AML Compliance Guidelines: Germany
To help firms comply with Germany’s Regulatory Guidelines, AML Watcher offers a comprehensive framework of AML risk assessment, reporting, and practical ways to tackle money laundering risks.
Germany, a leader in entrepreneurship culture, is the engine of the EU economy. With its industrial power and financial strength, it drives the region. As the largest economy in the Union and third globally, Germany powers much of Europe’s innovation and growth.
Germany’s scale of global trade, open economy, advanced and complex financial system, booming real estate, and preference for cash, if left unguarded, create a fertile ground for money laundering, terrorist financing, and sanctions evasion. To guard against those seeking to exploit vulnerabilities in its financial and economic system, Germany has implemented substantial anti-money laundering and counter-terrorism financing (AML/CFT) defenses.
Overview of the German AML Regulatory Framework
Germany’s robust AML/CFT strategy consists of a legal framework that incorporates EU Directives in its Money Laundering Act (GwG) and Criminal Code (StGB), further shaped by the international standards set by the Financial Action Task Force (FATF), and a supervisory framework steered by BaFin (Federal Financial Supervisory Authority) and the German Financial Intelligence Unit (FIU). The Deutsche Bundesbank, the Federal Office for Economic Affairs and Export Control (BAFA) and the newly established Central Office for Sanctions Enforcement (ZfS), by contrast, are concerned with sanctions enforcement.
BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht)
Federal Financial Supervisory Authority, or BaFin, is the primary regulatory body overseeing financial institutions and ensuring compliance with Germany’s AML laws. BaFin has extensive powers such as issuing licenses, conducting inspections, and taking enforcement actions against non-compliant entities.
FIU – Zentralstelle für Finanztransaktionsuntersuchungen (ZFI)
Situated within the General Customs Directorate (Zollkriminalamt – ZKA), the German FIU is responsible for collecting and analyzing suspicious transaction reports related to terrorist financing and money laundering in Germany. The FIU then disseminates relevant intelligence to law enforcement agencies.
Money Laundering Act (Geldwäschegesetz — GwG)
The Money Laundering Act, known as “Geldwäschegesetz” (GwG) in Germany, is a set of laws and regulations designed to combat money laundering and terrorist financing. These regulations are in line with international standards and are intended to prevent illicit funds from entering the financial system.
Obliged Entities
As per section 2 of the German Anti-Money Laundering Act, the following entities are obliged to combat money laundering and terrorism financing (AML/CFT compliance) in Germany:
- Banks
- Digital Asset Service Providers
- Payment Institutions
- Credit Institutions
- Insurance Undertakings
- Insurance Intermediaries
- Financial Companies
- Agents, as defined in the Payment Services Supervision Act
- Asset Management Companies
- Lawyers and Legal Advisors
- Patent Notaries and Attorneys
- Auditors, Chartered Accountants, Tax Advisors and Authorised Tax Agents
- Trust and Company Service Providers
- Estate Agents
- Gambling, Betting and Lottery Operators
- Goods Traders (commercial trade of goods which stand out from everyday use or purchases due to their quality, value or price), which particularly include traders in:
  - Precious Metals such as Gold, Silver and Platinum
  - Jewelry, Watches and Clocks
  - Precious Stones
  - Works of Art and Antiques
  - Motor Vehicles, Ships and Motor Boats and Aircraft
Key AML Compliance Obligations
Risk Management
Obliged entities are required to have an effective risk management system that is suitable to the nature and size of their business. This risk management system consists of a risk assessment under section 5 and internal safeguards under section 6 of the German Anti-Money Laundering Act.
In particular, goods traders are required to have effective risk management systems if they make or receive cash payments of at least €10,000 in one transaction.
Risk Assessment
Section 5 of the GwG requires obliged entities to perform an analysis of the money laundering and terrorism financing risks associated with their business activity. When performing the risk analysis, pay particular attention to the national risk assessment as well as the following risk factors:
Factors of potentially lower risk
- Customer risk factors (Public companies, Companies listed on regulated exchanges, Customer domiciled in lower risk jurisdiction)
- Product or service risk (low premium life insurance policies, insurance policy for pension schemes)
- Delivery channel risk (In-person)
- Geographical risks (Member states, third countries deemed to have effective AML monitoring)
Factors of potentially higher risk
- Customer risk factors (complex ownership structures, cash-intensive businesses, personal asset-holding vehicles, customers resident in a geographical area of higher risk)
- Products or services risk (Private banking products, products or services favoring anonymity)
- Delivery channel risk (non-face to face business relationship, payments received from unknown third parties)
- Geographical risk factors (countries identified by FATF or similar bodies as having strategic deficiencies in their AML/CFT systems, countries subject to EU or UN sanctions or embargoes, countries known to have high corruption or other criminal activity)
Customer Due Diligence (CDD)
Institutions and persons, as detailed in section 2 (1), are required to:
- Identification and Verification: Identifying and verifying customers, including any representative acting on customer’s behalf as well as verifying if the representative is authorized by the customer.
- Beneficial Owner: Assessing if a customer is acting on behalf of a beneficial owner and, if so, identifying and verifying the beneficial owner. If the customer is a legal entity, identifying its ownership and control structure.
