BaFin VideoIdent Requirements for Crypto Platforms & German VASPs (2026)

Germany’s crypto licensing transition closed at the end of 2025. Any crypto-asset service provider operating without BaFin authorisation after January 1, 2026, is operating outside the law. For compliance teams that have cleared the authorisation hurdle, the practical challenge now centres on something more operational: knowing exactly when attended video identification is required and what the session must produce to satisfy a BaFin examiner.

VideoIdent is not a general onboarding check. It is an event-driven control that fires at specific risk moments. The trigger logic and the evidence pack requirements are the two areas where German VASP compliance programmes most often fall short.

This guide covers what looks like at each risk tier, which transactions require an attended video session under GwG, and the evidence pack elements BaFin expects to see when it reviews a flagged account.

What step-up verification means for a German VASP

Step-up verification is a tiered approach where the verification method applied to a user depends on the risk level of the action they are attempting, not on a uniform check at account opening.

For most users on a German crypto exchange, automated document checks and biometric matching cover routine onboarding. VideoIdent, the attended form of video identity proofing, enters the flow only when a defined risk event changes the transaction’s risk profile. This design keeps video session volumes manageable while concentrating human oversight where fraud concentrates most.

The architecture matters for a practical reason. BaFin’s risk-based approach under the German Money Laundering Act (GwG) does not require attended video for every user. It requires proportionate due diligence, and VideoIdent is the proportionate response to high-risk moments: large withdrawals, tier changes, or account recovery events where a machine confidence score is not a defensible control on its own.

The now frames the authorisation layer for German VASPs, but the identity proofing standard still flows from GwG. That means BaFin Circular 3/2017 remains the compliance floor for any video session a German VASP conducts.

BaFin Circular 3/2017 and what it requires from a VideoIdent session

Video identification procedures sets out the requirements for any attended video KYC session conducted under the German Money Laundering Act. The requirements are cumulative: all must be satisfied, not a subset.

Session requirements

A compliant session requires a trained agent working in a secure environment to confirm the user’s live presence through head movement and a spoken system-generated random character sequence. The agent then inspects the presented ID document by checking at least three randomly selected security features from an enumerated list, plus MRZ validation. Explicit consent from the user must be captured on camera before any evidence creation begins.

Session binding via TAN or OTP ties the completed session to the verified user’s registered contact channel. This step is specific to BaFin’s framework, and its absence from a session record is an immediate flag in any review.

Evidence pack requirements

The full evidence pack includes the complete audio and video recording of the session, captured images of the ID document (front, back, and security features visible), a face comparison screenshot, the TAN or OTP confirmation timestamp, and a structured verification report with the agent’s decision and the rationale. BaFin expects this pack to be retained for five years and retrievable on examiner request without manual consolidation effort.

BaFin has shown a clear appetite for enforcement where AML controls fall short. In March 2024, the regulator imposed a  for systematically submitting suspicious activity reports late. Evidence trail completeness, in VideoIdent sessions as in AML reporting, is the mechanism BaFin checks under examination.

Which transactions trigger VideoIdent step-up at a German crypto exchange

The trigger logic is configurable by each VASP, but the compliance floor comes from GwG guidance and the broader obligation stack. Five categories of events consistently warrant an attended video session at a German crypto platform.

Large withdrawals. Transfers above internal thresholds, particularly to self-hosted wallets, concentrate fraud and mule account activity. The recommended wallet ownership verification for self-hosted wallet transfers above €1,000. Pairing this due diligence check with a VideoIdent session creates a consolidated evidence record for that withdrawal event.

Tier upgrades. Moving a customer from a lower withdrawal limit to a higher one represents a material change in account risk. Enhanced due diligence at this point is expected under the GwG risk-based framework, and VideoIdent produces the documented record that supports the decision.

PEP or sanctions hits. When identifying a potential match against a politically exposed persons list or a sanctions watchlist, an automated assessment is not sufficient as a standalone decision. A documented attended session provides a defensible basis for clearing or escalating the match.

Device anomalies and SIM swap signals. Account takeover attempts at crypto platforms are substantially more common than in traditional finance, given the irreversible nature of on-chain transfers. A device change, SIM swap alert, or login velocity flag is a reasonable trigger for step-up verification before the transaction proceeds.

Account recovery. When a user loses access to their device and attempts to recover account control, the original onboarding check is no longer sufficient as a standalone control. A fresh VideoIdent session re-confirms identity before access is restored.

A well-configured trigger framework means the large majority of users complete their tasks entirely through automated flows. VideoIdent fires where risk justifies it, not uniformly across the customer base.

Common VideoIdent implementation gaps in German VASP workflows

Most German VASPs that run into audit problems at the VideoIdent layer do so because of what the evidence pack is missing, not because the video session itself failed to occur.

The evidence pack is the unit of compliance. A session recording that cannot be retrieved, a TAN confirmation missing its session identifier, and consent captured after evidence creation began are the three evidence failures that appear most often in BaFin audits. Any one of them turns a completed session into an indefensible record under BaFin Circular 3/2017.

VASPs using separate vendors for document checks, liveness, and AML screening face a specific consolidation problem. When a BaFin examiner reviews a flagged account, they expect a single, retrievable evidence pack. Evidence spread across three systems with no automated consolidation mechanism requires manual assembly under time pressure, and that is exactly the failure mode that audits surfaces.

The German Federal Ministry of Finance published a draft VideoIdent ordinance in April 2024 that introduces a tiered structure for simple and partially automated video identification procedures. The ordinance has not been finalised, but compliance teams building VideoIdent workflows in 2026 should treat the draft as directional guidance for how statutory requirements will eventually be formalised.