AML/CFT Compliance in Germany: BaFin, GwG, and the 2026 Regulatory Landscape

RegMantle Editorial · 16 April 2026 · 14 min read

Germany's AML/CFT regime sits at a turning point. The Federal Financial Supervisory Authority (BaFin) has spent 2025 imposing record fines while preparing institutions for the EU's Anti-Money Laundering Authority (AMLA), now operational in Frankfurt. The €45 million penalty against J.P. Morgan SE in November 2025 set a new high-water mark for the consequences of late suspicious activity reports. For any institution licensed in Germany, or considering it, the rulebook has become tighter, more codified, and more actively enforced than at any point since the GwG was first enacted.

Key Facts at a Glance

Primary regulator: BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht)
Primary AML law: Geldwäschegesetz (GwG) - Money Laundering Act
Banking law: Kreditwesengesetz (KWG) - Banking Act
Criminal offence: Section 261 StGB (Criminal Code)
FIU: FIU Germany at the Customs Investigation Bureau (goAML platform)
EU supervisor: AMLA (operational July 2025, direct supervision from 2026, HQ Frankfurt)
Current guidance: BaFin AuA (effective 1 February 2025)
Coming legislation: EU AMLR (2024/1624) applies 10 July 2027

The Regulatory Landscape

Germany's AML/CFT framework is layered. At its core sits the Geldwäschegesetz (GwG), the federal Money Laundering Act, which transposes successive EU directives and codifies obligations for some sixty categories of obliged entity, from credit institutions to crypto-asset service providers, lawyers, real estate agents, and high-value goods traders. Banking-specific AML requirements are reinforced through the Kreditwesengesetz (KWG), particularly Section 24c, which compels credit institutions to maintain a centralised account data filing system accessible to BaFin and the Financial Intelligence Unit. The criminal limb sits in Section 261 of the Criminal Code (StGB), which, since the 2021 reform, has abandoned the predicate offence concept and now treats proceeds of any criminal activity as potentially within scope.

Above this national architecture, the European framework has been substantially rebuilt. The Sixth Anti-Money Laundering Directive (EU) 2024/1640 is in force, the EU Anti-Money Laundering Regulation (AMLR) (EU) 2024/1624 will apply directly from 10 July 2027, and the revised Transfer of Funds Regulation (EU) 2023/1113 has applied since 30 December 2024. The new EU Anti-Money Laundering Authority, AMLA, took up operations in Frankfurt on 1 July 2025 and will assume direct supervision over selected cross-border financial institutions from 2026. For German firms this means two parallel supervisors during the transition period, with BaFin remaining the day-to-day authority for most institutions.

Domestically, Germany established the Federal Office for Combating Financial Crime (Bundesamt zur Bekämpfung von Finanzkriminalität, or BBF) in 2024, designed to consolidate anti-money laundering supervision, sanctions enforcement, and the FIU under a single federal roof. The BBF is being built out gradually, but its existence signals a shift away from the fragmented federal-state structure that international evaluators, including the FATF, repeatedly criticised in past mutual evaluations.

BaFin's Updated AuA Guidance

On 29 November 2024, BaFin published its revised Auslegungs- und Anwendungshinweise (AuA), the Interpretation and Application Guidance issued under Section 51(8) GwG. The new version took effect on 1 February 2025 and pulls forward many requirements that the EU AMLR will eventually impose, giving institutions a head start but also tightening expectations immediately.

Three changes deserve particular attention. First, BaFin introduced new maximum periods for the rolling review of KYC files under Section 10(1)(5) GwG, anticipating the cycles set out in Article 26 of the AMLR. Institutions that have historically reviewed standard-risk files only every five or seven years will need to compress those cycles considerably. Second, under Section 12(2) GwG, BaFin clarified expectations for the age of corporate verification documents - the consultation draft proposed a four-week maximum, which proved controversial; the final version permits longer periods where justified by the risk profile, but the direction of travel is clear. Third, the Joint Guidance issued with the FIU clarifies that suspicious activity reports under Section 43(1) GwG must reach the FIU on the same working day or, at the latest, the next working day, unless additional time is genuinely required to compile background. The "duty to stand still" under Section 46(1) GwG continues to apply: a transaction subject to a SAR may be executed only if the FIU or the public prosecutor consents, or if three working days pass without a prohibition.

Customer Due Diligence and KYC

German CDD obligations follow the familiar EU template but with several national specificities. Identification of natural persons under Section 11 GwG requires verified data on full name, place and date of birth, nationality, and a residential address, captured before the establishment of any business relationship. For legal entities, verification typically rests on commercial register excerpts (Handelsregister), articles of association, and beneficial ownership records held in the Transparency Register (Transparenzregister), which has been mandatory since 2017 and ceased to be a "fallback" register in 2021.

