Your questions - our answers

Here you will find answers to your questions on the topic of money laundering prevention. We cover the following topics here in this order: 1. money laundering in general, 2. money laundering prevention, 3. obligations, 4. money laundering reporting officers, 5. Know Your Customer (KYC) and 6. KYC app.

Do you have any further questions? Contact us now.

Money laundering

What is money laundering?

Money laundering describes the channeling of incriminated - i.e. illegally acquired - funds into the legal economic cycle. The aim is to provide the criminal with legal assets that can be explained and that do not allow any evidence of criminal activity. Money laundering is used in particular to finance organised crime and global terrorism.

For this reason, there are many complex obligations that do not always make it easy for obligated parties to achieve full AML compliance (compliance with the obligations under the Money Laundering Act or money laundering prevention compliance). Non-compliance with the requirements and obligations according to the Money Laundering Act is still widespread. The authorities are increasingly imposing high fines for this. Fines of up to five million euros are possible.

Who is responsible for combating money laundering?

In principle, everyone should be aware of the consequences of money laundering. Not only does it support the crime behind it, money laundering also has a lasting impact on the market economy as such and can, under certain circumstances, influence price formation.

First of all, of course, the state law enforcement authorities as well as the political representatives have a duty to take appropriate measures to prevent money laundering as well as to prosecute money launderers themselves. In addition, however, obligated parties under the Money Laundering Act in particular are required to combat money laundering.

Who is responsible for money laundering prevention?

Successful money laundering prevention or the effective combating of money laundering can only succeed if both the public sector (authorities) and the private sector (companies) play their part. The Money Laundering Act also takes this idea into account. Thus, the obligated parties under the Money Laundering Act - all of whom are from the private sector (cf. § 2 GWG) - are obliged to cooperate in the prevention of money laundering. The authorities are also broadly positioned in this regard:

  • The Financial Intelligence Unit (FIU) is the central office for receiving, collecting and evaluating suspicious activity reports. It analyzes all reports related to money laundering or terrorist financing and transmits the results of its analysis to the competent law enforcement authorities if it determines that an asset is related to money laundering, terrorist financing or any other criminal offense.
  • The Federal Financial Supervisory Authority (BaFin) is the competent supervisory authority in the financial sector and supervises the compliance of credit institutions, insurance companies, capital management companies and financial services institutions, etc. with their obligations under money laundering law.
  • The supervisory authorities of the non-financial sector supervise the compliance with money laundering obligations of obligated parties of the non-financial sector, including dealers in goods, real estate agents, art brokers and organizers and brokers of games of chance, etc. Here, the responsibility is a "federal state matter" with the consequence that - depending on the federal state - different authorities may be responsible, including regional councils, senate administrations, district governments, ministries and chambers, etc.
  • The state criminal investigation offices and public prosecutors' offices are responsible for criminal investigations in the area of money laundering. Here, the specific jurisdiction is usually based on the crime scene or place of residence principle (cf. §§ 7 ff. Strafprozessordnung).

When is money laundering a criminal offense?

According to the German Money Laundering Act (GwG), money laundering is not only punishable once a certain amount of money is exceeded. For the legislator, it is also largely irrelevant whether cash or non-cash transactions are involved.

What does the three-phase model of money laundering describe?

A well-known and easy-to-understand model to describe money laundering is the so-called "three-phase model of money laundering", which is also taught by the UNODC (United Nations Office on Drugs and Crime) in training courses. Money laundering is divided into three phases: Placement, Layering and Integration.

The three phases can be illustrated with an example in the motor vehicle sector: A customer orders several cars from a car dealer and makes the down payment in cash (placement). Shortly before delivery, the customer cancels the order and has the deposit paid back by bank transfer (layering). Afterwards, the alleged customer can invest the money laundered in this way further into the legal economic cycle (integration), as he has a proof of origin through the repayment of the down payment of the cars at the car dealer. The legislator therefore starts the fight against money laundering at the placement stage. Car dealers may also have to identify their customers when they are seriously interested in buying and subject them to a risk analysis.

What is understood by structuring?

"Structuring" is the deliberate splitting of larger sums into smaller amounts in order to circumvent thresholds.

The Money Laundering Act provides for certain threshold values for transactions in specific sectors, above which obligated parties must implement their obligations under the Money Laundering Act. These thresholds can be circumvented through structuring. If, for example, KYC checks only have to be carried out above a certain threshold, the sums to be laundered are broken down into smaller amounts.

