Money laundering prevention at capital management companies

With the "Act to Further Strengthen Investor Protection" of 9 July 2021, Section 45a, among others, was newly included in the German Investment Code (KAGB). This results in the obligation to audit the financial statements of alternative investment fund capital management companies (AIF-KVGen) subject to registration within the meaning of Section 1 (3) KAGB, which also includes an audit of compliance with money laundering requirements. The obligation to audit concerns annual financial statements and management reports for financial years beginning after 31 December 2020 (section 363 KAGB).

KVGs have been included in the group of obligated parties under the Money Laundering Act (GwG) since 2007 (Section 2 (1) No. 9 GwG). However, unlike KVGs that are subject to licensing, AIF KVGs that are only subject to registration are confronted with the money laundering-related audit obligation of an auditor for the first time as a result of the amendment to the law. According to the explanatory memorandum, this is intended to take into account the results of the First National Risk Analysis (2018/2019). This showed that there was no widespread awareness of the risks of money laundering and terrorist financing, even though these KVGs can manage alternative investments that pose an increased risk - for example in the real estate sector.

Auditors must check compliance with the obligations under the Money Laundering Act as part of the annual audit of the KVG (§ 45a para. 6 KAGB). The Federal Ministry of Finance (BMF) or the BaFin can issue a more specific regulation on the scope of the reporting, but this has not yet been done. Therefore, the auditor used the requirements of the Capital Investment Audit Report Ordinance (KAPrüfbV) for the first audit of the AIF-KVGs.

Pursuant to Section 13 of the KAPrüfbV, the auditor must determine whether the risk analysis prepared by the KVG corresponds to the specific money laundering risk situation of the KVG. In addition, the auditor must ensure that appropriate organisational measures have been taken to prevent money laundering and the financing of terrorism. In particular, the internal principles developed and updated by the KVG as well as the business and customer-related security systems and controls are to be mentioned here. In addition, the auditor must assess, among other things, whether the relevant employees have been sufficiently trained on the subject of money laundering and to what extent the KVG has fulfilled its customer-related due diligence obligations as well as its recording, storage and reporting obligations.

The auditor thus not only examines the mere existence of a comprehensive money laundering prevention system, but also whether it is risk-appropriate and effective.

In accordance with the risk-oriented approach of the AMLA, the required scope of the mandatory preventive measures is measured according to the individual risk of the German IMI with regard to money laundering and terrorist financing. The determination of this risk thus forms the starting point for the design of the individual measures. This requires a risk analysis in accordance with Section 5 AMLA, which in principle must be carried out in documented form by each party obligated under the AMLA with regard to its specific business.

In determining the respective risk, obligated parties must in particular take into account the risk factors listed in AMLA Annexes 1 and 2, which are supplemented by the Risk Factor Guidelines of the European Banking Authority (EBA). The information from the First National Risk Analysis (2018/2019) as well as the sector-specific risk analysis (2020) of the Federal Ministry of Finance based on it and the sub-national risk analysis of BaFin (2021) are also of importance. According to this, the money laundering risk of the securities sector as a whole was classified as "medium" and the risk specifically for the KVG sector as "medium to high". However, the National Risk Analysis also states that due to the considerable differences in the KVG business models, general statements on the money laundering threat of the sector do not allow any direct conclusions to be drawn on the threat situation of an individual KVG. For example, a particular threat situation is assumed for open-ended special real estate funds. Overall, the threat situation for money laundering and terrorist financing of the KVGs results from the specific business that is pursued. Concrete risks exist, for example, if an investor of the KVG or an invested property is domiciled in a country with a high risk of money laundering as defined by the European Commission. Furthermore, an increased risk may also result from the industry of the companies included in the KVG's portfolio.

The general duties of due diligence with regard to customers (Section 10 AMLA) include in particular the duty to identify contractual partners and, if applicable, for the appearing persons and beneficial owners before establishing a business relationship or carrying out a transaction. This requires a corresponding process that takes into account the requirements for proper identification under Section 11 and Section 12 AMLA. In addition to the investors, who are natural persons, in the case of legal persons it must be ensured that the acting person and the beneficial owner are also identified.

In practice, there is always uncertainty in this context as to whether other groups of persons must be identified in addition to the investors. These would be, for example, companies in which the KVG has invested or other contractual partners, such as external consultants. The uncertainties in this regard can be attributed above all to the wording of the AMLA, which only speaks generally of "contracting parties" in this context. However, in view of the title of the relevant 3rd section of the AMLA ("Due diligence obligations in relation to clients"), it can be assumed that these are purely client-related obligations. This is also in line with the EU Money Laundering Directive (2015/849), according to which the due diligence obligations explicitly relate only to customers. In this respect, the Risk Factor Guidelines (as of March 2021) published by the EBA and recognised by BaFin as administrative practice must also be taken into account, according to which only investors and distribution partners, for example credit or insurance institutions, are to be regarded as "customers" of a KVG. With regard to these, the due diligence obligations must therefore be fulfilled in a comprehensible manner.

KVGs subject to registration should take the extended audit obligations as an opportunity to subject their money laundering-related internal security measures to a critical review. Particular attention should be paid to the money laundering-related risk analysis. This forms the foundation of the money laundering prevention system and is an essential building block for the assessment of its adequacy and effectiveness by the auditor of the annual financial statements. If a risk analysis has not yet been carried out, the first step towards establishing compliance with money laundering law is to comprehensively document the risk situation and to derive risk-oriented internal security measures. These measures must adequately control and mitigate money laundering-related risks.

KPMG will be happy to support you in determining the specific money laundering risks in relation to your individual business and in developing a tailor-made protection concept. Contact us.