On 11 December 2018, the German Federal Financial Supervisory Authority (hereinafter referred to as “BaFin”) published its Instructions for the Interpretation and Application of the German Anti-Money Laundering Act (hereinafter referred to as the “IIA”). The present version was preceded by a draft which BaFin published for consultation in March 2018 (hereinafter referred to as the “draft IIA”). The draft IIA was heavily criticised by some industry associations. In this article, we provide information on some of the key changes in the current version of the IIA compared to the draft IIA, particularly those relevant for FinTech companies. We also list some points where there were (unfortunately) no changes…
Background of the IIA
With IIA’s publication, BaFin fulfilled its statutory mandate pursuant to Section 51 para. 8 of the German Anti-Money Laundering Act (“AMLA”) to provide the obliged persons under the AMLA (hereinafter referred to as “AMLA obliged persons”) with instructions for interpretation and application to implement their obligations under anti-money laundering law.
The IIA only apply to AMLA obliged persons in the financial sector (i.e. in particular credit institutions, financial services institutions, payment institutions, e-money institutions, agents as defined in the Payment Services Supervision Act, e-money agents and e-money distribution points).
The IIA replace the previous interpretation notes prepared by financial sector associations in alignment with BaFin, parts of which have been obsolete anyway since the implementation of the 4th EU Anti-Money Laundering Directive on 26 June 2017. This applies in particular to the German Banking Industry’s interpretation and application notes of 1 February 2014 (hereinafter referred to as the “BI notes”).
The IIA are not a static document as they are continuously updated by BaFin. The current version of the IIA provide financial sector companies with guidance for the implementation of their anti-money laundering obligations and is therefore of essential importance to them.
Amendments to the IIA compared with the consultation version
Below you will find a summary of the main changes made to the current version of the IIA compared to the draft IIA. We also list some points of practical relevance where BaFin has not changed its opinion as expressed in the draft IIA, despite objections raised by the associations:
AMLA obligations of payment initiation and account information service providers
According to BaFin, payment initiation and account information service providers are, in principle, AMLA obliged persons. However, we are of the opinion that the new wording inserted on page 6 of the IIA shows that it is not necessarily BaFin’s view that the providers of the aforementioned services have to fulfil all anti-money laundering obligations. Unfortunately, however, it remains unclear under what conditions and to what extent BaFin would be prepared to grant relief to the providers of the aforementioned services in this area.
Design of the risk management and risk analysis processes
Paragraph II. 2. 2.1. of the draft IIA contained the requirement for AMLA obliged persons to take into account the FATF guidelines on the risk-based approach in various areas of the financial sector and the document of the Basel Committee on Banking Supervision “Solid Management of Risks in Connection with Anti-Money Laundering and Terrorism Financing” when designing their risk management and risk analysis processes pursuant to Sections 4 and 5 AMLA. This abstract reference, which would have led to ambiguities and interpretation difficulties, was deleted.
Exemption from the obligation to appoint an anti-money laundering officer
BaFin now clarifies on p. 21 of the IIA that, in principle, there is no exemption from the obligation to appoint an anti-money laundering officer as stipulated by Section 7 para. 2 AMLA for AMLA obliged persons with more than 15 employees, in corporate groups or in the case of cross-border corporate structures.
Outsourcing of internal security measures
A new provision was included which specifies that BaFin must be notified if internal security measures are outsourced pursuant to Section 6 para. 7 AMLA at least two weeks prior to the start of the planned outsourcing (p. 25 of the IIA).
No establishment of a new business relationship in case of a change in the beneficial ownership
The amended wording in the second paragraph under III. 4.1 on p. 26 of the IIA now makes it clear that the fact alone that there is a change in beneficial ownership of a contractual partner does not lead to a new business relationship being established (and hence such change does not (again) trigger the due diligence obligations under Section 10 AMLA).
