CIVAC
Money laundering prevention | 3 July 2026 | 13 min read

AML Compliance in Germany: Geldwaeschegesetz Obligations and How to Operate Them

By Dr. Henrik Bauer

Germany regulates anti-money laundering through the Geldwaeschegesetz (GwG) and BaFin guidance. This article explains who qualifies as an obliged entity, what risk analysis and KYC obligations apply and how CIVAC supports the AML officer with platform plus officer-as-a-service.

Germany implements the European AML framework through the Geldwaeschegesetz (GwG), most recently amended by the AML Package adopted by the EU in 2024 and the German implementation steps that follow. The supervisory architecture combines BaFin for the financial sector under § 50 No. 1 GwG with the federal state authorities for the non-financial sector under § 50 No. 9 GwG. Obliged entities, defined in § 2 GwG, range from credit institutions and insurance undertakings to real estate agents, goods traders above the EUR 10,000 cash threshold, art market participants and tax advisors. Each obliged entity has to run a risk analysis, KYC procedures, transaction monitoring, suspicious activity reporting to the Financial Intelligence Unit (FIU) and, in many cases, the appointment of a Money Laundering Reporting Officer (Geldwaeschebeauftragter).

This article is written for foreign and domestic compliance leads who want a structured operational view rather than a high-level overview. It covers the scope of the GwG, the appointment of the AML officer under § 7 GwG, the risk-based approach, FIU reporting, BaFin supervisory practice and how CIVAC, as a compliance platform and officer-as-a-service, supports the function in daily operations. License the workspace for your internal officers, or have our officers appointed.

At a glance

  • The Geldwaeschegesetz applies to a wide range of obliged entities under § 2 GwG, with BaFin and federal state authorities as supervisors and the FIU as the central reporting point.
  • The AML officer is mandatory for many entities under § 7 GwG, with personal liability if appointment, training or reporting structures are missing or insufficiently documented.
  • CIVAC delivers a workspace with 37 audit-ready templates, EU data residency, ISO/IEC 27001:2022 with 93 controls and the option to appoint an external Geldwaeschebeauftragter as officer-as-a-service.

Who qualifies as an obliged entity under the GwG

Section 2 GwG defines the obliged entities. The list includes credit institutions, financial services institutions, payment services and e-money providers, insurance undertakings and intermediaries, capital management companies, lawyers and notaries when acting in specific scopes, auditors, tax advisors, trust and company service providers, real estate agents, art market participants, custodians of art and goods traders above the EUR 10,000 cash threshold. The 2021 amendment expanded the scope to include all participants in the art market and tightened the rules for crypto asset service providers.

Foreign companies operating in Germany should pay particular attention to the cross-border footprint. A foreign credit institution with a German branch is an obliged entity for the German operations. A goods trader based abroad that accepts cash in Germany above the threshold is captured for that transaction. The supervisory authority depends on the sector: BaFin for financial services, the federal state authorities for legal and tax professionals and for goods traders, the Bundessteuerberaterkammer for tax advisors and the Bundesrechtsanwaltskammer for lawyers in their respective professional supervisory dimension.

Each obliged entity has to identify itself in the supervisory landscape and assign a clear contact for AML matters. The Geldwaeschebeauftragter is the operational anchor for this. Even where appointment under § 7 GwG is not legally mandatory, BaFin and many federal state authorities expect a designated function and a documented escalation path. The platform documents this assignment with a signed appointment letter, training records and reporting line, so that an inspector can verify the function within minutes. Appointment letter, signed, filed, evidenced.

The AML officer under § 7 GwG and § 25h KWG

Section 7 GwG sets the appointment obligation for many obliged entities. Credit institutions and financial services institutions face the additional requirement under § 25h KWG, which requires not only appointment but also organizational independence, sufficient resources and direct reporting to the management board. The AML officer is not a part-time add-on for the deputy chief of accounting; the role requires capacity, training and a documented mandate. BaFin has issued the AuA (Auslegungs- und Anwendungshinweise) most recently in March 2025, clarifying the expectations in detail.

