CMS Expert Guide to AML and CTF law and regulation in CEE

Overview of relevant laws and regulations

  • Act No. 253/2008 Coll., on certain measures against money laundering and financing of terrorism (the “AML Act”);
  • Decree No. 281/2008 Coll., on certain requirements for the system of internal policies, procedures and control measures against money laundering and terrorist financing (the “AML Decree”);
  • Act No. 40/2009 Coll., Criminal Code;
  • Act No. 69/2006 Coll., on carrying out of international sanctions (the “International Sanctions Act”),

The AML/CTF measures are regulated in the Act of 1 March 2018 on Counteracting Money Laundering and Terrorist Financing as amended (the “Polish AML Act”).

Federal Law No. 115-FZ “On Combating Money Laundering and the Financing of Terrorism” dated 7 August 2001 (the AML Law) and ancillary normative acts.

2. Are the 4th AML Directive and the 5th AML implemented in your jurisdiction?

Yes, the 4th AML Directive was implemented into Czech law via Act No. 368/2016 Coll. which amends (i) the AML Act; (ii) the International Sanctions Act; (iii) Act No. 304/2013 Coll., on public registers of legal entities and individual persons; and other acts. 

The 5th AML Directive is currently being implemented into two separate acts: (i) an amendment act which will amend the AML Act and Act No. 186/2016 Coll., on hazardous games; and (ii) a new act on the Ultimate Beneficial Owner Registry. 

Currently, the Polish AML Act implements the 4th AML Directive. However, the 5th AML Directive was scheduled to be implemented in Q2 of this year, but it seems that it will be delayed to the second half of the year due to the COVID-19 pandemic.


3. Which is the AML/CTF supervisory authority in your jurisdiction?

The Financial Analytics Office is the main AML/CTF supervisory authority. Other authorities authorised to monitor compliance with the key obligations under the AML Act in certain sectors include the Czech National Bank, the Ministry of Finance, and the Czech Inspection Authority. 

The main AML/CTF supervisory authority is the General Inspector for Financial Information (the “GIFI”), but there are also other authorities supervising compliance with the Polish AML Act, e.g. the Polish Financial Supervision Authority regarding regulated entities.

Furthermore, in the AML/CTF matters GIFI cooperates with other institutions, e.g. government administrative bodies, the bodies of local governmental units, other state organisational units, and the National Bank of Poland (NBP).

The Federal Financial Monitoring Service (the FFMS) is the main AML/CTF supervisory authority that conducts financial intelligence investigations, collects data, and monitors transactions of controlled entities in accordance with the AML Law.

Other authorities monitor compliance with the AML Law as part of their competences, including the Central Bank of Russia (the CBR), the Federal Tax Service, the Federal Bailiff Service, and the Federal Customs Service.

4. Who are the obliged/reporting entities in your jurisdiction? Are there any local derogations from the scope of the obliged entities as provided for in the 4th and 5th AML Directives? 

There are almost 40 categories of reporting entities under the AML Act, including banks, financial institutions, operator of hazardous games, persons active in the real estate industry and intermediaries in the field, notaries, attorneys etc. In the Czech Republic, the scope of reporting entities under the AML Directives is extended also to include persons authorised to conduct business at cultural sites or with items of cultural value, persons authorised to conduct business with used goods or intermediaries in the field, national administrators of registries of permits and persons providing services connected with virtual currencies. 

The Polish AML Act generally follows the 4th AML Directive, except that it extends the scope in some cases, e.g. to virtual currency entities. These entities are considered to be obliged entities under the Polish AML Act:

