Public prosecutors conducted raids targeting suspected evasion of sanctions against Russia. The new EU Anti Money Laundering Authority (AMLA) commenced its operations in Frankfurt on July 1, 2025.
Meanwhile, the criminal prosecution authorities and courts progressed large-scale proceedings regarding tax crimes, including new enquiries, indictments, and judgments in cum/ex cases. In a decision that caused a stir in the financial industry, the Higher Regional Court of Frankfurt admitted a bill of indictment regarding cum/cum to the trial stage, after the Regional Court of Wiesbaden had refused opening main proceedings.
Looking to 2026, companies should expect sustained pressure on AI, AML, crypto, sanctions, and tax compliance, more intrusive supervisory audits, and new cross border preservation and production orders introduced by the E Evidence Regulation, which will become effective on August 18, 2026.
Key developments in white-collar crime investigations by German authorities
Enforcement risks increased across many sectors in 2025. Germany has signalled a tougher stance on financial crime. A central driver is AMLA, headquartered in Frankfurt and operational as of July 1, 2025, which coordinates national supervisors and will directly oversee particularly high risk financial institutions. This is expected to raise the intensity and consistency of supervision and enforcement.
Tax related enforcement remained a priority, with a focus on cryptocurrency transactions and COVID-related fraud. Legacy clusters remained active: the cum-ex complex continues across multiple matters, including new trials in Frankfurt; diesel investigations also continued as prosecutors probe executive accountability around oversight, market communications, and product compliance. Wirecard-related criminal proceedings at the Munich Regional Court against a former manager continue, with hearings scheduled through the end of the year and the timing of any verdict uncertain.
Regulatory scrutiny intensified in parallel. At the end of 2025, BaFin imposed a record fine of EUR45 million on an international bank for deficiencies in anti-money laundering controls. BaFin also issued a landmark EUR25 million greenwashing fine against an asset manager, signalling systematic enforcement of sustainability-related misstatements and the need for closer coordination between legal, sustainability, and investor relations teams.
BaFin continues its enforcement activities into alleged failures to submit voting rights notifications. The authority has also emphasized the risks arising from sustained pressure on both commercial and residential real estate markets since mid‑2022. It has explicitly prioritized the recoverability of financial and non‑financial assets and the integrity of valuations in its audits. The insolvency of Signa Group has highlighted shortcomings in risk management and valuation practices in connection with complex real estate exposures, further reinforcing this supervisory focus. Sanctions enforcement also sharpened, with coordinated raids and arrests targeting suspected circumvention of export bans via third-country channels and distributor networks.
Recent legislative changes affecting corporate accountability
Germany missed the April 2025 deadline for transposition of the EU Sanctions Crime Directive. The new directive strengthens liability for companies and managing directors for breaches of EU sanctions and aims to harmonize legal frameworks across the Union. While much of the substantive conduct is already addressed under the Foreign Trade and Payments Act, what remains are targeted additions, such as the introduction of a criminal offense for grossly negligent breaches of the Dual-Use Regulation.
The Money Laundering Reporting Ordinance takes effect on March 1, 2026, setting formal and substantive minimum standards for Suspicious Activity Reports (SAR) and Suspicious Transactions and Order Reports (STOR) to the Financial Intelligence Unit via the goAML system, the official German electronic reporting platform. Obliged entities under the German Money Laundering Act must ensure SAR and STOR completeness, with deficiencies potentially triggering administrative fines and, in certain scenarios, criminal exposure.
AI regulation crystallized as a key theme. Under the AI Act, obligations for providers and deployers – including transparency, documentation, and risk‑management duties – are being phased in as of 2025. Providers of general‑purpose AI models face heightened requirements; violations can lead to significant penalties. These can amount to up to EUR35 million or 7% of the global annual turnover.
The German Bundestag passed the act transposing the NIS 2 Directive, which establishes an EU wide framework for a common level of cybersecurity, into national law. Core requirements for obliged entities include the implementation of effective, appropriate, and proportionate technical and organizational measures. Management may face liability for breaches of oversight and training obligations. Obliged entities which qualify as “essential entities” face fines of up to EUR10 million or 2% of global turnover for breaches of the new law, while “important entities” can be fined up to EUR7 million or 1.4% of global turnover, whichever is greater.