The appointment letter has to set out the scope of authority, the access rights to relevant systems, the right to report directly to management, the deputy arrangement during absence and the formal end conditions. A weak appointment letter is one of the most frequent findings in BaFin inspections. The AML officer is personally exposed if the appointment is missing or unclear: § 56 GwG provides for administrative fines of up to EUR 150,000 in standard cases, EUR 1 million for systematic violations and up to 10 percent of total annual turnover for the most serious cases against credit institutions.

The relationship between the AML officer and the management board is structured as a reporting line, not a hierarchical one. The officer reports findings, the board takes the decisions and bears the responsibility under § 130 OWiG. If the board decides against the officer's recommendation, the divergent decision and its rationale must be documented. The CIVAC workspace captures this reporting line with date, signatures and version. Other companies run compliance like a filing cabinet. We run it like software, and the AML officer benefits from that architecture every working day, particularly during BaFin inspections.

Risk analysis and the risk-based approach

Section 5 GwG requires a written risk analysis as the foundation of every AML programme. The analysis identifies, evaluates and documents the inherent risks of the business, taking into account customer types, products and services, geographic exposure and delivery channels. It is not a one-off exercise; § 5 Abs. 2 GwG requires regular updates and ad hoc reviews when business changes. BaFin and the federal state authorities review the risk analysis as the first document during an inspection. A weak analysis triggers cascading findings across the entire AML programme.

The risk-based approach means that KYC depth, transaction monitoring scenarios and ongoing due diligence intensity scale with risk. Section 14 GwG defines enhanced due diligence triggers, including politically exposed persons (§ 1 Abs. 12 GwG), high-risk third countries listed by the EU Commission and complex unusual transactions. Section 14 Abs. 1 sets enhanced measures: senior management approval for the relationship, additional source of funds checks and enhanced ongoing monitoring. Simplified due diligence under § 14 Abs. 2 applies only where the risk is demonstrably low and never in case of suspicion.

A platform-based approach captures the risk analysis as a structured template, with risk factors, weighting, residual risk and mitigation measures linked to each customer segment, product and country. CIVAC ships an AML risk analysis template among the 490 audit-ready templates, which the AML officer adapts to the obliged entity's business model. The template is versioned, so each annual update or ad hoc revision remains traceable. Audit-ready, documented, § 5-GwG-proof.

Know-Your-Customer and transaction monitoring

KYC obligations under § 10 to § 17 GwG cover identification, verification, beneficial ownership and ongoing monitoring. The obliged entity has to identify the customer, verify the identification through reliable documents or electronic means under § 12 GwG, identify the beneficial owner under § 11 Abs. 5 GwG and document the purpose and nature of the business relationship. Beneficial ownership is verified through the Transparenzregister, the German beneficial ownership register, which was substantially expanded in 2021 to cover all legal entities, not just those that had no other public disclosure.

Transaction monitoring under § 10 Abs. 1 No. 5 GwG requires ongoing surveillance of the business relationship with risk-based scenarios. Credit institutions typically run automated scenarios on payment data, with alerts triaged by the AML officer or a dedicated transaction monitoring team. Non-financial obliged entities operate lighter setups, often manual reviews of unusual transactions. The scenarios should reflect the risk analysis: a real estate agent monitors for cash transactions and unusual financing patterns, a goods trader monitors for cash close to the EUR 10,000 threshold and structuring patterns, a credit institution monitors against a broad scenario library.

Suspicious transactions trigger reporting to the Financial Intelligence Unit (FIU) under § 43 GwG. The report must be submitted without undue delay through the goAML platform, and the underlying transaction must generally not be executed until the FIU has cleared the matter under § 46 GwG, with limited exceptions. Failure to report is itself an offence under § 56 Abs. 1 No. 69 GwG, with fines up to the levels described in section 02. The platform documents each alert, the assessment, the decision to report or not and the FIU confirmation.

FIU reporting and the goAML platform

The German FIU sits within the Generalzolldirektion (Customs Directorate-General) and is the central reporting and analysis point for suspicious activity reports. Section 43 GwG sets the reporting obligation: if facts indicate that an asset stems from a criminal offence that could be a predicate offence to money laundering, that a transaction relates to terrorist financing or that a customer has not disclosed beneficial ownership truthfully, a report is mandatory. The report is submitted through the goAML web portal, the FIU's electronic reporting system.

