Shufti-Sphere-Website-Banner
burger-menu cross-icon-2

Resources

us

216.73.216.200

EU AML Regulation 2027 Germany: What Happens to VideoIdent When BaFin Rules Are Replaced?

TL;DR (Key Takeaways)

  • EU AMLR became directly applicable on 10 July 2027, replacing BaFin Circular 3/2017 as the primary framework for remote identity verification.
  • eIDAS-compliant electronic identification becomes the preferred onboarding method, while VideoIdent is reserved for justified fallback scenarios.
  • German firms should review existing VideoIdent workflows, implement an eIDAS-first onboarding strategy, and update evidence packs to meet EBA RTS requirements.
  • AMLA introduces stronger EU-wide supervision, making consistent compliance across Member States increasingly important.
  • Shufti supports the transition with an AMLR-ready identity verification platform combining eIDAS, VideoIdent, and audit-ready evidence under one solution.

German compliance teams have spent years building VideoIdent processes around BaFin Circular 3/2017 (trained agents, security feature checks, TAN binding, full session recording). From 10 July 2027, that rulebook stopped being the primary reference. 

The EU’s Anti-Money Laundering Regulation (AMLR) becomes directly applicable across all 27 Member States, and the European Banking Authority’s new Regulatory Technical Standards on customer due diligence push remote onboarding toward eIDAS-compliant electronic identification, with attended video surviving only as a fallback.

This article walks through what changes, what stays, and what German banks, fintechs, and other regulated firms should do in the months before AMLR takes effect.

What the EU AML Regulation 2027 changes for Germany

The AMLR (Regulation (EU) 2024/1624) is the first directly applicable EU AML rulebook. National transposition is no longer the mechanism. The regulation sits on top of every Member State’s domestic law from 10 July 2027. Alongside it, AMLD6 reshapes supervisory architecture, and the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA), headquartered in Frankfurt and operational since summer 2025, takes on EU-level coordination and direct-supervision duties.

For Germany, that has three concrete effects. The Geldwäschegesetz (GwG) keeps existing for areas the regulation does not cover, but it loses its status as the primary identity-verification rulebook for credit institutions. BaFin’s role shifts from rule-setter to enforcer of EU requirements. And the customer due diligence rules, including how a remote ID check must be performed, now sit in Article 22 of the AMLR plus the EBA’s RTS, not in BaFin Circular 3/2017.

The AMLR also moves more than identification. Beneficial-ownership thresholds, enhanced due diligence triggers, the EU-wide €10,000 cash-payment limit, and the obliged-entity perimeter (now expanded to include parts of crypto, professional football, and luxury goods) are written into the regulation rather than left to national interpretation. That breadth matters in practice, not just on paper, for any German institution touched by the regulation, not only firms running VideoIdent. AMLD6 sits alongside the regulation and governs supervisory cooperation, FIU coordination, and beneficial-ownership register interconnection across Member States.

Will the EU AML Regulation 2027 replace BaFin’s VideoIdent rules in Germany?

In practical terms, yes. Article 22(6) of the AMLR establishes electronic identification under the eIDAS Regulation at substantial or high assurance level as the default route for remote, non-face-to-face onboarding. The EBA’s draft RTS on customer due diligence (Article 7 in particular) only allows other remote identification methods, including video identification, where an eIDAS-compliant tool is “not available, is unreasonable, or would be disproportionate” (EBA Final Draft RTS, October 2025).

The result for German firms: the prescriptive choreography of BaFin Circular 3/2017 (three random security features, MRZ validation, spoken character sequences, TAN session binding, five-year retention) is no longer the reference standard. The regulation does not formally ban video identification. It downgrades it from “permitted equivalent of face-to-face” to “narrowly justified fallback,” which is a different operational position.

Two consequences follow. First, an institution defaulting users to attend video without first checking eIDAS coverage is exposed to a finding that it failed to apply the proportionate verification method. Second, BaFin’s existing approvals tied to Circular 3/2017 do not carry forward as standalone authorisations under EU law. Existing implementations are not grandfathered. They are reviewed against AMLR Article 22(6) and the EBA RTS in their current form on the application date.

How AMLA’s supervisory powers change German VideoIdent compliance

EU AMLA’s direct-supervision regime starts in 2028, but the selection process for the first 40 directly supervised obliged entities runs through 2027. Financial-sector firms active in at least six Member States with a high residual risk profile sit in scope. Even firms outside that 40 feel the AMLA Germany KYC impact through indirect supervision. The Frankfurt authority sets the standards, conducts peer reviews of national supervisors, and can take over supervision of any obliged entity when systemic AML failures emerge.

