AML/CTF Checklist

Annex 5 to Section 27 of the German Audit Report Regulation (PrüfbV)

The latest version of the AML/CTF Checklist combines the content of the existing AML obligations in the German Money Laundering Act (GwG) and the German Banking Act (KWG). The checklist is a translation of Annex 5 to Section 27 of the German Audit Report Regulation (PrüfbV).

Obliged entity: _______

Reporting period: _______

Examination date: _______

On-site audit manager: _______

A. Information on the following risk factors based on the obliged entity's latest and complete risk assessment:

  1. List of all high-risk products offered (according to risk assessment):  
  1. Number of customers: _______
    1. Proportion of customers with low risk __.__%
    2. Proportion of customers with high risk __.__%
    3. Number of politically exposed persons (Contracting parties, beneficial owners) _____
  1. Number of correspondence relationships with companies based in:
    1. EU/EEA states _____
    2. Third Countries _____ thereof in High-Risk Third Countries (HRTC) _____
  1. Number of branches/branch offices/subsidiaries:
    1. Domestic _____
    2. In other EU/EEA countries _____
    3. In third countries _____ of which in High-Risk Third Countries (HRTC) _____
  1. Number of people working as tied agents for the obliged entity:
    1. Domestic _____
    2. Abroad _____

B. Classification of audit findings

The on-site audit manager is responsible for the classification of audit findings.

  • F0 – No defects
  • F1 – Minor defects
  • F2 – Moderate defects
  • F3 – Serious defects
  • F4 – Very serious defects
  • F5 – Not Applicable (N/A)
  • An F0 finding describes a complete absence of norm violations.
  • An F1 finding describes a violation of the norm with a slight impact on the effectiveness of the preventive measure or precautionary measure.
  • An F2 finding describes a violation of the norm with noticeable effects on the effectiveness of the preventive measure or precautionary measure.
  • An F3 finding describes a violation of the norm with clear effects on the effectiveness of the preventive measure or precautionary measure.
  • An F4 finding describes a violation of the norm that significantly impairs or completely eliminates the effectiveness of the preventive measure or precautionary measure.
  • An F5 finding describes the inapplicability of the examination area in the audited institute.

