Performance of due diligence by third parties

The landscape of Anti-Money Laundering (AML) compliance has been significantly shaped by the provisions of the 4th AML Directive (Directive (EU) 2015/849), the German Anti-Money Laundering Act (Geldwäschegesetz – GwG), and the BaFin-Interpretation and Application Guidance. These regulations collectively underscore the role of third parties in the effective performance of due diligence obligations. This article offers a comprehensive overview of how Articles 25 to 29 of the 4th AMLD, Section 17 of the GwG, and Chapter 8 of the BaFin Guidance navigate the complexities of third-party involvement in due diligence processes.

The 4th AMLD sets a foundational framework for the involvement of third parties in due diligence:

  • Article 25 introduces the concept of third-party reliance for due diligence, placing the ultimate responsibility on the obliged entity.
  • Articles 26 to 29 further define the scope and limitations of this reliance, emphasizing the need for third parties to adhere to equivalent AML standards and setting out conditions for compliance at a group level.

The GwG, particularly Section 17, aligns with the 4th AMLD, providing detailed guidelines on third-party involvement:

  • It outlines the conditions under which obliged entities may engage third parties for due diligence.
  • The section further delineates the categories of eligible third parties and the restrictions on engaging entities from high-risk countries.
  • It emphasizes the importance of direct and timely information transmission from third parties to obliged entities, ensuring transparency and accountability.

The BaFin-Interpretation and Application Guidance offers practical applications of these regulations within the German context:

  • It distinguishes between different types of third-party arrangements, including those without separate contractual bases and those involving outsourcing or sub-outsourcing.
  • The guidance highlights the importance of maintaining ultimate responsibility for compliance, despite the delegation of certain tasks.
  • It also addresses the nuances of due diligence performance, especially in relation to politically exposed persons (PEPs) and the transmission of identification data.

Best Practices

  • Vigilant Selection: Choose third-party providers that demonstrate compliance with AML standards equivalent to those required by the 4th AMLD and GwG.
  • Contractual Clarity: Define clear contractual terms that outline the obligations and responsibilities of third parties.
  • Ongoing Monitoring: Continuously assess the performance of third parties to ensure they meet the required due diligence standards.
  • Documentation and Reporting: Keep detailed records of all due diligence activities performed by third parties for accountability and regulatory compliance.

The performance of due diligence by third parties, as governed by the 4th AMLD, the German GwG, and the BaFin Guidance, offers a strategic pathway for entities to fulfill their AML obligations effectively. Understanding and implementing these provisions is crucial for maintaining a robust and compliant AML framework. By leveraging third-party expertise within the defined regulatory boundaries, obliged entities can enhance their due diligence processes while ensuring compliance with the highest AML standards.

4th AMLD

The 4th AMLD (Directive (EU) 2015/849) introduces pivotal norms for the performance of customer due diligence by third parties. Articles 25 to 29 of the 4th AMLD provide a comprehensive framework for Member States and obliged entities to understand and implement these regulations effectively. In this article, we delve into the intricacies of these articles, emphasizing their significance in enhancing AML efforts across the European Union.

Delegating Due Diligence to Third Parties

Article 25 opens the gate for Member States to allow obliged entities to delegate customer due diligence responsibilities to third parties. This provision is a game-changer in the AML domain, offering flexibility in due diligence processes. However, it firmly places the ultimate accountability for due diligence on the obliged entities, ensuring a robust AML framework.

Defining Third Parties and Restricting High-Risk Relationships

Article 26 of the 4th AMLD plays a crucial role in defining "third parties" and setting boundaries for their operation. It categorically prohibits the reliance on third parties based in high-risk third countries, with certain exemptions. This article ensures that the integrity of the AML framework is maintained by limiting exposure to high-risk jurisdictions.

Information Exchange between Obliged Entities and Third Parties

Under Article 27, there is an emphasis on the flow of information between obliged entities and third parties. This provision ensures that obliged entities have access to essential due diligence information, bolstering transparency and efficiency in the fight against money laundering and terrorist financing.

Compliance through Group Programmes

Article 28 addresses the compliance aspects for entities operating within group structures. It outlines conditions under which an entity can be considered compliant through its group programme, facilitating a coordinated approach to AML compliance across different jurisdictions.

Exclusions for Outsourcing and Agency Relationships

Article 29 provides clarity on the scope of the directive, stating that these provisions do not apply to outsourcing or agency relationships. This distinction is vital for entities in structuring their AML strategies and ensuring compliance with the 4th AMLD.

