CMS Expert Guide to AML and CTF law and regulation in CEE

Overview of relevant laws and regulations

  • Act No. 253/2008 Coll., on certain measures against money laundering and financing of terrorism (the “AML Act”);
  • Decree No. 281/2008 Coll., on certain requirements for the system of internal policies, procedures and control measures against money laundering and terrorist financing (the “AML Decree”);
  • Act No. 40/2009 Coll., Criminal Code;
  • Act No. 69/2006 Coll., on carrying out of international sanctions (the “International Sanctions Act”);
  • Law No. 129/2019 on the prevention and sanctioning of money laundering and terrorism financing, in force as of 21 July 2019 and with a deadline for implementation of 21 January 2020 (the “AML Law”);
  • Law No. 535/2004 on the prevention and sanctioning of terrorism financing (the “CTF Law”);
  • National Bank of Romania Regulation No. 2/2019 on the prevention and sanctioning of money laundering and terrorism financing, in force as of 9 September 2019 (the “NBR Regulation”);
  • Financial Supervisory Authority Regulation No. 13/2019 on the implementation of measures to prevent and sanction money laundering and terrorism financing through financial sectors supervised by the Financial Supervisory Authority, in force as of 10 December 2019 (the “FSA Regulation”);
  • Norms for applying Law No. 129/2019 on the prevention and sanctioning of money laundering and terrorism financing, as well as for modifying and amending certain normative acts, for the reporting entities supervised and controlled by the National Office for Prevention and Control of Money Laundering, in force as of 3 February 2020 (the “AML Norms”).

2. Are the 4th AML Directive and the 5th AML Directive implemented in your jurisdiction?

Yes, the 4th AML Directive was implemented into Czech law via Act No. 368/2016 Coll. which amends (i) the AML Act; (ii) the International Sanctions Act; (iii) Act No. 304/2013 Coll., on public registers of legal entities and individual persons; and other acts. 

The 5th AML Directive is currently being implemented into two separate acts: (i) an amendment act which will amend the AML Act and Act No. 186/2016 Coll., on hazardous games; and (ii) a new act on the Ultimate Beneficial Owner Registry. 

Only the provisions of the 4th AML Directive have been implemented through the adoption of the AML Law. At the time of writing, we are not aware of any draft bill on the implementation of the 5th AML Directive in Romania. For this reason, on 12 February 2020 the European Commission started a legal action against several Member States for failing to comply with their obligations under EU law. The Commission sent letters of formal notice to a number of countries including Romania for not having notified implementation measures in respect of the 5th AML Directive.

3. Which is the AML/CTF supervisory authority in your jurisdiction?

The Financial Analytics Office is the main AML/CTF supervisory authority. Other authorities authorised to monitor compliance with the key obligations under the AML Act in certain sectors include the Czech National Bank, the Ministry of Finance, and the Czech Inspection Authority. 

The National Office for Prevention and Control of Money Laundering (the “Romanian AML Office”) is the designated Financial Information Unit of Romania, which has authority to collect, store, investigate, analyse and disclose the conducted financial intelligence under the terms and procedures of the AML Law.

Other authorities authorised to monitor compliance with the key obligations under the AML Law in certain sectors include the Romanian National Bank, the Financial Supervisory Authority, and the National Office for Gambling.

4. Who are the obliged/reporting entities in your jurisdiction? Are there any local derogations from the scope of the obliged entities as provided for in the 4th and 5th AML Directives? 

There are almost 40 categories of reporting entities under the AML Act, including banks, financial institutions, operators of hazardous games, persons active in the real estate industry and intermediaries in the field, notaries, attorneys etc. In the Czech Republic, the scope of reporting entities under the AML Directives is also extended to include persons authorised to conduct business at cultural sites or with items of cultural value, persons authorised to conduct business with used goods or intermediaries in the field, national administrators of registries of permits and persons providing services connected with virtual currencies.

In Romania, there are no significant derogations from the scope of the obliged entities as provided for in the 4th AML Directive. The obliged/reporting entities under the AML Law include banks, financial institutions, insurance and reinsurance companies, and gambling services providers.

