Shufti-Sphere-Website-Banner
burger-menu cross-icon-2

Resources

us

216.73.217.71

Germany GwG Compliance: AML Obligations for Fintech & Banks Under the Geldwäschegesetz

When the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) handed J.P. Morgan SE a €45 million fine in November 2025 for failing to file suspicious transaction reports without undue delay, the message landed across every Frankfurt boardroom. Germany’s Geldwäschegesetz (GwG, the Money Laundering Act) is no longer a paperwork exercise.

The regulator now treats anti-money-laundering (AML) failures as systemic governance failures, with penalties calculated on annual turnover rather than fixed ceilings. For neobanks, payment institutions, crypto-asset service providers, and traditional banks, Germany’s GWG compliance has become a board-level risk, not a back-office checklist. This guide walks through what the law requires, who falls inside its scope, how BaFin enforces it, and how the rules align with the new EU AML package taking effect in 2027.

What the Geldwäschegesetz Requires and Who It Covers

The Geldwäschegesetz is Germany’s primary AML statute. It transposes the EU AML directives into national law and is enforced principally by BaFin for the financial sector, with state authorities covering non-financial obliged entities. The law applies to a broad list of obliged entities under § 2 GwG. That list includes credit institutions, financial services institutions, payment and e-money institutions, capital management companies, insurance brokers offering life products, and crypto-asset service providers. Fintech companies offering payment accounts, lending, custody of crypto assets, or any regulated financial service fall squarely inside scope. The threshold is regulated activity, not company size. A Series A neobank carries the same statutory obligations as a tier-one bank.

Core AML Obligations Under Germany’s GwG

The GwG sets out five interlocking duties that every obliged entity must operationalise. Each duty connects to a specific BaFin AML obligations Germany framework that examiners test during routine inspections and event-driven reviews. The 2025 BaFin guidance update,effective 1 February 2025, tightened how each duty is documented and reviewed.

Customer Due Diligence and KYC Requirements for Banks

Under § 10 GwG, obligated entities must identify and verify every customer before establishing a business relationship and at defined trigger events thereafter. The GwG KYC requirements banks rely on include collecting full identification data, verifying that data against a reliable independent source, identifying the beneficial owner, and understanding the purpose and nature of the relationship. Documentation must be retained for five years after the relationship ends. BaFin’s 2025 guidance prescribes maximum review intervals for rolling Know Your Customer (KYC) file refreshes, anticipating the AML Regulation update cycles that take effect in 2027. For digital-only onboarding, BaFin Circular 3/2017 prescribes attended video identity proofing as one accepted proofing path.

Beneficial Ownership and the Transparenzregister

Germany operates a central beneficial ownership register, the Transparenzregister, under § 19–24 GwG. Legal entities must report any natural person holding more than 25% of shares or voting rights, or otherwise exercising control. Banks and fintechs must consult the register during onboarding and flag any discrepancy between register data and the customer’s own declaration. Discrepancy reports are mandatory under § 23a GwG. Failure to register, register correctly, or report discrepancies carries fines of up to €5 million per breach under § 56 GwG. The register has tightened repeatedly since the 2021 transparency reform abolished the prior reporting fiction.

Enhanced Due Diligence for PEPs and High-Risk Customers

  • 15 GwG requires enhanced due diligence (EDD) whenever a politically exposed person (PEP), a customer from a high-risk third country, or a transaction with elevated money-laundering risk is involved. EDD measures include senior management approval before onboarding, source-of-funds and source-of-wealth verification, ongoing intensified monitoring, and shorter file refresh cycles. The 2025 BaFin update shortened the post-suspicion intensified monitoring window from three months to 21 calendar days for institutions facing a fresh suspicious activity report. PEP coverage extends to family members and known close associates, which is what trips up most automated screening that only flags the principal.

