Serbia -- AML/CFT Compliance Regulatory Overview
Methodology
AI-generated synthesis from web search results.
Limitations
- AI-generated content -- not reviewed by human expert
- Source URLs not independently verified
Serbia has established a comprehensive regulatory framework for virtual assets (cryptocurrencies) and Virtual Asset Service Providers (VASPs), primarily through its Law on Digital Assets, which came into effect in June 2021. This framework aligns with the recommendations of the Financial Action Task Force (FATF) and aims to prevent money laundering and terrorist financing.
Here's a breakdown of the AML and KYC requirements for VASPs in Serbia:
I. AML/CFT Legislation
The primary legislative acts governing AML/CFT for VASPs in Serbia are:
Law on Digital Assets (Zakon o digitalnoj imovini)
- Official Name: Закон о дигиталној имовини
- Published: "Official Gazette of RS", No. 153/2020 (came into effect June 29, 2021)
- This law defines digital assets, regulates their issuance and trading, and explicitly designates Virtual Asset Service Providers (VASPs) as obliged entities under the general AML/CFT law. It also sets out the licensing requirements for VASPs.
Law on the Prevention of Money Laundering and Terrorist Financing (Zakon o sprečavanju pranja novca i finansiranja terorizma)
- Official Name: Закон о спречавању прања новца и финансирања тероризма
- Published: "Official Gazette of RS", No. 113/2017, 91/2019, 153/2020 (last amended)
- This is the overarching AML/CFT law in Serbia, applying to all obliged entities, including VASPs. It sets out the general rules for customer due diligence, suspicious transaction reporting, record-keeping, and internal controls.
II. Definition of VASP and Obliged Entities
Under the Law on Digital Assets, a Virtual Asset Service Provider (VASP) is defined broadly to include entities that, as part of their business, provide any of the following services:
- Exchange between virtual assets and fiat currencies.
- Exchange between one or more forms of virtual assets.
- Transfer of virtual assets.
- Custody and/or administration of virtual assets or instruments enabling control over virtual assets.
- Participation in and provision of financial services related to the offer and/or sale of virtual assets (e.g., initial coin offerings - ICOs, initial exchange offerings - IEOs).
VASPs are considered "obliged entities" under the Law on the Prevention of Money Laundering and Terrorist Financing and are therefore subject to all its provisions.
III. Customer Due Diligence (CDD) Requirements
VASPs must apply a risk-based approach (RBA) to CDD, meaning the intensity of measures should be commensurate with the identified money laundering and terrorist financing risks.
A. Standard CDD Measures:
For every customer (and beneficial owner), VASPs must:
- Identify and Verify the Identity of the Customer:
  - For natural persons: Obtain and verify identity based on official documents (e.g., passport, national ID card) including name, surname, address, date and place of birth, and unique identification number.
  - For legal entities: Obtain and verify identity based on official documents (e.g., excerpt from the company register) including name, registered address, registration number, legal form, details of statutory representatives, and information on the ownership and control structure.
- Identify and Verify the Identity of the Beneficial Owner (BO):
  - Identify the natural person(s) who ultimately own or control the customer (typically 25% ownership threshold for legal entities) or on whose behalf a transaction is being conducted.
  - Verify their identity using reliable, independent sources, as per natural person requirements. Serbia also has a Central Register of Beneficial Owners that obliged entities can consult.
- Obtain Information on the Purpose and Intended Nature of the Business Relationship: Understand why the customer wants to use the VASP's services.
- Perform Ongoing Monitoring of the Business Relationship:
  - Scrutinize transactions throughout the course of the relationship to ensure they are consistent with the VASP's knowledge of the customer, their business, and risk profile, including, where necessary, the source of funds.
  - Regularly update customer information and risk assessments.
B. Enhanced Due Diligence (EDD) Measures:
EDD must be applied in situations of higher risk, including:
- Politically Exposed Persons (PEPs): For customers who are PEPs, their family members, or close associates.
- High-risk jurisdictions: Customers from countries identified by FATF or other credible sources as having weak AML/CFT regimes.
- Complex, unusually large, or unusual patterns of transactions: Those with no apparent economic or lawful purpose.
- Non-face-to-face relationships: Unless adequate safeguards are in place.
- Transactions involving new or developing technologies: Where the risks are not yet fully understood.
VASPs must take additional steps, such as:
- Obtaining additional information on the customer and BO.
- Obtaining additional information on the intended nature of the business relationship.
- Obtaining information on the source of funds or wealth.
- Obtaining approval from senior management to establish or continue the business relationship.
- Conducting enhanced ongoing monitoring of the business relationship.
C. Simplified Due Diligence (SDD) Measures:
SDD may be applied in specific, clearly defined low-risk situations, where allowed by the Law and internal risk assessment. However, due to the inherent risks associated with virtual assets, SDD application for VASPs is highly restricted and subject to strict conditions.
IV. Suspicious Transaction Reporting (STR)
VASPs are obliged to report to the Financial Intelligence Unit (FIU) any transaction (or attempted transaction), irrespective of the amount, where there are reasonable grounds to suspect money laundering or terrorist financing.
- Reporting Obligation: Reports must be submitted without delay, typically within 24-48 hours of forming a suspicion.
- No Tipping-Off: VASPs and their employees are prohibited from disclosing to the customer or any third party that a suspicious transaction report has been or will be submitted.
- Internal Procedures: VASPs must establish internal policies and procedures for identifying, assessing, and reporting suspicious activities.
V. Record-Keeping Obligations
VASPs must retain records of all CDD information, transaction data, and internal and external suspicious transaction reports.
- Duration: All records must be kept for a minimum of 10 years after the completion of a transaction or the termination of a business relationship.
- Accessibility: Records must be maintained in a way that allows them to be retrieved and provided to the competent authorities (FIU, supervisory bodies) without delay upon request.
VI. Oversight & Compliance Authorities
Compliance with AML/CFT requirements for VASPs in Serbia is overseen by multiple authorities:
Administration for the Prevention of Money Laundering (Uprava za sprečavanje pranja novca - USPN)
- Role: This is Serbia's Financial Intelligence Unit (FIU) and the central authority for AML/CFT supervision. It oversees compliance with the Law on the Prevention of Money Laundering and Terrorist Financing across all obliged entities, including VASPs. It also receives and analyzes suspicious transaction reports.
- URL: https://www.apml.org.rs/ (Official website, primarily in Serbian)
Securities Commission of the Republic of Serbia (Komisija za hartije od vrednosti - KHOV)
- Role: Under the Law on Digital Assets, the Securities Commission is responsible for licensing and supervising VASPs, ensuring their adherence to the specific provisions of the digital assets law, including organizational requirements, capital adequacy, and certain aspects of their AML policies as required for licensing.
- URL: https://www.sec.gov.rs/ (Official website, available in English)
Note: The National Bank of Serbia (NBS) also plays a role in the broader financial system and may be involved in the supervision of specific types of digital assets if they are deemed to fall under its purview (e.g., stablecoins resembling electronic money).
In summary, VASPs in Serbia face stringent AML/KYC obligations, requiring robust internal controls, risk assessment frameworks, and adherence to specific customer due diligence, reporting, and record-keeping requirements, all overseen by the USPN and the Securities Commission. It's crucial for any entity operating or planning to operate as a VASP in Serbia to obtain legal counsel to ensure full compliance with the evolving regulatory landscape.
Sources & Attribution
This article was generated by SearXNG+LLM.
This article is maintained by AI research workers and reviewed by human editors.