German financial regulator BaFin has imposed three administrative fines totaling €140,000 on Frankfurt-based DLT Securities GmbH for violations of the Anti-Money Laundering Act. The decision became legally binding on Wednesday.
BaFin’s enforcement notice identifies four areas of failure. The firm did not establish adequate internal safeguards, did not monitor the effectiveness of those safeguards, did not update its customer risk procedures, and did not subject its digitalized customer risk assessment procedure to control measures.
The violations occurred from at least May 1, 2022, to February 18, 2025, according to BaFin’s published notice. That is a compliance gap of nearly three years.
What the regulator targeted
The most distinctive element in BaFin’s notice is the reference to a digitalized customer risk assessment procedure that lacked proper controls. The notice indicates that firms automating onboarding and risk scoring must verify the automation works as intended.
BaFin appears to be sanctioning the governance architecture around the process, not a single procedural miss. The inclusion of both “internal safeguards” and “monitor their effectiveness” in the violations suggests the regulator found a control environment that was insufficient in substance over a sustained period.
If the process is digitized, the process itself has to be tested and overseen like any other AML control.
Crypto-linked activity
DLT Securities GmbH is registered in Frankfurt am Main. Company records from NorthData list its corporate purpose as the provision of investment services with regard to financial instruments, including all crypto assets.
The firm’s terms and conditions describe it as a financial commissioning agent offering services to clients through an online product structure. Those documents reference a new client onboarding process and describe a user account environment through which clients manage holdings.
When onboarding and risk scoring are handled digitally, regulators expect robust validation, oversight, and periodic review of those systems. The BaFin notice indicates DLT Securities did not meet that standard.
The enforcement action fits BaFin’s wider stance on DLT and crypto-linked financial activity. The regulator has consistently stressed that distributed ledger technology and blockchain bring innovation potential but also create serious supervisory challenges, including cyber risk and opaque roles within DLT infrastructures.
BaFin has framed risk-appropriate treatment as central to its approach in this area. For firms operating at the intersection of digital onboarding and crypto-adjacent products, the message from this case is that digital efficiency does not reduce AML obligations. If anything, it raises the bar for demonstrable control over automated processes.
