CompanyBelgium

KYC file in Belgium: mandatory content, format and retention

What must a complete KYC file in Belgium contain to pass an SPF Economie inspection? Exhaustive list of mandatory documents per client type, accepted formats, retention period, timestamped electronic archiving and common mistakes to avoid.

March 25, 202610 min read

In brief

A complete KYC file in Belgium must contain 6 mandatory sections: client identification, beneficial owner (UBO) identification, risk assessment, understanding of the business relationship, sanctions and PEP screening, ongoing monitoring. Every document must be retained for 10 years in a legible and integral format. The SPF Economie inspector must be able to extract a complete file in 5 minutes.

Why the KYC file is the #1 item checked during inspection

When SPF Economie inspects a firm subject to the Act of 18 September 2017, it asks for three things: your risk assessment, your AML policy, and a sample of KYC files. Among those three, the KYC file most directly reveals whether your compliance is real or cosmetic.

A complete KYC file is not just "I have a copy of an ID card". It is a structured, dated, verifiable set demonstrating that you have identified, verified, understood and tracked the business relationship.

This article details every expected piece per client type, the format to keep it in, and the legal retention period.

Mandatory KYC file structure

A well-kept KYC file is structured in 6 standardized sections. That is how the inspector looks for them, and how your AMLCO must organize them.

Section 1 — Client identification

For a natural person (individual or self-employed):

  • Legible copy of valid ID card or passport (both sides for Belgian card)
  • Full name, first names, date and place of birth, nationality(ies)
  • Main address of residence (proof if address not on the ID — bill < 3 months, residence certificate)
  • National register number for Belgian residents

For a legal person (company, non-profit, foundation):

  • Recent BCE/KBO extract (less than 6 months) with name, enterprise number, legal form, registered office, corporate purpose, directors
  • Consolidated articles of association published in the Belgian Official Journal
  • Composition of the board (appointment dates)
  • Belgian or European VAT number if different

Section 2 — Ultimate beneficial owner identification (UBO)

For legal persons, see details in our UBO article:

  • Group org chart: control chain down to the natural person
  • ID documents of identified UBOs (level 1 and 2 of the cascade)
  • Recent Belgian UBO register extract
  • Shareholders' agreement if relevant (control by other means)
  • Justification if UBO category 3 (default senior officers)
  • BCE ↔ UBO register comparison with flagged divergences

Section 3 — Risk assessment

  • Risk grade assigned: Low / Standard / High
  • Written justification of criteria leading to the grade
  • Corresponding measures to implement
  • AMLCO signature and date

Section 4 — Understanding of the relationship

  • Written description of the economic purpose of the relationship (KYC purpose statement)
  • For high-risk files: proof of source of funds (bank statement, sales contract, inheritance, dividend)
  • For PEPs: explicit management approval and documented enhanced monitoring

Section 5 — Screening and official lists

  • Result of international sanctions screening (EU, UN, OFAC), dated
  • Result of PEP screening (politically exposed persons)
  • UBO list divergence check
  • Date and screening tool (proof of operation)

Section 6 — Ongoing monitoring and events

  • Annual review log (with date and signature)
  • Reported events since onboarding (director change, UBO declaration, sanction, litigation)
  • Internal decisions taken (status quo, enhanced measure, CTIF report, termination)

Additional documents per client type

Capital company (SA, SRL, SC)

Beyond the common core:

  • Annual accounts filed with NBB (last 2 financial years)
  • Shareholders list or share register
  • Powers of attorney if signing is delegated

Non-profit / foundation

In addition:

  • Articles of association published
  • List of directors and officers
  • Main funding sources

Trust / fiduciary

  • Constitutive deed (deed of trust)
  • Identification of settlor, trustee, protector, beneficiaries

Self-employed natural person

  • Social status (INASTI/RSVZ)
  • VAT (if subject)
  • Real activity carried out

Retention format

Paper and electronic are legally equivalent, but in 2026 timestamped digital has become the norm. The Act of 18/09/2017 does not prescribe a specific format but requires:

  • Legibility throughout the retention period
  • Integrity: no modification after creation (or change history tracked)
  • Authenticity: you must be able to prove a document is the one collected
  • Accessibility: extractable on authority request within 48 hours

In practice:

  • PDF/A for finalized documents (long-term archive standard)
  • Qualified electronic signature (eIDAS) for internal documents (AMLCO decisions, risk notes)
  • TSA timestamp (Time Stamping Authority) for sensitive documents
  • Encrypted at-rest storage (AES-256 minimum)
  • Access log: who consulted, modified, exported each file

Retention period

10 years after end of business relationship or last significant transaction (Article 60 of the Act of 18/09/2017).

