Belgian Act of 18 September 2017: a complete guide to AML compliance for Belgian businesses
The Belgian Act of 18 September 2017 transposes the EU's 4th Anti-Money Laundering Directive. Here are the concrete obligations for regulated professions, the sanctions for non-compliance, and how to build a robust AML framework.
In brief
The Belgian Act of 18 September 2017 imposes five fundamental obligations on all regulated professions (banks, notaries, accountants, domiciliation centers, real-estate agents…): identify and verify the client (KYC), assess individual risk, monitor the relationship over time, retain documents for 10 years, and report any suspicion to the CTIF/CFI. Penalties range up to 5 million euros in administrative fines.
The Belgian AML framework, in plain terms
The Belgian Act of 18 September 2017 on the prevention of money laundering and terrorist financing is the reference text in Belgium. It transposes the EU's 4th Anti-Money Laundering Directive (EU 2015/849), since complemented by the 5th (EU 2018/843) and 6th (EU 2018/1673).
The framework requires a whole range of regulated professions to identify their clients, assess money-laundering and terrorist-financing risks, keep records, and report any suspicious transaction to the CTIF/CFI (Financial Intelligence Processing Unit).
Beyond fifty-odd technical articles, the spirit of the text boils down to one requirement: you must know who your clients are, understand the economic logic of their operations, and document what you know.
Who is concerned?
Article 5 of the Act lists the regulated entities. In practice, two main families.
The financial sector
- Credit institutions, investment firms, brokerage firms
- Life insurance undertakings, insurance intermediaries
- Currency exchange offices, payment service providers
- Crypto-asset platforms (since the 5th Directive)
Non-financial professions
- Notaries, bailiffs, lawyers (for certain activities)
- Statutory auditors, accountants, tax advisers, certified bookkeepers
- Real-estate agents (intermediation, property management)
- Company service providers (domiciliation, incorporation, secretariat)
- Dealers in high-value goods (gold, precious metals, art) above €10,000
- Casinos, gambling operators
If you carry out any of these activities in Belgium, the Act applies — whatever the size of your structure, from the self-employed law office to the banking group.
The 5 cardinal obligations
1. Identify and verify the client (KYC)
Before entering into a business relationship, you must identify:
- The client itself — name, date of birth, address for a natural person; denomination, BCE/KBO number, legal form for a legal person
- The ultimate beneficial owner(s) — the natural person(s) who ultimately control the client (reference threshold: 25 % of capital or voting rights)
- The agent acting on behalf of the client, if any
Identification must be verified based on supporting documents: ID card, BCE/KBO extract, UBO register, articles of association. Our practical KYC guide for Belgium details the UBO cascade and enhanced measures.
2. Assess the risk
Each business relationship undergoes an individual risk assessment for money laundering and terrorist financing. Usual criteria:
- Type of client (PEP — politically exposed person, complex structure, high-risk jurisdiction)
- Type of product or service (cash, international transfers, possible anonymity)
- Distribution channel (remote vs. face-to-face)
- Geographic zone (high-risk third countries listed by the European Commission)
The outcome drives intensity of measures: standard, simplified (low risk) or enhanced (high risk).
3. Monitor the business relationship
Initial identification is not enough. You must monitor over time the consistency of transactions with what you know about the client. An SME with modest turnover suddenly receiving six-figure international transfers must trigger a review.
4. Keep records
All identification and analysis documents must be kept 10 years after the end of the business relationship or the last transaction. Paper or electronic — what matters is traceability.
5. Report suspicions to the CTIF/CFI
As soon as a transaction raises suspicion — no proof required — you must submit a suspicious transaction report to the CTIF/CFI via its dedicated platform. The client must not be informed ("tipping-off" prohibition).
The UBO register: the cornerstone
Since 2019, every Belgian company must declare its ultimate beneficial owners to the UBO register managed by the SPF Finances. The 2017 Act makes it a central support of KYC verification: you must consult the register and flag any divergence between what it indicates and what your client declares.
For listed companies, foundations, non-profits and trusts, rules differ in detail but the logic is identical: who, in flesh and blood, pulls the strings?
Sanctions: what non-compliance really costs
The sanction toolkit is heavy, and it is enforced.
- Administrative fines: from €250 to €5,000,000 for a legal person (or 10 % of annual turnover), pronounced by the competent supervisor (SPF Economie for non-financials, NBB or FSMA for the financial sector)
- Criminal penalties: up to 5 years' imprisonment and €1,250,000 fine for the most serious offences (Article 137 of the Act)
