External Money Laundering Compliance Officer: Appointment Obligation, Duties, and Legally Sound Engagement
Anti-money laundering legislation requires numerous companies to appoint a money laundering compliance officer. Those who ignore the obligation risk fines under § 56 GwG. This article explains the appointment obligation, duties, qualification requirements, and the option of external appointment.
§ 7 para. 1 GwG requires all obligated parties listed in § 2 GwG to appoint a money laundering compliance officer at management level. This group includes credit institutions, payment service providers, life insurers, estate agents, notaries, auditors, tax advisers, and other professional categories. For failure to comply with the appointment obligation, § 56 GwG provides for fines of up to one million euros; in particularly serious cases, supervisory authorities may take further action.
§ 7 para. 2 GwG permits the appointment of an external money laundering compliance officer, provided they meet the same qualification and availability requirements as an internal officer. This article explains which companies are affected, what duties the officer performs, what qualifications are required, and how an external appointment is implemented in a legally sound and audit-proof manner.
Key Takeaways
- § 7 para. 1 GwG requires all companies under § 2 GwG to appoint a money laundering compliance officer; failure to do so may result in fines of up to one million euros under § 56 GwG.
- An external money laundering compliance officer under § 7 para. 2 GwG must meet the same qualification and availability requirements as an internal officer — ultimate responsibility remains with the obligated party.
- Via CIVAC, the external money laundering compliance officer — including appointment deed and reporting line documentation — is in place within two working days, rather than the typical two to six weeks.
Appointment Obligation under § 7 GwG: Who Is Affected?
§ 7 para. 1 GwG requires all obligated parties within the meaning of § 2 GwG to appoint a money laundering compliance officer at management level. The circle of affected companies is broad: it includes credit institutions, financial services institutions, payment service providers, e-money institutions, life insurance undertakings, capital management companies, and estate agents. The obligation also applies to auditors, chartered accountants, tax advisers, and lawyers, to the extent they accompany fiduciary activities or certain transactions.
The competent supervisory authority varies by sector: BaFin is responsible for credit institutions and financial service providers, the IHK generally for estate agents, the Chamber of Notaries for notaries, and the Tax Adviser Chamber for tax advisers. Each of these authorities examines in the course of regular audits whether a money laundering compliance officer has been appointed and whether the appointment documentation is complete.
Companies with multiple branches must ensure that the money laundering compliance officer is responsible for all establishments, or that group structures are covered under § 9 GwG. Subsidiaries with their own operational business generally require a separate appointment. The appointment deed must name the specific company and the named officer. Appointment deed, signed, filed, verifiable — that is the audit standard.
A practical note: even where a parent company already has a money laundering compliance officer, the liability of the management of a subsidiary is not automatically covered. A formal individual appointment for each obligated party is required. Further guidance on the appointment obligation is available on the money laundering compliance officer page at CIVAC.
Permissibility and Requirements: § 7 para. 2 GwG in Detail
§ 7 para. 2 GwG expressly permits the appointment of an external money laundering compliance officer. The appointed person or organisation must meet the same substantive and formal requirements as an internal officer: adequate GwG knowledge, direct access to the senior management of the appointing company, the ability to submit FIU reports via goAML independently, and authority to issue instructions to employees in suspicious cases.
It is important to distinguish this from a pure advisory role: a lawyer or consultant who advises the company on GwG matters without having been formally appointed as GwB does not satisfy the appointment obligation under § 7 GwG. Supervisory authorities draw a clear distinction between advisory services and formal appointment. Only the written appointment deed serves as evidence vis-à-vis the authority.
Ultimate responsibility for compliance with the GwG remains with the obligated party, not the external service provider. External appointment reduces the operational burden, not the liability. Senior management must ensure that the external GwB is reachable, familiar with the company's operational processes, and has access to all relevant information.
§ 7 para. 6 GwG requires that the officer be given access to all necessary information. The external GwB requires access to relevant IT systems, transaction data, and employees. This must be contractually established and practically ensured before the supervisory authority audits.
Supervisory authorities increasingly expect the availability of the external GwB to be documented in writing. Response times for suspicious activity reports, emergency contact arrangements, and provisions for the officer's absence due to holiday or illness should be explicitly set out in the engagement contract. A provider that does not address these points in the contract is not a suitable partner for a regulated company.
Core Duties of the Money Laundering Compliance Officer
The money laundering compliance officer oversees the company's entire anti-money laundering compliance. Their core duties arise from § 6 GwG: developing and continuously updating the internal safeguarding concept, carrying out and documenting the risk analysis, training employees, and processing and forwarding suspicious activity reports to the Central Office for Financial Transaction Investigations (FIU) under § 43 GwG.
The officer monitors the entire Know-Your-Customer process. They verify whether the general customer due diligence obligation under § 10 GwG is correctly applied and whether enhanced due diligence under § 15 GwG is triggered in risk cases. This includes the correct identification of beneficial owners under § 11 GwG, including queries in the Transparency Register.
§ 7 para. 5 GwG protects the independent reporting line: the officer reports directly to senior management, and no operational line managers may filter or delay that reporting. This structural independence is easier to establish for external officers than for internal employees who simultaneously hold line management responsibilities.
All activities of the officer must be documented in an audit-proof manner: suspicious activity reports, risk analyses, training records, and communication with the supervisory authority. The auditor calls, the evidence is ready. That is the standard the documentation must meet.
Regular duties also include communication with the competent supervisory authority. In the event of special audits, information requests, or regulatory enquiries, the money laundering compliance officer is the first point of contact. They coordinate the company's response and ensure that the documents provided are complete and consistent. An experienced external officer is familiar with regulatory procedures from their own audit experience.
Risk Analysis and Safeguarding Concept under §§ 5 and 6 GwG
§ 5 GwG requires companies to prepare and regularly update a risk analysis assessing the threat environment with respect to money laundering and terrorist financing. The risk analysis is the foundation of the safeguarding concept under § 6 GwG. It must reflect the company's specific risks: customer profiles, transaction volumes, geographic exposures, and product structures.
The safeguarding concept establishes, on the basis of the risk analysis, which internal safeguarding measures the company employs. It must be set out in writing, approved by senior management, and updated whenever there are material changes to the business or the threat environment. The supervisory authority examines both its existence and its substantive adequacy.
An external money laundering compliance officer typically begins the mandate with a baseline assessment: they analyse existing KYC processes, evaluate the completeness of documentation, and review whether the safeguarding concept meets FATF recommendations and national implementation requirements. This frequently reveals structural gaps that have developed during day-to-day operations.
For documentation, a well-organised filing system with direct access for auditors is recommended. Audit-ready, documented, and compliant with § 6 GwG is the standard. The CIVAC Workspace provides risk analysis templates and safeguarding concept structures natively, so the officer does not need to start from scratch.
The risk analysis must be reviewed and updated at least annually, as well as on an ad hoc basis whenever there are material changes to the business. New product lines, geographic expansions, or changes in the customer portfolio trigger an obligation to update. BaFin explicitly assesses in audits whether the risk analysis reflects the current state of the business or whether it is out of date.
Suspicious Activity Reports and FIU Reporting Obligation under § 43 GwG
§ 43 GwG requires all obligated parties to submit suspicious activity reports to the FIU where facts exist suggesting that a transaction may be connected with money laundering or terrorist financing. Reports are submitted electronically via the FIU's goAML portal. The money laundering compliance officer is responsible for reviewing, deciding on, and submitting the report.
The deadline runs from point of knowledge. Under § 46 GwG, a reported matter generally may not be carried out before three working days have elapsed from the FIU's receipt of the report. At the same time, the confidentiality obligation under § 47 GwG applies: the reporting process must not be disclosed to the person concerned.
