Financial Sector Assessment Program-Anti-Money Laundering and Combating the Financing of Terrorism-Technical Notes

This paper sets out the findings and recommendations in the selected areas of Germany’s Anti- Money Laundering and Combating the Financing of Terrorism (AML/CFT) regime made in the context of the Financial Sector Assessment Program. It summarizes the findings of a targeted review of Germany’s money laundering offense, measures to ensure the transparency of legal persons, and the implementation of AML/CFT measures by banks with cross-border operations. According to the 2010 Mutual Evaluation Report, Germany is vulnerable to ML and FT for following reasons: its strategic location in Europe and large economy, open financial center, open borders, and strong international linkages.


This paper sets out the findings and recommendations in the selected areas of Germany’s Anti- Money Laundering and Combating the Financing of Terrorism (AML/CFT) regime made in the context of the Financial Sector Assessment Program. It summarizes the findings of a targeted review of Germany’s money laundering offense, measures to ensure the transparency of legal persons, and the implementation of AML/CFT measures by banks with cross-border operations. According to the 2010 Mutual Evaluation Report, Germany is vulnerable to ML and FT for following reasons: its strategic location in Europe and large economy, open financial center, open borders, and strong international linkages.

Executive Summary

This note sets out the findings and recommendations in selected areas of Germany’s anti-money laundering and combating the financing of terrorism (AML/CFT) regime made in the context of the Financial Sector Assessment Program (FSAP). It summarizes the findings of a targeted review of Germany’s money laundering (ML) offense, measures to ensure the transparency of legal persons,1 and the implementation of AML/CFT measures by banks with cross-border operations. This analysis is not an evaluation or assessment of the German AML/CFT system, and does not result in ratings of compliance with the AML/CFT standard, i.e., the Financial Action Task Force (FATF) 2012 40 Recommendations. Germany is expected to undergo a mutual evaluation (ME) by the FATF in 2021.

The last ME (conducted in 2009, with a report adopted by FATF in 2010) found that Germany had implemented an AML/CFT system that was broadly in line with the international standard, although deficiencies remained. Key deficiencies included shortcomings in the ML and terrorist financing (TF) offenses, the regime for the freezing of terrorist assets, suspicious transactions reporting requirements, some customer due diligence (CDD) measures applicable to financial institutions, as well as the lack of adequate transparency of beneficial ownership (BO) information of German legal persons.

Since then, Germany has introduced a significant number of reforms to enhance its AML/CFT regime. Legislative reform included amendments to: the Banking Act and the Anti-Money Laundering Act to improve CDD and suspicious transaction reporting requirements and AML/CFT supervision; the Criminal Code to strengthen the ML offense; and the Stock Corporation Act to immobilize bearer shares. New institutional arrangements, including for domestic cooperation and enhanced supervision for designated non-financial businesses and professions (DNFBP), have also been put in place. In light of the new requirements under the 2012 AML/CFT standard, Germany is currently conducting a national assessment of its ML and TF risks (NRA).

Germany notably strengthened its ML offense by criminalizing self-laundering in 2015. The offense appears to cover the conversion, transfer, concealment, disguise and acquisition of property with the knowledge that they are proceeds of crime. It does not cover possession and some aspects of the use of the proceeds of crime. However, under the international standard, countries may exclude these elements from their ML offense if the fundamental principles of domestic law prevent such criminalization, which appears to be the case in Germany.

Germany has also expanded the list of predicates offenses to ML but further minor improvements are necessary. Insider trading and market manipulation, counterfeiting and piracy of products are now predicate offenses. Tax crimes and some misdemeanors are predicate offenses to ML when they are undertaken on a commercial basis or by a member of a gang (as defined below). Tax crimes and misdemeanors committed by an individual that generate significant amounts of proceeds are not captured.

Measures have been taken to ensure the transparency of German legal persons that are in business relationship with banks, but not in other instances. Competent authorities have direct access to the information collected by banks on the beneficial owners of their corporate customers, through a data retrieval system populated by banks; however, they do not have similar access to information collected by non-banks and DNFBPs. While access to the data retrieval system is particularly useful, it is not sufficient to ensure adequate transparency in all cases.

Germany also improved its AML/CFT supervision regime. In particular, the Audit Report Regulation establishes a checklist for auditors and a requirement to assess compliance with specific AML/CFT obligations and implementation of enhanced AML/CFT audits when required. This provides a certain level of consistency between the work of the auditors and the Federal Financial Supervisory Authority‘s (BaFin) risk-based framework for AML/CFT supervision. BaFin, in its own analysis of ML and TF risks, also uses more fine-tuned risk weightings including assigning higher weightings for group-wide implementation of AML/CFT measures and correspondent banking. Guidance on the implementation of AML Act has been provided.

Notwithstanding these improvements, some German banks with cross-border operations have been subject to significant sanctions by foreign regulators for AML/CFT and sanctions violations with respect to their overseas operations. This indicates that there is a need to enhance implementation of the Audit Report Regulation requiring auditors to pay special attention to the banks’ risk assessments and applicable control measures, including correspondent banking risks. This would include, when warranted, BaFin’s review of auditors’ working papers. Enforcement of the existing administrative obligations that require banks and auditors to take into account group-wide cross-border risks in their risk assessments could also be strengthened. This is critical to safeguard BaFin’s continued reliance on audit reports and banks’ internal assessments for AML/CFT supervision. Enhanced efforts to complete the NRA will help the authorities better assess and understand the risks that originate from cross-border banking operations.

There is also a need to enhance banks’ group-wide risk management policies and controls at the parent level to identify, assess and mitigate ML/TF and related risks in overseas operations. Improvements are warranted in banks’ compliance and corporate governance frameworks, consolidated risk assessment and internal audit functions.

Enhanced supervisory synergies between the ECB’s prudential supervision and BaFin’s AML/CFT supervision of significant banks can be improved. These synergies may be particularly relevant in the context of joint onsite inspections. Additionally information exchange between ECB, BaFin and Bundesbank could be streamlined and enhanced in line with the cooperation and information-sharing framework that exists between BaFin’s prudential and AML/CFT supervisory departments/functions. BaFin’s AML/CFT supervisory staff is currently insufficient even though the proportion of entities per supervisor decreased from 200 in 2009 to about 124 in 2016.

Table 1.

Main Recommendations

article image


1. This Technical Note (TN) provides a targeted review of a few areas of the German AML/CFT system in the context of the FSAP. This review is undertaken on the basis of the Fund’s policy that requires timely and accurate AML/CFT input into every FSAP. It does not constitute not an assessment of Germany’s level of compliance with the AML/CFT standard, nor of its effectiveness in combating ML and TF; it does not include ratings of compliance and will not result in a Report on the Observance of Standards and Codes. Germany’s next assessment against the current AML/CFT standard is expected to be conducted by the Financial Action Task Force (FATF) in 2021.

2. Staff’s review focused mainly on Germany’s progress in strengthening its ML offense and AML/CFT supervisory framework, and in increasing the transparency of legal persons. In addition to a factual update on the main progress made since the last AML/CFT assessment conducted by the Fund and adopted by the FATF as Germany’s third mutual evaluation report (MER) in 2010, this note examines: the scope of the ML offense in light of the 2012 standard, focusing on Germany’s new self-laundering offense and coverage of predicate offenses to ML, in particular tax crimes; the framework for the access to BO information of legal persons; and the AML/CFT supervisory framework over banks with cross-border operations.

3. According to the 2010 MER, Germany is vulnerable to ML and TF for a number of reasons. These include its strategic location in Europe and large economy, open financial center, open borders and strong international linkages. The MER estimated that Germany had a large informal sector, and that the use of cash was high. It also estimated that crime in Germany generated some EUR 40 to EUR 60 billion (approximately $60–80 billion)3 per year (inclusive of tax evasion). Germany currently has the highest number of credit institutions and foreign branches in the European Union (EU). The large German commercial banks offer a variety of financial services, some with substantial presence abroad. Germany is also home to the sixth largest stock exchange in the world, the Frankfurt Stock Exchange (Frankfurter Wertpapierbörse). It has the largest banking sector in the euro area, with total assets of about EUR 7.85 trillion at the end of 2014, the insurance sector is sizeable, and the bank-insurance linkages are significant.

