a) Scope and applicability
The guidance applies to all obliged entities under BaFin supervision, including crypto asset service providers (CASPs) and specific issuers of asset-referenced tokens, as defined in MiCAR. Notably, the previous exemption for payment initiation service providers has been removed. These entities must now comply fully with the GwG, including general and enhanced due diligence, internal safeguards, and risk assessments.
b) Risk analysis - restructured
The risk analysis under § 5 GwG is now divided into a clear four-step methodology:
1. Inventory of business activities, customer base, products, and services – ideally illustrated (e.g. with tables or graphs).
2. Risk identification using internal data and external sources (FIU typologies, EBA guidelines, FATF reports, EU supranational risk assessment).
3. Gross and net risk assessment – gross before applying mitigation measures, net after, taking effectiveness into account.
4. Definition of specific mitigation measures tailored to the business model.
A separate assessment of money laundering and terrorist financing risks is explicitly required. The methodology must be documented, and results summarised in a management summary.
c) Internal safeguards
aa) Obligation to implement the Funds Transfer Regulation (GTVO)
Financial sector entities – including banks, PSPs, and CASPs – must ensure compliance with the GTVO, effective 30 December 2024, as part of their internal safeguards.
bb) Organisation and role of the MLRO
Appointment/removal of the MLRO or deputy must be reported at least two weeks before the role begins/ends.
Responsibilities, powers, and any division of duties must be documented. A deputy may live abroad but must be available to act in Germany if needed.
The MLRO must prepare a control plan with audit-proof documentation.
cc) Internal whistleblowing unit
A single internal whistleblowing unit is sufficient to meet the requirements of the GwG, HinSchG, and GTVO. Unlike under HinSchG, this is mandatory regardless of staff size. Under GTVO, anonymous reporting must be enabled.
dd) Outsourcing
BaFin confirms: outsourcing an internal safeguard under § 6(7) GwG is always considered material outsourcing within the meaning of § 25b KWG, § 26 ZAG, § 40 WpIG, or § 32 VAG. Outsourcing to providers based in high-risk third countries is generally prohibited.
d) Customer due diligence (CDD)
aa) Indications of business relationships
A business relationship exists only if the contact is intended to be ongoing; mere contract initiation is not sufficient. The specific circumstances are decisive: even a short time frame may point to an ongoing relationship, and irregular contacts may also qualify.
bb) Verification of customer information
All documents used for identification – not only ID cards, but also guardianship orders or birth certificates – must be checked as originals. This creates new practical challenges for obliged entities.
cc) Verification of company register extracts
Commercial register extracts (or equivalents) must be no older than three months at the time of first processing. For foreign registers, equivalence with German registers must be assessed in advance – easy within the EU, more demanding for third countries.
dd) Identifying beneficial owners
Where a discrepancy report has been filed, doubts exist, or the risk is elevated, entities must consult several sources, such as the articles of association or shareholder lists.
A direct inquiry with the customer is required – merely consulting registers or databases is not enough. Whether to collect additional data (e.g. country of residence) is to be decided risk-based.
BaFin also clarifies: an acknowledgement from the Transparency Register is not proof of registration.
ee) Politically exposed persons (PEPs)
Entities must independently determine whether a customer or beneficial owner is a PEP, even in addition to the official EU PEP list.
ff) Ongoing monitoring
In factoring, all inflows and outflows must be continuously monitored. CASPs must use blockchain analysis tools and implement electronic transaction monitoring when exchanging crypto for fiat currency.
gg) Shortened KYC data update intervals
Update intervals for customer information are now shorter:
- Enhanced due diligence: annually
- General due diligence: every 5 years
- Simplified due diligence: risk-based
hh) Self-hosted wallets: enhanced due diligence
For transactions to/from self-hosted crypto addresses, entities must assess and mitigate ML/TF/sanctions risks under § 15a GwG. BaFin allows flexibility (e.g. blockchain tools), but screenshots are not acceptable proof.
e) Record-keeping obligations
Digital copies of ID documents are permitted but must be created by the obliged entity itself. Copies provided by customers – even if previously verified in person – are not allowed. The entity's own scanning process must be audit-proof.
f) Suspicious activity reports and due diligence
A discrepancy report under § 23a GwG does not in itself constitute a suspicious activity under § 43 GwG. Therefore, no SAR obligation arises from it alone.
When a SAR is submitted, enhanced due diligence applies (§ 15(2) GwG). If no response from the FIU is received within 21 days, and no further risk is present, these enhanced measures may lapse — except for terrorist financing, where they must remain in place for at least six months.
BaFin also clarifies the three-day rule under § 46 GwG: After three working days, transactions must generally be released unless there is a formal prohibition or an overriding suspicion of money laundering or terrorist financing.
Note: For a detailed analysis, see the article by our experts Markus Haufellner, Dr. Lars Haffke, and Emilie Heinrichs in BKR: Haufellner/Haffke/Heinrichs, “Current developments in anti-money laundering law”, Zeitschrift für Bank- und Kapitalmarktrecht (BKR), 2025, p. 392.