The Act for the Implementation of the 4th EU Money Laundering Directive of 23 June 2017 (Federal Law Gazette I (2017), p. 1822) has revised, almost 'under the radar', the central provision for credit and financial institutions when it comes to the prevention of "other criminal acts that may endanger the institution's assets" (Bundestag Paper 18/11555 of 17 March 2017, p. 176). Looking at the comments on this in the explanatory memorandum, one could be forgiven for thinking that this is an insignificant editorial revision of the previous provisions.
That is by no means the case.
Definition of transactions to be monitored and investigated
The definition of transactions subject to monitoring and investigation, which in the case of credit institutions have to be picked up by mandatory data processing systems, is actually being completely revised. The old law stated that circumstances that appeared "peculiar or unusual" were subject to the duty to investigate. This wording was criticised, and rightly so. It has now been replaced by a much clearer and more pragmatic definition: the monitoring systems must be able to identify payments-related business relations and individual transactions that "are especially complex or large by comparison with comparable cases, do not follow the standard pattern, or have no apparent economic or lawful purpose".
Duty to investigate and document transactions
The actual obligation to investigate under paragraph 3 of the provision no longer refers to "circumstances", but to all transactions that meet the above criteria. Regardless of section 15 German Money Laundering Act, individual transactions now have to be investigated using appropriate measures to be able to monitor and assess the risks inherent in said transaction – and no longer the risks "inherent in the respective business relationship or transaction" – and examine whether criminal charges need to be brought pursuant to section 158 German Code of Criminal Procedure.
The term "circumstances" is now only used in relation to the duty to document.
The investigated transaction, the investigations carried out, and the findings of the investigation are only to be documented, however, so that the institution can demonstrate that the investigation results do not suggest that a criminal act to the detriment of the institution was performed. This restriction to non-reported circumstances appears logical to begin with because, in the other case, the criminal charges constitute sufficient documentation of the investigation carried out and its findings.
However, the wording is unfortunate in that it implies that, conversely, all circumstances that suggest that a criminal act has been committed to the detriment of the institution have to be reported. But this is not the case by law: unlike with suspicion of money laundering, there is no duty to report. For overriding reasons – e.g. for employment-related reasons or reasons to do with possible reputational damage, which can prove far more expensive than the criminal act itself – an institution can refrain from reporting damage resulting from criminal acts. On a proper interpretation of the provision, this decision would also have to be transparently documented.
Changes regarding the transmission of information and prevention measures
As a result of the reference to section 47(5) German Money Laundering Act, institutions are additionally authorised, also in scenarios in which criminal acts are suspected, to transmit information to each other provided that such information is also required by the respective other institution for the purposes of crime prevention. The earmarking of the transmission of information under data protection law is now considerably less ambiguously worded than in the earlier version of the law, since it is sufficient that the identified peculiar or unusual circumstances suggest "other criminal acts" than money laundering, one of its predicate offences or terrorist financing.
Although the much criticised expression "peculiar or unusual circumstances" appears in this context, this recourse to vague and practically indeterminable legal terms can be tolerated in connection with the specified new definition of risk.
Finally, what is also new is that the outsourcing of prevention measures no longer requires approval by the Federal Financial Supervisory Authority (BaFin), but instead can be done after prior notification based on a decision of the institution on its own responsibility. This is only logical, given that the institution remains responsible for the performance of its duties. If the outsourced safeguards are not properly carried out, or the responsible party's ability to control is impaired, the Federal Financial Supervisory Authority can require that the safeguards be transferred back to the party originally responsible (now para. 4).
The same applies if the Federal Financial Supervisory Authority regards its monitoring abilities as impaired.
Conclusion
In addition to these changes, which are significant in practice, section 25h German Banking Act is more clearly worded on the whole, and several overlaps with the Money Laundering Act have been removed. "Procedures and policies" are now finally referred to as internal safeguards, by means of which reference is made to the entire canon of possible measures in section 6 German Money Laundering Act. This change in wording also clarifies the integration into the risk management: Internal safeguards are part of the legal definition of risk management in section 4(2) German Money Laundering Act, which means that the incorporation of crime prevention into risk management is now also reflected in the wording of the Act. This entails the strengthening of the risk-based approach when it comes to the prevention of criminal offences.