AML vs KYC: differences, complementarity and obligations in Belgium (2026)
AML and KYC are often confused. Yet one frames the prevention of money laundering as a whole (AML / CTF), while the other focuses on client knowledge (KYC). Understanding the difference is the condition for real compliance — especially in Belgium, where the Act of 18 September 2017, CTIF, NBB, FSMA and the UBO register form a demanding ecosystem.
In brief
AML (Anti-Money Laundering) is the overall framework for fighting money laundering: risk assessment, KYC, transaction monitoring, CTIF reports, 10-year retention and training. KYC is a component of AML, focused on identifying the client at the start of the relationship. In Belgium, the Act of 18 September 2017 frames both, with CTIF, NBB, FSMA, SPF Economy and the UBO register as key actors.
AML and KYC: two acronyms, one goal
AML (Anti-Money Laundering) and KYC (Know Your Customer) are two complementary concepts often confused. The confusion is understandable: both appear in the same regulation, are supervised by the same authorities, and rely on the same tools (UBO register, BCE/KBO, transaction monitoring).
But they are two different things:
- AML is the overall framework: the body of legal, organisational and technical measures designed to prevent, detect and report money laundering and terrorist financing (CTF).
- KYC is a component of AML: the first step — identifying and verifying who the client is before any business relationship is entered into.
Put another way: KYC answers *"who is my client?"* — AML answers *"what is my client doing, and is it normal?"*
Comparison table: AML vs KYC
| Criterion | KYC (Know Your Customer) | AML (Anti-Money Laundering) |
|---|---|---|
| Goal | Identify and verify the client's identity | Prevent money laundering and terrorist financing |
| Scope | A subset of the AML framework | The full framework (policies, controls, reporting) |
| Timing | Before entering the relationship (onboarding) | Continuously throughout the relationship |
| Key activities | Document collection, identity verification, identification of the ultimate beneficial owner (UBO) | Transaction monitoring, suspicious-activity detection, reporting to the CTIF, 10-year retention |
| Outputs | KYC file, client record, UBO cascade | AML policy, risk-assessment register, suspicious-activity reports, audit reports |
| Belgian legal basis | Articles 21 to 34 of the Act of 18/09/2017 | Act of 18 September 2017 as a whole + Royal Decree of 30/07/2018 |
| Supervisor | SPF Economy, NBB, FSMA depending on the sector | CTIF (reports), SPF Economy, NBB, FSMA, ITAA (controls) |
| