
Published: 26.02.2025 | Topic: Anti-money laundering

Money laundering prevention – experience from on-site inspections

How effective is the prevention of money laundering and terrorist financing among companies in the financial sector? BaFin’s on-site inspections show a need for further improvement in a number of areas.

By Sebastian Klöckener and Simon Ufer, BaFin Money Laundering Prevention

For companies in the financial sector, the risk of being abused for money laundering and terrorist financing is still high, particularly given the current conflicts and geopolitical tensions. They must therefore protect themselves. The financial sector, which is under BaFin’s supervision, has made progress in preventing money laundering and combating terrorist financing in past years. But there is still a need for improvement, as BaFin’s inspections show.

Effective money laundering prevention is important, but it also requires substantial resources. It presents companies with multiple challenges, as the regulations are complex and their implementation very time-consuming. The anti-money laundering (AML) officers play a key role in preventing money laundering and therefore require a strong position in their companies and the support of the management bodies. Companies need sufficient staffing, material and financial resources for their money laundering prevention.

At a glance: Money laundering prevention – a common goal

It is the common goal of financial supervision and companies to combat money laundering and terrorist financing. Effective prevention requires close cooperation, with both sides working in tandem.

The AML officers play a decisive role here. They must be able to identify conspicuous payment flows, business models and company structures at an early stage in order to effectively counter these risks. This is the only way that they can effectively prevent money laundering and terrorist financing.

BaFin inspects companies in the financial sector specifically with regard to the areas of money laundering prevention, terrorist financing and other criminal offences. If shortcomings are identified in a company’s internal safeguards and its compliance with due diligence obligations, BaFin may order on-site inspections. These are a key component of BaFin’s supervisory practice.

They are conducted on an ad hoc basis if, for example, circumstances call for swift and comprehensive examinations and clarification. However, BaFin also conducts inspections on a regular basis and regardless of specific circumstances. In recent years, it has stepped up its money laundering supervision and is increasingly carrying out on-site inspections. These have shown similar shortcomings at multiple companies.

AML officers – support of the management body essential

Besides money laundering prevention, AML officers and their deputies often assume other responsibilities in the company, for example as securities compliance officer or in the legal department. Depending on the size, business model and risk situation of the company, these multiple responsibilities mostly do not pose a problem and can create synergies.

However, in the course of its inspections BaFin also regularly observed that AML officers were not able to sufficiently execute their AML responsibilities. In some cases, backlogs were observed in, for example, the processing of hits in the transaction monitoring or screening systems. Or suspicious cases were reviewed too late, thus leading to a delayed submission of the suspicious activity reports. As AML officers are often also responsible for other functions, their organisational units must have sufficient means to execute the tasks.

The management bodies must support money laundering prevention and expand the personnel resources in this area. The principle of “tone from the top” also applies in this context – managerial staff and the management body must exemplify the (compliance) culture. If in the course of spot checks, for example, BaFin finds that specific warnings of the AML officers are possibly being disregarded in favour of potential earnings possibilities, it interprets this as a clear sign that money laundering prevention in that company is not being taken seriously enough.

Shortcomings in control activities

Findings from the control activities of the AML officers or the AML organisation are a fundamental component for assessing the appropriateness and effectiveness of a company’s safeguards and due diligence measures. The starting point for the control activities is a comprehensive control plan that encompasses all risk and business areas and all prevention measures. It must reflect the results from the risk analysis. The control activities themselves must be well structured, particularly with regard to the targets, objects and timing of the controls.

Frequently, the control plans failed to fully encompass all relevant business areas and important topics relating to money laundering. Moreover, checks were not regularly made to ensure that the plans were up-to-date. The inspections also revealed that the control activities were in some cases ineffective because the object of the controls or the manner in which the controls were executed failed to address the risks. Furthermore, complete and sufficiently meaningful documentation of the activities was often missing.

