
Briefing | German Federal Financial Supervisory Authority updates its interpretation and application guidance on the Money Laundering Act

Written by YPOG | January 14, 2025

Key Points for Fund Managers 

On November 29, 2024, the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, “BaFin”) published a new version of the general part of its Interpretation and Application Guidance on the German Money Laundering Act (“AuA 3.0” – German Version).
The last revision of the AuA dates back to October 2021. Since then, the nation has not only been overrun by a pandemic and a wave of AML-special audits. The European Union's four-part legislative package aimed at harmonizing and strengthening the fight against money laundering and terrorist financing has also been adopted. In addition to the establishment of an EU-wide Authority for Anti-Money Laundering and Countering the Financing of Terrorism (short: “AMLA”), which is due to commence its activities in Frankfurt am Main, Germany, this year, the European AML package also includes a revised version of the Transfer of Funds Regulation [1], the new 6th Anti-Money Laundering Directive [2] and – for the first time – a regulation on combating money laundering and terrorist financing (“AML-Regulation”) [3]. The latter is particularly exciting in that it will be directly applicable to (most) obliged entities from July 2027 and will therefore largely replace the current Money Laundering Act (Geldwäschegesetz, “GwG”). Obliged entities are therefore well advised to prepare for the upcoming changes in good time. However, according to BaFin, the AuA 3.0 now published are expressly not intended to anticipate the regulations that will apply in the future.

This briefing provides a brief overview of the most relevant changes of AuA 3.0 for registered and authorized fund managers [4], which are to be applied from February 1, 2025. For ease of reference, the structure of this briefing is based on the structure of AuA 3.0.

Risk Analysis (Section 5 GwG) 

The central element of anti-money laundering risk management is and remains the risk analysis. Its 5-stage structure also remains unchanged. However, as is so often the case, the devil lies in the detail, and obligated parties will need to make some noticeable changes when preparing their company's next risk analysis. The most important ones are briefly outlined below.

Risk Identification 

One significant change is that from February 2025, a clear distinction must be made between the specific risks of money laundering and those of terrorist financing. As terrorist financing funds can also come from legal sources, relevant typologies must be observed, and relevant sources of information must be consulted regularly. In this respect, a comprehensible ad hoc analysis of current developments should also be carried out in a risk-appropriate manner. So far, only very few fund managers are likely to meet this requirement.

There has always been a wide range of information sources to be used to determine the individual, relevant risk factors. The AuA 3.0 now provide a good selection of these themselves, naturally with the disclaimer that this is by no means an exhaustive list. In addition, existing or yet to be acquired knowledge within the company (e.g. adverse media screening), the evaluation of suspected cases, the exchange of experience with other money laundering officers, etc. can also provide information on possible risk factors.

The requirements profile of BaFin in terms of the scope of risk identification is very high and should not be underestimated.  

Risk Assessment

An important part of the risk assessment is (still) the analysis of the residual risk (taking into account already implemented security measures). It is not necessary to reduce the risk to zero. Rather, it is crucial that obligated parties are aware of the remaining residual risk and address it appropriately.

In contrast to the consultation version of the AuA, which still foresaw an obligation, it is now at the discretion of the responsible member of management (Section 4 (3) sentence 1 GwG) whether or not they wish to make the handling of the remaining residual risk the subject of a management resolution. 

Documentation Obligation

In order to facilitate the traceability of the risk analysis, obligated parties must now also present the methodology used in each case. Any (ad hoc) changes to the risk analysis must be documented and approved by the responsible member of management immediately after completion. Depending on the scope of the risk analysis, BaFin also recommends the preparation of a Management Summary summarizing the main contents and changes to the risk analysis. 

Internal Security Measures and their Outsourcing (Sections 6 and 7 GwG)

The comments on internal security measures have also been revised, although in many places these are merely editorial in nature. The most interesting substantive changes are briefly outlined below.

The Function of the Money Laundering Officer (MLO)

The specific tasks, responsibilities and powers of the MLO and its deputy must be defined in writing by the obligated parties. Unless explicit reference is made to deviations, the same requirements apply both to the MLO and its deputy.

