The so-called interpretation and application guidelines – dubbed AuA in German (Auslegungs- und Anwendungshinweise) – are the consolidated guidance of an anti-money laundering (AML) authority on its view of the German Money Laundering Act (the GwG). While AML risks in the German financial market are centrally supervised by the Federal Financial Supervisory Authority (BaFin), competence for the German non-financial sector is scattered among many local and state-level AML authorities.
To secure a harmonized interpretation of the GwG among all authorities overseeing dealers in goods, real estate brokers and further non-financial entities, AML regulators across Germany issue a common AuA, which is in many ways similar to BaFin’s version. However, the AuA for non-financial sector entities have so far not allowed Know Your Customer (KYC) checks by means of video identification, a common practice in the financial industry for many years. Instead, obliged entities had to either physically meet their business partners or make use of a limited list of other services, such as the German postal PostIdent procedure.
The competent AML authorities at state and municipal level published a revised version of the non-financial sector AuA in mid-June 2023, finally allowing video identification and addressing further practical issues.
I. Target audience of the amendments
The common AuAs for non-financial sector entities apply to a broad range of obliged entities subject to German AML requirements. These include, among others:
- dealers in goods (anyone selling goods commercially) and art brokers (including auctioneers and galleries),
- certain insurance intermediaries, and
- real estate agents, when commercially brokering the conclusion of purchase, lease or rental agreements.
II. What is video identification?
Many people who have opened a bank account in recent years have come across video identification in one way or another. Neo banks and other digital platforms have made extensive use of the option of remotely identifying their customers, especially during COVID lockdowns.
Obliged entities must carry out customer due diligence measures, which include the identification of the customer. The data provided by the customer must be verified based on official documents, such as identity cards. This is easily done on-site, but much riskier in the digital world. On-site, the employee verifying the identity can inspect the official document’s security features, compare the photo with the person, and also be sure that the person to be identified actually exists. In the digital world, it is more complex, especially considering the enormous potential of artificial intelligence for so-called deepfakes.
III. Which requirements must be met concerning video identification?
To ensure an equal level of protection for video identification of a customer, the procedure must fulfill certain strict requirements. For the financial sector, the AuA do not specify these requirements themselves but rather reference the requirements stipulated by BaFin in its Circular 3/2017. This circular has now been declared applicable for the non-financial sector.
In essence, these requirements are:
- Trained employees: Video identification may only be carried out by appropriately trained employees of the obliged entity or of a third party to which the obliged entity outsourced the KYC procedure. At the very least, the employees in question need to be familiar with the features of the documents permitted in the video identification procedure, the common counterfeiting possibilities, and the relevant anti-money laundering and data protection regulations.
- Premises: The procedure must take place in a room separated from the other business rooms of the obliged entity and accessible only to certain persons.
- Consent: At the beginning, the customer must give his/her consent to the data processing.
- Technical and organizational requirements: Mechanisms must be used in the allocation of identification processes to employees to counteract the predictable allocation of cases and thus the resulting possibility of manipulation.
- Real-time: Video identification must be carried out in real time and without interruption. For the audio-visual communication between the staff member and the person to be identified only end-to-end encrypted video chats are permitted.
- Validity and plausibility checks: Obliged entities must ensure that the data that they have obtained during the KYC measure is valid and plausible. This includes an automated calculation of the check digits contained in the machine-readable zone, a cross-comparison of the information contained therein with the information in the field of view of the ID document, as well as a comparison with other features of the ID document.
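The check-digit calculation and cross-comparison named in the last requirement can be sketched as follows. This is an added example, not part of the AuA or the BaFin circular; it assumes the three-line TD1 card layout and the 7-3-1 weighting of ICAO Doc 9303, and the function names and the sample data are hypothetical.

```python
# Added example (not from the page): TD1 ID-card MRZ checks per ICAO Doc 9303.
WEIGHTS = (7, 3, 1)  # repeating weights of the ICAO check-digit scheme

def char_value(c):
    """Map an MRZ character to its numeric value (0-9, A=10..Z=35, '<'=0)."""
    if "0" <= c <= "9":
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"illegal MRZ character: {c!r}")

def check_digit(field):
    return str(sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10)

def parse_td1(lines):
    """Return (fields, check results) for a 3x30 TD1 MRZ."""
    if len(lines) != 3 or any(len(line) != 30 for line in lines):
        raise ValueError("TD1 MRZ must be 3 lines of 30 characters")
    l1, l2, l3 = lines
    surname, _, given = l3.partition("<<")
    fields = {
        "document_number": l1[5:14].replace("<", ""),
        "date_of_birth": l2[0:6],    # YYMMDD
        "date_of_expiry": l2[8:14],  # YYMMDD
        "surname": surname.replace("<", " ").strip(),
        "given_names": given.replace("<", " ").strip(),
    }
    composite = l1[5:30] + l2[0:7] + l2[8:15] + l2[18:29]
    checks = {
        "document_number": check_digit(l1[5:14]) == l1[14],
        "date_of_birth": check_digit(l2[0:6]) == l2[6],
        "date_of_expiry": check_digit(l2[8:14]) == l2[14],
        "composite": check_digit(composite) == l2[29],
    }
    return fields, checks

def validate(lines, visual_zone):
    """List findings; an empty list means MRZ and visual zone are consistent."""
    fields, checks = parse_td1(lines)
    findings = [f"check digit mismatch: {k}" for k, ok in checks.items() if not ok]
    findings += [f"MRZ/visual mismatch: {k}" for k, v in visual_zone.items()
                 if fields.get(k) != v.upper()]
    return findings

# Specimen-style sample for the fictitious issuing state "UTO"; not a real document.
SAMPLE = ["I<UTOD231458907".ljust(30, "<"),
          "7408122F1204159UTO".ljust(29, "<") + "6",
          "ERIKSSON<<ANNA<MARIA".ljust(30, "<")]
# Hypothetical visual-zone data as keyed in by the agent, dates normalised to YYMMDD.
VISUAL = {"document_number": "D23145890", "date_of_birth": "740812",
          "date_of_expiry": "120415", "surname": "Eriksson", "given_names": "Anna Maria"}
```

Names containing characters outside A-Z are transliterated in the MRZ, so a production comparison has to normalise the visual-zone name before comparing it.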
Not every obliged entity will be able to fulfil these granular requirements in-house; those that cannot will have to rely on external service providers if they intend to identify their customers remotely. A broad range of such providers already offer their services to the financial sector. Those providers will likely start providing their services to non-financial sector entities, too.
By fully adopting the BaFin circular, the AuA for non-financial sector entities inherit some of its shortcomings. For example, the BaFin circular prohibits a further delegation of the customer due diligence measures from the service providers to a third party. This makes it legally impossible to engage, for example, external call centers and requires the service provider to carry out the video identification in-house. This will typically result in higher costs of the video identification.
The reference to the BaFin circular also raises the question whether future amendments of Circular 3/2017 will automatically apply to non-financial sector entities that want to rely on video identification measures.
IV. Impact of these changes in practice
The newly established legitimacy of video identification measures is a significant improvement for non-financial sector obliged entities that provide their services online. Platforms that deal in art or real estate or carry out insurance brokerage activities, for example, can now rely on a well-established administrative practice. This move will provide certainty to the obliged entities that want to rely on video identification in the course of their activities. An ID card and a smartphone can now be sufficient for customers to confirm their identity across a broad range of sectors. A personal journey to the local post office (for the so-called PostIdent) is no longer necessary. This represents a considerable convenience for customers.
However, the AuA update allowing VideoIdent for certain non-financial sector entities comes at a time when the procedure is already under heavy scrutiny. BaFin has been warning about the misuse of VideoIdent by criminals for some time already and referred to the technology in a recent evaluation as a bridge technology, acknowledging its shortcomings. Advancing artificial intelligence and deepfake videos will further call into question the legitimacy of VideoIdent as a KYC measure, as a recent report published by the European Union Agency for Cybersecurity has shown.
V. Other amendments
The changes to the AuA are not limited to the introduction of video identification for non-financial sector entities. The amendments also contain further clarifications, of which the following points are particularly noteworthy:
The AuA now expressly clarify that private equity funds (PEs) may qualify as financial institutions and are, therefore, to be considered as obliged entities and subject to AML requirements. PEs will be supervised by local and state-level AML authorities. Financial holding companies, on the other hand, are subject to AML supervision by the BaFin.
The AuA also clarify that in addition to the contracting party (which is likely to be a legal entity), the GwG also requires the identification of the persons acting on behalf of the contracting party: for example, a managing director of a limited liability company, but also a mere messenger. The AuA now clarify that a person acting on behalf of the contracting party does not have to be identified if he or she does not fulfil a "risk-relevant function" in the conclusion or execution of the contract. This exception requires a subordinate function within the scope of the business conduct, such as the mere handling of correspondence.