German Money Laundering Act (GwG): Your Comprehensive Guide to AML Compliance

Money Laundering Act

As last amended by Article 23 of the Act of 23 June 2017 (Federal Law Gazette 2017 I p. 1822)
Replaces Act 7613-2 of 13 August 2008 (Federal Law Gazette 2008 I p. 1690) (GwG 2008)

This Act, adopted by the Bundestag with the consent of the Bundesrat as Article 1 of the Act of 23 June 2017 (Federal Law Gazette 2017 I p. 1822), entered into force on 26 June 2017, as per Article 24 sentence 1 of that Act.

Please note: German version is binding. This English translation is for informational purposes only. The original German text is legally binding.

Part 1: Definitions and Obliged Entities

Section 1: Definitions

(1) Money laundering under this Act refers to offenses as defined in section 261 of the Criminal Code (Strafgesetzbuch).

(2) Terrorist financing under this Act encompasses:

1. Providing or collecting property knowing it will be used for:
   a) Offenses under section 129a of the Criminal Code, including in conjunction with section 129b, or
   b) Offenses described in Articles 1 to 3 of Council Framework Decision 2002/475/JHA on combating terrorism.
2. Committing offenses under section 89c of the Criminal Code.
3. Instigating or aiding and abetting offenses in points 1 or 2.

(3) Identification under this Act involves:

1. Gathering information to establish identity.
2. Verifying the identity.

(4) Business relationship refers to any ongoing relationship directly linked to the commercial or professional activities of obliged entities, expected to be of a lasting nature.

(5) Transaction means any single act or series of linked acts aimed at or resulting in the transfer of funds or movement of assets or property.

(6) Trust is a legal arrangement established as a trust under applicable law. It also includes similar legal arrangements modeled on trusts under relevant law.

(7) Property includes:

1. Any asset, whether tangible or intangible, movable or immovable.
2. Legal documents and instruments, in any form (including electronic), evidencing rights to assets in point 1.

(8) Game of chance is any game where payment is made for a chance to win, with the outcome primarily determined by chance.

(9) Trader in goods is someone who commercially sells goods, regardless of who they are acting for.

(10) Valuables are goods that:

1. Stand out from everyday items due to quality, market value, or intended use.

2. Are not considered everyday purchases due to their price.

   This particularly includes:

   1. Precious metals (gold, silver, platinum).
   2. Precious stones.
   3. Jewellery, watches, and clocks.
   4. Artworks and antiques.
   5. Motor vehicles, ships, motorboats, and aircraft.

(11) Estate agent is someone who commercially brokers the purchase or sale of real estate or equivalent rights.

(12) Politically exposed person (PEP) includes individuals holding or having held high-ranking public functions at international, European, or national levels, or comparable political roles below the national level. Specifically, PEPs include:

1. Heads of state, heads of government, ministers, EU Commissioners, deputy and assistant ministers.
2. Parliament members and members of similar legislative bodies.
3. Governing body members of political parties.
4. Supreme court, constitutional court, or other high-level judicial body members whose decisions are typically not subject to further appeal.
5. Boards of court of audit members.
6. Central bank board members.
7. Ambassadors, chargés d’affaires, and defense attachés.
8. Administrative, management, or supervisory body members of state-owned enterprises.
9. Directors, deputy directors, board members, or managers with comparable roles in international or European intergovernmental organizations.

(13) Family member of a PEP means a close relative, specifically:

1. Spouse or civil partner.
2. Child and the child’s spouse or civil partner.
3. Parents.

(14) Person known to be a close associate of a PEP is someone the obliged entity has reason to believe:

1. Is a beneficial owner jointly with a PEP of an association (section 20(1)) or legal arrangement (section 21).
2. Has close business relationships with a PEP.
3. Is the sole beneficial owner of an association (section 20(1)) or legal arrangement (section 21) established for the de facto benefit of a PEP.

(15) Member of senior management is an officer or senior employee with sufficient knowledge of the entity’s money laundering and terrorist financing risk exposure and decision-making authority in this area.

(16) Group refers to a group of companies consisting of:

1. A parent company.
2. The parent company’s subsidiaries.
3. Entities in which the parent company or its subsidiaries hold a participation.
4. Companies linked by relationships as defined in Article 22(1) of Directive 2013/34/EU.

(17) Third country is a country that is:

1. Not an EU member state.
2. Not a signatory to the Agreement on the European Economic Area.

(18) Electronic money is as defined in section 1a (3) of the Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz).

(19) Supervisory authority is the competent authority defined in section 50.

(20) Reliable employees are those who can be safely assumed to:

1. Carefully comply with obligations under this Act, anti-money laundering and counter-terrorist financing laws, and internal controls.
2. Report facts as per section 43 (1) to their manager or money laundering reporting officer.
3. Not participate in dubious transactions or business relationships.

(21) Correspondent relationship is a business relationship where:

1. Banking services (account provision, cash management, international transfers, forex, cheque clearing) are provided by obliged entities (correspondents) to CRR credit institutions or equivalent entities in third countries (respondents).
2. Non-banking services are provided by obliged entities (correspondents) to other CRR credit institutions or financial institutions, or equivalent entities in third countries (respondents).

(22) Shell bank is:

1. A CRR credit institution or financial institution as per Directive (EU) 2015/849.
2. A company carrying out equivalent activities, registered in a different country from where it’s managed, and not affiliated with a regulated group.

Section 2: Obliged Entities, Authorization to Issue Regulations

(1) Obliged entities under this Act are the following institutions and persons in their business or profession:

1. Credit institutions as defined in the Banking Act (Kreditwesengesetz), excluding specific institutions and branches of foreign credit institutions.
2. Financial services institutions as defined in the Banking Act, excluding specific institutions and branches of foreign financial services institutions.
3. Payment institutions and electronic money institutions as defined in the Payment Services Supervision Act and branches of comparable foreign institutions.
4. Agents and electronic money agents as defined in the Payment Services Supervision Act.
5. Independent businesspersons distributing or redeeming electronic money of credit institutions.
6. Financial companies as defined in the Banking Act whose principal activity aligns with Banking Act definitions, and branches of such foreign companies.
7. Insurance undertakings offering life insurance, accident insurance with premium refunds, or money loans.
8. Insurance intermediaries brokering activities covered in point 7, excluding those under specific sections of the Industrial Code (Gewerbeordnung), and branches of foreign insurance intermediaries.
9. Asset management companies as defined in the Investment Code (Kapitalanlagegesetzbuch), branches of EU and foreign AIF management companies, and foreign AIF management companies supervised by the Federal Financial Supervisory Authority in Germany.
10. Lawyers, legal advisors (bar members), patent attorneys, and notaries when involved in specific activities for clients, such as real estate transactions, asset management, account management, company organization, or financial/real estate transactions on behalf of clients.
11. Non-bar-member legal advisors and registered persons under the Legal Services Act (Rechtsdienstleistungsgesetz) involved in activities similar to point 10 for clients.
12. Auditors, chartered accountants, tax advisors, and authorized tax agents.
13. Service providers for companies and trusts offering services like company formation, acting as directors or partners, providing registered offices, or acting as nominee shareholders, excluding those in points 10-12.
14. Estate agents.
15. Organizers and brokers of games of chance, excluding specific types of gambling operations with state licenses or social lotteries.
16. Traders in goods.

(2) The Federal Ministry of Finance can issue regulations to exempt certain obliged entities (points 1-9 and 16) with low money laundering and terrorist financing risks if their financial activities are occasional, limited, and ancillary to their main business, with transaction limits and turnover thresholds.

Section 3: Beneficial Owner

(1) Beneficial owner refers to the natural person who ultimately owns or controls the contracting party or on whose instructions a transaction is carried out or a business relationship is established. This includes individuals listed in subsections (2) to (4).

(2) For legal persons (excluding foundations) and corporate entities not publicly listed and subject to transparency requirements, beneficial owners include natural persons who directly or indirectly:

1. Hold more than 25% of the capital stock.

2. Control more than 25% of the voting rights.

3. Exercise control in a comparable manner.

   Indirect control exists when corresponding percentages are held by associations controlled by a natural person. Control exists if a natural person can exert dominant influence. Section 290 (2) to (4) of the Commercial Code applies mutatis mutandis. If no natural person is identified after extensive investigation, or if there are doubts about the identified person, the beneficial owner is assumed to be the legal representative, managing partner, or partner of the contracting party.

(3) For foundations, legal arrangements managing assets, and comparable constructs, beneficial owners include:

1. Trustor, trustee, or protector.
2. Foundation board members.
3. Designated beneficiaries.
4. The class of beneficiaries if not yet designated.
5. Any natural person exercising controlling influence on asset management or income distribution.

(4) In cases of trading on instruction, the instructing person is the beneficial owner. Contracting parties acting as trustees are also considered to be trading on instruction.

Part 2: Risk Management

Section 4: Risk Management

(1) Obliged entities must have effective risk management systems appropriate to their business’s nature and size to prevent money laundering and terrorist financing.

(2) Risk management includes a risk analysis (section 5) and internal safeguards (section 6).

(3) A management member must be appointed to oversee risk management and compliance with anti-money laundering and counter-terrorist financing laws. This member must approve risk analysis and internal safeguards.

(4) Traders in goods (section 2 (1) no. 16) must have risk management systems if they make or receive cash payments of €10,000 or more per transaction.

Section 5: Risk Analysis

(1) Obliged entities must identify and assess money laundering and terrorist financing risks associated with their business activities, paying particular attention to risk factors in Annexes 1 and 2 and national risk assessment information. The extent of the analysis depends on the business’s nature and size.

(2) Obliged entities must:

1. Document the risk analysis.
2. Regularly review and update it.
3. Make the latest version available to the supervisory authority upon request.

(3) For parent companies, subsections (1) and (2) apply to the entire group.