  1. domestic banks, branches of foreign banks, branches of credit institutions, financial institutions with their registered office in Poland, and branches of financial institutions that do not have their registered office in Poland;
  2. savings and credit unions;
  3. domestic payment institutions, domestic electronic money institutions, branches of EU payment institutions, branches of EU and foreign electronic money institutions, small payment institutions, payment service offices, and paying agents;
  4. investment firms, custodian banks, and branches of foreign investment firms within the meaning of that Act, conducting activity in Poland;
  5. foreign legal entities conducting brokerage activity in Poland, including those conducting such activity in the form of a branch, and commodity brokerage houses;
  6. companies operating a regulated market (in some cases);
  7. investment funds, alternative investment companies, investment fund corporations, AIC managers, branches of management companies, and branches of managers from the EU located in Poland;
  8. insurance undertakings (in some cases);
  9. insurance intermediaries (in some cases);
  10. Krajowy Depozyt Papierów Wartościowych S.A. (the national depository);
  11. entrepreneurs conducting exchange office activity, other entrepreneurs providing a foreign exchange service or a foreign exchange intermediation service, which are not other obliged institutions, and branches of foreign entrepreneurs conducting such activity in Poland;
  12. entities conducting economic activity consisting in providing services in the area of: (a) exchange between virtual currencies and means of payment; (b)exchanges of virtual currencies; (c) intermediation in these exchanges; (d) the operation of certain accounts;
  13. notaries within the scope of acts performed in the form of a notarial deed;
  14. attorneys, legal counsels, foreign lawyers, and tax advisors (in some cases);
  15. entrepreneurs which are not other obliged institutions, providing trust and related services;
  16. entities conducting activity in the provision of bookkeeping services;
  17. real estate agents;
  18. postal operators;
  19. entities conducting gambling activity;
  20. foundations, associations and entrepreneurs which receive or make cash payments having a value equal to or exceeding the equivalent of EUR 10,000;
  21. entrepreneurs which conduct activity consisting in providing safe deposit boxes, and branches of foreign entrepreneurs conducting such activity in Poland; and
  22. lending institutions.

The KYC requirements in the Czech Republic follow the requirements of the 4th and 5th AML Directives and include the following minimum information:

  • Individual persons: name, surname, birth certificate number, date of birth (if birth certificate number is not provided), place of birth, permanent or other residence, citizenship and if the person is the entrepreneur, also company name, place of business and the identification number;
  • Legal entities: company name, registered seat, identification number, identification data on persons who are members of the company’s statutory bodies which enable their identification;
  • Trust funds and other institutions without a legal personality: title, identification data of the administrator or of a person in a similar position. 

To facilitate the obligations of the reporting entities, the AML Act provides a general obligation on commercial companies, trust funds, associations, public legal entities, foundations, and institutes to disclose their UBOs to the court which keeps the relevant register, e.g. commercial companies will register at the court maintaining the commercial register. Please note that the UBO registry is not publicly accessible.

The Polish AML Act closely follows the 4th AML Directive regarding the KYC and the UBO register. Polish entities such as general partnerships, limited partnerships, limited joint-stock partnerships, limited liability companies, and joint-stock companies except public companies are obliged to report relevant information of their UBOs to the Central Register of Beneficial Owners. The deadline for initial reports for existing companies was 13 July 2020.

The Reporting Entities are obliged to identify their clients and obtain information regarding their UBOs, as well as collect and maintain such information.

They must provide a regulating authority (at its request) with any information regarding their clients’ transactions and their UBOs, however there is no central register for such disclosure.

6. Is there any legislation in your country allowing for online/digital onboarding of customers? What are the restrictions, if any?

Yes, the legislation in various sectors, such as the banking sector, allows for the digital onboarding of customers, provided that the requirements for customer identification and customer verification under the AML Act are observed.  

There is no specific legislation, but online onboarding is generally possible.

The AML Law provides for “simplified” identification of the client, which can be done, by sending the documents required for the client’s identification at the onboarding stage online.

Simplified identification can be undertaken by using the client’s account with the Unified System of the Identification and Authentication (maintained by Russian state authorities) or by using electronic signatures (as provided in more detail in the AML Law), without the need for the client’s physical attendance on the premises of the Reporting Entities .

However, the use of simplified identification is limited by the amount of the transaction, e.g. it can be used only for the provision of consumer loans up to RUB 15,000 (approx. EUR 200) and is available only for certain kinds of financial services, although the list of such services is regularly extended. In addition, simplified identification cannot be relied on if a transaction has the characteristics of a suspicious transaction.

7. What are the other main obligations of the reporting entities? Do the obligations of some of them go beyond those required by the 4th and 5th AML Directives in terms of internal safeguards, KYC duties, reporting obligations, etc.?

The main obligations of the reporting entities under the AML Act follow the 4th and 5th AML Directives. These include customer due diligence (CDD), the collection of information and documents and their storage, an assessment of the risk of money laundering and terrorist financing, and the disclosure of information on suspicious operations, transactions and customers. The Czech AML Act further specifies requirements for a system of internal principles, risk assessment, staff training and information obligation.

The Polish AML Act generally closely follows the 4th AML Directive. We have not identified any     major discrepancies or obligations going beyond what is required by the Directive.

8. Is a National Risk Assessment adopted in your jurisdiction? If yes, what are the main identified risks?

Yes, the first round of the National Risk Assessment for Money Laundering and Terrorist Financing (the “NRA”) was finalised and approved on 9 January 2017 by the Government of the Czech Republic (the idea is to repeat the NRA regularly). 

The NRA report provides an assessment of the role of each public authority entrusted with the task of enforcing the AML and individual controlling mechanisms.

The NRA report provides a strategy and useful measures for monitoring and limiting the risks of money laundering and terrorist financing regarding the following bodies:

  • financial institutions;
  • mobile payment services providers;
  • insurers;
  • legal and advisory services;
  • service providers for companies and trust funds.

The main identified risks include: 

  • tax-related crimes followed by money laundering;
  • corruption followed by money laundering;
  • interference with public procurement followed by money laundering;
  • public aid crimes followed by money laundering;
  • terrorist financing; and
  • drug-related crimes followed by money laundering.

Yes, the National Risk Assessment considers the following areas to be the most exposed to AML/CTF risks:

  1. cash operations and physical transfers through borders;
  2. virtual currencies;
  3. cashless money exchange;
  4. fiscal frauds;
  5. crowdfunding.

In addition to the requirements set out in the AML Law, the Regulated Entities must develop and implement their own internal risk assessment programs, based on the FFMS Recommendations for Development of Criteria for Identification and Determination of Unusual Transactions adopted on 8 May 2009 (as amended). In addition, several CBR regulations establish requirements for internal control and client identification procedures for credit institutions.

In August 2011, the FFMS issued a regulation establishing a list of transactions that are considered to represent significant risks of money laundering. There are 27 types of activities on the list, including transactions made in cash, international economic activities, gambling, tourist activity, certain real estate transactions, etc.

9. What are the main CTF measures in your country?

The AML Act prescribes a number of key obligations that must be respected to the maximum extent by all reporting persons and all individuals and legal entities: 

  • client identification and control obligation;
  • information obligation;
  • reporting obligation;
  • obligation to postpone client’s instruction;
  • preventive measures obligation;
  • obligations related to transfers of funds;
  • reporting obligation regarding cross-border transfers;

Measures adopted in response to a breach of these obligations will depend on the nature of the breach, e.g. an assessment of whether the nature of the breach amounts to civil or criminal liability.

The main CTF measures are implemented in the Polish AML Act and include transaction suspensions and account holds, specific restrictive measures such as freezing assets without prior notice, keeping a list of persons and entities against whom restrictive measures are applied, the obligation of no criminal record for UBOs and representatives in the companies’ structures, and administrative penalties for obliged institutions which fail to fulfil AML/CTF obligations (the main obligation is to notify the GIFI immediately of all reasonable suspicions that a transaction or assets may be linked to money laundering or terrorist financing).

The main CTF measures that can be implemented under the AML Law include the mandatory control of certain transactions, freezing funds and other assets, and suspending or refusing to perform suspicious operations.

The Reporting Entities are obliged to inform the FFMS of any operation which is subject to compulsory control. In addition, they can suspend an operation and should inform the FFMS if they have information indicating that any of the parties to the contemplated operation may be participating in terrorist activities, or if it is explicitly or implicitly controlled by such a person or organisation.

10. What are the criminal and/or regulatory and/or other risks for corporate bodies/directors/employees under your national law if failing to comply with AML/CTF legislation? Is there regular enforcement of the AML/CTF legislation in your country?

Money laundering and terrorist financing are criminalised under the Czech Criminal Code as standalone crimes. The legalisation of the proceeds of crime is subject to imprisonment up to ten years. Terrorist financing is subject to imprisonment up to 15 years. Further sanctions, such as forfeiture of property etc., can be imposed.

