Appointing a Money Laundering Compliance Officer (GwB): Obligation, Procedure, and Appointment Deed under § 7 GwG
§ 7 GwG requires a clearly defined group of companies to appoint a money laundering compliance officer. Failure to make the appointment, or a procedurally defective appointment, risks substantial fines. This article explains the procedure step by step.
§ 7 para. 1 GwG requires credit and financial institutions, insurance undertakings, financial service providers, goods traders with cash payment risk, estate agents, lawyers, notaries, tax advisers, and further obligated parties within the meaning of § 2 GwG to designate a money laundering compliance officer (GwB). The authority responsible for auditing in cases of doubt is the Financial Intelligence Unit (FIU) at the Federal Customs Authority, as well as — depending on the sector — BaFin, the DIHK, or the competent state authority. Failure to make the appointment, or a defective appointment, constitutes a regulatory offence under § 56 GwG and may be sanctioned with a fine of up to EUR 150,000.
This article explains which companies are required to make an appointment, what formal requirements the appointment deed must meet, how internal and external appointments differ, and what documentation the supervisory authority expects in an audit. At the end, you will find a structured overview of the CIVAC models that can cover the appointment and ongoing compliance obligations.
Key Takeaways
- § 7 GwG establishes the appointment obligation for all obligated parties under § 2 GwG; failure to make an appointment is subject to a fine under § 56 GwG.
- The appointment deed must contain the name, function, reporting line to senior management, date, and signatures of both parties, and must be filed in an audit-proof manner.
- An external GwB is permissible under § 7 para. 2 GwG but must meet the same qualification requirements and be immediately reachable.
Appointment Obligation under § 7 GwG: Who Is Affected?
§ 2 GwG exhaustively defines the circle of obligated parties. These include, among others: credit institutions and financial services institutions under § 1 KWG, payment service providers, insurance undertakings in the life insurance segment, lawyers and notaries to the extent involved in certain transactions, auditors and tax advisers, estate agents for transactions of EUR 10,000 or more, and goods traders processing cash transactions of at least EUR 10,000.
For goods traders, the obligation to appoint a GwB applies only where a corresponding risk from cash transactions exists; the risk profile must be documented under § 5 GwG. Financial institutions, by contrast, are subject to the obligation regardless of transaction size. The FIU provides no exemption for micro-enterprises; what matters is membership of the obligated group, not the size of the business.
Companies uncertain whether they belong to the circle of obligated parties should seek a formal determination from the competent supervisory authority. A structured review pathway is also provided by the article Reviewing Obligated Companies under § 2 GwG on civac.de. The appointment obligation arises immediately upon commencement of business activities; there is no grace period.
Requirements for the Money Laundering Compliance Officer: Qualifications and Position
§ 7 para. 1 sentence 2 GwG requires the GwB to belong to the management level or, as a senior manager, to have direct access to senior management. This requirement is not merely declaratory but must be understood functionally: the GwB requires authority to issue instructions to employees in matters involving money laundering risks, and must be able to submit reports to the FIU independently, without first consulting senior management.
In terms of qualification, the law requires adequate knowledge of the GwG, the relevant regulations (in particular the GwGMeldV-Immobilien and Hochwertige-Güter-GwG-VO), and internal processes. A formal certification is not prescribed by statute, but is in practice expected by some supervisory authorities. BaFin has clarified in its Interpretative and Application Guidelines (AuA) that the GwB must demonstrate regular continuing professional development.
The deputy must also be formally appointed in writing under § 7 para. 1 sentence 4 GwG. In the absence of the GwB, the deputy assumes all obligations without restriction. Absence of a deputy appointment is treated as an organisational deficiency that will be noted in an audit.
The Appointment Deed: Minimum Content and Formal Requirements
The appointment deed is the central document that the supervisory authority requests first in an audit. It must be in writing (§ 126 German Civil Code (BGB)), meaning signed by both parties in their own hand. A purely electronic signature without a qualified certificate does not in principle meet the written form requirement; a qualified electronic signature under eIDAS may be accepted as written form.