(4) The supervisory authority may exempt an obliged entity from documenting its risk analysis if sector-specific risks are demonstrably clear and understood.

Section 6: Internal Safeguards

(1) Obliged entities must implement appropriate business and customer-oriented internal safeguards (principles, procedures, controls) to manage and mitigate money laundering and terrorist financing risks. These measures must correspond to the entity’s risk situation and be sufficiently comprehensive. Functionality must be monitored and safeguards updated as needed.

(2) Internal safeguards specifically include:

1. Developing internal principles, procedures, and controls for risk management, customer due diligence (sections 10-17), reporting obligations (section 43 (1)), record-keeping (section 8), and compliance with AML/CFT laws.
2. Appointing a money laundering reporting officer and deputy (section 7).
3. Establishing group-wide procedures for parent companies (section 9).
4. Developing measures to prevent abuse of new products and technologies for money laundering/terrorist financing or anonymity.
5. Reliability screening of employees.
6. Initial and ongoing employee training on money laundering/terrorist financing typologies, methods, and relevant legal obligations.
7. Independent review of principles and procedures if appropriate for business nature and size.

(3) If obliged entities (section 2 (1) nos. 10-14 and 16) perform professional activities as company employees, the obligations in subsections (1) and (2) fall to the company.

(4) Games of chance organizers/brokers (section 2 (1) no. 15) must operate data processing systems to identify suspicious business relationships and transactions in gambling operations and accounts (section 16), based on public information and corporate experience of money laundering/terrorist financing methods. These systems must be updated. The supervisory authority may exempt entities from using these systems based on specified criteria.

(5) Obliged entities must establish confidential reporting mechanisms for employees and comparable persons to report AML/CFT contraventions.

(6) Obliged entities must be able to provide information to the German Financial Intelligence Unit (FIU) or other competent authorities on whether they maintained a business relationship with specific persons in the past five years and its nature. Information must be transmitted securely and confidentially. Lawyers and tax advisors (section 2 (1) nos. 10 and 12) may refuse information if it relates to client relationships subject to professional secrecy, unless they know the client is using the relationship for money laundering or terrorist financing.

(7) Obliged entities may contractually engage third parties for internal safeguards, notifying the supervisory authority in advance. The authority can prohibit this if the third party cannot assure proper implementation, or if management capabilities or supervisory oversight would be adversely affected. Obliged entities remain ultimately responsible.

(8) The supervisory authority may issue orders to obliged entities to implement necessary internal safeguards.

(9) The supervisory authority may order the application of subsections (1)-(6), appropriately risk-adjusted, to specific obliged entities or groups based on transaction types or business size, considering money laundering and terrorist financing risks.

Section 7: Money Laundering Reporting Officer

(1) Obliged entities (section 2 (1) nos. 1-3, 6, 7, 9, and 15) must appoint a money laundering reporting officer at senior management level and a deputy, responsible for AML/CFT compliance and directly subordinate to top management.

(2) The supervisory authority may exempt entities from appointing a reporting officer if information loss or duty separation risks are mitigated and other risk-based measures are in place to prevent money laundering and terrorist financing.

(3) The supervisory authority may order obliged entities (section 2 (1) nos. 4, 5, 8, 10-14, and 16) to appoint a reporting officer if deemed appropriate, especially for traders in high-value goods (section 2 (1) no. 16).

(4) Obliged entities must notify the supervisory authority of the appointment or dismissal of the reporting officer and deputy. The authority can revoke appointments if appointees lack qualifications or reliability.

(5) The reporting officer must function in Germany, serving as the point of contact for law enforcement, threat prevention agencies, the FIU, and the supervisory authority. They must have sufficient powers and resources, including unrestricted access to relevant information, data, records, and systems, and report directly to top management. They are not subject to top management instructions when submitting reports (section 43 (1)) or responding to FIU information requests (section 30 (3)).

(6) The reporting officer may use data and information solely for their functions.

(7) Reporting officers and deputies must not face employment disadvantages due to their role. Termination is only admissible for good cause without notice. Post-appointment termination is inadmissible within a year, except for good cause without notice.

Section 8: Recording and Retention Requirement

(1) Obliged entities must record and retain:

1. Data and information from due diligence requirements on contracting parties, representatives, and beneficial owners, as well as business relationships and transactions, including transaction documents for investigations.

2. Information on risk evaluation implementation and results (sections 10 (2), 14 (1), 15 (2)), and the suitability of measures taken.

3. Results of examinations (section 15 (5) no. 1).

4. Reasons and explanations for reporting obligation evaluations (section 43 (1)).

   Records for legal persons include measures to identify beneficial owners (section 3 (2) sentence 1).

(2) For identification verification (section 12 (1) sentence 1 no. 1), the type, number, and issuing authority of presented documents must be recorded. For documents under section 12 (1) sentence 1 nos. 1 or 4, or section 12 (2), or documents specified by regulation (section 12 (3)), obliged entities can copy or digitize them fully, which qualifies as a record. If repeat identification is omitted (section 11 (3) sentence 1), the person’s name and prior identification must be recorded. For section 12 (1) sentence 1 no. 2, service and card identifiers are recorded instead of document details, along with verification via electronic proof of identity. For qualified signatures (section 12 (1) sentence 1 no. 3), validation is recorded. Printouts of electronically managed register/directory data (section 12 (2)) qualify as records.

(3) Records can be stored digitally, ensuring data consistency, availability during retention, and readability within a reasonable timeframe.

(4) Records and evidence (subsections (1)-(3)) must be retained for five years and then destroyed. Other legal record-keeping provisions remain. For section 10 (3) sentence 1 no. 1, retention starts at the end of the calendar year of business relationship termination. In other cases, it starts at the end of the calendar year of information gathering.

(5) For presenting retained documents to public agencies, section 147 (5) of the Fiscal Code applies mutatis mutandis regarding document readability.

Section 9: Group-wide Compliance with Obligations

(1) Parent companies must conduct a group-wide risk analysis for all group companies, branches, and offices subject to AML/CFT obligations. Based on this, they must implement group-wide:

1. Consistent internal safeguards (section 6 (1) and (2)).

2. Appointment of a money laundering reporting officer to devise group-wide strategy, coordinate, and monitor implementation.

3. Procedures for intra-group information exchange for AML/CFT.

4. Data protection measures.

   They must ensure effective implementation of these obligations and measures by subsidiaries, branches, and offices subject to AML/CFT law.

(2) For group companies in other EU member states, parent companies must ensure compliance with national rules implementing Directive (EU) 2015/849.

(3) For group companies in third countries with less strict AML/CFT requirements, subsection (1) applies compatibly with third-country law. If incompatible, parent companies must:

1. Ensure additional measures by third-country group companies to effectively counter money laundering and terrorist financing.

2. Inform the supervisory authority of these measures.

   If these measures are insufficient, the supervisory authority can order parent companies to prevent their third-country subsidiaries, branches, and offices from initiating or continuing business relationships or transactions, and to terminate existing relationships, regardless of other laws or contracts.

Part 3: Customer Due Diligence Requirements

Section 10: General Due Diligence Requirements

(1) General due diligence requirements include:

1. Identifying contracting parties and representatives (sections 11 (4), 12 (1), and (2)), and verifying representative authority.
2. Clarifying if the contracting party is acting for a beneficial owner and identifying them (section 11 (5)), including understanding the ownership and control structure for non-natural persons.
3. Obtaining and evaluating information on the purpose and intended nature of the business relationship, if not already clear.
4. Establishing, using risk-oriented procedures, if the contracting party or beneficial owner is a PEP, family member, or close associate.
5. Continuously monitoring the business relationship and transactions to ensure consistency with available information about the contracting party, beneficial owner, business activity, customer profile, and, if needed, source of wealth. Documents, data, and information must be updated regularly based on risk.

(2) The specific extent of measures in subsection (1) nos. 2-5 must align with the money laundering or terrorist financing risk, considering risk factors in Annexes 1 and 2. Risk evaluation must also consider:

1. Purpose of the account or business relationship.

2. Level of deposited assets or transaction size.

3. Regularity or duration of the business relationship.

   Obliged entities must demonstrate the adequacy of their measures based on money laundering and terrorist financing risks to competent authorities upon request.

(3) Obliged entities must fulfill general due diligence requirements:

1. When establishing a business relationship.
2. For transactions outside an existing relationship:
   a) Funds transfers (Regulation (EU) 2015/847) of €1000 or more.
   b) Other transactions of €15,000 or more.
3. Regardless of thresholds, when facts indicate property is linked to money laundering or terrorist financing, or doubt exists about the veracity of identity information.
4. For all new customers and, for existing relationships, at appropriate times on a risk-sensitive basis, especially when customer circumstances change.

(4) Obliged entities (section 2 (1) nos. 3-5) must fulfill requirements under subsection (1) nos. 1 and 2 when accepting cash for payment services (Payment Services Supervision Act).

(5) Games of chance organizers/brokers (section 2 (1) no. 15) must fulfill due diligence requirements when a player wins or bets €2,000 or more, unless online. Identification can occur upon casino entry if transactions of €2,000 or more can be attributed to the player.

(6) Traders in goods (section 2 (1) no. 16) must fulfill due diligence requirements in cases of suspected money laundering/terrorist financing (subsection (3) sentence 1 no. 3) and for cash transactions of €10,000 or more.

(7) Section 25i (1) of the Banking Act applies to obliged entities (section 2 (1) nos. 4 and 5) issuing electronic money, limited to requirements under subsection (1) nos. 1 and 4. Section 25i (2) and (4) of the Banking Act apply mutatis mutandis.

(8) Insurance intermediaries (section 2 (1) no. 8) collecting premiums for insurance undertakings (section 2 (1) no. 7) must notify the insurer when cash premiums exceed €15,000 in a calendar year.

