CMS Expert Guide to AML and CTF law and regulation in CEE

• Act No. 253/2008 Coll., on certain measures against money laundering and financing of terrorism (the “AML Act”);
• Decree No. 281/2008 Coll., on certain requirements for the system of internal policies, procedures and control measures against money laundering and terrorist financing (the “AML Decree”);
• Act No. 40/2009 Coll., Criminal Code;
• Act No. 69/2006 Coll., on carrying out of international sanctions (the “International Sanctions Act”),

The AML/CTF measures are regulated in the Act of 1 March 2018 on Counteracting Money Laundering and Terrorist Financing as amended (the “Polish AML Act”).

Yes, the 4^th AML Directive was implemented into Czech law via Act No. 368/2016 Coll. which amends (i) the AML Act; (ii) the International Sanctions Act; (iii) Act No. 304/2013 Coll., on public registers of legal entities and individual persons; and other acts. 

The 5th AML Directive is currently being implemented into two separate acts: (i) an amendment act which will amend the AML Act and Act No. 186/2016 Coll., on hazardous games; and (ii) a new act on the Ultimate Beneficial Owner Registry. 

Currently, the Polish AML Act implements the 4^th AML Directive. However, the 5th AML Directive was scheduled to be implemented in Q2 of this year, but it seems that it will be delayed to the second half of the year due to the COVID-19 pandemic.

The Financial Analytics Office is the main AML/CTF supervisory authority. Other authorities authorised to monitor compliance with the key obligations under the AML Act in certain sectors include the Czech National Bank, the Ministry of Finance, and the Czech Inspection Authority. 

The main AML/CTF supervisory authority is the General Inspector for Financial Information (the “GIFI”), but there are also other authorities supervising compliance with the Polish AML Act, e.g. the Polish Financial Supervision Authority regarding regulated entities.

Furthermore, in the AML/CTF matters GIFI cooperates with other institutions, e.g. government administrative bodies, the bodies of local governmental units, other state organisational units, and the National Bank of Poland (NBP).

There are almost 40 categories of reporting entities under the AML Act, including banks, financial institutions, operator of hazardous games, persons active in the real estate industry and intermediaries in the field, notaries, attorneys etc. In the Czech Republic, the scope of reporting entities under the AML Directives is extended also to include persons authorised to conduct business at cultural sites or with items of cultural value, persons authorised to conduct business with used goods or intermediaries in the field, national administrators of registries of permits and persons providing services connected with virtual currencies. 

The Polish AML Act generally follows the 4^th AML Directive, except that it extends the scope in some cases, e.g. to virtual currency entities. These entities are considered to be obliged entities under the Polish AML Act:

1. domestic banks, branches of foreign banks, branches of credit institutions, financial institutions with their registered office in Poland, and branches of financial institutions that do not have their registered office in Poland;
2. savings and credit unions;
3. domestic payment institutions, domestic electronic money institutions, branches of EU payment institutions, branches of EU and foreign electronic money institutions, small payment institutions, payment service offices, and paying agents;
4. investment firms, custodian banks, and branches of foreign investment firms within the meaning of that Act, conducting activity in Poland;
5. foreign legal entities conducting brokerage activity in Poland, including those conducting such activity in the form of a branch, and commodity brokerage houses;
6. companies operating a regulated market (in some cases);
7. investment funds, alternative investment companies, investment fund corporations, AIC managers, branches of management companies, and branches of managers from the EU located in Poland;
8. insurance undertakings (in some cases);
9. insurance intermediaries (in some cases);
10. Krajowy Depozyt Papierów Wartościowych S.A. (the national depository);
11. entrepreneurs conducting exchange office activity, other entrepreneurs providing a foreign exchange service or a foreign exchange intermediation service, which are not other obliged institutions, and branches of foreign entrepreneurs conducting such activity in Poland;
12. entities conducting economic activity consisting in providing services in the area of: (a) exchange between virtual currencies and means of payment; (b)exchanges of virtual currencies; (c) intermediation in these exchanges; (d) the operation of certain accounts;
13. notaries within the scope of acts performed in the form of a notarial deed;
14. attorneys, legal counsels, foreign lawyers, and tax advisors (in some cases);
15. entrepreneurs which are not other obliged institutions, providing trust and related services;
16. entities conducting activity in the provision of bookkeeping services;
17. real estate agents;
18. postal operators;
19. entities conducting gambling activity;
20. foundations, associations and entrepreneurs which receive or make cash payments having a value equal to or exceeding the equivalent of EUR 10,000;
21. entrepreneurs which conduct activity consisting in providing safe deposit boxes, and branches of foreign entrepreneurs conducting such activity in Poland; and
22. lending institutions.

