and financial institutions, particularly serious cases can attract penalties of up to €5 million or 10% of annual turnover.

As more and more business moves online, BaFin also scrutinises information security. Its Supervisory Requirements for IT in Financial Institutions (BAIT) set the baseline for years; since the EU’s Digital Operational Resilience Act (DORA) became applicable in January 2025, BAIT has been withdrawn and DORA’s ICT risk management, incident reporting, and third-party risk requirements apply directly.

Useful resources

These are some helpful materials for a better understanding of BaFin AML requirements:

  1. BaFin’s official website not only provides insights into the regulator’s work but also contains articles and guidelines on compliance as well as full texts of all relevant legislation.
  2. BaFin’s Interpretation and Application Guidance (AuA) describes the AML obligations under the GwG and related laws.
  3. The FATF Recommendations on AML/CFT may also be useful since Germany is a member of the Financial Action Task Force.

FAQ

  • What is considered money laundering in Germany?

    According to Section 261 of the German Criminal Code (StGB), money laundering involves disguising assets derived from unlawful activities such as fraud and drug trafficking. In other words, it is the act of integrating “dirty money” into the legitimate financial system to make it seem clean.

  • Does Germany require KYC?

    Yes. German ‘Know Your Customer’ (KYC) requirements are based on European provisions. Financial institutions and VASPs operating in Germany are obliged to conduct KYC procedures on their customers.

  • Is BaFin like the SEC?

    In terms of objectives, Germany’s BaFin is comparable to the Securities and Exchange Commission (SEC) in the US, as they are supervisory bodies established to maintain integrity in their financial systems. However, they differ due to the legal and regulatory frameworks in the respective countries.