- Purpose of Business: Assessing the purpose and intended nature of the business relationship or obtaining further information from the client where required.
- PEP Identification: Determining if the customer or beneficial owner is a politically exposed person (PEP), a family member or a close associate of a PEP, through appropriate, risk based procedures.
- Ongoing Monitoring: Continually observe the business relationship and ensure all transactions are in line with the institution’s knowledge of the client, beneficial owner, their business activity and source of wealth, where applicable. Update relevant documents and information at appropriate intervals.
Identifying Beneficial Owner
Under section 3 of the GwG, a beneficial owner is:
- A natural person who ultimately owns (25% share capital) or controls (25% voting rights) the contracting party, or exercises control directly or indirectly in an equivalent manner
- A natural person who ultimately instructs execution of a transaction or establishment of a business relationship
In particular, indirect control is deemed to exist if a natural person has dominant influence over one or more associations holding the aforementioned percentage of shares. If the identity of the beneficial owner can’t be established even after extensive investigations, the beneficial owner is assumed to be the legal representative, managing partner or partner of the contracting party.
Due Diligence Must be Conducted
- Establishing a Business Relationship: Anytime a new business relationship is formed.
- Transactions Beyond Set Threshold:
  - For transactions exceeding EUR 15,000, or cumulative transactions suspected to be linked reaching this amount.
  - This also applies to transfers outside of an existing business relationship exceeding EUR 1,000, referencing Regulation (EC) No 1781/2006.
- Suspected Illegal Assets: If there are signs that a property is a result of a crime, or intended for money laundering, or terrorist financing.
- Doubts about Information: If there’s uncertainty about completeness and correctness of identification data of a client, beneficial owner or representative of the client.
Risk-Based Approach (RBA)
The extent of the due diligence measures adopted by an obliged entity must correspond with the risks of money laundering and terrorist financing associated with a particular customer, business relationship or transaction.
When evaluating the risks, obliged entities should take into account at least the following:
- the purpose of the account or the business relationship,
- the level of assets deposited by the customer or the size of the transactions carried out,
- the regularity or the duration of the business relationship.
Obliged entities should be able to justify that the extent of due diligence measures adopted is appropriate to the ML/TF risks when requested by the competent authorities.
Simplified Due Diligence
Obliged entities can apply simplified due diligence if they determine that only low ML/TF risks are present in certain areas. When determining the ML/TF risks, the obliged entity must consider risks associated with the products or services offered, the delivery channel used, customer types, and geographical connections. These simplified measures include:
- Reducing the application of general due diligence measures to an appropriate extent
- In particular, allowing more relaxed verification than that mentioned in sections 12 and 13 of the GwG
- Monitoring the business relationship and transactions to an extent which allows detecting any change in the risk profile of the customer
Simplified due diligence measures are not applicable if there’s information suggesting that a specific transaction or business relationship isn’t low-risk in terms of money laundering or terrorist financing.
Enhanced Due Diligence (EDD)
In scenarios where there’s a potential for higher risk of money laundering or terrorist financing, institutions and individuals governed by this Act must implement additional risk-appropriate enhanced due diligence measures. Some scenarios of high risk situations include:
- Where a client or beneficiary is a PEP, or a family member or close associate of a PEP
- Where a client or beneficiary, whether natural or legal, is domiciled in a country on the EU’s list of high-risk third countries
- If a transaction is complex, unusually large or lacks any apparent economic reason
If a high ML/TF risk situation is identified, the obliged entity should at least take the following measures:
- Obtaining senior management approval for continuing or commencing business relationship
- Establishing the source of funds involved in business relationship or transaction
- Enhanced ongoing monitoring of the business relationship or transactions
Politically Exposed Persons (PEPs)
- Institutions and individuals must adopt appropriate risk-based procedures to determine if the contracting party or beneficial owner is a PEP, an immediate family member, or close associate of such a person.
- Under the GwG, a PEP is defined as any person who is or who has been entrusted with a high-ranking prominent public function at international, European or national level.
- Public offices below the national level typically aren’t seen as having prominent public functions unless they hold political significance comparable to national level roles.
- Due diligence in this context encompasses:
  - a) Obtaining senior management approval for a business relationship
  - b) Measures to identify the origin of assets or property involved
  - c) Continuous enhanced monitoring of the business relationship
- If the PEP status of a party is only known after the establishment of the business relationship, superior approval is needed for its continuation.
- Obliged entities should continue to apply EDD measures for 12 months after a PEP ceases to hold the position, or for as long as the obliged entity deems necessary based on the assessed risks.
Reporting
Obliged entities are required to file a suspicious activity report with the financial intelligence unit (FIU) immediately after they become aware of facts which indicate that:
- The funds are derived from a criminal activity categorized as a predicate offence for money laundering
- A transaction or an asset is related to terrorist financing
- A customer has failed to fulfill the obligation to disclose to the obliged entity the fact that he/she intends to act or is acting on behalf of a beneficial owner.
