What Is BaFin?
BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht) is an autonomous public-law institution under the Federal Ministry of Finance that was established under the Financial Services and Integration Act (Finanzdienstleistungsaufsichtsgesetz - FinDAG) in 2002. Its headquarters are in Bonn and Frankfurt.
It supervises banks, financial service providers, insurance undertakings and securities trading. However, its scope of operations is not limited to these. In this post, we will provide an overview of BaFin’s structure and role in AML.
What Are the Differences Between BaFin and Germany’s FIU?
While BaFin is Germany’s financial supervisory authority, the German FIU (Zentralstelle für Finanztransaktionsuntersuchungen) is the country’s financial intelligence unit.
The main difference between the two institutions lies in their respective missions. BaFin ensures that financial institutions and other obligated entities comply with their AML/CFT obligations under the GwG, whereas the German FIU receives and analyzes suspicious transaction reports and forwards them to the relevant law-enforcement authorities and foreign FIUs.
How Does BaFin Oversee AML Compliance?
BaFin supervises obligated entities and ensures they comply with their statutory obligations to prevent financial crime under the German Money Laundering Act (GwG). Below, we have detailed its key AML efforts.
Risk-based AML programs: According to section 4 of the GwG, obligated parties must have a risk management system that includes a risk analysis under section 5 of the GwG and internal safeguards under section 6 of the GwG.
Official AML guidance: In order to ensure proper due diligence and internal safeguarding measures, BaFin provides regularly updated interpretation and application guidance (Auslegungs- und Anwendungshinweise) for obligated persons and entities.
Appointing an MLRO (Money Laundering Reporting Officer): BaFin also requires institutions to appoint an MLRO (Geldwäschebeauftragter). However, there are certain criteria for these appointments, and they must be approved by BaFin.
Cooperation with European Authorities: As a member of the EU, Germany’s AML authority actively works with the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Anti-Money Laundering Authority (AMLA).
Monitoring Due Diligence (CDD & EDD): BaFin requires obligated parties to comply with customer due diligence requirements. Furthermore, according to section 15 (2) of the GwG, these parties must also apply enhanced due diligence if they determine that there is a higher risk of money laundering or terrorist financing.
Recordkeeping and Reporting STRs/SARs: BaFin also obligates entities to report suspicious transactions and activities to Germany’s Financial Intelligence Unit, the Zentralstelle für Finanztransaktionsuntersuchungen. These entities are also obligated to keep records of customer identities, transaction data, and business relationships.
On-site Inspections: BaFin examines whether the companies are effectively complying with the regulatory requirements. Each year, the number of BaFin’s AML inspections increases. For example, it conducted 48 inspections in 2022, while the total number was 66 in 2023.
Which Institutions Are Subject to BaFin AML Rules?
· Banks
· Payment and e-money institutions
· Crypto-asset entities and Virtual Asset Service Providers (VASPs)
· Insurance providers and asset managers
· Investment brokers
· Real estate brokers
· Auditors
· Notaries
What Is the BaFin Licensing Process for AML-Regulated Firms?
1. Preliminary Assessment: In the first step, you must determine whether you are subject to authorization or registration. Then, you must clarify your business model, which services you provide, and how you fit within the ZAG (Zahlungsdiensteaufsichtsgesetz)/GwG framework.
2. Preparation of Documents: After you have clarified the preliminary details, you must submit a full application to BaFin, which should include details such as your business plan, risk management framework, internal controls, organizational structure, resources and many other things.
Furthermore, you should prove your AML safeguards by presenting examples of your appointed money-laundering reporting officer (MLRO), internal security measures, and customer-due-diligence policies.
3. BaFin Review: Once you have submitted your application, BaFin will review your details and decide whether your business model is appropriate and sustainable. The duration of this process depends on the type of institution. It should be noted that during this review, BaFin may request additional documents as well.
4. Authorization and Registration: When you meet all requirements, you will receive an authorization or registration, depending on what you have applied for. This will allow BaFin and ZAG to list you in their respective registers.
5. Ongoing Supervision: Completing all these steps does not mean that the decision is final. If you do not comply with the relevant regulations, the responsible authority may withdraw your license or impose supervisory measures.
What Is BaFin’s Role in Fintech and RegTech Oversight?
You can find the “FinTech Innovation Hub” on BaFin’s website, where you can see business models, technologies, authorization requirements and supervisory laws.
BaFin’s approach to FinTech and RegTech is complementary rather than separate: it continues to apply the principle “same business, same risks, same rules”. Germany’s AML authority also oversees emerging technologies and ensures that these innovations do not undermine consumer protection or the integrity of the financial system.