The 4th AMLD, through Articles 25 to 29, offers a nuanced approach to the involvement of third parties in AML processes. By setting clear guidelines and responsibilities, it reinforces the European Union’s commitment to preventing money laundering and terrorist financing. These articles are instrumental for obliged entities in understanding their roles and obligations in the broader context of AML compliance. As the regulatory landscape continues to evolve, staying abreast of these directives remains crucial for all stakeholders in the financial sector.

5th AMLD

Article 1(14) amends Article 27, paragraph 2, of the 4th AMLD, Directive (EU) 2015/849. The revision requires Member States to ensure that obliged entities, upon receiving a customer referred by a third party, take adequate steps to obtain immediate access to specific types of identification and verification data. This data includes information obtained through electronic identification means and relevant trust services, in accordance with the eIDAS Regulation (Regulation (EU) No 910/2014), or any other secure, remote, or electronic identification process recognized by national authorities.

Impact on Third-Party Performance

The amendment significantly impacts how third parties perform in the AML framework. It emphasizes the importance of swift and efficient access to electronic and digital forms of identification, reflecting the growing reliance on technology in financial transactions. This change ensures a more robust, secure, and modern approach to customer due diligence.

Compliance Challenges and Opportunities

With this amendment, obliged entities face the challenge of integrating advanced technological solutions into their due diligence processes. However, this also presents an opportunity for entities to upgrade their systems, enhance security, and ensure a higher standard of compliance.

Strategies for Effective Implementation

Entities must now focus on developing strategies that incorporate electronic identification methods. This includes investing in technology that aligns with EU standards and ensures quick access to verification data. Collaboration with third parties that are technologically equipped to handle these requirements becomes crucial.

Article 1(14) of the 5th AMLD marks a significant step towards modernizing AML compliance, particularly in the performance of third parties. By mandating quick access to electronic and digital verification data, it paves the way for a more secure, efficient, and technology-driven approach to fighting money laundering and terrorist financing. For obliged entities, staying ahead means adapting to these changes, investing in technology, and fostering partnerships that align with these new standards.


In the digital era, the concepts of Electronic Identification (eID) and Trust Services are pivotal in facilitating secure online transactions and services. Under the eIDAS-Regulation (Regulation (EU) No 910/2014), these terms are defined and regulated to ensure a standardized and secure framework across the European Union. This article delves into the definitions of Electronic Identification and Trust Services as outlined in Article 1 (3) and Article 1 (16) of the eIDAS Regulation, highlighting their importance in the digital landscape.

What is Electronic Identification?

Electronic Identification, as defined in eIDAS, refers to the process of using electronic data to uniquely identify a natural or legal person, or a natural person representing a legal entity. This innovative approach to identification plays a crucial role in enhancing the security and efficiency of online services, providing a reliable means for individuals and organizations to prove their identity in the digital realm.

The Role of Trust Services

Trust Services under eIDAS encompass a range of electronic services, often provided for remuneration, that ensure the integrity and security of online transactions. These include:

  • Creation, verification, and validation of electronic signatures and seals, ensuring the authenticity of digital documents.
  • Electronic time stamps that provide a reliable record of time for digital actions.
  • Services related to electronic registered delivery, guaranteeing the secure transfer of electronic data.
  • Certificates for website authentication, enhancing trust and security in e-commerce and online interactions.

Impact on Digital Transactions and Services

The implementation of eID and Trust Services under eIDAS significantly impacts the way digital transactions and services are conducted within the EU. By providing a standardized framework, it fosters trust and confidence among users, enabling a seamless and secure digital experience. This regulation paves the way for increased efficiency, reduced fraud, and enhanced user authentication processes.

Strategies for Compliance and Implementation

Businesses and service providers must adopt strategies that align with eIDAS requirements to leverage these technologies effectively. This involves integrating compliant electronic identification methods and trust services into their digital platforms, ensuring the security and authenticity of their online offerings.

The eIDAS Regulation, through its clear definitions and regulatory framework for Electronic Identification and Trust Services, marks a significant step in the digital transformation of the European Union. By standardizing and securing online identification and transactions, it empowers businesses and consumers alike, fostering a more connected, efficient, and secure digital Europe.

German GwG

In the realm of financial compliance, the German Anti-Money Laundering Act (Geldwäschegesetz – GwG) sets forth rigorous guidelines for combating money laundering and terrorist financing. A crucial aspect of this legislation is Section 17, which addresses the performance of due diligence by third parties. Understanding these regulations is essential for entities obliged under the GwG to ensure adherence to anti-money laundering (AML) standards. This article provides an insight into Section 17 of the GwG, elucidating the role of third parties in due diligence processes.

