AML/KYC Guide to Germany, the World’s Top Crypto Economy

Germany remains an attractive destination both for financial institutions and for virtual asset service providers (VASPs, or platforms providing services with cryptocurrency). Although some market participants consider the country too bureaucratic to do business in, the German government is taking necessary steps, such as promotion of the capital market digitalization and improvement of the tax framework, to keep the German capital market efficient and modernized.

Moreover, according to Coincub’s recent report, Germany has become the most attractive crypto economy in the world in Q3, 2022, as the country has a “favorable crypto outlook”, “clear crypto tax rules” and “transparent regulatory communications”.

However, both financial institutions and VASPs need to comply with strict BaFin anti-money laundering (AML) regulations, which carry stiff penalties for non-compliance. In 2021, online bank N26 was hit with a €5m ($5.2m) fine from BaFin for delayed suspicious activity reports relating to money laundering.

Read this guide to learn how to stay AML-compliant in Germany and keep customer onboarding smooth.

What is BaFin in Germany?

Field of responsibility

BaFin’s functions can be divided into two broad categories:

1. Protection of consumers. Ensuring that the market is stable, fair, and transparent in order to protect consumers from harm.
2. Control over organizations. Authorizing banks, financial service providers, insurance companies, and payment & e-money services to operate in Germany. 

The scope of BaFin’s supervision is vast and includes the following primary responsibilities:

• Licensing
• Conducting audits
• AML compliance supervision
• Gathering financial statements
• Making sure that the obliged entities meet their payment requirements
• Enforcement

To understand how BaFin works and its requirements, let’s go through the main laws governing the regulator’s activity:

The legal landscape

This is a breakdown of the main acts and regulations that BaFin enforces:

1. The Anti-Money Laundering Act in Germany (Geldwäschegesetz—GwG). All BaFin AML requirements, as well as administrative fines for non-compliance, stem from this law. It aligns with the 4th and 5th Anti-Money Laundering Directives that regulate AML compliance in all spheres of the European Union.
2. The Banking Act supervises financial institutions in the country.
3. The Insurance Supervision Act controls the activity of insurance companies. The law primarily protects the interests of  insured persons and makes sure that both the companies and clients fulfill their contractual obligations.
4. The Payment Services Supervision Act oversees payment service companies, such as credit and electronic money institutions.
5. The Investment Code controls the investment sphere—mainly investment funds offered by asset management companies.
6. The Criminal Code addresses various criminal offenses, defines money laundering and establishes penalties for the crime.
7. The Securities Trading Act oversees a broad scope of activities, from provision of investment services to financial reporting.

Here is a list of other regulations related to BaFin’s activity.

What are the AML requirements in Germany? 

BaFin requires a risk-based approach to money laundering and other financial crimes:

“Under section 4 of the GwG, the obliged entities must have an effective risk management system which covers risk assessment under section 5 of the GwG and internal safeguards under section 6 of the GwG. This obligation represents the core of a risk-based approach in relation to money laundering and terrorist financing.”

(Interpretation and Application Guidance)

According to the FATF, a risk-based approach means identifying, assessing, and understanding the money laundering and terrorist financing risk to which an entity is exposed, and taking the appropriate mitigation measures in accordance with the level of risk.

The approach involves the creation of a risk management system that includes risk assessment procedures and internal safeguards. When designing a risk management system, companies have to consider their business type, the product they offer, and the possible risks involved. For instance, the gambling sector is considered quite vulnerable to money laundering stemming from drug trafficking or other illegal sources, so gambling operators should have to implement stricter KYC and AML requirements.

BaFin demands that entities develop strict principles for detecting and preventing criminal activity. These include:

1. Applying general due diligence requirements. Due diligence measures must be applied before the establishment of any business relationship or implementation of a transaction. BaFin suggests three levels of due diligence checks: 

• Simplified Due Diligence (SDD)
• General Customer Due Diligence (often referred to as CDD)
• Enhanced Due Diligence (EDD).

While CDD requirements differ for natural and legal persons, SDD and EDD do not have such differentiation. A business must have a precise understanding of how it assesses clients as either “high-risk” or “low-risk” according to the high- and low-risk factors provided in the Annexes to the GwG. If a company is not sure how to assess a client, it can ask BaFin for help.

