CompanyBelgium

KYC in Belgium: how to identify and verify your clients to meet AML obligations

"Know Your Customer" is no longer a marketing slogan: it is a legal obligation with heavy penalties. Here is how to build an operational KYC process in Belgium, from the documents to collect to enhanced due diligence and remote identification.

May 5, 20268 min read

In brief

KYC (Know Your Customer) is the central legal obligation of the Belgian Act of 18 September 2017: identify the client, verify their identity based on supporting documents (BCE/KBO extract, UBO register, ID document) and understand the economic purpose of the relationship. For a Belgian company, the 3-level UBO cascade is essential, and documents must be kept for 10 years.

KYC: the first line of AML defence

Client identification and identity verification — commonly called KYC (Know Your Customer) — is the cornerstone of the Belgian AML framework. The Act of 18 September 2017 makes it an unavoidable obligation for all regulated professions: lawyers, notaries, accountants, real-estate agents, banks, company service providers.

A sloppy KYC, and the whole anti-money-laundering edifice crumbles. And the supervisor (SPF Economie, NBB, FSMA depending on sectors) does not forgive: sanctions hit as soon as a client file lacks documents or consistency.

What the law says: a three-step obligation

Article 21 of the Act of 18 September 2017 breaks the obligation into three distinct actions:

  • Identify the client (and its UBO): collect the declared identity
  • Verify that identity based on supporting documents
  • Understand the purpose and nature of the intended business relationship
  • Each step must leave a written trace. No oral KYC, no "I've met the client in person so I know who they are" — documentation is the rule.

    For a natural person: what to collect

    For an individual client (or a director acting on behalf of a company), you must collect:

    • First name and surname
    • Date and place of birth
    • Main address of residence
    • Nationality
    • National register number (for Belgian residents)

    And verify via:

    • A legible copy of a valid ID card or passport
    • Where applicable, a recent proof of address (less than 3 months old) if the address does not appear on the ID document

    For politically exposed persons (PEPs) — heads of state, ministers, MPs, judges, senior military officers, leaders of state-owned enterprises, and their close relatives and associates — enhanced measures automatically apply: senior management approval, documented source of funds, increased monitoring.

    This is where KYC becomes investigative work. For a company, you must identify:

    • Company name
    • BCE/KBO number
    • Legal form
    • Registered office address
    • Legal representatives (directors, managers)
    • Corporate purpose

    This information is verifiable via the Crossroads Bank for Enterprises (BCE/KBO) — the Company Belgium API retrieves in one request an up-to-date extract with directors, denomination history, establishments and NACE codes.

    The ultimate beneficial owner (UBO)

    The UBO is the natural person who, ultimately, controls or owns the client. Reference threshold: more than 25 % of capital or voting rights, or any other means of control.

    Determining the UBO may require climbing several layers of holding companies — hence the term UBO cascade. The methodology has 3 steps:

  • Level 1 — Direct beneficiaries: natural-person shareholders holding >25 %
  • Level 2 — Indirect beneficiaries: climb the holding chains (parent companies, funds, trust structures) until reaching a natural person
  • Level 3 — Default beneficiaries: if no UBO can be identified, the senior officers are designated as "default" UBOs
  • The Belgian UBO register centralises declarations. You must consult it and compare with what your client declares. Any divergence → mandatory flag.

    Verification: supporting documents, not declarations

    The nuance matters. Identification is what the client says. Verification is what you prove based on documents issued by an authority or a trusted third party:

    • Recent BCE/KBO extract (< 6 months) → legal form, registered office, directors
    • Consolidated articles of association published in the Belgian Official Journal → corporate purpose, capital structure
    • UBO register → declared beneficial owners
    • ID document of the natural persons identified
    • Where applicable: annual accounts, group org chart, shareholders' agreement

    Keep everything 10 years after the end of the relationship. Paper or digital — most regulated entities now switch to timestamped electronic archives.

    Remote KYC: what is allowed

    Since 2020, fully remote identification is explicitly framed. Accepted methods:

    • eID + card reader (Belgian ID card with cryptographic authentication)
    • itsme® (mobile electronic identity recognised by the Belgian state)
    • Video-identification with live reading of the ID document by a trained operator, with retained recording
    • Electronic identification system notified at EU level (eIDAS)

    Sending a simple photo of an ID card by email is not a valid KYC. Supervisors systematically check this.

    The obligation to understand the relationship

    Beyond identity, you must understand the economic purpose of the relationship: what will this client do with your services? Where do the funds they handle come from? Is the consistency between their profile and their operations plausible?

