AML in 2025: Expert Advice on BaFin’s Rules, AI, and What’s Next for Fund Managers

If you’re working in finance in Germany, you’ll definitely know all about BaFin or Bundesanstalt für Finanzdienstleistungsaufsicht.

BaFin is Germany’s Federal Financial Supervisory Authority. They’re the ones keeping the financial system in check.

Whether it’s banks, insurance companies, or investment firms, BaFin makes sure everyone’s playing by the rules to keep the system running smoothly and fairly.

One area BaFin oversees is anti-money laundering (AML). And lately, they’ve been reminding stakeholders of the expectations.

Earlier this year, Carsten Sperl, BaFin's specialist in money laundering prevention, highlighted the regulator's intensified focus on insurance companies' anti-money laundering measures.

While speaking specifically about the insurance industry, he suggested that AML is a real topic for concern.

“One of the areas we are focussing on right now is foreign insurance undertakings with branches in Germany,” he explained.

“They are not required to file any reports with us regarding their measures for the prevention of money laundering and terrorist financing. They are mainly supervised by the supervisory authorities in their respective home countries.”

This followed on from a 2023 BaFin published article emphasizing the importance of anti-money laundering compliance for registered asset management companies in Germany.

The article highlighted that, since 2021, these companies are required to undergo annual financial statement audits, which include AML assessments.

However, many have not yet adequately adapted their AML processes.

To make sense of how BaFin influences asset management and figure out how to stay ahead of the curve, we chatted with YPOG’s experts Stefanie Nagel, Sylwia Luszczek and Jannik Zerbst.

They’ve got some great insights into BaFin’s priorities, the biggest AML challenges fund managers face, and some practical tips for navigating what can often feel like a compliance quagmire.

BaFin’s Eye on AML: What It Means for Private Equity

In private equity, compliance with anti-money laundering regulations is a well-known responsibility.

But as Germany’s financial regulator, BaFin, clarifies its expectations, the question arises: is BaFin becoming more stringent, or is the industry simply hearing more reminders about its obligations?

The YPOG team, who have been closely observing the shifting regulatory landscape, provides a clearer picture.

According to them, the heightened attention to AML compliance isn’t necessarily new, but it is becoming more visible.

“What we do know is that for some time now, BaFin has been conducting more on-site inspections of registered asset management companies and their compliance with the AML regulation, ”YPOG explains.

BaFin’s inspections are broad, often going beyond the onboarding process to examine the overall effectiveness of a company’s AML framework.

However, the scrutiny on investor checks during onboarding has had a noticeable impact on how private equity firms operate.

“This includes investors’ AML checks during the onboarding process but is definitely not limited to it. Due to that, we have seen two different approaches: either more compliance roles within the asset manager’s own organization or an outsourcing to external AML/KYC service providers.”

This is an area where Vestlane can help.

Our platform makes KYC and AML simple, giving private equity firms automated tools, clear insights, and everything they need to stay compliant without the hassle.

Tightening the Rules on Investor Verification

One area where BaFin’s stance has become clearer is investor verification.

While there hasn’t been a legislative change, YPOG notes a significant clarification in the interpretation of the rules.

“With respect to investor identification, or to be more exact, verification, we observed a change in the use of certified copies of identification documents, which do not satisfy the verification requirements as a standard procedure.

“This is not due to a change of law but rather a clarification that only in cases of simplified due diligence a deviation from the strict verification requirements is allowed.”

This adjustment means that firms must be more rigorous in verifying their investors' identities in most cases, rather than relying on less stringent procedures.

The clarification has likely created a need for firms to revisit their compliance policies and ensure they align with BaFin’s expectations.

Onboarding: Where Mistakes Often Happen

Investor onboarding is a critical step in AML compliance.

But according to the YPOG team, it’s just one piece of a much larger puzzle under German money laundering law.

While BaFin has not identified specific topics of focus, its recent enforcement actions reveal recurring issues.

“We are not aware of certain preferred topics,” YPOG explains.

“However, if you assess BaFin’s notifications of fines for money laundering offences, most of the errors seem to lie in the misinterpretation of the applicable due diligence requirements and in the incorrect ongoing monitoring and updating requirements."

This means that onboarding is not just about getting it right at the start; it’s about maintaining accurate and updated records throughout the relationship.

For instance, if the fund’s risk environment changes or the investor’s profile evolves, ongoing monitoring is crucial to avoid falling out of compliance.

Recent geopolitical crises have added complexity to the process. “Screening of sanction lists has become more and more relevant,” YPOG notes.

