AML/CFT Compliance for Online Marketplace Operators Under Czech and EU Law
.jpg)
Mgr. Marek Hučík
9.3.2026 |
ARROWS law firm
Operators of online marketplaces face growing requirements to comply with anti-money laundering (AML) and counter-terrorist financing (CFT) rules, but they often do not fully realise their scope and risks. In this article, you will learn what is at stake, what specific obligations you have under Czech and EU legislation, and how to effectively protect yourself against sanctions that can reach millions of Czech crowns or even lead to the closure of your business in the Czech Republic.
Article contents
Quick summary
- Operators of online marketplaces are often “obliged entities” under Czech AML legislation. If your business involves payment intermediation, crypto-asset exchange, or trading in high-value goods, you must have an Internal Rules System (an AML programme) in place.
- The most significant risks include loss of authorisation to operate (a Czech National Bank (ČNB) licence), fines in the millions of Czech crowns, freezing of bank accounts, and criminal prosecution of statutory body members.
- The attorneys at ARROWS advokátní kancelář regularly handle AML compliance for digital platforms in the Czech Republic and ensure legal compliance. Have an audit prepared, implement the mandatory systems, and pass regulatory inspections safely.
Who has AML obligations on online marketplaces
When people say “peer-to-peer marketplace” or “online marketplace”, they often think of giants such as eBay or Alza. However, the regulatory reality in the Czech Republic is broader. The Act on Certain Measures against the Legalisation of Proceeds of Crime (the “AML Act”) defines the scope of so-called obliged entities. This includes operators of online platforms if their activities meet certain criteria—typically where they participate in transfers of funds, provide services related to virtual assets (crypto), or trade in goods for cash above statutory thresholds.
Specifically, this concerns situations where your marketplace enables direct transfers of money between users and those funds pass through your accounts, or where you intermediate the purchase and sale of cryptocurrencies.
The attorneys at ARROWS advokátní kancelář deal with this issue on a daily basis and know exactly how to distinguish whether your specific activity falls under Czech AML obligations, or whether you are merely a technology provider without handling financial flows. This distinction is crucial—an incorrect classification can lead to unauthorised business activity and criminal liability in the Czech Republic.
What is considered an online marketplace from an AML perspective
From a regulatory perspective, the label “marketplace” is not decisive—the flow of money is. If your model is based on receiving money from the buyer and then (e.g., after deducting a commission) sending it to the seller, you effectively become a payment intermediary. In such a case, not only does the Czech AML Act apply, but often also regulation by the Czech National Bank (ČNB) requiring the relevant authorisation.
If you operate with cryptocurrencies, Czech legislation classifies you as a provider of services related to virtual assets (VASP).
Risk also arises where you “only” rent out space on a website but actively intervene in transactions or offer custody of funds (escrow). Underestimating your role and incorrectly assessing whether you are an obliged entity is the most common mistake. This leads to situations where a platform operates for years without rules, which—during an inspection by the Financial Analytical Office (FAÚ) or the ČNB—ends in crippling fines.
Core AML obligations on online marketplaces
If you are an online marketplace operator that qualifies as an obliged entity in the Czech Republic, you must comply with a set of obligations under the AML Act and related regulations. At EU level, the new “AML package” (in particular the AMLR Regulation) further harmonises and tightens the rules. The core obligations are as follows:
1. Internal Rules System (SVZ) and Risk Assessment – You must have a written internal rules system and a risk assessment approved by your statutory body. This document must describe how you identify and manage risks, how you perform customer checks, and how you detect suspicious transactions. It must be tailored to your business and submitted to the FAÚ.
2. Customer identification and due diligence (KYC and CDD) – You are required to identify (Know Your Customer) and verify (Customer Due Diligence) users. This is not just about collecting names, but verifying identity, establishing the purpose of the business relationship, and the source of funds. In an online environment, remote identification methods are used (e.g., bank identity, a nominal “one-crown” payment, biometrics).
3. Transaction monitoring – You must continuously monitor and assess transactions, meaning you must detect anomalies, unusually high transactions, frequent transfers, or links to high-risk countries. Without software support, this is practically impossible for online marketplaces.