2. Appointing an AML officer. BaFin requires businesses to appoint an AML officer and a deputy as contact persons for the regulator. In short, the officer is responsible for compliance with BaFin. Ongoing monitoring and reporting are also among their duties.
3. Conducting employee training. Companies under BaFin have to instruct all their employees about financial crimes and their prevention. This can be done through classrooms, computer-based programs, or other learning materials (for instance, the FATF’s publications). Companies can decide on the form and timing of such training, but it is always recommended that the instructions be provided whenever there are any changes in BaFin’s practices or a new form of money laundering emerges.
4. Recording and retention. BaFin requires companies to record and store the results of due diligence checks (as well as various other reports) for five years  in order to provide the regulator if needed.
5. Reporting. This includes suspicious activity/transaction reporting.

The obliged entity may engage third parties in order to fulfill the general due diligence requirements. Delegation requires a contractual agreement.

More information about the above measures can be found in BaFin’s Interpretation and Application Guidance. Since January 1, 2020, crypto assets have been considered financial instruments by BaFin. Therefore crypto businesses now fall under BaFin’s supervision and must comply with all AML and KYC requirements. BaFin cryptocurrency regulations can be found on the official website here.

Customer Due Diligence (CDD) requirements

Due diligence requirements are recorded in the GWG. They include Customer Due Diligence (CDD), Simplified Due Diligence (SDD), and Enhanced Due Diligence (EDD).

There are several circumstances when a company needs to apply CDD:

1. Starting a new business relationship with a natural or legal person
2. Completing transactions that fall outside an established contract “within the meaning of Article 3 no. 9 of Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006 (OJ L 141 of 5 June 2015, p.1) when the transfer of funds involves an amount of €1000 or more”
3. Other transactions with a value greater than €15,000
4. Suspicious transactions potentially connected to money laundering or other crimes
5. Regular CDD for existing clients, if something has changed in the client’s circumstances (e.g., a change in ownership)

Detailed BaFin’s CDD requirements may be found on the official website.

In terms of CDD, BaFin distinguishes between natural persons and legal persons.

For natural persons, the following should be collected

1. Name
2. Date of birth
3. Place of birth
4. Residential address (or postal address in certain cases)
5. Type, number, and issuing authority of a submitted ID document

The client’s data can be extracted from a valid official document (passport or identity card, for instance) or an electronic proof of identity. An electronic scan of the presented ID document is enough to comply with recording and retention requirements.

Here are the requirements for legal persons:

1. Name of the company or trading name
2. Legal form
3. Commercial register number (if available)
4. Address of the registered office
5. Ownership, including the beneficial owner, and control structure
6. Purpose of business (if not explicit)

The company’s commercial register or its equivalent can be used to gather the company’s information. For due diligence checks, BaFin requires entities to refer to the FATF’s list of high-risk countries and the EU Commission Delegated Regulation. Information on financial sanctions can be viewed on the Deutsche Bundesbank’s website.

Identity verification procedures

Identity verification is a part of due diligence:

“As well as an appropriate check of specific identification documents presented physically pursuant to section 13 (1) no. 1 of the GwG in conjunction with section 12 (1) sentence 1 no. 1 and no. 5 of the GwG, verification may also be implemented by means of another suitable procedure whose level of security is equivalent to that of physical presentation of documents, section 13 (1) no. 2 of the GwG.”

(Interpretation and Application Guidance)

BaFin suggests several methods for verifying a person’s identity, with video identification being a distinctive feature of the regulator.

1. Electronic identity verification. This is verification performed through online KYC & AML platforms that includes remote checking of ID documents.
2. On-the-spot check of a qualified identification document. This is when an individual presents a physical identity document for verification, usually a passport or birth certificate (for persons below 16 years of age).
3. Electronic proof of identity. Holders of a German identity card over 16 years of age can use it for verification purposes. Please refer to the Act on Identity Cards and Electronic Identification or the Residence Act for detailed information.
4. Qualified electronic signature. When a person conducts a digital transaction, a qualified electronic signature can be used for identity verification purposes. The e-signature must be validated.
5. Video identification procedure. Video identification, or videoident, is a distinctive feature of ID verification in Germany and requires special attention. BaFin sets strict requirements on how video identification has to take place.

