a) Target group and application
The guidance applies to all obliged entities subject to BaFin supervision - expressly including providers of crypto asset services and certain issuers of asset-backed tokens (see corresponding MiCAR regulations). At the same time, the previous exemption for providers of payment initiation services has been cancelled. These providers are now subject - without restriction - to all obligations of the AMLA. In particular, they must therefore also implement general and enhanced due diligence obligations, internal security measures and risk analyses.
b) Risk analysis - restructured
The risk analysis in accordance with Section 5 GwG has been converted into a clearly structured four-step methodology:
1. Inventory of the specific business activity, customer structure, products and services - ideally with supporting illustrations (e.g. tables, graphics).
2. Risk identification, taking into account all internal information and external sources such as FIU typologies, EBA guidelines, FATF reports or the supranational risk analysis of the European Commission.
3. Gross and net risk assessment: gross risks before the application of measures and net risks after the application of measures, taking into account their effectiveness.
4. Derivation of concrete measures for risk management, tailored to the business model.
Particular emphasis is placed on the necessary separate consideration of money laundering and terrorist financing risks. In addition, the chosen methodology must be documented, and the results should in future be presented in a management summary.
c) Internal security measures
aa) Obligation to implement the GTVO
Obligated parties from the financial sector - in particular credit institutions, payment service providers and crypto asset providers - are now also obliged to ensure compliance with the Money Transfers Regulation (GTVO), which has been in force since 30 December 2024, in their internal security measures.
bb) Organisation and position of the anti-money laundering officer
The appointment or dismissal of the Anti-Money Laundering Officer (AMLO) and his/her deputy is usually two weeks before the start or end of the activity.
Tasks, authorisations and responsibilities are to be set out in writing, as is any division of labour with the deputy. The latter may live abroad, but must be active in Germany in the event of representation.
In addition, the AMLO (GWB) has a control plan whose contents and results must be documented in an audit-proof manner.
cc) Internal reporting office (whistleblowing)
A single internal reporting office fulfils the requirements of the AMLA, AMLA and GTVO. In contrast to the HinSchG, it is mandatory under the GwG regardless of the number of employees. Obligated parties under the GTVO must also enable anonymous reporting.
dd) Outsourcing
BaFin clarifies: The outsourcing of an internal security measure in accordance with Section 6 (7) GwG is always deemed to be significant outsourcing within the meaning of § 25b KWG, § 26 ZAG, § 40 WpIG or outsourcing of an important function and insurance activity in accordance with § 32 VAG. Outsourcing to service providers based in high-risk countries is generally not permitted.
d) Customer due diligence obligations
aa) Indications of business relationships
A business relationship is only established if the contact is intended to last for a certain period of time. A mere contract initiation is not sufficient. The circumstances of the individual case are decisive: a close temporal connection can speak in favour of permanence, but even irregular contacts can establish a business relationship in individual cases.
bb) Verification of customer information
BaFin clarifies: All documents used for identification - i.e. not only ID cards, but probably also care certificates or birth certificates - must be checked in the original. This presents obliged parties with new practical challenges.
cc) Verification of register extracts of legal entities
BaFin requires that extracts from the commercial register or equivalent documents used to identify legal entities be not older than three months. The date of initial processing by the obligated party is decisive. In addition, for foreign registers, their equivalence with German registers must be reviewed in advance. While this is usually unproblematic within the EU, the review of third countries places new requirements on the obligated parties.
dd) Information on beneficial owners
BaFin requires that various sources such as articles of association or shareholder lists be used to clarify beneficial owners if there is an obligation to submit a discrepancy report, doubts about information or an increased risk of money laundering.
Simply consulting public registers or credit agencies is not sufficient for identification purposes; the information must be collected directly from the contractual partner, for example through questioning. The obligated party must decide on a risk-based basis whether other data (e.g. country of residence) is collected in addition to the name.
BaFin also clarifies: A notification of receipt from the Transparency Register does not constitute proof of registration in the Transparency Register.
ee) Politically exposed persons (PeP)
The obligated parties must independently check whether a customer or beneficial owner is to be classified as a PeP - independently of or in addition to the official EU PeP list.
ff) Continuous monitoring
In factoring, all payment flows (incoming and outgoing payments) must be monitored continuously. Providers of crypto asset services must use blockchain analysis software and operate a computerised system for full transaction monitoring when exchanging crypto assets for fiat money.
gg) Shortened update periods for KYC data
The deadlines for updating customer information will be significantly shortened:
- For enhanced due diligence obligations: annually.
- For general due diligence obligations: every 5 years.
- For simplified due diligence obligations: risk-based.
hh) Self-hosted wallets: Increased due diligence obligations
For transactions from or to self-hosted crypto addresses, obliged entities must assess and minimise the risks of money laundering, terrorist financing and sanction evasion in accordance with Section 15a AMLA. BaFin provides for a broad scope of discretion in this regard - for example for the use of blockchain analysis tools. However, simply having a screenshot presented in order to check the wallet is not permitted.
e) Retention obligations
Digital copies of identity documents are permitted, but must be made by the obligated party itself. The filing of a copy provided by the customer - even in the case of prior on-site inspection - is not permitted. The self-production should be documented in an audit-proof manner.
f) Suspicious activity reports and due diligence obligations
A discrepancy report in accordance with Section 23a AMLA does not in itself constitute a suspicion within the meaning of Section 43 AMLA and therefore does not entail a duty to report suspicions.
In principle, enhanced due diligence obligations apply when submitting a suspicious activity report (Section 15 (2) AMLA). In the event of suspicion of money laundering or due to missing information on the beneficial owner, enhanced due diligence obligations may cease to apply after 21 days - provided the FIU does not provide feedback in accordance with Section 41 GwG and no further risks exist. In the case of terrorist financing, however, enhanced due diligence obligations must be applied for at least six months.
With regard to the standstill obligation (Section 46 GwG), BaFin now clarifies: After the expiry of the three working days, the transaction is usually to be released, provided that no official prohibition exists and there is no suspicion of money laundering or terrorist financing.
For a detailed analysis, see the article by our experts Markus Haufellner, Dr Lars Haffke and Emilie Heinrichs in BKR (Haufellner/Haffke/Heinrichs, "Aktuelle Entwicklungen im Geldwäscherecht", Zeitschrift für Bank und Kapitalmarktrecht (BKR), 2025, 392).