Table of contents
- What is the AML internal policies system?
- The legal basis: § 21 of the AML Act
- What must the SVZ contain?
- AML risk assessment as the foundation
- Who is responsible for the SVZ?
- How to keep the SVZ up to date
- Most common mistakes when creating an SVZ
- Penalties for a missing or inadequate SVZ
- Conclusion and practical recommendations
What is the AML internal policies system?
The internal policies system (SVZ) is an internal document — in practice an AML manual — that defines how your company fulfils its obligations under the AML Act (Act No. 253/2008 Coll. on certain measures against the legalisation of proceeds of crime and financing of terrorism).
The SVZ is not just a formality left in a drawer. It is a living operational document describing specific procedures for client identification, risk assessment, screening, reporting suspicious transactions, and employee training. It must reflect the reality of your business — not generic templates downloaded from the internet.
The obligation to have an SVZ applies to all obliged entities regardless of company size. It applies equally to a real estate agent with two employees and to a large financial institution.
The legal basis: § 21 of the AML Act
The obligation to create an internal policies system is imposed directly by § 21 of Act No. 253/2008 Coll. The Act states that an obliged entity must implement and apply internal policies, procedures and control measures to prevent money laundering and terrorist financing.
These internal policies must in particular include:
- Procedures for client identification and due diligence (KYC/CDD)
- Risk assessment at the company level and for individual business relationships
- Procedures for reporting suspicious transactions to the Financial Analytical Office (FAU)
- Rules for retaining documentation
- An employee training programme
- Designation of the person responsible for AML compliance
The SVZ must be tailored to the specific nature, scope and character of the obliged entity's business. Generic templates that ignore the specifics of your sector do not meet the legal standard — and this will become apparent during an FAU inspection.
What must the SVZ contain?
Neither the Act nor implementing regulations prescribe a fixed structure for the SVZ, but practice and FAU guidelines define what a functional SVZ should include. Here is an overview of the key areas:
1. Identification and risk assessment
The SVZ must describe how the company assesses money laundering and terrorist financing risks. This includes the business-level risk assessment and the client-level risk assessment for individual clients and transactions.
2. KYC and CDD procedures
The SVZ must clearly define how client identification takes place — from identity documents for natural persons and from the commercial register for legal entities. It also covers procedures for identifying the Ultimate Beneficial Owner (UBO) of corporate clients.
3. Enhanced due diligence (EDD)
For high-risk clients, politically exposed persons (PEPs) or clients from high-risk third countries, the SVZ must define enhanced due diligence procedures.
4. Screening and ongoing monitoring
The document must describe how the company checks clients against sanctions lists (EU, UN, OFAC), PEP registers and adverse media — and how this monitoring takes place on an ongoing basis, not just at client onboarding.
5. Suspicious transaction reporting (OPO)
The SVZ must contain a clear procedure: who evaluates suspicious indicators, who decides to submit a report, and how the suspicious transaction is reported to the FAU. This procedure must be practically usable, not merely described in general terms.
6. Retention of documentation
The SVZ specifies which documents are retained, for how long (the Act requires 5–10 years) and in what format. Documentation must be available for inspection by the FAU.
7. Employee training
The SVZ must define a programme of ongoing AML training for employees — content, frequency and verification method. The Act requires regular training at least once a year.
8. Designation of the responsible person
The SVZ must clearly identify who in the company bears responsibility for AML compliance — the so-called designated person (compliance officer). In smaller companies, this role is typically fulfilled by a member of the statutory body.
AML risk assessment as the foundation
AML risk assessment is the backbone of the entire internal policies system. Without a functional risk assessment it is impossible to set proportionate measures — and this is precisely what the Act requires (the risk-based approach).
Risk assessment operates at two levels:
- Business risk assessment: An overall assessment of your company's risks with regard to client type, geography, products and distribution channels.
- Client risk assessment: Individual assessment of each client and transaction — assigning a risk score (low / medium / high risk).
Key risk factors you must assess include:
- Geography — where the client comes from and operates (high-risk jurisdictions per FATF, EU grey/black lists)
- Client type — natural person, legal entity, PEP, beneficial owner
- Products and services — what type of transaction or relationship is being entered into
- Distribution channels — direct contact vs. intermediated onboarding
- Source of funds — where the client's money comes from
- Complexity of ownership structure — chains of companies, offshore structures
The outcome of the risk assessment is a documented justification of why a specific client was assigned a specific risk rating — and why enhanced due diligence was or was not applied.
