23 August 2023
Deutscher Bundestag [DEU] ¦ Risk-Based Intelligence in Financial Crime Control: What Germany’s FIU Debate Reveals
A Shift From Formality to Risk
In financial crime prevention, the phrase “risk-based approach” (RBA) has become a central term. It means that authorities and obliged entities should not treat every case in exactly the same way, but instead focus their limited resources where the threat is highest and where action is most effective. In practice, this is meant to replace a purely rule-based, box-ticking mindset with a more targeted method that follows the actual danger posed by money laundering (ML) and terrorist financing (TF).
Germany’s Financial Intelligence Unit, the FIU, sits at the center of this debate. The Bundestag’s Wissenschaftliche Dienste have described a system in which the FIU receives suspicious transaction reports and other relevant information, filters them, analyses them, and forwards material to law enforcement when a link to money laundering, terrorist financing, or another offense appears sufficiently plausible. That design is meant to increase efficiency, but it also raises a difficult legal and practical question: how far may a risk-based method shape the FIU’s work before it starts to conflict with the duty to examine and forward relevant reports?
Why risk-based methods matter in anti-money laundering
A risk-based approach is not unique to anti-money laundering. It is also used in areas such as quality management, data protection, and supply chain compliance. The core idea is simple: identify the main risks, assess them, and direct effort and resources toward the most serious threats. The Financial Action Task Force, or FATF, has made this principle a key part of the global anti-money laundering framework.
In FATF’s view, risk-based work is not static. It must adapt as threats change. A country should identify the main risks, understand them, and then allocate resources accordingly. This matters because financial crime methods evolve quickly. Criminals move funds through different sectors, use new payment methods, exploit companies or real estate, and adapt to weaknesses in supervision. A rigid system can miss these shifts.
Germany’s first national risk assessment (NRA), published by the Federal Ministry of Finance in 2019, confirmed that the country faces a comparatively high money laundering risk. The reasons include the attractiveness of Germany as an economic center, the complexity of its economy, and the high use of cash. The assessment also highlighted risks in the banking sector, money transfer services, real estate, and trade-based money laundering (TBML).
The FIU’s role and its operational pressure
The German FIU is the national central office for preventing, detecting, and supporting the fight against money laundering and terrorist financing. It receives reports, collects information, analyses it, and passes relevant findings to domestic authorities. On paper, this sounds straightforward. In reality, the FIU sits between prevention and law enforcement, without being a criminal investigation authority itself.
This position creates operational pressure. The FIU receives large volumes of reports. It cannot investigate every case in the same depth. The Bundestag analysis notes that the FIU began describing its own work as risk-oriented from 2018 onward. It used automated basic checks, first-level categorization, and prioritization rules to determine which reports should receive deeper review. Reports linked to defined risk priorities were pushed into more detailed analysis. Others were placed into monitoring and could later be revisited if new information emerged.
The FIU also introduced risk priorities in specific fields, such as real estate, cash use in high-value purchases, trade-based money laundering, gambling, organized crime, tax crimes, new payment methods, misuse of NGOs and NPOs, and misuse of financial transfer services. In 2020, the FIU said it was using semi-automated pre-filtering and even an AI-supported component called “FIU-Analytics” to handle reports more efficiently.
The legal tension: duty to act or room to prioritize?
This is where the legal dispute becomes sharp. Under German criminal procedure, the Legalitätsprinzip usually requires prosecutors and certain authorities to act when there is an initial suspicion of a crime. By contrast, the Opportunitätsprinzip allows discretion in some contexts. The FIU does not fit neatly into either category. It is not a criminal prosecutor, but it is also not merely a passive data repository.
The legal question is whether the FIU may use a risk-based approach when deciding how deeply to analyse a report and when to forward it. The Bundestag material shows that this issue has been contested in legal doctrine, within the government, and even in criminal investigations. One side argues that the FIU must analyse every suspicious report in a substantive way and forward relevant cases whenever even low-threshold indications exist. The other side argues that the FIU, as an administrative filtering body, must be allowed to prioritize reports based on risk, especially because it is not making a criminal law decision and should not be forced to treat all incoming material identically.
The Federal Ministry of Finance and the FIU have argued that risk-based prioritization is compatible with the law and necessary for effective performance. They point to the FIU’s role as a filter, the national risk analysis, EU standards, and the wider anti-money laundering strategy. Critics, however, warn that broad use of risk filters may cause relevant reports to remain unprocessed for too long or never reach law enforcement at all.
Why the controversy became so visible
The controversy intensified because the German Money Laundering Act, after the introduction of section 3a, states that the prevention and combating of money laundering and terrorist financing follow a risk-based approach. But the question remained whether this general principle also applies to the FIU’s operational analysis and forwarding duties.
