Published: 27.01.2021 | Topic: Anti-money laundering

Anti-money laundering guidelines for institutions conducting crypto custody business that are newly obliged entities under the German Money Laundering Act (Geldwäschegesetz – GwG)

Anti-money laundering guidelines for institutions conducting crypto custody business

1. Preliminary remarks

The entry into force of the German Act Implementing the Amending Directive on the Fourth EU Anti-Money Laundering Directive (Gesetz zur Umsetzung der Änderungsrichtlinie zur Vierten EU-Geldwäscherichtlinie) (Federal Law Gazette I of 19 December 2019, p. 2602) on 1 January 2020 has incorporated crypto custody business into the German Banking Act (Kreditwesengesetz – KWG) as a new financial service subject to the authorisation requirement. Undertakings conducting crypto custody business within the meaning of section 1 (1a) sentence 2 no. 6 of the KWG in Germany require prior written authorisation from BaFin under section 32 (1) of the KWG. Undertakings that were authorised to provide such services on the effective date are deemed to have provisionally received relevant authorisation under the conditions of the transitional provision of section 64y of the KWG.

For further information on this subject, we refer in particular to the following BaFin publications:

- Guidance notice – guidelines concerning the statutory definition of crypto custody business
- Guidance on interpreting section 64y of the KWG
- Guidelines on applications for authorisation for crypto custody business

Now that crypto custody business has been added to the list of financial services, institutions that conduct such business have been added to the group of obliged entities under the GwG.

The following guidelines are designed to provide newly obliged entities with an initial point of reference regarding their obligations under the GwG. Without claiming to be exhaustive, they are simply meant to raise awareness of individual relevant topics and provide answers to frequently asked questions in advance.

For more information, please refer to the applicable Interpretation and Application Guidance in relation to the German Money Laundering Act published by BaFin, the First National Risk Assessment 2018/2019 (Erste Nationale Risikoanalyse 2018/2019 (NRA) – only available in German), the Subnational Risk Analysis 2019/2020 (Subnationale Risikoanalyse 2019/2020 (SRA 2.0) – only available in German), the guidelines issued by the European Banking Authority (EBA) and the publications of the Financial Action Task Force (FATF).

2. Obliged entities under the GwG

The GwG obliges economic agents operating in Germany to play an active part in preventing money laundering and terrorist financing. The persons and undertakings obliged to cooperate are referred to as obliged entities in section 2 (1) of the GwG. As financial services institutions, institutions that conduct crypto custody business are obliged entities within the meaning of section 2 (1) no. 2 of the GwG.

Those undertakings that are subject to the notional permission under section 64y of the KWG are deemed obliged entities under section 2 (1) no. 2 of the GwG as of 1 January 2020. It does not matter in this respect when the notification of intent is submitted or which stage of the authorisation procedure has been reached. In contrast, institutions that are not subject to the transitional provisions of section 64y of the KWG are only deemed obliged entities under anti-money laundering law once they have been granted authorisation.

3. Three pillars of money laundering prevention

The GwG comprises three key pillars for safeguarding the functioning of money laundering prevention in Germany: risk management, customer due diligence and suspicious transaction reporting. A central theme of money laundering prevention is a risk-based approach: not all undertakings require the same risk provisioning to protect themselves against money laundering and terrorist financing. The statutory requirements therefore vary depending on the respective risks.

a. Risk management

In accordance with section 4 of the GwG, obliged entities must have an effective risk management system in place that encompasses a risk analysis under section 5 of the GwG and internal controls and safeguards under section 6 of the GwG. A risk management system is effective if it incorporates all the obliged entity’s business activities, transparently taking into account the resulting individual risks, and if the internal safeguards thus derived are deemed adequate in respect of these risks.

Institutions that conduct crypto custody business must thus conduct a risk analysis to determine and assess the risks of money laundering and terrorist financing for their business. The risk analysis must take due account of the risk factors specified in Annex 1 and Annex 2 to the GwG. Due to the novel nature and complexity of the underlying technologies and the different degrees of anonymisation potential involved in crypto assets, the product risks are likely to take on particular significance. The risk analysis must be clearly documented and regularly reviewed to determine whether updates are necessary.

On the basis of their risk analysis, obliged entities must implement risk-adequate internal controls and safeguards pursuant to section 6 of the GwG. In addition to developing internal principles, procedures and controls (section 6 (2) no. 1 of the GwG) and carrying out reliability screening of employees (no. 5) and employee training (no. 6), this particularly includes appointing a money laundering officer and a deputy under section 7 of the GwG to be responsible for compliance with the provisions under anti-money laundering and counter terrorist financing law.