In the case of jewellers and traders of precious metals, for example, individual items could be regularly acquired by the same person, the amount of which is below the threshold value in each case, without there being a comprehensible reason. This makes it possible for money launderers to circumvent identification and documentation even in the case of larger, accumulated sums and thus to conceal the origin of funds. Even though it is difficult to identify this form of money laundering in practice, such attempts must be reported. If no report is made, a company is in danger of making itself liable to prosecution in case of doubt.

What does smurfing mean?

"Smurfing" is similar to the concept of "structuring", but this process is more complicated and requires more human resources from the money launderer. Smurfing involves distributing the payment or execution of a transaction among different people. In this way, amounts can be pieced together and then distributed via middlemen and women. The clients act in the background.

This form of money laundering can also be detected if the company has an effective money laundering prevention concept that includes staff training, KYC checks and monitoring of transactions.

Money laundering prevention

What is money laundering prevention?

Active money laundering prevention makes it possible to detect and prevent the concealment of illegally acquired funds and their infiltration into the regular economic cycle.

From an economic point of view, many obligated parties under the German Money Laundering Act (GwG) do not see the prevention of money laundering as their original task, but they are nevertheless obligated by law to prevent money laundering. The reason for this is that it is becoming increasingly difficult to trace laundered money once it has entered the legal economic cycle.

While the international community is guided by the guidelines of organisations such as the Financial Action Taskforce (FATF), compliance with money laundering guidelines in Germany is regulated, among other things, by the GwG, which was first passed in 1993 and has undergone numerous amendments to date. The "Act on the Tracing of Profits from Serious Crimes" defines various measures and obligations that must be implemented by the so-called "obligated persons". These measures form the concept of money laundering prevention, which is essentially based on three pillars: Risk management, due diligence obligations and suspicious activity reporting.

Who is responsible for combating money laundering?

Who is included among the obligated parties according to the German Money Laundering Act (GwG) is regulated in § 2 para. 1 GwG. This includes, among others:

  • Credit institutions (Section 2 (1) No. 1 AMLA)
  • Financial services institutions (Section 2 (1) No. 2 AMLA)
  • Payment institutions and electronic money institutions (Section 2 (1) No. 3 AMLA)
  • (Self-employed) financial agents (Section 2 (1) No. 4 AMLA)
  • Insurance companies (Section 2 (1) No. 7 AMLA)
  • Insurance intermediaries (Section 2 (1) No. 8 AMLA)
  • Capital management companies (Section 2 (1) No. 9 AMLA)
  • Lawyers, patent lawyers and notaries (Section 2 (1) No. 10 AMLA)
  • Legal advisers (Section 2 (1) No. 11 AMLA)
  • Auditors, tax consultants (Section 2 (1) No. 12 AMLA)
  • Fiduciary dealers (Section 2 (1) No. 13 AMLA)
  • Real estate agents (Section 2 (1) No. 14 AMLA)
  • Organisers and brokers of games of chance (Section 2 (1) No. 15 AMLA)
  • Dealers in goods, art brokers and art stockists (Section 2 (1) No. 16 AMLA)

The obligations to be complied with differ depending on the sector.

What is the penalty for money laundering?

In Germany, fines of up to five million euros are due for violations of the Money Laundering Act. However, the record fine imposed so far is only 145,600 euros. Nevertheless, an infringement does not only have financial consequences for the obligated party. Unappealable penalty notices are also partially disclosed ("naming" and "shaming") according to Section 57 AMLA.

The text of the law states: "In the notice, the nature and character of the offence and the natural persons and legal persons or associations of persons responsible for the offence must be named." This can mean a high loss of reputation for those affected.

What are interpretation and application notes (AuAs)?

The Money Laundering Act (AMLA) is flanked, among other things, by so-called interpretation and application notes (AuAs for short), which are typically prepared by the supervisory authorities.

The AuAs are specific statements on the interpretation and application of the Money Laundering Act. Although the Money Laundering Act partly contains clear provisions on the practical application, some specifications remain unclear. The reason for this is that there are different sector-specific factors that must be taken into account, for example, when preparing risk analyses. In order to provide obligated parties with clearer specifications, these are developed on the basis of the Money Laundering Act in so-called "AuAs".

