What Does the CNB Expect From the Annual Review of the Compliance Function
Are you managing a foreign company in the Czech Republic and need to understand what the Czech National Bank (CNB) truly expects from your compliance function? This article provides clear answers, moving beyond the myth of a simple annual checklist. As a leading Czech law firm in Prague, EU, with extensive experience assisting international clients, our English-speaking lawyers will guide you through the CNB's risk-based approach and help you avoid costly penalties.
Need advice on this topic? Contact the ARROWS law firm by email office@arws.cz or phone +420 245 007 740. Your question will be answered by "Mgr. Jáchym Petřík", an expert on the subject.
Beyond the Annual Checklist: Why the CNB Expects "Living" Compliance
Many international executives mistakenly view regulatory compliance as a task to be completed once a year. However, the Czech financial market, supervised by the Czech National Bank (CNB), operates within a dynamic legal framework where compliance is a continuous process of monitoring and adaptation, not a static, one-time event.
The CNB expects your company's internal policies, risk assessments, and client-facing documents to be "living documents," ready to be updated whenever a key trigger occurs.
Simply scheduling an "annual compliance review" is insufficient and exposes your business to significant risk. The CNB's supervisory philosophy is rooted in a risk-based approach. This means the regulator is less interested in whether you have a compliance policy and more interested in whether that policy accurately reflects the real, current risks of your business operations.
A crucial principle underpinning the CNB's scrutiny is reconstructibility (rekonstruovatelnost). This legal concept means it is not enough to simply do the right thing; you must be able to prove, with clear and contemporaneous documentation, why you made a specific compliance decision, even years after the fact. For the regulator, a simple rule applies: what is not documented, did not happen (co není zdokumentováno, to se nestalo).
This shifts a significant burden of proof onto your management. During an inspection, the CNB can challenge not just your failure to update a file, but the fundamental logic of your entire risk-assessment system. This elevates the need for expert legal support from simple document drafting to high-level strategic advisory on designing a defensible, logically sound, and provable compliance framework.
What Triggers a Compliance Update? The Three Pillars of CNB Scrutiny
To maintain a robust and defensible compliance framework, your company must actively monitor for three distinct types of events. Each one serves as a clear signal that a review and potential update of your documentation is necessary. Ignoring these triggers means your compliance framework will inevitably become outdated, irrelevant, and, most importantly, non-compliant.
Pillar 1: Legislative and Regulatory Changes
The most significant driver of compliance updates is external change in the legal environment. Your internal documentation must directly reflect your legal obligations. These changes typically come from three sources:
- Directly Applicable EU Regulations: Pan-European regulations, such as the Markets in Crypto-Assets (MiCA) Regulation, are immediately applicable across all EU member states, including the Czech Republic. When such a regulation comes into force, your firm must immediately update its internal processes and risk management frameworks.
- Transposition of EU Directives: EU directives, like the 6th Anti-Money Laundering Directive (AMLD6), set a goal that member states must implement into their national law. This often leads to amendments to key Czech laws, such as the AML Act (No. 253/2008 Coll.), introducing new obligations for your company.
- Local CNB Decrees and Communications: The CNB frequently issues its own decrees (Vyhlášky) and official communications (Úřední sdělení). These documents govern specific operational areas and often contain highly detailed requirements that are published only in Czech, directly impacting your day-to-day operations and demanding expert local guidance to interpret and implement correctly.
Pillar 2: Your Internal Risk-Based Obligations (Especially AML)
The second major trigger is not an external event, but an internal obligation mandated by the CNB: the risk-based approach. This is particularly critical in the area of Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT). The CNB does not provide a rigid update schedule; instead, it requires your firm to develop its own intelligent, risk-sensitive system for maintaining compliance.
The cornerstone of your AML compliance is a document known as the Systém vnitřních zásad (SVZ), or System of Internal Principles. This is your company's internal AML "constitution," and it must detail your specific procedures for identifying, assessing, and managing money laundering risks. Crucially, your SVZ must define how frequently you update client information, with this frequency directly linked to each client's risk profile. This leads to two types of updates:
- Regular Updates: Performed periodically, with the frequency determined by the client's risk category. High-risk clients require much more frequent reviews than low-risk clients.