A large part of the literature says no, or at least not in a way that would allow the FIU to ignore reports outside its chosen risk priorities. According to this view, the FIU may use risk methods to organize its workflow and determine the depth of analysis, but it may not use risk-based reasoning to decide that certain reports need no substantive treatment at all if they still show signs of crime.
The Federal Ministry of Finance took a broader view. It considered the FIU’s risk-based prioritization legitimate and argued that the FIU must be able to use filtering tools, including automated ones, to focus on cases with real value for anti-money laundering work. The Ministry also pointed to the need for operational efficiency and the danger of overwhelming the FIU with volume.
The State Prosecutor’s Office in Osnabrück took a more restrictive position and even opened an investigation in connection with alleged attempted obstruction of justice. Although that case was later closed due to lack of sufficient suspicion, it showed how serious the legal disagreement had become.
Data protection adds another layer of difficulty
The FIU’s information pool creates a separate issue: data protection. Publicly available material indicates that the FIU stores incoming information, including reports that were not immediately forwarded and reports that were later deemed not to have sufficient value. These data remain available for later matching and analysis.
This raises questions under the principles of data minimization and storage limitation. The Federal Commissioner for Data Protection and Freedom of Information criticized the broad, blanket retention of suspicious transaction reports in a data pool for later use. The concern is that if reports are kept indefinitely or without sufficient differentiation, the FIU may be building a data reservoir rather than storing only what is needed for a specific purpose.
At the same time, legal scholars note that the FIU must be able to process data further when necessary to detect links between cases and to understand broader criminal structures. That is consistent with the anti-money laundering purpose and, in some cases, with data protection law and the GDPR’s public-interest basis. The real challenge lies in drawing a line between useful operational retention and unlawful storage on a precautionary basis.
What international standards actually require
Internationally, the FATF is the main driver of the risk-based model. Its standards require states to apply a risk-based approach and allocate resources accordingly. But FATF’s recommendation on FIUs does not explicitly say that FIUs themselves must use a risk-based approach in exactly the same way as banks or supervisors. Instead, FATF emphasizes that FIUs should analyse information in a way that adds value, may focus on selected information depending on volume and type, and may use analytical software, while human judgment remains essential.
The Egmont Group, which links FIUs worldwide, has also encouraged digital and risk-based methods, including machine learning and AI tools to help identify emerging risks. Yet it does not impose a single model. Different countries use administrative, police-based, judicial, or mixed FIU structures.
The EU anti-money laundering directives largely frame the risk-based approach around obliged entities and supervision, while separately requiring member states to establish FIUs that receive, analyse, and disseminate suspicious transaction reports. The directives do not clearly state that FIUs must themselves operate under a risk-based model in the same way as banks do. That leaves room for legal debate in Germany.
The global picture
Germany is not alone in using risk-based tools at FIU level. FATF reports identify countries such as Belgium, Greece, Israel, Luxembourg, and the United States as using risk-based approaches in their FIU workflows. In those systems, risk filters, prioritization tools, and automated classification support the handling of large data volumes. In the United States, for example, FinCEN uses a risk-based approach to manage a very large number of suspicious activity reports (SARs) and employs automated rules to identify priority cases.
This suggests that risk-based FIU work is not unusual. But the institutional design differs from country to country. Some FIUs have broader access to databases and stronger direct ties to law enforcement. Others act more as administrative hubs. These structural differences matter because they shape what “risk-based” can mean in practice.
The core lesson for financial crime compliance
For financial crime professionals, the German FIU debate is important for one simple reason: it shows how hard it is to balance volume, efficiency, legality, and effectiveness. A risk-based approach can make anti-money laundering systems more useful and better targeted. It can also create blind spots if prioritization becomes too narrow or if reporting is filtered too aggressively before meaningful review.
The strongest takeaway is that risk-based work is not a license to ignore information. It is a method for using resources intelligently. That method must still be anchored in legal duties, data protection safeguards, and a clear understanding of the FIU’s role. In Germany, the current reform debate aims to clarify that balance by making the FIU’s risk-based working method more explicit while narrowing uncertainty about its analysis and forwarding duties.
For those in the financial crime community, this is a practical reminder that anti-money laundering systems only succeed when risk models help the authorities to focus more effectively, rather than providing them with an excuse to look the other way.
Dive deeper
- Deutscher Bundestag ¦ WD-4-052-23, Ausarbeitung, Zum Risikobasierten Ansatz bei Financial Intelligence
- Handelsblatt ¦ Durchsuchungen bei der Zoll-Spezialeinheit FIU, 14.07.2020 16:08 Uhr
- Staatsanwaltschaft Osnabrück ¦ Pressemitteilung vom 31.05.2023
- Süddeutsche Zeitung ¦ Durchsuchung im Finanzministerium: Verfahren eingestellt, 31. Mai 2023 16:17 Uhr