77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
Internal security measures according to Section 6 GwG: Implement obligations operationally
Anti-Money Laundering

Internal security measures according to Section 6 GwG: Implement obligations operationally

15 June 202613 min readBy Dr. Henrik Bauer
CIVAC

Section 6 of the GwG obliges banks, insurers, goods traders and many service providers to introduce internal security measures. This article explains what the standard specifically requires, which structures are typically missing, how risk management, employee screening and suspicious activity reports are properly documented and when an external money laundering officer makes sense.

Since the amendment to the AMLA in 2017 and the subsequent adjustments in 2020 and 2024, Section 6 AMLA has been one of the most frequently examined paragraphs in German money laundering law. It obliges all obliged entities within the meaning of Section 2 GwG to create appropriate business and customer-related internal security measures that prevent money laundering and terrorist financing. BaFin and the state supervisory authorities regularly check the implementation and punish violations with fines of up to 150,000 euros in individual cases, and in the case of serious breaches of duty up to 5 million euros or 10 percent of the annual turnover.

This article explains how Section 6 GwG is implemented in practice: which guidelines, procedures and controls are required, when a money laundering officer is to be appointed, how employee reviews and training are documented, which ones Suspicion reporting obligations apply and how a compliance platform maps the measures in an audit-proof manner. With a concrete implementation plan for the next 90 days.

Key Takeaways

  • Section 6 GwG requires every obliged entity under Section 2 GwG to take appropriate internal security measures; appropriate means proportional to risk and size, not arbitrary.
  • Mandatory components include written guidelines, training, employee reviews, a whistleblower system and, in many cases, an appointed money laundering officer in accordance with Section 7 of the GwG.
  • According to Section 56 GwG, violations are punished as administrative offenses with fines of up to 5 million euros or 10 percent of the annual turnover; personal liability of the management according to Section 130 OWiG is added.

Who is the obligated party within the meaning of Section 2 GwG

§ 2 GwG lists 16 categories of obliged entities. These include credit institutions, financial service providers, insurance companies, insurance intermediaries, capital management companies, lawyers and notaries for certain activities, tax advisors, auditors, real estate agents, organizers of games of chance, trustees, goods dealers for cash payments over 10,000 euros, art dealers and art brokers with a business value of 10,000 euros or more, and rental agents for monthly net rents of 10,000 euros or more.

The obligated status is not depending on the size of the company. A real estate agent with three employees is just as liable as a major bank. However, the requirements according to Section 6 GwG scale via the principle of appropriateness. The risk analysis according to Section 5 GwG is the basis on which the security measures are set up. If you don't know whether you are an obligated person, check the categories first; A misjudgment is considered grossly negligent if the business activity clearly falls under Section 2 GwG. CIVAC supports the classification as part of its compliance platform and Officer-as-a-Service with a structured self-assessment form that is linked to the risk analysis. The appointment certificate, signed, filed, verifiable.

What Section 6 GwG specifically requires

Section 6 Para. 1 GwG requires appropriate business and customer-related internal security measures. Section 6 Para. 2 GwG specifies this obligation in a non-exhaustive list: elaboration of internal principles, procedures and controls for risk management in accordance with Section 4 GwG, appointment of a money laundering officer in accordance with Section 7 GwG, if requested, training of employees in accordance with Section 6 Para. 2 No. 6 GwG, checking of employees for reliability in accordance with Section 6 Para. 2 No. 5 GwG and establishment of a Whistleblower system in accordance with Section 6 Paragraph 5 GwG.

The management must decide on these measures in writing and monitor their effectiveness. What is often overlooked is that the hedging measures need to be reviewed regularly and adapted to changes, such as new business areas, new products or changes in the risk situation. Others run compliance like a filing cabinet. We run it like software. CIVAC reflects Section 6 GwG with eleven mandatory fields in the workspace, each with the person responsible, deadline and status display. This makes it clear where the next adjustment is due instead of only discovering it after the BaFin audit.