The KYC requirements in the Czech Republic follow the requirements of the 4^th and 5^th AML Directives and include the following minimum information:

• Individual persons: name, surname, birth certificate number, date of birth (if birth certificate number is not provided), place of birth, permanent or other residence, citizenship and if the person is the entrepreneur, also company name, place of business and the identification number;
• Legal entities: company name, registered seat, identification number, identification data on persons who are members of the company’s statutory bodies which enable their identification;
• Trust funds and other institutions without a legal personality: title, identification data of the administrator or of a person in a similar position. 

To facilitate the obligations of the reporting entities, the AML Act provides a general obligation on commercial companies, trust funds, associations, public legal entities, foundations, and institutes to disclose their UBOs to the court which keeps the relevant register, e.g. commercial companies will register at the court maintaining the commercial register. Please note that the UBO registry is not publicly accessible.

The Polish AML Act closely follows the 4^th AML Directive regarding the KYC and the UBO register. Polish entities such as general partnerships, limited partnerships, limited joint-stock partnerships, limited liability companies, and joint-stock companies except public companies are obliged to report relevant information of their UBOs to the Central Register of Beneficial Owners. The deadline for initial reports for existing companies was 13 July 2020.

Yes, the legislation in various sectors, such as the banking sector, allows for the digital onboarding of customers, provided that the requirements for customer identification and customer verification under the AML Act are observed.  

There is no specific legislation, but online onboarding is generally possible.

The main obligations of the reporting entities under the AML Act follow the 4^th and 5^th AML Directives. These include customer due diligence (CDD), the collection of information and documents and their storage, an assessment of the risk of money laundering and terrorist financing, and the disclosure of information on suspicious operations, transactions and customers. The Czech AML Act further specifies requirements for a system of internal principles, risk assessment, staff training and information obligation.

The Polish AML Act generally closely follows the 4^th AML Directive. We have not identified any     major discrepancies or obligations going beyond what is required by the Directive.

Yes, the first round of the National Risk Assessment for Money Laundering and Terrorist Financing (the “NRA”) was finalised and approved on 9 January 2017 by the Government of the Czech Republic (the idea is to repeat the NRA regularly). 

The NRA report provides an assessment of the role of each public authority entrusted with the task of enforcing the AML and individual controlling mechanisms.

The NRA report provides a strategy and useful measures for monitoring and limiting the risks of money laundering and terrorist financing regarding the following bodies:

• financial institutions;
• mobile payment services providers;
• insurers;
• legal and advisory services;
• service providers for companies and trust funds.

The main identified risks include: 

• tax-related crimes followed by money laundering;
• corruption followed by money laundering;
• interference with public procurement followed by money laundering;
• public aid crimes followed by money laundering;
• terrorist financing; and
• drug-related crimes followed by money laundering.

Yes, the National Risk Assessment considers the following areas to be the most exposed to AML/CTF risks:

1. cash operations and physical transfers through borders;
2. virtual currencies;
3. cashless money exchange;
4. fiscal frauds;
5. crowdfunding.

The AML Act prescribes a number of key obligations that must be respected to the maximum extent by all reporting persons and all individuals and legal entities: 

• client identification and control obligation;
• information obligation;
• reporting obligation;
• obligation to postpone client’s instruction;
• preventive measures obligation;
• obligations related to transfers of funds;
• reporting obligation regarding cross-border transfers;

Measures adopted in response to a breach of these obligations will depend on the nature of the breach, e.g. an assessment of whether the nature of the breach amounts to civil or criminal liability.

