GwG Compliance: Anti-Money Laundering Requirements for Financial Services
Introduction
Money laundering remains one of the most serious threats to the integrity of the European financial system. The estimated annual volume of money laundered through EU financial institutions runs into hundreds of billions of euros, and Germany -- as Europe's largest economy -- is a primary target. The Geldwäschegesetz (GwG), Germany's Anti-Money Laundering Act, transposes the EU Anti-Money Laundering Directives into national law (currently AMLD 5, Directive (EU) 2018/843; AMLD 6 from the 2024 AML package, Directive (EU) 2024/1640, is still being transposed) and establishes the framework within which German financial institutions must identify, prevent, and report money laundering and terrorist financing.
For banks, payment service providers, investment firms, and insurance companies operating in Germany, GwG compliance is not optional and the consequences of failure are severe. BaFin, as the competent supervisory authority for the financial sector under Section 50 GwG, has imposed fines exceeding EUR 10 million for AML compliance failures in recent years and has the authority to issue cease-and-desist orders, restrict business activities, and remove managers. Beyond regulatory penalties, AML failures carry devastating reputational consequences that can undermine customer trust and business relationships for years. This article covers the core GwG obligations, practical implementation challenges, and how automation can strengthen AML compliance programs.
What Is the GwG?
The Geldwäschegesetz was substantially rewritten in 2017 to implement the EU's Fourth Anti-Money Laundering Directive (AMLD 4, Directive (EU) 2015/849) and has since been amended to incorporate the Fifth Anti-Money Laundering Directive (AMLD 5). The Act establishes obligations for "obliged entities" (Verpflichtete) -- a category that includes all credit institutions, financial services institutions, payment institutions, e-money institutions, insurance companies offering life insurance products, investment management companies, and numerous non-financial entities such as real estate agents, notaries, and dealers in high-value goods.
The GwG is organized around several core pillars: customer due diligence (Sorgfaltspflichten), risk management and analysis, suspicious transaction reporting to the Financial Intelligence Unit (FIU), internal safeguards (Interne Sicherungsmaßnahmen), and record-keeping. Each obliged entity must establish an AML compliance program that addresses all of these pillars, proportionate to its risk exposure.
BaFin supervises GwG compliance for the financial sector and has issued detailed guidance in its "Auslegungs- und Anwendungshinweise zum Geldwäschegesetz" (Interpretation and Application Guidance on the GwG), most recently updated in 2024. This guidance specifies in practical terms how financial institutions are expected to implement GwG requirements. The FIU (Zentralstelle für Finanztransaktionsuntersuchungen), which is part of the Generalzolldirektion (Central Customs Authority), receives and analyzes suspicious transaction reports.
Germany is also a member of the Financial Action Task Force (FATF), and FATF's mutual evaluation reports provide additional context for understanding how German AML requirements align with international standards. The most recent FATF evaluation of Germany (2022) identified areas for improvement in beneficial ownership transparency and supervisory effectiveness, both of which have influenced subsequent GwG amendments.
Key Requirements
Customer Due Diligence (Sections 10-17 GwG)
The cornerstone of GwG compliance is the customer due diligence (CDD) obligation. Under Section 10(3) GwG, obliged entities must perform CDD measures when establishing a business relationship, for occasional transactions of EUR 15,000 or more (EUR 1,000 or more for transfers of funds), whenever there is suspicion of money laundering or terrorist financing regardless of the amount involved, and when there are doubts about the authenticity or adequacy of previously obtained identification data.
Section 10(1) GwG lists five general due diligence measures. Four of them form the core of every CDD file (the fifth, the check whether the customer or beneficial owner is a politically exposed person, is covered under enhanced due diligence below):
Identification of the contracting party (Section 11 GwG): Obtaining the name, date of birth, place of birth, nationality, and address of natural persons, or the company name, legal form, registration number, and registered address of legal entities. Identification must be verified using reliable, independent sources -- for natural persons, typically an identity document; for legal entities, an extract from the commercial register (Handelsregister).
Identification of the beneficial owner (Section 11(5) GwG / Section 3 GwG): Determining the natural person(s) who ultimately own or control the contracting party. For legal entities, this means identifying any natural person holding more than 25% of the capital shares or voting rights, or who otherwise exercises control. The Transparenzregister (Transparency Register) maintained by the Bundesanzeiger is a key resource for beneficial ownership information, and obliged entities must consult it as part of their CDD process.
Assessment of the business relationship (Section 10(1)(3) GwG): Obtaining and evaluating information on the purpose and intended nature of the business relationship, including the expected transaction patterns and the source of funds.
Continuous monitoring (Section 10(1)(5) GwG): Ongoing monitoring of the business relationship to ensure that transactions are consistent with the institution's knowledge of the customer, and updating CDD information when trigger events occur.
Enhanced due diligence (EDD) is required under Section 15 GwG for higher-risk situations, including relationships with politically exposed persons (PEPs, defined in Section 1(12) GwG), correspondent banking relationships, and transactions involving high-risk third countries identified by the European Commission.
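The beneficial-owner step is where a naive implementation fails: a check that only looks at direct holdings misses a person who stays under 25% directly but controls an intermediate company that holds a large block. The following is an added example, not code from the original page or from any product it describes. It resolves beneficial owners over a small ownership graph using the 25% line the article cites, and assumes that "control" of an intermediate legal entity means holding more than half of it (a simplification; the statute refers to the notion of controlling influence in the HGB), that holdings of an intermediate nobody controls are attributed to no one, and that the managing directors are recorded as a fallback when no natural person qualifies. All names, percentages and thresholds are constructed.

```python
from dataclasses import dataclass, field

# The 25% line is the one the article cites (Section 3(2) GwG). Treating
# "control" of an intermediate legal entity as holding more than half of it is
# a simplification assumed for this example; the statute points to the notion
# of controlling influence in Section 290 HGB.
BO_THRESHOLD = 25.0
CONTROL_THRESHOLD = 50.0


@dataclass
class Entity:
    """Node in the ownership graph. `holders` maps holder name -> percent of
    this entity's shares/voting rights held directly by that holder."""
    name: str
    natural_person: bool
    holders: dict[str, float] = field(default_factory=dict)
    managing_directors: list[str] = field(default_factory=list)


Graph = dict[str, Entity]


def controls(person: str, entity: str, graph: Graph, seen: frozenset = frozenset()) -> bool:
    """True if `person` holds a controlling stake in `entity` directly, or
    controls a legal entity that itself holds a controlling stake in `entity`."""
    if entity in seen:  # guard against circular cross-holdings
        return False
    seen = seen | {entity}
    for holder, pct in graph[entity].holders.items():
        if pct <= CONTROL_THRESHOLD:
            continue
        if holder == person:
            return True
        if not graph[holder].natural_person and controls(person, holder, graph, seen):
            return True
    return False


def attributable_share(person: str, target: str, graph: Graph) -> float:
    """Percent of `target` attributable to `person`: the direct holding plus the
    entire holding of every intermediate legal entity that `person` controls.
    Holdings of entities that nobody controls are not attributed to anyone."""
    total = 0.0
    for holder, pct in graph[target].holders.items():
        if holder == person:
            total += pct
        elif not graph[holder].natural_person and controls(person, holder, graph):
            total += pct
    return total


def beneficial_owners(target: str, graph: Graph) -> dict[str, float]:
    """Natural persons to whom more than BO_THRESHOLD of `target` is attributable.
    If there is none, fall back to the managing directors (share recorded as 0.0),
    a simplified form of the statute's fallback rule."""
    owners = {}
    for name, entity in graph.items():
        if not entity.natural_person:
            continue
        share = attributable_share(name, target, graph)
        if share > BO_THRESHOLD:
            owners[name] = share
    if not owners:
        owners = {md: 0.0 for md in graph[target].managing_directors}
    return owners


def _person(name: str) -> Entity:
    return Entity(name, natural_person=True)


# Constructed sample graph (fictional names and percentages).
SAMPLE_GRAPH: Graph = {
    p: _person(p) for p in ("Anna Müller", "Bernd Schulz", "Carla Weiß", "Dieter Vogel", "Erik Lange")
}
SAMPLE_GRAPH.update({
    "Holding AG": Entity("Holding AG", False, {"Anna Müller": 60.0, "Bernd Schulz": 40.0}),
    "Fonds KG": Entity("Fonds KG", False, {"Carla Weiß": 30.0, "Dieter Vogel": 30.0, "Erik Lange": 40.0}),
    # Anna holds only 20% directly, below the line, but controls Holding AG,
    # whose 40% is attributed to her: 60% in total. Fonds KG's 40% is attributed
    # to nobody because no natural person controls it.
    "Beispiel GmbH": Entity("Beispiel GmbH", False,
                            {"Anna Müller": 20.0, "Holding AG": 40.0, "Fonds KG": 40.0},
                            managing_directors=["Frank Bauer"]),
    # Anna's look-through gives only 10% here and Fonds KG is uncontrolled, so
    # the managing director is recorded as the fallback.
    "Leer GmbH": Entity("Leer GmbH", False, {"Holding AG": 10.0, "Fonds KG": 90.0},
                        managing_directors=["Gerd Haas"]),
})


if __name__ == "__main__":
    for target in ("Beispiel GmbH", "Leer GmbH"):
        print(target, "->", beneficial_owners(target, SAMPLE_GRAPH))
```

The two sample companies are chosen to show both failure modes of a direct-only check: Beispiel GmbH has a beneficial owner who would not appear in a direct-holdings query, and Leer GmbH has no natural person above the line at all, which is the case that must be escalated rather than recorded as "none".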
Risk Assessment and Management (Sections 4-9 GwG)
Section 4 GwG requires each obliged entity to operate an effective risk management system, and Section 5 GwG specifies its first component: an entity-wide money laundering risk analysis (Risikoanalyse). This analysis must identify and evaluate the money laundering and terrorist financing risks specific to the entity, considering factors such as customer types, products and services offered, delivery channels, geographic exposure, and transaction volumes.
The risk assessment must be documented, updated regularly (at least annually for financial institutions), and made available to BaFin upon request. BaFin's guidance specifies that the risk assessment must be a substantive document that reflects the entity's actual risk profile, not a generic template.
Section 6 GwG requires obliged entities to implement internal safeguards (Interne Sicherungsmaßnahmen) proportionate to their risk exposure. For financial institutions, this includes appointing a GwG compliance officer (Geldwäschebeauftragter) and a deputy under Section 7 GwG. The compliance officer reports directly to management, must have adequate resources, authority, and access to information, and the appointment (as well as any dismissal) must be notified to BaFin in advance.
Suspicious Transaction Reporting (Section 43 GwG)
When an obliged entity identifies facts that suggest money laundering or terrorist financing, it must file a suspicious transaction report (Verdachtsmeldung) with the FIU without delay. Section 43 GwG defines the triggering criteria broadly: a report must be filed whenever an asset related to a transaction could be the proceeds of a criminal offense, or whenever there are facts that indicate money laundering or terrorist financing.
The reporting obligation is strict. BaFin and the FIU have emphasized that over-reporting is preferable to under-reporting, and that the decision to file should not be influenced by the expected outcome of the FIU's analysis. Reports are submitted electronically through the FIU's goAML portal (goAML Web).
Under Section 47 GwG, obliged entities are prohibited from disclosing to the customer or any third party that a suspicious transaction report has been filed or is being considered (tipping-off prohibition). Violating this prohibition is an administrative offence punishable by a fine under Section 56 GwG.
Record-Keeping (Section 8 GwG)
All CDD information and documentation must be retained for five years after the end of the business relationship or the completion of the occasional transaction (Section 8(4) GwG). Transaction records must also be retained for five years. Records must be stored in a manner that allows them to be made available to BaFin and the FIU within a reasonable timeframe.
Relationship to Other Frameworks
GwG compliance intersects with several other regulatory frameworks. DORA's requirements for ICT risk management (Articles 5-16) are directly relevant because AML monitoring systems -- transaction monitoring platforms, screening tools, and case management systems -- are critical ICT systems that must meet DORA's resilience, testing, and incident reporting requirements. An outage or silent malfunction of the AML transaction monitoring system is therefore both a GwG compliance issue and, where it meets DORA's classification criteria, a reportable ICT-related incident.
GDPR creates a tension with GwG that financial institutions must carefully manage. GwG Section 11a explicitly permits the processing of personal data for AML purposes and provides that GDPR's data minimization principle does not prevent the collection of data required by the GwG. However, institutions must still comply with GDPR's transparency, security, and data subject rights provisions to the extent they do not conflict with GwG obligations. BaFin's guidance addresses this interaction and provides that GwG obligations take precedence where there is a direct conflict.
ISO 27001 supports the information security requirements that underpin AML system integrity. The confidentiality and integrity of customer data, suspicious transaction reports, and AML investigation files must be protected through appropriate technical and organizational measures. ISO 27001's control framework provides a structured approach to meeting these requirements.
The KWG supplements the general GwG obligations with provisions tailored to credit institutions. Section 25h KWG requires internal safeguards, including data processing systems for detecting unusual transactions (the statutory basis for transaction monitoring in banks); Section 25l KWG requires group-wide compliance with AML obligations; and Section 25m KWG prohibits certain transactions, including correspondent relationships with shell banks.
Compliance Automation with Matproof
GwG compliance is inherently data-intensive and documentation-heavy. The CDD process alone generates thousands of records for even medium-sized financial institutions, each of which must be verified, stored, monitored, and updated. Transaction monitoring systems process millions of data points daily. The risk assessment must be maintained as a living document. And all of this must be evidenced for BaFin inspections and the annual audit under Section 29 KWG.
Matproof automates the evidence collection and monitoring aspects of GwG compliance that are most prone to gaps and human error. The platform continuously monitors whether required AML controls are in place and functioning: Are screening systems properly configured and up to date? Are transaction monitoring rules aligned with the documented risk assessment? Are CDD review triggers functioning correctly?
The platform maps GwG requirements to specific evidence items and collects them automatically from connected systems. When BaFin conducts an AML-focused inspection -- which it does regularly, often with minimal advance notice -- compliance teams can produce structured evidence packages demonstrating the ongoing effectiveness of their AML program rather than relying on point-in-time snapshots that may not reflect actual day-to-day operations.
Matproof's cross-framework mapping ensures that AML-related evidence also satisfies overlapping requirements under DORA (for ICT system resilience), KWG Section 25h (for banking-specific AML controls), and GDPR (for data protection documentation). All data remains within German data centers, which is essential given the highly sensitive nature of AML compliance data, including suspicious transaction reports and customer investigation files.
Implementation Roadmap
Phase 1 (Weeks 1-3): Risk Assessment Review. Review and update the entity-wide money laundering risk analysis under Section 5 GwG. Ensure it reflects current customer profiles, product offerings, geographic exposures, and delivery channels. Document the methodology and conclusions. This is the foundation on which all other AML measures are built.
Phase 2 (Weeks 4-6): CDD Process Audit. Conduct a comprehensive audit of the CDD process against Sections 10-17 GwG. Verify that identification and verification procedures meet BaFin's guidance, that beneficial ownership determinations are properly documented, that enhanced due diligence is applied where required, and that ongoing monitoring triggers are functioning.
Phase 3 (Weeks 7-9): Controls Automation. Deploy automated monitoring for AML controls. Configure evidence collection for transaction monitoring systems, screening tools, CDD databases, and training records. Establish dashboards that provide real-time visibility into the effectiveness of the AML program.
Phase 4 (Weeks 10-12): Testing and Remediation. Conduct scenario-based testing of the AML program, including simulated suspicious transactions and test-filing of suspicious transaction reports. Identify weaknesses and remediate them. Document the testing and its outcomes as evidence of the program's effectiveness.
Ongoing: Continuous Monitoring and Reporting. Maintain automated evidence collection. Update the risk assessment at least annually. Report AML program effectiveness to management and the supervisory board quarterly. Prepare for BaFin inspections by maintaining an always-current evidence repository.
FAQ
Who must appoint a GwG compliance officer (Geldwäschebeauftragter)?
Under Section 7 GwG, all obliged entities in the financial sector must appoint a GwG compliance officer and a deputy. This includes credit institutions, financial services institutions, payment institutions, e-money institutions, and insurance companies offering life insurance. The compliance officer reports directly to management, must have adequate resources and authority, and the appointment and any dismissal must be notified to BaFin in advance. For groups, the parent company must also appoint a group-level GwG compliance officer.
What triggers a suspicious transaction report under the GwG?
Section 43 GwG requires a report whenever there are facts suggesting that an asset related to a business relationship or transaction could be the proceeds of a criminal offense, or that money laundering or terrorist financing is being attempted. The threshold is deliberately low -- suspicion, not certainty, triggers the obligation. Common triggers include unusual transaction patterns, discrepancies in customer information, transactions involving high-risk jurisdictions, and customer behavior inconsistent with the documented business purpose. BaFin has consistently stated that it is better to file a report and have the FIU determine it is unfounded than to fail to report a genuinely suspicious transaction.
What are the penalties for GwG violations?
Administrative fines under Section 56 GwG can reach up to EUR 1 million for individuals and up to EUR 5 million or 10% of the previous year's total turnover for legal entities (whichever is higher) for serious, repeated, or systematic violations. BaFin can also issue public reprimands (Section 57 GwG) and, in extreme cases, restrict the institution's business activities or revoke its license under KWG Section 35. Criminal penalties for money laundering itself are defined in Section 261 of the German Criminal Code (Strafgesetzbuch) and can include imprisonment of up to ten years.
How does the upcoming EU AML Regulation (AMLR) affect GwG compliance?
The EU Anti-Money Laundering Regulation (AMLR, Regulation (EU) 2024/1624), part of the EU's AML legislative package adopted in 2024, applies directly in all member states from 10 July 2027 and will replace much of the GwG's substantive content. The new EU Anti-Money Laundering Authority (AMLA), headquartered in Frankfurt, will directly supervise certain high-risk financial institutions. However, the GwG will continue to exist as national legislation for aspects that require member state-level rules, including the designation of competent authorities and national-specific risk factors. Financial institutions should begin aligning their AML programs with AMLR requirements while maintaining current GwG compliance.