In terms of content, the deed should include the following elements: full name and function of the appointed person, date of appointment, identification of the appointing entity (company, legal form, registered office), description of the scope of duties with reference to §§ 7, 14, 15 GwG, express provision for the reporting line to senior management, and signatures of both senior management and the appointed person.
Appointment deed, signed, filed, verifiable. This principle also applies to the revocation of an appointment: where the GwB departs, the revocation must also be documented in writing, and the effective date recorded. Gaps in the appointment history are identified in regulatory audits as compliance deficiencies.
Internal vs. External GwB: Comparison of Models
§ 7 para. 2 GwG permits the outsourcing of the GwB function to an external service provider, provided the provider meets the same requirements as an internal GwB and the appointing company secures its data protection and supervisory law obligations through a data processing agreement. Ultimate responsibility remains with the obligated party at all times.
The internal GwB offers immediate knowledge of the company structure but is associated with personnel costs, continuing education costs, and the risk of vacancy. The external GwB, by contrast, brings specialised knowledge of regulatory developments, can be deployed more quickly, and reduces internal staffing requirements. For smaller institutions or companies with low transaction volumes, the external model is often more economical.
The key practical distinction: the external GwB must be reachable within a few hours when an FIU report under § 43 GwG is triggered. Response times should be fixed contractually in a Service Level Agreement (SLA). CIVAC offers both routes: appoint a money laundering compliance officer as Officer-as-a-Service or as a workspace licence for the internal function.
Reporting Obligations under §§ 43, 44 GwG: What the GwB Must Do on an Ongoing Basis
The GwB's core responsibility is assessing and reporting suspicious cases to the FIU at the Federal Customs Authority under § 43 GwG. Reports are submitted exclusively via the goAML portal. Deadlines: a report must be submitted without delay once suspicion is established; for transactions not yet executed, a prohibition on execution applies under § 46 GwG until clearance is granted by the FIU or three working days have elapsed following the report.
In addition to the suspicious activity reporting obligation, the GwB has ongoing duties: updating and maintaining the internal risk management system under § 4 GwG, training employees under § 6 para. 2 no. 6 GwG, monitoring business relationships with elevated risk under § 15 GwG, and documenting audit results with retention obligations under § 8 GwG (five to ten years).
The GwB must establish internal reporting channels for employees and ensure their confidentiality. § 47 GwG protects reporting persons from liability provided the report was made in good faith. The deadline runs from point of knowledge: anyone who is internally aware of a suspicion but fails to report it risks personal liability under § 56 para. 1 no. 58 GwG.
Risk Management and Risk Analysis under §§ 4 and 5 GwG
§ 4 GwG requires all obligated parties to take appropriate measures to identify, assess, control, and monitor money laundering and terrorist financing risks. The result must be recorded in writing in a risk analysis (§ 5 GwG). This analysis is not a one-off document; it must be reviewed and updated regularly — at least annually or whenever there are material changes to the business model.
In terms of content, the risk analysis must cover the following dimensions: customer base (origin, PEP status, UBO), products and services (susceptibility to abuse), distribution channels (remote sales, cash, digital channels), and geographic risks based on FATF country classifications. Risk assessments must be graded on a clear scale (low, medium, high, very high) and matched with corresponding measures.
The GwB coordinates the risk analysis but does not bear sole responsibility for assessing operational risks, which must be contributed by specialist departments. A poor or outdated risk analysis is the most common finding in regulatory audits and independently constitutes a fine offence under § 56 para. 1 GwG.
Supervisory Practice: What BaFin, DIHK, and State Authorities Require in Audits
Supervision over compliance with the GwG is divided by sector: BaFin for credit and financial institutions, insurance undertakings, and capital management companies; the Chambers of Commerce and Industry (IHK/DIHK) for goods traders and estate agents; the Tax Adviser Chambers and the Federal Chamber of Notaries for the respective professional groups; and state authorities for gambling providers and other sectors.
Audits regularly cover the following documents: current appointment deed for GwB and deputy, risk analysis with version control and date, evidence of employee training with attendance lists, records of suspicious activity reports (without disclosure to the client), and internal policies and procedural instructions. Auditors have the right to conduct unannounced inspections; preparation for short-notice calls is therefore essential.