BaFin emphasizes that the sector, whether it is FinTech or RegTech, is not what matters. What really matters is what the firm is doing. So, if it offers financial services, it will be held to the same AML standards as traditional financial institutions. Thus, one should expect similar measures such as ID verification, monitoring, or audits.
How Does BaFin Regulate Crypto and AML?
Crypto-assets have been defined in the Kreditwesengesetz (KWG) as financial instruments in section 1 (11) sentence 1 no. 10 KWG since 2020. As of 30 December 2024, the Markets in Crypto-Assets Regulation (MiCAR) has entered into force at the EU level. Since then, Germany has aligned its national regulations with MiCAR and specified BaFin’s supervisory role for crypto service providers.
Furthermore, these firms are considered obligated entities under the GwG and must perform customer due diligence (CDD), monitor transactions, report suspicious transactions, and have internal safeguards just like banks. However, one should pay attention to how BaFin classifies a token, whether it is a crypto asset, a financial instrument under securities law, or falls under MiCAR because this may change the AML obligations on the obligated entity.
One last thing to note is that even when the provider is located abroad, if it is actively targeting German clients, it may need to obtain authorization from BaFin.
Key AML Requirements for Crypto Businesses
Just like the other obligated entities, crypto service providers are required to take several actions such as customer identity verification, identifying ultimate beneficial owners (UBOs), ongoing monitoring, and reporting suspicious activities/transactions.
We must also mention the importance of licensing/authorization obligations. While using crypto-assets as a substitute currency does not require a license, a crypto custody business (Kryptoverwahrgeschäft), for example, must obtain the relevant permission. Failure to meet this requirement can result in civil-law risks and the risk of closure of the business, even when the failure is negligent.
Penalties Issued by BaFin
Under the GwG, BaFin has the power to impose administrative fines (Bußgelder) against obligated entities. Under § 56 GwG, fines can reach €5 million or 10% of annual turnover, whichever is higher. Moreover, BaFin is also able to order management changes, apply business restrictions and withdraw licenses.
Violations such as late submission of suspicious transaction reports (STRs), inadequate internal controls, and not updating customer data may result in serious penalties. Let’s give two recent cases to better illustrate the severity of these risks.
As reported by Le Figaro, Germany’s financial watchdog fined Deutsche Bank €23 million over multiple violations in 2025. This marks the second highest penalty issued by BaFin, after the €40 million penalty imposed on Deutsche Bank in 2015 (due to shortcomings in the bank’s anti-money laundering controls).
According to Reuters, the online bank N26 was fined €9.2 million for late filing of reports of suspected money laundering to Germany’s financial intelligence unit. Timely filing of these reports allows the authorities to take action quickly.
How Can Sanction Scanner Help You Comply with BaFin Rules?
Real-time PEPs Lists, sanctions, and watchlist screening: Sanction Scanner allows you to create an AML Control Program where you can scan your customers based on their risk levels against more than 3,000 Global Sanctions lists, PEPs (Politically Exposed Persons) lists, and Adverse Media Data. Moreover, we update this data every 15 minutes, so you do not risk falling behind.
Localized Risk Rules Aligned with BaFin & FATF: You can build configurable risk rules and scoring models on Sanction Scanner’s platform in order to align with the risk-based approach of BaFin and the FATF (Financial Action Task Force).
Full German-language interface and audit-ready logs: In addition to easy integration into your existing systems, our platform and dashboards are readily available in German. Furthermore, in a potential audit, you will have audit-ready logs aligned with § 8 GwG record-keeping.
Ongoing Vigilance: Both the GwG and the FATF Recommendations require ongoing due diligence and monitoring of business relationships. With Sanction Scanner, you can remain compliant after onboarding thanks to solutions such as real-time customer rescreening, a transaction monitoring engine, dynamic risk re-scoring, case management and escalation.
FAQ
BaFin supervises fintech AML compliance by enforcing KYC rules, monitoring payment flows, and conducting risk-based audits.
BaFin coordinates with EU bodies like ESMA and EBA to harmonize AML rules, licensing standards, and cross-border supervision.
BaFin treats crypto as financial instruments and requires exchanges to obtain licenses and follow strict AML/KYC procedures.
BaFin issues fines, restricts business operations, or appoints special auditors when institutions violate AML or risk rules.
Sanction Scanner helps companies meet BaFin requirements through automated screening, transaction monitoring, and audit-ready reporting.