- Professional sanctions: withdrawal of authorisation, ban on practising
- Publication of sanctions on the supervisor's website (major reputational impact)
SPF Economie sanctions against company service providers are published regularly — and worth knowing: a named sanction may explicitly cite earlier anonymous sanctions against the same entity, which de facto links successive fines.
Building a compliant AML framework: the checklist
How Company Belgium helps you comply
For regulated professions, Company Belgium offers an integrated platform covering every obligation of the Act of 18 September 2017:
- BCE/KBO API to instantly identify and verify your corporate clients (extracts, directors, history, NACE codes)
- Automated UBO consultation: full cascade down to the natural person, automatic comparison with the client's declarations
- AML/KYC module: structured client files, preconfigured risk assessment, tracking of annual reviews
- Timestamped 10-year archiving of records and decisions
- goAML generation for your CTIF reports, directly from the client file
- Training and decision register to materialise the AMLCO's work
A single workspace, compliant by design, to turn a legal requirement into a controlled routine.
Bottom line
The Act of 18 September 2017 is demanding but its logic is clear: know your client, assess the risk, monitor, report. The sanctions are real, the supervisor is active. For regulated SMEs and self-employed professionals, the good news is that the obligations can be handled with integrated tools — BCE/KBO access, UBO lookups, electronic archiving, automatic goAML file generation — that make compliance manageable day-to-day.
The cost of a robust framework is nothing compared to that of a sanction.
Frequently asked questions
Who is considered a regulated profession in Belgium under the Act of 18 September 2017?
The Act of 18 September 2017 subjects to its obligations any person or entity carrying out an activity listed in Article 5, regardless of size. This includes banking institutions, notaries, lawyers (for certain activities), accountants, tax advisers, statutory auditors, real-estate agents, company service providers (domiciliation centers, fiduciaries), casinos and dealers in high-value goods above 10,000 euros, and crypto-asset platforms. A one-person accounting firm is as concerned as a large bank.
What is the difference between standard due diligence and simplified due diligence in Belgium?
Standard due diligence applies by default to every business relationship and includes full identification of the client, its UBO, understanding of the economic purpose of the relationship, and ongoing monitoring. Simplified due diligence is reserved for clients and products with demonstrated low risk, such as Belgian public bodies or life insurance products with modest premiums. It reduces review frequency but does not exempt from initial identification or ongoing monitoring. Enhanced due diligence applies in the opposite direction for high-risk profiles.
How does one build a global AML risk assessment compliant with the Belgian Act of 18 September 2017?
The global risk assessment must analyse four dimensions: client risks (client categories, PEP presence, complex structures), product and service risks (cash, international transfers, anonymity), distribution channels (face to face, remote, via intermediaries) and geographic zones (high-risk third countries identified by the European Commission). The document must be signed by management, dated and reviewed at least annually. It serves as the basis for calibrating the due diligence level applicable to each client file.
What penalties are incurred for non-compliance with the Belgian AML law in 2026?
Administrative sanctions range from 250 euros to 5,000,000 euros for a legal person, or 10% of annual turnover if higher. Criminal penalties may be added: up to 5 years imprisonment and 1,250,000 euros fine for the most serious offences. Professional sanctions include withdrawal of authorisation and a ban on practising. Finally, sanctions are published on the competent supervisor's website, causing lasting reputational damage. SPF Economie regularly publishes its decisions against non-compliant company service providers.
Comments
Related articles

Notaries: verifying beneficial owners before an authentic act
Notaries are on the front line to block money-laundering setups via companies. Incorporation, merger, share transfer, real estate sale: every act demands enhanced UBO due diligence. Here is the complete checklist to secure an authentic act without burdening practice.

The Belgian trial period is back: what the Clarinval reform changes for SMEs from day one
On 21 May 2026, the Belgian Chamber voted to reinstate a trial regime covering the first six months of the employment contract. Notice cut to one week, written reasoning, scope limited to new contracts: what employers need to grasp before publication in the Moniteur belge.

Branch in Belgium and the UBO register: what the foreign company must do
A foreign company opening a branch in Belgium is not a Belgian company: the branch has no separate legal personality. That changes everything for the UBO register. Find out who must declare what, and why a Belgian SRL subsidiary offers a cleaner compliance footprint.
