KYC compliance in Germany: Key obligations for companies

Identity

Stripe Identity lets you programmatically confirm the identity of global users so you can prevent attacks from fraudsters while minimising friction for legitimate customers.


Compliance and KYC are inseparable in Europe. European Union directives have led to harmonising legal regulations; however, differences still exist between the individual member states. In this article, you will learn what KYC is and why these procedures in Germany differ from those in other EU countries. We also clarify the importance of KYC for German companies and what requirements they must meet to comply with the law.

What’s in this article?

  • What is KYC, and what is its purpose?
  • Why and how do the KYC requirements differ in Germany?
  • What KYC requirements must German companies meet?

What is KYC, and what is its purpose?

The abbreviation KYC stands for “Know Your Customer”. Its principles set international standards to combat money laundering, terrorist financing, fraud, corruption, and other types of financial crime. It includes a series of regulations and procedures that primarily identify and verify account holders, their ownership structures, and economic backgrounds.

The KYC process uncovers potential risks in new or existing commercial relationships – for instance, shell companies or monetary resources from questionable sources. It is important for businesses because it helps them prevent fraud by identifying their clients. Basically, it is about validating that customers are who they claim to be.

KYC is used in various industries worldwide, especially where fiscal operations and regulatory compliance are concerned. Key industries include:

  • Financial sector: Banks, insurance companies, credit institutions, and payment service providers must legally carry out KYC measures.
  • E-commerce and marketplaces: Platforms with financial transactions use KYC to prevent fraud.
  • Fintech and cryptocurrencies: Crypto exchanges and wallet providers must validate customer identities to prevent money laundering, among other things.
  • Property industry: Customers’ economic circumstances are subject to review when purchasing or brokering property.
  • Legal and business consulting: Law firms and auditors use KYC to verify clients and partners.

In many nations, KYC is a key component of regulatory obligations. Nonetheless, the specific criteria vary considerably depending on the region, which can challenge internationally active firms. Some countries have stringent requirements; others offer more flexibility.

In the United States, KYC compliance provisions are relatively strict. The USA PATRIOT Act and the Bank Secrecy Act require comprehensive identity checks to detect and prevent illegal financial flows at an early stage. Financial institutions must authenticate customers and continuously monitor their transactions to report suspicious activity.

KYC is becoming increasingly important in Asia. In financial centres such as Singapore and Hong Kong, banks and other service providers have clear guidelines regarding identity verification.

Within the EU, KYC is addressed by the 6th EU Anti-Money Laundering Directive (6AMLD), which sets uniform minimum standards for all EU member states. Despite common goals, there are country-specific differences in implementation.

Why and how do the KYC requirements differ in Germany?

German companies face a particular challenge when it comes to KYC compliance. There are various reasons for this.

Legal regulations

In Germany, the “Act on the Tracing of Proceeds from Serious Crimes”, or the Money Laundering Act (GwG), implements the EU Anti-Money Laundering Directives (AMLD). The GwG is relatively strict and detailed when compared with international policies. The requirements for customer identity verification, documentation, and reporting obligations are high. For example, German banks not only conduct KYC checks when opening an account or making large transactions, but they also regularly monitor their business relationships so that they can report any suspicious activity at an early stage. This continuous review requires significant investment in compliance processes and systems.

Transparency register

Another key difference compared to other European countries is the German Transparency Register. The Transparency Register is a database containing information on companies’ beneficial owners (see Section 3 of the GwG) and serves to combat money laundering and tax evasion. Authorities and other entities can use the Register to uncover suspicious activities, trace cash flows, and identify hidden assets.

The German Transparency Register has been a full register since 1 August 2021. Almost all domestic companies must report their beneficial owners with complete records. In other EU nations, the Transparency Register remains a so-called catchall register, where companies only have to provide data if their beneficial owners cannot be found in other official sources. This means that the administrative burden for organisations in Germany is higher: they always have to make a separate submission.

