{"id":2563,"date":"2025-05-12T10:14:00","date_gmt":"2025-05-12T08:14:00","guid":{"rendered":"https:\/\/rp.pleeg-staging.de\/?post_type=news&p=2563"},"modified":"2025-06-17T18:47:28","modified_gmt":"2025-06-17T16:47:28","slug":"neue-bafin-auslegungs-und-anwendungshinweise-2025-ueberblick-zu-den-wichtigsten-aenderungen","status":"publish","type":"news","link":"https:\/\/rp.pleeg-staging.de\/eng\/news\/neue-bafin-auslegungs-und-anwendungshinweise-2025-ueberblick-zu-den-wichtigsten-aenderungen\/","title":{"rendered":"New BaFin interpretation and application notes 2025 \u2013 Overview of key changes"},"content":{"rendered":"

a) Scope and applicability<\/strong><\/h2>\n\n\n\n

The guidance applies to all obliged entities under BaFin supervision, including crypto asset service providers (CASPs) and specific issuers of asset-referenced tokens, as defined in MiCAR.\nNotably, the previous exemption for payment initiation service providers has been removed. These entities must now comply fully with the GwG, including general and enhanced due diligence, internal safeguards, and risk assessments.<\/p>\n\n\n\n

b) Risk analysis - restructured<\/strong><\/h2>\n\n\n\n

The risk analysis under \u00a7\u202f5 GwG is now divided into a clear four-step methodology:<\/p>\n\n\n\n

1. Inventory of business activities, customer base, products, and services \u2013 ideally illustrated (e.g. with tables or graphs).<\/p>\n\n\n\n

2. Risk identification using internal data and external sources (FIU typologies, EBA guidelines, FATF reports, EU supranational risk assessment).<\/p>\n\n\n\n

3. Gross and net risk assessment \u2013 gross before applying mitigation measures, net after, taking effectiveness into account.<\/p>\n\n\n\n

4. Definition of specific mitigation measures tailored to the business model.<\/p>\n\n\n\n

A separate assessment of money laundering and terrorist financing risks is explicitly required.\nThe methodology must be documented, and results summarised in a management summary.<\/p>\n\n\n\n

c) Internal safeguards<\/strong><\/h2>\n\n\n\n

aa) Obligation to implement the Funds Transfer Regulation (GTVO)<\/h3>\n\n\n\n

Financial sector entities \u2013 including banks, PSPs, and CASPs \u2013 must ensure compliance with the GTVO, effective 30 December 2024, as part of their internal safeguards.<\/p>\n\n\n\n

bb) Organisation and role of the MLRO<\/h3>\n\n\n\n

Appointment\/removal of the MLRO or deputy must be reported at least two weeks before the role begins\/ends.<\/p>\n\n\n\n

Responsibilities, powers, and any division of duties must be documented. A deputy may live abroad but must be available to act in Germany if needed.<\/p>\n\n\n\n

The MLRO must prepare a control plan with audit-proof documentation.<\/p>\n\n\n\n

cc) Internal whistleblowing unit<\/h3>\n\n\n\n

A single internal whistleblowing unit is sufficient to meet the requirements of the GwG, HinSchG, and GTVO.\nUnlike under HinSchG, this is mandatory regardless of staff size. Under GTVO, anonymous reporting must be enabled.<\/p>\n\n\n\n

dd) Outsourcing<\/h3>\n\n\n\n

BaFin confirms: outsourcing an internal safeguard under \u00a7\u202f6(7) GwG is always considered material outsourcing within the meaning of \u00a7\u202f25b KWG, \u00a7\u202f26 ZAG, \u00a7\u202f40 WpIG, or \u00a7\u202f32 VAG.\nOutsourcing to providers based in high-risk third countries is generally prohibited.<\/p>\n\n\n\n

d) Customer due diligence (CDD)<\/strong><\/h2>\n\n\n\n

aa) Indications of business relationships<\/h3>\n\n\n\n

A business relationship exists only if the contact is intended to be ongoing. Mere contract initiation is insufficient.\nThe specific circumstances matter: a short time frame may indicate continuity, but even irregular contacts may qualify.<\/p>\n\n\n\n

bb) Verification of customer information<\/h3>\n\n\n\n

All documents used for identification \u2013 not just ID cards, but also guardianship or birth certificates \u2013 must be checked in the original.\nThis creates new practical challenges for obliged entities.<\/p>\n\n\n\n

cc) Verification of company register extracts<\/h3>\n\n\n\n

Commercial register extracts (or equivalents) must be no older than three months at the time of first processing.\nFor foreign registers, equivalence with German registers must be assessed in advance \u2013 easy within the EU, more demanding for third countries.<\/p>\n\n\n\n

dd) Identifying beneficial owners<\/h3>\n\n\n\n

When a notification of discrepancy, doubt, or increased risk exists, entities must use various sources such as articles of association or shareholder lists.<\/p>\n\n\n\n