AML/CTF Checklist

| No. | Regulation | Audit requirements | Finding | Location |
|---|---|---|---|---|
| A. Money Laundering/Terrorist Financing | | | | |
| I. Internal Safeguards | | | | |
| 1. | Section 5 (1) and (2) GwG | Preparation, documentation, review and, if necessary, updating of a risk assessment with regard to Money Laundering and Terrorist Financing | | |
| 2. | Section 6 (2) Nos. 1 and (4), (5) GwG | Implementation of Internal Safeguards with regard to Money Laundering and Terrorist Financing | | |
| 3. | Section 6 (2) No. 2 in conjunction with Section 7 GwG | Fulfilment of duties relating to the Anti-Money Laundering Officer (appointment, notification, equipment, controls) | | |
| 4. | Section 6 (2) No. 5 GwG | Conducting background checks | | |
| 5. | Section 6 (2) No. 6 GwG | Carrying out training and informing employees | | |
| 6. | Section 6 (2) No. 7 GwG | Conducting internal audits regarding measures to prevent Money Laundering and Terrorist Financing | | |
| 7. | Section 25h (2) KWG | Creation and operation of an IT monitoring system | | |
| 8. | Section 6 (7) GwG | Contractual outsourcing of Internal Safeguards | | |
| II. Customer-related due diligence obligations | | | | |
| 9. | Section 10 (2) GwG, Section 14 (1) GwG, Section 15 (2) GwG | Conducting risk assessments of business relationships and transactions | | |
| 10. | Section 10 (1) No. 1 (in conjunction with Sections 11 to 13 GwG, Section 25j KWG), Section 10 (9) GwG | Identification of the contracting party and the persons acting on their behalf (including non-performance/termination obligation) | | |
| 11. | Section 10 (1) No. 2 GwG (in conjunction with Section 11 (1) and (5) GwG), Section 10 (9) GwG | Clarification and, if necessary, identification of the beneficial owners (including non-performance/termination obligation) | | |
| 12. | Section 10 (1) No. 3 GwG, Section 10 (9) GwG | Obtaining information on the purpose/type of the business relationship (including non-execution/termination obligation) | | |
| 13. | Section 10 (1) No. 4 GwG, Section 10 (9) GwG | Clarification of politically exposed person status (including non-implementation/termination obligation) | | |
| 14. | Section 10 (1) No. 5 Sentence 1 GwG | Ongoing monitoring of business relationships (unless covered by Section 25h Para. 2 KWG) | | |
| 15. | Section 10 (1) No. 5 Sentence 2 GwG | Carrying out updates | | |
| 16. | Section 14 (1) and (2) GwG | Implementation of simplified due diligence obligations (documentation, appropriateness of measures) | | |
| 17. | Section 15 (1) to (7), (9) in conjunction with Section 10 (9) GwG, Section 25k KWG | Implementation of enhanced due diligence obligations (documentation, appropriateness of measures) | | |
| 18. | Section 17 (1) to (7) GwG | Execution of due diligence obligations by third parties and contractual outsourcing | | |
| 19. | Section 25i KWG | Fulfilling due diligence obligations regarding electronic money | | |
| III. Other duties | | | | |
| 20. | Section 6 (6) GwG | Organization and fulfilment of the information obligation | | |
| 21. | Section 8 GwG | Record keeping and retention | | |
| 22. | Section 9 in conjunction with Section 5 (3) GwG | Carrying out group-wide duties | | |
| 23. | Section 43 GwG in conjunction with Section 47 (1) to (4) GwG | Implementation of the Suspicious Activity Reporting (SAR) procedure (including compliance with the ban on passing on information) | | |
| 24. | Section 6 (8) and (9), Section 7 (3), Section 9 (3) Sentence 3, Section 15 (8) GwG, Section 28 (1) Sentence 2 No. 5 GwG, Section 39 (3) GwG, Section 40 (1) Sentence 2 No. 3 GwG, Section 6a KWG, Section 25h (5) KWG, Section 25i (4) KWG | Compliance with orders | | |
| 25. | Section 25m KWG | Compliance with business prohibitions | | |
| B. Other criminal acts within the meaning of Section 25h KWG | | | | |
| 26. | Section 25h (1) KWG | Creation, documentation, review and, if necessary, updating of a risk assessment in relation to other criminal acts | | |
| 27. | Section 25h (1) KWG | Implementation of Internal Safeguards in relation to other criminal acts | | |
| 28. | Section 25h (1) KWG | Carrying out audits by the internal audit department with regard to measures to prevent other criminal acts | | |
| 29. | Section 25h (2) KWG | Operating and updating IT monitoring systems | | |
| 30. | Section 25h (3) Sentence 1 and 2 KWG in conjunction with Section 8 GwG | Carrying out the obligation to examine | | |
| 31. | Section 25h (4) KWG | Contractual outsourcing of Internal Safeguards | | |
| 32. | Section 25h (5) KWG | Compliance with orders | | |
| 33. | Section 25h (7) KWG in conjunction with Section 7 GwG | Execution of the tasks of the central office (permissible omission if necessary) | | |
| C. Regulation (EU) 2015/847 on information accompanying transfers of funds | | | | |
| 34. | Regulation (EU) 2015/847 | Obligations under Regulation (EU) 2015/847 | | |
| 35. | Section 25g Para. 3 KWG | Compliance with orders relating to obligations under Regulation (EU) 2015/847 | | |
| D. Automated retrieval of account information | | | | |
| 36. | Section 24c KWG | Obligations of the credit institution in connection with the automated retrieval of account information | | |

Section 27 of the German Audit Report Regulation (PrüfbV) – Description and assessment of the measures taken to prevent money laundering and the financing of terrorism, and fraudulent activities at the expense of the institution

(1) The auditor must describe in the audit report the measures taken by the obligated institution during the reporting period to prevent money laundering, terrorism financing, and other criminal activities. The auditor’s statements must cover all obligations listed in the capture form according to Annex 5.