AML Compliance for Crypto Assets Service Providers (CASP)
Following the introduction of MiCAR, CASPs must obtain licensing and authorization from the relevant authorities before commencing operations. When applying for a license, a CASP must submit, inter alia, a description of its internal controls, policies and procedures to ensure compliance with AML/CFT laws, as well as a description of the risk assessment framework used to manage ML/TF risks. The phased implementation of the MiCA Regulation is set to conclude by December 30, 2024. CASPs are obligated to ensure their clients, beneficial owners, counterparties (payer/beneficiary), and beneficiary institutions are not targets of restrictive measures or sanctions, or part of criminal activities. Sanctions and AML screening can help CASPs effectively fulfill their obligations under AML/CFT and sanctions regulations and avoid financial penalties and reputational damage.
Sanctions Compliance in Germany
The German legal framework for sanctions is detailed in the Foreign Trade and Payments Act (Außenwirtschaftsgesetz – AWG). The German Federal Bank (Deutsche Bundesbank) is the competent authority for the implementation of financial sanctions (freezing of assets) and is authorized to conduct onsite examinations or request additional information or documents in this regard. Moreover, the German Federal Office of Economics and Export Control (Bundesamt für Wirtschaft und Ausfuhrkontrolle or BAFA) is responsible for ensuring compliance with economic sanctions (related to the import and export of goods or services).
Restrictions on assets and financial transactions are imposed in Germany under the following regulations:
- EU restrictive measures adopted by EU Council decisions (EU Sanctions)
- UN Security Council Resolutions (UN Sanctions)
- Temporary Individual Interventions (Domestic or Unilateral Sanctions)
Any person who contravenes any provisions of the AWG could face penalties for administrative and criminal offences. Sections 17 and 18 outline penalties for criminal offences, which are punishable by up to 10 years imprisonment, whereas section 19 contains provisions for administrative offences, which are punishable by a fine up to a maximum of EUR 500,000.
Sanctions Compliance Guidelines and Best Practices
The German Central Bank’s guidelines for the financial sector provide a detailed outline for developing an effective sanctions compliance program by taking into account the specific needs of certain industries. In addition, the European Banking Authority (EBA) guidelines for sanctions are also directly applicable in Germany if not explicitly excluded. Some best practices provided in these guidelines include:
Governance Framework and Training
Define roles, responsibilities and functions of the senior management, senior staff and other employees. Provide training and awareness to staff to ensure they’re aware of their roles, responsibilities, functions and are adequately equipped to perform their functions.
Sanctions Risk Exposure Assessment
An effective risk assessment should be able to demonstrate the extent to which each business area is exposed to sanctions or vulnerable to circumvention of sanctions.
By taking into account product and service risk, delivery channel risk, customer risk and geographical risk, it should make it possible to identify and understand:
- Which sanctions regimes apply to the business
- Likelihood of breaching sanctions
- Impact of sanctions breaches
Internal Controls and Procedures
Implement appropriate techniques, procedures and methods in all business areas and processes affected by financial sanctions that match the updated sanctions risk exposure. These controls, policies and procedures should at least include:
- screening new customers or beneficiaries or related parties
- screening transactions (payer, beneficiaries, or other persons involved in any transaction)
- screening existing customers on a periodic and ad hoc basis
- screening customers in the event of any additions or changes to sanctions lists
- reviewing potential matches and reporting any true matches to competent authorities
IT Based Screening Systems
Institutions/enterprises are expected to adopt IT based sanctions screening systems or other procedures — suitable to the operational needs, risk levels and type of business activity — in order to facilitate immediate freezing or blocking of assets, transactions, securities or accounts in the event of new or any existing listings to ensure compliance with financial sanctions.
Internal Audit
Perform internal audits and reviews at regular intervals to ensure business activities and processes are effectively compliant with financial sanctions, and incorporate any updates recommended.
Documentation
Document policies, procedures and compliance activities related to financial sanctions. Ensure the documentation is up to date and available for review by the authorities.
Supply Chain Act Compliance in Germany
The Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz – LkSG) deals with the obligations of German organizations to respect human rights in the global supply chain. It outlines the corporate due diligence obligations of German enterprises with at least 1,000 domestic employees. The Federal Office for Business and Export Control (BAFA) is the competent authority, with extensive powers to monitor, examine and enforce compliance with the obligations under the LkSG. The Supply Chain Act strengthens human rights such as the right to a fair wage, occupational safety and health, and forming workers’ or trade unions, as well as protection against child labour, forced labour, slavery, discrimination, land grabbing and environmental crimes.
The Supply Chain Act outlines clear due diligence obligations which require companies to:
- Establish a risk management system
- Determine in-house responsibilities
- Conduct periodic risk analyses
- Submit and publish a policy declaration
- Outline preventive measures to avoid violations of human rights-related and environmental obligations
- Define remedial actions (for identified violations)
- Establish a complaint procedure
- Document and report supply chain risk management
If an enterprise fails to apply the due diligence obligations mandated by the Supply Chain Act, BAFA is authorized to impose administrative penalties. These penalties can be as high as 8 million euros or 2% of the annual global turnover; a fine based on annual turnover is only applicable to companies with an annual turnover of more than 400 million euros.