“The same applies to the continuous monitoring of the various country lists, which are constantly changing and now also include countries that are more relevant to onboarding."

Fund managers must stay vigilant and regularly update their processes to align with these shifting realities."

What Auditors Look for: The Spotlight on Outsourcing

When auditors review AML compliance during onboarding, their priorities can shift.

In recent audits, outsourcing arrangements have come under scrutiny.

This focus on third-party arrangements ties in with the Digital Operational Resilience Act (DORA), which applies to fully-regulated fund managers and is all about making sure companies have solid processes in place to manage risks when working with external providers.

It’s a reminder that even if you outsource, you’re still responsible for keeping things compliant.

“One focus this year was on outsourcing issues,” YPOG explains, “specifically, the question of whether the GP uses the help of third parties in fulfilling its anti-money laundering obligations.”

Outsourcing AML functions, such as customer due diligence or transaction monitoring, is common in the private equity industry.

But it comes with specific regulatory requirements under the German AML Act (AMLA).

The type of outsourcing whether to a service provider, consultant, or technology platform determines the compliance framework that must be followed.

“GPs are therefore well advised to take a close look at which persons and, if applicable, technology they use to fulfill their anti-money laundering obligations,” says YPOG’s experts.

Regular reviews of outsourcing contracts, clear documentation of roles, and ongoing monitoring of external providers can help firms avoid penalties during audits.

Strategies to Prepare for AML Challenges

For GPs, YPOG’s advice is practical. The essential set of documents for legal person typically includes the following:

• The official company register excerpts, including information regarding, inter alia,  the legal name,  the legal form, the commercial register number if available, the address of the registered office representative body and rules, , and information on beneficial owners.
  
  
• The structure chart to clarify the organization of the investing entity.
  
  
•  In case of foreign structures, such as trusts, which often lack legal personality, the trustee is typically authorized to act on behalf of the trust, including managing investments and undertaking legal actions.
  
  In this context, official agreements confirming this relationship are requested, along with relevant documents pertaining to the trustee.
  
  Depending on the legal form, these may include a certificate of incorporation, a certificate of good standing, operating agreements, and details about the shareholder structure.

The AML Check Timeline & Tech Assistance

The time to complete AML checks really depends on the type of structure, the jurisdiction involved, and the completeness of the documentation provided.

“It can take anywhere from just a few days to several weeks,” says YPOG.

Foreign legal structures, particularly those originating from the United States, tend to face the longest delays.

This is primarily due to the stringent German AML requirements, the need for additional documentation and checks by US counsel, as well as time zone differences, YPOG explains.

To avoid surprises, YPOG recommends setting aside at least two weeks for onboarding foreign investors, particularly those with complex structures like trusts or multi-layered entities.

Digital onboarding platforms like Vestlane can also play a pivotal role.

For example, Vestlane uses automatic name screening with ComplyAdvantage to enhance due diligence processes.

This approach helps identify potential risks by cross-referencing names against global watchlists, politically exposed persons (PEP) databases, and adverse media, ensuring compliance and reducing onboarding delays.

“These platforms and tools certainly help to have all data safely stored in one place, and to have a sufficient overview of all information, which significantly speeds up the review process,” YPOG says.

“One of these platforms is Vestlane, which provides for an increased overview of the relevant information while at the same time managing - through drop down questionnaires - that the right questions are being asked.”

However, the YPOG team points out that such reviews cannot be done yet without significant input from professionals.

So the tech is there to help but not replace experts.

AML in 2025: What Fund Managers Should Prepare For

The integration of artificial intelligence into AML processes is one of the most significant changes on the horizon.

“We believe that we will see tools with implemented AI functions that help pre-identify beneficial owners,” YPOG says.

This shift could streamline compliance efforts by reducing the time and resources required to analyze complex ownership structures and identify risks.

And as audits become more rigorous and digital tools continue to evolve, AI is expected to play a crucial role in helping fund managers comply with their obligations more efficiently.

Looking further ahead, the EU Anti-Money Laundering Directive marks another major milestone.

“The EU Anti-Money Laundering Directive has been adopted, but will not come into force until July 2027 or (certain parts) July 2029. “This means that the substantive anti-money laundering obligations will be shifted from the national to the EU level. It may be premature to prepare for this now, but at least knowing about this fundamental change certainly can't hurt,” YPOG concludes.

With AI and automation tools on the rise and significant regulatory changes coming up, fund managers have a window to prepare for a future where AML compliance is both more sophisticated and more standardized.

To find out how Vestlane has been preparing for this future, read our 2024 year in review blog.