4. The MER found that Germany had a relatively strong AML/CFT framework, but called for further improvements. Amongst others, key deficiencies were identified in: the criminalization of both ML and TF; the regime for the freezing of terrorist assets; STR requirements; some customer due diligence measures applicable to financial institutions; the sanctions for non-compliance with AML/CFT requirements; and in the information available to the authorities on the beneficial owners of German legal persons.

5. Germany’s AML/CFT supervisory framework over banks was found to be generally sound though some deficiencies were identified. The MER notably highlighted a need for Germany to explicitly require financial institutions to pay particular attention to their branches and subsidiaries in EU or in the European Economic Area (EEA) member states that do not, or insufficiently, apply the FATF Recommendations. Recent sanctions imposed by foreign regulators on some German banks for noncompliance with their national requirements indicate a need to enhance enforcement of measures to require banks with cross-border activities to comply with section 25l (1) sentence 5 of the Banking Act (former section 25g of the 2008 Banking Act, which will be referenced in the following paragraphs).

6. Several factors, such as Germany’s established legal tradition, strong rule of law, stable political environment and low level of corruption, mitigate some of these risks. The ML typologies are nevertheless difficult to determine, and in 2012 and 2013, 39 percent of the suspicious cases transferred by the Financial Intelligence Unit (FIU) to specialized investigative agencies could not be linked to a specific predicate offense. The assessment of the ML/TF risks that Germany is currently conducting in implementation of the 2012 FATF standard should prove useful in reaching a better understanding of the current ML and TF risks and typologies.

7. Staff’s analysis is based on a range of material. Staff reviewed available information, including information submitted by Germany to the FATF on progress made since 2010, answers provided by the authorities to questions submitted by staff ahead of the FSAP mission, and discussions4 during a mission to Germany undertaken in February/March 2016.

Progress since the last Assessment

8. Since the 2010 MER, several amendments to the AML/CFT legislative and regulatory framework have been adopted to address some of the identified deficiencies. The third and last Follow-Up Reports (FURs)5 presented to the FATF highlighted that key legislative actions were taken including amendments to the following: the Criminal Code (Strafgesetzbuch, hereinafter CC); the Anti-Money Laundering Act (Geldwäschegesetz, hereinafter the AML Act); financial laws including the Banking Act (Kreditwesengesetz); and the Administrative Offenses Law. Germany also improved its oversight over DNFBPs by increasing the number of supervisory staff and with the Länder increasing their sanctions over supervised entities. However, the last FUR also noted that (at the time) self-laundering had still not been criminalized. Implementing guidelines and explanatory notes have also been issued and the framework for domestic cooperation greatly enhanced with the formation of several domestic coordination mechanisms, in particular the Forum for the Prevention of Money Laundering and Terrorist Financing, the Federal Government’s AML/CFT policy body, which is chaired by the Federal Ministry of Finance. In its National Action Plan following the 2013 G8-summit in Lough Erne, Germany committed to further strengthen its AML/CFT regime and related implementation measures, in particular with regard to information of company BO, and to undertaking an NRA.

9. Bearer shares have now been immobilized. The potential misuse of bearer shares was seen as a ML vulnerability in the MER. Amendments to the Stock Corporation Act (Aktiengesetz, hereinafter AktG) that entered into force on December 31, 2015 provides that bearer shares can only be issued if: (i) shares of the AkG are publicly listed; or (ii) the shares are immobilized (i.e., by requiring them to be held with a regulated financial institution or professional intermediary). Bearer shares not complying with these requirements are treated as nominative registered shares. Additionally, stock corporations (Aktiengesellschaften, hereinafter AGs) issuing registered shares will have to keep a shareholders’ register. These amendments constitute an important step towards increasing the transparency of German legal persons.

10. Germany is currently conducting a national ML and TF risk assessment (NRA). This is an important development, given that the identification, assessment and understanding of ML and TF risks are the corner stone of the current FATF standard. The NRA should ultimately assist the authorities in better targeting their resources and increasing the effectiveness of the German AML/CFT system.

11. As a member of the EU, Germany will need to transpose the Fourth EU Anti-Money Laundering Directive (4th Directive) in full by June 2017.6 The fourth Directive intends to bring the EU legal framework in line with the FATF 2012 standard, while taking into account the European Commission’s review of the implementation of the Third EU Anti-Money Laundering Directive. It notably includes measures to enhance the transparency of legal persons and arrangements, especially through the establishment of a central register of BO information. Germany is currently working on amendments to the AML Act aimed at establishing a new transparency register, which will include information on beneficial owners who are not yet identified in existing registers. These amendments are due to be completed by June 26, 2017.

12. Important progress was also made in strengthening the ML offense and in AML/CFT supervision. This progress is discussed in more detail below.

Money Laundering Offense

13. This section reports on the extent to which the ML offense meets the requirements of the AML/CFT standard. Effectiveness of the ML offense was not assessed.

A. The Money Laundering Offense and Self-Laundering

14. The 2010 MER found that the ML offense met some but not all the requirements of the standard. This was notably the case because self-laundering was not criminalized, two of the FATF-designated categories of offenses were not predicates to the ML offense, and legal persons could not be held criminally liable. All the physical elements required by the international standard were found to be criminalized by Section 261 of the CC but the ML offense did not apply to the laundering of proceeds of crime by the perpetrator of the predicate offense (i.e., self-laundering). In this respect, the assessors concluded that it was not established that the lack of criminalization of self-laundering was supported by principles that amount to fundamental principles of German law (which would have been acceptable under the standard) and, in particular, where the laundering activity did not simply amount to the mere possession or use, but also involved the transfer or the concealment and disguise through the financial system. Their conclusion was based on court rulings and discussions with practitioners.

15. On November 26, 2015, amendments to the CC entered into force, and made self-laundering a punishable offense under certain circumstances. This constitutes a significant development in Germany. More specifically, the following changes (highlighted in italics) to the exception of self-laundering were introduced in Section 261 (9) of the CC: “Whosoever is liable because of his participation in the antecedent act shall not be liable under subsections (1) to (5) above, either. Exemption from liability […]shall be excluded if the perpetrator or participant brings an object, which is a proceed of one of the unlawful acts named in subsection (1), second sentence, into circulation and, in doing so, conceals the unlawful origin of the object.” Having just been introduced in November 2015, this amendment has not been tested by the courts, and there are therefore no rulings that would clarify the scope of the new offense. The following review is therefore based on discussions with, and other material provided by, the authorities.

16. The self-laundering offense appears to cover the physical elements of conversion, transfer, disguising, concealing and acquisition of the proceeds of crime.7 According to the authorities, “bringing into circulation” is to be interpreted broadly and would cover any act by which: (i) the perpetrator relinquishes control of the object (proceeds of crime); (ii) a third person obtains control over it; and (iii) the perpetrator conceals the unlawful origin of the object. This last element is met when the perpetrator creates the impression of a legal origin when dealing with the object. It is not required that the perpetrator actively deceives someone. For example, the perpetrator of a predicate offense who: a) takes the proceeds of that offense and deposits them into an account in his/her name; b) places the proceeds into a family member’s account; or c) uses the proceeds to buy groceries or a car would be punishable under the new self-laundering offense. The rationale for the punishability of these acts is that by bringing proceeds into circulation, the perpetrator introduces the criminal proceeds into the legal economy, which affects the integrity of the financial system and may distort competition, i.e., a legal interest other than the interest harmed by the predicate offense. It is sufficient that the perpetrator brings the proceeds into circulation, e.g., by simply spending illegally obtained monies. Such acts are not covered and sanctioned by the punishment for the predicate offense itself, and may therefore be criminalized in addition to the predicate offense.