Risk analysis according to Section 5 GwG as a foundation

Without risk analysis, there are no meaningful security measures. Section 5 GwG requires a written analysis of the risks from business activities, broken down by customers, products, sales channels and geographical factors. The analysis must be updated regularly, at least annually and when there are significant changes. It is the basis for determining the specific security measures and the general, simplified or enhanced due diligence obligations in accordance with Sections 10 to 17 of the GwG.

The risk analysis must be documented, approved by management and presented to the supervisory authority upon request. A general statement such as low risk because known customers is not enough. What is required are specific categories with specific assessments and specific measures. CIVAC provides a risk analysis template that is linked to the Federal Ministry of Finance's national risk report and the supervisory sector guidelines. Audit-proof, documented, § 5-proof. Versions, releases and connections to security measures are automatically managed in the workspace, so the auditor calls and the proof is ready.

Obligation to appoint a money laundering officer in accordance with Section 7 of the GwG

§ 7 Para. 1 GwG prescribes the appointment of a money laundering officer for certain obligated parties: credit and financial services institutions, capital management companies, insurance companies with certain products, gambling operators and others. The supervisory authority can order the appointment of other obligated parties if this appears necessary to prevent money laundering. Section 7 Para. 3 GwG expressly allows the appointment of an external representative.

The money laundering officer reports directly to the management, is not subject to instructions on technical issues and enjoys special protection against dismissal in accordance with Section 7 Para. 7 GwG. His tasks are regulated in Section 7 Para. 5 GwG: ensuring compliance with the GwG, processing suspicious transaction reports, contact person for the supervisory authority and the FIU. Licence the workspace for your internal representatives or have our representatives order it. CIVAC offers the external money laundering officer with an appointment certificate, a fixed SLA of two working days and connection to the workspace in which suspected cases, training and reports are managed centrally.

Employee screening and training

§ 6 Para. 2 No. 5 GwG requires the reliability of the employees who are entrusted with fulfilling the GwG obligations to be checked. In practice this means: Obtaining a certificate of good conduct in accordance with Section 30 BZRG, self-disclosure, if necessary SCHUFA information, documented assessment. The test must be repeated regularly, usually every 24 or 36 months. If there are indications of unreliability, management must act, possibly with personnel consequences.

The training obligation according to Section 6 Para. 2 No. 6 GwG includes content on methods of money laundering and terrorist financing, applicable obligations, internal procedures and suspicious signs. Initial training before starting work, annual refresher, documented with participants, date, content and monitoring of learning success. BaFin and the state authorities often require the complete training history of the last three years to be presented in audits. CIVAC documents training with mandatory fields and an automatic reminder function and records the training status of each employee in an audit-proof manner. Deadline expires as soon as we become aware of it.

Suspicion report and whistleblower system

§ 43 GwG obliges every obligated party to immediately report suspected cases to the Financial Intelligence Unit (FIU) at the Customs Criminal Investigation Office. The report is made electronically via the goAML portal. The definition of suspected case is broad: facts are sufficient that indicate that an asset comes from a crime or is related to terrorist financing. A certain knowledge is not required. A report may only be carried out after receipt of a release from the FIU or after three working days, as far as the reporting transaction is concerned.

Section 6 Para. 5 GwG also requires an internal whistleblower system that allows employees to confidentially report AMLA violations. The HinSchG, which has been in force since July 2023, supplements this obligation and sets strict requirements for confidentiality, confirmation and processing deadlines. CIVAC maps both paths: the internal reporting system according to HinSchG with the Whistleblower Protection Reporting Office and the FIU reporting path for suspected AMLA cases, with templates, escalation levels and audit-proof documentation.

Documentation and retention requirements

§ 8 GwG prescribes a comprehensive recording and retention obligation. Identification data of the contractual partners and beneficial owners, information on the business relationship, results of due diligence checks, suspicious activity reports and risk assessment measures must be retained for five years, and longer in certain cases. The retention period begins at the end of the calendar year in which the business relationship ends or the transaction is completed.