The KYC requirements in the Czech Republic follow the requirements of the 4th and 5th AML Directives and include the following minimum information:

  • Individual persons: name, surname, birth certificate number, date of birth (if birth certificate number is not provided), place of birth, permanent or other residence, citizenship and, if the person is an entrepreneur, also company name, place of business and the identification number;
  • Legal entities: company name, registered seat, identification number, identification data on persons who are members of the company’s statutory bodies which enable their identification;
  • Trust funds and other institutions without a legal personality: title, identification data of the administrator or of a person in a similar position. 

To facilitate the obligations of the reporting entities, the AML Act provides a general obligation on commercial companies, trust funds, associations, public legal entities, foundations, and institutes to disclose their UBOs to the court which keeps the relevant register, e.g. commercial companies will register at the court maintaining the commercial register. Please note that the UBO registry is not publicly accessible.

The KYC requirements in Romania broadly follow the requirements of the 4th AML Directive. However, we note that, for gambling services providers other than casinos, arguably the standard CDD obligation is only triggered when the client collects winnings of at least EUR 2,000, through a single transaction, as opposed to casinos which must also perform standard CDD when the client buys or exchanges chips of at least this amount. It is unclear whether this is a derogation intended by the lawmaker or an error in implementing the 4th AML Directive in national legislation. 

The reporting entities are obliged to disclose their UBOs in the central registries organised by the National Trade Registry Office (for companies), the Ministry of Justice (for associations and foundations) or the National Agency for Fiscal Administration (for trusts). 

Companies are obliged to file a declaration of beneficial owners: (i) when registering with the National Trade Registry Office; (ii) annually; and (iii) every time a modification regarding the beneficial owner occurs. Legal entities that are already established must file declarations of beneficial owners before 21 July 2020. Failure to meet this deadline may result in a fine between RON 5,000 and RON 10,000.

6. Is there any legislation in your country allowing for online/digital onboarding of customers? What are the restrictions, if any?

Yes, the legislation in various sectors, such as the banking sector, allows for the digital onboarding of customers, provided that the requirements for customer identification and customer verification under the AML Act are observed.  

Yes. For example, under specific industry legislation, online gambling operators are allowed to onboard customers digitally under strict conditions in line with the requirements for customer identification and customer verification under the AML Law. On registration, the customer must provide his/her identification details (name, date of birth, home address, email address) and can deposit a maximum of EUR 200 in his/her gaming account unless he/she provides supporting documents for this information. Withdrawals are not permitted until this verification is performed, and the gaming account will be closed if the supporting documents are not provided within 30 days of the registration date.

7. What are the other main obligations of the reporting entities? Do the obligations of some of them go beyond those required by the 4th and 5th AML Directives in terms of internal safeguards, KYC duties, reporting obligations, etc.?

The main obligations of the reporting entities under the AML Act follow the 4th and 5th AML Directives. These include customer due diligence (CDD), the collection of information and documents and their storage, an assessment of the risk of money laundering and terrorist financing, and the disclosure of information on suspicious operations, transactions and customers. The Czech AML Act further specifies requirements for a system of internal principles, risk assessment, staff training and information obligation.

The main obligations of reporting entities under the AML Law are in line with the 4th AML Directive. These include customer due diligence (CDD); reporting suspicious transactions and cash transactions of at least EUR 10,000 irrespective of their suspicious nature; document retention; performing a risk assessment regarding the reporting entity’s exposure to money laundering and terrorism financing; and designating a money laundering responsible officer (MLRO).

8. Is a National Risk Assessment adopted in your jurisdiction? If yes, what are the main identified risks?

Yes, the first round of the National Risk Assessment for Money Laundering and Terrorist Financing (the “NRA”) was finalised and approved on 9 January 2017 by the Government of the Czech Republic (the idea is to repeat the NRA regularly). 

The NRA report provides an assessment of the role of each public authority entrusted with the task of enforcing the AML and individual controlling mechanisms.