Overview

Section 17 of the German Anti-Money Laundering Act permits obliged entities to engage third parties for fulfilling general due diligence requirements. This provision aims to facilitate a more flexible and efficient approach to compliance while maintaining high standards of AML and Know Your Customer (KYC) procedures.

Criteria for Third-Party Engagement

  • Third parties must be obliged entities under GwG or similar entities in other EU states, or in third countries with equivalent due diligence standards.
  • Ultimate responsibility for due diligence still resides with the obliged entity, ensuring accountability in the AML process.

Restrictions on High-Risk Third Countries

  • Section 17 stipulates a critical restriction: obliged entities are prohibited from engaging third parties established in high-risk third countries, with specific exemptions for EU-based branches and subsidiaries.

Information Transmission and Verification

  • Third parties are required to comply with GwG provisions, obtain necessary due diligence information, and promptly transmit this to the obliged entity. This ensures a seamless flow of vital compliance information.

Group-Level Compliance and Outsourcing

  • The section also covers scenarios where third parties are part of the same corporate group, detailing compliance requirements at the group level.
  • Additionally, it allows for contractual outsourcing of due diligence measures, subject to strict guidelines to maintain the integrity of the compliance process.

Adhering to Compliance Standards

  • Section 17 of the GwG emphasizes the need for thorough vetting and continuous oversight of third parties and outsourced entities to ensure they meet the necessary compliance standards.

Section 17 of the German Anti-Money Laundering Act provides a comprehensive framework for the engagement of third parties in due diligence processes. It balances flexibility in the compliance approach with stringent regulations to uphold the highest standards of AML practices. For obliged entities, understanding and implementing these provisions are key to maintaining regulatory compliance and fostering a robust AML environment.

BaFin-Interpretation and Application Guidance on the German GwG

Navigating the complexities of compliance under the German Anti-Money Laundering Act (Geldwäschegesetz – GwG) demands a thorough understanding of how obligations can be fulfilled through third parties and contractual outsourcing. Chapter 8 of the BaFin Interpretation and Application Guidance on the German GwG offers critical insights into these aspects. This article delves into the nuances of using third parties without a separate contractual basis, transferring due diligence obligations contractually (outsourcing), and the intricacies of sub-outsourcing, providing a roadmap for entities looking to ensure compliance while leveraging external resources.

Use of Third Parties Without a Separate Contractual Basis

Under the GwG, obliged entities can engage third parties to fulfill due diligence obligations without a separate contractual basis. This includes:

  • Entities within Germany and the EU, as well as third countries with equivalent due diligence standards.
  • Utilization of third parties belonging to the same group, ensuring they adhere to the Fourth Money Laundering Directive or equivalent provisions.
  • Involvement of branches and subsidiaries in high-risk third countries, conditional on their adherence to group policies and procedures.

This approach simplifies compliance processes by allowing entities to rely on existing, compliant third-party frameworks without the need for additional contractual arrangements.

Transfer of Due Diligence Obligations on a Contractual Basis (Outsourcing)

Contractual outsourcing involves transferring the implementation of due diligence measures to other persons or entities. Key aspects include:

  • Contracted entities act as vicarious agents, but the primary responsibility remains with the obliged entity.
  • Suitability of these entities is determined based on reliability and the effectiveness of their due diligence measures.
  • Outsourcing to entities outside Germany is permissible, barring those in high-risk third countries.

This process allows obliged entities to extend their compliance reach efficiently, ensuring that all measures adhere to the standards set by the GwG.

Sub-Outsourcing

Sub-outsourcing involves further delegating the implementation of due diligence obligations by contracted parties to other entities. Essential considerations include:

  • Ensuring all parties involved meet the requirements of the GwG.
  • Contractually mandating compliance with due diligence obligations and allowing for oversight by the obliged entity and its supervisory authority.
  • Maintaining the integrity of the compliance process through thorough vetting and continuous monitoring.

This level of outsourcing adds layers to the compliance process but requires rigorous oversight to ensure adherence to the GwG’s standards.

Chapter 8 of the BaFin Interpretation and Application Guidance on the German GwG provides a comprehensive framework for fulfilling obligations through third parties and contractual outsourcing. Whether using third parties without a separate contractual basis, transferring obligations through outsourcing, or engaging in sub-outsourcing, obliged entities must navigate these options carefully to maintain compliance. Understanding these guidelines is crucial for entities operating under the German Anti-Money Laundering Act, ensuring effective and efficient adherence to AML regulations.