Suspicious Activity Reporting and Record Retention

  • 43 GwG obliges every employee of an obliged entity to file a suspicious activity report (SAR, in German: Verdachtsmeldung) with the German Financial Intelligence Unit (FIU) without undue delay where there is a fact pattern suggesting money laundering or terrorist financing. Reports are filed through the goAML portal. The threshold is suspicion, not certainty. The €45 million J.P. Morgan SE fine in 2025 was driven by reporting delays between October 2021 and September 2022, not by undetected laundering itself. Records, including the rationale for non-reporting decisions, must be retained for five years.

Internal AML Controls and the AML Officer Mandate

  • 4–9 GwG requires obliged entities to install an AML risk management framework. That framework includes a designated money laundering reporting officer (Geldwäschebeauftragter), a written risk analysis updated annually, internal controls, employee training, and a whistleblower channel. The AML officer reports directly to senior management and bears personal liability for omissions. Outsourcing of AML duties is permitted under § 6 GwG, but the obliged entity retains full accountability for the outsourced workstreams.

How Does GwG Differ from the EU AML Package?

The GwG is the German implementation of successive EU AML directives, most recently 6AMLD via the 2020 amendment. The new EU AML package adopted in May 2024 changes the relationship. Where the directives required transposition into national law (and tolerated divergence between member states), the AML Regulation (AMLR) directly applies in every member state from 10 July 2027.

The new EU Anti-Money Laundering Authority (AMLA) began operations on 1 July 2025 in Frankfurt and will directly supervise around 40 of the highest-risk credit and financial institutions across the bloc. For German firms, this means BaFin remains the day-to-day supervisor, but parts of the rulebook will be set in Brussels rather than Berlin from 2027 onwards. The GwG is being progressively pre-aligned through BaFin guidance updates rather than wholesale repeal.

BaFin’s Enforcement Reality in 2025

BaFin’s 2025 enforcement drive shows what GwG compliance failure costs in practice. J.P. Morgan SE was fined €45 million in November 2025 for failing to file suspicious transaction reports without undue delay between October 2021 and September 2022. Deutsche Bank AG paid €23.05 million in February 2025 across three regulatory offences.

Solaris SE absorbed a €6.5 million fine in 2024 for AML control failures linked to its banking-as-a-service partners. Under § 56 GwG, monetary penalties can reach €5 million per breach or 10% of annual turnover, whichever is higher. That turnover-based calculation is how a single institution can end up with a fine eight or nine figures deep. BaFin can also order remediation, install a special commissioner, restrict new customer onboarding, or in extreme cases revoke a banking licence.

How Shufti Supports GwG Compliance for Fintech and Banks

Building a Geldwäschegesetz fintech compliance stack means stitching identity proofing, due diligence, ongoing monitoring, and audit trails into a single defensible workflow. Shufti supports this in one platform. KYC and Identity Verification cover § 10 GwG identification with document checks across 230+ countries, biometric face match, and liveness detection that holds up against deepfake injection attempts

AML Screening covers § 15 EDD and ongoing monitoring with screening against 3,500+ global watchlists, 2.6 million PEP profiles, and 50,000+ adverse-media sources, refreshed every 15 minutes. 

Know Your Business handles beneficial-ownership lookups against the Transparenzregister and equivalent registers across the EU. VideoIdent delivers BaFin Circular 3/2017-aligned attended video identity verification for high-assurance moments such as onboarding regulated accounts, tier upgrades, and account recovery. Each session generates full audio-video evidence packs that survive examiner scrutiny. Every step writes a structured audit trail tied to a session identifier, retained for the five-year window § 8 GwG mandates. 

Building a GwG-compliant onboarding and monitoring stack should not require seven vendors and a year of integration work. Shufti gives fintechs and banks one platform for KYC, KYB, AML screening, beneficial-ownership lookups, and BaFin-aligned VideoIdent, with audit trails ready for examiner review. Book a demo to see how the platform fits your GwG obligations.

Frequently Asked Questions

What are the core AML obligations fintech companies must meet under Germany's Geldwäschegesetz?

Fintechs classified as obliged entities under § 2 GwG must perform customer due diligence, screen for sanctions and PEPs, file suspicious activity reports through goAML, register beneficial owners in the Transparenz register, appoint a money laundering reporting officer, and retain records for five years.

How does GwG define beneficial ownership and what disclosure requirements apply to German banks?

§ 3 GwG defines a beneficial owner as any natural person directly or indirectly holding more than 25% of shares or voting rights, or exercising control by other means. Banks must consult the Transparenz register during onboarding and file a discrepancy report under § 23a if data conflicts.

What enhanced due diligence measures does GwG require for high-risk customers and PEPs?

§ 15 GwG requires senior-management approval before onboarding, source-of-funds and source-of-wealth verification, intensified ongoing monitoring, and shorter KYC file refresh cycles. The 2025 BaFin update shortened post-suspicion intensified monitoring windows from three months to 21 calendar days.

What penalties does BaFin impose on financial institutions for GwG non-compliance?

§ 56 GwG sets maximum fines at €5 million per breach or 10% of annual turnover, whichever is higher. BaFin can also order remediation, install a special commissioner, restrict onboarding, and revoke banking licences. Recent fines include €45 million for J.P. Morgan SE in 2025.

Related Posts

Shufti Blog

Germany GwG Compliance: AML Obligations for Fintech & Banks Under the Geldwäschegesetz

Germany GwG Compliance: AML Obligations for Fintech & Banks Under the Geldwäschegesetz

Explore More

Shufti Blog

EU Instant Payments Regulation & AML Screening: What PSPs Must Do

EU Instant Payments Regulation & AML Screening: What PSPs Must Do

Explore More

Shufti Blog

Watchlist Screening: What It Means And How It Actually Works

Watchlist Screening: What It Means And How It Actually Works

Explore More

Shufti Blog

Best Fraud Prevention Practices in Australia’s Banking Sector

Best Fraud Prevention Practices in Australia’s Banking Sector

Explore More

Shufti Blog

Enterprise Fraud Prevention: How to Detect, Prevent, and Mitigate Risks

Enterprise Fraud Prevention: How to Detect, Prevent, and Mitigate Risks

Explore More

Shufti Blog

What Is A Front Company? How Criminals Hide Behind Real Businesses

What Is A Front Company? How Criminals Hide Behind Real Businesses

Explore More

Shufti Blog

What Is a Shelf Company? Risks, Red Flags, And KYB Checks

What Is a Shelf Company? Risks, Red Flags, And KYB Checks

Explore More

Shufti Blog

Germany GwG Compliance: AML Obligations for Fintech & Banks Under the Geldwäschegesetz

Germany GwG Compliance: AML Obligations for Fintech & Banks Under the Geldwäschegesetz

Explore More

Shufti Blog

EU Instant Payments Regulation & AML Screening: What PSPs Must Do

EU Instant Payments Regulation & AML Screening: What PSPs Must Do

Explore More

Shufti Blog

Watchlist Screening: What It Means And How It Actually Works

Watchlist Screening: What It Means And How It Actually Works

Explore More

Shufti Blog

Best Fraud Prevention Practices in Australia’s Banking Sector

Best Fraud Prevention Practices in Australia’s Banking Sector

Explore More

Shufti Blog

Enterprise Fraud Prevention: How to Detect, Prevent, and Mitigate Risks

Enterprise Fraud Prevention: How to Detect, Prevent, and Mitigate Risks

Explore More

Shufti Blog

What Is A Front Company? How Criminals Hide Behind Real Businesses

What Is A Front Company? How Criminals Hide Behind Real Businesses

Explore More

Shufti Blog

What Is a Shelf Company? Risks, Red Flags, And KYB Checks

What Is a Shelf Company? Risks, Red Flags, And KYB Checks

Explore More

Take the next steps to better security.

Contact us

Get in touch with our experts. We'll help you find the perfect solution for your compliance and security needs.

Contact us

Request demo

Get free access to our platform and try our products today.

Get started