Update of the interpretation and application notes on the Money Laundering Act

In particular, the AuA was adapted to the following laws:

• Future Financing Act
• Whistleblower Protection Act
• Drafts of the Financial Crime Prevention Act and the Financial Market Digitalisation Act.

The provisions of the EU Money Laundering Directive have not been anticipated before their effective date of 10 July 2027.

The changes in the revised AuA essentially relate to the following areas:

Risk assessment: Differentiation between money laundering and terrorist financing

The Due Diligence Requirements clearly distinguish between money laundering and terrorist financing in the risk identification and assessment. While money laundering involves funds from illegal sources that are channelled into legal money cycles, terrorist financing often involves funds from legal sources that flow into criminal networks. Furthermore, the transaction volumes engaged in terrorist financing can be very small in some cases. Therefore, a differentiated consideration and assessment of the risks are necessary to develop targeted measures to combat both offenses.

Risk analysis: Presentation of the applied method

The obligated parties must document their risk analysis per Sec. 5 (2) GwG. To ensure the traceability of the risk analysis, it is now explicitly required that the methodology applied is also presented.

Integration of media reports in risk identification

Taking media reports into account per Sec. 5 (1) 2 GwG (so-called adverse media screening) is effectively mandatory via the AuA. This measure supplements the existing screening of politically exposed persons (PEP) and sanctions lists and is intended to provide additional evidence for transaction monitoring.

Proof of registration when identifying the beneficial owner

If the contracting party states that it is acting on behalf of one or more beneficial owners, the obliged entity must identify the beneficial owner(s). The so-called confirmation of receipt from the German Transparency Register does not constitute proof of registration within the meaning of Article 1(9)(a) of the amended 4th European Money Laundering Directive, as there is no guarantee that the data listed here will be entered in the Transparency Register.

Immediacy and completeness of the submission of a report according to Sec. 43 GwG

The AuAs refer to specific information from the Financial Intelligence Unit (FIU) or BaFin regarding the quality requirements for suspicious activity reports, whereby particular reference is made to the Joint Guidance of BaFin and the FIU dated 29 November 2024 on the terms 'immediacy' and 'completeness' of a suspicious activity report according to Sec. 43 GwG.

Enhanced due diligence requirements after filing a suspicious activity report

The application of enhanced due diligence requirements solely based on a suspicious activity report according to Sec. 43 (1) 1 no. 1 and 3 GwG are no longer necessary if no further anomalies occur after the report has been filed and the obliged entity has not received a response from the FIU within 21 calendar days. However, should new suspicious activities arise or the FIU report further operational analyses, the enhanced due diligence requirements must continue to be applied. The duration of the application is at the risk-based discretion of the obligated party.

However, the previous rules remain unchanged for reports of suspicious activity according to Sec. 43 (1) 1 no. 2 GwG that indicates terrorist financing. In such cases, the enhanced due diligence requirements must continue to be applied for at least six months, regardless of whether or not the FIU provides feedback.

Recommendation to inform in the event of an intended termination of the business relationship following a report of suspicious activity

Under the German GwG, obligated parties are required to report unusual or suspicious activities to take preventive action against money laundering and terrorist financing. The decision as to whether to continue or terminate a business relationship after reporting lies with the obligated party. The AuA clarifies that business relationships do not have to be terminated solely to investigate criminal offences, as this falls within the remit of the law enforcement authorities. In such cases, the authorities may request information from obligated companies. The AuA therefore recommends that the institutions inform the respective authority of the planned measure before deciding to terminate a business relationship.

Increased due diligence requirements in connection with debtors in the factoring business

The AuA also provides for more specific requirements for factoring providers. They make it clear that factoring institutions are not also released from the more stringent due diligence requirements under Sec. 5 (2) GwG when conducting creditworthiness analyses of debtors per Sec. 25k (2) Banking Act (KWG) if there is an increased risk of money laundering or terrorist financing.

Verification of the identity of natural persons

The identity of a natural person must be verified, Sec. 11 GwG. Acco rding to the Payment Identity Verification Ordinance (ZldPrüfV), original documents must be available to verify the identity.

When simplified due diligence requirements are applied, all the general due diligence requirements specified in Sec. 10 (1) GwG must be met. In particular this means that in cases of a potentially lower risk, the clarification or identification of a beneficial owner cannot be completely omitted, i.e. the obligation under Sec. 11 (5) GwG remains unaffected. However, the AuA now also permits the use of service IDs to verify a person's identity when fulfilling simplified due diligence requirements.

Permissibility of using PEP lists of service providers

The GwG does not specify the procedure to be used by the obligated parties to clarify the PEP status. According to the AuA, the following options, among others, should be considered to determine the PEP characteristic:

• Clarification of the PEP-status based on the customer's information
• Comparison with PEP-databases (system comparison)

As long as there are no concerns regarding the data quality or functionality of the service providers' databases, the use of the PEP lists obtained from them is permissible.

Periodic review of customer information

The periodic review of the up-to-date of customer information must now be carried out based on the due diligence applied instead of risk categories. This leads to a differentiated and appropriate review depending on the customer's risk profile.

Shortening the update cycles

One major change is the shortening of the update cycles for checking customer information. For customers to whom simplified due diligence applies, updates should be risk-appropriate, while for customers to whom enhanced due diligence applies, the interval between updates must not exceed one year. Customers who are subject to neither enhanced nor simplified due diligence must be reviewed at least every five years. The shorter update periods should help to strengthen money laundering prevention. Consequently, the obligated parties will have to engage with their customers more frequently.

Review of suspended transactions

Finally, the obligation to review suspended transactions per Sec. 46 GwG in the AuA is emphasised. After the third working day has passed, obliged entities are required to check whether further suspension is necessary. In the old version of the AuA, the review was only required if the obliged entity had a strong suspicion of money laundering or terrorist financing.

Documentation and reporting obligations regarding the anti-money laundering officer

The AuA is now demanding a written specification of the specific allocation of tasks between the anti-money laundering officer and his deputy. In the past, the AuA demanded immediate notification for the timely notification of the appointment or resignation. Now, a specification of what constitutes timely notification is being introduced. As a rule, this is deemed to have been provided if it is made at least two weeks before the commencement or termination of the activity.

Outsourcing of internal security measures

The AuA stipulates that the outsourcing of internal security measures per Sec. 6 (7) GwG always constitutes a material outsourcing within the meaning of Sec. 25b KWG, Sec. 26 ZAG, or Sec. 40 Securities Institutions Act (WpIG). In this respect, the obligated parties no longer have any discretion of their own when preparing or updating their risk analyses in this regard.

Mandatory requirement to set up a reporting office for whistleblowers

According to the AuA, the reporting office for whistleblowers within the meaning of Sec. 6 (5) GwG must be set up regardless of the number of employees at the institutions, in deviation from the Whistleblower Protection Act.

Regulations on crypto-asset transfers

Credit institutions, payment institutions, and e-money institutions must establish appropriate internal procedures to ensure compliance with the obligations under Regulation 2023/113 on money transfers (GTVO 2023) when they carry out or receive money transfers per Art. 3 (9) GTVO 2023 or crypto-value transfers per Art. 3 (10) GTVO 2023 (Sec. 25g (2) KWG, Sec. 27 (1) 4 ZAG). In addition to the existing rules for money transfers, the Money Transfer Ordinance has set out separate rules for transfers of crypto-assets since 30 December 2024.

The transition period has already expired

The new Foreign Trade and Payments Ordinance entered into force on 1 February 2025, replacing the previous version from October 2021.