(9) If obliged entities cannot fulfill general due diligence requirements (subsection (1) nos. 1-4), business relationships must not be established or continued, and transactions must not be executed. Existing relationships must be terminated. This does not apply to lawyers and tax advisors (section 2 (1) nos. 10 and 12) providing legal advice/representation, unless they know the client is seeking advice for money laundering or terrorist financing.

Section 11: Identification

(1) Obliged entities must identify contracting parties, representatives, and beneficial owners before establishing business relationships or executing transactions. Identification can be completed during business relationship establishment if necessary to avoid business disruption and if money laundering/terrorist financing risk is low.

(2) Estate agents (section 2 (1) no. 14) must identify contract parties when a serious interest in a real estate sales contract is expressed and parties are sufficiently defined.

(3) Identification can be omitted if the person was previously identified and information recorded. Re-identification is required if doubts arise about the correctness of prior information.

(4) Identification requires collecting:

1. For natural persons:
   a) First and last name.
   b) Place of birth.
   c) Date of birth.
   d) Nationality.
   e) Residential address or postal address (if no EU residence and verifying identity for a basic payment account).
2. For legal persons or partnerships:
   a) Company, name, or trading name.
   b) Legal form.
   c) Commercial register number (if available).
   d) Registered office or head office address.
   e) Names of representative body members or legal representatives, and data (a-d) for legal person representatives.

(5) For beneficial owner identification, at least name must be established, and further identifying information collected if appropriate based on money laundering/terrorist financing risk. Date and place of birth and address may be collected regardless of risk. Obliged entities must verify information veracity using risk-adequate measures, not relying solely on transparency register information.

(6) Contracting parties must provide necessary information and documents for identification and notify obliged entities of any changes. They must disclose if they are acting on behalf of a beneficial owner and provide evidence of the beneficial owner’s identity.

Section 12: Identity Verification, Authorization to Issue Regulations

(1) Identity verification for natural persons (section 10 (1) no. 1) must be based on:

1. Valid official ID with a photo, meeting German passport/ID requirements (German passport, ID card, or substitutes, or recognized foreign passports/IDs).

2. Electronic proof of identity (Act on Identity Cards and Electronic Identification or Residence Act).

3. Qualified electronic signature (Regulation (EU) No 910/2014).

4. Notified electronic identification scheme (Regulation (EU) No 910/2014).

5. Documents specified in regulations for payment account opening (Verordnung über die Bestimmung von Dokumenten).

   For qualified electronic signatures, obliged entities must validate them per Regulation (EU) No 910/2014 and ensure a transaction from a payment account (Payment Services Supervision Act) in the contracting party’s name with an obliged entity (section 2 (1) sentence 1 no. 1 or no. 3) or a credit institution in EU/EEA or a third country with equivalent due diligence and supervision.

(2) Identity verification for legal persons (section 10 no. 1) must be based on:

1. Extract from commercial register, cooperative society register, or comparable official register/directory.
2. Formation documents or equivalent substantiating documents.
3. Documented inspection by the obliged entity of register/directory data.

(3) The Federal Ministry of Finance, in consultation with the Federal Ministry of the Interior, may designate further documents for identity verification via regulation.

Section 13: Identity Verification Procedures, Authorization to Issue Regulations

(1) Obliged entities verify natural person identity through:

1. Appropriate examination of physically presented documents.
2. Other procedures suitable for AML/CFT identity verification with equivalent security levels.

(2) The Federal Ministry of Finance, in consultation with the Federal Ministry of the Interior, may issue regulations to:

1. Detail or add requirements to the procedure in subsection (1) or for obliged entities using it.
2. Define procedures appropriate for AML/CFT identification under subsection (1) no. 2.

Section 14: Simplified Due Diligence Requirements, Authorization to Issue Regulations

(1) Obliged entities may apply simplified due diligence requirements in areas with low money laundering/terrorist financing risk, particularly for customers, transactions, services, or products, considering risk factors in Annexes 1 and 2. They must ascertain the lower risk before applying simplified measures. Section 10 (2) sentence 4 applies mutatis mutandis for demonstrating adequacy.

(2) Where simplified due diligence is applicable, obliged entities may:

1. Reduce the extent of general due diligence measures appropriately.

2. Use other credible and independent source documents, data, or information for identity verification, deviating from sections 12 and 13.

   Transaction and business relationship scrutiny must still enable recognition and reporting of unusual or suspicious transactions.

(3) If simplified due diligence requirements cannot be met, section 10 (9) applies mutatis mutandis.

(4) The Federal Ministry of Finance, in consultation with the Federal Ministry of the Interior, may designate types of cases with lower money laundering/terrorist financing risk via regulation, where simplified due diligence is sufficient, considering risk factors in Annexes 1 and 2.

(5) Directive (EU) 2015/847 does not apply to domestic funds transfers to a beneficiary’s payment account exclusively for goods/services payments if:

1. The beneficiary’s payment service provider is subject to this Act.
2. The provider can trace transfers back to the agreement with the beneficiary using a unique transaction reference.
3. The amount transferred does not exceed €1,000.

Section 15: Enhanced Due Diligence Requirements, Authorization to Issue Regulations

(1) Enhanced due diligence requirements are additional to general requirements.

(2) Obliged entities must fulfill enhanced requirements if they find a higher money laundering/terrorist financing risk through risk analysis or by considering risk factors in Annexes 1 and 2. The extent of measures depends on the higher risk level. Section 10 (2) sentence 4 applies mutatis mutandis for demonstrating adequacy.

(3) Higher risk arises particularly:

1. If a contracting party or beneficial owner is a PEP, family member, or close associate, or from a high-risk third country identified by the European Commission (Directive (EU) 2015/849), except for EU-domiciled branches or majority-owned subsidiaries in high-risk third countries fully implementing group-wide policies (Directive (EU) 2015/849).
2. If a transaction is unusually complex, large, follows an unusual pattern, or lacks apparent economic or lawful purpose.
3. In cross-border correspondent relationships with third-country respondents, or EEA respondents if heightened risk is identified.

(4) In cases of subsections (2) and (3) no. 1, at least the following enhanced due diligence requirements must be met:

1. Senior management approval for establishing or continuing the business relationship.

2. Adequate measures to establish the source of funds.

3. Enhanced, ongoing monitoring of the business relationship.

   For PEPs (subsection (3) no. 1 (a)) becoming PEPs during the relationship or identified as PEPs after establishment, senior management approval is required for continued relationship.

(5) In cases of subsection (3) no. 2, at least the following enhanced due diligence requirements must be met:

1. Transaction examination to monitor and assess money laundering/terrorist financing risk and determine if a reporting requirement exists (section 43 (1)).
2. Enhanced, ongoing monitoring of underlying business relationships to assess and monitor money laundering/terrorist financing risk.

(6) In cases of subsection (3) no. 3, obliged entities (section 2 (1) nos. 1-3 and 6-9) must fulfill at least these enhanced due diligence requirements:

1. Obtain sufficient information about the respondent to understand their business nature, reputation, AML/CFT controls, and supervision quality.
2. Obtain senior management approval before establishing a business relationship.
3. Determine and document responsibilities for due diligence fulfillment (section 8) before relationship establishment.
4. Take measures to avoid relationships with respondents whose accounts are used by shell banks.
5. Take measures to ensure respondents do not permit payable-through accounts.

(7) For former PEPs, obliged entities must consider specific PEP risks for at least twelve months after they leave public function and take risk-adequate measures until the risk is assumed to no longer exist.

(8) If national or international AML/CFT agencies indicate higher risk beyond subsection (3) cases, the supervisory authority may order enhanced transaction/business relationship monitoring and additional risk-adequate due diligence.

(9) If enhanced due diligence requirements cannot be met, section 10 (9) applies mutatis mutandis.

(10) The Federal Ministry of Finance may designate types of cases with potentially higher money laundering and terrorist financing risk via regulation, requiring specific enhanced due diligence, considering risk factors in Annexes 1 and 2.

Section 16: Special Provisions Regarding Online Games of Chance

(1) Obliged entities (section 2 (1) no. 15) offering or brokering online games of chance are subject to subsections (2)-(8).

(2) Players can only be admitted to online games of chance after a gambling account is set up in their name.

(3) Obliged entities cannot accept deposits or refundable monies into gambling accounts. Account balances must not bear interest. Section 2 (2) sentence 3 of the Payment Services Supervision Act applies mutatis mutandis to received funds.

(4) Player transactions to gambling accounts must occur only:

1. Via payment transactions:
   a) Direct debit.
   b) Credit transfer.
   c) Payment card in the player’s name.

2. From a payment account (Payment Services Supervision Act) in the player’s name with an obliged entity (section 2 (1) no. 1 or no. 3).

   Exemptions from sentence 1 no. 1 (c) and no. 2 may be granted if game participation payments do not exceed €25 per transaction or €100 for multiple transactions per month.

(5) Obliged entities must inform the supervisory authority without delay when a payment account (Payment Services Supervision Act) in their name is opened or closed for player funds for online games of chance.

(6) When obliged entities or other issuers issue monetary value instruments (Payment Services Supervision Act) for gambling account transactions, they must ensure the instrument holder’s identity matches the gambling account holder.

(7) Obliged entities can only transact with players:

1. Via payment transactions under subsection (4).

2. To a payment account in the player’s name with an obliged entity (section 2 (1) no. 1 or no. 3).

   The payment reference must be transparent. Competent authorities may specify standard wordings.

(8) Deviating from section (11), provisional player identification for gambling accounts is allowed, based on electronic or postal copies of documents (section 12 (1) sentence 1 no. 1). Full identification must follow without delay. Both provisional and full identification can also follow gambling law identification and authentication requirements.