A direct inquiry with the customer is required \u2013 merely consulting registers or databases is not enough.\nWhether to collect additional data (e.g. country of residence) is to be decided risk-based.<\/p>\n\n\n\n

BaFin also clarifies: an acknowledgement from the Transparency Register is not proof of registration.<\/p>\n\n\n\n

ee) Politically exposed persons (PEPs)<\/h3>\n\n\n\n

Entities must independently determine whether a customer or beneficial owner is a PEP, even in addition to the official EU PEP list.<\/p>\n\n\n\n

ff) Ongoing monitoring<\/h3>\n\n\n\n

In factoring, all inflows and outflows must be continuously monitored.\nCASPs must use blockchain analysis tools and implement electronic transaction monitoring when exchanging crypto for fiat currency.<\/p>\n\n\n\n

gg) Shortened KYC data update intervals<\/h3>\n\n\n\n

Update intervals for customer information are now shorter:<\/p>\n\n\n\n

- Enhanced due diligence: annually<\/p>\n\n\n\n

- General due diligence: every 5 years<\/p>\n\n\n\n

- Simplified due diligence: risk-based<\/p>\n\n\n\n

hh) Self-hosted wallets: enhanced due diligence<\/h3>\n\n\n\n

For transactions to\/from self-hosted crypto addresses, entities must assess and mitigate ML\/TF\/sanctions risks under \u00a7\u202f15a GwG.\nBaFin allows flexibility (e.g. blockchain tools), but screenshots are not acceptable proof.<\/p>\n\n\n\n

e) Record-keeping obligations<\/strong><\/h2>\n\n\n\n

Digital copies of ID documents are permitted but must be created by the obliged entity itself.\nCopies provided by customers \u2013 even if previously verified in person \u2013 are not allowed.\nThe self-scanning must be audit-proof.<\/p>\n\n\n\n

f) Suspicious activity reports and due diligence<\/strong><\/h2>\n\n\n\n

A discrepancy report under \u00a7\u202f23a GwG does not in itself constitute a suspicious activity under \u00a7\u202f43 GwG.\nTherefore, no SAR obligation arises from it alone.<\/p>\n\n\n\n

When a SAR is submitted, enhanced due diligence applies (\u00a7\u202f15(2) GwG).\nIf no response from the FIU is received within 21 days, and no further risk is present, these enhanced measures may lapse \u2014 except for terrorist financing, where they must remain in place for at least six months.<\/p>\n\n\n\n

BaFin also clarifies the three-day rule under \u00a7\u202f46 GwG:\nAfter three working days, transactions must generally be released unless there is a formal prohibition or an overriding suspicion of money laundering or terrorist financing.<\/p>\n\n\n\n

Note: For a detailed analysis, see the article by our experts Markus Haufellner, Dr. Lars Haffke, and Emilie Heinrichs in BKR:\nHaufellner\/Haffke\/Heinrichs, \u201cCurrent developments in anti-money laundering law\u201d, Zeitschrift f\u00fcr Bank- und Kapitalmarktrecht (BKR), 2025, p. 392.<\/em><\/p>","protected":false},"author":2,"featured_media":2564,"template":"","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"kategorie":[],"class_list":["post-2563","news","type-news","status-publish","has-post-thumbnail","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/rp.pleeg-staging.de\/eng\/wp-json\/wp\/v2\/news\/2563","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rp.pleeg-staging.de\/eng\/wp-json\/wp\/v2\/news"}],"about":[{"href":"https:\/\/rp.pleeg-staging.de\/eng\/wp-json\/wp\/v2\/types\/news"}],"author":[{"embeddable":true,"href":"https:\/\/rp.pleeg-staging.de\/eng\/wp-json\/wp\/v2\/users\/2"}],"version-history":[{"count":3,"href":"https:\/\/rp.pleeg-staging.de\/eng\/wp-json\/wp\/v2\/news\/2563\/revisions"}],"predecessor-version":[{"id":2567,"href":"https:\/\/rp.pleeg-staging.de\/eng\/wp-json\/wp\/v2\/news\/2563\/revisions\/2567"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rp.pleeg-staging.de\/eng\/wp-json\/wp\/v2\/media\/2564"}],"wp:attachment":[{"href":"https:\/\/rp.pleeg-staging.de\/eng\/wp-json\/wp\/v2\/media?parent=2563"}],"wp:term":[{"taxonomy":"kategorie","embeddable":true,"href":"https:\/\/rp.pleeg-staging.de\/eng\/wp-json\/wp\/v2\/kategorie?post=2563"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}