Contents
Annex 5 to Section 27 of the German Audit Report Regulation (PrüfbV)
The latest version of AML/CTF Checklist combines the content of the existing AML obligations in the German Money Laundering Act (GwG) and the German Banking Act (KWG). The checklist is a translation of the Annex 5 to Section 27 of the German Audit Report Regulation (PrüfbV).
Obliged entity: _______
Reporting period: _______
Examination date: _______
On-site audit manager: _______
A. Information on the following risk factors based on the obliged entities latest and complete risk assessment:
- List of all high-risk products offered (according to risk assessment):
- Number of customers: ___ _______
- Proportion of customers with low risk __.__%
- Proportion of customers with high risk __.__%
- Number of politically exposed persons (Contracting parties, beneficial owners) _____
- Number of correspondence relationships with companies based in:
- EU/EEA states _____
- Third Countries _____ thereof in High-Risk Third Countries (HRTC) _____
- Number of branches/branch offices/ subsidiaries:
- Domestic _____
- In other EU/EEA countries _____
- In third countries _____ of which in High-Risk Third Countries (HRTC) _____
- Number of people working as tied agent for the obliged entity:
- Domestic _____
- Abroad _____
B. Classification of audit findings
The on-site audit manager is responsible for the classification of audit findings.
- F0 – No defects
- F1 – Minor defects
- F2 – Moderate defects
- F3 – Serious defects
- F4 – Very serious defects
- F5 – Not Applicable (N/A)
- An F0 finding describes a complete absence of norm violations.
- An F1 finding describes a violation of the norm with a slight impact on the effectiveness of the preventive measure or precautionary measure.
- An F2 finding describes a violation of the norm with noticeable effects on the effectiveness of the preventive measure or precautionary measure.
- An F3 finding describes a violation of the norm with clear effects on the effectiveness of the preventive measure or precautionary measure.
- An F4 finding describes a violation of the norm that significantly impairs or completely eliminates the effectiveness of the preventive measure or precautionary measure.
- An F5 finding describes the inapplicability of the examination area in the audited institute.
AML/CTF Checklist
| No. | Regulation | Audit requirements | Finding | Location |
| A. Money Laundering/ Terrorist Financing | ||||
| I. Internal Safeguards | ||||
| 1. | Section 5 (1) and 2 GwG | Preparation, documentation, review and, if necessary, updating of a risk assessment with regard to Money Laundering and Terrorist Financing | ||
| 2. | Section 6 (2) Nos. 1 and (4), (5) GwG | Implementation of Internal Safeguards with regard to Money Laundering and Terrorist Financing | ||
| 3. | Section 6 (2) No. 2 i. V. m. Section 7 GwG | Fulfilment of duties relating to the Anti-Money Laundering Officer (appointment, notification, equipment, controls) | ||
| 4. | Section 6 (2) No. 5 GwG | Conducting background checks | ||
| 5. | Section 6 (2) No. 6 GwG | Carrying out training and informing employees | ||
| 6. | Section 6 (2) No. 7 GWG | Conducting internal audit audits regarding measures to prevent Money Laundering and Terrorist Financing | ||
| 7. | Section 25h (2) KWG | Creation and operation of a IT monitoring system | ||
| 8. | Section 6 (7) GwG | Contractual outsourcing of Internal Safeguards | ||
| II. Customer-related due diligence obligations | ||||
| 9. | Section 10 (2) GwG, Section 14 (1) GwG, Section 15 (2) GwG | Conducting risk assessments of business relationships and transactions | ||
| 10. | Section 10 (1) No. 1 (in conjunction with Sections 11 to 13 GwG, Section 25j KWG), Section 10 (9) GwG | Identification of the contracting party and the persons acting on their behalf (including non-performance/termination obligation) | ||
| 11 . | Section 10 (1) No. 2 GwG (in conjunction with Section 11 (1) and (5) GwG), Section 10 (9) GwG | Clarification and, if necessary, identification of the beneficial owners (including non-performance/termination obligation) | ||