Section 17: Performance of Due Diligence Requirements by Third Parties, Contractual Outsourcing

(1) Obliged entities may engage third parties to fulfill general due diligence requirements (section 10 (1) nos. 1-4). Third parties must be:

1. Obliged entities (section 2 (1)).

2. Obliged entities in other EU member states (Directive (EU) 2015/849).

3. Member organizations of point 2 entities or entities in third countries subject to equivalent due diligence and record-keeping requirements (Directive (EU) 2015/849) with supervision consistent with Directive (EU) 2015/849 Chapter IV(2).

   Obliged entities remain responsible for fulfilling general due diligence requirements.

(2) Obliged entities must not engage third parties in high-risk third countries, except for EU-domiciled branches or majority-owned subsidiaries of EU obliged entities fully implementing group-wide policies (Directive (EU) 2015/849).

(3) When engaging third parties, obliged entities must ensure they:

1. Obtain information for due diligence requirements (section 10 (1) nos. 1-3).

2. Transmit information directly and promptly to the obliged entity.

   Obliged entities must also ensure third parties promptly present copies of relevant documents for identity verification of contracting parties and beneficial owners upon request. Third parties can copy and pass on identity documents for this purpose.

(4) Requirements of subsections (1) and (3) are deemed fulfilled if:

1. Third parties belong to the same group.
2. Group’s due diligence, record-keeping, policies, and procedures are consistent with Directive (EU) 2015/849 or equivalent.
3. Effective implementation is supervised at group level.

(5) Obliged entities can delegate performance of due diligence measures (section 10 (1) nos. 1-4) to suitable persons/companies other than third parties in subsection (1) via contractual agreement. Delegated measures are considered the obliged entity’s own. Subsection (3) applies mutatis mutandis.

(6) Delegation under subsection (5) must not:

1. Hinder the obliged entity’s obligations under this Act.
2. Interfere with management’s supervisory powers.
3. Interfere with the supervisory authority’s oversight.

(7) Before delegation (subsection (5)), obliged entities must verify the reliability of the person/company. During cooperation, they must spot-check the appropriateness of measures.

(8) Contractual agreements with German embassies, foreign chambers of commerce, or consulates are deemed suitable. Subsection (7) does not apply in this case.

(9) Delegation under subsection (5) does not affect outsourcing provisions of section 25b of the Banking Act.

Part 4: Transparency Register

Section 18: Establishment of the Transparency Register and the Registrar Entity

(1) A transparency register is established to record and make available beneficial owner information.

(2) The register is administered electronically as a sovereign function of the Federal Republic by the registrar entity, chronologically organizing stored data.

(3) If notifications (section 20 or 21) are unclear or attribution is doubtful, the registrar entity can request clarifying information from the notified association or legal arrangement within a reasonable period.

(4) The registrar entity produces printouts of register data and confirmations of no current entries upon request. It can certify data correspondence to register content, but certification does not guarantee accuracy or completeness of beneficial owner information. Applications for printouts of data accessible via the register (section 22 (1) sentence 1 nos. 4-8) can also be transmitted to the court via the register. This applies mutatis mutandis to transmitting applications for data accessible under section 22 (1) sentence 1 nos. 2 and 3 to the company register operator.

(5) The registrar entity establishes an information security concept for the register, detailing data protection measures.

(6) The Federal Ministry of Finance can regulate technical details of register establishment and administration via regulation, including historical data storage and deletion rules.

Section 19: Information on the Beneficial Owner

(1) The following beneficial owner information is accessible via the transparency register (section 23) for associations (section 20 (1) sentence 1) and legal arrangements (section 21):

1. First and last name.
2. Date of birth.
3. Place of residence.
4. Nature and extent of beneficial interest.

(2) Section 3 (1) and (2) apply mutatis mutandis for determining beneficial owners of associations (excluding foundations). Section 3 (1) and (3) apply mutatis mutandis for legal arrangements and foundations.

(3) Information on the nature and extent of beneficial interest (subsection (1) no. 4) indicates the reason for beneficial owner status:

1. For associations (excluding foundations):
   a) Ownership interest (capital share, voting rights).
   b) Control by other means (agreements, appointment rights).
   c) Legal representative, managing partner, or partner role.
2. For legal arrangements and foundations: roles specified in section 3 (3).

Section 20: Transparency Obligations Regarding Certain Associations

(1) Private law legal persons and registered partnerships must obtain, retain, update, and notify the registrar entity of beneficial owner information (section 19 (1)) for transparency register entry without delay, electronically in an accessible format. The reason for beneficial owner status (section 19 (3)) must be indicated for the nature and extent of beneficial interest (section 19 (1) no. 4), except where subsection (2) sentence 2 applies.

(2) Notification obligations (subsection (1) sentence 1) are deemed fulfilled if beneficial owner information (section 19 (1)) is already in electronically accessible documents and entries from:

1. Commercial register.

2. Partnership register.

3. Cooperative society register.

4. Register of associations.

5. Company register.

   Notification obligations are always fulfilled for companies listed on organized markets or subject to equivalent transparency obligations. No separate information on the nature and extent of beneficial interest is required if the reason for beneficial owner status (section 19 (3)) is shown in documents and entries (section 22 (1)). If beneficial owners change after notification, such that information is now in registers (sentence 1), the registrar entity must be informed without delay (subsection (1)).

(3) Shareholders who are beneficial owners or under direct beneficial owner control must promptly notify associations (subsection (1)) of information required to fulfill obligations in subsection (1) and any changes. This applies to members controlling over 25% of voting rights, and to persons subject to notification obligations under sentences 2 and 3 who are under direct beneficial owner control. If notification-obligated persons are under indirect beneficial owner control, the obligation applies to the beneficial owner.

(4) Notification obligations (subsection (3)) do not apply if reporting obligations (subsection (1)) are deemed fulfilled (subsection (2)) or if required information is communicated in another form.

(5) The FIU and supervisory authorities can view or receive stored information (subsection (1)) within their functions and powers.

Section 21: Transparency Obligations Regarding Certain Legal Arrangements

(1) Trustees of trusts resident or domiciled in Germany must obtain, retain, update, and notify the registrar entity of beneficial owner information (section 19 (1)) and nationalities for transparency register entry without delay, electronically in an accessible format. Trusts must be unambiguously identified. The reason for beneficial owner status (section 19 (3)) must be indicated for the nature and extent of beneficial interest (section 19 (1) no. 4).

(2) Subsection (1) applies mutatis mutandis to trustees domiciled or resident in Germany for:

1. Foundations without legal capacity if the donor’s purpose is in their own interest.
2. Legal arrangements with equivalent structure and function.

(3) The FIU and supervisory authorities can view or receive stored information from trust administrators and trustees (subsections (1) and (2)) within their functions and powers.

Section 22: Accessible Documents and Transmission of Data to the Transparency Register, Authorization to Issue Regulations

(1) The following information is accessible via the transparency register website (section 23):

1. Register entries on reports (sections 20 (1) sentence 1, 20 (2) sentence 4, and 21).

2. Announcements of shareholdings (Stock Corporation Act section 20 (6)).

3. Voting rights notifications (Securities Trading Act sections 26 and 26a).

4. Shareholder lists of limited liability companies and entrepreneurial companies (Limited Liability Companies Act sections 8 (1) no. 3 and 40) and articles of association deemed shareholder lists (Limited Liability Companies Act section 8 (1) no. 1 in conjunction with section 2 (1a) sentence 2).

5. Commercial register entries.

6. Partnership register entries.

7. Cooperative society register entries.

8. Register of associations entries.

   Documents and entries (sentence 1 nos. 2-8) are accessible to the extent set out in register law if electronically retrievable from public registers (section 20 (2) sentence 1).

(2) To provide access to original data (subsection (1) sentence 1 nos. 2-8), index data are transmitted to the transparency register. The company register operator transmits index data for original data (subsection (1) sentence 1 nos. 2 and 3). State justice administrations transmit index data for original data (subsection (1) sentence 1 nos. 4-8). Index data serve only to mediate access and are not publicly accessible.

(3) The Federal Ministry of Finance, in agreement with the Federal Ministry of Justice and Consumer Protection, can regulate technical details of data transmission between federal state authorities and the transparency register via regulation, including data formats and data protection/security guarantees. Federal state law procedural rule deviations are inadmissible.

(4) The Federal Ministry of Finance, in agreement with the Federal Ministry of Justice and Consumer Protection, can regulate registration procedures for those subject to notification obligations (sections 20 and 21) and technical details of data transmission (subsection (2) sentence 2 and sections 20 and 21) via regulation, including data formats, forms, and data protection/security guarantees.

Section 23: Inspection of the Transparency Register, Authorization to Issue Regulations

(1) Inspection of the transparency register for associations (section 20 (1) sentence 1) and legal arrangements (section 21) is permitted for:

1. Authorities for legal functions:
   a) Supervisory authorities.
   b) German FIU.
   c) Responsible authorities (Foreign Trade and Payments Act section 13).
   d) Law enforcement agencies.
   e) Federal Central Tax Office and local revenue authorities (Fiscal Code section 6 (2) no. 5).
   f) Threat prevention and elimination authorities.

2. Obliged entities demonstrating inspection for due diligence obligations (section 10 (3)).

3. Anyone demonstrating a legitimate interest.

   For point 3, only name, month/year of birth, and country of residence are accessible, unless full information is already public.

(2) At the beneficial owner’s request, the registrar entity can restrict inspection if overriding legitimate interests are demonstrated, considering all individual case circumstances. Legitimate interests exist if:

1. Inspection risks exposure to criminal offenses: fraud, kidnapping, hostage-taking, extortion, robbery, life/limb threats, coercion, threats.

2. Beneficial owner is a minor or incapacitated.

   Legitimate interests are not deemed to exist if data are already publicly accessible. Inspection restriction is not possible for authorities (subsection (1) sentence 1 no. 1), obliged entities (section 2 (1) nos. 1-3 and 7), or notaries.

(3) Inspection requires prior online registration and may be logged for monitoring.

(4) The transparency register allows searching for associations and legal arrangements in all stored data and index data.

