Table of contents
- What is an internal policies system and why does the law require it?
- Who must have an SVZ — and who must have it in writing?
- Who must submit the SVZ to the FAU or the Czech National Bank?
- What must the SVZ contain under Section 21(5) of the AML Act?
- Risk assessment as the foundation of the SVZ: what must it include?
- Whistleblowing — a mandatory SVZ element that cannot be outsourced
- How and when should the SVZ be updated?
- The most common SVZ mistakes according to the FAU
- What sanctions apply for a missing or poor-quality SVZ?
- Frequently asked questions about SVZ
What is an internal policies system and why does the law require it?
The internal policies, procedures and controls system (SVZ) is an internal document of an obliged entity. In a clear and binding form, it sets out how the obliged entity fulfils the obligations arising from Act No. 253/2008 Coll. (the AML Act). The legal basis is Section 21 of the AML Act.
SVZ is not just a formal paper for the drawer. It is an operating manual for employees — it describes how to identify a client, perform due diligence, recognize a suspicious transaction, report it and proceed when a client refuses to cooperate. SVZ always includes an ML/TF risk assessment under Section 21a of the AML Act.
The reason for the legal requirement is practical: during an inspection, the FAU does not assess only whether procedures exist. It assesses whether they are set correctly, whether employees really follow them and whether they are up to date. SVZ is therefore the primary evidence, both for the FAU and for the obliged entity, that AML obligations are being fulfilled.
Who must have an SVZ — and who must have it in writing?
Section 21(1) of the AML Act requires all obliged entities to introduce and apply an SVZ, except for insolvency administrators (Section 27a), traders in art and precious metals for transactions above EUR 10,000 (Section 28) and cross-border providers (Section 29b).
Only selected obliged entities under Section 21(2) of the AML Act must have the SVZ in writing:
| Type of obliged entity | Written SVZ required |
|---|---|
| Credit institutions — Section 2(1)(a) | Yes, always |
| Financial institutions — Section 2(1)(b) | Yes, always |
| Gambling operators — Section 2(1)(c) | Yes, always* |
| Real estate intermediaries, auctioneers and persons trading in real estate — Section 2(1)(d) | Yes, always* |
| Trust and company service providers — Section 2(1)(h) | Yes, always* |
| Accountants, tax advisers, auditors — Section 2(1)(e) | Not mandatory in writing — strongly recommended |
| Lawyers and notaries — Section 2(1)(g) | Not mandatory in writing — strongly recommended |
| Judicial executors — Section 2(1)(f) | Not mandatory in writing — strongly recommended |
*The SVZ must be approved by the obliged entity's statutory body (Section 21(2) of the AML Act).
Two statutory exceptions to the written requirement (Section 21(3) and (4) of the AML Act):
- An obliged entity under Section 2(1)(b), (c), (d) or (h) does not have to prepare the SVZ in writing if, in AML-related areas, it does not employ any other persons and no other persons are otherwise active for it.
- A written SVZ is also not required where the person contractually performs AML activities exclusively for one other obliged entity and follows that entity's SVZ, provided its activity is sufficiently described there.
These exceptions are narrow. If there is any doubt, the FAU will assess whether the conditions were actually met.
Who must submit the SVZ to the FAU or the Czech National Bank?
The duty to notify the supervisory authority of the SVZ does not apply to everyone. It applies only to selected obliged entities under Section 21(8) of the AML Act. Real estate agents, TCSPs and professions such as accountants or tax advisers do not have to notify their SVZ.
| Type of obliged entity | Recipient | Deadline |
|---|---|---|
| Gambling operator (Section 2(1)(c)) | FAU | 60 days from the obligation arising |
| Payment service provider, EMI, postal services, exchange office, insurance intermediary (selected Section 2(1)(b) entities) | FAU | 60 days |
| VASP — virtual asset service provider (Section 2(1)(b), point 15) | FAU | 60 days |
| Credit institutions, fund managers, investment firms, market operators, pension companies (Section 2(1)(b), points 1–4) | Czech National Bank | 60 days |
| Real estate intermediaries and TCSPs (Section 2(1)(d), (h)) | No notification | — |
| Accountants, tax advisers, lawyers and notaries (Section 2(1)(e), (g)) | No notification | — |
Changes to the SVZ must be notified within 30 days of their adoption.
What must the SVZ contain under Section 21(5) of the AML Act?
Section 21(5) of the AML Act sets out the mandatory contents of the SVZ. The list is not closed — an obliged entity may include additional measures and duties. The statutory minimum consists of these ten areas:
- a) Signs of suspicious transactions — an illustrative list of discretionary and mandatory signs, including Section 6(2) of the AML Act.
- b) Method of client identification — including procedures for identifying PEPs and sanctioned persons.
- c) Client due diligence procedure — scope and method of due diligence, including enhanced and simplified due diligence.
- d) Procedure for not carrying out a transaction — when and how to refuse a transaction or terminate a business relationship under Section 15 of the AML Act.
- e) Procedure for making retained data available — to the FAU, law enforcement authorities and the supervisory authority.
- f) Procedure from detecting a suspicious transaction to filing a report — who evaluates it, within which deadlines and through which channel it is reported.
- g) Rules for third parties — agents or intermediaries offering the obliged entity's products on its behalf.
- h) Measures preventing frustration of securing proceeds — how immediate execution of a client's order does not endanger securing of proceeds.
- i) Technical and personnel measures for delaying execution of a client's order — procedure under Section 20 of the AML Act, including designation of a contact person.