Beneficial ownership thresholds follow the 25% standard. Where no natural person can be identified above that threshold, the senior managing official is recorded as the "notional" beneficial owner (fiktiv wirtschaftlich Berechtigter) - BaFin's 2024 consultation draft proposed identifying all such notional owners but, after industry pushback, the final AuA retained the rule of identifying only one. PEP screening is required for clients, beneficial owners, and counterparties; market practice is to rely on commercial PEP databases, which BaFin accepts provided data quality and screening logic can be evidenced. Enhanced Due Diligence under Section 15 GwG continues for at least 12 months after a PEP ceases to hold the relevant function, and longer where residual risk persists.

Simplified Due Diligence under Section 14 GwG remains available for genuinely low-risk relationships, but the burden of demonstrating that classification rests on the obliged entity. A general allergy among German supervisors to over-broad SDD categorisation has only intensified post-Wirecard.

Sanctions Screening and the Foreign Trade Regime

Sanctions implementation in Germany rests on EU regulations directly applicable in Member States, supplemented by the Außenwirtschaftsgesetz (AWG) and Außenwirtschaftsverordnung (AWV) - the Foreign Trade and Payments Act and its implementing ordinance. Enforcement responsibility is split: the Federal Office for Economic Affairs and Export Control (BAFA) handles export licensing and dual-use goods, while the new Central Office for Sanctions Enforcement (Zentralstelle für Sanktionsdurchsetzung, ZfS), established in 2022, coordinates asset-tracing in the financial sector. Germany missed the April 2025 deadline for transposition of the EU Sanctions Crime Directive, but the substantive conduct is largely already criminalised under the AWG; the directive will, when transposed, add a specific offence of grossly negligent breach of the Dual-Use Regulation.

For obliged entities, this means real-time screening against the EU Consolidated Financial Sanctions List, the UN Consolidated List, and any national designations, with name screening on every onboarding and ongoing transaction monitoring against the same lists. Russia-related sanctions remain the dominant operational concern: in 2025 prosecutors conducted multiple raids in connection with suspected sanctions evasion, and BaFin signalled that audits of sanctions controls would intensify into 2026.

SAR/STR Reporting

Suspicious Activity Reports must be filed via goAML, the FIU's electronic reporting platform. The new Money Laundering Reporting Ordinance, which takes effect on 1 March 2026, codifies formal and substantive minimum standards for SARs and Suspicious Transactions and Order Reports (STORs), including content requirements, structural fields, and timeliness expectations. Deficient filings will themselves become a basis for administrative fines, and in serious cases, criminal exposure for individuals.

The timeliness standard sits at the centre of recent enforcement. Under Section 43(1) GwG and the Joint Guidance, "without undue delay" means same-day or next-working-day filing in most cases. The €45 million J.P. Morgan SE fine in November 2025 was levied precisely because the bank had, between October 2021 and September 2022, "systemically" failed to meet that standard. BaFin made clear that lateness is not a procedural footnote but a substantive breach, and that organisational failures producing systematic delays will be treated as more serious than isolated incidents.

⚠ Practical Note

The "duty to stand still" under Section 46(1) GwG is widely misunderstood. A transaction subject to a SAR may be executed only after the FIU or prosecutor consents, or after three working days have elapsed without prohibition. Executing earlier exposes the institution and individual decision-makers to administrative and criminal liability.

Risk-Based Approach

Sections 4 to 6 GwG require obliged entities to implement a risk management system proportionate to their nature and size, anchored in a documented institution-wide risk assessment. The 2025 AuA formalised the requirement to maintain separate risk analyses for money laundering and for terrorist financing, reflecting BaFin's view that the underlying typologies, customer indicators, and red flags differ materially.

BaFin's "Risks in Focus 2026" publication identifies inadequate AML/CFT prevention as one of six core supervisory priorities for the coming three-year horizon. Expect intensified inspections, with particular attention to payment institutions, e-money institutions, and crypto-asset service providers, all of which were singled out as elevated-risk sectors in the 2025 enforcement cycle.

Crypto-Assets: MiCAR, KMAG, and the New §15a GwG

Germany's crypto-asset framework was rebuilt in late 2024 and early 2025 around the EU's Markets in Crypto-Assets Regulation (MiCAR). The domestic implementing legislation, the Kryptomärkte-Aufsichtsgesetz (KMAG), gives BaFin enhanced supervisory powers, including the authority to publish public warnings about non-compliant firms. The Finanzmarktdigitalisierungsgesetz (FinmadiG) brought CASPs into the GwG's catalogue of obliged entities under Section 2.