Who is responsible for the SVZ?
The AML Act provides that overall responsibility for fulfilling AML obligations rests with the obliged entity — the legal entity or sole trader. Within the company, specific people bear responsibility for the internal policies system:
- Member of the statutory body — must be formally designated with full responsibility for the AML programme. This responsibility must be documented.
- Designated person (compliance officer) — the person who handles day-to-day AML operations: screening clients, evaluating suspicious transactions, coordinating training. Must be registered with the FAU (within 30 days of appointment; changes within 15 days).
- Employees — every employee who has contact with clients or transactions must be trained and know how to respond when identifying suspicious situations.
In small companies it is common for the member of the statutory body to also act as the designated person. This does not mean the responsibilities merge — both roles must be clearly described in the SVZ.
How to keep the SVZ up to date
The SVZ is not a one-off document. It is a living system that must reflect the current state of your business and changes in legislation. The FAU pays close attention during inspections to whether the SVZ is current — or whether it is a document created once and left untouched ever since.
You should review and update the SVZ whenever:
- There is a change in AML legislation or FAU guidance
- You expand or change your business activities or product portfolio
- You enter new geographic markets or acquire new categories of clients
- Responsible persons change (designated person, member of statutory body)
- The FAU or another authority conducts an inspection and issues recommendations
- You carry out an internal AML audit and identify gaps
As a minimum standard, a thorough review of the SVZ at least once a year is recommended, with each review documented — including the date and the person who carried it out.
Most common mistakes when creating an SVZ
The same types of deficiencies repeatedly appear during FAU inspections. Knowing the most common mistakes will help you avoid them:
- Generic template without customisation: A downloaded template that has not been adapted for the specific type of business does not meet the legal proportionality requirement. The FAU identifies this immediately.
- Missing or purely formal risk assessment: A risk assessment that merely states the risk is low, without any justification or methodology, is inadequate.
- Outdated document: An SVZ valid as of 2021 that has not been updated following amendments to the Act or changes in business will be assessed as non-compliant during an inspection.
- Unrealistic procedures: The SVZ describes procedures the company does not actually follow in practice. A mismatch between the document and reality is a red flag for the FAU.
- No evidence of training: The SVZ describes employee training, but the company cannot demonstrate that training actually takes place — no records, attendance sheets or tests.
- Unclear designation of the responsible person: The SVZ does not specify the person responsible for AML, or that person is not registered with the FAU.
Penalties for a missing or inadequate SVZ
The absence of an internal policies system or serious deficiencies in it constitute an administrative offence under the AML Act. The FAU may impose a fine of up to CZK 1 million for this. In more serious cases or repeated violations, penalties may be higher — or a prohibition on carrying out the relevant activity may be imposed.
Overview of relevant penalties:
- Absence of SVZ or risk assessment: fine up to CZK 1 million
- Failure to designate or register the designated person: fine up to CZK 1 million
- Inadequate client identification: fine up to CZK 10 million
- Inability to prove training: fine up to CZK 5 million
- Failure to report a suspicious transaction: fine up to CZK 5 million, up to CZK 30 million for repeat offences
Important: penalties do not require proof that the company facilitated money laundering. It is sufficient to establish that obligations were formally not fulfilled — even if no suspicious case arose.
Conclusion and practical recommendations
The AML internal policies system is a legal obligation for every obliged entity — and your best line of defence during an FAU inspection. A well-prepared SVZ that truly reflects your business and is kept up to date gives you confidence: you know what to do and you can prove it.
Practical recommendations in summary:
- Create your SVZ tailored to your business — not from a generic template.
- Ensure the SVZ covers all legally required areas — from risk assessment to training.
- Designate and register the designated person with the FAU.
- Conduct and document regular employee training.
- Review the SVZ at least once a year and at every relevant change.
- Ensure all AML steps are demonstrable — from client identification to risk assessment.
AML PROOF helps you manage the entire SVZ — from risk assessment through client identification to preparation for FAU inspection — in one comprehensive tool.