- Ad-hoc Updates: Triggered by specific events that could alter a client's risk profile, such as a large, unusual transaction, a change in the client's beneficial ownership, or negative media reports.
Pillar 3: Significant Changes in Your Business Operations
The final category of triggers is internal to your business. Your compliance documentation must be a true and fair reflection of your company's activities. When your activities change, your documentation must be reviewed and updated to maintain its relevance and effectiveness. Practical examples include:
- Launching new products or services.
- Entering new geographical markets, especially high-risk jurisdictions.
- Corporate restructuring, such as mergers or acquisitions.
- Implementing new core IT systems or client on-boarding platforms.
What Does a "CNB-Proof" Compliance System Look Like?
A compliance system that can withstand CNB scrutiny is built on a solid foundation of governance and a dynamic risk assessment process. It requires understanding not just pan-European principles, but also specific Czech legal requirements that dictate how compliance must be managed and overseen.
Your Governance and Control System: The Foundational Blueprint
The architectural standard for governance in the Czech financial sector is set by key legislation, most notably Decree No. 163/2014 Sb. (Vyhláška č. 163/2014 Sb.). This decree outlines the requirements for a firm's overarching management and control system, defining the distinct roles of the management body and the supervisory board (or equivalent controlling body, kontrolní orgán).
For foreign companies, one of the most critical and often overlooked aspects of this decree is the concept of a "special control activity." The decree imposes a highly specific and non-delegable duty on the supervisory board. It explicitly defines the evaluation of the compliance function as a "special control activity" which must be discussed and decided without the presence of executive members of the board.
This procedural requirement can be a legal minefield for foreign companies, particularly those from jurisdictions with single-tier board structures (common in the US and UK) where the lines between executive and non-executive oversight are drawn differently. Simply having the board "review" a compliance report is insufficient. If this specific Czech procedural requirement is not met and documented in the meeting minutes, the CNB can deem the entire compliance review process invalid.
FAQ – Legal tips about your Governance System
- Who is ultimately responsible for compliance failures – the Compliance Officer or the Board?
The statutory body (e.g., the Board of Directors) always holds ultimate responsibility and cannot delegate it away. However, the supervisory board has specific, legally defined oversight duties it must perform correctly. For a review of your governance structure, contact our experts at office@arws.cz.
- Our parent company is in Germany. Can we just use our group-level governance policies?
No. While group policies provide a good starting point, they must be adapted to meet specific Czech requirements like the "special control activity" rule. A compliance strategy that works elsewhere cannot simply be replicated in Prague. For help with cross-border compliance, write to our team at office@arws.cz.
- What does the CNB mean by a "proportionate" system?
It means your governance and control systems must be tailored to the specific character, scale, complexity, and risks of your Czech operations, not your global ones. A small payment institution faces different requirements than a large bank. For an assessment of proportionality for your business, contact us at office@arws.cz.
The Risk Assessment: Proving Your System is Effective, Not Just Formal
The risk assessment is the engine of your entire compliance program. It cannot be a generic, "off-the-shelf" document. It must be a comprehensive, documented process that identifies, analyzes, and evaluates all relevant risks associated with your specific business model, including your products, client types, distribution channels, and geographic exposure.
The CNB has formally adopted the guidelines issued by the European Securities and Markets Authority (ESMA), which detail the best practices for a compliance risk assessment. According to these standards, your risk assessment must be the foundation for defining your compliance monitoring program and allocating adequate resources, both in terms of qualified staff and effective IT systems.
A successful compliance review requires the synthesis of a multi-layered legal framework. The ESMA guidelines provide the high-level principles—the "what" to do (e.g., conduct a risk assessment). However, Czech laws like Decree No. 163/2014 Sb. provide the specific national implementation and governance context—the "how" it must be overseen (e.g., the specific role of the supervisory board).
A firm can have a technically perfect risk assessment that meets every ESMA principle, but if it cannot demonstrate that this assessment was reviewed and approved through the correct Czech corporate governance channels, the entire system is deficient from the CNB's perspective.