    A client suddenly opening multiple accounts for activities unrelated to its declared corporate purpose → red flag. A Walloon SME negotiating with counterparties in opaque jurisdictions without any visible commercial reason → red flag. Initial KYC feeds the ongoing monitoring required by Article 35.

    Enhanced measures: when and how

    Article 19 imposes enhanced measures in several cases:

    • High-risk client (PEP, risk jurisdiction, opaque structure)
    • Unusual or complex transaction with no clear economic justification
    • Remote relationship without recourse to a substantial-level electronic identification system
    • High-risk third countries identified by the European Commission

    In practice: senior management approval, additional verification of the source of funds, increased review frequency (annual at a minimum, sometimes quarterly).

    Building an operational KYC process: the checklist

  • Map client types (individuals, Belgian companies, foreign companies, trusts) and the required documents per type
  • Standardise a digital KYC form with mandatory fields, partly fed by the BCE/KBO API to pre-fill Belgian companies
  • Automate the consultation of the UBO register and comparison with the client's declarations
  • Define a risk matrix (low / standard / high) that triggers the corresponding measures
  • Archive documents for 10 years with timestamping and traceable access
  • Review each client file at a frequency tailored to the risk (annual, semi-annual, quarterly)
  • How Company Belgium speeds up your KYC

    Company Belgium automates the full KYC chain for regulated professions:

    • Pre-fill company files from a BCE/KBO number: denomination, legal form, registered office, directors, NACE codes, history
    • UBO cascade retrieved across 3 levels and automatically compared with the Belgian register — divergences flagged in plain sight
    • Remote identification aligned with recognised Belgian standards (eID, itsme®)
    • Built-in risk matrix triggering simplified or enhanced measures based on the profile
    • Continuous monitoring: automatic alerts on BCE changes (new director, denomination change, accounts filing)
    • Encrypted, timestamped archiving over 10 years, accessible during audit

    KYC of a Belgian company drops from several hours to a few minutes, with no concession on control quality.

    Bottom line

    KYC is the backbone of AML compliance. Done well, it protects the professional, secures operations and nurtures trust. Done poorly, it is the first thing the supervisor will look for during an inspection — and the easiest to fault.

    For Belgian domiciliation centers, KYC obligations sit within the broader framework of AML compliance for company service providers, which also covers monitoring, CTIF reporting and 10-year data retention.

    Tooling matters: direct access to BCE/KBO and the UBO register, plus a platform that archives and timestamps, turns a time-consuming process into a controlled formality. That is exactly what Company Belgium aims to provide for its regulated clients.

    Frequently asked questions

    What documents are mandatory for the KYC of a Belgian company in 2026?

    For a Belgian legal entity, the KYC file must contain at minimum: a BCE/KBO extract less than 6 months old (legal form, registered office, directors), the consolidated articles of association published in the Belgian Official Journal, a consultation of the UBO register with comparison between the client's declarations and the register, and the identity document of each identified natural person (directors, UBOs). In the case of enhanced measures (PEP or complex structure), annual accounts and a group org chart are also required.

    How does the UBO cascade work in Belgium and how far up must one trace?

    The Belgian UBO cascade has 3 levels: at level 1, natural-person shareholders directly holding more than 25% of capital or voting rights are identified; at level 2, holding chains are climbed until the ultimately controlling natural person is reached; at level 3, if no UBO can be identified, the senior officers are designated as default UBOs. Any divergence between the client's declarations and the Belgian UBO register must be reported to the CTIF/CFI.

    Is remote identification via itsme or eID valid for KYC in Belgium?

    Yes. Since 2020, fully remote identification is legally framed in Belgium. Accepted methods are: the Belgian ID card with eID reader and cryptographic authentication, the itsme app recognised by the Belgian state as a substantial-level electronic identity, video-identification with live reading of the ID document by a trained operator with retained recording, and European eIDAS systems. Sending a simple photo of an ID card by email is not a valid KYC.

    For how long must KYC documents for a client be retained in Belgium?

    The Act of 18 September 2017 requires retention for 10 years after the end of the business relationship or the last transaction carried out. This period applies to all identification documents, verification records, risk assessment reports and correspondence related to the relationship. The format may be paper or electronic, but electronic documents must be timestamped and their access traced to be probative during an inspection.

    Ready to get started?

    Create your free account and get your API keys in minutes.

    Comments

    Loading comments…

    Leave a comment

    Not published — used only to notify you.

    Comments are moderated before publication.

    Related articles