What is the non-financial sector?

The Scientific Service of the Bundestag stated in 2019: There is no definition of the non-financial sector. The Money Laundering Act lists all obligated parties without subdivision. Nevertheless, in order to make a subdivision, the Budget and Finance Department is also guided by a classification by the Financial Intelligence Unit (FIU) - the money laundering special unit of customs.

Accordingly, the following obligated parties belong to the non-financial sector:

  • Financial companies,
  • insurance intermediaries,
  • Lawyers, chamber counsel, patent attorneys and notaries,
  • legal advisors,
  • auditors, certified public accountants, tax advisors and tax agents,
  • service providers for trust companies, trustees,
  • real estate agents,
  • organizers and brokers of games of chance and
  • dealers in goods.

Who are traders in goods?

According to § 1 Abs. 9 GwG, a dealer in goods is anyone who sells commercial goods "regardless of in whose name or on whose account." This includes, among others, motor vehicle dealers, dealers in jewelry or precious metals, galleries, and even dealers in rare stamps. According to § 1 Abs. 10 GwG, high-value goods are those that, due to their value, nature or intended use, stand out from everyday objects or do not represent an everyday purchase.


What is risk management?

Obligated persons under the Money Laundering Act must carry out risk management. Effective risk management means the identification and minimisation of money laundering risks in the activities of obligated persons.

For this purpose, it is important to determine and assess the risk of money laundering and terrorist financing in the company or trade in a risk analysis. Based on this, security measures must be taken. These include, for example, the implementation of training, the examination of employees and, in the case of certain obligated parties, the appointment of an anti-money laundering officer.

In addition, the general design of measures to fulfil further legal obligations, such as the establishment of anonymous whistleblower systems or mandatory transaction monitoring, may be required by the legislator or the authorities.

In order for the supervisory authorities to be able to understand what obligated parties have done to comply with their legal obligations, all these processes must be transparently documented and archived. Supervisory authorities attach great importance to the fact that risk management procedures are not only set up once, but - also against the background of constantly evolving legal requirements - are regularly reviewed and adapted.

What is included in the general duties of care?

In order to combat money laundering and terrorist financing, it is mandatory to comply with the customer due diligence requirements of the Money Laundering Act. Before entering into a business relationship, obligated persons must fulfil various due diligence obligations towards their customers. The AMLA distinguishes between general and enhanced due diligence obligations.

These include, for example, customer due diligence obligations such as the obligation to identify contractual partners, to clarify whether the contractual partner is acting for a beneficial owner or whether the customer is a politically exposed person.

When are the general duties of care to be fulfilled?

The general duties of due diligence (§10 GwG) must be fulfilled by every obligated party according to the Money Laundering Act. Exceptions are set out in §14 GwG in the simplified due diligence obligations.

What are enhanced due diligence requirements?

Enhanced due diligence obligations arise under §15 (2) GwG and must additionally be fulfilled if there are indications of an increased risk with a customer. According to §15 (4) GwG, at least the following enhanced due diligence requirements must then be met:

  • Initiation of a business relationship requires approval at management level.
  • The origin of the assets used in the business relationship must be determined by appropriate means.
  • The business relationship must be subject to increased continuous monitoring.

What purpose do the general duties of care serve?

The information obtained through compliance with the general due diligence requirements makes it possible to carry out an individual risk assessment of the respective customer relationship. The aim of this, in turn, is to determine whether one must fulfil enhanced due diligence obligations - this can be the occasion for more intensive follow-up research. Obligated persons may have to find out whether a contractual partner is domiciled in a third country - a country outside the EU - whether there is a high risk of money laundering or terrorist financing in the respective country and whether the contractual partner holds political office. These circumstances significantly influence the risk of a business relationship or transaction. These questions must be asked by obligated parties and answers must be documented. Negligent breaches of customer due diligence obligations could result in fines.

In order to be able to prove that all customer due diligence obligations have been fulfilled, all documents must be kept for at least five years after the audit in compliance with the General Data Protection Regulation.

What is meant by suspicious activity reporting?

If there are indications of money laundering, companies are obliged to report the suspicion. This includes the suspicion that assets originate from an illegal source, transactions are connected to terrorist financing or contractual partners do not disclose their beneficial owners. In these cases, the obligated party must report the facts to the Central Financial Transaction Investigation Unit (FIU) via the reporting portal goAML. The authorities investigate the reports and initiate an investigation if necessary.

