Learn about BaFin, the key anti-money laundering regulator in Germany, and what’s so special about AML regulations in the country.
Germany remains an attractive destination both for financial institutions and for virtual asset service providers (VASPs, or platforms providing services with cryptocurrency). Although some market participants consider the country too bureaucratic to do business in, the German government is taking the necessary steps, such as promoting the digitalization of the capital market and improving the tax framework, to keep the German capital market efficient and modern.
Moreover, according to Coincub’s recent report, Germany became the most attractive crypto economy in the world in Q3 2022, as the country has a “favorable crypto outlook”, “clear crypto tax rules” and “transparent regulatory communications”.
However, both financial institutions and VASPs need to comply with strict BaFin anti-money laundering (AML) regulations, which carry stiff penalties for non-compliance. In 2021, online bank N26 was hit with a €5m ($5.2m) fine from BaFin for delayed suspicious activity reports relating to money laundering.
Read this guide to learn how to stay AML-compliant in Germany and keep customer onboarding smooth.
Name: Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin)
Role: Financial regulator
Year founded: 2002
BaFin’s functions can be divided into two broad categories:
The scope of BaFin’s supervision is vast and includes the following primary responsibilities:
To understand how BaFin works and its requirements, let’s go through the main laws governing the regulator’s activity:
This is a breakdown of the main acts and regulations that BaFin enforces:
Here is a list of other regulations related to BaFin’s activity.
BaFin requires a risk-based approach to money laundering and other financial crimes:
“Under section 4 of the GwG, the obliged entities must have an effective risk management system which covers risk assessment under section 5 of the GwG and internal safeguards under section 6 of the GwG. This obligation represents the core of a risk-based approach in relation to money laundering and terrorist financing.”
According to the FATF, a risk-based approach means identifying, assessing, and understanding the money laundering and terrorist financing risk to which an entity is exposed, and taking the appropriate mitigation measures in accordance with the level of risk.
The approach involves the creation of a risk management system that includes risk assessment procedures and internal safeguards. When designing a risk management system, companies have to consider their business type, the products they offer, and the possible risks involved. For instance, the gambling sector is considered quite vulnerable to the laundering of proceeds from drug trafficking or other illegal sources, so gambling operators have to implement stricter KYC and AML requirements.
BaFin demands that entities develop strict principles for detecting and preventing criminal activity. These include:
While CDD requirements differ for natural and legal persons, SDD and EDD do not have such differentiation. A business must have a precise understanding of how it assesses clients as either “high-risk” or “low-risk” according to the high- and low-risk factors provided in the Annexes to the GwG. If a company is not sure how to assess a client, it can ask BaFin for help.
The obliged entity may engage third parties in order to fulfill the general due diligence requirements. Delegation requires a contractual agreement.
More information about the above measures can be found in BaFin’s Interpretation and Application Guidance. Since January 1, 2020, crypto assets have been considered financial instruments by BaFin. Therefore, crypto businesses now fall under BaFin’s supervision and must comply with all AML and KYC requirements. BaFin’s cryptocurrency regulations can be found on the official website here.
There are several circumstances when a company needs to apply CDD:
BaFin’s detailed CDD requirements can be found on the official website.
In terms of CDD, BaFin distinguishes between natural persons and legal persons.
For natural persons, the following should be collected:
The client’s data can be extracted from a valid official document (passport or identity card, for instance) or an electronic proof of identity. An electronic scan of the presented ID document is enough to comply with recording and retention requirements.
Here are the requirements for legal persons:
The company’s commercial register or its equivalent can be used to gather the company’s information. For due diligence checks, BaFin requires entities to refer to the FATF’s list of high-risk countries and the EU Commission Delegated Regulation. Information on financial sanctions can be viewed on the Deutsche Bundesbank’s website.
Identity verification is a part of due diligence:
“As well as an appropriate check of specific identification documents presented physically pursuant to section 13 (1) no. 1 of the GwG in conjunction with section 12 (1) sentence 1 no. 1 and no. 5 of the GwG, verification may also be implemented by means of another suitable procedure whose level of security is equivalent to that of physical presentation of documents, section 13 (1) no. 2 of the GwG.”
BaFin suggests several methods for verifying a person’s identity, with video identification being a distinctive feature of the regulator.
Some of the video ident requirements are:
BaFin provides full details on the video identification procedure here.
BaFin’s video identification requirements can be confusing for businesses, tough for clients and therefore detrimental to onboarding. However, a reliable and compliant KYC platform can make this process smooth and pleasant.
Sumsub’s Video Identification solution is compliant with BaFin AML/KYC regulations in Germany and can offer an outstanding user experience. Get an all-in-one video KYC platform equipped with a dynamic user queue and compatibility with any device. Plus, our in-house operators can take over the entire process on demand.
Let’s start with simplified due diligence.
“Obliged entities that establish that, taking into account the risk factors specified in annexes 1 and 2, certain areas present only a small risk of money laundering or terrorist financing, particularly with regard to customers, transactions and services or products, are only required to fulfil simplified due diligence requirements. Before applying simplified due diligence requirements, obliged entities must ascertain that the business relationship or transaction actually entails a lower risk of money laundering or terrorist financing. For the demonstration of adequacy, section 10 (2) sentence 4 applies mutatis mutandis.”
BaFin does not provide a specific list of information to collect in the case of SDD. Instead, the regulator permits companies to reduce the general due diligence requirements to whatever extent the company considers reasonable. However, SDD is rarely conducted, since this simplified check may only be applied in cases where all lower-risk factors coincide (the list of factors can be found in Annex 1 of the GwG). Now let’s talk about the much more frequent Enhanced Due Diligence (EDD), which businesses have to apply whenever they come across even a single high-risk factor.
