AML Officer Services for Financial Institutions in Germany: External Appointment, Scope, Cost

Section 7 of the German Anti-Money Laundering Act (Geldwaeschegesetz, GwG) obliges financial-sector entities to appoint a money laundering officer (Geldwaeschebeauftragter, GwB) and a deputy, both at management level and with direct reporting to the executive board. The MaRisk circular AT 4.4.2 sets out the BaFin expectations for the AML function as a Zentrale Stelle within the second line of defence, independent of the first-line business and from internal audit. From 1 July 2027 the European Anti-Money Laundering Authority (AMLA) takes over direct supervision of selected cross-border obliged entities under Regulation (EU) 2024/1620, with binding regulatory technical standards already in scoping.

This article explains how external AML officer services for financial institutions in Germany work in practice. You will see the scope of the mandate, who can hold the role, how cost compares to a senior in-house hire, how the appointment connects with the suspicious activity report channel toward the Financial Intelligence Unit (FIU), and how the CIVAC dual model (license the Compliance Workspace for your internal Geldwaeschebeauftragter or appoint CIVAC officers) keeps the function audit-fest, dokumentiert, § 7-fest, including for BaFin Sonderpruefungen. The article is written for heads of compliance, executive boards, and project leads preparing the AMLA transition for German banks, payment institutions, EMIs, asset managers, and crypto-asset service providers.

The German AML framework rests on three layered sources. The Geldwaeschegesetz (GwG) implements the Fifth and Sixth EU AML Directives and is the primary statutory basis. § 7 GwG requires obliged entities (Verpflichtete) including credit institutions, payment institutions, e-money institutions, investment firms, insurance undertakings with life-insurance business, and crypto-asset service providers under MiCAR, to appoint a money laundering officer at management level and a deputy. § 9 GwG sets out the risk management duties, and § 10 to § 17 GwG cover customer due diligence (CDD), enhanced due diligence (EDD), and ongoing monitoring.

BaFin operationalises these duties through the MaRisk circular AT 4.4.2 for the AML compliance function as a Zentrale Stelle in the second line of defence, independent of the first-line business and from internal audit. The role reports directly to the management board and receives unrestricted access to data, systems, and personnel. The MaRisk-Novelle 2026 reinforces governance and outsourcing requirements; § 25b KWG sets the boundary conditions for outsourcing of AML functions.

The European Anti-Money Laundering Authority (AMLA) starts direct supervision of selected cross-border obliged entities on 1 July 2027. National authorities such as BaFin remain responsible for non-selected entities. The AMLA single rulebook will harmonise CDD and reporting standards across the EU. The Geldwaeschebeauftragter role inside CIVAC is documented to both BaFin and AMLA-ready templates so that the transition does not require a separate evidence rebuild. Cross-references to § 25b KWG outsourcing requirements and to the EBA Outsourcing Guidelines complete the picture for any institution considering an external AML officer.

The AML officer must be reliable and professionally qualified. § 7 (1) GwG requires the role to sit at management level (Führungsebene), which BaFin interprets as a function with direct reporting to the executive board and sufficient seniority to challenge business decisions. The officer needs a track record in AML compliance, sound legal knowledge of the GwG, KWG, ZAG, and the relevant EU regulations, and German language skills sufficient for supervisory correspondence and BaFin Sonderpruefungen.

Outsourcing the role to an external service provider is admissible under § 7 (4) GwG, provided the obliged entity remains responsible, the BaFin is notified, and the service agreement includes audit rights, segregation duties, and data-access provisions. The external officer must be available within the prescribed deadlines, especially for the suspicious activity report (SAR) filing under § 43 GwG. The reporting line to the executive board is preserved through a written engagement letter and a Bestellurkunde.

The deputy is required under § 7 (1) GwG and follows the same qualification standards. In practice, financial institutions appoint the principal and the deputy as a pair to ensure continuity during leave, illness, and supervisory inspections. The CIVAC model offers both the principal and the deputy as external appointments, or as a hybrid where the principal is internal and the deputy is external, depending on the size and risk profile of the entity. The Bestellurkunde is countersigned by the executive board and stored inside the workspace, alongside the deputy appointment and the BaFin notification.

The AML officer function spans the full second-line workflow. First, the Zentrale Stelle defines risk-based policies and procedures for customer onboarding, including KYC under § 10 to § 12 GwG, beneficial owner identification under § 19 GwG, and enhanced due diligence for politically exposed persons (PEPs), high-risk third countries, and complex ownership structures. The risk analysis under § 5 GwG is reviewed at least annually and following material changes in the business model.

