BaFin publishes updated interpretation and application guidance on the German Anti-Money Laundering Act and instructions for suspicious activity reports

On 29 November 2024, the German Federal Financial Supervisory Authority (BaFin) published its revised interpretation and application guidance (Guidance) on the German Anti-Money Laundering Act (Geldwäschegesetz – GwG) . This updated version of the Guidance will take effect on 1 February 2025. At the same time, instructions agreed with the Financial Intelligence Unit (FIU) on the concepts of promptness and completeness in suspicious activity reports were published.

Background

The update is based on the money laundering package adopted at EU level in early 2024, which substantially harmonises the legal requirements for preventing money laundering and terrorism financing – see more details in our newsletter of 22 January (article in German). Although the relevant legal acts came into force in June and July of this year, their application dates vary. While Regulation (EU) 2023/1113 (TFR 2023) will apply from 30 December 2024, the provisions of Regulation (EU) 2024/1620 (AML/CFT Regulation) will, with a few exceptions, apply directly from 1 July 2025, while Regulation (EU) 2024/1624 (EU Anti-Money Laundering Regulation) will only apply directly from 10 July 2027; the recast Directive (EU) 2015/849 (AMLD) must be transposed into national law by 10 July 2027.

BaFin is using the upcoming legal changes as an opportunity to align its Guidance with future EU law requirements, clarify certain points, and make editorial adjustments.

Key updates in the revised Guidance are summarised below:

Addressees and changes to obligated parties

Since the addressees of the Guidance and the status as an obligated party under the Anti-Money Laundering Act are determined by the Act itself, BaFin has only limited flexibility to make changes. It makes use of this by removing any restriction of the applicable Anti-Money Laundering Act obligations for payment initiation service providers from the new Guidance. It also emphasises that the obligations under the Anti-Money Laundering Act apply in full to agents and e-money agents, with the exception of the general requirement to appoint an anti-money laundering officer.

Extended risk management requirements

The Guidance specifies requirements for risk analysis including the requirement that the risk factors of money laundering on the one hand and terrorism financing on the other should be considered, determined and documented separately. In addition, the requirements for internal security measures are specified. The Guidance states that credit institutions, payment institutions and e-money institutions must set up appropriate internal procedures to ensure compliance with the obligations arising from the TFR 2023, in particular the new requirements for the transfer of crypto-assets.

Anti-money laundering officer

It is clarified that the deputy anti-money laundering officer may work abroad, provided that it is guaranteed that they will carry out their activities in Germany if they need to step in for the main officer. The anti-money laundering officer does not necessarily need to speak German; it may be sufficient for their deputy to be able to speak German, provided this does not lead to delays in carrying out the anti-money laundering officer’s statutory duties.

At least for credit institutions, the specification of the anti-money laundering officer’s duties in the Guidance should require few practical adjustments, as it is already common practice to record the subject matter, scope, responsibilities and frequency of the individual monitoring activities of the Anti-Money Laundering Act requirements in writing, in a monitoring plan for example.

Whistleblowing

The Guidance provides new explanations regarding whistleblower requirements under the Anti-Money Laundering Act, the German Whistleblower Protection Act (Hinweisgeberschutzgesetz) and the TFR 2023. Although the requirements of the various statutes can be integrated by setting up a single internal reporting office, the validity of requirements which differ in some details must be noted. While section 6(5) of the Anti-Money Laundering Act provides for confidential reporting, Article 32(2) of the TFR 2023 requires an option for anonymous reporting.

Shorter deadlines for updating for customer data

A significant change in the updated Guidance concerns updating customer data.The maximum periods for updating customer data (fifteen years for customers subject to simplified due diligence obligations and ten years for customers subject to ‘normal’ due diligence obligations) have been removed. In accordance with Article 26(2) of the EU Anti-Money Laundering Regulation, there is no maximum period for the first customer group but a risk-appropriate update instead, while for the second customer group the time interval between customer information updates should be a maximum of five years. For customers subject to enhanced due diligence obligations, the maximum permissible interval between updates is shortened from two years to one year.

The significance of these changes in the Guidance and the resulting pressure to take action is put into perspective by the fact that the requirements must be implemented from the date the EU Anti-Money Laundering Regulation comes into force, i.e. from 10 July 2027. Of course, institutions ought to prepare their processes for the new requirements now to avoid an almost unmanageable backlog of necessary updates in 2027.

