In German folklore, a mythical half-goat, half-demon accompanies Saint Nicholas on his annual tour of homes every December 5. While Santa gives the good children their rewards, the chain-dragging Krampus seeks out the naughty children for punishment with a birch rod.
In modern Germany, Krampus has competition in the form of its banking regulator. For the last decade, the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht or BaFin) has had a special affinity for the country’s largest lender and financial institution, Deutsche Bank. BaFin has fined the bank multiple times, including €40 million in 2016 for Know Your Customer (KYC) violations. Since 2018, the two have been in an ongoing feud over accusations of lacking anti-money laundering (AML) controls and threats of fines. BaFin has had an in-house monitor at the bank’s headquarters since 2018.
Companies looking to expand to Germany should take extra measures to remain in good graces when it comes to money laundering protections.
Taking precautions in Germany
Every year, criminals around the world launder billions of dollars — by some estimates, trillions — through banks, financial institutions, and a growing list of other business types. Fighting financial crimes and protecting the global economy is, itself, another billion-dollar business, and Germany is among the biggest spenders with an estimated $57 billion needed each year to adhere to AML regulations.
Instituting Know Your Customer (KYC) practices remains one of the best ways to combat bad actors. By taking steps from the outset to identify who is using accounts, where money is coming from and going, what the purpose is, and who is pulling the strings, banks and other companies on the front lines of finance can make it that much harder for illegitimate funds to enter the global economy. This not only protects the financial markets but also commerce, communities, and human lives.
KYC and AML requirements in Germany
In 1990, the European Union (EU) introduced the first of a series of AML laws to help reduce financial crimes by financial institutions in its member states. Germany, one of the founding members of the EU, has adhered especially closely to these laws, and they formed the basis of the German Anti-Money Laundering Act (Geldwäschegesetz or GwG), which passed in 1993 and was updated in 2003, 2008, 2011, 2014, and 2015.
The GwG is overseen by BaFin which, in turn, operates under the auspices of the Federal Ministry of Finance (Bundesministerium der Finanzen or BMF). The German government makes liberal use of its inter-agency partnerships with the Federal Criminal Police Office (Bundeskriminalamt or BKA) and the Financial Intelligence Unit (Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit or BfDI) to monitor suspicious activities and investigate possible criminal activity.
Under the GwG, financial and adjacent businesses must verify a customer’s name, address, date of birth, place of birth, and nationality using documentary evidence.
Among the acceptable documents are a national identity card, passport, diplomatic passport, passport replacement papers, residential papers, and birth certificate.
Following on the heels of the fourth EU anti-money laundering directive approved in 2015, the newest Customer Due Diligence (CDD) measures require financial institutions to also identify and verify the identity of beneficial owners and politically exposed persons (PEPs), as well as establishing central registers for beneficial ownership information. The directive also mandated new measures to combat terrorist financing, such as requiring member states to freeze terrorist assets.
KYC and KYB challenges in Germany
KYC is specific to requirements impacting individuals using financial products; when the businesses are the direct customers, the process is often referred to as Know Your Business (KYB).
When it comes to due diligence requirements under KYB, Germany typically requires at least the following information:
Businesses with KYB obligations
While financial institutions, banks, and insurance companies are the focus of EU requirements for AML, the list of other obligated businesses is extensive, also including:
- Reinsurance companies
- Electronic and digital money institutions
- Holding companies
- Real estate agents
- Lawyers and legal advisors if they are involved in asset management, taxes, account openings, mergers and acquisitions, etc.
- Notaries
- Auditors
- Trustees
- Dealers, transporters, and storers of art
- Organizers of certain games of chance such as online gaming and other gambling that is not otherwise covered by permits
Customer Due Diligence
KYC measures are part of a series of risk assessments that banks and other entities complete as part of the Customer Due Diligence (CDD) process. If the customer is determined to be low risk for money laundering and other financial crimes after reviews and screenings are completed, the simplified due diligence processes outlined above will be sufficient for local regulators. If the risk is found to be elevated, for instance because a beneficial owner’s screening indicated concerns about geography, negative news, or a PEP, additional or enhanced due diligence will be required.