| 12. | Section 10 (1) No. 3 GwG, Section 10 (9) GwG | Obtaining information on the purpose/type of the business relationship (including non-execution/termination obligation) | ||
| 13. | Section 10 (1 No. 4 GwG, Section 10 (9 GwG | Clarification of politically exposed person status (including non-implementation/termination obligation) | ||
| 14. | Section 10 (1) No. 5 Sentence 1 GwG | Ongoing monitoring of business relationships (unless covered by Section 25h Para. 2 KWG) | ||
| 15. | Section 10 (1) No. 5 Sentence 2 GwG | Carrying out updates | ||
| 16. | Section 14 (1) and (2) GwG | Implementation of simplified due diligence obligations (documentation, appropriateness of measures) | ||
| 17. | Section 15 (1) to (7), (9) i. V. m. Section 10 (9) GwG, Section 25k KWG | Implementation of enhanced due diligence obligations (documentation, appropriateness of measures) | ||
| 18. | Section 17 (1) to (7) GwG | Execution of due diligence obligations by third parties and contractual outsourcing | ||
| 19. | Section 25i KWG | Fulfilling due diligence obligations regarding electronic money | ||
| III. Other duties | ||||
| 20. | Section 6 (6) GwG | Organization and fulfilment of the information obligation | ||
| 21. | Section 8 GwG | Record keeping and retention | ||
| 22. | Section 9 i. V. m. Section 5 (3) GwG | Carrying out group-wide duties | ||
| 23. | Section 43 GwG i. V. with Section 47 (1) to (4) GwG | Implementation of the Suspicious Activity Reporting (SAR) procedure (including compliance with the ban on passing on information) | ||
| 24. | Section 6 (8) and 9, Section 7 (3, Section 9 (3) Sentence 3, Section 15 (8) GwG, Section 28 (1) Sentence 2 No. 5 GwG, Section 39 (3) GwG, Section 40 (1) Sentence 2 No. 3 GwG, Section 6a KWG, Section 25h (5) KWG, Section 25i (4) KWG | Compliance with orders | ||
| 25. | Section 25m KWG | Compliance with business prohibitions | ||
| B. Other criminal acts within the meaning of Section 25h KWG | ||||
| 26. | Section 25h (1) KWG | Creation, documentation, review and, if necessary, updating of a risk assessment in relation to other criminal acts | ||
| 27. | Section 25h (1) KWG | Implementation of Internal Safeguards in relation to other criminal acts | ||
| 28. | Section 25h (1) KWG | Carrying out audits by the internal audit department with regard to measures to prevent other criminal acts | ||
| 29. | Section 25h (2) KWG | Operating and updating IT monitoring systems | ||
| 30. | Section 25h (3) Sentence 1 and 2 KWG i. V. m. Section 8 GwG | Carrying out the obligation to examine | ||
| 31. | Section 25h (4) KWG | Contractual outsourcing of Internal Safeguards | ||
| 32. | Section 25h (5) KWG | Compliance with orders | ||
| 33. | Section 25h (7) KWG i. V. m. Section 7 GwG | Execution of the tasks of the central office (permissible omission if necessary) | ||
| C. Regulation (EU) 2015/847 on information accompanying transfers of funds | ||||
| 34. | Regulation (EU) 2015/847 | Obligations under Regulation (EU) 2015/847 | ||
| 35. | Section 25g Para. 3 KWG | Compliance with orders relating to obligations under Regulation (EU) 2015/847 | ||
| D. Automated retrieval of account information | ||||
| 36. | Section 24c KWG | Obligations of the credit institution in connection with the automated retrieval of account information | ||
Section 27 of the German Audit Report Regulation (PrüfbV) – Description and assessment of the measures taken to prevent money laundering and the financing of terrorism, and fraudulent activities at the expense of the institution
(1) The auditor must describe in the audit report the measures taken by the obligated institution during the reporting period to prevent money laundering, terrorism financing, and other criminal activities. The auditor’s statements must cover all obligations listed in the capture form according to Annex 5.
(2) Regarding the measures taken, the auditor must assess in the audit report: a) their appropriateness, and b) their effectiveness, as far as this must be given according to Article 7 paragraph 2, Article 8 paragraph 1 sentence 1, Article 11 paragraphs 1 and 2, or Article 12 paragraph 1 sentence 1 of Regulation (EU) 2015/847.
