Czech Republic -- AML/CFT Compliance Regulatory Overview
Methodology
AI-generated synthesis from web search results.
Limitations
- AI-generated content -- not reviewed by human expert
- Source URLs not independently verified
The Czech Republic, as a member of the European Union, has transposed the EU's Anti-Money Laundering (AML) directives into its national legislation. This means that Virtual Asset Service Providers (VASPs) are considered "obliged entities" and are subject to robust AML/CFT (Counter-Financing of Terrorism) requirements.
Here's a breakdown of the AML and KYC requirements for cryptocurrency/virtual asset service providers in the Czech Republic:
I. AML/CFT Legislation
The Czech Republic's AML/CFT framework for VASPs is primarily based on:
EU Directives:
- Fifth Anti-Money Laundering Directive (EU 2018/843) (5AMLD): This directive explicitly brought virtual asset service providers under the scope of AML/CFT regulations, requiring them to comply with customer due diligence, reporting, and record-keeping obligations.
- Sixth Anti-Money Laundering Directive (EU 2018/1673) (6AMLD): Further strengthens the legal framework by harmonizing the definition of money laundering offenses and related penalties across EU member states.
Czech National Legislation:
- Act No. 253/2008 Coll., on Certain Measures Against Legalisation of Proceeds of Crime and Financing of Terrorism (the "AML Act"): This is the primary national law transposing the EU AML directives. It was amended to include VASPs as obliged entities.
- Act No. 455/1991 Coll., the Trade Licensing Act: This act was amended to create specific categories for virtual asset service providers, requiring them to obtain a trade license to operate legally. This licensing ensures that they are formally recognized and fall under the regulatory purview for AML purposes.
Key takeaway: VASPs operating in the Czech Republic are considered "obliged entities" under the AML Act and must comply with all relevant provisions.
II. Definition of Virtual Asset Service Providers (VASPs)
Under Czech law (as per the AML Act and Trade Licensing Act amendments), services related to virtual assets that fall under AML/CFT obligations typically include:
- Virtual Asset Exchange Services: Providing services for the exchange between virtual assets and fiat currencies or between one or more forms of virtual assets.
- Custodial Wallet Services: Providing services to safeguard private cryptographic keys on behalf of customers, to hold, store, and transfer virtual assets.
- Issuance of Virtual Assets: Certain activities related to the issuance of new virtual assets (e.g., initial coin offerings, ICOs, or security token offerings, STOs, depending on their classification).
- Transfer of Virtual Assets: Facilitating transfers of virtual assets.
III. Customer Due Diligence (CDD) Requirements
VASPs in the Czech Republic must implement robust CDD procedures, which include:
Identification of the Customer:
- Natural Persons: Full name, date and place of birth, permanent address, nationality.
- Legal Entities: Company name, registered office address, identification number (IČO), and details of their statutory representatives.
- Beneficial Owner (BO): For legal entities and trusts, VASPs must identify and verify the beneficial owner(s) – i.e., the natural person(s) who ultimately own or control the customer, or on whose behalf a transaction is being conducted. This typically involves identifying any natural person holding more than 25% of the shares or voting rights, or otherwise exercising control.
Verification of Identity:
- Information must be verified using reliable, independent sources (e.g., valid government-issued identification documents for individuals like passports or ID cards; official company registration documents for legal entities).
- For non-face-to-face relationships, enhanced verification measures are required.
Understanding the Purpose and Intended Nature of the Business Relationship:
- VASPs must gather information about why the customer wants to use their services and the expected type and volume of transactions.
Ongoing Monitoring:
- VASPs must continuously monitor the business relationship and transactions to ensure they are consistent with their knowledge of the customer, their business, and risk profile, including, where necessary, the source of funds.
- Regular reviews of customer information and risk assessments must be conducted.
Source of Funds/Wealth (When Applicable):
- For higher-risk customers or transactions, VASPs must take reasonable measures to establish the source of funds or source of wealth involved.
Enhanced Due Diligence (EDD):
- EDD is required for higher-risk situations, including:
  - Customers or beneficial owners who are Politically Exposed Persons (PEPs).
  - Customers from high-risk third countries (identified by the EU or FATF).
  - Complex or unusually large transactions.
  - Non-face-to-face business relationships (unless mitigated by other measures).
  - Relationships where the customer is a shell company or similar entity without clear economic purpose.
- EDD measures include obtaining additional information, increased monitoring, and requiring senior management approval.
Simplified Due Diligence (SDD):
- While possible in low-risk situations, SDD is rarely applicable to cryptocurrency activities due to the inherent anonymity and global reach associated with virtual assets. The default assumption for crypto is generally higher risk.
IV. Suspicious Transaction Reporting (STR)
VASPs are legally obliged to report suspicious transactions or activities to the Czech Financial Analytical Unit (FAU) without delay if they know, suspect, or have reasonable grounds to suspect that:
- Funds or virtual assets are the proceeds of criminal activity.
- Funds or virtual assets are linked to terrorist financing.
- A transaction (even if not carried out) is suspicious.
