
While financial institutions are, on the one hand, preparing to implement and apply the fundamental amendments and changes that the EU AML Package will bring in the upcoming years (entering into force mainly in mid-2027), there are, on the other hand, signs of a relaxation of AML compliance requirements in the US. Meanwhile, the Federal Financial Services Authority ("BaFin") published a remarkable sanctions decision in a case where a payment institution was penalized for failing to establish and maintain a proper business organization in the area of detection of suspicious transactions. BaFin, the German regulator, argued that the obliged entity regularly filed "unsubstantiated" suspicious transaction reports, which BaFin considered evidence for its allegations.
Background
Pursuant to Article 33(1) of Directive (EU) 2015/849 ("AML-Directive"), as transposed into national German law by Sec. 43(1) of the Money Laundering Act (Geldwäschegesetz – "GwG"), companies qualifying as obliged entities under the GwG must promptly inform the financial intelligence unit ("FIU") by filing a report in cases where they know, suspect or have reasonable grounds to suspect that funds of their customers are the proceeds of criminal activity or are related to terrorist financing (the so-called suspicious transaction reports, "STRs").
On March 6, 2025, BaFin published a sanctions decision that concerns a case where an obliged entity (a payment institution) was sanctioned for failing to establish and maintain a proper business organization, including an adequate data processing system ensuring compliance with AML requirements, such as the requirement to detect suspicious transactions. Surprisingly, BaFin argued that such failure was demonstrated by the submission of "unsubstantiated" STRs to the FIU. This is the first case where BaFin imposed sanctions for the submission of an excessive volume of "unfiltered" STRs. In the past, BaFin imposed sanctions several times in the opposite scenario, i.e., where BaFin concluded that STRs were not filed in a timely manner. Financial institutions in particular therefore prefer to file an STR even in situations where it is not entirely clear whether the reported transaction exhibits the characteristics of a suspicious transaction. It should be noted that the threshold set out by BaFin is very low (much lower than the initial suspicion required for law enforcement agencies to open a criminal investigation). This resulted in a substantial increase in the STR data the FIU has to process. With the above sanctions decision, BaFin demonstrated that it expects the obliged entities to put in place IT-based monitoring systems ensuring that transactions that do not exhibit any suspicious activity criteria are not reported to the FIU.
When do transactions qualify as suspicious and need to be reported?
In practice, the detection of unusual or suspicious transactions requires the establishment of effective transaction monitoring arrangements.
Criteria for suspicious transactions
Pursuant to Sec. 43 GwG, an STR must be filed if the facts indicate that:
- The assets related to the business relationship, brokerage or transaction derive from a criminal offense that could constitute a predicate offense for money laundering
- A business transaction, a transaction or an asset is related to terrorist financing
- The contracting party does not fulfill its obligation to disclose beneficial ownership
In the Interpretation and Application Guidance (Auslegungs- und Anwendungshinweise zum Geldwäschegesetz—"AuA"), BaFin notes that suspicious transactions need to be determined in light of the purpose and nature of the business relationship as well as patterns of similar transactions in the market. If a transaction appears to be inconsistent with the usual activities of the customer (e.g., particularly complex or large), this is deemed sufficient to qualify the transaction as "suspicious."
The reporting obligation exists irrespective of the amount of the transaction or the value of the underlying asset. In addition to transactions or business relationships that are imminent, ongoing, rejected or not yet executed, the reporting obligation also covers transactions that already have been processed.
Reporting threshold for suspicious activity
It is important to note that the threshold for suspicion sufficient to trigger an STR to the FIU is very low: the STR requirement is already triggered if there are "reasonable grounds" to suspect that such funds are incriminated. In this respect, BaFin notes that an obliged entity is not required (and in practice not even allowed) to examine whether the fact pattern around the relevant transaction meets the conditions for a criminal offense or involves terrorist financing, nor to investigate the facts. Instead, the obliged entity must assess the fact pattern based on "general experience" and "professional knowledge," taking into account how unusual the given transaction is in the specific business context. If the assessment finds objective indicators suggesting that the underlying funds could be potentially connected to certain criminal activities (Germany has implemented the "all-crimes-approach", i.e., all criminal offenses now qualify as predicate offenses) and/or terrorism financing, the STR requirement is triggered.
Practical implications
While the precise reasons for BaFin's sanctions decision have not been disclosed, BaFin specifically refers to the fact that the obliged entity's failure to establish and maintain a proper business organization resulted in the filing of "unsubstantiated" STRs. Consequently, the decision clearly indicates that BaFin will challenge situations where obliged entities continuously file STRs with respect to transactions that do not meet the suspicion criteria. Generating too many STRs also bears the risk of internal backlogs and unclear situations regarding the execution of transactions when the FIU offers no feedback. While the GwG assumes that the transaction can be executed (normally after three business days), there are in practice several unsolved legal issues around this question.
Against this backdrop, we see the following key takeaways:
- Calibrating criteria for suspicious activity: Depending on how the obliged entities define the criteria for unusual and suspicious transactions, the AML monitoring system can generate varying numbers of alerts. If such criteria are defined very broadly to ensure that all suspicious activity is reported with STRs, and no suspicious transactions fall through the cracks, depending on the nature and number of transactions, the detection system can generate a significant number of alerts. In any case, the chosen criteria must be documented and explained as well as recalibrated based on event-driven circumstances and general lessons learned.
- Assessment of alerts: Once the IT monitoring system has detected potentially suspicious transactions (i.e., generated alerts), the obliged entity must assess the alert and determine whether the respective transaction exhibits characteristics that give rise to the suspicion that the customer funds are the proceeds of criminal activity or are related to terrorist financing. The transaction in question is assessed in light of the objective of the business relationship and the customer's previous transactions. Furthermore, the transaction is usually assessed in light of transaction patterns commonly observed in the context of business relationships with other customers in the respective customer segment. While using automated procedures is possible, a dedicated review process and sample checks are required.
- Role of the MLRO: Transactions exhibiting potentially suspicious characteristics must be manually examined by the anti-money laundering officer ("MLRO"). The MLRO processes suspicious cases, verifies whether the conditions for reporting under Sec. 43 GwG are met, and, if necessary, files the STR to the FIU pursuant to Sec. 43 GwG. The MLRO is directly responsible for the assessment of whether the fact pattern requires the obliged entity to report the transaction to the FIU. In light of BaFin's decision, MLROs will not be able to apply a very broad interpretation of what constitutes suspicious activity and will have to ensure that false alerts are filtered out, and that no "unsubstantiated" STRs are reported to the FIU.
Conclusion
BaFin's decision is likely to prompt a controversial discussion among MLROs. Nevertheless, clients should review how they define suspicious activity and reassess their reporting processes in light of BaFin's stance on "unsubstantiated" reports. It is important to flag that a definition of suspicious activity that is too narrow can also expose clients to regulatory risk. Therefore, when calibrating alerts, clients must strike the right balance between over-reporting and under-reporting.
© 2025 White & Case LLP