KYC and AML solutions are playing an increasing part in tackling money laundering in Germany. But are Germany’s strict regulatory requirements holding its financial services back? IDnow investigates.
Every year around €100 billion of laundered money circulates throughout the German economy.
Money laundering and other types of financial crime are rapidly growing problems that threaten the stability of the global economy. In fact, according to the United Nations, money laundering accounts for 2-5% of global GDP (around US$800 billion to US$2 trillion).
Regulations have long been in place to help prevent money laundering activities. These began with rules from the Financial Action Task Force (FATF) in the 1990s and have evolved and been adopted by many countries since then. As an EU member, Germany follows the European Parliament’s Anti-Money Laundering Directives (AMLD), which are implemented in German law through the German Anti-Money Laundering Act, known as Geldwäschegesetz (GWG).
Does Germany require KYC?
Oversight and regulation in Europe are handled at a country level, but there does tend to be a standard KYC practice. Check out our ‘3 KYC components every financial institution must follow’ blog to learn more. Read our blog to discover more about how KYC technology is being used to clean up the UK’s financial services sector. In Germany, BaFin is the regulatory body overseeing and enforcing financial institutions’ compliance with AML and KYC regulations.
Although AML and KYC compliance is a legal obligation, there are other important reasons why banks should adhere to compliance rules. Adhering to regulations helps protect banks and fintechs, and their customers from harm, and is likely to enhance the reputation and trustworthiness of the company in the process.
What is BaFin and the Geldwäschegesetz?
AMLD regulations were first introduced in 1991 and have passed through several iterations, each of which has offered improved regulation and coverage, alongside changes in criminal behavior and improvements in technology. The latest 5AMLD regulations and 6AMLD regulations were introduced in 2020 and 2021, and like the upgrades before them, made significant improvements, including a greater focus on Politically Exposed Person (PEP) screening, and sources of finance, while creating consistency and understanding across the EU.
In Germany, the GWG Act has been updated several times to reflect changes in AMLD regulations – most recently to reflect the new requirements for enforcement and punishment under 6AMLD.
The Germany regulatory body known as BaFin, (Bundesanstalt für Finanzdienstleistungsaufsicht), or the Federal Financial Services Authority, reports to the Ministry of Finance, and the Federal Government appoints its president.
BaFin’s responsibilities include AML and KYC but is also responsible for issuing licenses for financial institutions, controlling audits and financial statements, enforcing penalties for financial institutions, and protecting consumers.
What are the German KYC and AML requirements?
AML law in Germany is implemented through GWG, which covers all aspects of AML and KYC legal compliance, including:
- Definitions and scope of money laundering and AML activities, and obliged entities.
- Requirements for customer due diligence, risk assessment, and monitoring.
- Escalation and reporting of suspicious activity requirements.
- The involvement of the German Financial Intelligence Unit (FIU), responsible for analyzing and recording suspicious transactions. It also maintains a centralized database.
- Enforcement and criminal liability.
One area where country-specific regulations can differ significantly is the technical implementation of AML and KYC procedures. AMLD guides the required procedures and scope of AML and KYC, but does not specify the technologies to be implemented, or permitted levels of automation. This is left to the discretion of the national regulator.
BaFin takes a more conservative approach than other regulators, such as UK’s Financial Conduct Authority, by only allowing automated verification via video review, which requires a Qualified Electronic Signature (QES) and a small bank transfer as part of onboarding.
How to comply with KYC and AML regulations in Germany.
The GWG Act specifies a risk-based approach to AML. It requires the development of a risk management system and process.
Such processes must be embedded in the organizational infrastructure and followed by all relevant employees. BaFin gives instructions and requirements for staff training in AML, but it is left to organizations to decide on the best training format and timing.
Processes must also be in place for the escalation and reporting of suspicious customers and transactions – both internal and to authorities. In Germany, such cases must be reported to the Financial Intelligence Unit (FIU).
In terms of the KYC process, three main stages, or components, must be set up, which are standard in regulations across Europe:
- Identity Verification, or the Customer Identification Program (CIP). The first step in the KYC process is to prove that the customer is who they claim to be. This includes both individual and corporate customers.
- Customer Due Diligence (CDD). This takes verification one step further and aims to prove whether the financial institution can trust the customer. CDD is about defining a customer’s risk level, and to what extent they can be trusted.
- CDD includes AML screening to check that the potential client isn’t on any sanctions or Politically Exposed Persons (PEP) lists. Customer addresses can also be checked. Customers considered to be of higher risk will undergo further checks under Enhanced Due Diligence, which can include checking PEP, sanction and watchlists, and monitoring adverse media.
