BaFin’s AML/CFT Guidelines Feb 2025

Report Name: Interpretation And Application Guidance For The Money Laundering Act (GwG)
With Effect From: 01 February 2025
Region: Germany
Agency: Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin))

BaFin’s Updated AML/CFT Guidance: Key Changes Financial Institutions Must Know for 2025

Germany’s Federal Financial Supervisory Authority, BaFin, has finalized its long-awaited update to the Interpretation and Application Guidance (Auslegungs- und Anwendungshinweise, “AuA”) on the German Money Laundering Act (Geldwäschegesetz, “GwG”). Effective from 1 February 2025, these changes aim to enhance the effectiveness of anti-money laundering (AML) and counter-terrorism financing (CFT) measures while ensuring a uniform application of the law across all regulated entities.

The updated guidance introduces new obligations, clarifies existing administrative practices, and prepares the financial sector for the upcoming AML Package reforms. Below, we break down the key changes that banks and financial institutions need to be aware of to ensure compliance.

1. Stricter Customer Due Diligence (CDD) Requirements

KYC Review Periods

BaFin has introduced new maximum periods for the rolling review of KYC files, aligning them with the upcoming AML Regulation (AMLR). While many international banks already follow these practices, others may face challenges in updating their KYC files to meet the new review cycles before the AMLR takes effect.

Verification of Legal Entities

For legal entities, documents such as commercial register excerpts can be used for verification. Initially, BaFin proposed that these documents should not be older than four weeks, but this has been extended to three months from the date of issue. This change provides more flexibility for financial institutions.

Identity Verification for Low-Risk Cases

In low-risk scenarios, institutions can now use government-issued ID cards for identity verification, alongside traditional documents like driver’s licenses or utility bills. However, all required data points must still be recorded, ensuring compliance with the GwG.

Politically Exposed Persons (PEPs)

Financial institutions can rely on third-party databases to check if a client or their beneficial owner is a PEP. However, they must ensure these databases are up-to-date and reliable. If a PEP is identified, enhanced due diligence (EDD) measures must be applied.

Ultimate Beneficial Owner (UBO) Identification

Exemptions for Listed Companies: Subsidiaries of stock exchange-listed companies are now exempt from UBO identification if the parent company owns more than 75% of the shares (up from the previous 50% threshold).

Country of Residence: Institutions must now identify the country of residence of the UBO to determine if EDD is required under section 15 para. 3 no. 2 GwG.

Notional Beneficial Owners: The rules for identifying notional beneficial owners remain unchanged, meaning only one such owner needs to be identified. This clarification comes as a relief to many institutions, as BaFin had initially proposed stricter requirements during the consultation phase.

2. Enhanced Risk Management Practices

Separate Risk Analyses for AML and CFT

BaFin now requires financial institutions to conduct separate risk analyses for AML and CFT. This reflects the growing focus on terrorist financing as a distinct risk area. Institutions must use all relevant findings and internal/external sources to assess risks effectively.

Documentation and Updates

The methodology for risk analysis must be clearly documented. Additionally, risk analyses must be updated ad hoc if there are any changes in internal or external factors that could impact the institution’s risk profile.

Management Responsibility

The management level (Leitungsebene) is responsible for deciding how to handle residual risks, ensuring that decisions align with the institution’s risk appetite and regulatory requirements.

3. New Rules for Handling Suspicious Activity Reports (SARs)

“Duty to Stand Still”

When a SAR is filed, the transaction in question cannot proceed unless:

1) The Financial Intelligence Unit (FIU) or public prosecutor consents, or

2) Three working days pass without a prohibition from these authorities.

After three days, the transaction should generally be executed unless there are clear indications of money laundering or terrorist financing. This places a significant burden on money laundering reporting officers (MLROs), who must carefully assess each case.

Enhanced Due Diligence (EDD) After a SAR

If no feedback is received from the FIU within 21 calendar days, institutions may revert to standard due diligence.

If the FIU conducts further analysis, EDD must continue based on the institution’s risk assessment.

For suspected terrorist financing, EDD must be applied for at least six months after the SAR or any follow-up inquiry by the FIU.

Conclusion

BaFin’s updated guidance represents a significant step forward in strengthening Germany’s AML/CFT framework. While these changes aim to create a more robust and consistent regulatory environment, they also place additional compliance burdens on financial institutions.

Read the details here.

Read about the product: Transact Comply

Empower your organization with ZIGRAM’s integrated RegTech solutions – Book a DemoChina’s AML Law Revision