17. The “possession” and some aspects of “use” of the proceeds of crime are, however, not covered by the new offense as their criminalization would contravene a fundamental principle of German law. According to the authorities and the explanatory note to the Bundestag on the amendments, the possession or use of proceeds (e.g., keeping proceeds of crime for oneself and storing or hiding them away) are acts that would typically accompany the predicate offenses and, as such, are already covered and sanctioned by the conviction and punishment for the predicate offense. The authorities indicated that fundamental principles of German law, in particular the rule of law (“Rechtsstaatsprinzip” set out in Article 20, paragraph 3 of the German Constitution) and the prohibition to punish someone twice for the same act (i.e., the “ne bis in idem” principle set out in Article 103 paragraph 3 of the German Constitution) applies in these instances, because the possession and use do not harm a legal interest other than the one protected by the predicate offense. As a result, it is not possible to prosecute and punish someone for the same act or for a behaviour typically linked to a criminal act. For an act to be punishable under the self-laundering offense, it is necessary that this act violates a protected legal interest (“geschütztes Rechtsgut” as an aspect of the “Rechtsstaatsprinzip”) other than the one already covered by the predicate offense. The explanatory note also referred to a third principle, i.e., that there is “special competitive relationship that is consumptive in nature” between the acts that constitute ML and the predicate offense, and this relationship would always rule out punishment for self-laundering in those cases in which the perpetrator is already liable to punishment for the predicate offense. The conducts linked to theft and the use of stolen goods are good illustrative examples of the application of these fundamental principles of German law: according to the authorities, in light of the fundamental principles mentioned above, it is not possible to punish a thief for both stealing money, and keeping the money and hiding it in his/her home, because the punishment for theft is also deemed to sanction subsequent acts that are “socially accepted behaviours” (such as storing and hiding proceeds) where they do not infringe on any additional legal interest. If, however, the perpetrator uses the proceeds of crime and brings them into circulation (e.g., by buying groceries or a car or hides stolen money in a bank account), this constitutes a separate act, which would be punishable under the new provisions in the CC.

18. The authorities provided a legal opinion8 on the self-laundering provision and the application of the abovementioned fundamental principles. The legal opinion concluded that self-laundering (where a third party is not involved)9 is not punishable (page 2, paragraph 1) and in the concluding paragraph on page 65 paragraph 2, “whatever method ones chooses, all roads lead to exemption from punishment. No uniform principle of exemption from punishment emanating from immunity from criminal proceedings for instances in which perpetrators assist themselves after the fact can be justified by these means,” a view that is in some respects contradictory with some aspects of self-laundering that have been criminalized. According to the authorities, the fundamental principles did not prevent Germany from criminalising some aspects of self-laundering, but do prevent them from punishing the mere use and possession of the proceeds of crime. The exclusion of mere use and possession appears to be in line with the findings of paragraph 151 of the MER and the current standard.

B. Predicate Offenses to ML—in Particular Tax Crimes10

19. In 2010, Germany was found to have included most, but not all of the predicate offenses listed in the standard. Of the FATF-designated categories of predicate offenses, insider trading and market manipulation were included as predicate offenses but not criminalized (which rendered their inclusion moot), while counterfeiting and piracy of products were not covered. Assessors therefore recommended ensuring that these offenses be included as predicate offenses to ML.

20. Since then, Germany has expanded the range of predicate offenses to ML to include all FATF designated categories of offenses. Amendments to the CC in 2011 included insider trading, market manipulation, counterfeiting and piracy of products as predicate offenses to ML. In the MER 2010, it was also noted that some of the less serious offenses (misdemeanors) also constituted predicate offenses if certain aggravating circumstances were met. It is to be noted that the international standards provide that when deciding on the range of offenses to be covered as predicate offenses under each of the categories listed above, each country may decide, in accordance with its domestic law, how it will define those offenses and the nature of any particular elements of those offenses that make them serious offenses.

21. Tax crimes, while added to the FATF list of designated offense only recently, constitute predicate offenses to ML in Germany since 2001. The legal framework was further refined in this respect in 2007. The CC11 includes a range of tax crimes as predicate offenses. Professional or violent smuggling,12 tax evasion13 and receiving, holding or selling goods obtained by tax evasion in serious cases14 are predicate offenses to ML if committed on a commercial basis or by a member of a gang.15 16 According to authorities, the aggravating criteria ensure that the range of tax crimes that are included as predicate offenses are limited to serious tax offenses. The notion of an activity conducted “on a commercial basis” refers to the intent on the part of the offender to commit repeated offenses to procure an ongoing source of income of some magnitude and for some duration. Court rulings have determined in this respect that the first tax crime motivated by a pursuit of profit suffices to fulfil this condition;17 this aggravating criterion is thus to be interpreted narrowly as setting a low threshold. The amounts generated by the offense are irrelevant. Therefore, tax evasion committed by a gang (composed of individuals, or legal persons, or a mix of the two) or on a commercial basis is a predicate offense irrespective of the amount evaded. A gang is to be broadly defined as a group of persons formed, explicitly or implicitly, for the purpose of committing a number of autonomous and as yet unspecified acts of ML. Under the rulings by the Federal Court of Justice, a gang must be comprised of at least three people. Certain types of misdemeanours also constitute predicate offense to ML when committed on a commercial basis or by a member of a gang.

22. Tax crimes (as well as some of the misdemeanours mentioned above) may, however, generate large amounts of proceeds even in the absence of aggravating circumstances. These single events would normally qualify as “serious crimes” and, as such, should constitute predicate offenses to ML.

C. Conclusions and Recommendations

23. The recent criminalization of self-laundering strengthens the German ML offense. Read in light of the authorities’ explanations, the new offense appears to be in line with the standard. The interpretation of this new offense (and in particular of the notion of “bringing into circulation”) could, however, prove challenging, and would therefore benefit from clear court rulings.

24. Some offenses that should be considered as serious in light of the amounts of proceeds that they generate are not currently predicate offenses to ML. This is the case of tax evasion or some misdemeanors committed by individuals (as opposed to members of a gang) that generate significant amounts of proceeds. The 2010 MER recommended ensuring that the predicate offense for ML include a range of offenses in each category by removing the aggravating requirement that the predicate offense was committed to make a profit or by a member of a gang. Germany could also consider including, in the tax crimes and misdemeanors mentioned above, a reference to significant amount of proceeds of crime or a specific Euro threshold to ensure that all serious crimes within the FATF-designated categories of offenses constitute predicate offenses to ML in Germany.

AML/CFT Supervisory Framework over Banks

A. Background

25. The Single Supervisory Mechanism (SSM) comprising the ECB and the national competent authorities (NCAs)) entered into operation on November 4, 2014. The ECB directly supervises the significant institutions, which include 21 banking groups in Germany. The NCAs supervise the less significant institutions under the general oversight of the ECB.

26. AML/CFT supervision in individual member states does not fall under the SSM supervisory framework. The German national competent authority, i.e., BaFin, is in charge of AML/CFT supervision for both significant and less significant institutions. Nonetheless, the SSM-wide supervision does take into account AML/CFT as part of its governance and broader compliance assessment. SSM-wide framework provides for consolidated supervision of banks operating outside of Germany (whether in an EU member or non-member state) including on a sub-consolidated and solo institution basis but this does not cover AML/CFT specifically. BaFin and the Bundesbank receive consolidated annual accounts and other group-wide reports of banking groups, which contain inter alia assessments of AML/CFT compliance.

27. The ECB is required to cooperate with the German national authorities including with BaFin with respect to AML/CFT (SSM Regulation Recital 29). The ECB is not an AML/CFT supervisor but should have an understanding of ML/TF related risks for its overall understanding and supervision of risk. It is also concerned about financial crimes affecting banks and the applicable internal controls from a prudential perspective. Information on ML/TF risks available to the ECB is based on information provided directly by banks to the ECB and on BaFin’s and external auditors’ knowledge of institutional risk, as they are the front line AML/CFT supervisors.

28. BaFin is an operationally independent federal public authority subject to the oversight of the Federal Ministry of Finance. It is the lead prudential supervisor for about 1,974 credit institutions including branches and subsidiaries of foreign banks operating in Germany. It is also the sole designated supervisory authority for AML/CFT for the financial sector of Germany. Financial institutions under its supervision are mainly banks, insurance companies, securities firms, financial and payments services providers including money transfer firms. BaFin conducts AML/CFT supervision of all institutions under its jurisdiction through its Department for the Prevention of Money Laundering (DPML). In contrast to the prudential supervision the Bundesbank has no ongoing role in AML/CFT supervision. BaFin can apply sanctions for noncompliance with the AML/CFT legislation as well as sector-specific laws.

