Merkel government embedding new AML/CFT Act ahead of 4MLD deadline

The new German Anti-Money Laundering Act finally has passed both chambers of parliament and will become mandatory by the end of June 2017. 

Germany's Federal Council (Bundesrat) agreed to the act on June 2, 2017, 
allowing Chancellor Angela Merkel's government to apply the requirements of the Fourth Money Laundering Directive (4MLD) ahead of the mandatory implementation date, June 26, 2017. Continuing political debate regarding the new transparency register had threatened to delay implementation.

The new act has imposed far more detailed requirements on firms. Enforcement has been restructured and supervisors have been given additional dedicated powers of analysis, the range of businesses covered has been expanded and regulatory fines have become much more drastic. Firms may want to check that they are fully prepared for all aspects of the new act and the ways in which it may affect different parts of their business activities.

Background

The German Ministry of Finance issued a first draft of the act in October 2016. The draft included 4MLD requirements, discussion of the 5MLD following the Paris terrorist attacks and requirements which emerged from the Panama Papers affair. A second draft, incorporating feedback from industry associations and other affected parties, was issued for parliamentary discussion during December 2016. 

There was extensive debate about the composition of, and access rights to, a transparency register holding details of beneficial owners; other public registers in Germany can generally be accessed by any legitimate party.

Major AML reform

The final version of the new act has 59 sections — considerably more than the 17 sections included in the original 2008 Act. Germany's Federal Council has also signed off further reforms, and in particular a new Tax Circumvention Offences Act, which aims to address issues raised by the Mossack Fonseca affair.

New requirements set out in the AML Act

Germany's new AML Act comprises 59 sections, set out in seven chapters:
    • Chapter 1: Terminology and obligated parties

      As with any piece of German legislation, the first part of the act contains definitions of terminology used, obligated parties and beneficial owners, and sets out the legal references to be considered. Firms should be aware that the new definitions have more detailed granularity , and must train their staff accordingly. 

      The wider circle of obligated parties proposed in the draft act has been retained, placing AML obligations on several businesses beyond financial services sector. In particular, the new act highlights the risks associated with commercial goods trading, and as such extends AML obligations to a wider range of businesses. For an export-driven economy, such as Germany this represents a major extension of compliance duties.


    • Chapter 2: Risk management

      Chapter 2 sets out individual and group-wide risk management and risk-based analysis which firms will now be expected to perform, outlines the internal measures which must be taken and sets out the rights and duties of the German equivalent of money laundering reporting officers' role and the dedicated records which must be kept. 

      The act has introduced more safeguards regarding MLROs' job security, and placed a greater emphasis on the need for the role to be independent. It has also set out further obligations for firms to train employees on actual typologies and terrorist financing methods, and obligation requirement for firms to introduce measures which allow issues to be reported between all parts of a group.

      The new act explains the probity expected of employees under AML law; this must include regular background checks to conform with risk management provisions.


    • Chapter 3: Customer due diligence

      This chapter sets out know-your-customer duties, dependent on underlying risk; dedicated German identification and verification measures; requirements governing the outsourcing of due diligence activities to third parties; and specific requirements for online gambling due diligence.

      Two new addenda define risk factors firms must consider, and the German Ministry of Finance has been given power to request enhanced due diligence for certain customers, products, services, transactions or distribution channels.


    • Chapter 4: Transparency register

      This chapter includes details of how the register must be kept, the installation of a pan-European network, details for beneficial owners, specific transparency duties for trusts and other entities, and provides documents, together with details of data transmission and fees and costs. 

      This section is completely new. It defines different sorts of transparency obligations, sets out how the transparency register will interact with other German registers and the requirements for submitting details to the register. 

      There was strong parliamentary debate regarding who was allowed to access details from the register; in the final version this includes obligated parties, state prosecutors and anyone who can prove to the register that they have a legitimate interest, including non-governmental organisations and investigative journalists. Any access to data will be governed by electronic protocols.


    • Chapter 5: Central Unit for Financial Transaction Review (FIU)

      The chapter details the role of the new central unit, oversight and any national and international collaboration, conflicts between different privacy and protection requirements, general reporting obligations, analysis outcomes and consequence management, including feedback to reporting parties. 

      The act has provided some clarification about the actions the FIU is allowed to ask firms to carry out, which includes stopping transactions and freezing the funds involved instantly. The deadline for continuing with transactions when no notice has been received by the FIU after reporting day has been extended by one working day to three days.


    • Chapter 6: Reporting duties

      This chapter covers the duties of obligated parties and of regulators and other state supervisors; forms of reporting; the impact on transactions and information to affected parties; and offers legal protection for obliged parties' reporting individuals.