(3) For parent companies of corporate groups, the auditor must also assess the measures according to § 9 of the Money Laundering Act to determine whether: a) the obligation under § 9 paragraph 1 sentence 1 of the Money Laundering Act to conduct a risk analysis was effectively fulfilled, and the measures according to § 9 paragraph 1 sentence 2 of the Money Laundering Act are effectively implemented or their effective implementation is ensured according to § 9 paragraph 1 sentence 3 of the Money Laundering Act, and b) in the case of § 9 paragraph 3 sentence 2 of the Money Laundering Act, it is ensured that the group-affiliated companies located in the respective third country take additional measures to effectively counteract the risk of money laundering and terrorism financing, and that the Federal Agency has been informed about the measures taken to this extent.
(4) The auditor must: a) in the assessment according to paragraphs 2 and 3, also address whether the risk analysis conducted by the institution as part of the risk management for preventing money laundering and terrorism financing according to § 5 of the Money Laundering Act corresponds to the actual risk situation of the institution, and b) in the assessment according to paragraph 2, also address whether the risk analysis required as part of the risk management for preventing criminal activities according to § 25h paragraph 1 of the Banking Act corresponds to the actual risk situation of the institution.
(5) Regarding the obligations of a credit institution in connection with the automated retrieval of account information according to § 24c of the Banking Act, the auditor must particularly address in the assessment according to paragraph 2 whether the procedures employed by the credit institution to fulfill these obligations ensure the accurate capture of the collected identification data with correct allocation to the respective account, deposit, or safe deposit box in the retrieval system.
(6) If the Federal Agency has issued orders to the obligated institution under the Money Laundering Act or the Banking Act that are related to the institution’s obligations to prevent money laundering, terrorism financing, and other criminal activities, the auditor must report on this within the scope of their presentation according to paragraph 1. Furthermore, the auditor must assess whether the obligated institution has properly followed these orders.
(7) In describing the measures taken to prevent money laundering and terrorism financing as well as other criminal activities according to paragraph 1, and in the assessment of these measures according to paragraphs 2 to 6, the auditor must consider the results of all internal audit examinations that have been conducted during the reporting period of the audit.
(8) In describing the risk situation of the institution, the auditor must also include the following information in Annex 5 based on the current and complete risk analysis of the institution:
- All high-risk products offered by the institution,
- The total number of customers of the institution, the percentage of low-risk customers and high-risk customers, and the number of politically exposed persons among the customers,
- Regarding the correspondence relationships of the institution as defined in § 1 paragraph 21 of the Money Laundering Act: a) The number of correspondence relationships of the institution with institutions located in a member state of the European Union or in another contracting state of the Agreement on the European Economic Area, and b) The number of correspondence relationships of the institution with institutions located in a third country, and of these correspondence relationships, the number of relationships the institution has with institutions located in a high-risk country as defined in § 15 paragraph 3 number 1 letter b of the Money Laundering Act,
- Regarding the branches, branch offices, and other subordinate companies of the institution: a) Their number domestically, b) Their number in other member states of the European Union and contracting states of the Agreement on the European Economic Area, c) Their number in third countries, and of these branches, branch offices, and other subordinate companies, the number of those located in high-risk countries as defined in § 15 paragraph 3 number 1 letter b of the Money Laundering Act, and
- The number of tied agents working for the institution domestically and the number of tied agents working for the institution abroad.
(9) The auditor must additionally enter and evaluate the essential results of their audit in a capture form according to Annex 5 of this regulation. The classification provided for the capture form must be used for the evaluation. If the respective underlying obligations are not relevant in individual cases with respect to the business activities of the institution, the auditor must note this with the statement F 5. The capture form is part of the audit report and must be completed in full. It must be submitted to the Federal Agency by the institution in every case, notwithstanding § 26 paragraph 1 sentence 4 of the Banking Act.
(10) The regulation on the audit interval according to § 26 paragraph 4 remains unaffected by the preceding paragraphs.