4. Screening against international sanctions – You must screen users against sanctions lists (EU, UN, the Czech national sanctions list). Trading with a sanctioned person is a criminal offence, and severe penalties may apply under the Czech Act on the Implementation of International Sanctions.
5. Reporting a suspicious transaction (OPO) – If you detect a transaction that raises suspicion of money laundering or sanctions breaches, you must report it to the Financial Analytical Office without undue delay. Failure to comply with this obligation is one of the most serious offences.
6. Record-keeping and documentation – You must retain all data on identification, due diligence, and transactions for 10 years after the transaction is completed. Authorities may request it at any time.
7. Contact person and training – You must appoint a specific employee or a member of the statutory body as the contact person for the FAÚ and ensure regular training for all employees who may encounter suspicious transactions.
The attorneys at ARROWS advokátní kancelář have dozens of clients in the digital platforms sector and know how to set up processes to comply with Czech law while not paralysing the business.
Specific risk of peer-to-peer models
P2P models are risky because they can be used for so-called layering—the stage of money laundering where funds are moved through many accounts to conceal their original illegal source. An online marketplace can unknowingly serve as a “laundromat”, where fraudsters fictitiously sell goods or services to legitimise proceeds of crime.
If you operate a P2P marketplace, you must set stricter parameters for detecting fraudulent behaviour. The attorneys at ARROWS advokátní kancelář can help you set risk profiles and scenarios that protect you against misuse of your platform.
Key risks and sanctions for operators
|
Risks and sanctions |
How ARROWS can help (office@arws.cz) |
|
Unauthorised business activity (lack of a CNB licence): If you hold users’ funds without authorisation (e.g., as a small-scale payment institution), you face fines from the Czech National Bank (ČNB), a ban on activity, and criminal prosecution for unauthorised business activity in the Czech Republic. |
Licensing procedure and registration: ARROWS, a Prague-based law firm, will analyse your business model, arrange registration with the Czech National Bank (ČNB) or the trade notification for VASP, prepare the documentation for the licensing procedure, and represent you before the regulator. |
|
Missing internal rules system (AML programme) and risk assessment: Failure to implement an internal policies system may result in a fine of up to CZK 5,000,000 and being labelled a high-risk entity, which often leads to your bank terminating your bank accounts in the Czech Republic. |
Preparation of internal rules and compliance audit: ARROWS’ Czech legal team will prepare a tailored Internal Rules System and Risk Assessment, help implement it into your processes, and conduct a mock audit so you are ready for an inspection. |
|
Insufficient identification (KYC) and customer due diligence: If you do not carry out checks required by law (e.g., you do not verify the beneficial owner or the source of funds), you risk multi-million fines and liability for negligent money laundering under Czech AML legislation. |
Setting up onboarding processes: ARROWS will help you select and legally configure technologies for remote identification, and review your Terms and Conditions and procedures for collecting client data in compliance with Czech AML requirements and GDPR. |
|
Failure to report a suspicious transaction (STR): If you systematically overlook suspicious transactions or fail to report them to the Financial Analytical Office (FAÚ), the sanctions are severe. For financial institutions, they can reach up to CZK 130 million or 10% of turnover in the Czech Republic. |
Support with FAÚ reporting: ARROWS’ attorneys in Prague will consult specific suspicious cases, help draft the STR so it is factually and legally correct, and protect you against allegations of facilitating criminal activity. |
|
Breach of international sanctions: Allowing a transaction for a person on a sanctions list (EU, UN) is a criminal offence in the Czech Republic. Financial penalties for breaches of sanctions regulations are draconian. |
Sanctions compliance: ARROWS specialists will set rules for client screening, help resolve “hits” (matches against lists), and ensure legal defence in the event of an incident. |
Specific risk of liability for outsourcing
If you operate a marketplace but payments are processed by a third party (payment gateway, bank), this does not relieve you of all obligations. Under the Czech Payment System Act and Czech AML regulations, you remain liable even for activities you have outsourced if you act as the main service provider towards the client.
Regulators issue outsourcing guidelines requiring you to oversee your suppliers, because if your payment partner fails, the impact may fall on you. In addition, banks often terminate accounts for platforms that do not have robust in-house AML compliance, as they consider them too risky in the Czech Republic.