Some of the video ident requirements are:

• Only trained employees can conduct the identification
• Video identification has to take place in real-time and without interruptions
• End-to-end encrypted channels for video chat must be applied to ensure safety and privacy
• The quality of the image has to be good enough for the employee to check the provided ID document and its unique features, such as watermarks

BaFin provides full details on the video identification procedure here.

Simplified and Enhanced Due Diligence (SDD & EDD)

Let’s start with simplified due diligence.

Simplified Due Diligence (SDD)

“Obliged entities that establish that, taking into account the risk factors specified in annexes 1 and 2, certain areas present only a small risk of money laundering or terrorist financing, particularly with regard to customers, transactions and services or products, are only required to fulfil simplified due diligence requirements. Before applying simplified due diligence requirements, obliged entities must ascertain that the business relationship or transaction actually entails a lower risk of money laundering or terrorist financing. For the demonstration of adequacy, section 10 (2) sentence 4 applies mutatis mutandis.”

(The GWG, §14)

BaFin does not provide a specific list of information to collect in case of SDD. Instead, the regulator permits companies to reduce general due diligence requirements to whatever extent the company thinks is reasonable. However, SDD is rarely conducted, since it is possible to apply this simplified check only in cases where all lower-risk factors coalesce (the list of the factors can be found in Annex 1 of the GWG). Now let’s talk about the much more frequent Enhanced Due Diligence, which businesses have to apply whenever they come across just a single high-risk factor.

Enhanced Due Diligence (EDD)

“Obliged entities are to fulfil enhanced due diligence requirements if they find out, through a risk analysis or by taking into account the risk factors specified in annexes 1 and 2 in an individual case, that a higher risk of money laundering or terrorist financing may arise. The obliged entities determine the specific extent of measures to be taken in accordance with the respective higher risk of money laundering or terrorist financing. For the demonstration of adequacy, section 10 (2) sentence 4 applies mutatis mutandis.”

(The GWG, §15)

BaFin distinguishes the three red flags of money laundering and terrorist financing.

PEP. If a beneficial owner of the client company is a Politically Exposed Person (PEP) or some close acquaintance, EDD must be applied.

Complex or suspicious transactions. Businesses are to conduct EDD if the transactions their clients want to make are

a) significantly large or complex;

b) follow an unusual pattern;

c) have no apparent economic purpose.

Partnerships with EU businesses that pose high risk or businesses located in third-countries:

EDD must be conducted when obliged entities, such as financial institutions, correspond with companies inside the EU that potentially pose a high risk of money laundering and terrorist financing, or with any companies outside the EU.

Please see the full list of higher risk factors in Annex 2 of the GWG.

These are the requirements for EDD that BaFin sets for the three high-risk factors above:

1. PEP:

a) a member of senior management has to approve a business relationship with the client company;

b) the source of funds has to be checked;

c) enhanced ongoing monitoring is needed.

2. Complex or suspicious transactions:

a) the company must conduct a thorough check of suspicious transactions with regard to financial crimes;

b) enhanced ongoing monitoring must be set up.

3. Partnerships with businesses in the EU that pose a risk, or businesses located in third-countries:

a) a full check of the client company is to be conducted (including the nature of the business, reputation, established measures for preventing financial crimes, etc.);

b) a member of senior management must approve the business relationship with the company;

c) both sides must document their responsibilities for the fulfillment of EDD before establishing the business relationship;

d) the client company cannot have an account in a shell bank;

e) the client company cannot make transactions via payable-through accounts.For information on checking PEPs, BaFin recommends referring to the FATF’s guidance.

Reporting requirements

BaFin supervises various types of reports, starting with the Suspicious Transaction Report (STR), continuing on to reports that are specific to each sector.

Suspicious transaction report (STR)

“(1) If facts exist which indicate that property is related to money laundering or terrorist financing, the supervisory authority reports these facts to the German Financial Intelligence Unit without delay. (2) Subsection (1) applies mutatis mutandis to authorities responsible for supervision of the stock, foreign exchange and financial derivatives markets.”

