4th Anti-Money Laundering Directive – effects on the German Money Laundering Act and the German Banking Act
On 18 May 2017 the German Parliament accepted a bill implementing the 4th Anti-Money Laundering Directive into German law, which became effective on 26 June 2017.
The changes mainly affect the German Money Laundering Act (Geldwäschegesetz) and the German Banking Act (Kreditwesengesetz), as follows:
- Changes to the German Money Laundering Act (Geldwäschegesetz)
First of all, the scope of application of the new German Money Laundering Act ("New MLA") is broader than before. For example, insurance companies that grant loans, and insurance intermediaries (Versicherungsmittler) that offer such loans, are now included in the scope as well.
All entities within the scope of application of the New MLA, the "obliged entities", have to establish AML-specific risk management (Risikomanagement) that is appropriate to the type and extent of the entity's business operations and that consists of (i) an AML-specific risk assessment (Risikoanalyse) and (ii) AML-specific internal security measures (interne Sicherungsmaßnahmen).
The risk assessment has to be conducted on a regular basis, updated if needed, and documented. Parent companies have to conduct the risk assessment for the whole group. Under the former MLA only obliged entities from the finance sector were required to conduct the risk assessment for the whole group. Under the New MLA all obliged entities have to conduct a group-wide risk assessment.
Internal security measures include the implementation of policies, procedures and controls in order to diminish and control any risks from money laundering or terrorism financing. This particularly includes appointing an AML officer and the officer's deputy as well as having the AML policies independently reviewed (if appropriate with respect to the type and extent of the business), conducting AML-specific "Know-Your-Customer" due diligence (KYC) and fulfilling certain specified record-keeping requirements (Aufzeichnungs- und Aufbewahrungspflicht) with respect to the documentation from conducted risk assessments. For example, obliged entities have to implement procedures that enable them to inform authorities upon their request whether they had a business relationship with a certain person five years prior to the request and what kind of business relationship it was.
One of the main differences between the New MLA and the former MLA is that under the former MLA a classification as low risk was, in general, possible for certain predefined situations. The New MLA, however, takes a more risk-based approach, meaning that obliged entities are required to rate each individual business relationship and transaction as to its respective money-laundering risk, with certain circumstances defined as "risk factors". A categorization as low risk is no longer limited to certain scenarios but is rather the result of a consideration of the risk factors involved. Therefore only an assessment of all relevant risk factors leads to a rating as high risk or low risk and correspondingly to an enhanced or a simplified duty of care (vereinfachte oder verstärkte Sorgfaltspflichten) or a general level of duty of care (allgemeine Sorgfaltspflicht).
These new risk management requirements will mostly result in more complex customer due diligence, and companies will have to assess whether and to what extent their current risk management routines have to be updated in order to comply with the New MLA and the duty of care requirements.
In addition, the fines for administrative offences (Ordnungswidrigkeiten) have been raised from a maximum fine of EUR 100,000 to up to EUR 1 million or twice the amount of the benefit derived from the breach if this benefit can be determined. Regarding credit and finance institutions, the maximum fine can be up to EUR 5 million or 10 % of the institution's annual turnover. Reputational damage comes on top of this: in accordance with the "naming and shaming" approach of the EU Directive, the competent supervisory authorities may publish decisions on breaches.
Another important novelty is the establishment of an electronic transparency register regarding the ultimate beneficial owners of companies. Please read more on this topic here – we have reserved a special article for this.
- Changes to the German Banking Act (Kreditwesengesetz, "KWG")
Of the changes to the KWG, the following are particularly noteworthy: Under the new KWG it is possible for companies to outsource internal security measures to an external third party within the scope of contractual agreements without the prior consent of the German Banking Supervisory Authority BaFin. Only a notice of the outsourcing has to be given to BaFin, although BaFin may forbid or reverse such outsourcing under certain circumstances.
Another change concerns issuers of e-money: a simplified customer due diligence applies only under much more limited circumstances than in the past.
Implementing the new sets of rules with new requirements as to risk management procedures requires enterprises to re-think their current approaches to KYC in order to lift them to the next level. This entails reconsidering manpower, technology and other resources to adjust internal processes appropriately. We will be happy to assist you in developing new routines to bring your business to the forefront of the new standards.