Additionally, firms in Germany are mandated to regularly review and update their information. Violations of the transparency obligations could constitute an administrative offence and result in fines of up to €150,000. In individual cases, companies can face fines of €5 million, or 10% of total revenues, for serious, repeated, or systematic violations. In other EU countries, officials can institute lower penalties or enforce them less frequently.

Federal Financial Supervisory Authority (BaFin)

The role of BaFin in terms of KYC is different from that of regulators in other nations. As Germany’s financial supervisory authority, it monitors banks and their commercial activities, among other things. KYC and compliance go hand in hand because BaFin has insight into not only the balance sheets but also the business practices of the banks. BaFin punishes violations with sanctions ranging from warnings and fines to withdrawing a company’s banking licence. In Germany, financial institutions and other organisations are subject to intensive monitoring and rapid sanctions in the event of misconduct. In other countries, various regulators could be responsible for comparable tasks, which can lead to less stringent control.

What KYC requirements must German companies meet?

Under the GwG, German companies must meet numerous requirements for the KYC procedure. Here is an overview of the most important ones:

General due diligence obligations

Section 10 of the GwG lists the general due diligence obligations that companies must follow regarding KYC compliance. These include:

  • Identifying the contracting parties
  • Determining whether the contracting parties are acting on behalf of beneficial owners and, if necessary, identifying these persons
  • Determining whether the contracting parties are politically exposed persons or are close to them
  • Clarifying the purpose of the business relationship
  • Monitoring the relationship and the transactions carried out continuously

According to Section 11, Paragraph 4 of the GwG, the following data is required for the correct identification of natural persons:

  • First and last name
  • Place and date of birth
  • Nationality
  • Address

Companies must collect the following data for a legal entity or partnership:

  • Company, name, or designation
  • Legal form
  • Registration number (if available)
  • Address of the registered office or main branch
  • The names of the members of the representative body or the names of the legal representatives

Since customer authentication is at the core of the KYC principle, companies need to use an adequate technical solution. With Stripe Identity, you can validate official identification documents from over 100 different countries. This extensive verification is technically challenging because there are various standards for ID cards worldwide. In addition, Identity enables biometric comparison of ID photos and selfies as well as validation of names, dates of birth, and social security numbers.

Internal security measures

KYC compliance requires internal safeguards that enable effective risk management appropriate to the nature and scope of the operation. Companies must take the following measures, among others, based on Sections 4, 6, and 7 of the GwG:

  • Check employees for reliability
  • Regularly inform employees about current illicit finance methods and regulations
  • Appoint a qualified money laundering officer and a deputy
  • Provide information upon request from the financial intelligence unit (FIU)
  • Create a whistleblowing system to enable responsible employees to report violations of the GwG confidentially

Risk analysis

Section 5 of the GwG requires companies to examine each business relationship or transaction. The aim is to identify and assess the risks of money laundering and terrorist financing. You can find a list of the key risk factors in Annexes 1 and 2 of the GwG. These relate to the customers, the product, the service, or the operation, as well as the geographical location of the organisation. If there is only a low threat, companies must only fulfil simplified due diligence obligations (see Section 14 of the GwG).

Retention obligation

Under Section 8 of the GwG, companies must carefully record and retain all data from KYC procedures for at least five years. This includes information about contractual partners, copies of identification documents, details on commercial relationships, and risk analyses.

Reporting obligation

If there is a suspicion that activities or business will result in money laundering or terrorist financing, you are required to notify the FIU. According to Section 43 of the GwG, this obligation to report applies regardless of the asset’s value or the transaction amount.

The content in this article is for general information and education purposes only and should not be construed as legal or tax advice. Stripe does not warrant or guarantee the accuracy, completeness, adequacy, or currency of the information in the article. You should seek the advice of a competent lawyer or accountant licensed to practise in your jurisdiction for advice on your particular situation.