(The GWG, §43)

One of the main functions of BaFin is to stop financial crimes, and entities falling under BaFin’s supervision are obliged to help the regulator fulfill this function. Therefore, businesses have to report any suspicious activities or transactions when:

1. They detect any malicious activity
2. The contracting party does not want to disclose whether it conducts business on behalf of a beneficial owner

The company must submit the STR even when it is unsure whether the contracting party’s activity constitutes something suspicious. Furthermore, the company does not have to conduct any investigation—it has just to provide BaFin with some explanation about why they think the activity is abnormal. It is not recommended to contact and question the contracting party in order to not alert it to arising suspicions.

Here is what’s important to keep in mind when submitting an STR:

Person in charge of the submission: the AML officer.

Authority to submit to: the Financial Intelligence Unit (FIU) for detection and prevention of money laundering and terrorist financing (businesses should not ask the FIU for any preliminary review of the report).

Means of submission: electronically, through the “goAML” system (companies need to register on the “goAML” web portal to access the system and file the report).

Time: as soon as the suspicious activity has been detected.

Now that we’ve gone through the STR requirements, let’s clear up the reporting requirements specific to the following sectors: financial, insurance, and market.

Other reporting requirements for financial institutions

There are several reports that financial institutions must submit to BaFin:

1. annual reports
2. external audit reports
3. balance sheets
4. major changes report (including, for instance, significant changes in the management board)
5. exposures and loans of more than €1 million

Some entities, such as investment service companies, must report all on-exchange and off-exchange dealings in financial instruments. More information can be found in the Banking Act.

Recording and retention requirements

Entities should not underestimate the importance of recording and storing data, since they often face external audits.

Data to record:

a) information collected through due diligence checks, including results of  risk assessment;

b) STR and other reports;

c) virtual IBANs that credit institutions issue to payment service providers.

Recording requirements: BaFin permits making copies of checked documents ( and storing them in digital form. 

Retention period: The entire video identification process must be recorded and retained by the obliged entity for at least five years, but no longer than ten years.

Obliged entities may use personal data solely for the prevention of money laundering and terrorist financing. Entities must also ensure the security of any stored data.

Penalties for non-compliance

BaFin ensures that businesses use suitable prevention systems to protect themselves from money laundering and terrorist financing. However, failing to comply with BaFin may result in: 

• fines
• license termination
• seizure of assets
• criminal liability

The regulator imposes administrative fines for breaches in compliance, such as failures in establishing a risk management system, retention of records and reporting requirements. For serious or systematic violations, a company can receive a fine of up to €1 million or up to twice the economic benefit derived from the breach. In particularly serious cases, penalties of up to €5 million can be imposed.

As more and more businesses move online, BaFin now focuses on information security and compliance with BAIT (Supervisory Requirements for IT in Financial Institutions).

Useful resources

These are some helpful materials for a better understanding of BaFin AML requirements:

1. BaFin’s official website not only provides insights into the regulator’s work but also contains articles and guidelines on compliance as well as full texts of all relevant legislation.
2. Interpretation and Application Guidance describes AML obligations under BaFin in relation to the GWG and other laws.
3. The FATF Recommendations on AML/CFT may also be useful since Germany is part of the Financial Action Task Force.

FAQ

• What is considered money laundering in Germany?

  According to Section 261 of the German Criminal Code (StGB), money laundering involves:

  • money or other assets which are the proceeds of an offense
  • proceeds intentionally concealed, disguised, procured
  • the offender’s awareness that the assets are the proceeds of an offense and acts with intent in this respect

• Are risks of money laundering high in Germany?

  Yes. According to the FATF, Germany faces significant money laundering and terrorist financing risks.

• Does Germany require KYC?

  Yes. German ‘Know Your Customer’ (KYC) requirements are based on tEuropean provisions. Financial institutions and VASPs operating in Germany are obliged to conduct the KYC procedure on their customers.

• Is BaFin like the SEC?

  Yes, it can be described as such, since it is a supervisory body working to ensure the stability and integrity of the German financial system.