How to properly maintain compliance documentation for licensed non-bank entities

19.10.2025

Operating a licensed non-bank entity in the Czech Republic places your business in a stable EU market but requires strict compliance with Czech National Bank (CNB) rules. For foreign operators, these local requirements can be complex. This guide from an English-speaking lawyer in Prague provides clear answers on maintaining essential compliance documentation. As a leading Czech law firm based in Prague, European Union, we specialize in helping international clients meet these standards.

Need advice on this topic? Contact the ARROWS law firm by email office@arws.cz or phone +420 245 007 740. Your question will be answered by Mgr. Jáchym Petřík, an expert on the subject.

Navigating the Czech Regulatory Landscape: Your Core Obligations

Successfully operating in the Czech financial market begins with a clear understanding of the regulatory environment. This involves recognizing the central authority you must satisfy, the key laws that govern your activities, and the critical interplay between local Czech rules and broader European Union legislation.

Who is the regulator you need to satisfy?

Your primary regulatory relationship in the Czech Republic is with the Czech National Bank (CNB). Established under the Czech Constitution and Act No. 6/1993 Coll., the CNB is a powerful and active institution. It serves not only as the nation's central bank but also as the comprehensive supervisor for the entire financial market. For non-bank entities—including payment institutions, electronic money issuers, consumer credit providers, and investment firms—the CNB is the authority that grants licenses, conducts inspections, and enforces compliance.

It is crucial for foreign operators to understand that the CNB's supervision is not a passive, check-the-box exercise. The bank actively lays down rules, monitors adherence, and issues penalties for non-compliance, which can range from significant fines to the revocation of your license.

The CNB's strict approach stems from its dual mandate. It is responsible for both the micro-supervision of individual firms and the macroprudential oversight of the entire financial system's stability. Therefore, a compliance failure at your company is not viewed in isolation; it is seen as a potential risk to the integrity of the Czech market. This perspective explains the seriousness with which the CNB approaches its supervisory duties and why robust documentation is not just a formality but a fundamental business necessity.

What are the key laws governing your non-bank entity?

Your compliance obligations are not contained in a single piece of legislation but are spread across a framework of interconnected acts. The specific laws that apply to your business depend on your activities, but several are fundamental for most licensed non-bank entities.

Key legislation includes the Act on Payment Systems (No. 370/2017 Coll.), the Consumer Credit Act (No. 257/2016 Coll.), and the Capital Market Undertakings Act (No. 256/2004 Coll.). However, the cornerstone of your internal control framework, regardless of your specific services, will be the Act on Certain Measures against the Legalisation of Proceeds from Criminal Activity and Financing of Terrorism (the AML Act, No. 253/2008 Coll.). This act sets out demanding requirements for identifying clients, monitoring transactions, and reporting suspicious activity.

These laws collectively establish a set of prudential requirements—the rules and standards designed to ensure your institution is managed soundly, maintains adequate capital, and has effective risk management systems in place. Fulfilling these requirements is essential for maintaining your license and demonstrating to the CNB that your operations are stable and secure.

How does EU law impact your operations from Prague?

The Czech Republic, as a member of the European Union, has a legal framework that is deeply integrated with EU law. Instruments such as the Payment Services Directive (PSD2), the EU's Anti-Money Laundering Directives (AMLD), and the General Data Protection Regulation (GDPR) form the foundation of the relevant Czech legislation. This provides a degree of familiarity for businesses already operating within the EU. The CNB itself is part of the European System of Financial Supervision, collaborating with other national regulators.

However, relying solely on an EU-wide compliance policy is a common and costly mistake. While the EU provides the blueprint, the safe European harbour is only navigable with a local pilot. The CNB is the ultimate authority for licensing, supervision, and enforcement within the Czech Republic. Furthermore, Czech national laws often contain specific implementations and derogations that differ from those in other member states. For example, the Czech Data Processing Act adds local specifics to the GDPR framework.

This means your existing compliance documents must be carefully adapted to local requirements. For instance, an Anti-Money Laundering framework that is fully compliant with the requirements of Germany's BaFin will still need significant adjustments to meet the CNB's specific expectations for a System of Internal Rules under the Czech AML Act. ARROWS, as an international law firm operating from Prague, European Union, leverages its ARROWS International network, built over 10 years, to provide clients with a nuanced understanding of these critical cross-border legal differences.