Risk analysis – incomplete inventory

In several cases, BaFin has found that the companies’ inventory (Bestandsaufnahme) of their customers, products and structures was incomplete. Yet this inventory forms the starting point for the risk analysis. To fulfil this role properly, the inventory must provide a comprehensive picture of the company. An incomplete inventory could have a negative impact on the risk analysis, which in turn would not be able to fulfil its role as the basis for identifying and assessing risks. Companies must therefore ensure that they prepare a detailed and structured description of their customer and product structures.

A comprehensive overview of a company’s business activities also requires taking the organisational and distribution structures as well as transactions fully into account and considering outsourcings in the assessment. Statistical data can be attached as an annex.

No structured identification and assessment of the risks

BaFin’s inspections also focussed on the methodology to identify and assess the risks. The objective of the risk analysis is not to present the lowest possible risk but to deliver a realistic assessment of the risks. The analysis must therefore pursue an objective and structured approach. This is the only way for it to form the basis for appropriate and effective safeguards. In the inspections, BaFin was often unable to comprehend how the company arrived at its assessments and results.

The methodology also includes a suitable method for the assessment of the risks. BaFin’s inspections showed that factors such as “likelihood of occurrence” and “severity of damage” were used to assess the risks arising from money laundering and terrorist financing. However, these factors are only relevant for assessing other criminal offences. Additionally, an assessment of the risk of non-compliance has often been conducted, in other words the risk arising if the company fails to comply with laws or regulations. However, no assessment was made of the risk of the company being abused for money laundering or terrorist financing.

Shortcomings were also frequently noted in the assessments of the safeguards already implemented. In many cases, no assessment was made of the effectiveness of the safeguards and, thus, their risk-mitigating effect. Instead, the mere fact that a safeguard was in place was deemed sufficient.

Companies insufficiently differentiate risks

In its inspections, BaFin determined that the obliged entities were often not differentiating their entity-specific risks clearly enough. They either took no account at all of the risks from terrorist financing or failed to consider them sufficiently. This was particularly striking if risks from money laundering and terrorist financing were being analysed and assessed together. As a result, the individual risks were not specifically examined. BaFin recommends differentiating between the respective risks and dividing the risk analysis into separate sections.

The companies also failed to differentiate sufficiently between measures taken to prevent money laundering and measures to combat terrorist financing. Depending on the business model and customer structure, specific measures must be employed here.

Need to individually adjust the monitoring systems

Credit institutions, payment institutions and asset management companies are obliged to use IT systems for monitoring business relations and individual payment transactions. This enables them to identify potential indications of money laundering, terrorist financing and other criminal offences. BaFin often found that the monitoring parameters were not sufficiently institution-specific to identify suspicious activity. The model regularly failed to cover all risk areas that had been identified in the company’s risk analysis.

Relevant typologies of the Financial Intelligence Unit were either not or not fully taken into account in the model. Furthermore, the companies often failed to determine thresholds and peer groups using reliable (for example statistical) methods that take the customer and product structures into account. It is therefore important that companies validate their parameterisation regularly as well as on an event-driven basis.

BaFin frequently noted that complete documentation of the regular model validation was missing. Moreover, the companies often did not examine the quality, completeness and availability of the relevant data used for their monitoring. In its inspections, BaFin also determined that the transaction monitoring systems did not sufficiently account for typologies of terrorist financing.

Shortcomings in the fulfilment of recording and retention requirements

The German Money Laundering Act (Geldwäschegesetz) requires companies in the financial sector to record and retain the data collected as part of their due diligence. This enables them to prove the appropriateness of the due diligence measures taken and provide information. The inspections often revealed shortcomings in the photographs or copies of identity documents. Frequently, photographs or other copies and scans of identity documents were provided electronically by the customers themselves. This is inadmissible if the documents were not checked on the company’s premises. Moreover, copies were often stored in the company’s system without a designation of origin.

Photographs of identity documents that have been presented on-site are admissible for fulfilling the recording and retention obligations. However, the institution must ensure and prove that it was not using a copy that had been made in advance and that the document had actually been presented. On-site inspections have shown that a company-owned recording device can be useful for this purpose. Alternatively, the taking of the photograph must be comprehensibly documented by employees of the institutions.