Clarification and identification of beneficial owners

The new explanations in the Guidance on dealing with beneficial owners introduce changes to collective trust accounts that appear to be particularly relevant in practice. Although it has long been acknowledged that credit institutions could maintain collective trust accounts for payment institutions or e-money institutions with which they could fulfil their obligations under section 17 of the German Payment Services Regulation Act (Zahlungsdiensteaufsichtsgesetz – ZAG), the relief for the account-holding credit institutions was limited to simplified due diligence obligations for the customers of the payment institutions or e-money institutions. Now, with reference to the explanatory memorandum to the recent amendment to section 1(21) of the Anti-Money Laundering Act, it is stated that in such cases, the end customers are generally not to be recorded as beneficial owners because the principles for correspondent banking business should apply. However, it should be remembered that a risk assessment in individual cases can also justify special due diligence obligations in domestic correspondent banking business. In addition, the Guidance points out that the obligations arising from the BaFin general disposition ordering data to be saved in a file system pursuant to section 24c(1) of the German Banking Act (Kreditwesengesetz – KWG) in connection with the issuing of virtual IBANs still apply. As this general disposition also stipulates recording the end customers, the practical simplifications of the changes made could be qualified.

Special features for factoring

The new Guidance also addresses particularities of the factoring business. Firstly, the Guidance includes what was already known from the joint interpretation and application guidance of the DFV and BFM for factoring companies from 2012, namely that the institution typically does not maintain a contractual relationship with the debtors (unlike in the case of reverse factoring) and therefore does not have to fulfil the general due diligence obligations of section 10(1)(1)-(4) of the Anti-Money Laundering Act. However, it is then clarified that the obligation to continuously monitor business relationships in accordance with section 10(1)(5) of the Anti-Money Laundering Act also covers payments from debtors. Furthermore, the necessity of increased due diligence obligations in accordance with section 25k(2) of the Banking Act is also highlighted in the event that the institution waives credit checks on debtors and does not know them, provided that increased money laundering risks are identifiable. However, there is no explanation of how this should work in practice.

Special features for crypto-asset transfers

Business-specific features are also addressed for crypto-asset transfers. With reference to the new obligations in the TFR 2023, it is stated that the use of dedicated software is essential to meet these requirements with a corresponding number of transactions. This is also emphasised once again in the comments on ongoing transaction monitoring in accordance with section 10(1)(5) of the Anti-Money Laundering Act.

Changes to the system for reporting suspicious activity

The Guidance on reporting suspicious activity under Section 43 of the Anti-Money Laundering Act begins by referencing recent interpretation aids. These aids define circumstances that do not trigger a reporting obligation and outline the supervisory authority’s expectations regarding the promptness and completeness of suspicious activity reports. The clarification that a discrepancy report in accordance with section 23a of the Anti-Money Laundering Act is not the same as the necessity to submit a suspicious activity report should prove helpful for institutions.

The Joint Guidance published at the same time by BaFin and the FIU clarifies that in the event of a suspicion pursuant to section 43(1) of the Anti-Money Laundering Act, the suspicious activity report must be submitted on the same working day or the next working day at the latest, unless more time is needed to gather background information and to describe the business relationship and transaction so that the suspicious activity report can be understood and analysed by the FIU. It is also clarified that obligated parties may further clarify the facts if certain anomalies have been recognised but have not yet reached the (low) threshold for suspicion laid down in section 43(1) of the Anti-Money Laundering Act.

In line with previously communicated expectations, BaFin emphasises in the Guidance that although a transaction may generally be authorised after the third working day following the submission of a suspicious activity report, provided that no prohibition has been issued by the competent authority, the institution may need to continue to suspend the transaction if there are indications of money laundering or terrorism financing. Although this may be compatible with the wording of section 46(1) of the Anti-Money Laundering Act (‘may be carried out at the earliest’), in view of increasingly critical case law, the risk of the account being blocked for too long is shifted to the obligated parties in a questionable manner.

The Guidance also revises an institution’s obligations after submitting a suspicious activity report. If, for example, it does not receive any feedback within 21 calendar days that the report has been earmarked for further analysis in accordance with section 43(1) sentence 1 no. 1 and no. 3 of the Anti-Money Laundering Act, it will not be mandatory to apply enhanced due diligence obligations from that point onwards. However, institutions are to apply enhanced due diligence obligations to the customer concerned for a period of at least six months, even without feedback from the FIU, in the event of a report of suspected terrorism financing.

Miscellaneous

Additional changes serve as clarifications and integrate into the Guidance what BaFin had previously communicated in other contexts. For instance, it is emphasised that notwithstanding the provisions on simplified due diligence obligations, the documents used to verify the data collected in accordance with section 12 onwards of the Anti-Money Laundering Act must be available in the original, unless an exception is permitted by law.

Conclusion

The new Guidance presents significant challenges for obligated parties subject to BaFin oversight. These entities should carefully analyze their specific business operations to determine whether and to what extent internal measures to prevent money laundering and terrorist financing need to be adjusted. While many changes reflect mere editorial revisions or codifications of existing administrative practices – requiring no immediate action – in other areas, the Guidance introduces important new priorities that may require adjustments to internal organization.

Institutions are therefore strongly advised to review the new Guidance in detail and assess whether modifications to their compliance frameworks are required. The updated Guidance serves as a reminder that AML/CTF compliance remains a highly dynamic and evolving field, with no indication that this pace of change will slow anytime soon.