VideoIdent vs eIDV vs Document Verification: What BaFin Accepts (2026)

BaFin fined Solaris SE €6.5 million in 2024 for the systematic late filing of suspicious transaction reports, a failure rooted in AML control gaps that auditors had flagged for years. It was a clear signal that German regulators examine the quality of your compliance process, not just its existence.

For fintechs and regulated institutions onboarding customers remotely in Germany, the equivalent risk in identification is this: VideoIdent, eIDV, and document verification are all sold as BaFin-compatible solutions, but the German Money Laundering Act (GwG) does not treat them the same way. Getting the method wrong means your onboarding records may not hold up when an examiner requests the session evidence.

This article maps exactly where each method stands under the GwG, what BaFin Circular 3/2017 actually requires of VideoIdent, and why passive eIDV and standalone document upload do not clear the same bar.

What the GwG says about remote identification

The GwG sets out customer identification obligations in sections 11 to 13. For remote identification of natural persons, the Act explicitly recognises several pathways. These include VideoIdent conducted by a trained employee under BaFin Circular 3/2017, electronic identification using the German eID online function under section 18 of the Personal Identity Card Act (Personalausweisgesetz), and identification via a qualified electronic signature under the eIDAS Regulation.

What the GwG does not recognise as standalone substitutes for an attended session is passive database checks alone, or automated document capture without a live agent present.

VideoIdent remains the most widely used option in regulated financial services because it generates an evidence pack that BaFin can audit directly. The German eID online function also qualifies, but real-world adoption is constrained by the number of customers with NFC-enabled smartphones and an activated chip on their Personalausweis. Document verification occupies a different role in the workflow entirely, which the sections below explain.

VideoIdent under BaFin Circular 3/2017: what compliance actually requires

BaFin Circular 3/2017 is the authoritative source for VideoIdent requirements. It applies to all entities supervised by BaFin, including credit institutions, financial services providers, payment institutions, and e-money issuers.

The circular sets out nine cumulative requirements, all of which must be satisfied. Identification must be conducted by a trained employee of the obliged entity or a permitted outsourced third party, working in restricted-access premises. Before the session begins, the customer must give explicit, recorded consent to the identification process and to screenshots being taken.

During the session, the employee inspects the identity document and verifies at least three security features randomly selected from an enumerated list, including holograms, tilted laser images, microlettering, guilloche structures, and optically variable ink. The machine-readable zone (MRZ) is validated through automated check-digit calculation. Live presence is confirmed through psychological questioning and behavioural observation, and the document photograph is matched against the person on camera.

To close the session, a TAN or OTP is generated centrally, delivered to the customer’s registered channel, and confirmed during the call. The full session, covering audio, video, screenshots, and structured output, must be recorded and retained for five years.

One firm limit applies. This circular covers natural persons only. It cannot be used to identify a legal person or partnership directly, though it can verify an authorised representative acting on behalf of one.

For a broader look at how attended video identification works across markets, the video KYC guide sets useful context alongside the German-specific rules.

eIDV under the GwG: two very different tiers

“eIDV” is not a single product category in German compliance law. The distinction between active eIDV using the German eID function and passive database-check eIDV is decisive for whether your records qualify.

When the German eID online function qualifies

Germany’s Personalausweis includes an eID chip that allows cardholders to authenticate their identity electronically with public and private sector bodies. The GwG explicitly permits this as a remote identification method, referencing section 18 of the Personalausweisgesetz and the eID-Karte-Gesetz. When a customer uses their eID chip to authenticate directly with your institution, the session qualifies as identity verification under the Act.    

This pathway carries sovereign-grade trust because the data comes from the issuing authority. It also satisfies strong authentication requirements, since the cardholder must enter their PIN or use biometrics to activate the eID function. For institutions operating across EU markets, how national eID schemes connect to the broader eIDAS 2.0 framework is worth reviewing alongside German-specific rules.

Why passive eIDV database checks do not meet the same standard

Passive eIDV covers the background cross-referencing of name, date of birth, and address against credit bureau, telecom, and government data sources. It is a valuable fraud-prevention tool and satisfies KYC requirements in several other jurisdictions. In Germany, it is not a BaFin-approved substitute for VideoIdent or the eID function.

The GwG’s attended identification requirement calls for a verifiable, retained session record. A database match does not produce one. Several electronic identity verification platforms position passive checks as equivalent to attended verification in regulated markets. For Germany, that claim does not hold.

Document verification alone: where it fits and where it falls short

Automated document verification, covering the capture, extraction, and authentication of ID document images, is a standard step in many identity workflows. It is not, on its own, a BaFin-approved substitute for attended identification.

BaFin Circular 3/2017 requires that document security features are inspected by a trained employee in real time, with the customer visible on camera. An automated upload captures some of the same information, including OCR data, MRZ check-digit results, and document database lookups, but it lacks the live agent session, the presence check, the TAN binding, and the audio/video retention requirement.

Document verification works accurately as a component inside a VideoIdent session, not as a replacement. Compliance teams who treat an automated upload flow as equivalent to VideoIdent will find a gap in their evidence pack if BaFin requests the session record.

What the GwVideoIdentV draft changes and what it does not yet

Germany’s Federal Ministry of Finance published a draft Money Laundering Video Identification Ordinance (GwVideoIdentV) in April 2024. The draft would permit fully automated AI-based identification procedures for the first time, subject to Federal Office for Information Security (BSI) security testing and a supervised trial of up to two years. Automated procedures would remain prohibited for customers who present elevated money-laundering risk.

The draft does not retroactively validate existing automated or document-only flows. Until the ordinance is adopted and a specific procedure clears BSI review, BaFin Circular 3/2017 and the German eID function remain the accepted standards for remote attended identification.

Choosing the right method for your compliance setup

For most regulated entities onboarding German customers remotely, the decision follows a clear logic.

If your customer holds a German Personalausweis with the eID function activated, that pathway is fast and produces sovereign-grade evidence. Practical adoption constraints mean a large share of customers still cannot complete it, which limits its use as a primary channel.

VideoIdent covers the widest range of accepted documents and customer profiles and produces the most complete evidence pack for examiner review. It is the practical default for high-assurance remote onboarding under current German law.

Passive eIDV and document verification are valuable layers in a full KYC workflow, but they do not substitute for an attended session. Use them as supporting steps, not as standalone compliant alternatives.