“Obliged entities are to fulfil enhanced due diligence requirements if they find out, through a risk analysis or by taking into account the risk factors specified in annexes 1 and 2 in an individual case, that a higher risk of money laundering or terrorist financing may arise. The obliged entities determine the specific extent of measures to be taken in accordance with the respective higher risk of money laundering or terrorist financing. For the demonstration of adequacy, section 10 (2) sentence 4 applies mutatis mutandis.”
BaFin distinguishes three red flags of money laundering and terrorist financing.
PEP. If a beneficial owner of the client company is a Politically Exposed Person (PEP) or a close acquaintance of one, EDD must be applied.
Complex or suspicious transactions. Businesses are to conduct EDD if the transactions their clients want to make:
a) are significantly large or complex;
b) follow an unusual pattern;
c) have no apparent economic purpose.
Partnerships with EU businesses that pose a high risk or with businesses located in third countries:
EDD must be conducted when obliged entities, such as financial institutions, correspond with companies inside the EU that potentially pose a high risk of money laundering and terrorist financing, or with any companies outside the EU.
Please see the full list of higher-risk factors in Annex 2 of the GwG.
These are the requirements for EDD that BaFin sets for the three high-risk factors above:
For PEPs:
a) a member of senior management has to approve the business relationship with the client company;
b) the source of funds has to be checked;
c) enhanced ongoing monitoring is needed.
For complex or suspicious transactions:
a) the company must conduct a thorough check of the suspicious transactions with regard to financial crimes;
b) enhanced ongoing monitoring must be set up.
For high-risk partnerships inside the EU and partnerships in third countries:
a) a full check of the client company is to be conducted (including the nature of the business, its reputation, its established measures for preventing financial crimes, etc.);
b) a member of senior management must approve the business relationship with the company;
c) both sides must document their responsibilities for the fulfillment of EDD before establishing the business relationship;
d) the client company cannot have an account with a shell bank;
e) the client company cannot make transactions via payable-through accounts.
For information on checking PEPs, BaFin recommends referring to the FATF’s guidance.
BaFin supervises various types of reports, starting with the Suspicious Transaction Report (STR) and continuing with reports that are specific to each sector.
“(1) If facts exist which indicate that property is related to money laundering or terrorist financing, the supervisory authority reports these facts to the German Financial Intelligence Unit without delay. (2) Subsection (1) applies mutatis mutandis to authorities responsible for supervision of the stock, foreign exchange and financial derivatives markets.”
One of the main functions of BaFin is to stop financial crimes, and entities falling under BaFin’s supervision are obliged to help the regulator fulfill this function. Therefore, businesses have to report any suspicious activities or transactions when:
The company must submit an STR even when it is unsure whether the contracting party’s activity constitutes something suspicious. Furthermore, the company does not have to conduct any investigation; it just has to provide BaFin with an explanation of why it considers the activity abnormal. It is not recommended to contact or question the contracting party, so as not to alert it to the arising suspicions.
Here is what’s important to keep in mind when submitting an STR:
Person in charge of the submission: the AML officer.
Authority to submit to: the Financial Intelligence Unit (FIU) for detection and prevention of money laundering and terrorist financing (businesses should not ask the FIU for any preliminary review of the report).
Means of submission: electronically, through the “goAML” system (companies need to register on the “goAML” web portal to access the system and file the report).
Time: as soon as the suspicious activity has been detected.
Now that we’ve gone through the STR requirements, let’s clear up the reporting requirements specific to the following sectors: financial, insurance, and market.
There are several reports that financial institutions must submit to BaFin:
Some entities, such as investment service companies, must report all on-exchange and off-exchange dealings in financial instruments. More information can be found in the Banking Act.
Entities should not underestimate the importance of recording and storing data, since they often face external audits.
Data to record:
a) information collected through due diligence checks, including results of risk assessment;
b) STR and other reports;
c) virtual IBANs that credit institutions issue to payment service providers.
Recording requirements: BaFin permits making copies of the checked documents and storing them in digital form.
Retention period: The entire video identification process must be recorded and retained by the obliged entity for at least five years, but no longer than ten years.
Obliged entities may use personal data solely for the prevention of money laundering and terrorist financing. Entities must also ensure the security of any stored data.
BaFin ensures that businesses use suitable prevention systems to protect themselves from money laundering and terrorist financing. However, failing to comply with BaFin may result in:
The regulator imposes administrative fines for compliance breaches, such as failing to establish a risk management system, to retain records, or to meet reporting requirements. For serious or systematic violations, a company can receive a fine of up to €1 million or up to twice the economic benefit derived from the breach. In particularly serious cases, penalties of up to €5 million can be imposed.
As more and more businesses move online, BaFin now focuses on information security and compliance with BAIT (Supervisory Requirements for IT in Financial Institutions).
These are some helpful materials for a better understanding of BaFin AML requirements:
According to Section 261 of the German Criminal Code (StGB), money laundering involves:
Yes. According to the FATF, Germany faces significant money laundering and terrorist financing risks.
Yes. German “Know Your Customer” (KYC) requirements are based on European provisions. Financial institutions and VASPs operating in Germany are obliged to conduct the KYC procedure on their customers.
Yes, it can be described as such, since it is a supervisory body working to ensure the stability and integrity of the German financial system.