The auditor calls, the evidence is ready. This principle presupposes an audit-proof documentation structure. Written evidence on paper that cannot be located is treated as non-existent. Digital compliance platforms such as the CIVAC Workspace secure the evidence chain through automatic timestamps and audit logs.
Appointment Process Step by Step: From Decision to Legally Sound Deed
Step 1: Verify the appointment obligation. Does the company fall under § 2 GwG? If so, which supervisory authority has jurisdiction? Jurisdiction influences audit practice and potentially the data to be notified.
Step 2: Candidate selection. Internal senior employee or external service provider? Qualifications, availability, and capacity for training must be assessed. A conflict of interest (e.g. the GwB simultaneously heading the sales department) must be avoided.
Step 3: Draft the appointment deed. Prepare the full content to the minimum requirements described above, execute with signatures from both parties, and date. Simultaneously appoint a deputy.
Step 4: Notify the supervisory authority. Some supervisory authorities (BaFin, certain IHKs) require notification of the appointment. Deadlines and forms are authority-specific and must be researched in advance.
Step 5: Internal communication. Inform employees of the appointment and communicate the internal reporting channels.
Step 6: Establish documentation structure. Define the storage location for the deed, risk analysis, training records, and FIU reports. Observe retention periods under § 8 GwG (five to ten years depending on document type).
Step 7: Ensure ongoing obligations. Set up an annual schedule for repeat training, risk analysis reviews, and regulatory notifications.
Appointing a GwB via CIVAC: Workspace and Officer-as-a-Service
CIVAC is a compliance platform and Officer-as-a-Service that covers the entire appointment chain for the money laundering compliance officer: from risk analysis under § 5 GwG and FIU reporting under § 43 GwG to audit-proof documentation under § 8 GwG. Licence the workspace for your internal officers or appoint our officers directly.
The CIVAC SLA provides for contract, appointment deed, and initial briefing within two working days — compared to the two-to-six weeks typical in the market. The workspace contains prepared templates for risk analyses, employee training with attendance records, and an integrated audit log that secures every process step with a timestamp.
Others run compliance like a filing cabinet. We run it like software. The difference becomes apparent when the supervisory authority audits without notice: all evidence is immediately retrievable, organised, and filterable. For companies that have until now operated without structured GwB documentation, this is the most direct path to an audit-ready state.
Turn reading into a mandate. Write to info@civac.de or use the contact form on civac.de to arrange the GwB appointment.
FAQ
Who must appoint a money laundering compliance officer under § 7 GwG?
All obligated parties within the meaning of § 2 GwG, including credit institutions, financial service providers, life insurers, estate agents, notaries, lawyers involved in certain transactions, auditors, tax advisers, and goods traders with cash transactions of EUR 10,000 or more. The complete list is exhaustively set out in § 2 GwG.
Is an external money laundering compliance officer permissible under the GwG?
Yes. § 7 para. 2 GwG expressly permits outsourcing to an external service provider, provided the provider meets the same statutory requirements as an internal GwB. The ultimate responsibility of the obligated party remains; response times and reporting obligations should be regulated contractually.
Which documents does the supervisory authority examine first in a GwG audit?
As a rule, the appointment deed for the GwB and the deputy, the current risk analysis under § 5 GwG, and evidence of employee training under § 6 GwG are requested first. All three documents must be immediately producible.
What fines are imposed for failure to appoint a GwB?
§ 56 GwG provides for fines of up to EUR 150,000 for the absence of or defective appointment of the GwB. For repeated infringements or supervised institutions, authorities may additionally initiate measures under § 51 GwG, including public disclosure.
Must the appointment of the GwB be reported to the supervisory authority?
This depends on the sector. BaFin-supervised institutions must report the appointment and any change of GwB in accordance with the requirements of MaRisk and BaFin's Interpretative and Application Guidelines. IHK-supervised companies should enquire with the competent IHK, as practice varies regionally.
For how long must GwB-related documents be retained?
§ 8 GwG stipulates a retention period of at least five years from the end of the business relationship or transaction. Longer periods may apply to certain risk analysis documents. After expiry, data must be deleted unless other legal provisions provide otherwise.
Sounds like a lot of work?
Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.