B. Consolidated AML/CFT Supervision of Banks and International Cooperation

29. Consolidated supervision of FIs is conducted under the SSM-wide framework for prudential purposes and also for AML/CFT as part of governance and broader compliance assessment. BaFin, or the ECB in case of significant institutions, establishes prudential colleges of supervisors in cases where it is responsible for the consolidated supervision of a group of institutions, a financial holding group or a mixed financial holding group. The aim of establishing colleges of supervisors is to ensure adequate cooperation with the competent authorities in the EEA, including EBA, and with the competent authorities in non-EEA states. These colleges are not specifically mandated to address AML/CFT issues and no AML/CFT colleges have been set up to date. However, the EBA is currently discussing measures to enhance cooperation between EU-AML/CFT supervisors and, in particular, the establishment of AML/CFT colleges is one of those measures. Within the EEA, the home supervisor is in charge of supervision of the parent company, companies of the same group within the domestic areas as well as branches abroad. The host supervisor is in charge of supervision of a subsidiary abroad. Therefore, within colleges of supervisors, the consolidating supervisor is capable of taking on board information submitted or obtained from host supervisors. Within this framework, AML/CFT issues can be shared among home and host supervisors even though colleges mainly deal with other prudential issues. Under the German Banking Act, BaFin can cooperate with other competent authorities including with supervisors within the EEA, with regard to AML/CFT. For less significant banks not covered under the SSM, BaFin has to inform all members of a prudential college on an ongoing basis about the relevant measures taken as part of its supervisory activities, including AML/CFT. The college takes the scope and nature of the cross-border operations of a bank or banking group into consideration that could in principle address ML/TF risk and compliance issues. Nevertheless, within the context of the above mentioned EBA initiative, the majority of AML/CFT supervisors (including BaFin) preferred the establishment of specific AML/CFT colleges.

30. BaFin, Bundesbank and other competent EEA authorities can share banking information. This includes disclosure of a group’s legal and organizational structure, management of the banking group, and information on adverse developments that could critically impair any member of the group. They can also share information on any enforcement measures that BaFin has taken under the Banking Act. Since AML/CFT legal violations can be sanctioned under the Banking Act, sharing of information can include AML/CFT issues, though no specific formal arrangements are in place to ensure consistent implementation. BaFin is proposing an MOU with the ECB that would cover AML/CFT matters.

31. BaFin and Bundesbank have entered into information sharing arrangements with foreign supervising authorities outside the EEA on a bilateral and multilateral basis through memoranda of understanding (MOUs). So far around 96 MOUs have been signed, which allow for cooperation on financial crimes including ML/TF. Under the Banking Act, prudential colleges of supervisors are established for institutions with cross-border operations. When BaFin is the home supervisor, it acts as the consolidating supervisor in the college. If there are subsidiaries or significant branches of institutions within the EEA or in third countries, it will also take part as host supervisor in colleges. Prudential colleges comprise EEA supervisors and third country supervisors depending on the group structure. The home and host supervisors have to agree on their supervisory program according to the risk assessment of the group. As the AML/CFT supervisor for German banks, the risk assessment can include ML/TF risks. Host supervisors can receive the AML/CFT audit reports of banks. Supervisor to supervisor cooperation also takes place through formal meetings with foreign regulators and can include AML/CFT issues.

32. BaFin conducts general prudential inspections on banks domiciled outside Germany, which are included in the consolidation, but its powers to obtain information are sometimes limited and do not cover AML/CFT. These inspections in particular focus on prudential risk management as well as the accuracy of the data supplied for consolidation purposes. This also applies to subsidiaries domiciled outside Germany, which are not included in the consolidation. BaFin may require information or conduct audits of banks and subsidiaries with domestic and cross-border operations, as well as of financial or mixed financial holding companies. However, the power to obtain information does not cover AML/CFT and is limited to monitoring the accuracy of the information and returns sent to BaFin for prudential consolidated supervision purposes. Nevertheless, BaFin indicates that it can require banks to provide it with information for AML/CFT purposes as it relates to their foreign branches or subsidiaries, and that it can order audits to be performed abroad.

C. Risk-Based AML/CFT Supervision Framework for Banks

33. The centerpiece of the German AML legislation is the AML Act. This Act is generally applicable to all obliged entities as defined in the Act including the financial sector as well as DNFBPs. However, some provisions only apply to specific obliged parties. The AML Act includes provisions on customer due diligence, recordkeeping, policies and internal controls, suspicious transaction reporting, responsibilities of competent authorities and sanctions. Other financial sector laws and regulations contain additional AML/CFT provisions for specific sectors such as for banks and insurance companies. These additional provisions take into account the specific risk situations of the respective institutions and their business activities. As indicated above, BaFin is inter alia, the designated AML/CFT supervisor for all banks operating in Germany.

34. BaFin relies mainly on external auditors to assess banks’ compliance with AML/CFT requirements. The Audit Report Regulation defines the scope of AML/CFT obligations of auditors when conducting the annual or targeted audits on behalf of BaFin but BaFin can also set the scope of auditors’ inspections when necessary. Annual audit reports cover both prudential and AML/CFT issues and with respect to the latter focuses mainly on banks’ AML/CFT policies and systems, including domestic and overseas banking operations. The audit reports are sent to BaFin’s DPML for analysis, which focuses on legal compliance and deficiencies in policies and systems. In addition, BaFin can conduct onsite inspections on its own or through auditors. Spot checks can also be conducted on banks based on their ML/TF risk rating. Other “targeted” bank inspections can be carried out on specific AML/CFT issues. Under the Banking Act, BaFin is authorized to instruct individual banks with respect to the scope of the external auditors’ work if it considers that the statutory scope needs refocusing or amending in individual cases. BaFin has a broad range of tools to deal with shortcomings including issuing orders and instructions to banks and can sanction banks or responsible individuals for compliance violations. This can involve dismissal of managers, fines and license revocation. Notwithstanding the positive role played by external auditors in BaFin’s supervision of German banks, BaFin should play a more active role in AML/CFT supervision to complement auditors’ reviews particularly in areas identified by the FSAP mission where auditors have not adequately covered compliance with AML/CFT requirements and other areas of supervision such as minimum risk management requirements, i.e., with the MaRisk Circular.

35. The Auditors Report Regulation establishes the scope of the external auditors AML/CFT review. According to section 29 (2) of the Banking Act, auditors are required to conduct annual audits with respect to compliance with the AML Act and relevant sections of the Banking Act. The Auditors Report Regulation, in particular section 27 and Annex 5, regulates this obligation and requires the auditor to make explicit assessments with regard to all issues mentioned in the Annex 5. Under the Regulation, auditors are required to conduct annual audits with respect to compliance with the AML Act and relevant sections of the Banking Act. However, for credit institutions whose balance sheet total EUR 400 million or less, such audit need only be conducted every two years, unless the risk situation requires a shorter audit cycle. The auditor must assess whether the risk analysis conducted by a bank is consistent with the actual risk situation. The audit must also describe and assess the adequacy of the internal measures to prevent ML/TF and fraud, and take into account the banks’ risk analysis and internal audit results. In particular, the auditors should review:

  • a. Internal policies, adequacy of business and customer related controls to prevent ML/TF and fraud.

  • b. Functions, competencies, systems and resources of the AML officer and his/her deputy. In the case of institutions, which are not subsidiaries within the meaning of the Banking Act, this applies to their subsidiaries and their foreign branches and subsidiaries.

  • c. Staff awareness and training on ML/TF and fraud methods especially those that are tasked with executing transactions and with initiating and establishing business relations.

36. The auditor must also assess to what extent the institution has complied with customer due diligence requirements, especially the enhanced due diligence in cases of increased risk. In addition, the report must state whether the requirement to keep records, as well as the obligation to record and report suspicious cases internally, are met. The auditors must also report whether application of internal controls or customer due diligence has been contractually outsourced by the institution to a third person or another enterprise.

37. Under section 25l of the Banking Act, banks are required to apply group-wide AML/CFT controls. In the case of branches and subsidiaries, the auditor must describe and assess to what extent the bank has implemented AML/CFT control measures in a uniform, group-wide basis. Auditors shall also assess compliance with AML/CFT requirements in a foreign state where they are stricter than in Germany. If the AML/CFT control measures required in Germany are not permitted or cannot be applied in a third country, the auditor must also report and assess to what extent the institution has implemented appropriate measures. This is done in order to ensure that subsidiaries and branches do not establish or continue any business relations or process any transactions there, and that they terminate any existing business relations. Auditors can visit overseas branches and subsidiaries in the conduct of their AML/CFT audit, but there is no specific requirement in the Audit Report Regulation to do so. External auditors do conduct overseas AML/CFT reviews often jointly with their local audit offices.