How to Avoid Severe Legal and Financial Risks: The Real Cost of Non-Compliance
Failing to keep your compliance documentation and systems current is not a minor administrative lapse; it is a serious breach that can have severe and cascading consequences for your business. The CNB has broad enforcement powers, and the penalties for non-compliance are designed to be a powerful deterrent.
The CNB's Escalating Enforcement Strategy
The CNB's enforcement strategy often follows a pattern of escalation. Minor procedural failures, such as late or inaccurate data reporting through the mandatory SDAT portal, are frequently treated as "red flags." These initial flags can trigger a much deeper and more intrusive inspection of your firm's entire governance, risk, and control framework.
This can create a "snowball effect," where a small administrative error escalates into a full-scale regulatory crisis, consuming hundreds of hours of management time and diverting focus from your core business. The initial penalty is often trivial compared to the cost of the subsequent investigation and any mandated remediation programs. In this context, there are no "small" compliance failures.
Governance and Internal Control Failures
| Risks and penalties | How ARROWS helps |
| --- | --- |
| Failure to ensure independent oversight by the supervisory board (breach of Vyhláška č. 163/2014 Sb.). Penalty: Remedial measures ordering an overhaul of governance; potential replacement of board members. | Legal Opinion on Governance Structure: We assess your board structure for compliance with Czech-specific rules. Need an assessment? Email us at office@arws.cz. |
| Inadequate resources (staff, IT) for the compliance function. Penalty: Public warning, restrictions on business activities until rectified. | Legal Consultations: We help you benchmark your compliance function against CNB expectations and best practices. Get tailored legal solutions by writing to office@arws.cz. |
| Compliance officer lacking true independence or having a conflict of interest (e.g., also heading the legal department). Penalty: CNB can order the replacement of the officer. | Preparation of Internal Policies: We draft clear charters and policies defining the compliance function's independence and authority. For immediate assistance, write to us at office@arws.cz. |
Inadequate Risk Assessment and AML Deficiencies
| Risks and penalties | How ARROWS helps |
| --- | --- |
| Failure to perform client identification under the AML Act. Penalty: Fine of up to CZK 10,000,000 (approx. EUR 400,000). | Drafting AML/KYC Documentation: We create a robust Systém vnitřních zásad tailored to your specific risks. Need legal help? Contact us at office@arws.cz. |
| Failure to report a suspicious transaction. Penalty: Fine of up to CZK 5,000,000 (approx. EUR 200,000). | Professional Training: We provide certified training for your management and staff on AML obligations and reporting procedures. Our lawyers are ready to assist you – email us at office@arws.cz. |
| Generic, non-risk-based compliance system that fails the CNB's "use test." Penalty: Systemic breach finding, potentially leading to fines up to CZK 130,000,000 (approx. EUR 5.2 million) for financial institutions. | Representation before Public Authorities: We defend your risk assessment methodology during CNB inspections. For immediate assistance, write to us at office@arws.cz. |
The Lasting Damage: Public Sanctions and Reputational Harm
Perhaps the most damaging consequence of a CNB sanction is the mandatory public disclosure. The law requires the CNB to publish its final enforcement decisions on its website, where they remain accessible for at least five years. This creates a permanent, public record of your firm's compliance failures, which can be devastating to your reputation. It can erode trust with clients, deter potential investors, and complicate relationships with banking partners.
The CNB's public fining of large, established domestic players like Komerční banka, Česká spořitelna, and BH Securities is a strategic communication tool. It sends a clear message to the entire market, including new foreign entrants, that no institution is too big or too reputable to escape enforcement. For a foreign company, this means you will be held to the highest standard from day one.
What Are the Key Differences for International Companies?
For international firms, a primary challenge is understanding that compliance is not a "one-size-fits-all" exercise. A successful strategy from your home market cannot be directly transferred to the Czech Republic due to fundamental differences in regulatory structure and philosophy. ARROWS, as an international law firm operating from Prague, European Union, specializes in bridging this gap.
The "Compliance Culture Clash"
Foreign companies often face a significant "compliance culture clash." A firm from a highly prescriptive, rules-based jurisdiction may implement a system that ticks all the boxes but lacks the underlying risk-based logic the CNB demands. Conversely, a firm from a more principles-based regime might have a strong risk culture but fail the CNB's stringent requirements for formal documentation and specific corporate governance procedures.
