BaFin updates AML guidance

The German Financial Services Supervisory Authority, BaFin, has published a revised version of its interpretation and application guidance (Auslegungs- und Anwendungshinweise, AuAs) on the German Anti-Money Laundering Act (Geldwäschegesetz, GwG). The AuAs reflect BaFin’s administrative practice in relation to the application of the GwG. While the AuAs are, strictly speaking, not legally binding, they are considered to have a de-facto binding effect. Therefore, changes to the AuAs may generally have a significant impact on financial institutions.

The below is an overview of five key changes:

1. Money laundering reporting officer (MLRO): Obliged entities are required to appoint an MLRO, who is – by law – required to carry out his/her activities in Germany. The interpretation of this requirement has often been the subject of debates in practice, as BaFin had previously recognised that the MLRO function can be outsourced to foreign parent undertakings or head offices.
   • BaFin has now clarified that the “appointment of the deputy MLRO abroad is permitted as long as the deputy carries out his/her activities in Germany when deputising”. 
   • BaFin arguably continues to permit a delegation of the MLRO function to a foreign parent undertaking. This delegation is now expressly classified as outsourcing.
2. Re-KYC: Compared to other EU AML supervisors, BaFin has in the past taken a comparatively lenient approach to updating KYC information. In light of the upcoming stricter requirements of the European Anti-Money Laundering Regulation (AMLR – see our extensive navigator), the Re-KYC cycles are now increased significantly as follows:
   • Low risk clients: risk adequate intervals (used to be after 15 years);
   • Normal risk clients (i.e. neither low nor high risk): up to five years (used to be after ten years); and
   • High risk clients: every year (used to be after two years).
3. Suspicious activity reporting (SARs): Obliged entities are required to notify the Financial Intelligence Unit (FIU) immediately after becoming aware of facts that may indicate money laundering. Certain triggers for SARs and subsequent obligations have now been clarified:
   • BaFin has published separate guidance on SAR reporting, clarifying among others the deadlines for reporting and the critieria for the completeness of SARs. 
   • BaFin has also clarified that an inconsistency notice to the transparency register (section 23a GwG) relating to the relevant ultimate beneficial owner does not automatically trigger the necessity to file a SAR.
   • Section 46(1) GwG states that obligated entities are only allowed to carry out a transaction “at the earliest” on the third working days after submission of the SAR. This has now been clarified by BaFin, following a number of court decisions in this respect. In principle, obliged entities shall now carry out a transaction after the end of the third working day following the SAR, unless the FIU or the public prosecutor’s office has prohibited the transaction. 
4. Outsourcing: BaFin has clarified that the delegation of internal safeguards as defined in section 6 GwG (such as the appointment of an MLRO or the assessment of the reliability of employees) always qualifies as the outsourcing of a critical/important function. Banks in particular will, therefore, need to comply with the additional requirements stipulated by the EBA and BaFin’s MaRisk in this respect. BaFin has also confirmed that the delegation of tasks and activities to the parent undertaking or head office qualifies as outsourcing.
5. Branches: For branches of EU firms, it has previously not been fully clear who should act as the “member of the management body responsible for AML”. Such branches have a permanent representative and not a full management body. BaFin has now clarified that the permanent representative of the branch shall be the member of the management body responsible for AML.