38. Credit institutions must be assessed to determine to what extent they have complied with wire transfer requirements. The auditor must also report to what extent credit institutions have complied with their obligations pursuant to section 24c (1) of the Banking Act with respect to the recording of identification information in the account data retrieval system. In addition, the auditor must assess and report whether the enhanced CDD obligations in case of correspondent banking relationships are met and whether the risks resulting from those relationships are adequately addressed by the existing risk management and control measures.

39. BaFin has adopted a risk-based approach to AML/CFT supervision that is consistent with its approach to prudential supervision generally. Under this approach, the BaFin allocates the highest levels of AML/CFT supervisory attention to the banks exhibiting the highest levels of assessed ML/TF net risk as evidenced in particular by the information provided in the auditors’ reports. In order to assess the ML/TF net risk profile, financial institutions are first analyzed by the BaFin and rated (low, average or high) against five inherent risk criteria including: geographic location (high risk locations, including FATF country lists, media, or specific country events or information), scope of business (regional, national, international), products structure (high risk lines of business), customer structure (e.g., nonresidents, PEPs), and distribution structure (e.g., use of branches, brokers, e-banking). In essence, the inherent risks are quite similar to those contained in the FATF standard, which highlights: customers, products and services, geographic location and delivery channels. BaFin regularly informs (at least three times a year after FATF plenaries) financial institutions by circulars about updates of FATF’s public statement on countries with strategic deficiencies, and auditors also receive this information through their respective associations. They must take the circular into account for their audits.

40. The quality of banks’ AML/CFT measures and controls, as described in the audit reports, is assessed and rated by BaFin, based on several factors. These include the adequacy of internal controls, customer due diligence and compliance with other AML/CFT obligations. AML/CFT measures can be weighted differently e.g., the role of the Money Laundering Compliance Officer, transaction monitoring and understanding the customers’ business are assigned a higher weight in assessing net risk. The final net risk classification assigned by BaFin, which is based on an assessment of inherent ML/TF risk and quality of controls, range from 1A (low risk-high quality of controls) to 3D (high risk–low quality of controls). As a matter of supervisory policy, large significant banks are classified as high for ML/TF risk as well as those associated with specific. With regard to annual audits, BaFin does not have access to external auditors’ working papers, other than those related to special audits commissioned by BaFin, to directly verify the scope and depth of their AML/CFT audit review and reports.

41. BaFin’s prudential and AML/CFT supervisory strategy is broadly based on the risk ratings described above. These are:

  • a. Simplified basic supervision for low net risk entities.

  • b. Basic supervision for medium net risk entities.

  • c. Enhanced supervision for high net risk and significant entities.

42. BaFin’s assessment of ML/TF risk does not specifically include broader prudential elements. The DPML operates independently of prudential supervision but liaises with BaFin’s Prudential Supervisory Directorates to ensure they have an understanding of banks’ ML/FT net risk profile. This feeds directly into the prudential supervisors’ broader focus. According to the BaFin, prudential deficiencies could trigger an assessment by the DPML as to whether similar deficiencies exist in AML/CFT controls; but in general, prudential deficiencies do not have a direct effect on the analysis of the AML/CFT situation effectively implying two separate risk rating systems.

43. BaFin’s section in charge of AML/CFT supervision of banks (GW 2) has on average one supervisor responsible for up to 124 banks, which means each supervisor dedicating on average about 2-3 working days annually for each bank. BaFin’s DPML has a total of 110 staff, of which 40 are engaged in the data retrieval system. Only 13 staff are directly involved in ongoing AML/CFT supervision of credit institutions, which does not appear to be sufficient. The number of banks per full time DPML staff has declined from 150, in 2009, to 124, in 2016. For large systemically important banks the number of days dedicated by each supervisor may not be sufficient as these banks are classified as high risk. There are some 1,974 banks subject to its supervision. The section GW 2 is responsible for onsite and offsite activities and its supervisory activities mainly focus on the review of auditors’ reports. It can order special AML/CFT audits when necessary. Its staff can also accompany external auditors during their audits of banks and participate in about 25 onsite visits each year, including large banks. These statistics are consistent with the 2010 MER’s conclusions that Germany applies a “light” touch to AML/CFT supervision.

44. BaFin’s AML/CFT supervisory framework approach is mainly dependent on the work of the auditors including with respect to banks’ cross-border operations. The ability of the BaFin to effectively assess ML/TF risk exposures and the quality of bank ML/TF risk management and controls is mainly dependent on the quality of the content of auditors’ reports. Based on the 2010 MER, there was a wide variety in the scope and depth of analysis provided, especially with respect to the assessment of the CFT measures.

45. The number of onsite inspections in 2015 remained relatively the same as in previous periods. During 2015, all banks had external audits and there had been 33 targeted onsite visits in banks, 5 in branches of foreign banks and 20–25 audit accompaniments. Small sized institutions are also audited every year by external auditors; these reports are analyzed only once every 5–10 years as they are considered low risk. However, in these cases BaFin staff analyzes the Annex 5 list at least every two years and will also check the report if the list contains significant negative assessments. From 2012 through 2014, the number of AML/CFT reviews were 88, 26, and 28, respectively. The AML/CFT reviews of branches of foreign banks were 11, 64, and 8, respectively, for the same period. In addition, BaFin conducted the following targeted onsite examinations in banks focused on the account data retrieval system (section 24c of the Banking Act): 2011: 8; 2012: 10; 2013: 10; 2014: 1; 2015: 10). With respect to AML/CFT reviews of foreign branches and subsidiaries of German banks, BaFin carried out only three on-site AML/CFT inspections in 2014/2015, which is also insufficient.

46. Branches of financial institution domiciled in other EEA countries are not required by law to have annual audits and therefore do not provide external auditors’ reports to BaFin. To compensate BaFin applies supervisory measures to obtain information on their compliance with AML/CFT requirements. These measures include holding meetings with such branches on a rotating basis, supported by regular meetings with the foreign bank industry association at least annually. BaFin can also request that these branches provide it with the results of spot checks and internal audit reporting to the extent these cover AML/CFT requirements. In addition, BaFin can initiate targeted audits (described below) where there is reason to believe there are shortcomings, and receives information from the home EEA supervisors on a case-by-case basis.

47. Branches of German financial institutions operating abroad are included in consolidated prudential supervision and are subject to AML/CFT requirements (see section 25l of the Banking Act) and included in the annual external audits described above. Subsidiaries are also subject to this requirement even if not subject to consolidated supervision. The number of branches and subsidiaries of financial institutions outside Germany are not consolidated by BaFin but reported individually by banks.

48. The Audit Report Regulation and its Annex 5 requires auditors to review and rate compliance with AML/CFT measures and to take risk into account when reviewing the adequacy of control measures and obligations. Annex 5 of Audit Report Regulation requires auditors to review all the AML/CFT requirements set out in the AML Act and the AML/CFT provisions in the Banking Act. They require auditors to rate banks compliance with those requirements. BaFin regularly meets with external auditors to discuss AML/CFT issues and the quality of audit reports, particularly large and high risk rated banks, before, during and after audits. Part of the audit cycle planning involves an annual meeting with the association of auditors to share supervisory plans and expectations. Meetings with auditors with respect to small banks are conducted through auditor associations every two years. These arrangements with auditors should greatly facilitate BaFin’s own assessment of inherent ML/TF risk and better inform their risk-based supervisory strategy. When BaFin is not satisfied with the work of auditors, it can remove them using powers under the Banking Act. To date only a low number (3–4) of small audit firms have been disqualified from AML/CFT audits.

49. In the 2010 MER, Germany was rated largely compliant with former FATF Recommendations 22 and 23 regarding the application of AML/CFT measures in foreign branches and subsidiaries of German financial institutions, and AML/CFT supervision, respectively. With regards to Recommendation 22, scope limitations were cited and the following actions were recommended:

  • a. Introduce enforceable measures requiring all financial institutions to pay particular attention to branches and subsidiaries in countries that do not, or insufficiently, apply the FATF Recommendations.

  • b. Ensure that the provisions of section 25g (now section 25l)18 of the Banking Act apply to subsidiaries and branches located in EEA and EU states.