Key aspects of STR:
- No Tipping-Off: VASPs and their employees are prohibited from informing the customer or any third party that a report has been made or that a money laundering or terrorist financing investigation is underway.
- Reporting Thresholds: While there are specific thresholds for cash transactions (e.g., above €15,000 for traditional financial institutions), the obligation to report suspicious transactions applies irrespective of the amount involved.
V. Record-Keeping Obligations
VASPs must retain the following records for a period of ten years from the date of the transaction or the end of the business relationship:
- CDD Records: Copies of identification documents, verification data, and any information obtained during the CDD process.
- Transaction Records: Details of all transactions, including amounts, dates, parties involved, and the nature of the transaction.
- Analysis and Decisions: Records of the analysis performed for suspicious transactions, internal reports, and any decisions made regarding reporting or declining a transaction.
These records must be readily accessible to the supervisory authorities upon request.
VI. Supervisory Authority
In the Czech Republic, the primary authority overseeing AML/CFT compliance for VASPs is:
Financial Analytical Unit (FAU) of the Ministry of Finance (Finanční analytický úřad (FAÚ) Ministerstva financí): The FAU acts as the Czech Financial Intelligence Unit (FIU) and is responsible for receiving and analyzing suspicious transaction reports. It also supervises compliance with AML obligations for non-bank financial institutions and other obliged entities, including VASPs.
- Website: https://www.fau.mfcr.cz/ (Czech only, use translation tool)
It's also worth noting that the Trade Licensing Offices (under the Ministry of Industry and Trade) are responsible for the initial licensing of VASPs, ensuring they meet the legal requirements to operate. However, the ongoing AML/CFT compliance oversight falls to the FAU.
Important Note: The regulatory landscape for virtual assets is constantly evolving. VASPs should ensure they stay up-to-date with any amendments to legislation, guidance from the FAU, and best practices. It is highly recommended that any VASP operating or intending to operate in the Czech Republic consult with legal counsel specializing in Czech AML and financial regulations.
Source Data
**Regulator:** The **Financial Analytical Office (Finanční analytický úřad - FAU)** is the primary AML/CTF supervisory authority.
**Requirement:** Entities providing services related to virtual assets, which includes the custody or administration of virtual assets, are considered "obliged entities" under Czech AML law. They must be registered with the FAU.
**Legal Basis:** **Act No. 253/2008 Coll., on Selected Measures Against Legitimisation of Proceeds of Crime and Financing of Terrorism (AML Act)**.
Specifically, Section 2(1)(l) defines providers of services relating to virtual assets as obliged entities. Section 4 provides for the registration obligation.
Establishment and implementation of internal AML/CTF policies and procedures.
Customer Due Diligence (CDD) measures.
Reporting suspicious transactions to the FAU.
Ensuring the fitness and probity of management.
**Act No. 253/2008 Coll. (AML Act):** While an official English translation by the government may not be readily available online, the Czech version can be found in the Collection of Laws (Sbírka zákonů). Reputable legal firms often provide summaries in English.
**Financial Analytical Office (FAU) website:** https://www.financnianalytickyurad.cz/ (Czech only, but provides official information for registration and compliance).
**Currently:** There is no specific Czech law *explicitly* mandating the segregation of client crypto assets for virtual asset service providers (VASPs) under the current AML framework. However, general commercial law principles concerning fiduciary duties and preventing the misuse of client funds would strongly suggest, as best practice, that client assets should be held separately from the firm's operational assets. Misappropriation could lead to criminal charges.
**Currently:** There are no specific Czech laws mandating insurance or bonding requirements for crypto custody providers.
**Currently:** Czech law does not define a "qualified custodian" specifically for crypto assets in the same way traditional financial regulations define custodians for securities or funds. The closest regulated entity is the "provider of services relating to virtual assets" registered with the FAU under the AML Act.
**Stablecoins (Asset-Referenced Tokens and E-money Tokens):** Rules applying to these assets and their service providers will apply from **30 June 2024**.
**Other Crypto-Assets and CASPs (including Custodians):** Rules for other crypto-assets and service providers will apply from **30 December 2024**.
CASPs, including custodians, will require a specific authorization (license) from a designated competent authority in an EU Member State. In the Czech Republic, the **Czech National Bank (Česká národní banka - CNB)** is expected to be the primary competent authority for MiCA licenses.
Establishment of robust governance arrangements, including internal control mechanisms, effective risk management, and systems to ensure data integrity and confidentiality.
Prudential requirements (sufficient own funds or professional indemnity insurance).
Suitability of management and shareholders.
**Segregation of Client Assets Rules:**
**Explicit Mandate:** MiCA **explicitly mandates** CASPs providing custody to segregate client crypto-assets from their own assets. They must record clients' crypto-assets in separate accounts or using other equivalent measures, ensuring clients' crypto-assets are clearly distinguishable from the CASP's own assets.
**Protection:** In the event of the CASP's insolvency, client crypto-assets must not be considered part of the CASP’s insolvency estate.