  • Chapter: Oversight, collaboration, fines, data protection

    Nine sections detail state oversight, collaboration duties for involved parties; privacy and protection considerations regarding the handling of sensitive information; working with other state bodies; regulatory and legal fines; and regulatory privacy implications.

    For German-regulated firms there are new provisions requiring details of AML wrongdoings and fines to be published on the regulator's website.
What the new act will mean

Additional duties from the new transparency register

The beneficial ownership register will also bring new duties for firms. As outlined in the act, all entities governed by the law must report and update details of their beneficial owners electronically on a regular basis. That said, they are not obliged to do so if the data is fed through from other public registers. Firms should therefore double-check that they comply with submission requirements, and ensure that their IT departments have an appropriate data interface. Firms may also like to consider whether, now that the new transparency register is in place, they need to revisit the internal business processes they use to mitigate their third-party risk from contractual relationships.

Need to report cases to a new enhanced FIU unit

Firms are required to report cases to the financial intelligence unit, which will be reorganised. The FIU will now focus on adopting a more operational and strategic analysis role as part of the Ministry of Finance and the central customs office. As such, it is expected that AML officers will need to answer somewhat different sets of questions. There may be also more direct feedback from the FIU, as cases shared with them will first be analysed to see whether it makes sense for them to go through to enforcement, thus taking some of the pressure away from their investigative resources. 

Firms must ensure they have business processes in place to comply with the new direct asset-freezing obligations the FIU may now issue shortly after receiving a report.

More drastic regulatory fines and new BaFin powers

As part of their AML training programmes, firms may want communicate the more drastic fines which have now been introduced for wrongdoing. For any serious, repeated and systematic breaches the maximum fine has risen from 100,000 euros to 5,000,000 euros for banks, or up to 10 percent of a group's annual turnover. Even for non-bank, fines can be as high as 1 million euros and twice the financial benefit realised from the offence.

In addition, the new act provides for financial service firms to be "named-and-blamed" on BaFin's website; this is a new provision for anti-money laundering offences in Germany. The regulator will also be able to ban persons found to be responsible for breaches from exercising further management functions at the entity in focus; senior management therefore needs to be made aware of new BaFin powers.

Enhanced training required 

The regulator has clearly asked firms to evolve their internal risk assessments to ensure that they include the latest methods for money laundering and terrorist financing. To ensure this has been fully understood throughout a firm, the regulators intend to look at how training is carried out, and whether the content of such training and its methodology is constantly updated to meet requirements. 

Dedicated training needs include updated training for in-house specialists covering AML, tax and fraud developments. Now that the definitions and details set out in the act have become so much more extensive, this needs to be reflected in specialist training.

Provide evidence of background checks for employees 

The new AML Act defines the probity of an employee with regard how aware they are of their anti-money laundering obligations, and how firms can evidence this. The act also asks firms to check the probity of employees involved to activities which fall under the act on a regular basis, and not just at the point of hiring. HR functions should check how this affects workers' council rights, and how evidence of background checks is being recorded.

Wider range of business now in regulatory focus

Any business considered by the act to be an obligated party has to perform and document a risk-based analysis of its inherent money laundering risk, and there also needs to be a dedicated analysis of group-wide risks at all levels, which must be updated on a regular basis. 

This requirement is no longer limited to financial services firms, which are used to performing that analysis; the new law has brought many other kinds of businesses into scope, and they may want to consider employing external expertise. Sources suggest that state oversight administration has launched first AML reviews of large German-based retailers, and major law firms and consultants have put AML compliance for retail and import-export firms at the top of their agenda, something which seems appropriate for one of the leading export nations in the world. 

Outlook

The new act goes in hand-in-hand with BaFin's recent initiative to allow new ways of digital identification for individuals, and firms from all kinds of different backgrounds have been looking at how the new act might be used to provide enhanced service quality for clients and customers. 

Most recently a group consisting of Allianz Insurance, Deutsche Bank and Postbank, media house Axel Springer and the two internet venues Core and Here issued plans to install a pan-industry platform for online registration, e-identification and data services.

Even though the transparency register provides key information on beneficiary owners, firms may face more information requests to confirm details obtained from the register, and may want to revisit all information-sharing processes to ensure they are fit-for-purpose and that any personal data shared is appropriately protected.
 

 

  • Hermann Wennekers is senior regulatory intelligence expert (DACH) for Thomson Reuters Regulatory Intelligence in Hamburg. He is a senior level compliance officer with more than 20 years' compliance and audit experience.