  • c. Ensure that uniform standards are applied in the three principal sectors (banking, insurance and investment firms).

  • d. Implement an enforceable obligation for banks and investment firms to inform German supervisory authorities immediately when a foreign branch or subsidiary (including those in EEA states) is unable to observe appropriate AML/CFT measures.

50. With respect to Recommendation 23 (and some elements of Recommendation 17 on sanctions), the MER highlighted that although branches of German financial institutions were included in consolidated supervision, subsidiaries were not covered.19 The main recommendations made to address the deficiencies identified in the MER with respect to supervision included:

  • a. Ensure that members of the (supervisory) Board of Directors are explicitly subject to appropriate administrative fines for failure to supervise managers responsible for compliance.

  • b. Introduce legal provisions that explicitly allow the BaFin to dismiss managers and members of (supervisory) Boards of Directors for AML/CFT violations.

  • c. Review the adequacy of the frequency with which the high-risk institutions are subject to on-site inspection by the BaFin and the consequential impact on resources.

  • d. Address the issue of guidance on audit report quality as a priority with the auditing organizations in the cooperative banking sector.

  • e. Ensure that Länder authorities are sufficiently aware of their AML/CFT supervisory responsibilities and apply sufficient resources to supervise insurance intermediaries.

51. Some measures have been taken to address the abovementioned supervisory deficiencies identified in the MER. With respect to Recommendation 22, the authorities indicated their intention to amend section 25l of the Banking Act to implement the fourth EU-Anti-Money Laundering Directive. In particular, it will address the need for also paying “special attention to branches/subsidiaries in EU or EEA states and the obligation to notify in case of implementation failures in EU or EEA states.” The authorities also stated that BaFin analyzed 2012 audit reports to review compliance with section 25g (now section 25l) of the Banking Act, which resulted in BaFin ordering sixteen financial institutions to be audited for AML/CFT. Under these orders, auditors were required to review and report on whether German financial institutions have specific problems with the application of AML/CFT control measures by their foreign branches and subsidiaries consistent with section 25l. Additionally the auditors were to review and report on the implementation of formal group-wide AML/CFT internal controls and programs.

52. The audit reviews above showed that some German financial institutions had practical and legal problems in implementing section 25l of the Banking Act. These stem from restrictions imposed by data protection rules in certain countries, difficulties in the identification of the beneficial owners and unsatisfactory documentation of controls. BaFin reports that access to information has improved since the MER but there are still some cases where access to bank files is barred in which case it tries to get information from host supervisors. Except in occasional circumstances, host supervisors are not (legally) required to share their ML/TF risk assessment systems and methodologies, the results of risk assessments and institutional risk profiles of banks operating in their jurisdictions. This is a significant limitation. BaFin states that in practice they regularly do so at least when it requests such information.

53. BaFin reports that since the MER it has paid special attention to the group-wide application of AML/CFT programs when evaluating the annual audit reports but that it has not identified major deficiencies. Notwithstanding, German banks in some cases still encounter restrictions with respect to group-wide information exchange due to strict data protection rules in some countries. To the extent that such restrictions still limit the parent bank from obtaining information on ML/TF risks, statistics, and data on unusual or suspicious activities, etc. the auditors and by extension BaFin may not in such cases be able to obtain timely and sufficient information to conduct individual and consolidated bank ML/TF risk assessments and institutional ML/TF risk profiles. This could limit its ability to formulate appropriate supervisory strategies and plans based on risk.

54. Measures have been taken to address Recommendation 23 deficiencies identified in the MER. The authorities indicated that the fit and proper requirement for supervisory boards of investment management companies is now regulated under section 18 (4) of the Investment Act and checks are executed by BaFin on a regular basis. The AML/CFT Audit Report Regulation was revised in June 2015 to reflect changes in the AML Act and the Banking Act implemented in recent years. This included minor amendments to Annex 5 of the Regulation.

55. BaFin’s risk-based approach that was in effect at the time of the last MER has been recalibrated to include certain elements such as changes to the weightings applied to risk assessment factors. In particular, the underlying basis for BaFin’s analysis and the rating of each institution’s ML/TF net risk has been broadened since the last MER and in particular for an institution’s risk regarding “Group-wide Compliance,” “Correspondent Banking Relationships,” and “Internal Controls” have been increased from a multiplier of 1 to 3 (the multipliers are 1, 3, 6). The risk-based approach also applies to consolidated AML/CFT supervision and in particular of financial institutions with cross-border operations (see Sections A and B above). This approach establishes ML/TF risk profiles based on the net risk assessment for each institution.

56. BaFin obtains general information on banks’ correspondent account relationships from audit reports but banks are not required to inform BaFin on the ML/TF risk situation in countries where the respondent banks are located, including in offshore centers. However, BaFin expects those risks to be integrated into the banks’ risk analysis, which is provided to BaFin. Recently, some German correspondent banks have been severing correspondent relationships with a large number of overseas respondent banks suggesting that they represent unacceptable levels of ML/TF and/or legal compliance risk. This phenomenon occurring in many other countries may be prompted partly by severe sanctions applied by foreign authorities to a number of correspondent banks.

57. With respect to cross-border supervision, BaFin can coordinate with foreign supervisors, from within the EEA and third countries, on AML/CFT issues under powers granted to it by the Banking Act. With respect to third countries, BaFin has cooperated inter alia, with competent authorities of the U.S., Singapore, and the U.K. For instance, a special audit was undertaken in 2015 on the group-wide application of AML/CFT measures in coordination with the U.K. supervision authorities. Another audit on compliance with AML/CFT obligations will be conducted in coordination with the Russian Federation authorities. In addition, BaFin engages with foreign regulators with respect to AML/CFT investigations and enforcement action taken against German subsidiaries operating abroad. When necessary, BaFin can participate on its own or with special audits to carry out targeted examinations to review group-wide deficiencies and compliance with AML/CFT obligations.

58. Whenever German banks are sanctioned abroad, foreign supervisors inform and provide BaFin with relevant information. This information is shared with the respective bank auditors and provides the basis for reviewing AML/CFT systems and controls of the affected institutions. A key BaFin concern is the possible impact of such sanctions on the safety and soundness of banks from a prudential point of view. So far, German authorities have not applied any sanctions on banks for non-compliance with national provisions in relation to sanctions applied against them in other countries. BaFin however has taken other supervisory measures such as requiring banks to report to BaFin on measures taken by the affected banks. No industry-wide review or action has reportedly been taken to address this issue suggesting a need for a more proactive supervisory response.

59. Since the MER, BaFin has increased the number of staff that participate in special audits. In recent years, some German banks have been heavily sanctioned by foreign supervisors for national AML/CFT violations.20 BaFin takes these cases into account as part of its ongoing AML/CFT supervisory activities but no specific supervisory action was reported by BaFin with respect to, e.g., conducting group-wide audit/inspection reviews and the application of specific supervisory measures to deal with deficiencies in banks’ cross-border operations. Nonetheless, BaFin states that if it discovers AML/CFT deficiencies and cases of non-compliance by overseas branches and subsidiaries of German banks, it can inform foreign supervisors to enable them to take appropriate action. BaFin can also take measures to address such deficiencies.

60. Recent violations and sanctions imposed on German banks in other countries raise issues about the adequacy of group-wide and cross-border ML/TF risk management and controls and their supervision, including the role of external auditors. The risk-based approach to AML/CFT supervision and the bank’s group-wide risk analysis described above should take ML/TF threats and risk management practices in foreign branches and subsidiaries more into account, regardless of section 25l sentence 5 of the Banking Act (which requires compliance with foreign AML/CFT provisions that go beyond German law), and regardless of whether the legal violations in third countries do not give rise to breaches of German or European law.

61. Information obtained by BaFin on suspicious transaction reports (STRs), in support of its risk-based supervision, is limited. BaFin states that it gets general information on compliance with the obligation to report suspicious transactions from audit reports and from the FIU and/or the Police. BaFin has been informed about concrete cases of non-compliance with the reporting requirement by banks from law enforcement agencies (LEAs) responsible for investigating the reported cases. In the past, it received STR information from some banks routinely but in 2016, BaFin informed banks to only report STR information to it if it related to significant or very serious suspected wrongdoing. STRs represent an important source of information to assess the effective implementation of AML/CFT policies and processes as well as banks’ monitoring and reporting systems. To enhance the use of STR related information, the relationship between the FIU and BaFin should be strengthened, e.g., through more frequent and formalized contact and sharing of information on the quantity and quality of STRs. BaFin meets with at least one of the regional police forces once a year or more to discuss STR and typologies issues while meetings held with other LEAs are ad hoc.