Second, the officer operates the ongoing monitoring framework, which includes transaction monitoring, ad-hoc reviews on alerts, and periodic refresh of KYC files. The transaction monitoring engine, whether a vendor system or a tailored solution, is governed by a model-validation regime aligned with MaRisk AT 4.4.2. Third, the SAR channel toward the Financial Intelligence Unit (FIU) under § 43 GwG runs on the goAML reporting portal; reports are filed without undue delay once the threshold for suspicion is reached.

Fourth, sanctions screening under EU sanctions regimes and the OFAC framework runs alongside AML, often on the same screening platform. Fifth, group functions such as the FATF-FATCA-CRS reporting set, the BaFin Sonderpruefungen, the internal audit interaction, and the supervisory dialog round out the daily work. CIVAC documents each of these workflows inside the Compliance Workspace with a named owner, a timer, and an evidence trail. The hallmark stands: Audit-fest, dokumentiert, § 7-fest. Each workflow links back to the underlying GwG paragraph and to the relevant BaFin circular, so a supervisory request is traceable in seconds.

An external AML officer engagement for a German financial institution follows a defined structure. The starting point is the service agreement under § 25b KWG with the auditable terms: scope of services, segregation requirements, data-access provisions, audit rights for BaFin and internal audit, sub-contracting restrictions, and termination clauses. The BaFin must be notified of the outsourcing under MaComp BT 3 or the equivalent prudential expectation, and the obliged entity records the outsourcing in its outsourcing register under § 25b KWG.

The Bestellurkunde for the AML officer follows. It names the external person or legal entity, the scope of the mandate under § 7 GwG, the reporting line to the executive board, the deputy arrangement, and the term. The supervisory contact details with BaFin and the FIU are updated to point to the external officer. The internal team receives a single point of contact, and the executive board receives a monthly officer report covering KPIs, open SARs, audit findings, and emerging risks.

Service-level commitments matter. For SAR filing, the response window from internal escalation to FIU submission is typically defined at less than 24 hours for high-priority cases; for periodic KYC refresh, the cadence follows the risk classification, typically annually for high-risk and three to five years for low-risk customers. The CIVAC workspace stores the service levels and the actual lead times in a transparent dashboard, so the executive board and the BaFin auditor see compliance with the commitments without separate requests.

A senior internal Geldwaeschebeauftragter in a German bank, payment institution, or asset manager typically costs between EUR 140,000 and EUR 220,000 in total annual compensation depending on the size of the entity and the complexity of the business model. The deputy adds another EUR 110,000 to EUR 160,000. Both roles include statutory employer contributions of around 20 percent, training and certification of EUR 4,000 to EUR 9,000 per year per officer, and recruiting cycles of three to six months for senior roles. The fully loaded annual cost for a paired in-house team typically sits between EUR 320,000 and EUR 480,000 in the first year, before tooling.

External AML officer services compress this. Monthly retainers for a small payment institution or fund administrator typically range from EUR 4,500 to EUR 8,500. Mid-sized credit institutions and Tier-2 payment institutions sit between EUR 8,500 and EUR 18,000 per month. Larger entities with cross-border footprints land between EUR 18,000 and EUR 40,000 per month. The retainer includes the named principal officer and deputy, the workspace license, the SAR channel into goAML, sanctions screening governance, and monthly board reporting.

The economics depend on entity size, product complexity, and the existing data infrastructure. A small EMI with two products and one EU passport can outsource the function fully and save approximately 60 percent against an internal team. A mid-sized bank usually runs a hybrid where the internal head of AML is supported by an external deputy and the workspace. The classical internal hire remains the right path for large diversified financial groups with extensive cross-border activity, but even there the workspace lowers per-officer hours by structuring evidence and reporting.

BaFin Sonderpruefungen are unannounced or short-notice on-site inspections of the AML function. They focus on the risk analysis under § 5 GwG, the policies and procedures, the SAR archive, the transaction monitoring model and its validation, the EDD files for high-risk customers, the sanctions screening logs, and the cooperation with the internal audit function. Sonderpruefungen often follow a media event, a peer-group finding, or a thematic supervisory priority. Findings can lead to administrative orders, fines under § 56 GwG, or business restrictions.

The evidence backbone matters. A defensible AML function delivers the auditor a single workspace with the policies, the risk analysis, the SAR archive, the monitoring rules and tuning history, the EDD files, the sanctions screening logs, the model validation reports, the training records, and the management board minutes covering AML topics. The CIVAC workspace stores all of these artefacts with timestamps and named owners, so the auditor finds evidence in minutes rather than days.

The hallmark: Der Prüfer ruft an, der Nachweis liegt bereit. The 490 CIVAC audit templates cover the recurring inspection categories, from the policy framework over the SAR workflow to the model validation. The Compliance-Beauftragter in CIVAC complements the AML officer role and ensures that bribery prevention under § 130 OWiG and AML controls share a consistent evidence base. Across a typical Sonderpruefung the workspace shortens preparation time from weeks to days, and the officer report to the executive board references the same evidence base used by the supervisor.

Crypto-asset service providers (CASPs) under Regulation (EU) 2023/1114 (MiCAR) became fully subject to AML obligations on 30 December 2024. § 1 (1d) GwG includes CASPs in the catalogue of obliged entities, and the BaFin authorisation process under MiCAR includes a dedicated AML pillar. CASPs must implement the full second-line framework, including KYC, transaction monitoring adapted to on-chain data, EDD for self-hosted wallets above EUR 1,000, and SAR filing under § 43 GwG.

The Travel Rule under Regulation (EU) 2023/1113 imposes specific information-accompanying duties on transfers of crypto-assets, equivalent to the wire-transfer regulation for fiat. CASPs need to capture originator and beneficiary information for each transfer above the threshold, screen the data against sanctions lists, and report mismatches. The transaction monitoring engine must combine on-chain analytics (cluster heuristics, attribution, mixing detection) with traditional rule-based monitoring.

The CIVAC workspace ships with a CASP control catalogue mapped to MiCAR, the Travel Rule regulation, and § 1 (1d) GwG. The Bestellurkunde for the CASP AML officer references the BaFin authorisation. CIVAC operates the Geldwaeschebeauftragter for several smaller CASPs in Germany under the Officer-as-a-Service model and licenses the workspace for larger crypto platforms that retain an internal AML head. The EU data residency of the workspace meets MiCAR governance expectations and supports cross-border passporting. The deputy can be appointed externally as well, which addresses the common challenge of finding senior AML talent with both crypto and traditional finance experience in the German market. The Bestellurkunde for CASP officers includes references to the BaFin authorisation file.

The European Anti-Money Laundering Authority (AMLA) was established by Regulation (EU) 2024/1620 and starts direct supervision of approximately 40 selected obliged entities on 1 July 2027. The selection criteria include cross-border footprint and risk profile. National competent authorities such as BaFin remain responsible for non-selected entities, but the AMLA single rulebook will harmonise minimum standards across the EU. Several level-2 measures are in technical scoping, including regulatory technical standards on CDD, beneficial ownership, and SAR formats.

For financial institutions in Germany, three preparatory steps reduce future re-engineering. First, align the risk analysis with the harmonised template that AMLA will adopt; the EBA Joint Guidelines on ML/TF Risk Factors are a useful interim reference. Second, structure the SAR archive to support AMLA-format reporting alongside the goAML format; the underlying data model is largely compatible. Third, document the outsourcing arrangements for the AML officer function in line with the EBA Outsourcing Guidelines and the MaRisk-Novelle 2026, including audit rights for AMLA.

The CIVAC workspace is built to be source-of-truth-agnostic between BaFin and AMLA. The evidence base, the SAR archive, and the risk analysis can be exported into either supervisory format without manual rework. Frist laeuft ab Kenntnis. For obliged entities considering an external AML officer in 2026, the AMLA roadmap is one more argument to consolidate into a workspace-backed function rather than continuing with a fragmented set of tools and shared drives. The investment in a structured evidence base now pays back as soon as the first AMLA-aligned RTS becomes binding.

CIVAC is a German Compliance-Plattform and Officer-as-a-Service with EU data residency, 25 officer roles available, 93 ISO/IEC 27001:2022 controls covered, and 490 ready-to-use audit templates. For AML officer services in Germany the practical entry points are two: license the Compliance Workspace for your internal Geldwaeschebeauftragter and use the templates, SAR routing, sanctions logs, and model-validation tracking; or appoint a CIVAC officer who carries the § 7 GwG mandate, signs the Bestellurkunde, and reports monthly to the executive board. Both options support BaFin Sonderpruefungen and AMLA readiness.

The dual model is the point: lizenzieren Sie den Workspace für Ihre internen Beauftragten, oder lassen Sie unsere Beauftragten bestellen. Smaller payment institutions and CASPs tend to take the full external model, including the deputy. Mid-sized credit institutions usually run a hybrid with an internal head of AML and an external deputy. Larger groups license the workspace and operate it as the system of record. The switching cost between the models is low because the evidence base remains stable.

To start, send a short note to info@civac.de or use the contact form on civac.de with the entity type (CRR institution, payment institution, EMI, CASP, investment firm, insurer with life business), the headcount, and the supervisory perimeter (BaFin only or with EU passports). CIVAC replies within two working days with a draft engagement letter, an indicative pricing range, and a Bestellurkunde for review. The first monthly officer report follows within thirty days of kickoff. Aus dem Lesen einen Auftrag machen.