In practice, the decision on whether a reporting obligation exists is one of the officer's most demanding responsibilities. BaFin publishes typology papers and Interpretative and Application Guidelines that serve as guidance in borderline cases. An experienced external officer is familiar with these materials and can reliably categorise factual situations.
The number of FIU reports is an indicator that supervisory authorities use in evaluating the anti-money laundering prevention system. Companies that submit no reports despite demonstrable risk indicators come under scrutiny. An active reporting practice by the officer significantly reduces this risk.
The internal reporting process must be clearly structured: employees must know to whom they report suspicious indicators internally. The money laundering compliance officer defines this internal reporting pathway, documents all notifications received, and decides on the basis of the facts whether a referral to the FIU is required. An internal reporting register with evidence of all decisions is a prerequisite for robust audit documentation.
Qualification Requirements and Evidence of Expertise
§ 7 para. 1 sentence 3 GwG requires the money laundering compliance officer to be reliable and to possess the expertise necessary to fulfil their duties. BaFin elaborates on this requirement in its Interpretative and Application Guidelines: the officer must have knowledge of the key anti-money laundering provisions and be able to apply them in practice.
For regulated companies under BaFin supervision, the authority examines the officer's qualifications in depth. A background in finance or law, supplemented by specific continuing education in anti-money laundering, is generally considered sufficient. Certifications from ACAMS or IHK institutions are in practice accepted, but are not legally prescribed. What is decisive is evidence of regular continuing education; an officer without current evidence of continuing professional development will be assessed by BaFin as insufficiently qualified.
The same requirements apply to the deputy of the money laundering compliance officer, as required by § 7 para. 4 GwG. The deputy must also be formally appointed in writing and demonstrate the necessary expertise. The deputy arrangement must be documented and retrievable for the supervisory authority at all times.
External service providers typically bring cross-sector experience. They are familiar with current supervisory priorities and have established templates for risk analyses and training materials. This significantly reduces the onboarding effort for the company. More on officer requirements can be found at Compliance Officer.
Reliability within the meaning of § 7 para. 1 GwG also means that no relevant criminal convictions exist and that no conflicts of interest are apparent that could impair the performance of the role. Supervisory authorities may review the reliability of an appointed GwB in the course of audits and, if there is justified doubt, initiate appropriate measures.
Training Obligations under § 6 para. 2 no. 6 GwG
§ 6 para. 2 no. 6 GwG requires obligated parties to train employees regularly who are relevant to anti-money laundering prevention. Training must be risk-oriented — i.e. it must reflect the company's specific risk profile. Content, participants, date, and test results must be documented in an audit-proof manner.
The money laundering compliance officer is responsible for designing, delivering, and documenting the training. They must be able to demonstrate which employees were trained, when, and what content was covered. A training programme that is three years out of date is regarded as inadequate in regulatory audits.
External money laundering compliance officers use structured training modules that are adapted to the company's sector. Credit institutions have different priorities from estate agents or tax advisers. Through cross-sector deployment, external officers can draw on established materials and supplement them with company-specific content.
BaFin assesses in audits whether training is substantively up to date and whether guidance from recent FATF reports or national typology papers has been incorporated. The CIVAC Workspace provides the officer with current training modules with test certificates and completion records, so that the documentation obligation can be met without in-house development.
The training obligation applies not only to existing staff. Newly hired employees working in money-laundering-relevant roles must also be trained before or shortly after commencing their duties. The money laundering compliance officer determines which positions are to be classified as relevant, and ensures that the training history for each employee is comprehensively traceable.
Internal versus External Money Laundering Compliance Officer: Structural Comparison
Mid-sized companies face the question of whether an internal employee should take on the role or whether an external service provider makes more sense. Both approaches have structural differences that depend on company size, the supervisory risk classification, and the available internal resources.
An internal officer has detailed knowledge of company processes and is permanently on site. The risks lie in potential conflicts of interest where the officer simultaneously holds line responsibilities, as well as in continuing education requirements and the dependence on a single individual. If that person is unavailable, immediate action is required.