Risks and Penalties for Deficiencies in Internal Controls and Risk Management

| Risks and penalties | How ARROWS helps |
|---|---|
| CNB-mandated remedial measures, forcing costly and disruptive changes to your business processes. | Preparation of Internal Policies: We design a robust System of Internal Rules based on a thorough risk assessment. Do not hesitate to contact our firm – office@arws.cz. |
| Inability to demonstrate a Risk-Based Approach (RBA), resulting in regulatory censure for a box-ticking culture. | Legal Analysis: We help you implement a dynamic RBA that satisfies CNB expectations. Want to understand your legal options? Email us at office@arws.cz. |
| Operational failures due to unclear lines of responsibility, leading to financial losses or fraud. | Contract Drafting: We clarify roles and responsibilities in employment contracts and internal governance documents. Do you need a contract prepared? Contact us at office@arws.cz. |
| License suspension or revocation for systemic failures in the internal control framework. | Representation before Public Authorities: We represent you in all dealings with the CNB. Need legal representation? Write to office@arws.cz. |

Building Your Compliance Framework: The System of Internal Policies

A robust compliance framework is not an abstract concept; it is a tangible set of documents that guide every aspect of your regulated activities. At its core is the System of Internal Policies, a comprehensive rulebook that must be meticulously drafted, implemented, and maintained to satisfy the CNB.

What documentation forms the heart of your compliance?

The cornerstone of your compliance obligations is a written System of Internal Rules (SIR), also referred to as a system of internal policies. This is not a single document but a comprehensive, interconnected framework that serves as your company's operational constitution for all regulated activities. It is the first thing a CNB inspector will demand to see during an audit.

This system must be built upon a bespoke and thorough risk assessment of your specific business activities. It must clearly define your procedures for risk management, customer due diligence, transaction monitoring, internal controls, and adherence to all relevant laws. The European Banking Authority (EBA) provides extensive guidelines on what constitutes robust Internal Governance—the complete set of rules, processes, and structures for directing and controlling a financial institution—and your SIR is the primary documented expression of this governance.

What are the mandatory elements of your Anti-Money Laundering (AML) policy?

Under the Czech AML Act (No. 253/2008 Coll.), your SIR must contain a detailed and practical AML policy. This policy must, at a minimum, include procedures for:

  • Client Identification and Verification (KYC): A clear process for identifying every client and verifying their identity before establishing a business relationship.
  • Customer Due Diligence (CDD): Procedures for assessing the risk posed by each client and applying appropriate due diligence. This includes defining triggers for enhanced due diligence for high-risk clients, such as Politically Exposed Persons (PEPs).
  • Transaction Monitoring: A system for monitoring client transactions to detect unusual or suspicious activity that does not align with their known profile.
  • Suspicious Activity Reporting (SAR): A clear protocol for escalating and reporting suspicious transactions to the Czech Financial Analytical Office (FAÚ) without delay.
  • Appointment of an AML Officer: The designation of a specific, qualified individual responsible for overseeing the firm's AML compliance.
  • Regular Employee Training: A documented program for training all relevant staff on their AML obligations and the latest money laundering typologies.

Your AML documentation is not just for internal use. It must be designed to integrate with a national information supply chain aimed at combating financial crime. Your firm is a critical link in this chain, providing essential data to authorities like the FAÚ and contributing to national systems such as the Central Register of Accounts. A failure in your internal systems is a failure for the entire network, which is why the CNB treats AML deficiencies so seriously.

How do you implement the CNB's required Risk-Based Approach (RBA)?

The CNB explicitly mandates a Risk-Based Approach (RBA) to compliance, particularly for AML. This means that a generic, one-size-fits-all compliance policy is unacceptable. Instead, you must demonstrate that you have actively identified, assessed, and implemented controls that are proportionate to the specific risks your business faces.

Implementing an RBA involves:

  1. Conducting a Risk Assessment: Systematically analyzing your business to identify ML/TF risks related to your specific clients, the geographic regions you operate in, your products and services, and your transaction delivery channels.
  2. Developing Tailored Controls: Designing and applying customer due diligence, monitoring, and other preventative measures that are directly linked to the risks identified. High-risk areas require more stringent controls (enhanced due diligence), while low-risk areas may allow for simplified measures.
  3. Documenting Your Rationale: Clearly documenting the methodology behind your risk assessment and the reasons for the specific controls you have chosen.
  4. Continuous Monitoring and Updating: The RBA is not a one-time exercise. Your risk assessment and control measures must be reviewed regularly and updated whenever there are changes to your business or the external risk environment.