Our ARROWS specialists in AML matters:
.jpg)
ARROWS’ attorneys at our Prague-based law firm help clients set up contractual relationships with payment processors and carry out partner due diligence so your platform is not jeopardised by a third party’s failure.
Legislative outlook and the new EU AML package
The European Union has approved a new legislative package that will directly affect all Member States. The AMLR (Anti-Money Laundering Regulation) will be directly applicable and will harmonise rules across the EU.
What this means for marketplaces:
- Harmonisation of cash limits: Introduction of an EU-wide limit for cash payments (EUR 10,000), while the Czech Republic already has a stricter limit.
- Stricter rules for crypto-assets (TFR): The Regulation on the transfer of funds and certain crypto-assets introduces the so-called “Travel Rule” – the obligation to share information about the sender and recipient even for crypto transactions.
- Focus on the beneficial owner (UBO): Rules for uncovering ownership structures of legal entities are being tightened.
ARROWS’ attorneys at our Prague-based law firm monitor legislative developments and will help you adapt your processes in advance, which is cheaper than making rushed system changes under the threat of sanctions.
Related legislative questions
1. If I am only a classifieds portal and payments do not go through me, do I need an AML programme?
If you only display advertisements and do not participate in the transfer of money in any way (you neither hold it nor facilitate it via a gateway in your name), you are probably not an obliged entity under the Czech AML Act. However, the boundary is thin. We recommend a legal assessment by ARROWS so you can be certain.
2. What if I have low transaction volumes?
The law does not differentiate the obligation to have internal rules based on turnover volume if you meet the definition of an obliged entity. However, simplified identification and due diligence procedures exist for lower-risk products. You must still have a programme and a risk assessment.
3. Who specifically in my company should be responsible for AML?
Czech law requires designating a member of the statutory body responsible for AML and appointing a contact person for communication with the Financial Analytical Office (FAÚ) (it may be the same person). Responsibility for compliance always lies with the company and its statutory body.
Risk management and monitoring in practice
Transaction monitoring is not just about software, but about processes. If you operate a marketplace, you must have rules (scenarios) set up that the system monitors.
This mainly concerns transactions just below identification thresholds, rapid turnover of funds (money comes in and immediately goes out), transactions to high-risk third countries, or purchases of goods that do not match the client’s profile. The system generates a so-called “alert”, which must be reviewed by a human employee.
ARROWS, a Prague-based law firm, will advise you on how to set up an effective screening system that complies with Czech law.
FAÚ and ČNB inspections
The Financial Analytical Office (FAÚ) and, for regulated entities, also the Czech National Bank (ČNB) carry out thorough inspections in the Czech Republic. Regulators check whether your internal rules are up to date and examine how they work in practice, not just the documentation. They focus on specific client files—whether you performed due diligence, identified the source of funds, and why you may not have reported a suspicious transaction.
They also check record-keeping—whether you can evidence data from 5–10 years back—and they review sanctions screening.
Czech law allows for a fine of up to CZK 5,000,000 for standard obliged entities, and for financial institutions up to CZK 130,000,000 or 10% of net annual turnover. In addition to fines, a ban on activity may also be imposed.
Cryptocurrencies and digital assets
If your marketplace enables crypto payments or exchange, you fall under VASP (Virtual Asset Service Provider) regulation and, in the future, CASP (under the MiCA Regulation). This brings specific obligations.
You must file a trade notification, because providing services related to a virtual asset is a regulated trade in the Czech Republic. You must also comply with the Travel Rule (TFR), i.e., the obligation to transmit identifying details of the sender and recipient together with the transaction. Blockchain analytics using tools to detect proceeds of crime is also essential.
The ARROWS legal team can assist you with registration and setting up compliance in the crypto sector in the Czech Republic.
How to defend yourself effectively
If you find that there are gaps in your compliance, proceed as follows:
Step 1: Legal audit and GAP analysis – have an audit prepared by ARROWS, a Prague-based law firm. We will determine whether you are an obliged entity under Czech AML legislation, to what extent, and where you fall short compared to the current legal requirements.