Which suspicious behaviour must lead to a report is regularly explained by the FIU in so-called sector-specific "typology papers". Typology papers deal with typical practices of money launderers and can thus help obligated persons to better recognise and report suspicious behaviour. In order to access the reporting portal and the typology papers, obligated persons must have access to the internal area of the FIU.

What are the components of a risk analysis?

There is no standardised process for the preparation of risk analyses; however, the Annexes to the AMLA specify certain risk factors that must be included in the risk analysis. The risk analysis is an integral part of money laundering prevention.

The inventory should include general data on the company and its location as well as on its customer, sales and product structure. In the risk analysis, company-specific risks are identified and evaluated on the basis of internal as well as external sources. For this purpose, industry-specific typology papers from the fight against crime, publications of the supervisory authorities and adverse media checks, among others, should be consulted. The internal security measures build on this: among other things, recommendations for action are derived from the risk analysis. This also includes the handling of suspicious cases and the appointment of a money laundering officer (if necessary).

A risk analysis should be reviewed and updated regularly. Kerberos Compliance takes on this task as part of the creation of a complete money laundering prevention concept. We ensure that the requirements of the German Money Laundering Act (GwG) are met.

What happens if money laundering is suspected?

If money laundering is suspected, reporting obligations are triggered (cf. § 43 ff. GwG). Irrespective of the value of the asset concerned or the amount of the transaction, the obligated parties under the Money Laundering Act (cf. § 2 Geldwäschegesetz) are obliged to submit a suspicious activity report in electronic form to the Financial Intelligence Unit (FIU) without delay. In this context, it is not necessary to determine in the criminal law sense whether a predicate offense of money laundering may be involved (cf. § 261 Strafgesetzbuch). Rather, it must be determined whether the facts of the case are unusual and/or conspicuous on the basis of general professional experience.

What is an extract from the transparency register?

The Transparency Register is a register kept by each EU member state which contains, among other things, information on the beneficial owners of a company. Accordingly, an extract from the Transparency Register ideally also contains data on the beneficial owners of business partners, which must be obtained as part of a KYC or due diligence review.

Money Laundering Officer

Who can become a money laundering officer?

A money laundering officer should have the necessary expertise to ensure compliance with money laundering prevention requirements. Although the legislator does not explicitly stipulate which requirements an anti-money laundering officer must fulfil, it is advisable, in view of the increasingly complex requirements, to obtain certification in the area of anti-money laundering before taking on tasks. Otherwise, proper fulfilment of due diligence obligations is very unlikely. In this context, Section 7 (4) AMLA states that the appointment of an anti-money laundering officer can be revoked at the request of the supervisory authority "if the person does not possess the necessary qualifications and reliability".

Accordingly, companies themselves should be interested in the proper qualification of their money laundering officers. Money laundering officers are not only endowed with special rights and protection against dismissal, they also protect their company from high fines through their work.

When must a money laundering officer be appointed?

The Money Laundering Act lists in § 2 GwG who belongs to the circle of obligated persons. This includes financial service providers, insurance companies, lawyers, casinos, gambling providers and dealers in goods. However, the companies concerned are not necessarily obliged to appoint a money laundering officer.

Section 7 (1) AMLA stipulates who among the obligated parties must appoint an anti-money laundering officer and his deputy at management level:

  • Credit institutions pursuant to Section 1 (1) of the German Banking Act (Kreditwesengesetz)
  • Financial services institutions pursuant to Section 1 (1a) of the Banking Act
  • Payment institutions and electronic money institutions pursuant to Section 1 (3) of the Payment Services Supervision Act
  • Financial undertakings
  • Insurance undertakings
  • Capital management companies
  • Organisers and brokers of games of chance

The law stipulates that the competent supervisory authorities may issue orders as to whether the other obligated parties within the meaning of Section 2 AMLA must appoint a money laundering officer. In the case of dealers in goods, art brokers and art warehouse keepers (Section 2 (1) no. 16 AMLA), the order is to be issued if the principal activity of the obliged party is trading in high-value goods.

What does a money laundering officer do?