The CNB considers a static, box-ticking approach to be insufficiently prudent. Your documentation must prove that your compliance system is a living, dynamic process that adapts to new and evolving threats. Unsure if your current policies meet the CNB's dynamic Risk-Based Approach? Our lawyers can conduct a gap analysis to identify vulnerabilities. Get tailored legal solutions by writing to office@arws.cz.

FAQ – Legal tips on drafting AML policies

  • How often must we update our internal AML risk assessment?
    Your risk assessment should be reviewed at least annually, and immediately updated following any significant event, such as the launch of a new product, expansion into a high-risk country, or a major change in your client base. For a review of your current assessment, write to us at office@arws.cz.
  • What is the difference between standard and enhanced Customer Due Diligence?
    Standard CDD involves verifying a client's identity and understanding the nature of the business relationship. Enhanced CDD is a more intensive process required for high-risk clients (e.g., PEPs) and involves gathering additional information on the source of wealth and funds, and obtaining senior management approval. Need help defining your CDD procedures? Contact us at office@arws.cz.
  • Can we use the same AML policy we use in another EU country?
    No. While the principles may be similar, your policy must be specifically tailored to the Czech AML Act and the CNB's expectations, including the specific requirements for your System of Internal Rules and risk assessment. Our lawyers can adapt your global policies for the Czech market – email us at office@arws.cz.

From Theory to Practice: Maintaining and Auditing Your Documentation

Creating your compliance documentation is only the first step. To satisfy the CNB, you must treat these documents as living instruments that are regularly maintained, consistently applied, and ready for inspection at any time. This requires establishing practical processes for updates, audit preparation, and data retention.

How can you ensure your documents are always up-to-date?

The financial regulatory environment is not static. The CNB and the EBA frequently issue new guidelines, amend regulations, and update their supervisory priorities. An effective internal control system requires ongoing monitoring and must be revised to address new or previously uncontrolled risks. Your System of Internal Policies can quickly become obsolete if not actively maintained.

To ensure your documentation remains current and effective, implement a formal review process. This should include a scheduled, comprehensive review of all compliance policies at least annually. Additionally, you should define specific triggers for ad-hoc reviews, such as the launch of a new service, entry into a new market, a significant change in legislation, or findings from an internal or external audit. This proactive approach demonstrates to the CNB that your compliance framework is a dynamic and integral part of your business management.

What happens during a CNB inspection?

The CNB possesses broad supervisory powers, including the authority to conduct on-site inspections to verify your adherence to laws and the conditions of your license. During an inspection, regulators are not just looking for the existence of a policy document on a shelf. Their primary focus is on effective oversight and implementation—they want to see evidence that your policies are understood by staff, integrated into daily operations, and consistently enforced.

A key concept that inspectors will test is reconstructability. This means your records must be so clear and comprehensive that an auditor can, months or even years later, reconstruct a specific transaction or decision and understand why it was made and how it complied with your internal policies at the time. This requires meticulous record-keeping, clear audit trails for decisions, and organized, accessible documentation. Being prepared for an inspection is not about last-minute scrambling; it is the natural result of a well-maintained compliance system.

What are your data retention and archiving duties?

Your compliance documentation, particularly records related to client identification and transactions, is subject to strict retention rules. The AML Act, for example, specifies requirements for recording and retaining documents for a set period to ensure they are available for review by authorities.

This obligation must be carefully balanced with your duties under data protection laws, primarily the GDPR and the Czech Data Processing Act. While AML laws require you to keep data, GDPR's principle of data minimization requires that you not keep personal data for longer than is necessary. Navigating this apparent conflict—retaining enough information for AML compliance while not retaining too much under GDPR—requires a carefully drafted data retention policy that clearly defines the legal basis and timeframes for storing each category of data.

The High Cost of Non-Compliance: A Practical Risk Assessment

Understanding the regulatory requirements is essential, but appreciating the severe consequences of failure is what drives effective compliance. The CNB is transparent about its enforcement actions, often publishing final administrative decisions and penalties, which can lead to significant financial loss and irreparable damage to your brand's reputation. The following tables outline the concrete risks and demonstrate how ARROWS provides targeted solutions to mitigate them.