An external money laundering compliance officer brings institutional independence. They are not embedded in internal hierarchies, which structurally secures the freedom from instructions under § 7 para. 5 GwG. For companies that cannot justify a full-time position, the external model is economically advantageous: costs are predictable, qualifications are established, and deputy arrangements are included.
When making the decision, compare not only ongoing costs but also the effort involved in training, continuing education, system access, and deputy arrangements. An external provider bundles these services; an internal officer requires continuous investment in qualifications and infrastructure. An overview of all officer roles can be found on the CIVAC roles overview page.
A further point of comparison is continuity: when an internal officer leaves the company, a gap frequently arises in the formal appointment documentation until a successor is found and appointed. An external provider guarantees continuity regardless of personnel changes and ensures uninterrupted performance of the mandate.
Appointing an External Money Laundering Compliance Officer via CIVAC
CIVAC is a compliance platform and Officer-as-a-Service for German companies. In the field of anti-money laundering, CIVAC provides qualified external money laundering compliance officers who can be formally appointed within two working days. The process encompasses a written engagement contract, appointment deed, handover of the reporting line, and initial briefing of senior management.
The CIVAC Workspace reflects the officer's operational work: risk analyses, training modules with certificates, suspicious activity report workflows for goAML, and audit-proof documentation of all activities. All data is stored on EU servers and processed in accordance with ISO/IEC 27001:2022. The platform covers all 25 officer roles that a German company may require. Licence the workspace for your internal officers or appoint our officers directly via the Officer-as-a-Service model.
Others run compliance like a filing cabinet. We run it like software. This means: when BaFin or the relevant state authority audits, the appointment deed, risk analysis, training records, and suspicious activity report history are retrievable in a structured audit log. No searching through email folders, no manually updated spreadsheets.
The CIVAC model scales flexibly: for company groups with multiple obligated parties under § 2 GwG, CIVAC can coordinate appointments for multiple subsidiaries without bypassing the formally required individual appointments per company. Each entity receives its own appointment deed; coordination is handled centrally via the CIVAC Workspace.
Turn reading into a mandate. Write to info@civac.de or use the contact form on civac.de. The team will respond within one working day.
FAQ
Which companies must appoint a money laundering compliance officer under § 7 GwG?
All obligated parties listed in § 2 GwG are required to make an appointment. These include credit institutions, payment service providers, life insurers, estate agents, notaries, tax advisers, and auditors. The specific obligation and the competent supervisory authority depend on the respective field of activity.
Is external appointment of the money laundering compliance officer legally permissible?
Yes. § 7 para. 2 GwG expressly permits the appointment of an external money laundering compliance officer, provided they meet the same qualification and availability requirements as an internal officer. The obligated party's ultimate responsibility for GwG compliance remains.
May the money laundering compliance officer hold other roles within the company?
§ 7 para. 5 GwG protects the officer's freedom from instructions. A dual role alongside operational line functions is not legally precluded, but is viewed critically by BaFin where conflicts of interest become apparent. External appointment avoids this risk by design.
What sanctions apply for failure to make an appointment?
§ 56 GwG provides for fines of up to one million euros for breaches of the appointment obligation. In serious or repeated cases, supervisory authorities may take further action. In addition, personal liability of senior management may arise.
What must the appointment deed for the money laundering compliance officer contain?
The appointment deed must document the name of the officer, the appointing company, the scope of the mandate, the reporting line to senior management, and the date of appointment. It is the central evidential document vis-à-vis the supervisory authority and must be producible at any time.
Must a deputy for the money laundering compliance officer be appointed?
Yes. § 7 para. 4 GwG requires the appointment of a deputy. The deputy must meet the same qualification requirements as the principal officer and must also be formally appointed in writing. The deputy arrangement must be documented and retrievable for the supervisory authority at all times.
Sounds like a lot of work?
Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.