D. Conclusions and Recommendations

62. Notwithstanding the improvements in AML/CFT supervision, in recent years some banks have been subject to multi-million dollar sanctions by foreign authorities for violations with their national AML/CFT requirements and international sanctions obligations with respect to their overseas operations. Although this was not linked with general failures regarding correspondent-relationships, the increased sensitivity regarding ML/TF risks (and potential sanctions in cases of non-compliance with AML/CFT requirements), has resulted inter alia, in the closure of many correspondent accounts and a reassessment of institutional risk tolerance and country risk. BaFin has been closely engaged with the affected banks and foreign authorities on this matter.

63. The sanctions against German banks by foreign authorities indicate an urgent need to strengthen the supervision of banks’ global AML/CFT risk management practices, legal compliance in host countries, and the effectiveness of supervision by BaFin in this area. In this regard, a better understanding of these issues could assist in identifying areas for improvement in the supervision of banks’ foreign operations:

Institutional Issues

  • a. Need for enhanced group-wide risk management policies and controls at the parent level to identify, assess and mitigate ML/TF and related risks in overseas operations.

  • b. Insufficient updating of information on host country risks and applicable due diligence of host countries and foreign clients, including respondent banks. .

  • c. Limited flow of information from overseas branches and subsidiaries in specific countries on country and client risks, which would limit consolidated risk assessment at the head office level. Country level secrecy and confidentiality restrictions may contribute to this limitation in certain cases.

  • d. Need for enhanced group-wide compliance and internal audit functions at head office and country level.

  • e. Institutional culture that was less risk averse.

  • f. Absence of risk information at the country level to make proper risk assessments, such as the lack of a national risk assessment.

  • g. Insufficient supervisory resources and an apparent need to reassess work of auditors, including enhanced review of their working papers when appropriate.

Supervisory Issues

  • a. Absence of a national risk assessment (NR) in Germany that includes foreign/country sourced risks to support institutional and supervisory risk assessments, as well as AML/CFT audits. Germany is currently conducting an NRA.

  • b. Need to effectively monitor of auditors’ reviews with respect to ML/TF risk assessments for consistency with BaFin’s risk-based framework to AML/CFT supervision.

  • c. Limited supervisory information on risks faced by banks in their foreign operations. BaFin mainly relies on the assessments made by external auditors who take into account internal risk assessments of banks which may not sufficiently address cross-border risks. (See Institutional Issues above).

  • d. Unclear yet how, after the NRA is completed, how risk information will be fed into the AML/CFT audit review process on which BaFin relies significantly for AML/CFT supervision.

  • e. Insufficient AML/CFT supervisory staff in BaFin light of the proportion of entities per supervisor even though the ratio has decreased somewhat since 2009.

  • f. Fragmented prudential (ECB) and AML/CFT (BaFin) supervision for significant banks. While the current arrangements benefits significantly from interagency interaction, e.g., joint supervisory teams and information sharing arrangements, it may limit the synergies that derive when prudential and AML/CFT supervision/onsite inspections are conducted by the same supervisor, as occurs for smaller banks.

64. The enhancement of the risk based AML/CFT supervisory framework over banks with cross-border operations is recommended. Authorities are recommended to expedite their efforts to complete the NRA that includes an assessment of the risks that originate from foreign countries where German banks operate. The Audit Report Regulation that requires auditors to take risk into account and to comprehensively assess compliance with AML/CFT requirements should be closely monitored for effective implementation to ensure the comprehensiveness of the risk assessment and management by individual banks. Given BaFin’s main reliance on audit reports for its supervisory risk assessments, the review of the quality of audit reports is critical in this regard.

65. Banks’ group-wide risk management policies and controls at the parent level to identify, assess and mitigate ML/TF and related risks in overseas operations should be enhanced. Improvements are also warranted in banks’ compliance and corporate governance frameworks, consolidated risk assessment, internal audit functions. Any restrictions on the sharing of information within a banking group should be resolved to ensure comprehensive understanding of group-wide ML/TF risks.

66. BaFin’s approach to supervision of SIs is little changed since the creation of the SSM. Opportunities for enhancing supervisory synergies between the ECB’s prudential supervision and BaFin’s AML/CFT supervision of significant banks should be explored. These synergies may be particularly relevant in the context of joint onsite inspections. Additionally, information exchange between ECB and BaFin should be streamlined, enhanced and more explicitly formalized in line with the framework between BaFin’s prudential and AML/CFT supervisory departments/functions in the sharing and the exchange of AML/CFT related information. BaFin should also further explore how it can further benefit from ECB’s onsite supervision plans to conduct work associated with AML/CFT, including through external auditors, which would benefit both organizations (ECB/BaFin). This would also strengthen information sharing. BaFin’s AML/CFT supervisory staff should be increased due to the persistent high proportion of entities per supervisor.

Transparency of Legal Persons

67. This section reports on measures taken to enhance transparency of legal persons and in particular access to, and availability of, BO information of legal persons. It briefly describes the main types of legal persons existing in the Germany and summarizes the main findings of the 2010 MER. It then focuses on access to basic and BO information of the legal persons most common in Germany, and concludes with some recommendations.21

A. Background

68. The most common types of legal persons in the Germany are the limited liability company (Gesellschaft mit beschränkter Haftung hereinafter GmbH) and the AG. The GmbH includes a sub-category, namely the business company with limited liability that only requires a minimum share capital of one euro. AGs include both listed and unlisted corporations. There are (based on non-official estimates) about 1.15 million GmbHs and more than 15,000 AGs (about 530 listed on stock exchanges) operating in Germany.

69. The MER found that Germany did not have sufficient measures to prevent the misuse of legal persons for ML and TF purposes. In particular, it noted that: (i) there were no mechanisms in place to ensure timely access to information on the control and beneficial owners of legal persons other than the mechanisms available for publicly listed AGs; and (ii) there was no transparency over non-publicly listed corporations that issue bearer shares, and over private foundations.

B. Mechanisms for Transparency of the GmbH and AG

70. There are three ways for the authorities to obtain BO information. The first is by accessing information collected by reporting entities, which is facilitated in the case of banks by the existence of the data retrieval system established pursuant to section 24C of the Banking Act; the second is by requesting information from the legal person itself on the basis of courts orders; and the third is consulting company registers.

Access to BO information collected by banks through the Data Retrieval System

71. Germany’s data retrieval system is a useful tool that greatly facilitates access by competent authorities to some basic and BO information held by banks. It is an online information system housed in an interface within BaFin and the central tax authorities. It is populated by credit institutions on the basis of the client’s information they gather, including the BO information. The information available in the data retrieval system includes: the account number, opening and closing dates, account holders and authorized person’s names and birthdates and the beneficial owner’s name and (if known) address. The information can be accessed by competent authorities22 without alerting the relevant banks or their customers. The competent authorities have real time access to bank account information (i.e., the information is provided with a couple of hours).

72. Information from the data retrieval system cannot be used as evidence. Competent authorities can however use this information as a basis to gather further evidence either by compelling the bank or by accessing the information directly from the legal person or the registers. Competent authorities can also compel non-banks and DNFBPs to provide BO information.

73. The authorities make frequent use of the data retrieval system. The following are the number of times the data retrieval system has been accessed by the Financial Intelligence Unit (FIU), the Federal Police, and other police agencies. The FIU and law enforcement the mission met found the data retrieval system a useful tool in identifying beneficial owners (see Table 1).

Table 2.

Data Retrieval System—Access to Information by Competent Authorities

article image

74. The current data retrieval system is populated with information from banks23 only. There is no similar mechanism that would facilitate access to information collected by non-bank financial institutions and DNFBPs. According to the authorities, this does not prevent them from obtaining BO ownership information. Pursuant to the AML Act, all financial institutions and DNFBPs enumerated in the Act are obliged to obtain BO information and to keep records on all BO information gathered. The records may be stored on an image recording or other data storage medium, and the stored data must be made readable when required. In addition, according to the authorities, most natural and legal person in Germany are likely to need a bank account in Germany, and, as a result, are likely to be part of a bank’s customer due diligence process during which the beneficial owner is identified and the information verified. Therefore, in practice, the data retrieval system is, according to the authorities, likely to have comprehensive coverage. Considering the utility of the current data retrieval system, a similar mechanism populated by reporting entities other than credit institutions would nevertheless prove helpful.