The reporting threshold is fact-based suspicion, not certainty. Many obliged entities under-report because they wait for proof. § 43 GwG explicitly states that the obliged entity is not required to investigate the underlying offence; suspicion of facts is sufficient. The FIU has emphasized in its annual reports that under-reporting remains a structural issue, particularly in the non-financial sector. Over-reporting, by contrast, is discouraged through the FIU's quality feedback mechanism.

The platform-based approach captures the suspicion assessment as a structured workflow. The AML officer reviews the alert, documents the facts, assesses against the reporting threshold and submits the goAML report directly or hands it to the team responsible for the goAML interface. CIVAC's workspace logs the decision and the rationale with a timestamp, a signature and a version. The deadline runs from the moment of knowledge, and an audit trail that proves the obliged entity reported without undue delay protects the AML officer and the management board from § 130 OWiG exposure if a later investigation questions the timing of the report.

BaFin supervisory practice and inspections

BaFin runs both routine and ad hoc inspections of supervised AML entities. The routine cycle ranges from two to five years depending on risk classification. Ad hoc inspections follow whistleblower reports, media coverage, FIU referrals or peer information from other supervisors. BaFin's expectations are codified in the AuA (Auslegungs- und Anwendungshinweise), most recently updated in March 2025, and in sector-specific guidance such as the AT 4.4 MaRisk module on AML organisation in credit institutions.

The inspection typically starts with a request for the risk analysis, the AML manual, the AML officer's appointment letter, the most recent training records, the FIU reporting statistics and a sample of KYC files. Within 48 to 72 hours, BaFin expects a complete and structured response. Obliged entities that scramble to assemble Excel files and Word documents from multiple shared drives signal organisational weakness, which often leads to follow-up inspections and more intrusive findings. A platform that produces a reference-date (Stichtag) export within hours sends the opposite signal.

The most frequent findings in BaFin AML inspections include incomplete risk analyses, weak appointment letters, missing training documentation, untraceable KYC decisions, late or missing FIU reports and insufficient transaction monitoring scenarios. CIVAC's audit templates address each of these points: the AML risk analysis template, the appointment letter template, the training register, the KYC decision log, the FIU report log and the scenario library. The inspector calls, the evidence is ready. License the workspace for your internal officers, or have our officers appointed.

Cross-border setups: foreign parent, German subsidiary

Many AML setups in Germany are part of a wider group operation. A foreign parent runs group AML policies, a German subsidiary or branch implements them in line with local law. The challenge is the gap between group standards, which often reflect the parent's home jurisdiction, and the specific German rules under the GwG, the KWG and BaFin's AuA. A group policy that simply states "we follow international standards" does not satisfy § 5 GwG. The German entity needs a local risk analysis, a local AML officer, local FIU reporting procedures and German-language documentation.

The platform supports the group structure through tenant (Mandant) separation. A central group workspace can hold the group policy and template library, with subordinate tenants per country implementing the local specifics. The AML officer of the German entity has the local risk analysis, the local KYC files and the German FIU interface, while the group AML officer retains visibility for governance and consolidation. This separation also handles the data residency question: German customer data stays in EU data centres, regardless of where the group has its primary system.

CIVAC's officer-as-a-service is particularly useful for German subsidiaries of foreign groups where local talent is scarce or where the group does not want to build local AML capacity from scratch. The external Geldwaeschebeauftragter holds the formal appointment, the workspace, the reporting line to local management and the responsibility for FIU reporting. The group AML officer retains policy oversight and reviews periodic reports from the local function. Both layers are auditable and surface in the same workspace, with role separation enforced through the permission model.

Penalties, personal liability and reputational cost

Section 56 GwG sets the administrative fine framework. Standard violations are sanctioned with up to EUR 150,000. Serious, repeated or systematic violations against credit institutions can reach EUR 5 million or 10 percent of total annual turnover, whichever is higher. For natural persons, the upper limit is EUR 5 million for serious systematic violations. BaFin publishes its sanction decisions, which adds reputational exposure beyond the financial penalty. The publication remains online for five years.