The main CTF measures are implemented in the Polish AML Act and include transaction suspensions and account holds, specific restrictive measures such as freezing assets without prior notice, keeping a list of persons and entities against whom restrictive measures are applied, the obligation of no criminal record for UBOs and representatives in the companies’ structures, and administrative penalties for obliged institutions which fail to fulfil AML/CTF obligations (the main obligation is to notify the GIFI immediately of all reasonable suspicions that a transaction or assets may be linked to money laundering or terrorist financing).

Money laundering and terrorist financing are criminalised under the Czech Criminal Code as standalone crimes. The legalisation of the proceeds of crime is subject to imprisonment up to ten years. Terrorist financing is subject to imprisonment up to 15 years. Further sanctions, such as forfeiture of property etc., can be imposed.

Czech law recognises corporate criminal liability, therefore companies may also be criminally liable for money laundering and terrorist financing. There is a wide range of sanctions which can be imposed on legal entities, e.g. dissolution of the company, forfeiture of property, monetary penalty, and publishing the judgment. 

The AML Act provides a range of sanctions for non-compliance with the key obligations and sets out individual fines and penalties depending on the type of infringement, the type of infringer (an individual or entity or type of entity, banks, insurers, etc.).

Legal entities and obliged institutions may be subject to both criminal and regulatory liability while their representatives may be individually subject to criminal liability.

Pursuant to the Polish Criminal Code, any individual person who receives, possesses, uses, conveys or transports abroad, conceals, transfers or converts legal tenders, financial instruments, securities, foreign exchange, property rights or other movable or immovable property, which are connected to criminal offence, is liable to imprisonment of between six months to ten years. This sanction also applies to an employee or anyone acting in the name of or for the benefit of a bank, financial or credit institution, or another entity legally obliged to register transactions who receives legal tenders, financial instruments, securities, foreign exchange, transfers or converts them, or receives them in circumstances raising a reasonable suspicion that they have been the object of money laundering.

A representative acting in the name of an obliged institution who fails to comply with the obligation of reporting to the GIFI or who provides the GIFI with false data or fails to disclose true data concerning transactions, accounts or persons, may be subject to imprisonment for from three months to five years. The same penalty applies to unauthorised disclosing or using information gathered in accordance with the Polish AML Act. Additionally, whoever prevents or inhibits the performance of inspection or controlling the institutions may be subject to a fine.

Representatives of legal entities may also potentially face criminal liability based on AML-specific provisions for inflicting substantial material damage (more than PLN 200,000) by abusing granted authority or failing to fulfil duties, subject to imprisonment between three months and five years. For example, this may apply if the representative fails to comply with AML/CTF regulations and then the authorities freeze funds, which cause damage to the entity.

The quasi-criminal liability of legal entities is regulated by the act of criminal liability of collective entities for punishable offences. The collective entity may be responsible, provided other prerequisites are met, for offences related to economic activity, penal and fiscal offences, public corruption and corruption of business, including crimes of money laundering. The act provides a range of sanctions such as a monetary penalty ranging from PLN 1,000 to PLN 5,000,000 (which however cannot exceed 3% of the revenue earned in the business year in which the offence was committed), or the forfeiture of proceeds of the crime.

An obliged institution that fails to fulfil its obligations under the Polish AML Act may be subject to an administrative penalty, which may take various forms, including the publication of information about the breach in the public information bulletin, an order to stop undertaking certain activities, the withdrawal of a licence or permit, deletion from a regulated activity register, a prohibition on performing duties in a managerial position by a person responsible for the breach, or a financial penalty. The financial penalty may be imposed up to twice the amount of the benefit achieved or the loss avoided by the obliged institution as a result of a breach or where it is impossible to determine this amount, up to EUR 1m. For financial institutions the limits are higher, and the penalty is up to EUR 5m or 10% of the turnover reported in the preceding financial statement.