Understanding BaFin's New AML Guidelines

Following an extended consultation phase and multiple revisions, the updated Interpretation and Application Guidance (“AuA”) of the German Federal Financial Supervisory Authority (BaFin) on the German Anti-Money Laundering Act (GwG) has been in effect since March 2025.

The revised version introduces new requirements that trigger implementation needs for both existing and newly obligated entities, particularly regarding risk assessments, (enhanced) documentation obligations, and shortened deadlines for updating customer data.

In March 2025, the first additions were made. They specifically reflect the legislative expansion of the scope of obliged entities under Sect. 2 para. 1 No. 2 GwG, which was introduced through the Financial Market Digitisation Act that came into force in December 2024. This primarily affects providers of crypto-asset services as well as certain issuers of asset-referenced tokens. In addition, requirements for enhanced due diligence in relation to transfers of crypto-assets to or from self-hosted addresses (Sect. 15a GwG) have been expanded.

The AuAs were amended again on July 2, 2025. The changes relate in particular to the notification of a new money laundering officer. The previous form is no longer to be used. The notification is now to be made electronically via the BaFin notification and publication portal, and an explanation of the registration and notification process can be found on the BaFin website.

BaFin has emphasised that these changes are not related to the EU-AML Package adopted in 2024, nor are they intended to pre-empt its implementation.

Risk Assessment

BaFin now specifies a list of minimum standards for information sources to be used in risk assessments. This aims to significantly reduce uncertainty and provides institutions with clearer guidance when preparing their risk analyses.

Risk assessments must be updated not only on a regular basis but also on an ad-hoc basis whenever necessary. Once finalised, the risk assessment must be presented without delay to the responsible member of the management board.

Separation of Money Laundering and Terrorist Financing Risks

The new guidance clarifies the differences between the treatment of money laundering and terrorist financing. While these topics have typically been addressed together, BaFin now highlights the significant differences between them, which justify separate analysis.

The enhanced distinction required in the risk assessment is likely to prompt many entities to revise their existing documentation. A clear separation between the two areas is now expected to ensure effective and targeted mitigation measures.

Organisational Requirements

BaFin does not accept the appointment of a money laundering reporting officer (MLRO) operating from abroad. While a deputy may be based outside Germany, the MLRO must be physically located within the country. However, the MLRO is not required to speak German, provided that the deputy has sufficient language skills and the lack of German proficiency does not delay the performance of statutory duties.

BaFin requires a functional separation between the MLRO and the institution’s executive management, unless the entity is particularly small (fewer than 15 FTEs).

The documentation requirements have also been tightened: all tasks, responsibilities, and powers of both the MLRO and the deputy must be recorded in writing. Actions taken must be documented in detail.

The appointment or removal of an MLRO or deputy must be reported to BaFin at least two weeks in advance. Late notifications will be considered as such.

Updating Obligations

New deadlines apply for updating customer data:

  • Customers subject to simplified due diligence: No specific deadline; updates must be risk-appropriate
  • Customers with medium risk: At least every 5 years
  • Customers with high risk: At least annually

The shortened update cycles, compared to BaFin’s previous administrative guidance, will increase operational efforts for many entities. To accommodate this, BaFin has extended the implementation deadline for these specific requirements to July 2027. All other provisions of the updated AuA must be applied starting February 2025, including the March 2025 additions.

Suspicious Activity Reporting

Changes have also been made to the rules on suspicious activity reporting. One such change concerns how customers are qualified after a suspicious activity report has been submitted. In future, instead of the previous three months, a period of 21 calendar days will apply from the submission of a suspicious activity report, during which the respective customer will be categorised as posing an increased risk, provided that no further anomalies occur that would necessitate increased due diligence obligations. However, this reduction in the deadline only applies to suspected cases of money laundering. For suspicious activity reports relating to terrorist financing, a period of 6 months is more appropriate for assuming an increased risk. Additionally, BaFin has altered the wording of the standstill period for submitting a suspicious activity report, changing it from a general rule to an exception. Transactions may now be carried out three days after a suspicious activity report has been submitted, unless there are clear indications of money laundering or terrorist financing.

Conclusion

The revised Interpretation and Application Guidance from BaFin introduces wide-reaching changes that require significant implementation efforts by affected institutions. The new requirements around risk assessments, expanded documentation obligations, and shorter customer data update intervals will necessitate substantial adjustments to existing processes.

Authors: Nadine Forstmann, Pelin Sentürk and Macide Sarican