The Czech system represents a unique hybrid that requires bespoke localization, not simple translation. It blends EU principles with a demand for deep, bespoke risk analysis and a Central European emphasis on formal, documented procedure. Through our ARROWS International network, built over more than 10 years, we provide the dual local and international expertise needed to navigate these complex cross-border challenges.
FAQ – Legal tips for Cross-Border Compliance
- Our group compliance reports are in English. Is that acceptable for the CNB?
While day-to-day communication with the CNB may often be in English, key legal documentation and official submissions must typically be in Czech. We can ensure your documentation meets all language and legal requirements. For help with your documentation, write to our team at office@arws.cz.
- How does the CNB view outsourcing compliance functions?
Outsourcing is permitted but highly regulated. The ultimate responsibility for compliance always remains with your company's statutory body. We can advise on structuring a compliant outsourcing arrangement that satisfies the CNB's expectations. Do not hesitate to contact our firm for guidance – office@arws.cz.
What Is Your Next Step to Ensure Full Compliance?
Navigating the CNB's requirements demands more than just a template; it requires expert local knowledge and international perspective. At ARROWS, a leading Czech law firm in Prague, EU, we provide end-to-end support to ensure your business is not just compliant, but defensible. Our team regularly helps over 150 joint-stock companies and 250 limited liability companies with these exact issues.
Our services are designed to address every aspect of your compliance needs:
- Preparation of internal company policies: Including the crucial Systém vnitřních zásad (SVZ) and governance charters.
- Drafting all legally required documentation: To ensure full "reconstructibility" and pass the CNB's scrutiny.
- Legal consultations and opinions: To perform a gap analysis of your existing systems against Czech law and CNB expectations.
- Representation in court or before the CNB: Defending your interests during inspections and administrative proceedings.
- Professional training for management and employees: Providing certified courses to build a strong, demonstrable compliance culture.
Don't wait for a letter from the regulator. Proactively secure your operations and reputation. To schedule a consultation with our legal experts, contact us today at office@arws.cz.
FAQ – Most Common Legal Questions About CNB Compliance Reviews
- How often should our supervisory board formally review the compliance function?
At least annually, and always as a "special control activity" without executive members present, as required by Czech law. To ensure your board meetings are procedurally correct and fully documented, get tailored legal solutions by writing to office@arws.cz.
- What is the first thing we should do if the CNB announces an on-site inspection?
Immediately contact experienced legal counsel. Do not attempt to manage the inspection alone. Quick, expert preparation, including reviewing documentation and preparing key personnel for interviews, is critical to a successful outcome. For immediate assistance, write to us at office@arws.cz.
- Is an "annual compliance report" a formal requirement to be submitted to the CNB?
While you must have a robust internal review process, there is not a single, standardized "annual compliance report" that all firms must file with the regulator. The CNB's focus is on your continuous, risk-based monitoring and the provability of your system, not a specific form. Need legal help clarifying your reporting duties? Contact us at office@arws.cz.
- Our company is small. Do these complex governance rules still apply?
Yes, but they apply proportionally. The core principles of independent oversight and a risk-based approach are mandatory for all, but the implementation can be scaled to the size and complexity of your business. Our lawyers can help define what is "proportionate" for your operations – email us at office@arws.cz.
- What are the most common mistakes you see foreign companies make?
The most common errors are underestimating the CNB's focus on detailed, localized documentation and trying to apply a generic, group-level compliance policy without adapting it to specific Czech legal and procedural requirements. Do not hesitate to contact our firm to avoid these pitfalls – office@arws.cz.
- Can ARROWS help us train our local Czech team on these requirements?
Absolutely. We provide professional, certified training for both management and employees to ensure your entire team understands their roles and responsibilities in maintaining a robust compliance culture that will stand up to regulatory scrutiny. Get in touch to discuss a training plan at office@arws.cz.
Don't want to deal with this problem yourself? More than 2,000 clients trust ARROWS Law Firm, and we have been named Law Firm of the Year 2024. Take a look at our references, and we will be honored to help you solve your problem. The inquiry is free of charge.