The GwG identifies several business and service types that require additional due diligence, including:
- Cash-intensive businesses
- Businesses in higher-risk geographies
- Businesses with unusual activities
- Businesses with complex ownership structures
- New and disruptive technology
- Businesses involving precious metals or gems; tobacco; and archeological or cultural, religious, or historically significant items
Privacy measures
Germany takes cultural pride in its commitment to protecting residents and their right to data privacy. The German Federal Data Protection Act (Bundesdatenschutzgesetz or BDSG), approved in 2018, builds on the EU's General Data Protection Regulation (GDPR).
Under the BDSG, businesses in Germany must meet strict protocols when it comes to collecting, processing, storing, and disclosing the personal information belonging to their customers and users. These measures are further reflected in the GwG and KYC requirements, such as data storage, data deletion, and automated processing of data. For example, stored data must be deleted after five years under the law.
New verification methods in Germany
Germany is letting technology lead the way when it comes to AML. Video-based verification, electronic ID cards, and electronic signatures are the latest innovations.
Since 2017, BaFin has allowed banks and other entities to use real-time, encrypted video verification when face-to-face verification of identity is not possible, for example when individuals are seeking to open bank accounts but are unable to be physically present in a branch. This made complex transactions like buying a home seamless during the COVID-19 pandemic.
Electronic ID cards (eIDs) have been issued by the federal government since 2010 to all German citizens, and the cards have been available on mobile phones since 2021. The GwG further allows these IDs to be used for AML purposes. Since the stored data on the IDs encompasses the minimum standard requirements of KYC for individuals — legal name, date of birth, place of birth, residential address, and nationality — presenting an eID can fully validate an identity in many cases.
The electronic Identification, Authentication and Trust Services (eIDAS) regulation is a 2014 European Commission regulation that allows for electronic signatures, documentation, and authentication in and across EU member states.
Under eIDAS, a qualified electronic signature (QES) is acceptable as an equivalent for a handwritten signature for authorizing banking activity. A QES can only be issued by a qualified trust service provider. Such signatures can be used for a variety of banking needs, including cross-border account activity.
Looking ahead, the European Commission is actively working to increase cross-border acceptance of eIDs and other technology, which could be the next frontier for Germany, as well as artificial intelligence and biometric-based verification.
Penalties for non-compliance
Money laundering carries stiff penalties in Germany for both individuals and businesses.
Any individual found guilty with malicious intent could face anywhere from three months to five years in prison. If they are found to be working as part of a gang or commercial money laundering enterprise, the punishment can be doubled. Individuals who didn’t realize they were laundering or working with criminal funds may face only a fine or up to two years in prison, or may be spared completely from criminal liability if they voluntarily report their suspicions to authorities or if their actions result in stopping the crime or seizing the original stolen goods.
Individuals, such as executives who conceal ill-gotten gains from money laundering, can face additional sanctions, such as disqualification from holding that level of responsibility at a company for a period of time or permanently.
Companies can lose certain industry licenses locally or even internationally and they face stiff fines. Per the GwG, companies failing to comply with administrative AML regulations can face fines between €50,000 and €1 million, or twice the benefits gained from the crime. Negligent failures garner the highest fines. If a company is found to have systemic or serious failures, the fines can go up to €5 million.
Preparing for KYC and KYB compliance in Germany
Germany has one of the world’s largest economies, making it a target for financial crimes. Smart companies know to do their due diligence before rolling out new products or making significant business changes. They employ knowledgeable advisors who stay current on regulations, create thorough but appropriate procedures, and properly train their employees.
In 2023, BaFin officials praised German companies for making significant strides in protecting the country, but cautioned there is still work to do, specifically:
- Better AML risk assessments and thorough and appropriate follow-ups on the findings
- Responsible outsourcing and in-person vetting of third parties
- Careful innovation, including enforcing standards when partnering with technology companies
How Persona can help you handle KYC in Germany
Persona is recognized as a trusted partner for innovative and secure compliance solutions. Our identity platform provides the critical components needed to customize the KYC process and fit your exact onboarding and periodic review specifications. Choose which types of verifications and checks to implement, add fraud prevention, and integrate third-party data to make compliant and strategic decisions.
We also offer solutions for continuous monitoring for both AML compliance and fraud prevention. And Persona can securely store customer data, including users’ personally identifiable information (PII), to help stay GDPR and GwG compliant.