(2) Regarding the measures taken, the auditor must assess in the audit report: a) their appropriateness, and b) their effectiveness, as far as this must be given according to Article 7 paragraph 2, Article 8 paragraph 1 sentence 1, Article 11 paragraphs 1 and 2, or Article 12 paragraph 1 sentence 1 of Regulation (EU) 2015/847.

(3) For parent companies of corporate groups, the auditor must also assess the measures according to § 9 of the Money Laundering Act to determine whether: a) the obligation under § 9 paragraph 1 sentence 1 of the Money Laundering Act to conduct a risk analysis was effectively fulfilled, and the measures according to § 9 paragraph 1 sentence 2 of the Money Laundering Act are effectively implemented or their effective implementation is ensured according to § 9 paragraph 1 sentence 3 of the Money Laundering Act, and b) in the case of § 9 paragraph 3 sentence 2 of the Money Laundering Act, it is ensured that the group-affiliated companies located in the respective third country take additional measures to effectively counteract the risk of money laundering and terrorism financing, and that the Federal Agency has been informed about the measures taken to this extent.

(4) The auditor must: a) in the assessment according to paragraphs 2 and 3, also address whether the risk analysis conducted by the institution as part of the risk management for preventing money laundering and terrorism financing according to § 5 of the Money Laundering Act corresponds to the actual risk situation of the institution, and b) in the assessment according to paragraph 2, also address whether the risk analysis required as part of the risk management for preventing criminal activities according to § 25h paragraph 1 of the Banking Act corresponds to the actual risk situation of the institution.

(5) Regarding the obligations of a credit institution in connection with the automated retrieval of account information according to § 24c of the Banking Act, the auditor must particularly address in the assessment according to paragraph 2 whether the procedures employed by the credit institution to fulfill these obligations ensure the accurate capture of the collected identification data with correct allocation to the respective account, deposit, or safe deposit box in the retrieval system.

(6) If the Federal Agency has issued orders to the obligated institution under the Money Laundering Act or the Banking Act that are related to the institution’s obligations to prevent money laundering, terrorism financing, and other criminal activities, the auditor must report on this within the scope of their presentation according to paragraph 1. Furthermore, the auditor must assess whether the obligated institution has properly followed these orders.

(7) In describing the measures taken to prevent money laundering and terrorism financing as well as other criminal activities according to paragraph 1, and in the assessment of these measures according to paragraphs 2 to 6, the auditor must consider the results of all internal audit examinations that have been conducted during the reporting period of the audit.

(8) In describing the risk situation of the institution, the auditor must also include the following information in Annex 5 based on the current and complete risk analysis of the institution:

  1. All high-risk products offered by the institution,
  2. The total number of customers of the institution, the percentage of low-risk customers and high-risk customers, and the number of politically exposed persons among the customers,
  3. Regarding the correspondence relationships of the institution as defined in § 1 paragraph 21 of the Money Laundering Act:
    a) The number of correspondence relationships of the institution with institutions located in a member state of the European Union or in another contracting state of the Agreement on the European Economic Area, and
    b) The number of correspondence relationships of the institution with institutions located in a third country, and of these correspondence relationships, the number of relationships the institution has with institutions located in a high-risk country as defined in § 15 paragraph 3 number 1 letter b of the Money Laundering Act,
  4. Regarding the branches, branch offices, and other subordinate companies of the institution:
    a) Their number domestically,
    b) Their number in other member states of the European Union and contracting states of the Agreement on the European Economic Area,
    c) Their number in third countries, and of these branches, branch offices, and other subordinate companies, the number of those located in high-risk countries as defined in § 15 paragraph 3 number 1 letter b of the Money Laundering Act, and
  5. The number of tied agents working for the institution domestically and the number of tied agents working for the institution abroad.

(9) The auditor must additionally enter and evaluate the essential results of their audit in a capture form according to Annex 5 of this regulation. The classification provided for the capture form must be used for the evaluation. If the respective underlying obligations are not relevant in individual cases with respect to the business activities of the institution, the auditor must note this with the statement F 5. The capture form is part of the audit report and must be completed in full. It must be submitted to the Federal Agency by the institution in every case, notwithstanding § 26 paragraph 1 sentence 4 of the Banking Act.

(10) The regulation on the audit interval according to § 26 paragraph 4 remains unaffected by the preceding paragraphs.