- Ongoing Monitoring. AML and KYC compliance is not just about checking new customers during onboarding. Financial institutions must have a program in place for ongoing KYC checks and monitoring. This can include further sanction and PEP checking and regular monitoring of transactions.
How to perform KYC and AML checks as a financial institution or fintech in Germany.
As most new banking customers in Germany are onboarded and verified digitally, the eKYC processes must follow regulatory guidance and feature the three main components described above.
Customer onboarding and identity verification involves collecting identity documents and checking their authenticity by ensuring the customer and document identity match. In processes that are fully or partially automated, this is increasingly taking place online.
CDD must be carried out for all new business relationships (whether this is a person or business). It must also be undertaken in several situations defined by BaFin, including for suspicious or large transactions (over €15,000) or with changes in customer circumstances.
Risk assessment procedures must be in place, and further EDD carried out, when the risk is determined to be high. Guidance from BaFin for factors triggering EDD includes:
- Identification of customer or company beneficial owner as a PEP
- Complex or suspicious transactions – including those that are unusual or have no apparent economic purpose
- Links or partnerships with a business identified as high risk or located in high-risk countries
BaFin sets several requirements for conducting EDD when necessary. These include involvement from senior management in approvals, enhanced monitoring, and further checks on sources of funds and company relationships.
There are some notable differences in KYC/AML checks under German regulations compared to other jurisdictions. Rules that financial institutions in Germany need to be aware of include:
Video-based verification. In 2014, Germany was one of the first jurisdictions to permit video onboarding. It is still considered the standard in Germany, as BaFin does not permit the use of artificial intelligence and biometric-based verification that other regulators (including the UK) do, but this is likely to change soon.
BaFin sets strict standards for video identification procedures, including the stipulation that video identification must take place in real-time, with no interruptions, using end-to-end encrypted channels. Other requirements include standards for video quality, lighting levels, and training of employees to conduct identification.
Use of QES and bank transfer. GWG regulations add an extra layer of protection to AML and KYC. When onboarding and verifying a new customer, a small bank transfer from a named German account must be used as verification support. This simplifies the process of opening additional accounts in Germany, while maintaining a high level of security.
Reading of ID cards using NFC. Although commonly used throughout the Nordics, the use of identity cards is almost nonexistent in the UK. In Germany, however, identity cards are rolled out to all German citizens, and can be used as a means of verification.
What trends and challenges for German KYC and AML practices are coming up?
AML and KYC processes and techniques have been continually improving since they were introduced to keep pace with changes in criminal behavior, and the regulatory requirements to combat them.
Technical solutions that make use of increasing degrees of automation will also continue to improve. Several European countries, including the UK, France, Belgium, Netherlands, and Spain now allow the use of artificial intelligence and machine learning-based methods of verification to check the authenticity of identity documents and biometric verifications of identity. Germany’s BaFin will likely follow suit.
In other sectors in Germany, change is already happening. In mid-2021, Bundesnetzagentur, the national regulator for Electricity, Gas, Telecommunications, Post, and Railways authorized the use of AI-based solutions for the verification of certain customers.
There is a likelihood that some of this will be addressed in EU-wide AML regulations (including the current draft EU regulation 910/2014), as the EU aims to bring different national AML regulations together to better address fraud and enforcement criteria.
Other trends likely to affect AML and KYC include growing privacy concerns in Europe. Any development and updating of GDPR regulations will likely impact data access and data collection and storage as part of customer verification and risk assessment.
Using IDnow for automated identity verification in Germany.
As a global leader in the identity verification industry, IDnow has been focused on improving KYC processes since 2014. To meet the recent shift to eKYC, IDnow has created a comprehensive suite of identity verification and document signing solutions to enable organizations to comply with the latest regulatory requirements, in Germany and elsewhere.
IDnow’s solutions have been designed to offer fully compliant identity verification in many jurisdictions – including Germany. VideoIdent was developed to be compliant with Germany’s early video-based verification regulations, while IDnow’s main product for customer onboarding and verification, AutoIdent offers full automated onboarding and verification solutions, with modular add-ons for increased functionality.
AutoIdent is available with several highly regulated use cases, such as in German financial services, and with functionality including supervised video verification, use of QES, and verification of existing bank accounts, it fully meets German GWG requirements.
While IDnow’s solutions have already received positive feedback from the German regulators that do allow more automation, they are also, of course, in full use in other jurisdictions. IDnow remains committed to make the connected world a safer place and is excited and optimistic about future enhancements in German financial markets.
Still want to learn more about AML and KYC? Have a look at our overview page on AML & KYC.
Content Manager at IDnow
Connect with Jody on LinkedIn
New German gambling regulation.