BaFin VideoIdent Requirements: Complete Compliance Checklist (2026)

Germany generates an estimated EUR 40 to EUR 60 billion in criminal proceeds each year, according to the FATF Mutual Evaluation Report on Germany. As the EU’s largest economy, the country faces AML risks that regulators address with specific, prescriptive obligations. For institutions doing remote customer onboarding, those obligations run through the video identification process.

VideoIdent is a live, attended video call in which a trained agent inspects an official identity document, performs a liveness challenge, and confirms the match between the document photo and the person on screen. Under the German Money Laundering Act (GwG), it counts as equivalent to face-to-face identification when all regulatory conditions are met.

BaFin Circular 3/2017 specifies every step a compliant session must include. All requirements apply cumulatively. Partial compliance does not satisfy the standard, and BaFin examiners review the full procedure, not individual elements in isolation. This guide translates each requirement into a practitioner checklist and covers what the pending GwVideoIdentV draft ordinance signals for businesses looking ahead to 2026.

BaFin VideoIdent requirements under Circular 3/2017

The circular applies to banks, payment institutions, e-money institutions, insurance undertakings, and asset management companies supervised by BaFin. It came into force on 15 June 2017 and replaced earlier 2014 guidance. Every requirement listed below is mandatory.

Personnel and infrastructure

Before any session begins, these conditions must be in place.

• Agents must complete VideoIdent-specific training before taking up identification duties and must retrain at minimum once per year, or whenever regulatory or procedural requirements change.

• Training documentation must cover accepted document types, verifiable security features, common counterfeiting methods, and the relevant AML and data protection rules.

• Video identification must take place in a dedicated room with restricted access, separated from general office areas.

• Case assignment must use randomisation mechanisms that prevent predictable allocation and the manipulation risk associated with it.

• Sessions must run in real time, without interruption, over an end-to-end encrypted video channel meeting BSI Technical Guideline TR-02102.

• Image and audio quality must remain sufficient throughout the session for unambiguous verification of all document security features and facial matching.

Identity document and person verification

During the live session, agents must work through these checks.

• Documents must carry a machine-readable zone and optical security features that are verifiable through video. The agent must confirm at least three features randomly selected from different categories, which can include holograms, kinematic structures, tilted laser images, microlettering, guilloche structures, or security threads.

• The person must tilt the document on camera horizontally and vertically, and the agent must verify that all visible security features are present, undamaged, and free from signs of manipulation or photo substitution.

• MRZ data must undergo automated check-digit calculation, cross-checked against the visible information on the document face. The person must also read out the full document serial number during the call.

• The agent must ask targeted questions about the person’s date of birth, place of birth, reason for identification, and stated intention, including behavioural observation for signs of coercion, social engineering, or pressure from a third party.

• Photos and screenshots must capture the person, the document front, the document back, and the security features examined.

Session binding and evidence retention

These final steps close out the session.

• A centrally generated TAN must be delivered to the person by email or SMS during the live call. The person enters it online and the agent confirms receipt. The identification is complete only after successful TAN confirmation in the system.

• The person must give explicit, logged consent at the start of the session, covering both the identification procedure and the screenshots to be taken.

• A complete audio and video recording of the entire process must be retained for five years under Section 8(3) of the GwG, accessible at any time for internal audit, external audit, and BaFin review.

• The session must be terminated immediately if visual verification fails at any point due to poor lighting, insufficient image quality, or transmission issues. Any discrepancy or uncertainty about the person’s identity also triggers mandatory termination.

What the 2024 GwVideoIdentV draft means for 2026?

The current VideoIdent framework rests on administrative practice, with Circular 3/2017 as the operative document. Germany’s Federal Ministry of Finance published a draft ordinance, the GwVideoIdentV, on 18 April 2024, to put video identification on a statutory footing for the first time.

First, the draft extends the VideoIdent framework to all GwG-obligated entities, not only financial sector firms. Lawyers, notaries, tax advisors, real estate agents, and gambling operators would fall within the scope, making the Circular 3/2017 requirements a practical baseline for a far broader set of businesses.

Second, the draft distinguishes between standard VideoIdent procedures and partially automated procedures where individual steps are handled by IT systems rather than a live agent. Fully automated procedures remain in a restricted pilot phase available only to credit institutions and are prohibited for high-risk customers under Section 15(2) of the GwG. Human agent involvement remains the default for the vast majority of onboarding flows.

The draft also requires that any business using VideoIdent must offer eID card verification as an alternative. This is a new obligation with practical procurement and integration implications for businesses currently running video-only remote identification.

How to assess your current VideoIdent setup?

For organisations evaluating attended video identification providers in the German market, three compliance gaps appear most often when teams run through the checklist above.

Written records of agent training are frequently thin. The circular requires documented training measures tied to specific document types and verifiable features. Verbal briefings or informal onboarding do not satisfy this standard, and the gap shows quickly when examiners request training records.

Session abort thresholds are often left to agent discretion. BaFin expects documented procedures defining exactly when a session must be terminated, covering lighting conditions, transmission quality, and discrepancy scenarios. If agents are making those calls without written guidance, that is a procedural finding waiting to happen.

Evidence retrieval timelines matter in enforcement contexts. A 48-hour window to produce case files is a realistic audit scenario. Manual export processes that take days to pull recordings, document images, and consent logs create risk that structured evidence storage removes.

For context on overlapping obligations in the German banking sector, the video KYC for banks guide covers the broader regulatory environment. Germany’s AML compliance obligations under the GwG are worth reviewing alongside the VideoIdent checklist, as BaFin audits typically examine both in the same cycle.

Secure & Compliant VideoIdent for Regulated Businesses

German regulators do not accept partial VideoIdent compliance, and a failed audit means revisiting your entire remote identification architecture under examination pressure. Shufti’s VideoIdent is built around BaFin Circular 3/2017, with trained agent workflows, real-time encrypted sessions, TAN session binding, and evidence packs with five-year retention accessible via API. Request a demo to see a compliant German VideoIdent session run from initiation through to evidence retrieval.