The duties of a money laundering officer include, among other things, the preparation of a risk analysis, the creation of uniform reporting channels, and the processing of suspicious cases and suspicious activity reports. Furthermore, the money laundering officer must also undertake actual monitoring measures to ensure that the regulations are complied with, which includes employee training. These measures must be carried out in addition to internal audit checks.

In line with the range of tasks and responsibilities involved, money laundering officers must possess the qualifications required to perform their duties. Pursuant to Section 7 (4) of the Money Laundering Act, the supervisory authorities may revoke the appointment of money laundering officers if they do not possess these qualifications. Training and further education to become a certified money laundering officer is offered by the Kerberos Academy in cooperation with DEKRA Certification GmbH.

Why do you need a money laundering officer?

The function of a money laundering officer is defined in Section 7 (1) AMLA: "The money laundering officer is responsible for ensuring compliance with money laundering regulations; this does not affect the responsibility of the management level. The money laundering officer is directly subordinate to the management." The money laundering officer is thus the central office for combating money laundering and terrorist financing in a company.

Know Your Customer (KYC)

What is "Know-Your-Customer (KYC)"?

"Know Your Customer" (KYC) refers to the identification of customers, which involves extensive research.

This includes the following steps in identification:

  • Identification and verification of all contractual partners
  • Identification of beneficial owners
  • Sanctions list comparison
  • PeP check (comparison with lists of politically exposed persons)
  • Adverse media check (review of publications by various media to assess reputational risk; recommended)

In addition, there is an obligation to document the collected data and to keep it for five years in compliance with the General Data Protection Regulation (GDPR; German: DSGVO).

What is the legal basis for KYC?

The identification of the contracting party - commonly known as "Know Your Customer" checks - is part of the general due diligence obligations under Section 10 of the AMLA.

Legally, Know Your Customer checks are further defined in Sections 11 and 12 of the AMLA. Accordingly, "Obligated persons (...) shall identify contracting partners, any persons acting on their behalf and beneficial owners before establishing the business relationship or before carrying out the transaction." (§11 GwG para. 1 sentence 1). However, it should be noted that different obligated parties - such as brokers - may also have to comply with sector-specific requirements for customer identification, which result from the following sections.

Exceptions to the identification of contractual partners are only permitted if the person to be identified has already been identified on previous occasions and there is no doubt that the information collected has not changed since then (§11 GwG para. 3).

Section 12 AMLA primarily regulates how obligated persons must verify the identity of contractual partners. In this context, the differences in the identification of natural persons (Section 12 AMLA Para. 1) and companies (legal persons) (Section 12 AMLA Para. 2) must be taken into account.

When does the identification obligation under the Money Laundering Act apply?

KYC checks must be carried out by all obligated parties according to the German Money Laundering Act if the specific requirements for their respective industry are met.

Real estate agents, for example, are only required to identify their clients if they broker rental contracts of 10,000 euros or more per month and/or purchase contracts. Car dealers are only obliged to do so from cash transactions of 10,000 euros. In the gaming sector, the limit for stakes or winnings is already 2,000 euros. These specifications are regulated in §10 GwG.

Irrespective of the above-mentioned thresholds, however, obligated parties are always obliged under the Money Laundering Act to comply with the general due diligence obligations vis-à-vis their contractual partners - i.e. also to conduct KYC checks - if there are facts indicating that the assets are related to terrorist financing or money laundering. Due diligence obligations must also be observed if there are doubts regarding the accuracy of the information on the identity of the parties involved in the transaction. This is regulated by §10 par. 3 nos. 3 and 4.

KYC check: What data has to be collected?

If the contractual partner to be identified is a natural person, then data must be collected in accordance with Section 11 GwG Paragraph 4 No. 1. These are:

  • First name and surname
  • Place of birth
  • Date of birth
  • Nationality
  • A residential address

Changes in the contracting parties during a business relationship must also be documented by the obligated parties according to Section 11 AMLA Paragraph 6.

What data must be collected to identify companies?

If the contractual partner to be identified is a company - i.e. a legal entity - then data must be recorded in accordance with §11 GwG para. 4 no. 2. These are:

  • Company name, name or designation
  • Legal form
  • Registration number, if available
  • Address of the registered office or principal place of business
  • The names of the members of the representative body

For the identification of beneficial owners, further information is required according to §11 GwG para. 5. In some cases, this also includes extracts from the transparency register.