For a German bank or fintech, that means the BaFin VideoIdent transition AMLA brings is not just a rule change. It is a supervisory change. BaFin remains the day-to-day supervisor for most German entities, but it now applies AMLA-coordinated standards and is benchmarked against peers across the Union. Drift between BaFin’s historical interpretation and the new RTS will be visible, and correctable from Frankfurt.

AMLA’s intervention powers go beyond standard-setting. The authority can request information directly from any obliged entity, conduct on-site inspections, and, under specific conditions, take over supervision from a national regulator when systemic AML failures persist. For German institutions, the practical signal is that local-only interpretations of identity verification rules carry less weight than they did under a directive-plus-circular regime.

Can German businesses still use VideoIdent after EU AMLR takes effect?

Yes, but only when an eIDAS solution is genuinely not viable for the user. The EBA’s RTS framing is restrictive on purpose. The Article 7(3-5) safeguards for any non-eIDAS remote method include encrypted video communication, integrity checks, timestamped recordings, secure retention, technical anti-spoofing measures, and detailed document verification of why eIDAS could not be used in that case.

In practice, the EU AMLR VideoIdent replacement scenarios where attended video survives include customers from third countries whose national IDs are not yet NFC- or eID-readable, users without an active eIDAS-notified scheme, high-risk step-up triggers (unusual transaction patterns, PEP hits, account recovery) where a richer evidence pack is justified, and verticals like crypto, gaming, and forex where regulators expect supervisor-grade documentation regardless of channel.

What changes is the burden. Previously, video identification was a primary route under a national circular. From 10 July 2027, it is a justified exception under EU law, and every session needs evidence why eIDAS was inappropriate, not just that the verification was performed. The “unreasonable or disproportionate” language in the RTS gives obligated entities room to operate, but the burden of proof sits with the institution that chose video over electronic identification.

What German compliance teams should do before 10 July 2027

The window between now and the AMLR application date is short for institutional change. Three workstreams matter most.

Inventory and mapping is the first. List every customer journey that currently uses VideoIdent. For each, identify whether eIDAS-notified electronic identification covers the user population, partially covers it, or does not cover it. The eIDAS 2.0 European Digital Identity Wallet rollout is mid-deployment across Member States, so coverage will move during 2026 and 2027.

Architecture for fallback is the second. The AMLR-compliant onboarding pattern is eIDAS-first, with documented fallback to other remote methods. Compliance, fraud, and product teams need a single orchestrator that can route a user to eIDAS where supported and to attend video where not, without duplicating audit trails.

Evidence pack alignment is the third. RTS Article 7 raises the bar on documentation for non-eIDAS methods. Encryption standards, integrity hashes, timestamped recordings, retention schedules, and the rationale for skipping eIDAS all need to live in a single, retrievable evidence pack for each verification session. BaFin’s existing retention period of five years is a floor, not a ceiling. AMLA-coordinated supervision will look at completeness and retrievability across cross-border records.

How Shufti helps German firms manage the BaFin-to-AMLR VideoIdent transition

Shufti’s identity verification platform was built around the BaFin Circular 3/2017 evidence model and now extends to the AMLR’s eIDAS-first architecture. The same platform handles eIDAS-notified electronic identification for jurisdictions where schemes are live, attended VideoIdent for users and step-up scenarios where eIDAS is not viable, and a unified evidence pack that satisfies both BaFin’s documentation expectations and the EBA RTS Article 7 safeguards.

Three things matter for German firms specifically.

  • The eIDV layer covers EU-notified schemes and database-backed verification for third-country users where eIDAS is unavailable.
  • The attended video flow continues to support BaFin’s prescribed steps (security feature inspection, MRZ validation, TAN binding, on-record consent), so existing operational processes do not need a ground-up rebuild.
  • And the orchestration layer routes users between paths based on configurable rules, so compliance teams can encode the “eIDAS unavailable, unreasonable, or disproportionate” logic from RTS Article 7 directly into the verification journey rather than relying on agent judgement at session time.

EU data residency, SOC 2 Type II and ISO 27001 controls, and audit-ready evidence packs ship by default. For institutions that already use BaFin-aligned attended video, the migration path is configuration rather than reintegration: the eIDAS path is added in front of the existing flow, and the existing flow becomes the documented fallback.

Move from BaFin compliance to AMLR readiness

The shift to a single EU rulebook is operational, not just legal. German compliance teams have roughly fourteen months to inventory VideoIdent journeys, route new onboarding through eIDAS-notified paths, and rebuild evidence packs around the EBA RTS. Talk to Shufti about an AMLR-ready identity verification stack for the German market.