Risks and Penalties for Failures in AML & KYC Documentation

| Risks and penalties | How ARROWS helps |
|---|---|
| Heavy fines from the CNB for incomplete or missing Customer Due Diligence (CDD) records. | Drafting Documentation: We draft fully compliant AML/KYC policies. Need legal help? Contact us at office@arws.cz. |
| Suspicious Activity Report (SAR) failures, leading to investigation by the Financial Analytical Office (FAÚ). | Professional Training: We train your staff and AML officer on their reporting obligations. For immediate assistance, write to us at office@arws.cz. |
| Public naming and shaming on the CNB's list of final administrative decisions, causing severe brand damage. | Legal Consultations: We provide ongoing advice to prevent inspections and penalties. Our lawyers are ready to assist you – email us at office@arws.cz. |
| Criminal liability for management in cases of willful negligence or complicity in money laundering. | Legal Opinions: We provide expert legal opinions on complex cases to ensure defensible decision-making. Get tailored legal solutions by writing to office@arws.cz. |

Your Next Step: Securing Your Business with Expert Legal Support

Navigating the Czech Republic's complex regulatory environment requires more than just a template policy; it demands specialized legal expertise and a deep understanding of the CNB's expectations. As a leading Czech law firm in Prague, EU, ARROWS provides the dedicated support that foreign-owned non-bank entities need to operate with confidence and security. Our firm supports over 150 joint-stock companies and 250 limited liability companies, giving us unparalleled experience in this field.

Through our extensive ARROWS International network, operating in 90 countries, we possess a unique ability to handle complex cross-border matters, translating global business strategies into locally compliant operational frameworks. We offer a comprehensive suite of services designed to protect your business from regulatory risk.

Our expert legal team can provide:

  • Preparation of a complete, audit-ready System of Internal Policies tailored to your business.
  • Drafting of all legally required documentation to prevent fines and penalties.
  • Professional training for your management and employees, complete with certificates.
  • Representation in all proceedings before the CNB and other public authorities.
  • Ongoing legal consultations to ensure you remain compliant with evolving regulations.

Protect your investment and ensure seamless operations in the Czech market. For a comprehensive review of your compliance documentation by an expert English-speaking lawyer, contact our team in Prague today at office@arws.cz.

FAQ – Most common legal questions about non-bank compliance

  1. We are a small non-bank entity. Do all these documentation rules still apply to us?

Yes, the core obligations apply to all licensed entities. However, the CNB expects the complexity of your documentation to be proportionate to the size and risk of your business. We can help you create a streamlined yet fully compliant system. For tailored advice, please email us at office@arws.cz.

  2. Who in our company is legally responsible if our compliance documentation is found to be inadequate?

Responsibility ultimately lies with the company's statutory body (e.g., the executive directors). Inadequate compliance can lead to corporate fines and, in serious cases, personal liability for management. Ensure your leadership is protected by getting expert legal help at office@arws.cz.

  3. How long does it take to prepare a fully compliant System of Internal Policies?

The timeframe depends on the complexity of your business. A basic framework can be developed in a few weeks, but a comprehensive system for a larger institution may take several months. For a specific timeline estimate for your business, contact our lawyers at office@arws.cz.

  4. What is the first step we should take if we receive a notice of inspection from the CNB?

Do not panic, but act immediately. Contact your legal counsel to review the notice, understand the scope of the inspection, and begin preparing and organizing the required documentation. For urgent assistance with a CNB inspection, write to us at office@arws.cz.

  5. Can ARROWS also help us obtain the initial license from the CNB?

Absolutely. We guide clients through the entire licensing process, from preparing the application and supporting documentation to communicating with the CNB on your behalf. To start your licensing process, please contact us at office@arws.cz.

  6. Our headquarters provides a global compliance policy. Is that enough for the Czech Republic?

No, a global policy is a good starting point but is insufficient on its own. It must be localized to comply with specific Czech laws, such as the AML Act, and tailored to the CNB's explicit requirements for a Risk-Based Approach. Let us help you adapt your global policies by writing to office@arws.cz.

Don't want to deal with this problem yourself? More than 2,000 clients trust us, and we have been named Law Firm of the Year 2024. Take a look HERE at our references.