By law, the MLO must carry out its activities domestically. The AuA 3.0 now stipulate that a deputy residing abroad is permitted, provided that the activity is carried out in Germany in the event of representation. As a rule, either the MLO or its deputy must at least have a command of the German language.

The requirements for avoiding conflicts of interest have also been tightened to a certain extent. For example, the MLO may not, in principle, act as an outsourcing officer for the outsourcing of the data protection officer or internal audit.

The obligation to carry out certain monitoring activities is probably not new to most money laundering officers. According to AuA 3.0, the object/objective, scope, responsibilities and due dates/frequencies of the individual monitoring activities must be set out in writing, for example in a control plan. The implementation and results of the monitoring activities and any need for action must be documented in a comprehensible manner. 

Outsourcing of Internal Security Measures

Despite the explicit declaration by BaFin not to preempt the AML-Regulation, it does so in the context of the outsourcing requirements: Article 18 (6) of the AML-Regulation prohibits outsourcing to third parties domiciled in a high-risk country. This prohibition can now also be found in the AuA 3.0 and, contrary to the wording of the regulation, without any exceptions.

For the question of whether the activity performed by a third party is a notifiable outsourcing or merely an external procurement, the AuA 3.0 wording refers to the provisions of Section 10 of BaFin Circular 01/2017 (WA), which is generally only applicable to authorized fund managers. The decision and its reasons must be documented.

If obliged entities use multi-client service providers, for example for the function of the MLO and/or its deputy, they must ensure from now on that such service providers have adequate resources available to fulfill their duties. 

Whistleblowing

Fund managers are obliged to set up an internal reporting office under both the GwG and the German Whistleblower Protection Act (Hinweisgeberschutzgesetz, “HinSchG”). Fortunately, BaFin not only clarifies in the AuA 3.0 that the establishment of only one reporting channel is sufficient for both legal regimes, but also that Sections 8 to 10 and 13 to 18 of the HinSchG apply to the whistleblower channel to be established under the GwG.  

Anti-Money Laundering Due Diligence Obligations (Sections 10 et seqq. GwG)

A mixture of editorial, clarifying and substantive amendments [5] can also be found in customer due diligence obligations.

More Frequent Update Cycles

The documents, data or information used by the obligated parties to fulfill their customer due diligence obligations must be updated periodically and, if required, ad hoc. BaFin has drastically shortened the cycles for the periodic updating obligation: 

  • For customers to whom simplified due diligence obligations apply (Section 14 GwG), the update must be risk-appropriate until further notice. Developments at national and European level are important for risk appropriateness. BaFin has deliberately left the updating cycle for the simplified due diligence obligations open – according to its own statements due to uncertainties in the interpretation of the corresponding provisions of the AML-Regulation. BaFin therefore explicitly reserves the right to make changes in the future. The previous version of the AuA provided for an updating obligation after 15 years at the latest.

  • For customers subject to enhanced due diligence obligations (Section 15 GwG), the interval between updates of customer information must not exceed one year. Previously, updates in this risk group had to be carried out after two years at the latest. 

  • For customers subject to general due diligence obligations, the AuA 3.0 provides for an update within a period not exceeding five years. Previously, the update had to take place every ten years at the latest.

IMPORTANT: Even though the AuA 3.0 will generally apply from February 1, 2025, the new update periods only have to be implemented by the obliged entities when the new AML-Regulation comes into force, i.e. from July 10, 2027.

No Recording of “All” Fictitious Beneficial Owners

The GwG stipulates that the so-called fictitious beneficial owner must be recorded in certain constellations. If several persons fulfill this requirement, it was generally sufficient to record only one person. The consultation version of the AuA 3.0 published in the summer provided for all fictitious beneficial owners to be recorded instead. Fortunately, however, this was not included in the final AuA 3.0. The previous practice will therefore continue unchanged, so that the recording of one fictitious beneficial owner is generally sufficient.