Frequently Asked Questions

Will GwG VideoIdent rules be replaced when EU AMLR takes effect in 2027?

The GwG continues to exist, but the parts governing remote identity verification for credit institutions are superseded by AMLR Article 22 and the EBA RTS on customer due diligence from 10 July 2027. BaFin Circular 3/2017 stops being the primary reference for those journeys.

How will AMLA's supervisory powers change German VideoIdent compliance?

AMLA sets the EU-wide standard and directly supervises 40 selected obligated entities from 2028. BaFin remains the day-to-day German supervisor for most firms but applies AMLA-coordinated rules. Drift between national interpretation and EU standards becomes visible and correctable from Frankfurt.

What transitional arrangements will apply for existing BaFin-approved VideoIdent solutions?

The AMLR text contains no formal grandfathering for VideoIdent flows. Existing implementations need to be reviewed against AMLR Article 22(6) and EBA RTS Article 7 before 10 July 2027. Continued use after that date depends on satisfying the new fallback conditions.

Could EU AMLR introduce stricter VideoIdent standards than current BaFin rules?

In some areas, yes. RTS Article 7(3-5) raises the technical bar for non-eIDAS remote methods, with encryption, integrity checks, timestamping, anti-spoofing, and per-session documentation of why eIDAS was unavailable. BaFin's choreography becomes a baseline rather than a ceiling.

Related Posts

Shufti Blog

What Is Transaction Screening? Definition, Process, and How It Works

What Is Transaction Screening? Definition, Process, and How It Works

Explore More

Shufti Blog

Corporate Transparency Act & FinCEN’s BOI Rule: What AML Compliance Requires in 2026

Corporate Transparency Act & FinCEN’s BOI Rule: What AML Compliance Requires in 2026

Explore More

Shufti Blog

What happens during a Shufti identity check?

What happens during a Shufti identity check?

Explore More

Shufti Blog

EU AML Regulation 2027 Germany: What Happens to VideoIdent When BaFin Rules Are Replaced?

EU AML Regulation 2027 Germany: What Happens to VideoIdent When BaFin Rules Are Replaced?

Explore More

Shufti Blog

VideoIdent for Non-Financial Businesses in Germany: New Rules for Lawyers, Real Estate Agents and Notaries

VideoIdent for Non-Financial Businesses in Germany: New Rules for Lawyers, Real Estate Agents and Notaries

Explore More

Shufti Blog

What was the Embargo Act of 1807, and what it teaches modern compliance teams.

What was the Embargo Act of 1807, and what it teaches modern compliance teams.

Explore More

Shufti Blog

Demand Deposit Account (DDA) Fraud: What It Is, How It Works, and How to Stop It

Demand Deposit Account (DDA) Fraud: What It Is, How It Works, and How to Stop It

Explore More

Shufti Blog

What Is Transaction Screening? Definition, Process, and How It Works

What Is Transaction Screening? Definition, Process, and How It Works

Explore More

Shufti Blog

Corporate Transparency Act & FinCEN’s BOI Rule: What AML Compliance Requires in 2026

Corporate Transparency Act & FinCEN’s BOI Rule: What AML Compliance Requires in 2026

Explore More

Shufti Blog

What happens during a Shufti identity check?

What happens during a Shufti identity check?

Explore More

Shufti Blog

EU AML Regulation 2027 Germany: What Happens to VideoIdent When BaFin Rules Are Replaced?

EU AML Regulation 2027 Germany: What Happens to VideoIdent When BaFin Rules Are Replaced?

Explore More

Shufti Blog

VideoIdent for Non-Financial Businesses in Germany: New Rules for Lawyers, Real Estate Agents and Notaries

VideoIdent for Non-Financial Businesses in Germany: New Rules for Lawyers, Real Estate Agents and Notaries

Explore More

Shufti Blog

What was the Embargo Act of 1807, and what it teaches modern compliance teams.

What was the Embargo Act of 1807, and what it teaches modern compliance teams.

Explore More

Shufti Blog

Demand Deposit Account (DDA) Fraud: What It Is, How It Works, and How to Stop It

Demand Deposit Account (DDA) Fraud: What It Is, How It Works, and How to Stop It

Explore More

Take the next steps to better security.

Contact us

Get in touch with our experts. We'll help you find the perfect solution for your compliance and security needs.

Contact us

Request demo

Get free access to our platform and try our products today.

Get started