- j) Additional measures for third countries — only where Section 24a(2) applies to the obliged entity.
SVZ tailored exactly to your sector — without starting from an empty template
AML PROOF generates an internal policies system based on your obliged entity profile, client types and business model — individualized, approvable and continuously updated.
Try the SVZ generatorRisk assessment as the foundation of the SVZ: what must it include?
The ML/TF risk assessment under Section 21a of the AML Act is not an optional annex to the SVZ. It is a mandatory part of it, and the SVZ must be built on it. The obliged entity must identify and assess the money laundering and terrorist financing risks to which it is exposed in its activities.
Section 21a(2) of the AML Act sets out five mandatory risk factors:
- Type of client — non-business individual, self-employed person, legal entity, PEP, foreign national from a third country.
- Purpose, regularity and duration of the business relationship or transaction.
- Type of product or service.
- Value and method of carrying out the transaction — cash vs. non-cash payment.
- Risk level of countries or geographical areas — high-risk third countries according to FATF and the National Risk Assessment.
The risk assessment must be regularly updated, especially following a new National Risk Assessment (NRA), amendments to the AML Act or new FAU methodological guidance. The latest NRA was approved by Czech Government Resolution No. 3 of 5 January 2026.
Whistleblowing — a mandatory SVZ element that cannot be outsourced
For selected obliged entities (Section 2(1)(a), (b), (c), (d), (h)), Section 21(6)(b) of the AML Act requires a component of the SVZ that is often forgotten in practice: a system for anonymous reporting of AML obligation breaches.
The law sets two key conditions:
- The system must allow anonymous reports.
- The system must not be operated by a third party. Outsourcing is prohibited by law; the obliged entity must operate it itself or through a tied agent under Section 2(4) of the AML Act.
This is an area where commercial SaaS solutions cannot operate the whistleblowing system on behalf of the obliged entity. The SVZ must therefore contain the entity's own internal procedure for receiving and handling anonymous reports.
How and when should the SVZ be updated?
Section 21(2) of the AML Act expressly requires the obliged entity to keep the SVZ continuously updated. Updating is not optional — it is a legal duty.
An obliged entity should update the SVZ whenever there is:
- an amendment to the AML Act or new FAU methodological guidance,
- a new or updated National Risk Assessment (NRA),
- introduction of a new product, service or technology,
- a change in the business model — new client types, new markets or a new branch,
- a deficiency identified during internal control or after an FAU inspection.
After each update, the obliged entity must ensure employee training on the changes (Section 23(3) of the AML Act). For obliged entities subject to notification under Section 21(8), changes must be notified to the FAU or the Czech National Bank within 30 days of their adoption.
The most common SVZ mistakes according to the FAU
FAU Methodological Guideline No. 11, effective from 5 September 2025, expressly highlights recurring deficiencies detected during supervision:
- The obliged entity alone is responsible for SVZ quality. Even if an external specialist or law firm prepares the SVZ, the obliged entity remains fully responsible for its content and currentness.
- The SVZ does not match the real business model. A generic internet template or a document not adapted to the specific obliged entity is insufficient for the FAU.
- The SVZ is a template, not an individualized document. The FAU repeatedly sanctions entities whose SVZ was identical to dozens of others, with only the company name changed.
- The risk assessment is insufficient or missing entirely. An SVZ without a risk assessment does not meet the statutory requirements.
- The SVZ is not updated. A document from 2022 that nobody has updated since is a problem during an FAU inspection in 2026.
What sanctions apply for a missing or poor-quality SVZ?
| Offence | Legal basis | Fine |
|---|---|---|
| Failure to introduce or apply an SVZ | Section 48(1) of the AML Act | up to CZK 10,000,000 |
| Failure to prepare a written SVZ within 60 days | Section 48(2) of the AML Act | up to CZK 1,000,000 |
| Failure to notify the SVZ or changes to the FAU/CNB | Section 48(3) of the AML Act | up to CZK 1,000,000 |
| Failure to prepare or update the risk assessment | Section 48(4) of the AML Act | up to CZK 1,000,000 |
In serious, repeated or continuous breaches, the limits increase — for non-financial institutions up to CZK 30,000,000.
The key distinction: the fine for not applying an SVZ (Section 48(1)) is ten times higher than the fine for not preparing a written SVZ (Section 48(2)). Having an SVZ on paper but not using it in practice is therefore more serious from a sanctions perspective than not having it at all.
SVZ as a living system — not a static document in a drawer
AML PROOF connects SVZ with daily work: client identification, risk assessment, PEP screening and training, so SVZ is not just a document but a functioning compliance system.
Start for freeFrequently asked questions about SVZ
Must the managing director approve the SVZ, or is approval by a responsible employee enough?
The SVZ must be approved by the obliged entity's statutory body (Section 21(2) of the AML Act), such as the managing director of an s.r.o., the board of directors of an a.s. or another statutory representative.
Can a company have two SVZ documents for two different activities?
No. FAU Methodological Guideline No. 11 expressly states that an obliged entity always prepares one SVZ covering all of its AML obligations.
Can I use a model SVZ from the FAU website?
The FAU provides a model structure as an orientation aid, not as a ready-to-use document. It must always be adapted to the specific obliged entity.
How long must I keep the SVZ and risk assessment?
The AML Act does not set a special retention period for the SVZ itself. Older versions should nevertheless be retained for a possible FAU inspection, which may review previous periods.
Must the SVZ include international sanctions procedures?
Yes. The SVZ should include procedures for international sanctions, including screening and the process to follow when a sanctioned person is detected.