Important:

  • 10 years = not 5, not 7, not "as long as we have room"
  • Countdown starts at the end of the relationship, not at file opening
  • Beyond 10 years, deletion must be controlled and documented (GDPR compatible)
  • Historical archives from before 2017 must still be accessible per prior law

Preparing a KYC file audit

The AMLCO must be able to present a complete file in 5 minutes during an inspection. Internal quarterly test:

  • Pick 3 files at random
  • Ask a trained colleague to retrieve all pieces of the 6 sections
  • Time it
  • Verify no piece is missing or obsolete
  • If it takes more than 15 minutes, your archive is failing.

    Frequent inspection findings

  • Illegible ID card copy — rejected as identification proof
  • BCE extract too old (> 6 months) — must be current at onboarding
  • No UBO register consultation — automatic finding
  • Incomplete UBO cascade — level 2 missing when there is a holding chain
  • No risk assessment note — no matrix = risk measure not demonstrated
  • No PEP/sanctions screening or very old screening
  • No annual review log — file appears frozen at opening day
  • Documents disorganized — inspector loses patience and stamps "non-compliant"
  • No AMLCO signature on sensitive decisions
  • Retention < 10 years or undocumented deletion
  • How Company Belgium structures your KYC files

    The Company Belgium KYC module natively imposes the structure expected by SPF Economie:

    • 6-section file template pre-filled from the BCE/KBO API
    • Automatic UBO cascade over 3 levels, cross-checked with the Belgian register
    • Sanctions and PEP screening integrated, dated and tracked
    • Risk note generated by the configured matrix
    • Review log: automatic reminders, electronic AMLCO signature
    • PDF/A archiving with TSA timestamp, encrypted 10-year retention
    • Full file export in 1 click for inspection

    See also: the full KYC guide, the 2026 compliance checklist and the risk assessment methodology.

    Bottom line

    A compliant KYC file rests on 6 non-negotiable sections: client identification, UBO, risk assessment, economic purpose, screening, ongoing monitoring. Each section has its list of documents, accepted format, and retention period.

    The ultimate test: an SPF Economie inspector points at a random file. In 5 minutes, your AMLCO must produce everything. If yes, you are ready. If not, this article tells you what is missing.

    Frequently asked questions

    Which documents are mandatory in a KYC file for a company in Belgium?

    For a legal person, the KYC file must include a BCE/KBO extract less than 6 months old, consolidated articles of association, the composition of the board of directors, the UBO org chart down to natural persons, extracts from the Belgian UBO register, the risk note signed by the AMLCO, results of sanctions and PEP screening, and a description of the economic purpose of the relationship. For capital companies, the last two annual accounts filed with the NBB are also required.

    How long must a KYC file be retained in Belgium?

    The Act of 18 September 2017 requires retention for 10 years from the end of the business relationship or the last significant transaction. This period starts from the end of the relationship, not from the opening of the file. Beyond 10 years, deletion must be documented and GDPR-compliant. Archives predating 2017 remain subject to the rules applicable when they were created.

    What format is accepted for archiving a KYC file in Belgium?

    The law does not prescribe a specific format but requires legibility, integrity, authenticity and accessibility throughout the retention period. In practice, PDF/A with a TSA timestamp is recommended for finalized documents. Internal AMLCO decisions must be electronically signed at qualified level (eIDAS). Storage must be encrypted at rest (AES-256 minimum) with a complete access log.

    Which KYC file errors are most often sanctioned during an SPF Economie inspection?

    The most frequent errors at inspection are: an illegible ID card copy, a BCE extract that is too old (more than 6 months), no UBO register consultation, an incomplete UBO cascade (level 2 missing), no signed risk assessment note, absent or outdated PEP and sanctions screening, and no annual review log. A disorganized file or one without an AMLCO signature almost systematically leads to a non-compliance finding.

    Ready to get started?

    Create your free account and get your API keys in minutes.

    Comments

    Loading comments…

    Leave a comment

    Not published — used only to notify you.

    Comments are moderated before publication.

    Related articles