‘New provisions in Section 11(3) GWG’ – Identification by third parties
Legitimation & identification in accordance with the Money Laundering Act (GWG)
1. Classification of the legal amendment
Identification regulated by the Money Laundering Act (GWG) is subject to constant adjustments. In addition to more effective methods of combating money laundering, the use of digital possibilities and technical innovations are also taken into account. Section 11 (3) GWG regulates in particular the exceptions in which identification may take place at a later date. In particular, the transfer of data in the context of intermediary transactions has been revised and adapted. The options for (initial) identity verification and the transfer of data by other obligated parties are described below.
2. Basic obligations under the Money Laundering Act
In order to prevent and restrict money laundering, financial service providers, insurance companies and credit institutions, for example, are obliged under the GWG to verify the identity of their business partners or customers on certain occasions. Among other things, this obligation applies when establishing a new business relationship (e.g. opening an account) or in the case of certain transactions (e.g. cash deposits). Re-identification may also be necessary if there are doubts about previously provided information or if there is suspicion of terrorist financing or money laundering.
3. Permissible identification procedures
Identity verification in accordance with the GWG can be carried out by:
- Identity card/passport
- Electronic identity (eIDAS-compliant)
- Qualified electronic signature
- PostIdent
- VideoIdent
4. Identification by third parties (Section 17 GWG)
However, under certain conditions, Section 17 of the GWG may allow for a waiver of re-identification if, for example, the data is transferred by other parties subject to the GWG in the course of intermediary business. However, all parties subject to the GWG must ensure that identifications are fully and correctly documented and archived. It is irrelevant whether the legitimation or identification is carried out for themselves or for transfer to third parties. Important: Even in the case of identification by third parties, the responsibility for proper compliance with money laundering due diligence obligations always remains with the transferee. Simply transferring data does not replace the transferee’s own risk assessment.
The following conditions must be met for permission to pass on identification data:
- The identification documents are still valid.
- There are no concerns regarding the completeness and accuracy of the data.
- There is no increased risk (e.g. foreign transactions, suspicious cases).
- The previous and original identification is not older than 24 months.
- The recipient of the identification data is itself an obligated party under the GWG.
- Notification of the date of initial identification
If the entire process (including the method used, the persons involved and the time) is fully documented, personal and electronic identification can be carried out. Electronic options include video identification, eID or other certified methods.
5. Obligations to keep information up to date
The GWG does not specify any fixed deadlines for updating data. Update obligations arise from internal guidelines or industry standards, based on the principle that re-identification is always necessary if there are doubts about the accuracy or currency of the data previously collected. It is crucial that institutions update their customer information on a risk-oriented and regular basis, as emphasised by BaFin in its revised interpretation and application guidelines. These update steps can be carried out and documented entirely digitally, provided that the requirements for completeness, traceability and storage in accordance with Section 8 GwG are met.
6. The risk-based approach as a decision-making criterion
The risk-based approach of the GWG is central to all identification decisions.
Depending on the risk classification, the following applies:
- simplified due diligence obligations (Section 14 GWG)
- general duties of care
- enhanced due diligence obligations (Section 15 GWG)
Increased risks may arise in particular in the following cases:
- politically exposed persons (PEPs)
- Business relationships with high-risk countries
- complex or unusual transactions
- cross-border structures
In such cases, simply transferring data is generally not sufficient.
7. Digitalisation and regulatory outlook
Identification processes are undergoing profound change. The planned Europe-wide digital identity wallet (eIDAS 2.0) will enable standardised digital identification that can be used across borders. This will lead to seamless processes, particularly in the brokerage business. The new European Anti-Money Laundering Authority (AMLA) will lead to greater harmonisation of supervision in the future. Processes should therefore be designed to be Europe-compliant at an early stage. In AI-supported identity verification, modern AI models enable automated document verification, image recognition for authenticity checks, automated risk indicators (e.g. suspicious patterns), and more.
Institutions are thus faced with a strategic dilemma and the challenge of combining regulatory security with digital efficiency.
8. Recommendations for action
For intermediary and product provider structures, it is advisable to establish clear and binding framework conditions for the identification process. This includes, first and foremost, a clear contractual regulation of responsibilities to ensure that all parties involved know who is responsible for carrying out the identification, data transfer and documentation. In addition, a documented risk assessment of the data transfer should be established in order to assess whether the reuse of existing identification data is permissible or whether re-identification is necessary.
In addition, institutions benefit from standardised technical interfaces that enable secure, structured and traceable data transfer while reducing media breaks. Equally important are audit-proof documentation processes so that all steps – from identification to data transfer – are recorded in a transparent, complete and verifiable manner at all times.
Another key success factor is regularly checking customer data to ensure that identification data, ID documents and risk assessments are always up to date. Finally, institutions should consistently promote the integration of digital identification procedures – such as eID, qualified electronic signatures or modern video identification solutions – in order to achieve both efficiency gains and greater compliance security in increasingly digitised intermediary channels.
If you need support in introducing digital processes for authentication or identification, our experienced and competent staff will be happy to help. We have experience in the implementation of interfaces, test management, test execution and test automation, and training. Please contact us.