Notes on Lists of Politically Exposed Persons (PeP)

BaFin's reference to the PeP list published by the European Commission, which can be accessed on its website, is also of clarifying nature. Persons who hold the public offices listed therein are considered politically exposed persons. However, it would be too easy for normal legal practitioners to rely solely on the long-awaited list. BaFin therefore explicitly clarifies that the publication of this list is not intended to restrict the scope of application of Section 1 (12) no. 1 GwG, which defines the term “politically exposed person”. In plain language, this means that positions that are not on the list can also make their holder a politically exposed person. It is therefore not possible to rely on the list alone. It merely provides a good starting point.

Most obliged entities are likely to use corresponding databases for PeP and sanctions list screening anyway. In principle, this also indicates the appropriate fulfillment of the corresponding obligations under anti-money laundering law. However, the indicative effect does not apply if there are concerns regarding the data quality or functionality of the database used. In addition, obliged entities must always ensure that the comparison against PeP lists is carried out using the current lists provided by the service provider.

Obtaining Transparency Register Extracts

If the contractual partner to be identified is not a natural person, Section 12 (3) sentence 2 GwG generally requires an excerpt from the Transparency Register to be obtained. Alternatively, proof of registration can also be obtained. It was rumored that this meant the notification of receipt issued as part of the registration with the Transparency Register. BaFin has now rejected this view and at the same time clarified that there is no scope of application for this alternative - at least in Germany.

Suspicious Activity Reports (Sections 43 et seqq. GwG)

Even if the number of suspicious activity reports submitted to date by most fund managers is likely limited, this is a key component in the fight against money laundering and terrorist financing. 

Consideration of Publications

BaFin has therefore included a detailed reference to the technical information provided in the internal section of the Financial Intelligence Unit (“FIU”) right at the beginning of the relevant section in the AuA 3.0. Special mention is made here of the key point papers on the determination of circumstances that do not trigger a reporting obligation as well as the joint guidance notes of BaFin and FIU on the terms “promptness” (Unverzüglichkeit) and “completeness” (Vollständigkeit) of a suspicious activity report pursuant to Section 43 GwG. 

General Clarifications

Clarifications include the fact that the submission of a discrepancy report in accordance with Section 23a (1) GwG does not automatically trigger the submission of a suspicious activity report and that the submission of a suspicious activity report in accordance with Section 43 (1) GwG does not automatically result in the termination of the business relationship.

Updates for Feedback Concepts

Whether obliged entities have to apply enhanced due diligence obligations to a customer after submitting a suspicious activity report now depends on the reason for the suspicious activity report:

  • Reports on suspicion of terrorist financing: In this case, enhanced due diligence obligations must be applied for at least 6 months, irrespective of any feedback from FIU. 

  • Other suspicious activity reports: If the obliged entity receives feedback from the FIU within 21 calendar days that its report has been identified for further analysis, enhanced due diligence obligations must also be applied; outside this period, only in the event of further suspicious activity.

Summary

The revised AuA 3.0 pose significant challenges for companies subject to BaFin supervision. Fund managers should carefully analyze the extent to which they need to revise their internal measures to prevent money laundering and terrorist financing.

While most of the changes are of editorial nature or reflect existing administrative practice and therefore do not require any immediate action, certain new accentuations entail important adjustments. These could make it necessary to revise the internal organization and processes.

It is therefore recommended that fund managers familiarize themselves with the new AuA 3.0 to recognize the specific need for action and implement it in good time.

In addition, it is essential to continuously develop compliance structures to meet the constantly growing regulatory requirements in the prevention of money laundering and terrorist financing. This area will continue to develop dynamically in the coming years.

 

  1. Regulation (EU) 2023/1113, which is likely to be irrelevant for most readers of this briefing and has therefore been left out of consideration.
  2. Regulation (EU) 2024/1640.
  3. Regulation (EU) 2024/1624.
  4. This refers to asset management companies within the meaning of Section 17 (1) of the German Investment Code (Kapitalanlagegesetzbuch, “KAGB”), which are obligated parties under anti-money laundering law pursuant to Section 2 (1) no. 9 GwG.
  5. For example, the clarifying note was added that the person acting on behalf of the contractual partner/customer can only be a natural person.

 
