
The most important compliance reports of week 4 (2025)

In the past week, a number of important events have taken place in the area of compliance that are significant for companies and compliance officers. Here are the most important announcements.


Stricter rules for more transparency: How the new real estate regulation is intended to combat money laundering

The ordinance amending the Money Laundering Reporting Obligations Ordinance – Real Estate was issued on January 15, 2025 and comes into force on February 17, 2025. It regulates new requirements and adjustments to strengthen the fight against money laundering in the real estate sector. Key changes include:

  1. Extended reporting obligations: New criteria for transactions over €10,000, regardless of whether they are made in cash, through precious metals, cryptocurrencies or via foreign bank accounts.
  2. Adjustment of reporting obligations: Obligated parties must also report conspicuous price deviations or resales within two years without a comprehensible reason.
  3. Stricter identity checks: Participants must provide evidence in accordance with the requirements of the Money Laundering Act; failure to do so will result in reporting obligations by the notary.
  4. Further technical changes: Clarifications and simplifications in terminology.

Our opinion

The issue is highly relevant as the real estate sector is a prime target for money laundering worldwide. Real estate purchases enable criminals to conceal illegal funds as they move large sums of money and often offer insufficient transparency. The introduction of stricter regulations is an attempt to

  • Curb criminal activity: The measures make it more difficult for cash and cryptocurrencies to be used and concealed by third parties.
  • Strengthen trust in the real estate market: Transparency and compliance protect legitimate players and minimize the risk of market manipulation.
  • Meet international standards: The regulation ensures that Germany complies with its obligations under global anti-money laundering initiatives.


More secure through standards: BSI publishes new guideline for financial applications

The German Federal Office for Information Security (BSI) has presented the Technical Guideline TR-03174, which supports fintech companies in the secure development of applications. The guideline provides clear testing aspects for mobile apps, web applications and backend systems, based on international standards such as the OWASP ASVS and WSTG. The aim is to create a high level of security for banking apps, payment services and other financial technologies. The guideline applies to applications that process sensitive data and enables certification to demonstrate compliance with its security requirements.

Our opinion

The publication of TR-03174 is significant as it strengthens security in a highly sensitive area: finance. In the face of increasing cyber threats, the guideline aims to minimize vulnerabilities and protect consumers and businesses from attacks. It creates trust in digital financial services and promotes innovation by establishing clear security standards. The possibility of certification also ensures transparency, which is particularly essential when processing sensitive data.


EDPB report: Progress and challenges in implementing the right of access under the GDPR

The report of the European Data Protection Board (EDPB) highlights the results of a coordinated enforcement action on the implementation of the right of access under Article 15 GDPR. In 2024, 1,185 companies and public institutions in 30 European countries were checked for compliance with the right of access. The results show a mixed picture: while some organizations stand out through good practices such as user-friendly request forms or self-service portals, others lack basic procedures and awareness of the applicable guidelines. Small organizations and those with few access requests in particular often show deficits. The report makes recommendations to improve implementation of the right, including updating internal processes and training, as well as closer alignment with EDPB Guidelines 01/2022.

Our opinion

The right of access is central to the transparency and control of personal data and therefore a cornerstone of the GDPR. It enables citizens to review the handling of their data and to challenge unlawful processing. In the face of ever-increasing data processing and rising data protection concerns, correct implementation is essential to strengthen trust in digital services.

The novelty of this report lies in the comprehensive analysis of the state of implementation and the identification of weaknesses, especially in the awareness and application of the EDPB Guidelines 01/2022. These findings will help to develop targeted measures to improve data protection in Europe and raise awareness among both data controllers and citizens.

Source: https://www.edpb.europa.eu/our-work-tools/our-documents/other/coordinated-enforcement-action-implementation-right-access_en

New EDPB guidelines: Strengthening data protection through pseudonymization

The European Data Protection Board (EDPB) has published the guidelines 01/2025 on pseudonymization. These clarify the use and benefits of pseudonymization as a data protection measure under the GDPR. Pseudonymization is used to protect personal data from unauthorized access by preventing direct attribution to individuals. It is particularly effective in complying with principles such as data minimization, protection by design and security. The guidelines emphasize that pseudonymization often needs to be complemented by additional measures to minimize risks and ensure the protection of personal data. In addition, technical and organizational requirements as well as concrete application examples are presented to support implementation in practice.
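To make the mechanism described above concrete, here is a small added example (our illustration, not code from the EDPB guidelines) of keyed pseudonymization. Direct identifiers are replaced by an HMAC-SHA256 value computed under a secret key; the key and the lookup table are the "additional information" that must be kept separately from the pseudonymized data set. The class and function names, the domain-separation scheme and the sample records are all our own assumptions, constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

@dataclass
class Pseudonymizer:
    """Keyed pseudonymization (hypothetical helper, constructed for this example).

    pseudonym = HMAC-SHA256(key, purpose || 0x00 || normalized identifier)

    The key and the lookup table are the 'additional information' in the sense
    of Art. 4(5) GDPR: whoever holds the pseudonymized data set alone must not
    be able to attribute a record to a person. Both therefore live with the
    controller (or a trusted third party), never next to the data set.
    """
    key: bytes
    lookup: Dict[str, str] = field(default_factory=dict)

    @classmethod
    def generate(cls) -> "Pseudonymizer":
        # 256-bit random key; a plain unkeyed hash would not do, because
        # low-entropy identifiers (e-mail, name) could be recomputed by guessing.
        return cls(key=secrets.token_bytes(32))

    def pseudonymize(self, identifier: str, purpose: str = "analytics") -> str:
        # Normalize so that "Alice@Example.org" and "alice@example.org" link
        # to the same pseudonym (intended: analysis across records still works).
        normalized = identifier.strip().lower().encode("utf-8")
        # Purpose string acts as domain separation: the same person gets a
        # different pseudonym per purpose, which limits linkability between
        # data sets (one of the 'additional measures' the guidelines call for).
        msg = purpose.encode("utf-8") + b"\x00" + normalized
        pseudonym = hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:32]
        self.lookup[pseudonym] = identifier
        return pseudonym

    def reidentify(self, pseudonym: str) -> Optional[str]:
        # Only the holder of the separately stored lookup table can do this.
        return self.lookup.get(pseudonym)

def pseudonymize_records(
    records: Iterable[Dict[str, str]],
    pz: Pseudonymizer,
    direct_identifiers: Iterable[str] = ("name", "email"),
    purpose: str = "analytics",
) -> List[Dict[str, str]]:
    """Strip direct identifiers and attach a pseudonymous subject_id instead."""
    drop = set(direct_identifiers)
    out: List[Dict[str, str]] = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k not in drop}
        row["subject_id"] = pz.pseudonymize(rec["email"], purpose)
        out.append(row)
    return out

# Constructed sample input (not real persons).
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "product": "savings"},
    {"name": "Bob Example", "email": "bob@example.org", "product": "mortgage"},
    {"name": "Alice Example", "email": "Alice@Example.org", "product": "card"},
]

if __name__ == "__main__":
    pz = Pseudonymizer.generate()
    for row in pseudonymize_records(SAMPLE_RECORDS, pz):
        print(row)
    # Re-identification works only with the separately held lookup table.
    first = pz.pseudonymize("alice@example.org")
    print("re-identified:", pz.reidentify(first))
```

The two Alice records receive the same `subject_id`, so the analyst can still count products per customer, while the name and e-mail never leave the controller. The `purpose` argument illustrates one of the complementary measures the guidelines mention: the same person should not be linkable across data sets that serve different purposes, and the key itself needs the usual key-management controls (access restriction, rotation, logging).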

Our opinion

The topic is particularly relevant as pseudonymization plays a central role in the protection of sensitive personal data and at the same time enables the analysis and processing of this data. It reduces risks such as unauthorized disclosure and promotes compliance with data protection regulations, which is particularly essential in data-intensive industries.

The novelty of this news lies in the publication of Guidelines 01/2025, which for the first time provide uniform standards and detailed instructions on pseudonymization in accordance with the GDPR. These guidelines strengthen the implementation of data protection principles by providing clear definitions, technical measures and practical examples. They also show how pseudonymization can be used as a complementary measure in international data transfers to ensure protection in third countries as well. The EDPB invites interested parties to comment and provide input before the final publication of the document.


BaFin publishes new form for plausibility checks in accordance with DORA

BaFin has published a new form for reporting and reviewing incidents under the Digital Operational Resilience Act (DORA). This form, based on a standardized table, is designed to help financial institutions report incidents efficiently and compliantly. It covers a variety of fields, including details of reporting entities, affected financial institutions, incident classifications and impact on customers and business processes. In addition, specific input restrictions and mandatory fields are defined to ensure the quality of the reported data. The requirements are supplemented by practical tips on how to fill in the fields correctly, for example when entering telephone numbers or email addresses.

Our opinion

The introduction of this form is an important step towards improving digital resilience in the financial sector, as it simplifies and standardizes the reporting of incidents such as cyberattacks or systemic disruptions. The clear structure and guidelines for plausibility checks help companies to efficiently fulfill legal requirements and increase transparency in dealing with incidents.

The novelty is that this form is specifically aligned with the requirements of DORA, a new EU regulatory framework that strengthens cybersecurity and operational resilience in the financial sector. It implements international standards and enables uniform, cross-border reporting that benefits both authorities and companies.


BaFin intensifies special audits on money laundering prevention: need for action identified in risk analyses

The German Federal Financial Supervisory Authority (BaFin) has intensified its supervision in the area of anti-money laundering and carried out more special audits in the financial sector. It was found that many companies do not sufficiently differentiate their specific risks and, in particular, do not adequately consider the risks of terrorist financing. Risks from money laundering and terrorist financing are often analyzed together, which makes it difficult to take a targeted approach. BaFin emphasizes the need for a clear separation and detailed analysis of these risks in order to ensure effective preventive measures.

Our opinion

The relevance of this topic lies in the increasing threat of money laundering and terrorist financing, which can have a significant impact on the integrity of the financial system. Effective prevention is essential to stop criminal activities and strengthen confidence in the financial markets.

Through its intensive special audits, BaFin has identified specific weaknesses in the companies' risk analyses. In particular, the inadequate differentiation between money laundering and terrorist financing risks is a key problem. BaFin is therefore calling for a more precise and separate analysis of these risks in order to be able to implement targeted and effective preventive measures.

Even though we generally agree with this assessment, we believe that the statements on the assessment system for money laundering risk, with regard to probability of occurrence and amount of loss, are worthy of discussion. Both Section 25h (1) KWG and Section 56 GwG are not limited to ssH (sonstige strafbare Handlungen, i.e. other criminal offences) and provide a basis for a quantitative assessment of the amount of loss. We see possible contradictions here with the risk-based approach as well as with the interpretation and application notes. In our opinion, for example, there is a direct correlation between the probability of occurrence of breaches on the one hand and the appropriateness and effectiveness of the measures on the other. This in turn has a direct impact on the quantifiable amount of damage, and interacts directly with Section 25a (1) sentence 1 KWG and Section 4 (1) GwG.


Newsletter: Receive the most important compliance reports every week free of charge

Many compliance officers already use our free newsletter and receive the most important news from the areas of compliance, money laundering prevention, data protection and IT security. We provide a weekly overview of the most important reports and categorize them.

Would you like to be up to date every day? Our legal rights monitoring software gives you access to all notifications and allows you to filter them by relevance, type and area. You can create and download summaries. Get in touch with us.