Changes in the contracting parties during a business relationship must also be documented by the obligated parties according to Section 11 AMLA Paragraph 6.

What documents are required for the KYC check?

In general, Kerberos requires the following documents for a KYC check:

If the contract partner to be identified is a natural person, a copy of a valid identification document* (ID) is sufficient.

For the identification of companies - i.e. legal entities - Kerberos requires the following documents:

  • Name of the company,
  • Registration (in Germany: commercial register number + register court; for foreign companies: an equivalent register number),
  • registered office (street, house number, postcode, city),
  • Copy of a valid identity document* (ID) of the appearing person (the person with whom you are conducting negotiations or who is your contact person),
  • Surname and first name of the beneficial owner of the company.

*Valid identity documents are in particular:

  • German identity card,
  • EU identity card incl. proof of address (registration confirmation or a recurring consumption bill (telephone, gas, water, electricity, etc.)),
  • Passport incl. proof of address (see above).

What is Due Diligence?

Due diligence is generally understood to be an extended Know Your Customer check - i.e. an in-depth check of the identity of business partners and customers. While due diligence is generally always recommended, it is only mandatory in certain cases - namely when there is an increased risk of money laundering or terrorist financing.

What exactly is meant by "enhanced" due diligence is only vaguely defined in Section 15 AMLA on enhanced due diligence obligations. Among other things, it states that "appropriate measures" must be taken to identify assets (Section 15 (4) AMLA). Likewise, in certain cases, "additional information" must be obtained about contracting partners and beneficial owners, without a more precise definition of where the information is to be retrieved and how much there should be. Within Europe, there are still different standards with regard to these checks, which sometimes makes the cross-border prosecution of money launderers more difficult.

You can find out more about the due diligence process with Kerberos here on our solutions page.

The risk assessment provides information on whether a business relationship should be maintained or terminated and provides a solid basis for decision-making. For this purpose, various databases are used to disclose as many connections to business partners, service providers and other third parties as possible.

Who needs due diligence?

On the one hand, due diligence can be used to comply with the identification obligation under money laundering law. In addition, it is also useful for any company that wants to know who it is doing business with. It is "smart business", so to speak, to know who you are doing business with.

Why do companies and organizations need due diligence?

Due diligence is an in-depth and intensive examination of business partners to identify any anomalies. This can involve all kinds of issues. From bad press, to actual criminal matters, to organized crime. But also general, extended information about a business partner, such as licenses or the countries in which a business partner is active, can be useful for a business decision.

A due diligence check can be used as a follow-up check to the identification of a business partner under money laundering law. This is because, on the one hand, there is a legal obligation to conduct extended investigations in accordance with the German Money Laundering Act if an increased risk arises in connection with a business partner. Furthermore, it is also useful overall to be informed about risks in connection with business partners in order to reduce one's own reputational or criminal risk.

What and who are beneficial owners?

The beneficial owner is the natural person who owns or controls the contracting party or at whose instigation a transaction is carried out or a business relationship is established.

According to this definition, beneficial owners include any natural person who indirectly (e.g. through shares in a company) or directly (e.g. as a private individual) owns more than 25% of the capital shares and/or more than 25% of the voting rights. In practice, however, the situation is complicated.

For example, start-ups are often financed through different sources, so that private investors and companies sometimes hold equal stakes in these companies and each own more than 25% of the voting rights or capital shares.

In the case of multi-level shareholding structures, the natural persons - possibly also through several legal entities - who exercise control over the contracting party according to the above standard must be determined. If, for example, a natural person directly owns 30% of a company while a legal partnership holds the remaining 70%, the beneficial owners of the legal partnership must also be indicated as indirect beneficial owners.

This assessment is based on legal information from the Federal Office of Administration on the obligation to report beneficial owners in the transparency register. According to this, persons who can prevent fundamental decisions via a blocking minority also count as beneficial owners. Thus, if two natural persons each hold 50% of the voting shares of a company, both are considered beneficial owners of this company.

Since 2017, beneficial owners must be entered in the transparency register. In this register, the beneficial owners of legal entities, companies and associations are to be centrally recorded and made publicly accessible.

What are "FIU suspicious transaction reports" and what must be observed when complying with reporting obligations?

One of the obligations of the AMLA is to report suspicious transactions to the FIU (Financial Intelligence Unit) via the goAML portal. Obligated persons must register with this portal for this purpose. Violations of this obligation can be punished with fines.