The documentation must be accessible electronically or physically at any time and can be presented to the supervisory authority upon request. The most common findings in BaFin audits relate to incomplete identification documents, missing updates for beneficial owners, missing documentation of the risk assessment per contractual partner and incomprehensible suspicious transaction reporting decisions. CIVAC integrates the documentation requirements into the workspace, with encrypted EU data residency, ISO/IEC 27001:2022 certified ISMS and 93 documented controls. Audit-proof, documented, § 8-proof.

90-day plan for the implementation of Section 6 GwG

A realistic implementation plan for a medium-sized obliged entity without an existing structure looks like this. Weeks one and two: status assessment of business activities, customers, products and sales channels; Classification according to Section 2 GwG; Clarification of the obligation to order according to Section 7 GwG. Weeks three to six: Preparation of the risk analysis in accordance with Section 5 GwG, approval by management, appointment of the money laundering officer, written appointment document with reporting line.

Weeks seven to ten: Development of internal principles, procedures and controls in accordance with Section 6 Paragraph 2 No. 1 GwG; Setting up employee review and training planning; Establishment of the whistleblower system in accordance with Section 6 Paragraph 5 GwG and HinSchG. Weeks eleven to thirteen: initial training of employees, test of the FIU reporting paths, test run of a supervisory request, connection to the CIVAC workspace. After 90 days, there is a verifiable structure that can withstand a BaFin or state supervisory audit. Licence the workspace for your internal representatives or have our representatives order it.

From reading to ordering

Internal security measures according to Section 6 GwG are not a one-off project, but an ongoing process with clear deadlines, responsible parties and documentation obligations. Anyone who organises the process without a platform will spend more time managing documents than actually preventing money laundering. The result is often a BaFin decision with findings of deficiencies and a fine.

CIVAC is a compliance platform and officer-as-a-service for 25 officer roles, including the money laundering officer appointed in accordance with Section 7 of the GwG. With workspace, audit templates, appointment certificates, reporting line, ISO/IEC 27001:2022 certified ISMS, EU data residency and an SLA of two working days instead of the usual two to six weeks of classic consulting. Turn reading into an assignment. Write to info@civac.de or use the contact form. In the 30-minute initial consultation, we clarify the obligated status, the obligation to order and the optimal mix of internal staff and external GwB for your size, industry and risk situation.

FAQ

Who decides whether our company is an obligated party according to Section 2 GwG

Obligated status arises directly from the law, without an authority having to confirm this. The classification is carried out by the company itself, documented with reasons. If in doubt, a written statement from the responsible supervisory authority, such as BaFin or the state supervisory authority, will help.

Do we have to appoint a money laundering officer even without an obligation to appoint one?

Not mandatory, but recommended if the risk situation is increased or the supervisory authority suggests this due to size and business area. Section 7 (2) of the GwG allows the supervisory authority to issue an order. A voluntarily appointed GwB strengthens the internal control structure and signals diligence in an audit.

How high are the fines for violations of Section 6 GwG?

According to Section 56 GwG, up to 150,000 euros in individual cases, in the case of serious, repeated or systematic violations up to 5 million euros or 10 percent of the annual turnover of the previous year, whichever is higher. Personal liability of the management according to Section 130 OWiG is added.

How often do we need to update the risk analysis

At least annually and always in the event of significant changes, such as new business areas, new products, new sales channels or significant external risk events. The update is documented and approved by management.

Is external advice enough or do we have to order an GwB?

If Section 7 GwG prescribes the appointment, pure advice is not enough. There must be a specifically appointed person with an appointment certificate. In the CIVAC model, the external GwB is managed as a person appointed in accordance with Section 7 Paragraph 3 GwG, with a reporting line and SLA. Advice is included, but not the main subject.

What happens during a BaFin audit if documents are missing?

BaFin formulates findings, sets deadlines for improvements and can impose fines. Serious or repeated deficiencies can lead to extended inspections, special representatives or, in the case of activities relevant to supervisory law, the withdrawal of licences. Complete documentation in the workspace significantly reduces this risk.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles