Archiving internal regulations:

How to be prepared for an inspection by the Czech National Bank

26.9.2025

Operating in the Czech Republic's financial market requires mastering the specific archiving and inspection rules of the Czech National Bank (ČNB). This guide provides foreign investors and financial firms with clear answers on how to comply with Czech archiving laws, prepare for a ČNB inspection, and avoid significant penalties. Our international law firm, operating from Prague, European Union, offers the expertise you need to navigate these complex regulations.

Need advice on this topic? Contact the ARROWS law firm by email at office@arws.cz or by phone at +420 245 007 740. Your question will be answered by Mgr. Jáchym Petřík, an expert on the subject.

The Foundation of Compliance – Deconstructing Czech Archiving and Retention Laws

A robust compliance framework begins with a clear understanding of the legal requirements for document retention. In the Czech Republic, this is not governed by a single, monolithic act but by a multi-layered and often overlapping set of laws. Navigating this legal patchwork is the foundational step toward inspection-readiness.

The Cornerstone – Act No. 499/2004 Coll., on Archiving and Records Management

The primary legislation governing the handling of records for all entities in the Czech Republic is Act No. 499/2004 Coll., on Archiving and Records Management (the "Archiving Act"). This law establishes the fundamental principles for managing records, selecting documents of permanent value—designated as "archival records" (archiválie)—and regulating their protection and use.

A critical component of the Archiving Act that is often misunderstood by foreign entities is the formal "appraisal process" (skartační řízení). This is not an internal company procedure but a mandatory, state-supervised process. After a document's legally mandated retention period has expired, it cannot simply be destroyed. Instead, the company must formally submit a proposal (skartační návrh) to the competent state archive. 

The archive's specialists then assess the documents and issue a protocol that definitively separates records designated for permanent preservation from those that may be destroyed. This formal oversight ensures that documents of potential historical, economic, or cultural significance are preserved as part of the National Archival Heritage. Failure to follow this procedure constitutes a significant breach of the law.

The Financial Sector Overlay – A Web of Specific Retention Periods

For financial institutions, the general Archiving Act is merely the starting point. A complex overlay of sector-specific legislation imposes longer and more stringent retention periods for various types of documents. This creates a matrix of obligations that requires careful navigation.

Key sector-specific retention periods include:

  • Act No. 21/1992 Coll., on Banks (Act on Banks): This law is paramount for credit institutions. It mandates a minimum 10-year retention period for all documents and records related to executed transactions.
  • Act No. 235/2004 Coll., on Value Added Tax (VAT Act): This act requires all VAT payers to retain tax documents, including both issued and received invoices, for 10 years from the end of the tax period in which the transaction occurred.
  • Act No. 563/1991 Coll., on Accounting (Accounting Act): This law differentiates between document types. While financial statements, annual reports, and general ledgers must be kept for 10 years, supporting documents such as individual invoices and bank statements have a shorter retention period of 5 years.
  • Act No. 253/2008 Coll., on Certain Measures against Money Laundering and Terrorist Financing (AML Act): In line with the high priority placed on anti-money laundering efforts, this act also mandates a 10-year retention period for all client identification (KYC) documents and records of transactions.

This legislative web gives rise to a crucial compliance principle: the longest retention period always prevails. A foreign firm's compliance officer might see the 5-year requirement for an invoice in the Accounting Act and assume this is sufficient. However, that same invoice is almost certainly also a tax document under the VAT Act and could be a record of a transaction under the Act on Banks. In this scenario, the 10-year retention periods from the latter two laws take precedence. 

The ČNB has explicitly confirmed this principle in its official communications. For instance, it clarified that for securities traders that are also banks, the 10-year period from the Act on Banks overrides the shorter 5-year period stipulated in the Act on Capital Market Undertakings. 

This creates a significant compliance trap for the unwary. The only safe and defensible strategy is to identify all applicable laws for each document category and systematically apply the longest mandated retention period. This complexity alone underscores the necessity of expert local legal counsel to develop a compliant retention schedule.

The Digital Imperative – Requirements for Electronic Archiving

Czech law permits and encourages the use of digital archives, but the requirements are far more sophisticated than simply storing scanned documents on a server. To be compliant, any electronic record must be:

  • Readable: The format must remain accessible throughout the entire retention period.
  • Tamper-Resistant and Reliable: The system must prevent unauthorized alteration.
  • Legally Evidentiary: The records must meet the standards required to be used as evidence in legal proceedings.

To achieve this, the law demands that the system ensures the authenticity of origin and integrity of content. This is typically accomplished through the systematic use of qualified electronic signatures, qualified electronic seals, and qualified electronic timestamps, which create a secure and verifiable record of the document's state at a specific point in time.

Furthermore, the Czech legal framework for digital records is continuously evolving. Recent amendments to the Archiving Act, such as Act No. 197/2024 Coll., are progressively introducing more stringent requirements for certified electronic records management systems (elektronický systém spisové služby, or eSSL), including detailed metadata standards and protocols for digital selection of archival records.

The clear implication is that a compliant digital archive is not a passive storage folder but a sophisticated, secure IT system with robust access controls, comprehensive metadata management, and a clear, unalterable audit trail. This aligns perfectly with the ČNB's overarching focus on the "reconstructibility" of an institution's actions.

FAQ – Legal tips about Archiving Laws

  • What happens if we just destroy documents after our internal retention period?
    Destroying documents without following the mandatory state-supervised "appraisal process" (skartační řízení) is a serious breach of the Czech Archiving Act and can lead to penalties. For a compliant destruction protocol, email us at office@arws.cz.
  • We have a 5-year retention policy for invoices. Is that enough?
    No, it is likely insufficient. Czech law requires applying the longest applicable retention period. For invoices that are also tax documents or records of bank transactions, a 10-year period applies. To ensure your retention schedule is compliant, contact our lawyers at office@arws.cz.

Risks and penalties, and how ARROWS helps

  • Risk: Fines for breaching the Archiving Act (e.g., improper destruction of documents).
    How ARROWS helps: Drafting legally required documentation – we create a compliant retention schedule and destruction protocol. Get tailored legal solutions by writing to office@arws.cz.
  • Risk: Inability to defend against claims due to missing evidence.
    How ARROWS helps: Legal consultations – we advise on compliant digital and physical archiving to ensure your records are legally evidentiary. For immediate assistance, write to us at office@arws.cz.
  • Risk: Sanctions from the ČNB for not meeting the 10-year retention period for transaction documents.
    How ARROWS helps: Preparation of internal company policies – we align your internal rules with all overlapping Czech laws to prevent fines. Need legal help? Contact us at office@arws.cz.

Beyond the Archive Box – Mastering Your Internal Governance and Control System (ŘKS)

While proper document archiving is the foundation, the ČNB’s supervisory focus extends far beyond it. The regulator is primarily concerned with the living, breathing framework of rules, processes, and controls that govern an institution's entire operation. In Czech regulatory parlance, this is the Řídící a kontrolní systém (ŘKS)—the Management and Control System. A robust, effective, and meticulously documented ŘKS is the single most important factor in navigating a ČNB inspection successfully.

Defining the ŘKS – The Heart of Your Compliance Framework

The ŘKS is the comprehensive internal framework of principles, policies, procedures, and control measures designed to ensure the prudent, sound, and compliant operation of a financial institution. This is not a single document but an integrated system that encompasses:

  • Corporate Governance: Clear lines of responsibility, from the management body down to individual employees.
  • Risk Management: Processes for identifying, assessing, managing, and reporting all material risks.
  • Internal Control Functions: The three lines of defense, including an independent compliance function and a robust internal audit function.
  • Operational Procedures: All internal regulations governing day-to-day activities, from client onboarding (AML/CFT) to transaction processing and IT security.

The legal basis for the ŘKS is established in § 8b of the Act on Banks and analogous provisions in legislation governing other financial entities. The ČNB expects this system to be not only implemented but also subject to regular, independent verification by an external auditor, particularly in the critical area of AML/CFT.

The Golden Rule of "Reconstructibility" – Documenting Your Actions

To understand the ČNB's supervisory philosophy, one must internalize its core principle: "co není zdokumentováno, to se nestalo"—what isn't documented, didn't happen. This concept of "reconstructibility" is the ultimate test of an effective ŘKS.

This represents a crucial conceptual leap for many foreign firms. Standard archiving practices focus on preserving the outcome of an action—the final signed contract, the transaction confirmation, the year-end financial statement. The ČNB's focus on reconstructibility, however, demands auditable evidence of the entire process leading to that outcome. The regulator wants to see a clear and retrospectively traceable audit trail for all key decisions, controls performed, and risk assessments.

This means an institution must be able to prove, with contemporaneous documentation:

  • Why a particular client was assigned a low-risk AML rating.
  • How a suspicious transaction alert was investigated and the rationale for clearing it.
  • Who approved a specific high-value loan, supported by the meeting minutes and credit analysis that were presented at the time.

This requires a profound integration of documentation practices into the fabric of daily operations, not as a burdensome afterthought. It is about documenting not just what was decided, but why and how. This is often the most challenging aspect of Czech financial regulation for foreign institutions to master and is an area where proactive legal guidance is invaluable.

Meeting European Standards in Prague – Aligning with EBA Guidelines

The ČNB's supervisory expectations are not developed in isolation. They are deeply rooted in and aligned with the pan-European regulatory framework, particularly the European Banking Authority's (EBA) Guidelines on internal governance. The ČNB has officially confirmed that it complies with and will enforce these EBA guidelines in its supervisory practice.

These guidelines provide detailed standards for the roles and responsibilities of the management body, the establishment of independent risk and audit committees, the management of conflicts of interest, and the overall design of the internal control framework. This alignment provides a crucial point of reassurance for foreign clients. An institution with a robust governance framework that is already compliant with the EU's Capital Requirements Directive (CRD V) and EBA standards has an excellent foundation for operating in the Czech Republic. 

However, this framework must be carefully localized, translated, and documented to meet the specific terminology, legal references (e.g., the Archiving Act), and procedural nuances (e.g., skartační řízení) of the Czech regulatory environment. Bridging this gap between a strong European standard and specific local expectations is a key function of expert legal counsel.

When the Inspector Calls – A Practical Playbook for a ČNB On-Site Inspection

A ČNB on-site inspection is not a routine audit. It is an intrusive, forward-looking, and risk-based investigation designed to identify systemic weaknesses in an institution's governance and control framework. Proactive, methodical, and thorough preparation is not merely advisable; it is non-negotiable for a successful outcome.

The Inspection Unveiled – Anatomy of a Supervisory Visit

On-site inspections are a primary supervisory tool used by the ČNB to supplement its continuous off-site monitoring activities. While each inspection is tailored to the specific institution, the process generally follows a predictable pattern:

1. Announcement: The process typically begins with an official announcement letter from the ČNB, outlining the inspection's scope, timing, and initial areas of focus.

2. Document Request: This is followed by a comprehensive request for a wide range of documents, including internal regulations, board minutes, risk assessments, and specific case files.

3. Kick-Off Meeting: The on-site phase starts with a kick-off meeting where the inspection team presents its methodology and the institution's management provides an overview of the relevant control areas.

4. Fieldwork: This is the core of the inspection, involving detailed document reviews, system walkthroughs, and interviews with key personnel at all levels of the organization.

5. Final Reporting: The inspection concludes with a final report detailing the team's findings, identifying any shortcomings or breaches, and specifying required remedial actions and deadlines for their implementation.

Throughout this process, ČNB inspectors are vested with broad legal powers. They can demand access to any and all documents, records, IT systems, archives, and even the computers of individual employees to verify information and test the effectiveness of controls.

The Supervisor's Lens – Key Areas of Focus

ČNB inspections are explicitly risk-based, meaning supervisory resources are concentrated on areas perceived to have the highest inherent risk or the weakest internal controls. Based on the ČNB's recent Financial Market Supervision Reports and other official communications, key areas of focus consistently include:

  • The ŘKS as a Whole: The primary objective is to assess the overall design and practical effectiveness of the entire Management and Control System. Inspectors will test whether the written rules are actually followed in practice (a "use test").
  • AML/CFT Compliance: Given the high regulatory priority, the robustness of client identification (KYC), transaction monitoring, risk assessment procedures, and staff training is always under intense scrutiny.
  • IT and Cybersecurity Resilience: With the increasing digitalization of financial services, the ČNB places a strong emphasis on the security of information systems, fraud prevention mechanisms, and business continuity planning.
  • Risk Management Framework: The processes for identifying, measuring, managing, and reporting on all material risks—including credit, market, liquidity, and operational risks—are fundamental areas of examination.

A Checklist for Readiness – Practical Preparation Steps

A successful inspection is the result of diligent preparation, not improvisation. Key practical steps include:

  • Appoint a Single Point of Contact: Designate a senior individual to coordinate all communication and logistics with the ČNB inspection team.
  • Prepare a "Data Room": Proactively assemble all anticipated documentation in a dedicated physical or virtual data room. This demonstrates organization and transparency.
  • Brief Key Personnel: Conduct preparation sessions for all staff members likely to be interviewed. They must be able to not only describe the relevant internal rules but also provide specific, documented examples of their application.
  • Review Governance Records: Scrutinize the minutes of the management body and its committees. These documents must reflect active oversight, meaningful discussion, and constructive challenge of management's decisions, proving that governance is a dynamic process, not a passive formality.

It is essential to recognize that an inspection is also a test of an institution's compliance culture. The EBA Guidelines, which the ČNB follows, explicitly emphasize the importance of a sound "risk culture and business conduct". A disorganized, defensive, or evasive response during an inspection signals a poor compliance culture to the regulator. 

This will almost certainly lead to deeper scrutiny and a more critical final report. Conversely, a professional, transparent, and well-organized approach builds trust and demonstrates a strong culture, which can positively influence the regulator's assessment even if minor deficiencies are discovered.

FAQ – Legal tips about ČNB Inspections

  • What is the ČNB's main focus during an inspection?
    The ČNB focuses on the practical effectiveness of your Management and Control System (ŘKS) and the "reconstructibility" of your actions—meaning you must have a documented audit trail for all key decisions. To prepare for an inspection, contact us at office@arws.cz.
  • Can our staff be interviewed directly by ČNB inspectors?
    Yes, inspectors have broad powers to interview staff at all levels to test their knowledge of internal rules and verify that procedures are followed in practice. We offer professional training for employees to prepare them for such interviews. Email us at office@arws.cz for details.

The High Cost of Non-Compliance – A Sober Look at Risks and Sanctions

Deficiencies in archiving and internal governance are not viewed by the ČNB as minor administrative lapses. They are considered serious systemic failures that undermine prudent operation and can pose risks to clients and the financial market as a whole. The resulting sanctions can be severe, impacting not only an institution's bottom line but also its public reputation and, ultimately, its license to operate.

The ČNB's Enforcement Arsenal

The ČNB is equipped with a full spectrum of enforcement tools to address regulatory breaches. The sanction imposed is tailored to the severity and nature of the violation. These tools include:

  • Warning (Napomenutí): A formal warning for less severe offenses, serving as an official notice to remedy the issue.
  • Remedial Measures: Legally binding orders requiring the institution to take specific actions to correct identified deficiencies within a set timeframe.
  • Fines (Pokuty): The most common sanction, with financial penalties that can reach millions of Czech crowns, and in some cases, are capped as a percentage of the firm's annual turnover.
  • Restriction or Revocation of License: In the most serious cases of systemic failure or repeated non-compliance, the ČNB has the power to restrict an institution's permitted activities or revoke its operating license entirely.

The sanctioning process itself is a formal administrative procedure governed by the Administrative Code. It involves a first-instance decision by the relevant ČNB supervisory department and a second-instance appeal to the ČNB Bank Board. Final decisions of the Bank Board can be challenged in the Czech administrative courts.

Risks and penalties, and how ARROWS helps

  • Risk: Significant fines for a deficient Management and Control System (ŘKS).
    How ARROWS helps: Legal analysis – we perform a gap analysis of your ŘKS against ČNB and EBA standards to identify and fix weaknesses. Want to understand your legal options? Email us at office@arws.cz.
  • Risk: Reputational damage and stricter supervision resulting from a poorly handled ČNB inspection.
    How ARROWS helps: Representation before public authorities – we prepare you for the inspection and represent you in communications with the ČNB. Our lawyers are ready to assist you – email us at office@arws.cz.
  • Risk: Personal liability for management due to failures in corporate governance.
    How ARROWS helps: Drafting documentation to prevent fines – we help define clear responsibilities and draft legal opinions to strengthen your governance structure. Do not hesitate to contact our firm – office@arws.cz.

Transforming Compliance from a Burden into a Strategic Advantage

Navigating the Czech regulatory landscape requires more than rote adherence to a checklist of rules; it demands a proactive, systemic, and deeply embedded approach to governance and documentation. A robust Management and Control System (ŘKS) and a meticulously managed archive are not mere operational costs. 

They are fundamental investments in an institution's operational resilience, its reputational integrity, and its long-term success in the competitive Czech and European financial markets. With the right legal partner, these complex requirements can be managed efficiently and effectively, allowing an institution's leadership to focus on its core business objectives with confidence and peace of mind.

Your Partner in the Czech Financial Market

The Czech regulatory environment is demanding, but you do not have to navigate it alone. ARROWS law firm, a leading Czech law firm in Prague, EU, combines deep, specialized knowledge of Czech financial law with a nuanced understanding of the unique challenges and opportunities faced by foreign institutions entering or operating in this market. 

Our team of experts is ready to partner with you to build a compliance framework that is not just defensible under scrutiny, but a genuine strategic asset.

We provide comprehensive legal support, including:

  • Regulatory Gap Analysis and ŘKS Fortification.
  • Drafting and Review of all Internal Policies and Procedures.
  • Creation of Legally Compliant Document Retention Schedules.
  • On-Site Inspection Preparation and Mock Audits.
  • Direct Representation in Proceedings with the Czech National Bank.

Contact our team of experts today at office@arws.cz to schedule a confidential consultation and ensure your operations are secure, compliant, and ready for any regulatory scrutiny.

FAQ – Most common legal questions about ČNB regulations

1. As a foreign bank branch operating in Prague, do all Czech archiving laws apply to us?

Yes, absolutely. While a branch may operate under a single EU banking license, it is fully subject to Czech conduct-of-business rules upon establishing a presence in the country. This includes all local archiving and record-keeping laws, such as Act No. 499/2004 Coll. and the specific retention periods in the Act on Banks. The ČNB has explicit supervisory authority over branches of foreign banks and will conduct inspections to verify compliance with these local regulations. For help aligning your branch operations with Czech law, contact us at office@arws.cz.

2. What is the most common mistake foreign firms make when facing a ČNB inspection?

The most common and costly mistake is underestimating the depth of the inspection and the critical importance of "reconstructibility." Many firms are prepared to present their written policies and procedures, but they fail when asked to provide a documented, contemporaneous audit trail of those policies in action. The ČNB is not interested in a theoretical framework; it wants to see tangible evidence of a living, breathing compliance culture that permeates the organization's daily activities. Get tailored legal solutions for your inspection readiness by writing to office@arws.cz.

3. Can our existing EU-compliant internal policies be used in the Czech Republic?

They serve as an excellent foundation. The ČNB aligns its supervisory approach with EBA guidelines, so a robust framework that is already compliant with directives like CRD V is a significant advantage. However, these policies cannot be adopted wholesale. They must be meticulously reviewed and adapted to incorporate the specific requirements, terminology, and procedures of Czech law (e.g., the 10-year retention periods, the formal skartační řízení process) to be considered fully compliant. Need legal help reviewing your EU policies for the Czech market? Contact us at office@arws.cz.

4. How should we handle documents containing personal data under both archiving laws and GDPR?

This is a key area of legal complexity where expert advice is crucial. The legally mandated retention periods stipulated by Czech financial laws (e.g., 10 years under the Act on Banks or the AML Act) provide the legal basis for processing personal data under Article 6(1)(c) of the GDPR ("processing is necessary for compliance with a legal obligation"). Therefore, an institution cannot and must not delete personal data that is subject to a statutory retention period before that period expires. However, once the retention period ends, the GDPR's principle of data minimization takes effect. At that point, the data must be securely destroyed as part of the formal appraisal process (skartační řízení), unless it has been officially selected by the state archive for permanent preservation. For immediate assistance with GDPR and archiving law compliance, write to us at office@arws.cz.

5. What role does the board of directors (or equivalent management body) play during a ČNB inspection?

The management body plays a critical and central role. Both ČNB regulations and the EBA guidelines place ultimate responsibility for the establishment and effectiveness of the ŘKS squarely on the management body. During an inspection, the regulator will scrutinize board and committee minutes for evidence of active oversight, informed discussion, and constructive challenge of executive decisions. Passive "rubber-stamping" is a major red flag. The board must be able to demonstrate that it is actively steering the institution's risk and compliance culture, not merely reacting to it. Our lawyers are ready to assist your management body – email us at office@arws.cz.