(5) The Federal Ministry of Finance can regulate specific inspection details via regulation, including online registration, logging, inspection requirements for obliged entities and legitimate interest parties, and inspection restriction requirements.

Section 24: Fees and Charges, Authorization to Issue Regulations

(1) The registrar entity charges fees to associations (section 20) and legal arrangements (section 21) for register management.

(2) The registrar entity charges fees and expenses for inspection of notified data and production of printouts, confirmations, and certifications (section 18 (4)). Section 7 nos. 2 and 3 of the Act on Fees and Expenses for Federal Services do not apply. Section 8 of that Act applies to authorities.

(3) The Federal Ministry of Finance can regulate fee details via regulation: fee-subject situations, fee payers, fee rates (fixed or scaled), and expense reimbursement.

Section 25: Transfer of the Administration of the Transparency Register, Authorization to Issue Regulations

(1) The Federal Ministry of Finance can transfer registrar entity functions and powers to a private law legal person via regulation.

(2) Transfer is only possible if the legal person guarantees proper function performance, especially reliable and long-term register operation, indicated by fit and proper managers, experience with register law information access, necessary organizational/technical/financial resources, and data protection compliance.

(3) Transfer periods are time-limited (minimum five years) with early termination possibilities for important reasons or if transfer conditions are not met. Upon termination, all software and data for register administration must be made available to the Federal Ministry of Finance or its appointee, with rights transferred.

(4) The conferee can use the small Bundessiegel for register printout certification and confirmations (section 18 (4)).

(5) The conferee can collect fees (section 24), with revenue belonging to them. The Federal Ministry of Finance may transfer charge notification enforcement to the conferee.

(6) The conferee is subject to legal and operational supervision by the Federal Office of Administration, which can request information, reports, records, object to unlawful measures, demand remedial action, and implement measures itself if the conferee fails to comply. Federal Office of Administration employees can enter conferee premises during business hours for inspections and seize documents if necessary.

(7) If administration is not transferred or is terminated, the Federal Ministry of Finance can transfer it to a higher federal authority within its competence or, in consultation, to another higher federal authority.

Section 26: European System for the Interconnection of Registers, Authorization to Issue Regulations

(1) Data (section 22 (1) sentence 1) concerning legal persons, partnerships, or legal arrangements (section 21) are also accessible via the European e-Justice Portal. Section 23 (1)-(3) applies mutatis mutandis. To enable access, the registrar entity transmits notified data (sections 20 (1) and 21) and index data (section 22 (2)) to the central European platform (Directive 2009/101/EC Article 4a(1)) to the extent necessary for original data access via the e-Justice Portal search function.

(2) The Federal Ministry of Finance, in agreement with the Federal Ministry of Justice and Consumer Protection, can regulate electronic data traffic details via regulation, including data formats and payment terms, unless European Commission implementing acts (Directive 2009/101/EC Article 4c) contain regulations.

Part 5: Financial Intelligence Unit (Zentralstelle für Finanztransaktionsuntersuchungen)

Section 27: German Financial Intelligence Unit

(1) The Zentralstelle für Finanztransaktionsuntersuchungen (FIU) is the German Financial Intelligence Unit for preventing, detecting, and supporting the combating of money laundering and terrorist financing (Directive (EU) 2015/849 Article 32(1)).

(2) The FIU is organizationally autonomous and operates with functional independence within its functions and powers.

Section 28: Functions, Supervision, and Cooperation

(1) The FIU’s function is to collect and analyze information related to money laundering or terrorist financing and pass it to competent domestic public authorities for investigation, prevention, or prosecution. In this context, it is responsible for:

1. Receiving and collecting reports under this Act.
2. Conducting operational analyses, including report and information assessment.
3. Exchanging information and coordinating with domestic supervisory authorities.
4. Cooperating and exchanging information with FIUs of other countries.
5. Prohibiting transactions and ordering urgent action.
6. Transmitting relevant operational analysis results and information to competent domestic public authorities.
7. Providing feedback to reporting obliged entities (section 43 (1)).
8. Conducting strategic analyses and producing reports.
9. Engaging in dialogue with obliged entities, domestic supervisory authorities, and competent domestic public authorities on typologies and methods.
10. Compiling statistics (Directive (EU) 2015/849 Article 44(2)).
11. Publishing an annual report on operational analyses.
12. Attending national and international working group meetings.
13. Performing additional functions assigned by other provisions.

(2) The FIU is subject to legal supervision by the Federal Ministry of Finance, limited to cases in subsection (1) nos. 1, 2, 5, and 6.

(3) The FIU and other competent domestic public authorities for investigation, prevention, and prosecution of money laundering, terrorist financing, and other offenses, as well as domestic supervisory authorities, cooperate to implement this Act and provide mutual support.

(4) The FIU, when necessary, informs competent authorities for taxation or social security protection of matters it learns in its functions, if not transmitted elsewhere.

Section 29: Data Processing and Further Use

(1) The FIU may process personal data as necessary for its functions.

(2) The FIU may compare stored personal data with other data if legally permissible.

(3) The FIU may process personal data for training or statistical purposes if anonymized data processing is not possible.

Section 30: Receipt and Analysis of Reports

(1) The FIU receives and processes the following reports and information for its functions:

1. Reports from obliged entities (section 43) and supervisory authorities (section 44).
2. Notifications from revenue authorities (Fiscal Code section 31b).
3. Information transmitted under Regulation (EC) No 1889/2005 Article 5(1) and Customs Administration Act section 12a.
4. Other information from public and non-public sources within its functions.

(2) The FIU analyzes reports (sections 43 and 44) and notifications (Fiscal Code section 31b) to verify if matters relate to money laundering, terrorist financing, or other offenses.

(3) The FIU may obtain information from obliged entities regardless of reports if necessary for its functions, setting adequate response time limits. Lawyers and tax advisors (section 2 (1) nos. 10 and 12) may refuse information relating to legal advice or representation, unless they know the client is using it for money laundering or terrorist financing.

Section 31: Right to Obtain Information from Domestic Public Authorities, Right of Access to Data

(1) The FIU may collect data from domestic public authorities as necessary for its functions. Public authorities provide information upon request if no transmission restrictions exist.

(2) Public authorities must answer inquiries without delay and make relevant data available.

(3) The FIU should establish automated processes for retrieving personal data from other public authorities it is legally entitled to receive, unless legally stipulated otherwise, if appropriate due to the volume or urgency, considering data subject interests. For monitoring permissibility, the FIU must state in writing:

1. Reason and purpose of comparison/retrieval.
2. Information recipients.
3. Data types transmitted.
4. Technical and organizational data protection measures.

(4) The FIU can compare its stored personal data with police information system data (Act on the Bundeskriminalamt sections 13 and 29 (1) and (2)) automatically if necessary for its functions (section 28 (1) sentence 2 no. 2). Matches trigger automated information retrieval from the police system. If police system participants categorize data as sensitive and prevent retrieval, they receive match notifications and must contact the FIU and transmit data if no restrictions exist. These provisions supersede Act on the Bundeskriminalamt section 29 (8). More extensive automated retrieval is permissible with consent from relevant federal and state ministries if appropriate due to volume or urgency, considering data subject interests.

(5) Revenue authorities provide information per Fiscal Code section 31b (1) no. 5 and notify the FIU per Fiscal Code section 31b (2). For information requests from tax offices, the FIU can retrieve relevant tax office and tax number details using first name, surname, address, or date of birth from the database under section 139b of the Fiscal Code. Automated retrieval of other revenue authority data subject to tax secrecy (Fiscal Code section 30) is only possible if permitted by the Fiscal Code or tax laws. Subsection (3) applies to automated retrieval of Customs Administration revenue authority data the FIU is legally entitled to receive.

(6) The FIU may automatically retrieve data from files credit institutions (section 2 (1) no. 1) and institutions (section 2 (1) no. 3) must maintain (Banking Act section 24c (1)) for its functions. Banking Act section 24c (4)-(8) applies mutatis mutandis to data transmission.

(7) To verify person particulars, the FIU can retrieve the following data using automated retrieval (Federal Act on Registration section 38), in addition to data in Federal Act on Registration section 38 (1):

1. Current nationalities.
2. Previous addresses (primary and secondary residences).
3. Issuing authority, issue date, validity duration, serial number of identity card, provisional ID, replacement ID, recognized passport, or passport substitute.

Section 32: Obligation to Transmit Data to Domestic Public Authorities

(1) Reports (sections 43 (1) and 44) must be transmitted by the FIU without delay to the Federal Office for the Protection of the Constitution if there are factual indications that transmission is necessary for its functions.

(2) If the FIU finds property related to money laundering, terrorist financing, or another offense, it transmits analysis results and relevant information to competent law enforcement agencies without delay. Information is also transmitted to the Federal Intelligence Service if necessary for its functions. In cases of subsection (1), analysis results and information related to the report are also transmitted to the Federal Office for the Protection of the Constitution.

(3) The FIU transmits personal data upon request to law enforcement agencies, the Federal Office for the Protection of the Constitution, the Federal Intelligence Service, or the military counterintelligence office if necessary for:

1. Money laundering and terrorist financing investigations or related criminal proceedings.

2. Other threat investigations and criminal proceedings not in point 1.

   The FIU transmits personal data ex officio or upon request to other competent domestic public authorities if necessary for:

3. Taxation procedures.

4. Social security system protection procedures.

5. Supervisory authority functions.

(4) In cases of subsection (3) sentence 1 nos. 1 and 2, law enforcement agencies and the Federal Office for the Protection of the Constitution can retrieve data automatically from the FIU if no transmission restrictions exist. For monitoring permissibility, they must state in writing:

1. Reason and purpose of retrieval.
2. Information recipients.
3. Data types transmitted.
4. Technical and organizational data protection measures.

(5) Personal data must not be transmitted under subsection (3):

1. If it could negatively impact ongoing public authority investigations.

2. If disclosure is disproportionate.

   If automated retrieval (subsection (4)) relates to restricted data, the FIU is notified of the query, and must contact the querying authority to clarify data transmission permissibility.

(6) If law enforcement agencies initiate criminal proceedings based on FIU-transmitted matters (subsection (2)), they notify the revenue authority with underlying facts if transactions are relevant for taxation or criminal tax proceedings. Records (section 11 (1)) used in proceedings can also be transmitted. Notifications and records can be used for taxation and criminal tax proceedings.

(7) Recipients may only use transmitted personal data for the intended purpose. Use for other purposes is permissible if data transmission would also be permissible for those purposes.

Section 33: Exchange of Data with Member States of the European Union

(1) Data exchange with FIUs of other EU member states for preventing, detecting, and combating money laundering and terrorist financing is ensured regardless of predicate offense type and even if the type is undetermined. Differing definitions of tax crimes as predicate offenses do not preclude information exchange. If the FIU receives a report (section 43 (1)) concerning another member state’s competence, it promptly forwards it.

(2) International data transmission provisions (section 35 (2)-(6)) apply mutatis mutandis. The FIU is responsible for data transmission permissibility.

(3) If additional information is needed about an obliged entity active in Germany and registered in another EU member state, the FIU sends its request to that member state’s FIU.

(4) The FIU can only reject information transmission requests from EU member state FIUs if:

1. Transmission could jeopardize internal or external security or essential interests of Germany.

2. Data subject’s legitimate interests override public interest due to essential German law principles.

3. Transmission could hinder criminal investigations or judicial proceedings.

4. Transmission is precluded by mutual legal assistance conditions.

   The FIU must appropriately set out rejection reasons in writing to the requesting FIU, unless operational analysis is incomplete or it could jeopardize investigations.

(5) If the FIU transmits information to an EU member state FIU upon request, it should promptly consent to disclosure to other authorities in that member state. Consent can be refused if the matter would not constitute money laundering or terrorist financing under German law. The FIU must appropriately set out refusal reasons. Information use for other purposes requires prior FIU consent.

Section 34: Information Requests in the Framework of International Cooperation

(1) The FIU may request information, including personal data or documents, from FIUs of other countries dealing with AML/CFT if necessary for its functions.

(2) The FIU may transmit personal data in requests if necessary to substantiate legitimate interest in the information and if overriding legitimate interests of the person concerned do not preclude it.

(3) The FIU must disclose the purpose of data collection and its intention to disclose data to other domestic public authorities in requests. The FIU may only use transmitted data:

1. For requested purposes.

2. In compliance with conditions under which data were made available.

   Subsequent disclosure to other public authorities or use beyond original purposes requires prior consent of the transmitting FIU.

Section 35: Data Transmission in the Framework of International Cooperation

(1) If the FIU receives a report (section 43 (1)) concerning another country’s competence, it may promptly forward it to that country’s FIU, notifying that personal data may only be used for the intended purpose.

(2) The FIU may transmit personal data to another country’s FIU upon request:

1. For operational analysis.

2. For planned urgent measures (section 40), if property is in Germany and connected to a matter before the other country’s FIU.

3. For functions of another foreign public authority preventing, detecting, and combating money laundering or terrorist financing.

   It may use its information to respond. If information includes data from other domestic or foreign authorities, disclosure requires their consent, unless information is publicly accessible. The FIU can request information from domestic public authorities (sections 28, 30, and 31) or demand information from obliged entities. Requests and demands must be answered timely.

(3) Personal data transmission to another country’s FIU is only permissible if requests contain:

1. Requesting authority details.
2. Request reasons and intended data use purpose (subsection (2)).
3. Necessary identity details of the person concerned, if known.
4. Description of the matter and authority to which data will be disclosed.
5. Indication of money laundering or terrorist financing concern and alleged predicate offense.

(4) The FIU may also transmit personal data to another country’s FIU without request if facts indicate money laundering or terrorist financing offenses by persons in that country.

(5) The FIU is responsible for data transmission permissibility and can impose usage restrictions and conditions.

(6) Data recipients must be notified that personal data may only be used for the intended purpose. Disclosure by the requesting FIU to another authority in that country requires prior FIU consent, considering data subject interests. Use as criminal proceedings evidence is subject to cross-border criminal matter cooperation rules.

(7) Personal data must not be transmitted if:

1. Transmission could harm German internal or external security or essential interests.
2. Special federal law transmission provisions preclude it.
3. Data subject’s legitimate interests override public interest, considering data protection level in the receiving country.

(8) Personal data should not be transmitted if:

1. Transmission could hinder criminal investigations or judicial proceedings.
2. Reciprocity is not ensured.

(9) Rejection reasons must be appropriately set out to the requesting FIU.

(10) The FIU must record transmission date, data, and receiving FIU, and retain data for three years before deletion. Non-transmissions are also recorded.

Section 36: Automated Data Comparison in a European Network

The FIU may establish and operate an encrypted, automated data comparison system in a network with EU member state FIUs to determine if other FIUs have already analyzed a data subject or have related information.

Section 37: Rectification, Restriction of Processing, and Deletion of Personal Data in the Case of Automated Processing and in the Case of Storage in Automated Files

(1) The FIU rectifies inaccurate stored personal data processed automatically.

(2) The FIU deletes stored personal data if storage is impermissible or no longer necessary for its functions.

(3) Processing is restricted instead of deletion if:

1. Deletion could adversely affect data subject legitimate interests.

2. Data are needed for ongoing research.

3. Deletion is disproportionately difficult due to storage nature.

   Restricted data may only be processed for the purpose preventing deletion, for ongoing criminal proceedings, or with data subject consent.

(4) The FIU reviews stored personal data in individual cases and within time limits to determine if rectification, deletion, or processing restriction is needed.

(5) Time limits begin when the FIU completes operational analysis (section 30).

(6) The FIU takes reasonable steps to ensure inaccurate, incomplete, or restricted data are not transmitted, verifying data quality before transmission and adding information enabling recipient assessment of accuracy, completeness, and reliability.

(7) If the FIU determines transmitted data are inaccurate, should be deleted, or restricted, it notifies the recipient if necessary to protect data subject legitimate interests.

Section 38: Rectification, Restriction of Processing, and Destruction of Personal Data Which Are Neither Processed by Automated Means Nor Stored in an Automated File

(1) The FIU records if personal data not processed automatically or in automated files are inaccurate or if accuracy is contested by the data subject.

(2) The FIU restricts processing of such data if it determines in an individual case that:

1. Legitimate data subject interests would be adversely affected without restriction.

2. Data are no longer necessary for functions.

   Processing is also restricted if deletion is required under section 37 (2).

(3) The FIU destroys documents containing personal data according to file retention provisions if documents are no longer needed for its functions.

(4) Destruction does not occur if:

1. Legitimate data subject interests would be adversely affected.

2. Data are needed for ongoing research.

   In these cases, processing is restricted, and a restriction note is attached to documents. Section 37 (3) sentences 2 and 3 apply mutatis mutandis.

(5) Documents are delivered to competent archives if they have lasting value under the Federal Archives Act section 3.

(6) If transmitted data are inaccurate, should be deleted, or restricted, section 37 (7) applies mutatis mutandis.

Section 39: Order Opening a File

(1) The FIU issues a file opening order for every automated personal data file it maintains for its functions, requiring Federal Ministry of Finance consent and prior hearing of the Federal Commissioner for Data Protection and Freedom of Information.

(2) File opening orders must set out:

1. File name.

2. Legal basis and processing purpose.

3. Group of persons data pertain to.

4. Types of personal data stored.

5. Types of personal data making file accessible.

6. Data supply or input.

7. Conditions for data transmission, recipients, and procedure.

8. Time limits for data review and storage period.

9. Logging system.

   Data review time limits cannot exceed five years and are based on storage purpose and matter importance.

(3) If urgency prevents authorities in subsection (1) consultation, the Central Customs Authority can issue an urgent order, notifying and submitting it to the Federal Ministry of Finance, followed by the procedure in subsection (1) without delay.

(4) The necessity of maintaining or amending file opening orders is reviewed at suitable intervals.

Section 40: Urgent Measures

(1) If the FIU has indications of money laundering or terrorist financing related transactions, it may prohibit transaction execution to investigate and analyze. It may also, under the same conditions:

1. Prohibit obliged entities (section 2 (1) nos. 1-3) from account/securities account dispositions and other financial transactions.
2. Instruct obliged entities (section 2 (1) no. 1) to deny safety deposit box access.
3. Issue other orders to obliged entities related to transactions.

(2) Measures (subsection (1)) can be taken based on requests from other countries’ FIUs, with requests containing information in section 35 (3). Rejection reasons should be appropriately set out.

(3) Measures (subsection (1)) are rescinded when conditions are no longer met.

(4) Measures (subsection (1)) end:

1. No later than one month after ordering.
2. At the end of the fifth working day after matter referral to law enforcement (Saturday not a working day).
3. Earlier if determined by the FIU.

(5) The FIU may release property subject to measures (subsection (1) sentence 2) upon request if it serves:

1. Basic needs of the person or family.
2. Pension or maintenance payments.
3. Comparable purposes.

(6) Obliged entities or adversely affected parties may object to measures (subsection (1)). Objections have no suspensory effect.

Section 41: Feedback to Reporting Obliged Entities

(1) The FIU confirms report receipt to reporting obliged entities (section 43 (1)) electronically without delay.

(2) The FIU provides feedback on report relevance within a reasonable period. Obliged entities may only use obtained personal data to improve risk management, due diligence, and reporting, deleting data when no longer needed, and at the latest after one year.

Section 42: Notification by Domestic Public Authorities to the German Financial Intelligence Unit

(1) In criminal proceedings where the FIU disclosed information, the public prosecution office notifies the FIU of public prosecution commencement and proceedings outcome, including termination decisions, by sending copies of indictments, reasoned termination decisions, or verdicts.

(2) If the FIU discloses information to other domestic public authorities, the receiving authority notifies the FIU of the final use made of the information and outcome of measures taken, unless other legal provisions preclude notification.

Part 6: Obligations Concerning the Reporting of Matters

Section 43: Reporting Obligation of Obliged Entities

(1) Obliged entities must report matters to the FIU without delay if facts indicate:

1. Property related to a business relationship, brokerage, or transaction is from a criminal offense that could be a money laundering predicate offense.

2. A business transaction, transaction, or property is related to terrorist financing.

3. Contracting parties have not disclosed beneficial ownership (section 11 (6) sentence 3).

   Reporting is required regardless of property value or transaction amount.

(2) Lawyers and tax advisors (section 2 (1) nos. 10 and 12) are exempt from reporting if matters relate to client relationship information subject to professional secrecy, unless they know the client is using the relationship for money laundering, terrorist financing, or another offense.

(3) A senior management member of an obliged entity must file reports (subsection (1)) if:

1. The obliged entity operates an establishment in Germany.
2. The reportable matter relates to the German establishment’s activity.

(4) Reporting obligations (subsection (1)) do not preclude voluntary reporting under Criminal Code section 261 (9).

(5) The FIU, in agreement with supervisory authorities, may define transaction types that must always be reported (subsection (1)).

Section 44: Reporting Obligation of Supervisory Authorities

(1) Supervisory authorities must report facts to the FIU without delay if they indicate property is related to money laundering or terrorist financing.

(2) Subsection (1) applies mutatis mutandis to stock, forex, and financial derivatives market supervisory authorities.

Section 45: Form of Reporting, Authorization to Issue Regulations

(1) Reports (sections 43 (1) or 44) must be filed electronically. Postal transmission is permissible if electronic transmission is disrupted. Reports under section 44 are mandatory for federal state supervisory authorities.

(2) To avoid undue hardship, the FIU may waive electronic transmission and authorize postal transmission upon obliged entity request, possibly for a limited period.

(3) The official form must be used for postal transmission.

(4) The Federal Ministry of Finance can enact detailed provisions on reporting form (sections 43 (1) or 44) via regulation. Federal state law derogations from subsection (1) or regulations are inadmissible.

Section 46: Execution of Transactions

(1) Transactions reported (section 43 (1)) may be executed only when:

1. The FIU or public prosecution office consents.
2. The third working day after report sending has elapsed without prohibition from the FIU or public prosecution office (Saturday not a working day).

(2) Transaction execution is permitted if postponement is impossible or could frustrate proceedings for suspected offenses. Reports (section 43 (1)) must be filed subsequently without delay.

Section 47: Prohibition of Disclosure, Authorization to Issue Regulations

(1) Obliged entities must not inform contracting parties, transaction instructing parties, or third parties of:

1. Intended or filed reports (section 43 (1)).
2. Investigations launched based on reports (section 43 (1)).
3. Information demands (section 30 (3) sentence 1).

(2) Prohibition does not apply to disclosure:

1. To government agencies.

2. Within groups.

3. Between obliged entities (section 2 (1) nos. 1-3 and 6-8) and their third-country group companies subject to a group program (section 9).

4. Between obliged entities (section 2 (1) nos. 10-12) from EU member states or third countries with equivalent AML/CFT systems, if persons perform professional activities via self-employment, within the same legal person, or within a structure sharing common ownership, management, or compliance monitoring.

5. Between obliged entities (section 2 (1) nos. 1-3, 6, 7, 9, 10, and 12) in cases related to the same contracting party and transaction involving multiple obliged entities, if entities are domiciled in EU/equivalent third countries, from the same professional category, and subject to comparable professional secrecy and data protection obligations.

   Information disclosed under sentence 1 nos. 2-5 may only be used for AML/CFT prevention.

(3) Government agencies (excluding the FIU) learning of reports (section 43 (1)) must not disclose information to contracting parties, transaction instructing parties, beneficial owners, representatives, or legal advisors without prior FIU consent.

(4) Lawyers and tax advisors (section 2 (1) nos. 10-12) dissuading clients from illegal activity is not disclosure.

(5) Obliged entities (section 2 (1) nos. 1-9) may provide each other with information beyond subsection (1) about abnormalities indicating money laundering, predicate offenses, or terrorist financing, if they assume other obliged entities need it for risk assessment or to assess reporting (section 43 (1)) or criminal complaints. Information can be provided via databases, used solely for AML/CFT prevention, and subject to conditions imposed by the providing entity.

(6) The Federal Ministry of Finance, in consultation with relevant ministries, can enact further provisions prohibiting information disclosure regarding obliged entities from high-risk third countries (Directive (EU) 2015/849 Article 9) via regulation.

Section 48: Exemption from Liability

(1) Reporters (section 43 (1)) or criminal complainants (Criminal Procedure Code section 158) are not liable unless false reports or complaints are filed with willful intent or gross negligence.

(2) Subsection (1) applies if:

1. Employees report matters (section 43 (1)) to superiors or in-house reporting bodies.
2. Obliged entities or employees comply with FIU information demands (section 30 (3) sentence 1).

Section 49: Access to Information and Protection of Reporting Employees

(1) If analysis of reported matters (section 43) is incomplete, the FIU may provide details to the person concerned upon request if it does not interfere with analysis, redacting personal data of reporters (section 43 (1)).

(2) If analysis is complete but not transmitted to law enforcement, the FIU may provide details upon request, refusing if it would negatively affect international relations, national security, other criminal investigations, or judicial proceedings. Reporter personal data is redacted. Exceptions to redaction may be permitted if data subject legitimate interests override.

(3) The FIU is no longer authorized to provide details after matter referral to law enforcement, but again authorized after public prosecution or court proceedings are completed, with subsection (2) applying mutatis mutandis.

(4) Employees reporting (section 43 (1)) internally or externally must not face employment discrimination as a result.

Part 7: Supervision, Cooperation, Administrative Fine Provisions, Data Protection

Section 50: Competent Supervisory Authority

The competent supervisory authority for enforcing this Act is:

1. The Federal Financial Supervisory Authority (BaFin) for:
   a) Credit institutions (excluding Deutsche Bundesbank).
   b) Financial services institutions, payment institutions, and electronic money institutions.
   c) Domestic branches of foreign credit, financial services, and payment institutions.
   d) Asset management companies.
   e) Domestic branches of EU and foreign AIF management companies.
   f) Foreign AIF management companies supervised by BaFin in Germany.
   g) Agents and electronic money agents.
   h) Companies and persons (section 2 (1) no. 5).
   i) KfW Banking Group.
2. The competent insurance sector supervisory authority for insurance undertakings (section 2 (1) no. 7).
3. Competent local chambers of lawyers for lawyers (section 2 (1) no. 10).
4. The Chamber of Patent Attorneys for patent attorneys (section 2 (1) no. 10).
5. Presidents of Regional Courts for notaries (section 2 (1) no. 10).
6. The Chamber of Public Accountants for auditors and chartered accountants (section 2 (1) no. 12).
7. Competent local chambers of tax advisors for tax advisors and authorized tax agents (section 2 (1) no. 12).
8. Authority granting gambling licenses for organizers and brokers of games of chance (section 2 (1) no. 15), unless state law provides otherwise.
9. Authority responsible under federal or state law for all others.

Section 51: Supervision

(1) Supervisory authorities oversee obliged entities.

(2) Supervisory authorities may take appropriate and necessary measures and issue orders to ensure compliance with this Act and regulations. Objections and annulment actions have no suspensory effect.

(3) BaFin (for section 50 no. 1 (g) and (h)) and supervisory authorities (section 50 nos. 3-9) may conduct inspections at obliged entities without specific reason, delegating inspections by contract. Inspection frequency and intensity are based on the obliged entity’s money laundering/terrorist financing risk profile, re-evaluated regularly and upon significant management/business activity changes.

(4) Supervisory authorities (section 50 nos. 8 and 9) may charge costs for measures and orders to cover administrative expenses.

(5) BaFin (for section 50 no. 1 (g) and (h)) and supervisory authorities (section 50 nos. 3-9) may temporarily prohibit or revoke licenses of obliged entities whose activity requires a license if they willfully or negligently contravene this Act, regulations, or supervisory orders, continue after a caution, and the contravention is sustained. They may also temporarily prohibit senior management or employees from holding senior management positions for contraventions. If the supervisory authority is not the licensing authority, the licensing authority performs revocation procedures at the supervisory authority’s request.

(6) The competent supervisory authority (section 50 no. 9) also exercises supervision delegated under Commission Regulation (EU) No 1031/2010 Article 55(1).

(7) Competent supervisory authorities (section 50 nos. 8 and 9) for obliged entities (section 2 (1) no. 15) may request information from obliged entities (section 2 (1) no. 1 or no. 3) on payment accounts and transactions of online gambling organizers/brokers and players.

(8) Supervisory authorities regularly provide obliged entities with updated guidance on due diligence and internal safeguards, possibly by approving guidance from obliged entity associations.

(9) Supervisory authorities must retain statistical data on their activity, including:

1. Supervisory activity data per year:
   a) Number of full-time equivalent supervisory staff.
   b) Number of on-site inspections and other measures, broken down by obliged entity type.
   c) Number of measures finding breaches and cases learned otherwise.
   d) Nature and extent of legally binding measures (cautions, fines, removals, license withdrawals, other measures), including fine publication status.
   e) Nature and extent of measures to inform obliged entities of due diligence and internal safeguard requirements.

2. Number of suspicious transaction reports (section 44) filed by supervisory authorities per year, broken down by obliged entity type.

   Supervisory authorities transmit data to the Federal Ministry of Finance electronically by March 31st of the following year. The Federal Ministry of Finance may provide a form.