Access to BO Information held by Legal Persons and Registers

75. Registration is a required step for GmbH, the AG to acquire legal personality and registration information is publicly available. The same applies to associations and cooperatives. Public foundations are created by or on the basis of statutes while private foundation on the basis of founding documentation and the recognition by the relevant supervising authorities, generally the Federal state authorities (Länderbehörden).

76. Basic information obtained and made available to the public by legal persons differs. For GmbH, the publication information includes the company's name, domicile, business purpose, amount of share capital, date of execution of its articles of association, identity of its managing directors, including their signing authorities and a domestic business address. Regarding the list of shareholders, the GmbHs are required to submit a list of shareholders to the registry and to keep it updated throughout the company’s life cycle. Directors of GmbHs and notaries have a duty to submit updated lists to registry and are subject to a coercive fine. The AG is regulated by the Stock Corporation Act that includes its basic regulation powers. If publicly listed, the AGs are regulated by the Securities Trading Act and the Securities Acquisition and Takeover Act. The notarized articles of association of the AGs has the name, registered office, objects and its registered capital. All listed AGs are required to disclose publicly all enterprises which hold more than one fourth of the shares of that AG (section 20 of the German Stock Corporation Act). Listed AGs are required to fulfill transparency requirements set out in the Securities Trading Act which apply to changes in 3, 5, 10, 15, 20, 25, 30, 50, or 75 percent of shares.

77. An AG that issues registered shares is required to keep a share-register within the company with shareholders being required to provide accurate information. The share register is not publicly available but competent authorities may access such information by the necessary search or administrative orders. Shareholders may be requested by the company to provide BO information and non-disclosure of this information can lead to the shareholder’s voting rights being precluded but this BO information is not publicly available. Only listed shareholders are legally recognized and entitled to vote—a self-enforcing mechanism to ensuring updating of list of shareholders. Details of initial shareholders are provided upon application for registration and the share register contains their name, date of birth and place of residence of shareholders as well as quantity or share numbers and nominal value of shares, where applicable.

78. Competent authorities can also access available BO information in company registers;24 however, legal persons are not required to obtain BO information. Where a legal person’s structure involves several levels of legal persons, competent authorities can access and trace ultimate beneficial owner of the legal persons if the shareholder is an entity registered in the company registers. If the shareholder is legal person registered abroad and the BO information is not available in the data retrieval system, BO information will need to be obtained from abroad through international cooperation. Foreign requests for BO information in both mechanisms would be channeled through the appropriate domestic competent authority, i.e., BaFin, the central tax authority or the Ministry of Justice, unless the information is available in public registers (i.e. the commercial and business registers).

Timeliness of Access

79. Information in the data retrieval system and registers is made available in a timely manner. According to the authorities, information in the data retrieval system is made available within two or three hours. Information in company registers is publicly available online25 and can be downloaded without delay. Basic and BO information collected by reporting entities other than banks are not accessible within similarly short timeframes.

C. Conclusions and Recommendations

80. BO information is readily accessible though some weaknesses remain. BO information collected by credit institutions is available in the data retrieval system in a timely manner. When available, basic information can also be requested from legal persons, and retrieved from the company registers. Neither method is, however, sufficient to ensure adequate transparency in all cases. Information collected by reporting entities other than banks may be difficult to obtain in practice. While information may be obtained from the legal persons themselves, the latter are not specifically required to collect information on their beneficial owners. Finally, while readily available, information in the company registries does not necessarily include BO information in all instances.

81. It is recommended that Germany ensures greater access to BO information. Germany is notably encouraged to require legal persons to obtain and maintain information on their beneficial owners, and to ensure that competent authorities have timely access to that information. Germany’s plan to implement the fourth Directive by setting up a new register which will include information on beneficial owners who are not yet registered on existing registers should also prove useful.


The FATF Recommendations transparency requirements covers legal persons and legal arrangements; however only legal persons are covered in this note.


This Technical Note was prepared by Cecilia Marian and Gustavo Manual Vasquez, both Legal Department.


$45.57–68.36 billion as at April 4, 2016.


The mission met with officials from the Ministry of Finance, BAFIN, Ministry of Justice, the Financial Intelligence Unit and representatives from the private sector.


FATF: “3rd Follow-Up Report, Mutual Evaluation of Germany—June 27, 2014


Directive (EU) 2015/849 of the European Parliament and of the Council of May 20, 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC—Official Journal of the European Union (L 141/73).


The ML offense includes commission of the physical elements of conversion, transfer, disguising, concealing and acquisition of the proceeds of crime. In this regard paragraphs 138 and 139 of the MER sets out the coverage of the physical elements in the CC.


Expert legal report by University Professor Dr. Christian Schroder at Martin Luther University Halle-Wittenberg, holder of a Chair for Criminal and Procedure Laws, Head Capital Market Criminal Law Unit (report commissioned by the Ministry of Justice).


The author presumes a narrow definition of self-laundering i.e., where self-laundering does not mean money laundering in which third parties are also active (page 11, paragraph 19).


The focus on tax crimes is based on the fact that the FATF 2012 Recommendations introduced a new requirement on countries to ensure that tax crimes are predicate offenses to ML.


Section 261 (1) sentence 2 of the CC.


Section 373 of the Fiscal Code—Abgabenordnung.


Section 370 of the Fiscal Code.


Sec. 374 para 2 Fiscal Code.


The tax evasion offense under section 370 of the Fiscal Code covers a range of direct and indirect taxes including the following: income tax; inheritance tax; gift tax; withholding tax; beer tax; liquor tax; energy tax; business tax; real estate transfer tax; land tax; coffee tax; capital gains tax; motor vehicle tax; race betting tax; lottery tax; sparkling wine tax; import turnover tax; alcopops tax; VAT; corporation tax; beverage tax; aviation tax; insurance tax; second home tax; tobacco tax; duties; casino tax; withholding tax.


By a member of a gang” is the literal translation of the criteria “von einem Mitglied einer Bande,” which is mentioned in section 261 and several other sections of the German CC. In this context, it refers to a group of persons formed for the purpose of committing a number of autonomous and as yet unspecified acts of ML.


(Federal Court of Justice, Neue Zeitschrift für Strafrecht 1995, pp. 85; Federal Court of Justice, Neue Juristische Wochenschrift 1996, pp. 1069).


Section 25l now requires credit institutions to develop and implement group-wide compliance measures in particular in relation to due diligence and record keeping requirements and internal safeguards over their subordinated undertakings and branches. The senior managers shall be responsible for implementing this. Where measures to be implemented are not permissible or actually feasible in a non-EEA state in which the undertaking is domiciled, the superordinated undertaking or the parent undertaking must ensure that business relationships are not established or maintained n or should transactions be conducted in this non-EEA state. If a business relationship already exists, this relationship must be terminated.


2010, MER, para. 823, pp. 196.


AML/CFT sanctions imposed by U.S., South African, and United Arab Emirates regulators on some German banks’ foreign branches for failure to comply with their national AML/CFT requirements.


Limited liability companies, stock corporations, associations, foundations and cooperatives exist in Germany. At the time of the FSAP, the authorities could not establish if any particular type of legal person or arrangement is more vulnerable to ML and TF; however, given that GmbHs and the AGs are the most significant type (in terms number) of legal person or arrangement operating in Germany, they would appear to be most vulnerable to abuse. This discussion does not seek to assess Germany against the relevant standards (FATF Recommendations 24 and 25) in their entirety, but to discuss only the situation with respect to the main corporate structures used.


Competent authorities include supervisory agencies, authorities or courts responsible for providing international judicial assistance in criminal cases, and authorities responsible for the prosecution and punishment of criminal offenses.


Banks referred to as credit institutions in the German Banking Act include deposit business, credit business, discount business, the purchase and sale of financial instruments (which includes foreign exchange, money market, derivatives) in the credit institution’s own name for the account of others, safe custody business.


These include common register portal of the German federal states, the German Company Register or the Bundesanzeiger (Federal Gazette).