BaFin has published an updated version of its application and interpretation notes on the Money Laundering Act for consultation.
Table of Contents
What are the AuA?
The supervisory authorities responsible for supervision should provide the obliged entities under their supervision with interpretation and application guidelines for the implementation of internal security measures and the fulfilment of due diligence obligations (Section 51 (8) GwG). In the AuA, BaFin specifies the legal requirements of the AMLA and interprets the legal requirements of the AMLA for the obliged entities (in a binding manner).
What has changed compared to the previous version?
There are changes in the following areas, for example:
Determination of money laundering obligations of insurance holding companies
The consultation draft introduces for the first time
- Insurance holding companies,
- Companies pursuant to Section 293 (4) VAG (domestic companies not subject to supervision under the VAG whose main activity is the acquisition and holding of direct or indirect participations in primary insurance or reinsurance companies or pension funds) and
- Companies that exercise a controlling influence over an insurance company within the meaning of the GwG or over a pension fund pursuant to section 236 para. 1 sentence 1 VAG
as obliged entities under money laundering law.
BaFin is thus anticipating a legislative expansion of the group of obliged entities in the insurance sector (PTL of 21 May 2024), which is pending at both national and EU level. The German legislator intends to make insurance holding companies and other VAG companies obliged entities under money laundering law with the draft law to improve the fight against financial crime (FKBG). Under the AML-R, insurance holding companies and mixed insurance holding companies are classed as financial institutions and are therefore per se obliged entities under money laundering law.
According to the consultation draft, insurance holding companies and the other VAG companies are only subject to the obligations under money laundering law with regard to the activities relevant to their status as obliged entities (i.e. in particular the holding of participations in CCs subject to money laundering law), unless they also have to fulfil obligations under money laundering law due to another obliged entity status. Insurance holding companies must register with BaFin, stating their respective status as obliged entities.
The main purpose of this is to close regulatory ranks and ensure uniform group supervision: According to Section 25l KWG (soon to be Section 2 (1) No. 2a GwG under the FKBG), financial holding companies and mixed financial holding companies are already obligated parties under money laundering law.
Mandatory adverse media screening
The consultation draft suggests that obliged entities must incorporate findings from media reports, primarily negative press, in particular as part of the risk assessment (both in the risk analysis and in the customer risk classification) (so-called adverse media screening).
There is no explicit legal obligation to conduct adverse media screening. However, BaFin already took the position at the beginning of February 2024 in the context of the prevention of terrorist financing that “screening customers using sanctions or high-risk country lists alone is not […] sufficient” and that “findings from media reports (adverse media screening)” must also be used. Similar positions can be found in the reports of the Financial Action Task Force (FATF) on the prevention of terrorist financing (p. 47) and the relevant guidelines (The ML/TF Risk Factors Guidelines, GL. 9.21 lit. b) of the European Banking Authority (EBA).
The draft consultation picks up on this and formulates the expectation that “further sources of information should be consulted” and that “every obligated party […] must use all knowledge available to them” – the prime example is the knowledge available or to be gained in the company “for example from media analyses“.
Update cycles
The previous update cycles for checking that the information collected on initial identification is up to date (Section 10 para. 1 no. 5 AMLA) will be significantly tightened. In future, the following update cycles will apply:
| AuA old version | AuA new version | |
| Low risk | up to 15 years | Risk-appropriate |
| Medium risk | up to 10 years | up to 5 years |
| High risk | up to 2 years | Annually |
To fulfil the new cycles, BaFin is granting a transitional period until the EU Anti-Money Laundering Regulation (AML-R) comes into force.
Clarifications for factoring providers, payment institutions and “crypto institutions”
In the Monitoring section, the AuA contain special requirements for institutions that provide factoring (see section 1 (1a) sentence 2 no. 9 KWG) as well as for payment and “crypto” institutions.
For institutions that provide factoring services, the AuA clarify that all incoming and outgoing payments must be monitored, regardless of whether a business relationship exists with the payment sender. The requirement is not new, as Section 25k (2) KWG already stipulates that institutions that provide factoring must “take appropriate measures to counter a recognisably increased risk of money laundering when accepting payments from debtors who were unknown when the framework agreement was concluded“. Accordingly, according to current administrative practice, such institutions were already expected to take appropriate account of the specific risks. The obligation to monitor incoming and outgoing payments (usually using the relevant software) was therefore already generally part of the security measures to counter the specific risks.
For payment institutions, the new version of the AuA stipulates that payment institutions may only provide payment services for merchants for the websites specified in the agreement and not for unknown websites. The AuA therefore stipulate that all websites for which payment services are provided must be specified in the payment services framework agreement.
For “crypto institutions”, the AuAs stipulate that the use of blockchain analysis software (or comparable software for non-DLT-based crypto assets) is mandatory. Further obligations apply to providers of crypto services that offer the exchange or re-exchange of crypto assets into fiat currency (and vice versa). Such institutions would have to use specific transaction monitoring systems.
What happens next?
There is an opportunity to comment on the draft until 9 August 2024. BaFin will then review the comments received and amend the draft AuA if necessary. The updated AuA will then be binding from January 2025.
What impact does the draft have on obligated parties?
The AuA stipulate bindingly how the provisions of the AMLA are to be interpreted. In fact, there are hardly any possibilities to deviate from the requirements. The obliged entities in the financial sector that are subject to BaFin supervision must therefore analyse what changes will result compared to the previous interpretation and adapt their processes accordingly. No transitional periods are envisaged, so it is advisable to prepare measures now.