A new Section 15a GwG, effective 2025, addresses transfers to and from unhosted (self-custodied) wallets, requiring obliged entities to assess the elevated money-laundering risk such transfers can present and apply risk-mitigating measures. In practice, BaFin expects CASPs to deploy blockchain analytics, document risk assessments, and impose additional verification or limits where wallet provenance cannot be established. The grace period for unlicensed crypto operators ended on 31 December 2025; from 1 January 2026, any exchange offering services in Germany without BaFin authorisation operates illegally.

Recent Enforcement

The 2024-2025 enforcement record demonstrates BaFin's willingness to use the full range of penalties available under the GwG, including turnover-based calculations that produce eight-figure fines for systemic failures.

Date | Institution | Penalty | Basis
Nov 2025 | J.P. Morgan SE | €45.0m | Systemic failure to file STRs without undue delay (Oct 2021 - Sep 2022)
Feb 2025 | Deutsche Bank | €23.05m | Organisational and governance breaches, fragmented investigations
May 2024 | N26 Bank | €9.2m | Delayed flagging of suspicious payments
Mar 2024 | Solaris SE | €6.5m | Systematic late filing of SARs
2023 | Sofort GmbH | €150k | Inadequate ongoing monitoring and identification controls

Beyond the headline fines, BaFin imposed numerous smaller penalties across the sector for record-keeping and reporting failures, intensified inspections of payment institutions and CASPs, and continued to use its "name-and-warn" power under KMAG to publish warnings about suspected MiCAR violations. The pattern is unmistakable: AML deficiencies are no longer treated as discrete operational matters but as failures of governance and operational resilience, attracting penalties calibrated to institutional turnover rather than the cost of remediation.

Practical Compliance Checklist for German Institutions

Minimum Documentation Set Under the 2025 AuA

  1. Institution-wide risk assessment under Section 5 GwG, with separate ML and TF analyses, refreshed annually and on material change.
  2. Internal safeguards manual under Section 6 GwG, covering customer due diligence, ongoing monitoring, sanctions screening, training, and reporting.
  3. Written CDD procedures aligned with the 2025 AuA, including KYC review cycles consistent with Article 26 AMLR.
  4. Sanctions screening policy covering EU, UN, and national lists with documented matching logic and false-positive review procedure.
  5. SAR/STR procedures referencing Section 43 GwG, the goAML platform, the same-day/next-working-day standard, and the Section 46 standstill.
  6. PEP identification and EDD procedure including the 12-month post-departure continuation requirement.
  7. Designated AML Officer and deputy notified to BaFin under Section 7 GwG.
  8. Staff training programme under Section 6(2) No 6 GwG, with documented annual refresher cycles.
  9. For CASPs: documented Section 15a procedures for unhosted wallet transfers and blockchain analytics deployment evidence.
  10. Outsourcing register and oversight framework consistent with Section 6(7) GwG and DORA where applicable.

Common Pitfalls

Three patterns dominate recent enforcement files. The first is SAR latency: institutions that have built escalation processes around weekly compliance committees rather than daily filing capacity find themselves systemically late. BaFin's view, evident in the J.P. Morgan and Solaris cases, is that "without undue delay" is a real-time standard, not a weekly one.

The second is fragmented governance: where AML investigations sit across multiple business lines, multiple geographies, or multiple legal entities, BaFin treats the resulting coordination failures as substantive breaches in their own right. The Deutsche Bank fine turned in significant part on the regulator's view that disorganisation is itself a compliance offence.

The third is over-reliance on commercial screening tools without documented rationale. BaFin accepts the use of third-party PEP and sanctions databases but expects the obliged entity to be able to evidence the matching algorithms applied, the false-positive thresholds set, the data quality controls in place, and the periodic validation of the vendor. A black-box approach is not defensible.

Looking Ahead

The EU Anti-Money Laundering Regulation (AMLR) applies directly from 10 July 2027 and will replace much of the GwG's substantive content. Institutions should treat the period to mid-2027 as a transition window: build now to AMLR standards using the BaFin AuA as a forward-looking interpretation, rather than waiting for parallel German legislation that may never materialise in its current form.

How RegMantle Helps

RegMantle generates jurisdiction-specific AML/CFT documentation for German institutions, citing the GwG, KWG, AuA 2025, and applicable EU regulations directly in the text. Generated documents include the institution-wide risk assessment, AML/CFT policy manual, KYC/CDD procedures aligned with Article 26 AMLR cycles, sanctions screening policy referencing the EU Consolidated Financial Sanctions List, SAR/STR procedures keyed to Section 43 GwG and the goAML platform, and the staff training programme required under Section 6 GwG. Live OFAC, EU, UN, and UK screening is built in, alongside adverse media review and 12-factor risk scoring. Every document is exportable as a branded DOCX file ready for board approval and BaFin inspection.