The NRA report provides a strategy and useful measures for monitoring and limiting the risks of money laundering and terrorist financing regarding the following bodies:

  • financial institutions;
  • mobile payment services providers;
  • insurers;
  • legal and advisory services;
  • service providers for companies and trust funds.

The main identified risks include: 

  • tax-related crimes followed by money laundering;
  • corruption followed by money laundering;
  • interference with public procurement followed by money laundering;
  • public aid crimes followed by money laundering;
  • terrorist financing; and
  • drug-related crimes followed by money laundering.

Since the adoption of the AML Law, we are not aware of any National Risk Assessment having been issued by the Romanian AML Office.

9. What are the main CTF measures in your country?

The AML Act prescribes a number of key obligations that must be respected to the maximum extent by all reporting persons and all individuals and legal entities: 

  • client identification and control obligation;
  • information obligation;
  • reporting obligation;
  • obligation to postpone client’s instruction;
  • preventive measures obligation;
  • obligations related to transfers of funds;
  • reporting obligation regarding cross-border transfers.

Measures adopted in response to a breach of these obligations will depend on the nature of the breach, e.g. an assessment of whether the nature of the breach amounts to civil or criminal liability.

As a Member State of the European Union, Romania enforces the sanctions imposed through Common Positions adopted within the Common Foreign and Security Policy. The sanctions include asset freezing, prohibition on making funds available, prohibition on certain financial actions, restrictions on services, restrictions on goods, and prohibition on arms procurement.

10. What are the criminal and/or regulatory and/or other risks for corporate bodies/directors/employees under your national law if failing to comply with AML/CTF legislation? Is there regular enforcement of the AML/CTF legislation in your country?

Money laundering and terrorist financing are criminalised under the Czech Criminal Code as standalone crimes. The legalisation of the proceeds of crime is subject to imprisonment up to ten years. Terrorist financing is subject to imprisonment up to 15 years. Further sanctions, such as forfeiture of property etc., can be imposed.

Czech law recognises corporate criminal liability, therefore companies may also be criminally liable for money laundering and terrorist financing. There is a wide range of sanctions which can be imposed on legal entities, e.g. dissolution of the company, forfeiture of property, monetary penalty, and publishing the judgment. 

The AML Act provides a range of sanctions for non-compliance with the key obligations and sets out individual fines and penalties depending on the type of infringement, the type of infringer (an individual or entity or type of entity, banks, insurers, etc.).

As a general rule, it should be noted that a simple failure to comply with AML/CTF legislation gives rise to administrative liability and not criminal liability of the individual/legal entity, unless the individual/legal entity participated in a crime either as an author, aider or abettor. 

For individuals, the administrative sanctions may consist of a warning or an administrative fine between RON 10,000 (EUR 2,100) and RON 150,000 (EUR 31,000).

For legal entities, the administrative sanctions may consist of a warning or an administrative fine of 10% of the total revenue declared for the previous fiscal period plus the aforementioned fine applicable to individuals. It should be noted that separate sanctions may also apply to the members of the management bodies or other individuals responsible for the breach.

In addition to the above financial sanction, entities that breach AML legislation may also be subject to one or more of the following complementary sanctions:

  1. confiscation of the assets resulting from the breach;
  2. suspension of the permit or authorisation to perform a certain activity or, as the case may be, suspension of the company’s activity for one to six months;
  3. withdrawing the licence or permit for certain operations or for foreign trade activities for one to six months;
  4. blocking the bank account for ten days to one month;
  5. annulling the permit, approval or authorisation to perform a certain activity;
  6. closing the branch or another secondary headquarters;
  7. public statement identifying the individual or legal entity and the nature of the breach;
  8. issuing an order instructing the entity to cease the default;
  9. a temporary prohibition to exercise managerial functions in any reporting entity, issued against a person with managerial functions in the defaulting entity or any individual person that is responsible for the breach.
Tomáš Matĕjovský
Lukas Valusek
Senior Associate
Cristina Popescu
Senior Counsel and Head of CEE Insurance Practice Group
Ana Radnev