In an expansion of due diligence obligations, the German Government plans to prohibit obliged entities from entering into or executing legal transactions valued at more than EUR10,000 with legal persons if one or more beneficial owners cannot be identified.
Internal investigations
AI is now a major factor in investigative workflows. Companies using AI for review or analytics should implement model use governance and ensure role clarity between “provider” and “deployer” obligations, as defined under the AI Act.
A decision of the Higher Regional Court of Munich highlighted the need to act quickly upon learning of employee misconduct during an internal investigation. The Higher Regional Court of Munich upheld the immediate dismissal (fristlose Kündigung) of a board member for including his private email address in sensitive business emails. Under German law, decisions regarding potential employment-related remedial actions often cannot be deferred until an internal investigation is concluded, because knowledge of misconduct triggers a two-week period for immediate dismissal.
Compliance with data protection obligations remains essential during an internal investigation. Article 15 GDPR grants data subjects a right of access to their personal data and may be invoked by employees whose data is under review. However, in a 2025 decision, the German Federal Labor Court clarified that a mere delay in responding to an access request does not, by itself establish a compensatable “loss of control” over personal data.
The trend toward an increase in whistleblower reports has continued since the Whistleblower Protection Act entered into force in 2023, and companies should ensure compliance with the law’s requirements, such as establishing an internal reporting office, to avoid regulatory scrutiny and potential fines.
Targeted sectors
Financial services, fintech and crypto, as well as export oriented manufacturing were the most exposed sectors in 2025. Banks, payment institutions, and crypto asset service providers face concurrent supervisory and criminal scrutiny on AML/KYC effectiveness, sanctions screening, and transaction monitoring.
Export intensive industries – particularly machinery, automotive, electronics, and chemicals – are under heightened review for sanctions and export control compliance, including suspected circumvention through distributors and after sales channels in third countries. Authorities are increasingly triangulating data to identify anomalies.
Looking to 2026, we expect continued attention to sanctions evasion risks and crypto transactions, as well as more coordinated actions combining regulator led reviews with prosecutorial measures.
Cross-border coordinated investigation or enforcement activity
Cross‑border enforcement momentum in relation to cum/ex as well as cum/cum persisted. German criminal prosecution authorities continue to reach out to foreign authorities in mutual legal assistance procedures and to share information on cross-border crime with their counterparts.
German authorities have also continued to team up with authorities in other countries, including the U.S., to investigate, prosecute, and counter the activities of organized cybercrime groups.
Finally, the European Public Prosecutor’s Office, which investigates and prosecutes crimes that harm the EU’s financial interests, such as large-scale cross-border VAT fraud, has ramped up its activities in 2025.
Predictions for 2026
Enforcement priorities will focus on money laundering, sanctions and export controls, cybercrime, and AI-related risks. Tax investigations will also remain a priority. More stringent reviews are expected as BaFin expands its supervisory audit capacity by increasing the number of examinations and expanding resources for this purpose. This is especially true in the crypto-asset sector.
The E‑Evidence Regulation, which will take effect on August 18, 2026, allows authorities in the EU to issue orders to certain service providers, for example email and social media companies. Authorities may compel these companies to produce evidence cross-border if they offer services within the EU, regardless of where the data is physically stored. Other companies should be aware that authorities may obtain evidentiary data directly from the companies’ service providers.
AI use in board decision-making and in relation to data privacy and security is becoming a necessary component of any compliance program, especially with the EU AI Act fully in force by August 2, 2026. The debate over directors’ duties concerning the use of AI will intensify.
Further ahead
The EU AML package adopted in 2024 is scheduled to become fully effective from mid 2027, further harmonizing AML supervision and strengthening investigative tools. AMLA’s role and the ongoing consolidation of supervisory expectations point to sustained regulatory pressure beyond 2026.
The German Supply Chain Act is likely to be replaced, with new legislation on international corporate responsibility in the works to implement the Corporate Sustainability Due Diligence Directive. Meanwhile, the German Supply Chain Act will be adjusted to limit administrative burdens and improve usability during transition time.
Further AI regulation is expected, including rules on the creation and distribution of “deepfakes”, especially where such content is disseminated to third parties. At the same time, companies will face heightened obligations to account for these requirements and to mitigate enforcement risk through robust internal compliance structures.
Directory quotes
.jpg%3Fh%3D1520%26iar%3D0%26w%3D2026&w=256&q=90)
