Table of contents
What are AML obligations and why do they exist
Money laundering is a process by which criminals transfer illegally obtained money into the legal financial system. Therefore, the state requires selected businesses to screen clients and report suspicious transactions — so illegal money cannot be hidden behind common business relationships.
These obligations are set out in the AML Act, which is based on European directives (AMLD) and the new EU AMLR 2024 regulation. In the Czech Republic, the supervisory authority is the Financial Analytical Office (FAÚ).
The AML Act has been amended several times since its introduction. From 30 December 2024, the scope of obliged entities was extended to include providers of crypto-asset services (CASPs). EU Regulation AMLR 2024/1624 will introduce unified rules across the entire EU and will be fully effective from 2027 — with stricter requirements affecting even small businesses that have so far relied on staying under the radar.
Who is an obliged entity?
An obliged entity is a natural or legal person doing business in a sector defined by Section 2 of the AML Act. It's not just banks — the law applies to a wide spectrum of professions:
- Real estate brokers and persons trading in real estate
- Accountants, tax advisors, and auditors
- Lawyers, notaries, and judicial executors
- Currency exchanges and payment service providers
- Gambling operators
- Virtual asset service providers (from Dec 30, 2024)
- Persons establishing legal entities or providing registered offices
- Used goods dealers and pawnshops
- Providers of credit, leasing, or guarantees outside the banking sector
An obliged entity can be a freelancer or a large company. What matters is the nature of the activities performed — not turnover or number of employees.
Overview of AML Obligations
1. Client Identification and Control (§ 7–12)
Before establishing a business relationship or for one-off transactions over 1,000 EUR, you must:
- Verify the client's identity from a valid ID document
- Identify the ultimate beneficial owner if the client is a legal entity — and verify them in the beneficial owner register (Act No. 37/2021 Coll.)
- Determine the purpose and intended nature of the business relationship
- Assess client risks
Identification of a natural person involves verifying identity from a valid document — name, date and place of birth, nationality, address, document number and validity. For a legal entity, you must additionally identify the ultimate beneficial owner (UBO) and verify them in the Beneficial Ownership Register under Act No. 37/2021 Coll.
The method of identification must be recorded — whether it took place in person or remotely (§ 8(5)). Remote identification is permitted under statutory conditions, for example via bank identity or video verification. Identification records must be retained for 10 years.
2. Client Screening
As part of the control, you must screen the client against:
- EU, UN, and OFAC sanctions lists (Act No. 69/2006 Coll.)
- The list of politically exposed persons (PEP) according to FAÚ methodological guideline No. 7/2024
- Negative media mentions
A politically exposed person is, for example, a politician, high-ranking state official, judge, or their family members. Stricter rules apply to PEPs — enhanced identification and customer due diligence (Section 9a).
3. System of Internal Policies (§ 21)
Every obliged entity must process a system of internal policies in writing — an internal document describing the exact procedures for fulfilling AML obligations. It must contain:
- A risk assessment specific to your business (§ 21a)
- Procedures for identifying and controlling clients
- Rules for reporting suspicious transactions
- A regular employee training plan
The internal policy system must be updated whenever the business model or legislation changes, and employees must be trained on those changes. Selected obliged entities — financial institutions, currency exchange offices, gambling operators — are required to submit the system to the FAU or the CNB within 60 days of the obligation arising.
Risk assessment (§ 21a) is a mandatory component of the internal policy system. It must evaluate money laundering risks specific to your business — in terms of client types, products, geographic focus, and distribution channels. The assessment must be kept up to date on an ongoing basis.
4. Reporting Suspicious Transactions (§ 18)
If you detect a transaction or situation indicating a possible link to money laundering, you must report it to FAÚ immediately. This also applies to transactions that were ultimately not carried out.
A suspicious transaction does not need to be completed — the reporting obligation also arises for transactions that were not carried out. Section 38 of the Act also prohibits informing the client or third parties that a report has been submitted or that an investigation is under way. Breach of this prohibition may result in a fine of up to CZK 1,000,000.
5. Document Archiving
All records of client identification and control must be kept for at least 10 years after the end of the business relationship or execution of the transaction.
6. Employee Training
Employees must undergo regular AML training — at least once every 12 months.
What are the penalties for non-compliance?
FAÚ has significantly tightened its checks in recent years. Penalties for violating AML obligations:
| Offense | Maximum Fine |
|---|---|
| Failure to perform client identification | 10,000,000 CZK |
| Missing or poor quality system of internal policies | 10,000,000 CZK |
| Failure to introduce risk assessment | 1,000,000 CZK |
| Failure to report a suspicious transaction | 10,000,000 CZK |
| Natural person (employee, statutory body) | up to 100,000 CZK |
For serious, repeated, or systematic violations, fines can reach up to 130,000,000 CZK or a ban on activities. In extreme cases, there is criminal liability under Section 217 of the Criminal Code. The most common cause of a fine is not intent — it is missing documentation and unreadiness for an audit.
How to fulfill AML obligations in practice
Traditionally, this meant hiring a legal advisor, spending weeks drafting documentation, and then repeating the whole process every time the law changed. For smaller companies without a legal department, it was a financially and time-consuming process.
AML PROOF automates the entire process — from setting up the internal policy system and risk assessment, through client identification and screening, to generating documentation ready for the FAU. The result of each case is a structured report with a timestamped audit trail — exactly what inspectors look for.
Pricing starts at CZK 99 per credit. Credits never expire. The internal policy system, risk assessment, team management, and training are all included in the platform. Registration and 2 credits are free — try it at amlproof.ai.
Frequently Asked Questions
Must I fulfill AML obligations even as a freelancer?
Yes. The law applies to both natural and legal persons. If you do business in a sector listed in Section 2 of the AML Act, you are an obliged entity regardless of legal form or business size.
When does the obligation to identify a client arise?
When establishing any business relationship and for one-off transactions over 1,000 EUR. For suspicious transactions, the obligation applies regardless of the amount.
What is a PEP and why is it important?
A politically exposed person (PEP) is a person holding or who held a prominent public function in the last 12 months — a politician, judge, high-ranking state official, or their family member. The law requires enhanced due diligence for PEPs.
How long must I archive records?
For a minimum of 10 years after the end of the business relationship or execution of the transaction.
How long must I retain AML records?
A minimum of 10 years from the end of the business relationship or the execution of the transaction (§ 16 of Act No. 253/2008 Coll.). Records must be immediately available during an FAU inspection. AML PROOF ensures automatic archiving of all records for the statutory retention period.