A (Very) Big Breakdown of BaFin’s Requirements For AML & KYC

Welcome to our new section of the blog, where Sumsub’s global legal team gives a detailed breakdown of financial, gambling and other regulators all over the world. Our first guide is dedicated to BaFin, a German financial regulator.


Name: Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin)
Role: Financial regulator
Country: Germany
Year Founded: 2002

The field of responsibility

BaFin’s functions can be broadly divided into two areas:

  1. Protection of consumers. BaFin ensures that the market is stable, fair, and transparent, in order to protect customers from any possible harm.
  2. Control over organizations. Banks, financial service providers, insurance companies, and payment & e-money services are not allowed to operate in Germany without authorization from BaFin. The scope of BaFin’s supervision is vast. Here are some of the regulator’s primary responsibilities:
  • Licensing
  • Conducting audits
  • AML compliance supervision
  • Gathering financial statements
  • Making sure that supervised entities remain solvent and able to meet their payment obligations
  • Enforcement

To understand how BaFin works and what it requires from the obliged entities, let’s go through the main laws BaFin’s activity is based on.

The legal landscape

Here is our breakdown on the main acts and regulations that BaFin enforces.

  1. The Money Laundering Act (Geldwäschegesetz, GwG). All of BaFin’s AML requirements, as well as the administrative fines for non-compliance, derive from this primary German AML law. The Act implements the EU’s 4th and 5th Anti-Money Laundering Directives, which govern AML compliance across the European Union.
  2. The Banking Act supervises financial institutions in the country. The Act protects people’s assets and the overall national economy from any threats that may occur in the banking and financial services sector.
  3. The Insurance Supervision Act controls the activity of insurance companies. The law primarily protects the interests of the insured persons and makes sure that both the company and the client fulfill their contractual obligations.
  4. The Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz, ZAG) oversees payment service providers, such as payment institutions and electronic money institutions.
  5. The Investment Code controls the investment sphere—mainly the investment funds offered by asset management companies.
  6. The Criminal Code, addressing various criminal offenses, defines money laundering and establishes penalties for the crime.
  7. The Securities Trading Act oversees a broad range of activities, from the provision of investment services to the monitoring of financial reporting, and assigns BaFin its responsibilities in securities supervision.


AML compliance requirements

“Under section 4 of the GwG, the obliged entities must have an effective risk management system which covers risk assessment under section 5 of the GwG and internal safeguards under section 6 of the GwG. This obligation represents the core of a risk-based approach in relation to money laundering and terrorist financing.”
(Interpretation and Application Guidance)

BaFin requires a risk-based approach to money laundering and other financial crime. This means setting up a risk management system that combines risk assessment procedures with internal safeguards. By risks, BaFin means the money-laundering and terrorist-financing risks the entity is actually exposed to. When designing the system, a company has to consider its type of business, the products it offers and the risks they attract. For instance, the gambling sector is regarded as particularly exposed to the laundering of proceeds from drug trafficking and other illegal sources, so gambling operators may have to apply stricter KYC and AML controls.

BaFin demands that entities develop strict principles of dealing with risks and detecting and preventing criminal activity. These principles and procedures have to be thoroughly recorded. Here are specific aspects of the program to consider:

  1. General due diligence requirements. Due diligence measures must be applied before a business relationship is established or a transaction is carried out. The GwG provides for three levels of due diligence: Simplified Due Diligence (SDD), general due diligence (commonly called CDD) and Enhanced Due Diligence (EDD). While CDD requirements differ for natural and legal persons, SDD and EDD make no such distinction. A business must have a precise understanding of how it assesses clients as “high-risk” or “low-risk” against the higher- and lower-risk factors listed in the Annexes to the GwG. If a company is unsure how to assess a client, it can ask BaFin for help with the assessment.
  2. AML officer. BaFin requires businesses to appoint an AML officer and a deputy as contact persons between the company and the regulator. The officer is responsible for the company’s compliance with its obligations to prevent financial crime; ongoing monitoring and reporting are also among the officer’s duties.
  3. Employee training. Companies supervised by BaFin have to instruct all their employees about financial crime and its prevention. The instruction can be classroom-based, computer-based or built on other learning materials (for instance, FATF publications). Companies decide on the form and timing of the training, but it should be refreshed whenever BaFin’s practice changes or a new laundering typology emerges.
  4. Recording and retention. BaFin requires obliged companies to record and store the results of due diligence checks (and various other reports) for five years, so that the records can be produced to the regulator if needed.
  5. Reporting. Reporting under BaFin covers suspicious activity and suspicious transaction reporting as well as other report types specific to each sector.

Since January 1, 2020, crypto assets have been classified as financial instruments under the Banking Act, so crypto businesses, including crypto custody providers, fall under BaFin’s supervision and must meet all AML & KYC requirements. See the full definition of crypto custody business in the regulator’s guidance notice.

Further insights into these safeguards can be found in BaFin’s Interpretation and Application Guidance.

The obliged entity may engage third parties in order to fulfill the general due diligence requirements. Delegation requires a contractual agreement.

Customer Due Diligence (CDD) requirements

The due diligence requirements are set out in the GwG. They comprise Customer Due Diligence (CDD), Simplified Due Diligence (SDD) and Enhanced Due Diligence (EDD). We start with CDD, the most common type of check.

There are several circumstances when a company needs to apply CDD:

  1. A new business relationship with a natural or legal person
  2. Transactions outside an established business relationship, if they exceed €15,000 or involve a transfer of funds exceeding €1,000
  3. A suspicious transaction potentially connected to money laundering or other crimes
  4. Periodic refresh of CDD for existing clients, especially when their circumstances have changed (e.g., a change in ownership)

In terms of CDD, BaFin distinguishes between natural persons and legal persons.

Here is a list of the information to collect about natural persons:

  1. Name
  2. Date of birth
  3. Place of birth
  4. Residential address (or postal address in certain cases)
  5. Type, number, and issuing authority of a submitted ID document

A client’s data can be extracted from a valid official document (passport or identity card, for instance) or an electronic proof of identity. An electronic scan of the presented ID document is enough to comply with recording and retention requirements.
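As an added example (not code from the guide, and not something BaFin prescribes), the Python below parses the machine-readable zone (MRZ) of a TD3 passport into the fields listed above and validates its ICAO 9303 check digits. The sample MRZ is the ICAO specimen for the fictitious issuing state “UTO”, not a real document. The check digits catch OCR and transcription errors and clumsy edits, as the tampered variant at the end shows; they do not prove a document is genuine, because a forger can recompute them, which is why a check of the physical security features remains necessary.

```python
"""Parse a TD3 (passport) MRZ and validate its ICAO 9303 check digits.

Added example, not code from the guide or from BaFin. Algorithm: each
character maps to a value (digits as-is, A-Z = 10..35, '<' = 0), is
multiplied by the repeating weights 7, 3, 1 and summed; the check digit
is the sum modulo 10. The sample MRZ below is the ICAO specimen document.
"""
from dataclasses import dataclass, field
from typing import List

WEIGHTS = (7, 3, 1)

# ICAO Doc 9303 specimen (fictitious issuing state "UTO"), used as sample input.
SPECIMEN_LINE1 = "P<UTOERIKSSON<<ANNA<MARIA".ljust(44, "<")
SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"


def _char_value(c: str) -> int:
    """Map one MRZ character to its ICAO 9303 numeric value."""
    if c == "<":
        return 0
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"invalid MRZ character {c!r}")


def check_digit(data: str) -> int:
    """Compute the 7-3-1 weighted check digit over a field."""
    return sum(_char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(data)) % 10


@dataclass
class Td3Record:
    doc_type: str
    issuing_state: str
    surname: str
    given_names: str
    document_number: str
    nationality: str
    birth_date: str        # YYMMDD as printed in the MRZ
    sex: str
    expiry_date: str       # YYMMDD as printed in the MRZ
    failed_checks: List[str] = field(default_factory=list)

    @property
    def valid(self) -> bool:
        return not self.failed_checks


def parse_td3(line1: str, line2: str) -> Td3Record:
    """Split the two 44-character lines into fields and verify every check digit."""
    if len(line1) != 44 or len(line2) != 44:
        raise ValueError("TD3 MRZ lines must be exactly 44 characters")

    # Line 1: document type, issuing state, then "SURNAME<<GIVEN<NAMES" padded with '<'.
    name_field = line1[5:].rstrip("<")
    surname, _, given = name_field.partition("<<")

    # Line 2 layout (0-based positions), field / check digit:
    # 0-8 document number / 9, 10-12 nationality, 13-18 birth date / 19,
    # 20 sex, 21-26 expiry / 27, 28-41 optional data / 42, 43 composite check.
    checks = {
        "document_number": (line2[0:9], line2[9]),
        "birth_date": (line2[13:19], line2[19]),
        "expiry_date": (line2[21:27], line2[27]),
        "optional_data": (line2[28:42], line2[42]),
        "composite": (line2[0:10] + line2[13:20] + line2[21:43], line2[43]),
    }
    failed = []
    for name, (data, digit) in checks.items():
        # An unused optional-data field may carry '<' instead of a check digit.
        if name == "optional_data" and not data.strip("<") and digit == "<":
            continue
        if not digit.isdigit() or check_digit(data) != int(digit):
            failed.append(name)

    return Td3Record(
        doc_type=line1[0:2].rstrip("<"),
        issuing_state=line1[2:5],
        surname=surname.replace("<", " "),
        given_names=given.replace("<", " "),
        document_number=line2[0:9].rstrip("<"),
        nationality=line2[10:13],
        birth_date=line2[13:19],
        sex=line2[20],
        expiry_date=line2[21:27],
        failed_checks=failed,
    )


if __name__ == "__main__":
    print(parse_td3(SPECIMEN_LINE1, SPECIMEN_LINE2))
    # Flip one digit of the expiry date: the field check and the composite check both fail.
    tampered = SPECIMEN_LINE2[:21] + "120416" + SPECIMEN_LINE2[27:]
    print(parse_td3(SPECIMEN_LINE1, tampered).failed_checks)
```

The same 7-3-1 scheme applies to the three-line TD1 layout used by the German identity card; only the field offsets differ.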

Here are the requirements for legal persons:

  1. Name of the company or trading name
  2. Legal form
  3. Commercial register number (if available)
  4. Address of the registered office
  5. Ownership, including the beneficial owner, and control structure
  6. Purpose of business (if not explicit)

The company’s commercial register or its equivalent can be used to gather the company’s information.

For due diligence checks, BaFin requires entities to consult the FATF’s list of high-risk and monitored jurisdictions and the European Commission’s Delegated Regulation listing high-risk third countries. Information on financial sanctions is available on the Deutsche Bundesbank’s website.

Identity verification procedures

“As well as an appropriate check of specific identification documents presented physically pursuant to section 13 (1) no. 1 of the GwG in conjunction with section 12 (1) sentence 1 no. 1 and no. 5 of the GwG, verification may also be implemented by means of another suitable procedure whose level of security is equivalent to that of physical presentation of documents, section 13 (1) no. 2 of the GwG.”
(Interpretation and Application Guidance)

Identity verification is part of a due diligence check. BaFin allows several methods for verifying a person’s identity, with video identification being a distinctive feature of the German regime.

  1. Electronic identity verification. Remote verification through a KYC/AML platform that checks the identity document electronically.
  2. On-the-spot check of a qualified identification document. The individual personally presents a physical identity document, usually a passport or identity card, or a birth certificate for persons below 16 years of age.
  3. Electronic proof of identity. Holders of a German identity card aged 16 or over can use its online ID function for verification. See the Act on Identity Cards and Electronic Identification or the Residence Act for details.
  4. Qualified electronic signature. For a digital transaction, a qualified electronic signature can serve as identity verification; the signature must be validated.
  5. Video identification procedure. Video identification, as a distinctive feature of ID verification in Germany, requires special attention. BaFin sets strict requirements on how it has to take place, from rules on checking the ID document to the lighting in the person’s room. Here are some of the requirements:
  • Only trained employees may conduct the identification
  • The identification must take place in real time and without interruption
  • The video and audio stream must run over an end-to-end encrypted channel, so that the session stays confidential
  • The image quality must be good enough for the employee to check the ID document and its security features, such as watermarks

BaFin provides full details on the video identification procedure here.

Although CDD is the check companies apply the most, there are some situations when the risk of coming across money laundering is low, so it is possible to conduct simplified due diligence and reduce the checking time. On the contrary, when the risk of encountering financial crimes is high, companies do more complex Enhanced Due Diligence. Let’s delve into the requirements for these two checks.

Simplified and Enhanced Due Diligence (SDD & EDD)

Let’s start with simplified due diligence.

Simplified Due Diligence (SDD)

“Obliged entities that establish that, taking into account the risk factors specified in annexes 1 and 2, certain areas present only a small risk of money laundering or terrorist financing, particularly with regard to customers, transactions and services or products, are only required to fulfil simplified due diligence requirements. Before applying simplified due diligence requirements, obliged entities must ascertain that the business relationship or transaction actually entails a lower risk of money laundering or terrorist financing. For the demonstration of adequacy, section 10 (2) sentence 4 applies mutatis mutandis.”
(The GwG, §14)

BaFin does not prescribe a specific set of information to collect for SDD. Instead, the regulator lets companies reduce the scope of general due diligence to whatever extent is reasonable in view of the lower risk, provided the rationale is documented. In practice SDD is rarely applied, because it is permissible only where the factors in Annex 1 of the GwG indicate a lower risk and no higher-risk factor is present. Enhanced Due Diligence, covered next, is far more common: a business must apply it as soon as even a single higher-risk factor appears.

Enhanced Due Diligence (EDD)

“Obliged entities are to fulfil enhanced due diligence requirements if they find out, through a risk analysis or by taking into account the risk factors specified in annexes 1 and 2 in an individual case, that a higher risk of money laundering or terrorist financing may arise. The obliged entities determine the specific extent of measures to be taken in accordance with the respective higher risk of money laundering or terrorist financing. For the demonstration of adequacy, section 10 (2) sentence 4 applies mutatis mutandis.”
(The GwG, §15)

BaFin singles out three situations that carry a higher risk of money laundering and terrorist financing.

  1. PEP. If the contracting party or a beneficial owner of the client company is a politically exposed person (PEP), a family member of a PEP or a person known to be a close associate of a PEP, EDD must be applied.
  2. Complex or suspicious transactions. Businesses must conduct EDD if the transactions their clients want to make are a) unusually large or complex, b) follow an unusual pattern, or c) have no apparent economic or lawful purpose.
  3. Correspondent relationships with institutions in third countries or with higher-risk institutions in the EU. EDD must be conducted when an obliged entity, typically a financial institution, enters a correspondent relationship with a respondent institution outside the EU, or with one inside the EU that poses a high risk of money laundering or terrorist financing.

Please see the full list of higher-risk factors in Annex 2 of the GwG.

Here are the EDD measures BaFin requires for these three high-risk situations:

  1. PEP: a) a member of senior management must approve the business relationship; b) the source of wealth and source of funds must be established; c) enhanced ongoing monitoring is required.
  2. Complex or suspicious transactions: a) the background and purpose of the transactions must be examined with regard to financial crime; b) enhanced ongoing monitoring must be set up.
  3. Correspondent relationships: a) the respondent institution must be assessed in full (nature of its business, reputation, quality of supervision, AML controls, etc.); b) a member of senior management must approve the relationship; c) before it is established, both sides must document their respective EDD responsibilities; d) no relationship may be maintained with a shell bank; e) payable-through accounts are acceptable only if the respondent has verified the customers with direct access to them and can supply the relevant CDD data on request.

For guidance on identifying PEPs, BaFin points to the FATF’s guidance on PEPs, which discusses sources ranging from internet searches to government-issued PEP lists and commercial databases.
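To make the precedence between the three levels concrete, here is an added example (not code from the guide or from BaFin) that triages a customer or transaction into SDD, CDD or EDD. It follows the rules given above: any higher-risk factor forces EDD, SDD is possible only when nothing but lower-risk indicators is present, CDD is the default, and the €15,000 / €1,000 thresholds decide whether an occasional transaction needs due diligence at all. The factor labels (`pep`, `high_risk_third_country`, and so on) are hypothetical shorthand for Annex 1 and Annex 2 factors, and the measure lists are condensed from the section above.

```python
"""Risk-based due-diligence triage: SDD, CDD or EDD.

Added example, not code from the guide or from BaFin. It encodes a
simplified reading of the rules described in this guide:
  * due diligence is owed for every business relationship, for any
    suspicious transaction, and for occasional transactions above
    EUR 15,000 or transfers of funds above EUR 1,000 (GwG section 10 (3));
  * a single higher-risk factor (Annex 2 style) forces EDD (section 15);
  * SDD is possible only when nothing but lower-risk indicators
    (Annex 1 style) is present (section 14);
  * everything else stays at general due diligence (CDD).
The factor labels are hypothetical shorthand, not statutory wording.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set

OCCASIONAL_TRANSACTION_EUR = 15_000
FUNDS_TRANSFER_EUR = 1_000

# Hypothetical, non-exhaustive labels in the style of Annex 2 (higher risk) ...
HIGH_RISK: Set[str] = {
    "pep",                       # PEP, family member or known close associate
    "high_risk_third_country",   # FATF list / EU Commission delegated regulation
    "complex_or_large",
    "unusual_pattern",
    "no_economic_purpose",
    "correspondent_relationship",
}
# ... and Annex 1 (lower risk).
LOW_RISK: Set[str] = {"eu_listed_company", "public_administration", "low_value_product"}


class Level(Enum):
    SDD = "simplified"
    CDD = "general"
    EDD = "enhanced"


@dataclass
class Subject:
    factors: Set[str] = field(default_factory=set)
    in_business_relationship: bool = True
    amount_eur: float = 0.0
    is_funds_transfer: bool = False
    suspicious: bool = False
    refuses_beneficial_owner_disclosure: bool = False


@dataclass
class Decision:
    level: Optional[Level]        # None: no due diligence owed (below thresholds)
    reasons: List[str]
    measures: List[str]
    file_str: bool = False        # STR to the FIU via goAML


def due_diligence_owed(s: Subject) -> bool:
    """Section 10 (3): when due diligence must be applied at all."""
    if s.in_business_relationship or s.suspicious:
        return True
    if s.amount_eur > OCCASIONAL_TRANSACTION_EUR:
        return True
    return s.is_funds_transfer and s.amount_eur > FUNDS_TRANSFER_EUR


def triage(s: Subject) -> Decision:
    unknown = s.factors - HIGH_RISK - LOW_RISK
    if unknown:
        raise ValueError(f"unknown risk factors: {sorted(unknown)}")

    # Refusing to say whether one acts for a beneficial owner is itself a reporting trigger.
    file_str = s.suspicious or s.refuses_beneficial_owner_disclosure

    if not due_diligence_owed(s):
        return Decision(None, ["occasional transaction below section 10 (3) thresholds"], [], file_str)

    high = sorted(s.factors & HIGH_RISK)
    if high or s.suspicious:
        measures = ["enhanced ongoing monitoring"]
        if "pep" in high:
            measures += ["senior management approval", "establish source of wealth and source of funds"]
        if "correspondent_relationship" in high:
            measures += [
                "assess the respondent's business, reputation and AML controls",
                "senior management approval",
                "document each side's EDD responsibilities before onboarding",
                "no shell banks; payable-through accounts only with verified direct users",
            ]
        if s.suspicious or {"complex_or_large", "unusual_pattern", "no_economic_purpose"} & set(high):
            measures.append("examine background and purpose of the transaction")
        measures = list(dict.fromkeys(measures))   # drop duplicates, keep order
        return Decision(Level.EDD, high or ["suspicious transaction"], measures, file_str)

    if s.factors and s.factors <= LOW_RISK:
        return Decision(Level.SDD, sorted(s.factors),
                        ["reduced scope of verification, with documented rationale"], file_str)

    return Decision(Level.CDD, ["no specific risk factor identified"],
                    ["identify and verify the contracting party", "identify the beneficial owner",
                     "clarify the purpose of the relationship", "ongoing monitoring"], file_str)
```

Note the ordering: the threshold test runs first, so an occasional €500 cash transaction with no suspicion needs no due diligence at all, while a suspicious one of any size goes straight to EDD and an STR.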

Reporting requirements

BaFin supervises several types of reports, starting with the Suspicious Transaction Report (STR), which every obliged entity must file with the FIU whenever a suspicion arises, followed by reports specific to each sector.

Suspicious transaction report (STR)

“(1) If facts exist which indicate that property is related to money laundering or terrorist financing, the supervisory authority reports these facts to the German Financial Intelligence Unit without delay. (2) Subsection (1) applies mutatis mutandis to authorities responsible for supervision of the stock, foreign exchange and financial derivatives markets.”
(The GwG, §44)

One of BaFin’s main functions is to stop financial crime, and the entities it supervises must help it do so. Under section 43 of the GwG, an obliged entity has to report suspicious activities or transactions to the FIU by filing an STR. There are two main situations in which a report is required:

  1. Detection of facts indicating that property is connected to money laundering or terrorist financing
  2. The contracting party does not disclose whether it is acting on behalf of a beneficial owner

The company must file the report even when it is unsure whether the contracting party’s activity is genuinely suspicious. It does not have to investigate; it only has to explain why it considers the activity abnormal. Contacting or questioning the contracting party about the report is not merely inadvisable but prohibited: section 47 of the GwG bans disclosing the report, or an investigation based on it, to the contracting party or to third parties (the tipping-off prohibition), so that evidence is not hidden.

Here is our breakdown on the essentials of submitting the STR:

Person in charge of the submission: the AML officer.
Authority to submit to: the Financial Intelligence Unit (FIU) for detection and prevention of money laundering and terrorist financing (businesses should not ask the FIU for any preliminary review of the report).
Means of submission: electronically, through the “goAML” system (companies need to register on the “goAML” web portal to access the system and file the report).
Time: as soon as the suspicious activity has been detected.

Now that we have covered the STR, let’s turn to the reporting requirements specific to the financial, insurance and market sectors.

Other reporting requirements for financial institutions

There are several reports that financial institutions must submit to BaFin:

  1. Annual reports
  2. External audit reports
  3. Balance sheets
  4. Major changes report (including, for instance, significant changes in the management board)
  5. Large exposures and loans of €1 million or more

Some entities, such as investment service companies, must report all on-exchange and off-exchange dealings in financial instruments. More information can be found in the Banking Act.

Recording and retention requirements

Entities should not underestimate the importance of recording and storing data, since they regularly face external audits and must produce the data whenever asked.

Data to record: a) information collected through due diligence checks, including the results of the risk assessment; b) STRs and other reports; c) virtual IBANs that credit institutions issue to payment service providers.
Recording requirements: BaFin permits copying the documents checked (for instance, a passport) and storing the copies in digital form; such scans satisfy the recording and retention requirements.
Retention period: five years, running from the end of the calendar year in which the business relationship ended or, for other records, in which the information was obtained (section 8 (4) of the GwG). Once the period has expired, the data must be destroyed without delay.

Obliged entities may use the personal data collected solely for the prevention of money laundering and terrorist financing, and they must protect the stored data against unauthorised access and alteration.
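Two of the requirements above pull in opposite directions for an engineer: the records must be protected against alteration so they stand up in an audit, and they must be destroyed without delay once the five years are over. The added Python example below (not code from the guide or from BaFin) resolves this by keeping personal data in a deletable store and entering only its hash, together with the retention deadline, into a hash chain; expired payloads can be deleted while the chain stays verifiable, and any silent edit to a retained record is detected. It assumes the retention period runs from the end of the calendar year in which the relationship ended, as in section 8 (4) of the GwG, and all records in it are constructed.

```python
"""Tamper-evident record keeping with a five-year retention clock.

Added example, not code from the guide or from BaFin. The due-diligence
payload (personal data) lives in a separate store; only its hash enters a
hash chain together with the retention deadline. An auditor can verify the
chain, and expired payloads can be destroyed without breaking it. Retention
is assumed to run five years from the end of the calendar year in which the
business relationship ended (GwG section 8 (4)). Sample records are constructed.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

RETENTION_YEARS = 5
GENESIS_HASH = "0" * 64


def retention_until(relationship_end: date) -> date:
    """Deadline: 31 December of the fifth year after the year the relationship ended."""
    return date(relationship_end.year + RETENTION_YEARS, 12, 31)


def _sha256_json(obj) -> str:
    """Hash a canonical JSON encoding so field order cannot change the digest."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class ChainEntry:
    record_id: str
    payload_hash: str
    retention_until: str   # ISO date
    prev_hash: str
    entry_hash: str


def _entry_hash(record_id: str, payload_hash: str, until: str, prev_hash: str) -> str:
    return _sha256_json({"record_id": record_id, "payload_hash": payload_hash,
                         "retention_until": until, "prev_hash": prev_hash})


class RetentionLedger:
    def __init__(self) -> None:
        self.chain: List[ChainEntry] = []        # append-only, survives purges
        self.payloads: Dict[str, dict] = {}      # personal data, deletable

    def add(self, record_id: str, payload: dict, relationship_end: date) -> ChainEntry:
        if record_id in self.payloads:
            raise ValueError(f"duplicate record id {record_id}")
        prev = self.chain[-1].entry_hash if self.chain else GENESIS_HASH
        p_hash = _sha256_json(payload)
        until = retention_until(relationship_end).isoformat()
        entry = ChainEntry(record_id, p_hash, until, prev,
                           _entry_hash(record_id, p_hash, until, prev))
        self.chain.append(entry)
        self.payloads[record_id] = payload
        return entry

    def verify(self) -> bool:
        """True if every link is intact and every retained payload matches its hash."""
        prev = GENESIS_HASH
        for e in self.chain:
            if e.prev_hash != prev or e.entry_hash != _entry_hash(
                    e.record_id, e.payload_hash, e.retention_until, e.prev_hash):
                return False
            payload = self.payloads.get(e.record_id)
            if payload is not None and _sha256_json(payload) != e.payload_hash:
                return False
            prev = e.entry_hash
        return True

    def purge_expired(self, today: date) -> List[str]:
        """Destroy payloads whose retention deadline has passed; chain entries stay."""
        purged = []
        for e in self.chain:
            if e.record_id in self.payloads and date.fromisoformat(e.retention_until) < today:
                del self.payloads[e.record_id]
                purged.append(e.record_id)
        return purged


def demo() -> dict:
    """Walk through add, verify, purge and a tampering attempt on constructed records."""
    ledger = RetentionLedger()
    ledger.add("cust-001", {"name": "Anna Maria Eriksson", "birth_date": "1974-08-12",
                            "id_type": "passport", "id_number": "L898902C3", "risk": "low"},
               date(2017, 6, 30))
    ledger.add("cust-002", {"name": "Example Ltd", "register_no": "HRB 12345", "risk": "high"},
               date(2020, 11, 2))
    out = {"deadline_001": ledger.chain[0].retention_until,
           "deadline_002": ledger.chain[1].retention_until,
           "initial_ok": ledger.verify()}
    out["purged_2023"] = ledger.purge_expired(date(2023, 1, 1))
    out["after_purge_ok"] = ledger.verify()
    out["payload_001_gone"] = "cust-001" not in ledger.payloads
    ledger.payloads["cust-002"]["risk"] = "low"   # silent edit of a retained record
    out["tamper_detected"] = not ledger.verify()
    return out


if __name__ == "__main__":
    print(demo())
```

Hash chaining alone does not stop an attacker who can rewrite the whole chain; in production the chain head would be anchored externally, for example signed and timestamped at regular intervals.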

Penalties for non-compliance

BaFin ensures that all supervised businesses use suitable prevention systems to protect themselves from money laundering and terrorist financing. However, failing to comply with BaFin may result in fines, license termination, seizure of assets, and even criminal liability.

The regulator imposes administrative fines for breaches in compliance, such as failures in establishing the risk management system, failures in the retention of records and reporting requirements breaches. For serious or systematic violations, a company can receive a fine of up to €1 million or up to twice the economic benefit derived from the breach. In particularly serious cases, penalties up to €5 million can be imposed.

Due to the COVID-19 pandemic and the resulting increase in the online services, BaFin now focuses on information security and compliance with BAIT (Supervisory Requirements for IT in Financial Institutions).

Useful Resources

Here are some helpful materials for a better understanding of BaFin’s requirements for AML & KYC compliance.

  1. BaFin’s official website not only provides insights into the regulator’s work but also contains articles and guidelines on compliance as well as full texts of all relevant legislation.
  2. BaFin’s Interpretation and Application Guidance explains the AML obligations under the GwG and related laws as the regulator interprets them.
  3. The FATF Recommendations on AML/CFT may also be useful since Germany is a part of the Financial Action Task Force.
