KYC Obligations in Germany — Complete 2026 Guide

Comprehensive guide to KYC and anti-money laundering obligations in Germany: BaFin requirements, GwG (Geldwäschegesetz), document verification, and best practices for obligated entities.

Regulators: BaFin
Key laws: GwG (Geldwäschegesetz), AMLD6
Last updated 2026-03-28

Regulatory Framework

Germany, Europe's largest economy, has a comprehensive anti-money laundering framework built on the Geldwäschegesetz (GwG) — the Money Laundering Act. Initially adopted in 1993, the GwG was thoroughly overhauled in 2017 to transpose the 4th EU Anti-Money Laundering Directive (AMLD4), then amended in 2020 (AMLD5) and 2023 (AMLD6). The current version of the GwG serves as the reference text for all due diligence obligations in the fight against money laundering and terrorist financing (AML/CFT).

BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht — Federal Financial Supervisory Authority) is the central regulatory authority. It supervises banks, insurance companies, investment firms, payment service providers, and other financial institutions. BaFin is responsible for enforcing the GwG in the financial sector and has extensive investigative, supervisory, and sanctioning powers. It regularly publishes interpretive guidelines (Auslegungs- und Anwendungshinweise) that clarify its expectations.

The Financial Intelligence Unit (FIU), attached to the General Customs Directorate (Generalzolldirektion), is Germany's financial intelligence unit. It receives suspicious transaction reports (Verdachtsmeldungen) from obligated entities and analyses them to determine whether they should be forwarded to law enforcement. Since its transfer from the police to customs in 2017, the FIU has faced criticism regarding processing delays, leading to reforms and increased staffing.

The German framework is distinguished by the role of the Länder (federal states) in supervising certain non-financial professions (real estate agents, goods dealers, etc.), creating a decentralised supervisory system. Each Land has a competent supervisory authority for non-financial professions, while BaFin remains competent for the financial sector at the federal level.

Who Must Comply

Section 2 of the GwG defines an extensive scope of obligated professions and activities:

  • Credit institutions (Kreditinstitute): universal banks, savings banks (Sparkassen), cooperative banks (Volks- und Raiffeisenbanken), online banks
  • Financial services institutions (Finanzdienstleistungsinstitute): brokers, investment advisors, portfolio managers
  • Payment institutions and electronic money institutions: fintechs, neobanks, payment service operators
  • Insurance companies: life insurers, insurance intermediaries for capitalisation products
  • Investment companies and depositaries: Kapitalverwaltungsgesellschaften (KVG) and Verwahrstellen
  • Crypto-asset service providers: exchange platforms, custody services, licensed by BaFin since 2020
  • Legal and accounting professions: lawyers (Rechtsanwälte), notaries (Notare), auditors (Wirtschaftsprüfer), tax advisors (Steuerberater)
  • Real estate agents (Immobilienmakler): for real estate transactions
  • High-value goods dealers (Güterhändler): for cash payments exceeding EUR 10,000
  • Casinos and gaming operators: land-based casinos and online gaming operators

Since the transposition of AMLD5, the GwG also covers art and antique dealers for transactions exceeding EUR 10,000 and real estate rental intermediaries for monthly rents exceeding EUR 10,000.

Customer Due Diligence Requirements

Standard Due Diligence (CDD)

Standard due diligence obligations (allgemeine Sorgfaltspflichten) are defined in Sections 10 to 13 of the GwG:

Customer identification: for natural persons, identification data includes name, first name, date of birth, place of birth, nationality, and address. Verification is carried out on the basis of a valid official identity document (Personalausweis, Reisepass). For legal persons, identification covers the company name, legal form, commercial register number (Handelsregisternummer), registered office address, and identification of legal representatives.

Beneficial owner identification (wirtschaftlich Berechtigter): any natural person who directly or indirectly holds more than 25% of the capital or voting rights of a legal entity, or exercises control by other means. Since 2017, the Transparenzregister (Transparency Register) has been accessible to obligated entities for verifying beneficial owner information. Since August 2021, the Transparenzregister has been a full register (Vollregister), rather than a mere referral register.

Understanding the purpose and nature of the business relationship: the obligated entity must gather information on the customer's activity, the purpose of the relationship, and the expected volume of business.

Ongoing monitoring: updating data and monitoring transactions throughout the relationship.

Remote identification: the GwG and BaFin guidelines recognise video identification (VideoIdent) as a compliant means of remote identity verification, subject to strict technical requirements (real-time video transmission, image quality, security checks). BaFin has also approved the use of the eID (the online electronic identity card function) for identity verification.

Enhanced Due Diligence (EDD)

Enhanced due diligence measures (verstärkte Sorgfaltspflichten, Section 15 GwG) apply in the following situations:

  • Politically Exposed Persons (PEPs — politisch exponierte Personen): persons holding or having held important public functions, direct family members, and persons known to be closely associated. Management approval is required, along with enhanced measures for source of wealth and funds.
  • Relationships with high-risk third countries: countries on the European Commission's list or identified as high-risk by the FATF.
  • Complex or unusual transactions: transactions whose amount, nature, or circumstances are atypical.
  • Correspondent banking with third-country institutions: specific measures for correspondent relationships with banks outside the EU.
  • Real estate transactions: mandatory enhanced due diligence for notaries in real estate transactions, given the high money laundering risk in this sector identified by Germany's NRA.

Required Documents

For natural persons:

  • Valid Personalausweis (German identity card) or Reisepass (passport)
  • Proof of address (Meldebescheinigung less than 3 months old)
  • Where applicable, tax identification number (Steuer-Identifikationsnummer)
  • For PEPs: additional documentation on source of wealth and funds

For legal persons:

  • Recent extract from the commercial register (Handelsregisterauszug)
  • Up-to-date articles of association (Gesellschaftsvertrag/Satzung)
  • Shareholder list (Gesellschafterliste)
  • Identity documents of legal representatives (Geschäftsführer, Vorstand)
  • Extract from the Transparenzregister for beneficial owners
  • Where applicable, powers of attorney and representation authorisations

For foundations and associations:

  • Constituting deed or articles of association
  • Registration in the foundation register or association register (Vereinsregister)
  • Identification of board members and beneficiaries

The retention period is 5 years after the end of the business relationship or execution of the transaction.

Reporting Obligations

Suspicious transaction report (Verdachtsmeldung): obligated entities must report to the FIU any transaction or attempted transaction which they know, suspect, or have reasonable grounds to suspect is related to money laundering, terrorist financing, or other proceeds of crime. Reports must be made via the FIU's goAML online portal.

Reporting thresholds: the GwG does not set a minimum threshold for suspicious transaction reports. However, cash transactions of EUR 10,000 or more in the goods trading sector must be documented, and fund transfers are subject to the EU Funds Transfer Regulation.

Blocking obligation: when a report is made, the obligated entity must refrain from executing the transaction for 3 business days (Transaktionsverbot), unless the FIU instructs otherwise or the competent authority grants permission.

Prohibition on tipping off (Tipping-off Verbot): the obligated entity may not inform the customer or any third party that the transaction has been reported. Violation of this prohibition is criminally sanctioned.

In 2024, the FIU received more than 340,000 Verdachtsmeldungen, a volume rising sharply compared to previous years, reflecting both increased awareness and digitalisation of the reporting process.

Penalties for Non-Compliance

Administrative sanctions (BaFin and Land authorities):

  • Orders to comply
  • Temporary or permanent prohibition from holding management positions
  • Licence or authorisation revocation
  • Financial penalties of up to EUR 5 million for natural persons; for legal persons, up to the higher of EUR 5 million, 10% of total annual turnover, or double the amount of the benefit obtained
  • For serious, repeated, or systematic violations, fines can reach EUR 1 million even for non-financial professions

Criminal sanctions:

  • Money laundering (Section 261 StGB) is punishable by imprisonment of 3 months to 5 years, increased to 6 months to 10 years for aggravated cases (organised crime, commercial activity)
  • Terrorist financing (Section 89c StGB) is punishable by 6 months to 10 years' imprisonment
  • Violation of reporting obligations (Section 56 GwG) can result in a fine of up to EUR 150,000 or, for intentional violations, imprisonment

Publication of sanctions: BaFin publishes certain sanction decisions on its website, in accordance with GwG provisions.

How CheckFile Helps

Germany's KYC framework requires rigorous document verification, reinforced by BaFin's specific guidelines on VideoIdent and eID. CheckFile offers an AI-powered document verification solution perfectly suited to the requirements of the GwG and BaFin's interpretive guidelines.

The CheckFile platform automatically verifies the authenticity of German identity documents (Personalausweis, Reisepass) and more than 6,000 international document types. The AI analyses physical and digital security features, reads and validates the machine-readable zone (MRZ), and detects document fraud attempts (forgery, counterfeiting, alteration). Automatic cross-validation between document-extracted data and Transparenzregister information enables efficient beneficial owner verification.

CheckFile generates a comprehensive audit trail compliant with BaFin requirements, including timestamps, details of each check performed, confidence scores, and reasons for any alerts or rejections. Data is archived for the regulatory 5-year retention period with secure access for compliance teams. API integration automates the onboarding process and is compatible with VideoIdent solutions and German banking platforms. Processing complies with the GDPR (DSGVO), with data hosted in the EU.

FAQ

What documents are required for KYC in Germany?

For natural persons, a valid German identity card (Personalausweis) or passport (Reisepass) and proof of address (Meldebescheinigung) are required. For legal persons, a commercial register extract (Handelsregisterauszug), articles of association, shareholder list, identity documents of directors, and a Transparenzregister extract for beneficial owners are needed. Retention is 5 years after the end of the business relationship.

What are the penalties for KYC non-compliance in Germany?

BaFin administrative sanctions can reach EUR 5 million for natural persons and 10% of annual turnover for legal persons. Money laundering is punishable by 3 months to 10 years' imprisonment. Violation of reporting obligations can result in a EUR 150,000 fine. Sanctions are published and carry significant reputational risk.

How often must KYC checks be updated in Germany?

Frequency depends on risk classification. High-risk customers (PEPs, high-risk countries) must be reviewed annually. Standard-risk customers are reviewed every 3 to 5 years according to internal policies. Any trigger event — change of beneficial owner, atypical transaction, contradictory information — requires an immediate update. BaFin checks file maintenance during its audits.