The report includes answers to the following four basic questions - but should be enriched with further information:

  • Who is it about?
  • What was purchased?
  • What was suspicious?
  • Additional conspicuous features

A more extensive, though still non-exhaustive, list of information to be included in SARs can be found here. After examining the SARs, the FIU sends the reporters corresponding requests for action.

Why are countries on the FATF risk lists?

The FATF (Financial Action Task Force) consists of 39 member states. It establishes international criteria to combat and prevent money laundering, terrorist financing and proliferation financing and verifies compliance with them worldwide. The advantage of compliance is that countries receive a kind of seal of approval that facilitates access to the international market. If no strategic deficit is identified in an FATF audit, other countries do not have to apply special security measures in trade with those countries.

Countries on the so-called "grey list" show (according to the FATF) strategic deficits in the implementation of international requirements or, as in the case of Syria, have not been able to be audited by the international organisation for a long time. International trade can adjust to the particular risks associated with the FATF's assessment and exercise special caution.

The naming of a country on the "black list", as is currently the case only with Iran and North Korea, is explicitly linked by the FATF with the recommendation not only to exercise special caution, but also to immediately impose sanctions to protect the international market. A complete overview of the lists can be found here.

What is a "sanctions list check" and a "PeP check"?

According to the Money Laundering Act, contracting partners must be checked to see if they are politically exposed persons. This means that it is checked whether they hold or have held political office. This would result in stricter due diligence requirements.

In addition, it is advisable to check whether contractual partners are on sanctions lists.

In this process, it makes a difference whether it is a natural or legal person - especially with regard to their beneficial owners. In particular, persons against whom international sanctions have been imposed often use company networks that conceal the identity of the beneficial owners. Under certain circumstances, sanctions can be circumvented in this way. The identification of the actual beneficial owners and their comparison with sanctions lists are accordingly important components of the KYC process.

KYC checks therefore also help to comply with international sanctions and prevent corruption. If the authorities determine that there are avoidable illegal business transactions due to structural deficits in compliance with customer due diligence obligations, there is sometimes not only the threat of fines. There is also the risk of high reputational damage and the possibility that countries such as the USA could initiate further legal action.

KYC web app

Is the application a browser solution?

The KYC app can be used as a web app on all digital devices without downloading. Simply access the web app here and log in with your user data.

Is there a separate authorisation management system?

Yes, the applications at Kerberos Compliance have an authorisation management system. The technical and organisational measures to ensure data security are documented in the annex to the order processing contract.

Where is the data stored?

The data is stored in the Google Cloud Europe (Belgium).

In the case of cloud use - is the data held there in accordance with BaFin requirements?

Yes, Kerberos follows the legal requirements as a compliance service provider (audit and instruction rights; data security and data protection, deletion of data).

Is there an appropriate emergency concept?

Yes, business continuity management is part of the certified information security management system.

How is the data deleted?

The data is stored for the legal retention periods under the GwG and then deleted in accordance with data protection requirements.

Is Kerberos a processor?

Yes, Kerberos is acting as a processor here and therefore provides a processing contract.

Do you have appropriate technical and organisational measures and documentation?

Yes, the technical and organisational measures to ensure data security are documented in the annex to the order processing contract.

Does the company have subcontractors outside Europe that are related to the application? If yes, what are the contractual arrangements in this respect?

No, only sub-processors in the EU are used for the KYC solutions.

Is there an architecture description for the application (functionality, procedure)?

There is documentation for the application (e.g. architecture, sequence and flow diagrams).

Is the company certified in terms of IT? If yes, which certificates are available?

Yes, Kerberos operates an information security management system in accordance with the international standard ISO/IEC 27001, which has been certified by TÜV since 2019.

Are KYC checks assigned to or shown on specific invoices?

For data protection reasons, it is not possible to identify the subject of a check on the corresponding invoice. If you want to assign a check to an invoice, you can use the filter function in the app. To do this, click on "Orders", then on the filter symbol next to the upper search bar, and select "Completed" from the menu. All completed KYC checks will then be displayed.

Do you have any further questions?

Contact us now.

In a hurry? Call us!

Our support staff is available on weekdays from 09:00 - 17:30.

+49 221 650 88 92 – 0