Section 6 GwG – Internal controls and safeguards
(1) 1Obliged entities are required to implement appropriate business- and customer-related internal controls and safeguards in the form of principles, procedures and controls in order to manage and mitigate the risks of money laundering and terrorist financing. 2Such measures are appropriate if they correspond to the risk situation of the obliged entity and cover it sufficiently. 3The obliged entities are required to monitor the functionality of the internal controls and safeguards and update them where necessary.
(2) In particular, internal controls and safeguards include:
- the development of internal principles, procedures and controls in relation to
a) dealing with risks under subsection (1),
b) the customer due diligence requirements under sections 10 to 17
c) compliance with the reporting obligation under section 43 (1)
d) recording of information and retention of documents under section 8 and
e) compliance with other provisions under anti-money laundering and counter terrorist financing law, - appointing a money laundering officer and a deputy under section 7,
- in cases of obliged entities that are parent companies of a group, the establishment of group-wide procedures under section 9,
- the development and updating of appropriate measures to prevent the abuse of new products and technologies for committing money laundering and terrorist financing or for the purpose of promoting the anonymity of business relationships or transactions,
- the reliability screening of employees by appropriate means, in particular via systems of the obliged entity for controlling and appraising the staff,
- initial and ongoing training of employees with regard to the typologies and current methods of money laundering and terrorist financing and on the provisions and obligations relevant in this regard, including rules for data protection, and
- reviewing the above-mentioned principles and procedures in an independent inspection where such a review is appropriate given the nature and size of the business.
(3) If an obliged entity under section 2 (1) nos. 10 to 14 and 16 performs their professional activities as an employee of a company, the obligations under subsections (1) and (2) fall to this company.
(4) 1In addition to the measures set out in subsection (2), obliged entities under section 2 (1) no. 15 are required to operate data processing systems that enable them to identify both business relationships and individual transactions in gambling operations and via a gambling account under section 16 that are to be regarded as suspicious or unusual given publicly available information on, or corporate experience of, the methods of money laundering and terrorist financing. 2They are required to update these data processing systems. 3The supervisory authority may specify criteria on the basis of which, if met, the obliged entities under section 2 (1) no. 15 may be exempt from the obligation to use the data processing systems under sentence 1.
(5) The obliged entities are required to make arrangements appropriate to their nature and size to enable their employees and persons in a comparable position to report contraventions of provisions under anti-money laundering and counter terrorist financing law to appropriate bodies while ensuring that their identity remains confidential.
(6) 1The obliged entities are required to make arrangements to ensure they are in a position, if asked by the German Financial Intelligence Unit (Zentralstelle für Finanztransaktionsuntersuchungen) or by other competent authorities, to provide information as to whether they maintained a business relationship with certain persons during a period of five years prior to the enquiry, and what the nature of that relationship was. 2They are required to ensure that the information is transmitted safely and confidentially to the institution making the enquiry. 3Obliged entities under section 2 (1) nos. 10 and 12 may refuse to provide information if the enquiry refers to information they received in the course of providing legal advice or legal representation. 4The obligation to provide information continues to exist if the obliged entity knows that the legal advice or legal representation was or is being used for the purpose of money laundering or terrorist financing.
(7) 1The obliged entities may, on the basis of contractual agreement, engage third parties to implement internal controls and safeguards if they notify the supervisory authority of this in advance. 2The supervisory authority may prohibit the engagement of a third party if - the third party does not provide an assurance that the controls and safeguards will be implemented properly,
- the management capabilities of the obliged entity would be adversely affected or
- supervision by the supervisory authority would be adversely affected.
3In their notification, the obliged entities are required to demonstrate that the criteria for prohibiting the engagement under sentence 2 are not fulfilled. 4The ultimate responsibility for implementing the controls and safeguards continues to lie with the obliged entities.
(8) In individual cases, the supervisory authority may issue appropriate and necessary orders to an obliged entity to implement the necessary internal controls and safeguards.
(9) The supervisory authority may order that the provisions of subsections (1) to (6) are to be applied, in a manner appropriate to the level of risk, to individual obliged entities or groups of obliged entities on account of the kind of transactions they engage in or of the size of their business, in consideration of the risks with regard to money laundering and terrorist financing.