§43 GwG — filing SARs in Germany via goAML
§43 of Germany’s Geldwäschegesetz is the SAR-filing rule — and the seam where banking-as-a-service constructions break in surprising ways. When a fintech distributes regulated payment services through a partner credit institution, the filing obligation is split: both entities are obligated subjects, both run alert-generation, and both can owe a SAR on the same underlying transaction. BaFin and FIU Germany have published explicit guidance for this construct. Misreading the guidance is one of the most common AML enforcement findings against German fintech-bank stacks.
1. What FIU Germany is
FIU Germany is the German financial-intelligence unit. It sits administratively at the Generalzolldirektion (Federal Customs Authority) — a structurally distinct choice from most EU member states, where FIUs sit under the Ministry of Finance or Justice. Its operational mandate is independent.
The legal framework is the Geldwäschegesetz (GwG) — the German transposition of the EU AML directives, most recently rewritten in 2017 and amended through the Sixth Directive transposition. The supervisor of compliance is split: BaFin for credit institutions, EMIs, PIs, investment firms, insurers and CASPs; the Federal States’ authorities for non-financial obligated subjects. FIU Germany itself does not supervise.
2. Who must file
§2 GwG lists obligated subjects (Verpflichtete). The fintech-relevant categories are:
- Credit institutions and branches of foreign credit institutions
- Electronic-money institutions and payment institutions, including those passporting into Germany
- Investment firms under MiFID II
- Crypto-asset service providers (under the prior KWG registration regime, and now MiCA-authorised CASPs)
- Crowdfunding service providers
- Insurance intermediaries and life insurers
For passporting EMIs / PIs, German activity triggers the obligation. The home-state filing covers home-state activity; German Verdachtsmeldungen go to FIU Germany — see our AML representative across the EU piece for how the named-person obligation interacts.
3. §43 in plain terms
§43(1) GwG is the SAR rule. An obligated subject must file a Verdachtsmeldung when there are Tatsachen — facts — indicating that:
- A transaction or asset is connected to a predicate offence relevant to money-laundering
- A transaction is connected to terrorism-financing
- A counterparty has failed to provide identification information consistent with the AML rules
4. The goAML Germany channel
FIU Germany uses the United Nations Office on Drugs and Crime’s goAML platform — the same software family as FIU-Nederland. The channel is mandatory: paper or email submissions are not accepted.
- Each obligated subject registers a goAML organisation account.
- Named individuals are authorised to file. The Geldwäschebeauftragter (the AML officer) is typically the registered submitter.
- Submissions can be manual through the web UI or structured XML through the API.
- Acknowledgements are returned with a FIU reference.
- FIU Germany may request follow-up information through the platform.
5. The BaaS / fintech-bank stack — where it gets complicated
Many German fintechs operate through a partner credit institution that provides the underlying licence — a banking-as-a-service construction. Both the fintech and the partner bank are typically obligated subjects under §2 GwG, each with their own AML duties. The question of who files what was a recurring source of inconsistency until BaFin and FIU Germany published joint guidance.
The current operational principle:
- The partner bank is the obligated subject for the regulated-payment-service activity.
- The fintech is also an obligated subject if it independently exercises a regulated function (e.g., conducting customer due diligence on its own behalf).
- Both run alert-generation, but the SAR is filed by the entity with the relationship to the underlying customer at the point of the suspicious facts.
- Coordination between the two is documented in the BaaS contract — which BaFin will read in any inspection.
The Article 30 contractual clauses required under DORA overlap with the AML coordination obligations: the same contract must address both ICT-resilience and AML allocation. Drafting them in isolation produces inconsistencies that BaFin will identify.
6. Timing — without delay
§43(1) requires reporting “unverzüglich” — without culpable delay. The standard is interpreted strictly. In practice:
- Genuine red-flag SARs — submitted within hours.
- Investigation-derived SARs — submitted within days, not weeks.
- Late filings are a common BaFin finding under §56 GwG and can result in administrative fines on the entity and on the named Geldwäschebeauftragter personally.
7. The 3-day freeze rule (§46 GwG)
Unlike most EU jurisdictions, §46 GwG includes an explicit short-term freeze obligation. When a transaction is reported under §43 and FIU Germany has not provided a release, the obligated subject must not execute the transaction for up to three working days. This gives the FIU time to assess and, where appropriate, instruct law enforcement to seize.
The operational implications:
- Payment-processing systems must support a “hold” state on transactions associated with an open SAR.
- Customer communications must respect tipping-off rules (the customer cannot be told the transaction is held because of a SAR).
- Release after three working days is automatic if FIU Germany has not extended the hold.
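A minimal sketch of the hold state described above, as an added example and not code from any real payment system. The class, field and method names are hypothetical. It assumes a working day is Monday to Friday outside a caller-supplied holiday set, and that counting starts the day after filing. Confirm both against the statute before relying on them.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional

class State(Enum):
    PENDING = "pending"    # eligible for execution
    HELD = "held"          # blocked by an open SAR
    EXECUTED = "executed"

def add_working_days(start, n, holidays=frozenset()):
    """Assumption: working day = Mon-Fri not in `holidays`; count starts the day after `start`."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:
            n -= 1
    return d

@dataclass
class Payment:
    payment_id: str
    state: State = State.PENDING
    sar_ref: Optional[str] = None      # internal only, never exposed to the customer
    hold_until: Optional[date] = None  # last day on which the hold still applies
    extended: bool = False             # set when the FIU extends the hold

    def place_hold(self, sar_ref, filed_on, holidays=frozenset()):
        self.state, self.sar_ref = State.HELD, sar_ref
        self.hold_until = add_working_days(filed_on, 3, holidays)

    def fiu_extend(self):
        self.extended = True

    def tick(self, today):
        # Automatic release once the three working days have passed without an extension.
        if self.state is State.HELD and not self.extended and today > self.hold_until:
            self.state = State.PENDING
        return self.state

    def execute(self):
        if self.state is not State.PENDING:
            return False               # the hold gate: a held payment never executes
        self.state = State.EXECUTED
        return True

    def customer_view(self):
        # Tipping-off safe: HELD looks identical to PENDING and no SAR data leaves the system.
        status = "executed" if self.state is State.EXECUTED else "processing"
        return {"payment_id": self.payment_id, "status": status}
```

Run `tick()` from a daily scheduler, and expose only `customer_view()` to customer-facing tooling and support consoles.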
8. Tipping-off rules
§47 GwG criminalises informing the customer (or any third party) that a SAR has been filed or is being considered. The penalty is up to five years’ imprisonment and a fine. The prohibition extends to internal communications and customer-facing tooling — see our FIU-Nederland piece for the parallel Dutch regime.
9. BaFin’s role
FIU Germany receives and analyses SARs. BaFin supervises whether the firm has the right framework to detect and file them. The split mirrors the Dutch DNB / FIU-Nederland and French ACPR / TRACFIN architectures.
- BaFin inspections look at the SAR-filing track record, sample alert investigations, and assess the adequacy of the AML governance.
- The named Geldwäschebeauftragter can be sanctioned personally under §56 GwG.
- FIU Germany feedback to BaFin on data-quality issues is a recognised input into supervisory ratings.
10. FAQ
I am a fintech using a partner bank’s licence — must I file SARs myself?
If you exercise an independent regulated function (notably running your own customer due diligence) you are an obligated subject under §2 GwG and you have a §43 obligation. The partner bank is also obligated. Coordination of who files what is documented in the BaaS contract; BaFin will read it.
What is the difference between §43 and §44 GwG?
§43 is the obligation to file a SAR. §44 is the protection from civil and criminal liability for filings made in good faith — a “safe harbour” for the obligated subject and the named individual.
Is the Geldwäschebeauftragter mandatory?
Yes, under §7 GwG, for most obligated subjects. The role carries personal liability. Outsourcing is permitted only where BaFin accepts the arrangement, and it is the strictest of the six core EU jurisdictions on this point.
Does the freeze apply to all SARs?
§46 applies to transactions where execution is imminent and the SAR is filed before settlement. SARs filed after the transaction has settled do not trigger the freeze — the FIU must proceed via other measures.
How do German SARs interact with EU sanctions screening?
Sanctions matches are a separate regime, supervised by BaFin and the federal authorities. A sanctions match triggers an asset freeze under EU sanctions law, not a §43 SAR — though the same fact pattern may also produce a §43 SAR. The two run in parallel; see our sanctions-screening at instant-payment speed piece.
How long must SAR records be kept?
Five years from the date of the report under §8 GwG. Records of investigations that did not result in a SAR follow the general AML retention period of five years from the end of the customer relationship.
11. What to do, today
- Designate the Geldwäschebeauftragter and a deputy before German activity starts; notify BaFin.
- Register a goAML Germany organisation account and configure the named submitter.
- Calibrate transaction-monitoring rules to the §43 “Tatsachen” standard — concrete factual triggers, not generic suspicion patterns.
- If you operate as part of a BaaS / fintech-bank stack, document who-files-what in the contract and align with the partner bank’s AML team.
- Build the §46 three-day-freeze capability into payment processing — this is a German specificity that most EU-multi-country systems do not handle out of the box.