Personal liability of management board members under § 130 OWiG applies where supervisory duties were neglected and the violation would have been prevented or impeded with appropriate supervision. The administrative fine here can reach EUR 1 million for natural persons under § 130 Abs. 3 OWiG. In serious cases, criminal liability under § 261 StGB (money laundering) can attach to individual decision-makers, with prison terms up to ten years for severe variants of the offence. The criminal track is separate from the administrative track and can proceed in parallel.

Reputational cost is often larger than the direct fine. A published BaFin decision affects banking relationships, audit fees, insurance premiums and counterparty due diligence. A goods trader sanctioned for repeated KYC failures may lose access to payment service providers and correspondent banking. A platform-based AML programme reduces the probability and severity of findings, and the audit trail also reduces the duration and intensity of inspections. The inspector calls, the evidence is ready, and the inspector leaves with shorter findings or none at all. That outcome compounds across multiple inspection cycles.

Turn the read into a brief

AML compliance in Germany is not a checklist exercise. It is an operational function that ties together risk analysis, KYC, transaction monitoring, FIU reporting, training, appointment and reporting lines into a coherent system that BaFin and the federal state authorities expect to see in inspections. The Geldwaeschebeauftragter is the operational anchor of that system, and the platform on which the function runs decides whether evidence is ready in hours or in days. The choice is not a binary tool decision; it shapes the legal posture of the entity and the personal exposure of the management board under § 130 OWiG.

CIVAC is a compliance platform and officer-as-a-service. License the workspace for your internal officers, or have our officers appointed. Both models share the same data, the same 490 audit templates and the same reporting line. The workspace runs in EU data centres with an ISMS certified to ISO/IEC 27001:2022 covering 93 controls, which addresses both data residency and information security concerns common in financial services and cross-border setups. The model switch is possible at any time without breaking documentation.

Turn the read into a brief. Send a short description of your obliged entity status, your current AML setup and the open inspection or audit pressure to info@civac.de or use the contact form on civac.de. You will receive a written proposal within two business days, covering licence scope, optional appointment of an external Geldwaeschebeauftragter and a migration plan that brings existing KYC files, transaction monitoring logs and FIU report histories into the workspace without disruption.

FAQ

Who is obliged to comply with the Geldwaeschegesetz in Germany?

Section 2 GwG defines obliged entities, including credit institutions, financial services, insurance undertakings, lawyers and notaries in specific scopes, tax advisors, real estate agents, art market participants and goods traders above the EUR 10,000 cash threshold. Foreign companies with German operations are captured for those German activities, regardless of where the parent is based.

When is the appointment of an AML officer mandatory under § 7 GwG?

Section 7 GwG sets the appointment obligation for most obliged entities, with sector-specific thresholds. Credit institutions and financial services additionally fall under § 25h KWG, which requires organisational independence and direct board reporting. Even where appointment is not mandatory, supervisors expect a designated AML contact and a documented escalation path within the organisation.

What does the risk analysis under § 5 GwG cover?

Section 5 GwG requires a written risk analysis covering customer types, products and services, geographic exposure and delivery channels. The analysis identifies, evaluates and documents inherent risks, defines mitigation measures and is updated regularly and on an ad hoc basis when the business changes materially. It is the foundation document supervisors review first in inspections.

How are suspicious activity reports submitted in Germany?

Reports are submitted to the German Financial Intelligence Unit (FIU), located within the Generalzolldirektion, through the goAML web portal. The reporting threshold is fact-based suspicion under § 43 GwG, not proof. The transaction must generally not be executed until the FIU has cleared the matter under § 46 GwG, with limited statutory exceptions for specific scenarios.

What penalties apply for AML violations in Germany?

Section 56 GwG provides administrative fines up to EUR 150,000 in standard cases, EUR 5 million or 10 percent of annual turnover for serious systematic violations by credit institutions and EUR 5 million for natural persons in severe cases. Section 261 StGB adds criminal liability with prison terms up to ten years for individual decision-makers in severe variants of the offence.

Does CIVAC support cross-border AML setups with foreign parent companies?

Yes. The platform supports tenant (Mandant) separation, so a group workspace holds central policies while subordinate tenants implement local German specifics. CIVAC's officer-as-a-service can supply a German Geldwaeschebeauftragter for a German subsidiary or branch, with the workspace, reporting line, training records and goAML FIU interface fully operated locally under EU data residency.