Section 52: Cooperation Obligations

(1) Obliged entities, their governing bodies, and employees must provide BaFin (for section 50 no. 1 (g) and (h)), supervisory authorities (section 50 nos. 3-9), and their designated persons/institutions, upon request and free of charge, with information and documents relevant to compliance with this Act.

(2) In inspections (section 51 (3)), supervisory authority officials and designated persons can enter and inspect obliged entity premises during business hours.

(3) Those concerned must tolerate measures in subsection (2).

(4) Information providers may refuse answers that could incriminate themselves or relatives (Code of Civil Procedure section 383 (1) nos. 1-3).

(5) Obliged entities (section 2 (1) nos. 10 and 12) may refuse questions relating to legal advice or representation, unless they know the client is using it for money laundering or terrorist financing.

Section 53: Reports of Contraventions

(1) Supervisory authorities must establish systems for receiving reports of potential or actual contraventions of this Act, regulations, and other AML/CFT provisions. Reports can be anonymous.

(2) Supervisory authorities can process personal data necessary for their functions.

(3) Supervisory authorities only disclose reporter identity with explicit approval, and do not reveal the identity of reported persons, except for investigations, legal proceedings, or court orders.

(4) The Freedom of Information Act does not apply to cases under this provision.

(5) Staff of supervised entities or outsourced entities who report contraventions are protected from labor law, criminal law, and damages liability, unless false reports are filed with willful intent or gross negligence.

(6) The right to report contraventions must not be contractually restricted for staff of supervised entities or outsourced entities. Conflicting agreements are invalid.

(7) Establishing and maintaining reporting systems does not affect the rights of reported persons, particularly rights under the Administrative Procedure Act, Rules of the Administrative Courts, and Code of Criminal Procedure.

Section 54: Duty of Confidentiality

(1) Supervisory authority employees and those working for them must not, without authorization, reveal or utilize facts learned in their activity if confidentiality is in the interest of obliged entities or supervised third parties, especially business and trade secrets, even after duty ends. Legal data protection provisions remain unaffected.

(2) Subsection (1) applies to others who officially learn of these facts.

(3) Disclosure to specific institutions is not unauthorized if needed for their functions and no other legal provisions preclude it:

1. Law enforcement agencies, authorities (section 56 (5)), or criminal courts.
2. Institutions investigating/preventing money laundering or terrorist financing, and their agents.
3. German FIU.
4. Institutions supervising general risk management or compliance of obliged entities, and their agents.

(4) Facts can only be disclosed to foreign or supranational institutions if their employees are subject to comparable confidentiality duties and informed that information may only be used for the intended purpose. Information from another country can only be disclosed with explicit approval and for approved purposes.

Section 55: Cooperation with Other Authorities

(1) Supervisory authorities fully cooperate with each other and institutions (section 54 (3)) to prevent and combat money laundering and terrorist financing, exchanging information, including personal data and inspection results, necessary for their functions (section 51).

(2) Business registration authorities (Industrial Code section 155 (2)) transmit business registration data (Regulation on Business Registration annexes 1-3) for obliged entities (section 2 (1)) to competent supervisory authorities (section 50 no. 9) free of charge upon request if necessary for their functions (section 51).

(3) Register authorities (Industrial Code section 11a (1)) transmit data (Regulation on Financial Mediation section 6 and Regulation on Insurance Mediation section 5) to competent supervisory authorities (section 50 no. 9) free of charge upon request if necessary for their functions (section 51).

(4) Further data processing powers of supervisory authorities under other laws remain unaffected.

(5) In cross-border cases, cooperating supervisory authorities and institutions (section 54 (3)) coordinate measures.

(6) Supervisory authorities supervising obliged entities (section 2 (1) nos. 1-3 and 6-9) provide information necessary for European supervisory authority functions (Directive (EU) 2015/849, Regulations (EU) No 1093/2010, 1094/2010, and 1095/2010) to:

1. European Banking Authority.

2. European Insurance and Occupational Pensions Authority.

3. European Securities and Markets Authority.

   Information is made available per Directive (EU) No 1093/2010 Article 35, Directive (EU) No 1094/2010 Article 35, and Directive (EU) No 1095/2010 Article 35.

Section 56: Administrative Fine Provisions

(1) An administrative offense is committed by anyone who willfully or negligently commits any of the violations listed in points 1 through 64. (List of 64 violations as per the original German text)

(2) For serious, repeated, or systematic contraventions, the administrative offense may be punished by:

1. A fine up to €1 million, or

2. A fine up to twice the economic benefit derived from the contravention.

   The economic benefit includes profits gained and losses avoided and may be estimated. Fines for obliged entities (section 2 (1) nos. 1-3 and 6-9) that are legal persons or associations may exceed sentence 1 and must not exceed the higher of:

3. €5 million, or

4. 10% of the total turnover in the fiscal year prior to the authority’s decision.

   Fines for obliged entities (section 2 (1) nos. 1-3 and 6-9) that are natural persons may be up to €5 million.

(3) In all other cases, the offense may be punished by a fine of up to €100,000.

(4) Total turnover within the meaning of subsection (2) sentence 4 no. 2 is defined based on EU directives and national law for different types of obliged entities (credit institutions, insurance undertakings, others). Consolidated financial statements of the parent company are used where applicable. If annual or consolidated financial statements are unavailable, the most recent ones are used, or turnover may be estimated.

(5) BaFin (section 50 no. 1) is the administrative authority for administrative offenses under section 36 (1) no. 1 of the Act on Administrative Offences, except for offenses under subsection (1) nos. 52-56, where the Federal Office of Administration is the authority. For tax advisors and tax agents, the tax office is the authority. Competent supervisory authorities (section 50 nos. 8 and 9) are also administrative authorities.

(6) If the tax office is the administrative authority (subsection (5) sentence 3), specific sections of the Fiscal Code apply mutatis mutandis.

(7) Supervisory authorities check the Federal Central Criminal Register for relevant convictions of the person concerned.

(8) Competent supervisory authorities (section 50 nos. 1, 2, and 9) inform the respective European supervisory authority about fines and other measures taken against obliged entities (section 2 (1) nos. 1-3 and 6-9) and relevant appeal procedures and outcomes.

Section 57: Publication of Final and Conclusive Measures and of Unappealable Administrative Fine Decisions

(1) Supervisory authorities must publish final measures and unappealable administrative fine decisions for contraventions of this Act or regulations on their websites after informing the addressee, stating the contravention type, nature, and responsible persons/entities.

(2) Publication may be delayed if it would impinge on personality rights, jeopardize financial market stability, or jeopardize ongoing investigations. Anonymized publication is possible for personality rights protection. Publication can be delayed if anonymization reasons are expected to cease soon, with publication occurring when reasons no longer apply.

(3) Publication must not occur if measures in subsection (2) are insufficient to eliminate financial market stability threats or ensure publication proportionality.

(4) Publications must remain on the website for five years, with personal data deleted sooner if no longer necessary.

Section 58: Data Protection

Obliged entities may only use personal data under this Act for money laundering and terrorist financing prevention.

Section 59: Transitional Provisions

(1) Initial notifications (sections 20 (1) and 21) were due to the transparency register by October 1, 2017.

(2) Register of associations access (section 22 (1) sentence 1 no. 8) is provided from June 26, 2018. Technical requirements for index data transmission (section 22 (2)) were to be in place by June 25, 2018. During the transitional period (June 26, 2017 – June 25, 2018), the register contained a link to the federal states’ common register portal.

(3) Section 23 (1)-(3) entered into force on December 27, 2017.

(4) Supervisory authority exemptions (section 50 no. 8) for online game of chance operators/brokers (section 2 (1) no. 15) remained in force until June 30, 2018, deviating from section 16.

(5) If judicial proceedings regarding AML/CFT were pending on June 25, 2015, or if obliged entities possessed related information/documents, they could retain them until June 25, 2020.

Annex 1: Factors of Potentially Lower Risk

Non-exhaustive list of potentially lower risk factors (section 14):

1. Customer risk factors:
   a) Publicly listed companies with transparency requirements.
   b) Public administrations or companies.
   c) Customers in lower-risk geographical areas (no. 3).

2. Product, service, transaction, or delivery channel risk factors:
   a) Low-premium life insurance policies.
   b) Pension scheme insurance policies without early surrender and not usable as collateral.
   c) Pension, superannuation, or similar schemes with wage-deducted contributions and no member interest assignment.
   d) Financial products/services with defined and limited services to increase financial inclusion.
   e) Products where money laundering/terrorist financing risks are managed by other factors (purse limits, ownership transparency), e.g., certain electronic money types.

3. Geographical risk factors:
   a) Member States.
   b) Third countries with effective AML/CFT systems.
   c) Third countries with low corruption or crime levels.
   d) Third countries with FATF-consistent AML/CFT requirements and effective implementation.

Annex 2: Factors of Potentially Higher Risk

Non-exhaustive list of potentially higher risk factors (section 15):

1. Customer risk factors:
   a) Unusual business relationship conduct.
   b) Customers in higher-risk geographical areas (no. 3).
   c) Legal persons or arrangements as personal asset-holding vehicles.
   d) Companies with nominee shareholders or bearer shares.
   e) Cash-intensive businesses.
   f) Unusual or excessively complex company ownership structure.

2. Product, service, transaction, or delivery channel risk:
   a) Private banking.
   b) Products or transactions favoring anonymity.
   c) Non-face-to-face business relationships/transactions without safeguards (electronic signatures).
   d) Payments from unknown third parties.
   e) New products, business practices, and technologies.

3. Geographical risk factors:
   a) Countries without effective AML/CFT systems.
   b) Countries with significant corruption or crime levels.
   c) Countries under sanctions, embargos.
   d) Countries funding or supporting terrorism or with designated terrorist organizations.