CompanyBelgium

AML module: SPF Economie compliance for company service providers

3-step UBO cascade, daily-synced sanctions lists, training register, domiciliation contracts: everything required by the Belgian AML Act of 18 September 2017 and the Royal Decree of 31 July 2020 is now wired into Company Belgium.

May 8, 20269 min read

In brief

Company Belgium's AML module fully covers the obligations of the Belgian Act of 18 September 2017 for company service providers (CSPs): a 3-step UBO cascade, daily sanctions list screening, a training register and domiciliation contracts compliant with the Royal Decree of 31 July 2020. It is designed so that an SPF Economie inspection goes without surprises.

Why this module exists

If your activity is listed under the Belgian Act of 29 March 2018 (registered-office domiciliation, providing a business address, share-cession brokerage), you are a company service provider (CSP) — and an obligated entity under the Act of 18 September 2017 on prevention of money laundering and terrorist financing.

The Economic Inspectorate of the SPF Economie can audit your compliance at any time. Penalties reach €1,250,000 (administrative) or €2,250,000 (criminal). When you run a fiduciary office or a domiciliation business, the operational risk isn't the audit itself — it's discovering on audit day that you forgot to log UBO register consultations across 18 months of files.

That's exactly the gap we just closed.

The five pillars, and where they live in Company Belgium

SPF Economie groups obligations into three families: organisation, vigilance, retention. Our module now covers all of them.

1. Organisation (art. 3)

  • Risk assessment — global (internal procedure) and per-client (AMLAssessment with score 1.0–10.0, level LOW/MEDIUM/HIGH)
  • AML Officer — dedicated AML_OFFICER company role, appointed by OWNER, electronic signature with one-time code
  • TrainingAMLTrainingRecord log: who was trained, on what topic, by whom, with uploadable proof

2. Vigilance (art. 4)

The hardest part to audit, and the heart of the module:

  • Client identification (NP/LE): first name, last name, date and place of birth (often missed), address, BCE number, etc.
  • Mandataries: dedicated AMLMandataire model for lawyers, accountants, fiduciaries representing the client. Identity + mandate scope + supporting document.
  • Beneficial owners (UBO) — 3-step cascade: the most common pitfall. Detailed below.
  • Sanctions screening: against EU consolidated, UN, OFAC, SPF Finances. Daily. Trail kept 10 years.
  • Ongoing vigilance: periodicities aligned with law (HIGH = 12 months, MEDIUM = 36, LOW = 60). Cron notifications 30 days before expiry.
  • CTIF declaration: PDF generation + goAML XML export (CTIF's official format for electronic submission).

3. 10-year retention (art. 5 + Royal Decree 31/07/2020)

  • AMLAssessment.retentionUntil set to createdAt + 10 years
  • AMLAuditLog append-only (never deleted, even after 10 years — it's the forensic journal)
  • GDPR purge cron after the retention window
  • For domiciliation specifically: contract + amendments + mail-carrier invoices + phone call log, all kept 10 years after relationship ends

The 3-step UBO cascade — the most common mistake

Art. 4.1.3 mandates a sequential cascade:

  • ≥ 25% of capital or voting rights (DIRECT_25 or INDIRECT_25)
  • Failing that: control by other means (shareholder agreement, statutes)
  • Last resort only: senior managers
  • Many fiduciaries directly identify directors as UBO — which doesn't survive an audit. Our submission flow blocks if:

    • no UBO is recorded for a legal entity
    • the cascade only contains SENIOR_MANAGER entries without EDD justification ≥ 30 characters
    • the UBO register has never been consulted

    Three technical guardrails for an audit-ready outcome.

    Sanctions screening: 4 sources, auto-updated

    Manual screening via a yes/no question is no longer defensible. The module now ingests:

    SourceUpdateTargets covered
    EU consolidated (CFSP/FSF)Daily~6,000 entities, Russia/Ukraine, terrorism
    UN Security CouncilDaily~1,000 individuals + entities (Al-Qaida, ISIS, DPRK...)
    OFAC SDN List (US Treasury)Daily~19,000 entries
    SPF Finances Belgian national listSemi-annual~165 Belgian designations

    A cron job (04:45 daily) fetches the official sources, hashes the payload, only imports on actual change. Each AMLSanctionsCheck records the list version used and the outcome (CLEAR / POTENTIAL_MATCH / CONFIRMED_MATCH) — dated evidence kept for 10 years.

    Matching is intentionally conservative: substring + normalised Levenshtein (threshold 0.8) → every potential hit surfaces for human decision. No silent matches.

    Domiciliation: the extra obligations from RD 31/07/2020

    If you provide a business address, the Royal Decree adds three mandatory artefacts that SPF Economie systematically checks:

    • The domiciliation contract + all amendments → DomiciliationContract (10 years after termination)
    • Detailed carrier invoices for mail forwarding → MailForwardingInvoice
    • Phone call log for calls made/received on behalf of the client → ClientCallLog

    All linked to the partner (CRM) and the corresponding AML assessment. A contract cannot be deleted — it must be terminated (terminatedAt), with retention auto-recomputed to terminatedAt + 10 years.

    Who is this for?

    • Fiduciaries and accountants wanting to industrialise their KYC files without missing a step
    • Domiciliation offices that must prove real services (not just rent an address)
    • Lawyers acting as mandataries who need to log their interventions
    • Any director of an SRL/SA who wants an SPF audit to go smoothly

    Getting started

  • Enable the AML / KYC module from the "Modules" tab in your workspace
  • Designate your AML Officer (OWNER only)
  • Validate the structured internal procedure (template provided)
  • Launch your first assessment — the BCE record is auto-filled via the Company Belgium API
  • Everything is designed so an SPF Economie audit unfolds like a tax audit: open the screen, export the artefacts, answer the questions. No more hunting for misplaced PDFs.

    See also our guide on politically exposed persons verification and the full domiciliation center support page.

    Frequently asked questions

    What AML obligations apply to company service providers (CSPs) in Belgium?

    CSPs are subject to the Belgian Act of 18 September 2017 and the Royal Decree of 31 July 2020. They must identify clients and beneficial owners (UBOs) through a 3-step cascade, maintain a training register, screen sanctions lists daily and keep all documents for 10 years. SPF Economie is the competent supervisory authority.

    How does the mandatory 3-step UBO cascade work under Belgian AML law?

    The sequential UBO cascade first requires identifying persons holding 25% or more of capital or voting rights. Failing that, control by other means such as a shareholder agreement is sought. Only as a last resort can senior managers be designated as UBO, provided a documented justification of at least 30 characters is supplied.

    What are the sanctions for AML non-compliance for a domiciliation center in Belgium?

    Administrative sanctions can reach 1,250,000 euros and criminal sanctions 2,250,000 euros. On recurrence, amounts are doubled and named publication on the SPF Economie website amplifies the reputational impact. Missing AMLCO, unverified UBO cascade or failure to report to CTIF are the most frequently sanctioned breaches.

    How does Company Belgium automate AML compliance for Belgian CSPs?

    Company Belgium pre-fills client records from the BCE, tracks UBO register consultations and blocks submission until all mandatory steps are complete. Sanctions screening (EU, UN, OFAC, SPF Finances) runs daily at 04:45 and each result is retained for 10 years with the list version used. goAML generation for CTIF reporting is also built in.

    Ready to get started?

    Create your free account and get your API keys in minutes.

    Comments

    Loading comments…

    Leave a comment

    Not published — used only to notify you.

    Comments are moderated before publication.

    Related articles