Step 2: Preparation of documentation (SVZ and Risk Assessment) – based on the audit, we will prepare or update your System of Internal Policies (SVZ) and Risk Assessment so that they reflect the reality of your operations and meet statutory requirements under Czech law.
Step 3:Implementation of technologies – we will advise on the legal aspects of selecting tools for AML monitoring and remote identification so that they comply with Czech law and the GDPR.
Step 4: Employee training – we will train your staff and your designated contact person. We will issue a training record, which serves as evidence for supervisory authorities in the Czech Republic.
Step 5: Ongoing support – AML is not a one-off exercise. We offer ongoing legislative monitoring and ad-hoc consultations on suspicious transactions.
To address your situation, email us at office@arws.cz.
Conclusion
Online marketplaces and peer-to-peer platforms are under increasingly strict scrutiny. Legislation is developing towards zero tolerance for anonymity in financial flows. If you facilitate payments, trade in cryptocurrencies, or deal in high-value goods, AML applies to you under Czech law.
The attorneys at ARROWS, a Prague-based law firm, have extensive experience in setting up compliance processes for fintechs, e-shops, and crypto projects. They know how to set the rules effectively and safely.
ARROWS, a Prague-based law firm, is insured for professional liability up to CZK 400,000,000. This gives you the assurance of a strong and responsible partner.
To address your AML risks, contact ARROWS, a Prague-based law firm, at office@arws.cz.
FAQ for an online marketplace (peer-to-peer)
1. If we use a payment gateway, do we need our own AML programme?
Often yes. Even if the gateway technically executes the transaction, you as the platform operator have the relationship with the customer and the obligation to identify and screen them (so-called onboarding) under Czech AML rules. In addition, the payment gateway will require AML compliance from you contractually. Contact ARROWS at office@arws.cz to assess your specific situation.
2. How often do I have to update the System of Internal Policies (SVZ)?
You must update the SVZ whenever legislation changes or when your risks change (new products, new markets). At the same time, you should regularly (at least once a year) evaluate its effectiveness.
3. What is “structuring” and how can I recognise it?
Structuring is the intentional splitting of transactions into smaller amounts so that the customer avoids identification or reporting thresholds. In the Czech Republic, any conduct that clearly aims to conceal the purpose of a transaction is considered suspicious. Your monitoring must be able to aggregate a single customer’s transactions over time.
4. Are we at risk of criminal prosecution for AML compliance failures?
Yes. In the Czech Republic, there is a criminal offence of negligent money laundering (legalisation of proceeds of crime through negligence). If, as an obliged entity, you neglect your obligations (e.g., you fail to identify the customer) and enable money laundering, you and your company may be prosecuted.
5. If an inspection by the FAÚ takes place, should I communicate on my own?
We recommend contacting legal counsel immediately. An incorrectly worded response or submitting incomplete documents may worsen your position. ARROWS, a Prague-based law firm, will represent you professionally in proceedings with the FAÚ (the Czech Financial Analytical Office).
6. How much does the preparation of AML documentation cost?
The price depends on the complexity of your model and the risk profile of your products. It is an investment in the tens of thousands of Czech crowns, but it protects you against fines in the millions. Email office@arws.cz for a non-binding estimate.
Notice: The information contained in this article is of a general informational nature only and is intended for basic orientation in the topic. Although we take maximum care to ensure accuracy, legal regulations and their interpretation evolve over time. To verify the current wording of the regulations and their application to your specific situation, it is therefore necessary to contact ARROWS, a Prague-based law firm, directly (office@arws.cz). We accept no liability for any damages or complications arising from the independent use of the information in this article without our prior individual legal consultation and professional assessment. Each case requires a tailored solution, so please do not hesitate to contact us.
Read also:
- Digital Inspections and AI in 2026: New EU Compliance Duties for Firms
- Criminal Liability of Companies and Legal Entities in 2026:
- Legal Validity and Risks of Simple Electronic Signatures in Czech Law:
- Cybersecurity, Drone Hijacking, and Liability for Damage:
- Foreign Ownership Restrictions and Sector Licences in the Czech Republic: