Shufti-Sphere-Website-Banner
burger-menu cross-icon-2

Resources

us

216.73.216.200

VideoIdent for German Crypto Exchanges: MiCA, GwG and BaFin Compliance Guide for CASPs

TL;DR

  • German CASPs must comply with both BaFin Circular 3/2017 (GwG) and MiCA when onboarding customers remotely.
  • Low-risk customers can complete automated KYC, while higher-risk cases require VideoIdent with trained agents.
  • BaFin expects evidence such as document security checks, liveness verification, TAN/OTP binding, and audit-ready records.
  • MiCA does not replace Germany’s AML rules it builds on them, making compliant VideoIdent workflows important for EU passporting.
  • A unified onboarding flow helps CASPs satisfy both BaFin and MiCA requirements while reducing operational complexity.

In March 2024, the German Federal Financial Supervisory Authority (BaFin) fined Solaris SE €6.5 million for systemically late filing of suspicious-transaction reports under the German Money Laundering Act (Geldwäschegesetz, GwG) (Global Investigations Review). The case reset BaFin’s expectation for what adequate AML controls look like at a regulated digital institution. Crypto exchanges and crypto-asset service providers (CASPs) in Germany now sit under two stacked obligations.

BaFin Circular 3/2017 on video identification under the GwG, and Regulation (EU) 2023/1114 (MiCA), which has applied to CASPs since 30 December 2024. Most German crypto onboarding stacks were not built for both at once. This guide walks the operator side of that stack. When VideoIdent fires, where automated KYC stops being enough, and what the dual-compliance evidence trail looks like for a CASP planning to passport across the EU before the transitional regime closes in mid-2026.

Why German crypto exchanges face a dual VideoIdent mandate under MiCA and GwG

BaFin treats VideoIdent for crypto in Germany under MiCA as a stacked obligation, not a single-rulebook problem. The agency’s framework treats VideoIdent as the only AML-compliant remote identification path equivalent to face-to-face under the GwG, codified in Circular 3/2017. Since 30 December 2024, every German CASP also answers to MiCAR. Two regimes anchor different parts of the crypto compliance flow. The operator’s job is to produce one evidence trail that satisfies both regulators reading the same session. 

Under BaFin Circular 3/2017, a German CASP that opens accounts remotely must run video sessions with trained agents, capture three randomly selected security features plus the document MRZ, run a spoken liveness challenge, bind the session with a transaction authentication number (TAN) or one-time password (OTP) delivered to the customer’s registered channel, and retain the full session evidence pack for five years. The Solaris fine illustrates how BaFin reads thin documentation across regulated digital institutions, including German CASPs in the same supervisory bucket. Late filings, weak controls, monitor extension, fines stacked. None of that turns on a missed checkbox. It turns on whether the institution can hand the regulator a session-by-session evidence trail on demand, in formats the supervisor accepts on first review.  

MiCA lays a second layer over the same flow. Articles 60 and 63 of Regulation (EU) 2023/1114 require a CASP authorisation, ongoing conduct rules, and customer-due-diligence parity with the GwG framework Germany already enforces. The BaFin MiCAR services page confirms application to crypto-asset service providers from 30 December 2024, with the transitional regime running until 1 July 2026. A German CASP under MiCA is the same German CASP under the GwG. The identification flow runs once. One evidence pack does the work of two.

How MiCA reshapes VideoIdent requirements for German CASPs

MiCA does not replace BaFin Circular 3/2017. It absorbs it. A CASP that wins MiCAR authorisation in Germany passports its services across the EU on one BaFin licence, but the identification stack travels with the licence. Examiners in Madrid, Paris, or Vilnius read the same evidence pack BaFin originally certified, and the rules from Circular 3/2017 sit inside it as the operative standard.

The practical shift is structural, not procedural. Before MiCAR, a German crypto exchange ran VideoIdent under the GwG framework for German customers and patched separate KYC stacks for each EU country it served. After MiCAR took effect on 30 December 2024, that fragmentation is no longer an option. BaFin’s MiCAR Fachartikel, published in January 2025, sets out the simplified authorisation path for institutions already active under national supervision. The simplification reduces filing, not the substantive identification requirements.

For German CASPs the consequence is concrete. The Germany-ready VideoIdent flow becomes the Europe-ready VideoIdent flow. Customer due diligence under MiCA Article 60(7) maps directly onto BaFin’s existing Circular 3/2017 mechanics, so a CASP that already runs compliant attended video does not retool its onboarding stack. It documents the alignment. The European Securities and Markets Authority’s (ESMA) MiCA guidance reinforces that customer-identification requirements interlock with national AML frameworks rather than overriding them. Evidence a BaFin examiner accepts is evidence an ESMA peer review accepts.

Crypto-specific risk does not get easier under MiCAR. Chainalysis reported that stolen crypto funds reached $2.17 billion in the first half of 2025, with Germany among the highest-victim jurisdictions. The MiCAR transitional clock therefore sits beside an active fraud surface, and the Germany crypto KYC VideoIdent stack a CASP ships in 2026 has to defend against deepfakes and coached impersonators in real time, not just satisfy MiCA filings.

Where automated KYC fits and where it stops being enough for crypto onboarding

Most users onboarding to a German crypto exchange do not need a live agent. Automated Know Your Customer (KYC) flows handle the standard tier. The question regulators and engineering teams ask is the same one. Can German crypto platforms use automated KYC instead of VideoIdent? The answer is risk-based, not binary. BaFin Circular 3/2017 specifies when video identification is required, and the rest of the funnel can run on automated checks.

Standard onboarding and where automated KYC carries the load

For low-risk standard-tier customers passing automated document verification, passive-liveness biometric match, and AML screening with no PEP or sanctions hit, BaFin permits automated remote identification. The session is logged, retained, and produces an evidence pack. That pack is lighter than a Circular 3/2017 video pack but still complete on first request.

BaFin’s risk-based stance means automated KYC is not a workaround for the rules, it is the rules for the low-risk band. Examiners want clear documentation of why the firm landed on a low-risk determination, sourced from the same risk assessment that drives the step-up triggers. For most crypto exchanges this band covers 85 to 95 percent of new accounts.

Step-up moments when BaFin’s GwG framework requires a live agent

Once the risk engine flags a session, automated KYC stops being enough. Triggers fall into four buckets. High-deposit or high-withdrawal events past a configured threshold, account-recovery sessions where the customer cannot satisfy a knowledge-based check, PEP or sanctions hits requiring enhanced due diligence under the GwG, and onboarding for high-risk customer categories defined in the firm’s BaFin-approved risk assessment. At that point, BaFin CASP video identification under Circular 3/2017 is the operative standard.

How Shufti helps German CASPs ship MiCA-aligned VideoIdent

Shufti VideoIdent runs the BaFin Circular 3/2017 mechanics that German CASPs need to satisfy MiCA GwG crypto compliance, and runs them in a stack a German exchange can integrate inside the MiCAR transitional window. The product solves the dual-mandate problem at the session level rather than at the audit level.

For onboarding and high-risk step-up events, Shufti VideoIdent provides attended sessions with trained KYC experts, three random security feature checks plus MRZ validation, spoken liveness challenges, TAN or OTP session binding, and the full audio-video evidence pack BaFin examiners read on first request. Sessions connect inside roughly 20 to 30 seconds, average two minutes, and run 24/7 across English, German, French, and Spanish. The flexible agent model lets a CASP run Shufti’s experts, its own compliance team on Shufti infrastructure, or a hybrid where in-house staff cover business hours and Shufti covers nights and weekends.

Shufti’s compliance side runs as part of the same flow. Sanctions, PEP, and adverse-media screening plugs into the same session API, so a flagged hit triggers VideoIdent step-up automatically rather than via a separate vendor handoff. EU data residency, Service Organization Control (SOC) 2 Type II, and International Organization for Standardization (ISO) 27001 certification close the audit-trail loop, and the platform is white-labelled so the end customer sees only the German CASP brand.

The result a compliance team cares about is one onboarding stack that produces one evidence pack, ready for BaFin and ESMA peer review on the same day.

German CASPs running against the MiCAR transitional clock cannot afford an onboarding stack that satisfies one regulator and stalls in front of the other. Shufti VideoIdent ships attended video KYC aligned with BaFin and Austria’s Financial Market Authority (FMA), with 24/7 multilingual agents, bring-your-own (BYO) plus Shufti and hybrid agent models, and evidence packs your examiner can review on the first read. Request a demo and we’ll show you how a Germany-ready VideoIdent stack runs end-to-end.

Frequently Asked Questions

When must German CASPs use VideoIdent instead of standard document verification?