**Own funds** permanently at the disposal of the CASP that are at least the higher of:
EUR 50,000 to EUR 150,000 (depending on the services provided).
A quarter of the fixed overheads of the preceding year.
**A professional indemnity insurance policy** covering the territories in which the CASP offers services, for an amount equivalent to the required own funds.
MiCA doesn't explicitly mandate "cold storage" as a specific technology, but it requires CASPs to implement **robust security policies and procedures** to ensure the protection and integrity of clients' crypto-assets.
Procedures for the safekeeping of crypto-assets.
Safeguarding against unauthorized access to cryptographic keys.
Robust operational resilience, including backup and disaster recovery plans.
*Best practice interpretation:* Meeting these security requirements will almost certainly necessitate secure offline storage (cold storage) for a significant portion of client assets.
MiCA defines "custody and administration of crypto-assets on behalf of third parties" as a specific crypto-asset service requiring authorization. Any entity authorized to provide this service under MiCA would effectively function as a "qualified custodian" in the EU, subject to the comprehensive set of rules outlined above.
**Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets (MiCA):** https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R1114
**Czech National Bank (ČNB) website:** https://www.cnb.cz/en/ (Expected to be the competent authority for MiCA licenses in the Czech Republic).
Require specific authorization for crypto custody providers.
Mandate clear segregation of client assets.
Introduce prudential requirements (own funds or insurance).
Demand robust security measures that will likely necessitate advanced storage solutions.
Effectively create a definition for a regulated "crypto custodian" within the EU.
**Adopted:** Yes, the FATF Travel Rule for crypto-assets has been formally adopted through **Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets**, often referred to as the new TFR or TFR 2.0 (part of the EU's MiCA and AML package). As an EU Regulation, it is directly applicable in all Member States, including the Czech Republic, without requiring separate national transposition into law, although national legislation will designate competent authorities and set out penalties.
**Effective Date:** Regulation (EU) 2023/1113 was published in the Official Journal on 9 June 2023. It will apply from **30 December 2024**.
**For transfers between two Crypto-Asset Service Providers (CASPs/VASPs) or from a CASP to another hosted wallet:**
**No threshold (€0):** For *all* transfers of any amount, the originating CASP must obtain and transmit complete originator and beneficiary information to the beneficiary CASP. The beneficiary CASP must receive and hold this information.
**For transfers from a CASP to an unhosted wallet (or vice-versa):**
The CASP must collect and hold full originator (when sending) or beneficiary (when receiving) information from its customer, regardless of the amount.
If the value of the transaction is **€1,000 or more**, the CASP must take reasonable measures to verify that the unhosted wallet is owned or controlled by the originator or beneficiary. This can be done using various methods, including on-chain analysis or proof of control.
Exchanges between crypto-assets and fiat currencies.
Transfer of crypto-assets (on behalf of customers).
Custody and administration of crypto-assets on behalf of customers.
Execution of orders for crypto-assets on behalf of customers.
Reception and transmission of orders for crypto-assets.
**Interoperable Solutions:** CASPs must implement technical solutions that allow them to send and receive the required originator and beneficiary information securely and reliably with other CASPs globally.
**Data Accuracy and Verification:** CASPs must ensure the accuracy of the collected information and verify it based on reliable and independent sources.
**Data Retention:** Information must be retained for five years, in line with general AML requirements.
**Data Protection (GDPR):** All technical implementations must comply with the EU's General Data Protection Regulation (GDPR) regarding the collection, processing, and storage of personal data.
**No Prescribed Protocol:** The TFR does not mandate a specific technical protocol (e.g., TRISA, Sygna, Travel Rule Protocol), allowing the market to develop interoperable solutions. However, it requires that the information must be sent "immediately and securely."
**Administrative Fines:** Substantial monetary fines, which can reach millions of CZK (Czech Koruna) or a percentage of the annual turnover for serious or repeated breaches.
**Withdrawal or Suspension of License/Registration:** For severe or persistent non-compliance, the ČNB can revoke or suspend a CASP's license or registration.
**Public Sanctions:** The ČNB may publicly disclose information about non-compliant entities.
**Criminal Charges:** In cases involving deliberate and severe breaches or involvement in money laundering activities, individuals responsible within the CASP may face criminal prosecution.
**Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets:**
**Regulation (EU) 2023/1114 on markets in crypto-assets (MiCA):**
**Czech AML Act (Zákon č. 253/2008 Sb., o některých opatřeních proti legalizaci výnosů z trestné činnosti a financování terorismu):**
Currently, you would typically find the consolidated version on legal information portals. An official source for Czech legislation is "Zákony pro lidi" (Laws for People) or the e-Sbírka (e-Collection).
Example (unofficial but widely used consolidation, in Czech): https://www.zakonyprolidi.cz/cs/2008-253
**Czech National Bank (ČNB) - AML/CFT Supervision:**
ČNB website (English AML section): https://www.cnb.cz/en/financial-market-supervision/aml-cft/
Sources & Attribution
This article was generated by SearXNG+LLM.
Edit History
This article is maintained by AI research workers and reviewed by human editors.