Czech law recognises corporate criminal liability, therefore companies may also be criminally liable for money laundering and terrorist financing. There is a wide range of sanctions which can be imposed on legal entities, e.g. dissolution of the company, forfeiture of property, monetary penalty, and publishing the judgment. 

The AML Act provides a range of sanctions for non-compliance with the key obligations and sets out individual fines and penalties depending on the type of infringement, the type of infringer (an individual or entity or type of entity, banks, insurers, etc.).

Legal entities and obliged institutions may be subject to both criminal and regulatory liability while their representatives may be individually subject to criminal liability.

Pursuant to the Polish Criminal Code, any individual person who receives, possesses, uses, conveys or transports abroad, conceals, transfers or converts legal tenders, financial instruments, securities, foreign exchange, property rights or other movable or immovable property, which are connected to criminal offence, is liable to imprisonment of between six months to ten years. This sanction also applies to an employee or anyone acting in the name of or for the benefit of a bank, financial or credit institution, or another entity legally obliged to register transactions who receives legal tenders, financial instruments, securities, foreign exchange, transfers or converts them, or receives them in circumstances raising a reasonable suspicion that they have been the object of money laundering.

A representative acting in the name of an obliged institution who fails to comply with the obligation of reporting to the GIFI or who provides the GIFI with false data or fails to disclose true data concerning transactions, accounts or persons, may be subject to imprisonment for from three months to five years. The same penalty applies to unauthorised disclosing or using information gathered in accordance with the Polish AML Act. Additionally, whoever prevents or inhibits the performance of inspection or controlling the institutions may be subject to a fine.

Representatives of legal entities may also potentially face criminal liability based on AML-specific provisions for inflicting substantial material damage (more than PLN 200,000) by abusing granted authority or failing to fulfil duties, subject to imprisonment between three months and five years. For example, this may apply if the representative fails to comply with AML/CTF regulations and then the authorities freeze funds, which cause damage to the entity.

The quasi-criminal liability of legal entities is regulated by the act of criminal liability of collective entities for punishable offences. The collective entity may be responsible, provided other prerequisites are met, for offences related to economic activity, penal and fiscal offences, public corruption and corruption of business, including crimes of money laundering. The act provides a range of sanctions such as a monetary penalty ranging from PLN 1,000 to PLN 5,000,000 (which however cannot exceed 3% of the revenue earned in the business year in which the offence was committed), or the forfeiture of proceeds of the crime.

An obliged institution that fails to fulfil its obligations under the Polish AML Act may be subject to an administrative penalty, which may take various forms, including the publication of information about the breach in the public information bulletin, an order to stop undertaking certain activities, the withdrawal of a licence or permit, deletion from a regulated activity register, a prohibition on performing duties in a managerial position by a person responsible for the breach, or a financial penalty. The financial penalty may be imposed up to twice the amount of the benefit achieved or the loss avoided by the obliged institution as a result of a breach or where it is impossible to determine this amount, up to EUR 1m. For financial institutions the limits are higher, and the penalty is up to EUR 5m or 10% of the turnover reported in the preceding financial statement.

The Russian Criminal Code provides for criminal liability for breaches of the legislation on anti-money laundering, including penalties and imprisonment for a Reporting Entity’s management.

The CBR may also take preventative and enforcement measures against a Regulated Entity involved in transactions which are contrary to the AML Law. These measures include: 

  • informing the Regulated Entity of the CBR’s concern regarding its activities; 
  • suggesting that the Regulated Entity provides the CBR with a programme for improvement; and
  • establishing additional monitoring measures over the Regulated Entity.

CBR enforcement measures may also include the imposition of a penalty and the withdrawal of the relevant licence from a Regulated Entity.

Picture of Tomas Matejovsky
Tomáš Matĕjovský
Lukas Valusek
Lukas Valusek
Senior Associate
Photo of Iain Batty
Iain Batty
Michał Mężykowski
Michał Mężykowski
Zubarev Leonid
Leonid Zubarev
Senior Partner
Baranov Konstantin
Konstantin Baranov
Darya Lukoyanova