Whenever BaFin's risk-based assessment under Circular 3/2017 calls for face-to-face equivalent identification. Typical triggers include high-risk onboarding, withdrawal step-up beyond a defined threshold, account recovery, and ambiguous biometric or document signals. Standard automated checks suffice for low-risk standard-tier customers.

How do German crypto exchanges satisfy both MiCA and BaFin VideoIdent requirements?

One unified onboarding flow producing one evidence pack. The flow runs BaFin Circular 3/2017 mechanics (trained agents, security feature checks, liveness, TAN binding, retention) inside a CASP-authorised structure under MiCAR Articles 60 to 63, so the same session output answers both regulators on first request.

Does BaFin require VideoIdent for all crypto customers or only high-risk cases?

BaFin operates a risk-based regime under the GwG. VideoIdent is required wherever the firm cannot otherwise meet face-to-face equivalence, including high-risk onboarding and step-up events. Most CASPs run a hybrid stack. Automated KYC handles low-risk accounts, attended video handles step-up events above a defined threshold.

How will MiCA passporting affect German CASPs with existing BaFin VideoIdent approval?

MiCAR authorisation lets a Germany-licensed CASP passport across the EU on one BaFin licence. Existing Circular 3/2017 VideoIdent flows travel with the licence as part of the evidence pack, so the same identification stack covers customers in other EU member states.

Related Posts

Shufti Blog

What is Biometric Verification: Meaning, Types, Technology & Tools

What is Biometric Verification: Meaning, Types, Technology & Tools

Explore More

Shufti Blog

What Is Transaction Screening? Definition, Process, and How It Works

What Is Transaction Screening? Definition, Process, and How It Works

Explore More

Shufti Blog

Sanctions Screening: What It Is and How It Works in AML

Sanctions Screening: What It Is and How It Works in AML

Explore More

Shufti Blog

Florida SB1161 and Deepfake Platform Accountability: What the Law Requires (Updated October 2025)

Florida SB1161 and Deepfake Platform Accountability: What the Law Requires (Updated October 2025)

Explore More

Shufti Blog

VideoIdent for German Crypto Exchanges: MiCA, GwG and BaFin Compliance Guide for CASPs

VideoIdent for German Crypto Exchanges: MiCA, GwG and BaFin Compliance Guide for CASPs

Explore More

Shufti Blog

Video Identification in Switzerland: FINMA Compliance Guide for Banks, Insurance and Asset Managers

Video Identification in Switzerland: FINMA Compliance Guide for Banks, Insurance and Asset Managers

Explore More

Shufti Blog

FMA Video Identification in Austria: FM-GwG Compliance Guide for Financial Institutions

FMA Video Identification in Austria: FM-GwG Compliance Guide for Financial Institutions

Explore More

Shufti Blog

What is Biometric Verification: Meaning, Types, Technology & Tools

What is Biometric Verification: Meaning, Types, Technology & Tools

Explore More

Shufti Blog

What Is Transaction Screening? Definition, Process, and How It Works

What Is Transaction Screening? Definition, Process, and How It Works

Explore More

Shufti Blog

Sanctions Screening: What It Is and How It Works in AML

Sanctions Screening: What It Is and How It Works in AML

Explore More

Shufti Blog

Florida SB1161 and Deepfake Platform Accountability: What the Law Requires (Updated October 2025)

Florida SB1161 and Deepfake Platform Accountability: What the Law Requires (Updated October 2025)

Explore More

Shufti Blog

VideoIdent for German Crypto Exchanges: MiCA, GwG and BaFin Compliance Guide for CASPs

VideoIdent for German Crypto Exchanges: MiCA, GwG and BaFin Compliance Guide for CASPs

Explore More

Shufti Blog

Video Identification in Switzerland: FINMA Compliance Guide for Banks, Insurance and Asset Managers

Video Identification in Switzerland: FINMA Compliance Guide for Banks, Insurance and Asset Managers

Explore More

Shufti Blog

FMA Video Identification in Austria: FM-GwG Compliance Guide for Financial Institutions

FMA Video Identification in Austria: FM-GwG Compliance Guide for Financial Institutions

Explore More

Take the next steps to better security.

Contact us

Get in touch with our experts. We'll help you find the perfect solution for your compliance and security needs.

Contact us

Request demo

Get free access to our platform and try our products today.

Get started