BaFin must be notified in advance of the appointment or dismissal of the money laundering officer and the deputy. The form provided on the BaFin website can be used for this purpose. Under section 7 (5) sentence 1 of the GwG, the money laundering officer must carry out their function in Germany. Under the Interpretation and Application Guidance in relation to the German Money Laundering Act, only those obliged entities that employ fewer than 15 full-time equivalents may appoint members of the executive level to be the money laundering officer or the deputy.

Section 6 (7) of the GwG provides an option for obliged entities to outsource internal controls and safeguards on the condition that they notify BaFin of this in advance, demonstrating that the criteria for prohibiting the engagement under section 6 (7) sentence 2 of the GwG are not fulfilled. If the function of the money laundering officer is outsourced, there must be a contact person within the company who is available to answer questions in connection with the outsourced function.

b. Customer due diligence

Section 10 (1) of the GwG defines the general due diligence requirements. These mainly include the following:

- identifying the contracting party and, where applicable, the person acting on their behalf (no. 1),

- clarifying whether the contracting party is acting on behalf of a beneficial owner and, if so, identifying the beneficial owner (no. 2),

- obtaining and evaluating information on the purpose and intended nature of the business relationship (no. 3),

- establishing whether the contracting party or the beneficial owner is a politically exposed person (“PEP”) (no. 4) and

- continuously monitoring the business relationship and updating the relevant documents, data and information (no. 5).

The obliged entities must fulfil these general due diligence requirements in accordance with section 10 (3) no. 1 of the GwG when establishing a business relationship. Section 10 (2) of the GwG stipulates that the specific extent of the measures taken under section 10 (1) nos. 2 to 5 of the GwG must be in accordance with the respective risk. In a likewise risk-oriented manner, it must be decided whether simplified due diligence requirements in accordance with section 14 of the GwG or enhanced due diligence requirements in accordance with section 15 of the GwG are to be fulfilled. If obliged entities are unable to fulfil their general due diligence requirements, they must also consider the legal consequences under section 10 (9) of the GwG (refrain from executing a relevant transaction or terminate a business relationship).

The procedure of identifying the contracting party is set out in detail in sections 11 to 13 of the GwG. With regard to the options of video identification procedures, please refer to BaFin Circular 3/2017 (GW).

Section 17 (1) to (4) of the GwG permits obliged entities to engage certain third parties to fulfil the general due diligence requirements under section 10 (1) nos. 1 to 4 of the GwG, also without a separate contractual basis. The responsibility for fulfilling the general due diligence requirements remains with the obliged entity, however.

In addition to these third parties, section 17 (5) to (9) of the GwG also allows the general due diligence requirements to be fulfilled by other suitable persons and companies. A delegation of this nature requires a contractual agreement. Such persons and companies may also be domiciled abroad (though not in high-risk third countries), but they must still fulfil the due diligence requirements in accordance with the applicable German legislation.

Unlike the outsourcing of internal controls and safeguards pursuant to section 6 (7) of the GwG (see above), the forms of outsourcing or delegation specified in section 17 of the GwG are not subject to notification requirements.

c. Suspicious transaction reporting

The reporting of suspicious matters pursuant to section 43 of the GwG is one of the main requirements under the GwG.

Suspicious transaction reports must be addressed to the Financial Intelligence Unit (FIU); obliged entities must register with the FIU in accordance with section 45 (1) sentence 2 of the GwG. It is mandatory to be registered with the FIU in order to file a suspicious transaction report. A registration requirement under section 59 (6) of the GwG irrespective of any suspicion will become applicable when the new information network of the FIU starts operating, but at the latest as from 1 January 2024. Reports must be submitted electronically in accordance with section 45 (1) sentence 1. The FIU has set up the “goAML Web” reporting portal for this purpose. For more information on the registration process and the reporting channel, please refer to the publications of the FIU.

Indications that a report must be filed under section 43 of the GwG, as well as guidance notes for the upstream assessment of the obliged entities to determine on a case-by-case basis whether matters are subject to the reporting requirement, are set out in the typology papers provided by the FIU and made available to obliged entities in the internal section of the FIU website – for each of the areas “anti-money laundering” and “terrorist financing”.

Under section 8 (1) sentence 1 no. 4 of the GwG, the obliged entity must record the reasons and a clear justification of the results of the assessment of matters regarding the reporting obligation under section 43 (1) of the GwG. In addition, these documents must be retained in accordance with section 8 (1) sentence 1 no. 4 of the GwG.