Guarantee agreement as a business relationship within the meaning of Section 1 para. 4 AMLA
It remains the case that, contrary to its previous administrative practice, BaFin regards a guarantee agreement as a business relationship within the meaning of Section 1 para. 4 AMLA. As a consequence, the due diligence obligations of Section 10 AMLA must also be fulfilled with regard to a guarantor (cf. p. 32 of the IIA).
Legal representative as “acting person” within the meaning of Section 10 para. 1 no. 1 AMLA
Despite considerable criticism from the financial sector, BaFin maintains its view that a legal representative of a legal entity is also considered an “acting person” within the meaning of Section 10 para. 1 no. 1 AMLA (see p. 32 of the IIA). This means that any such representative (e.g. the managing director of a German limited liability company, GmbH), when acting on behalf of an AMLA obliged person and establishing a business relationship for the person they represent (e.g. the GmbH), must be identified in accordance with the provisions applicable to the identification of natural persons (e.g. by presenting an identity card or by way of video identification).
Application of simplified due diligence obligations if the contracting party is an AMLA obliged person
With regard to the obligation to clarify and identify the beneficial owner pursuant to Section 10 para. 1 no. 2 AMLA, BaFin is of the opinion (as it was before) that the provisions of the simplified due diligence obligations can be applied if the customer is itself an AMLA obliged person (e.g. a payment institution), see p. 38 of the IIA. This statement is, for example, relevant for payment institutions or e-money institutions which safeguard funds received from payment service users or e-money holders when providing payment services or e-money business through the use of a trustee (collective) account.
Recording of one (1) fictitious beneficial owner sufficient
If it is not possible to identify a beneficial owner within the meaning of Section 3 AMLA for a contractual partner who is not a natural person, the legal representative, managing director or partner of the contractual partner will be deemed the beneficial owner pursuant to Section 3 para. 2 sentence 5 AMLA (so-called fictitious beneficial owner). According to BaFin, if there are several fictitious beneficial owners of a contractual partner, it is generally sufficient to record one (1) fictitious beneficial owner (see p. 46 of the IIA).
For domestic customers, a third party domiciled abroad has to apply German anti-money laundering law
BaFin maintains its view that it is not permitted to rely on a third party domiciled abroad for the fulfilment of due diligence obligations regarding customers domiciled in Germany by applying foreign law. In this case, the third party domiciled abroad needs to adhere to the due diligence obligations of the German Anti-Money Laundering Act (see p. 67 of the IIA). This view presents difficulties, especially with regard to the digital and international business models of FinTech companies.
No prohibition of sub-outsourcings
The draft IIA contained the rule that third parties within the meaning of Section 17 paras. 1 – 4 AMLA, who are used by an AMLA obliged person to carry out its due diligence obligations, may not further transfer the performance of these obligations to a sub-contractor. BaFin deleted this prohibition of sub-outsourcings from the current version of the IIA.
Strict rules for transferring identification data
BaFin did not delete the strict rules regarding the transfer of identification data (see p. 68 f. of the IIA). This includes the use of identification data collected by a third party at an earlier point in time to fulfil the AMLA obliged person’s own identification obligations. This interpretation will have an adverse effect on the flexibility of the digital and international business models of FinTech companies.
The IIA clarify some of the questions which came up as a result of the implementation of the 4th EU Anti-Money Laundering Directive and the amendment of the AMLA. However, what presents somewhat of a problem is the fact that the level of detail of the IIA is lower than in the previous BI notes and also that it contains considerably fewer practical examples. The IIA also do not specifically address the (usually digital) business models of payment institutions, e-money institutions or (other) FinTechs. Despite the existence of the IIA, AMLA obliged persons therefore still need to apply their own “interpretation efforts” to assess how, in view of their business model, they can implement the anti-money laundering provisions as practicably as possible while complying with the rules. From the point of view of the FinTech sector, it also has to be critically noted that the interpretation of the anti-money laundering provisions made by BaFin in the IIA (in particular with regard to the use of third parties to fulfil the anti-money laundering due diligence obligations) creates some high hurdles in some cases for the digital and international business models of FinTech companies.
Cover picture: Copyright © fotolia /sdecoret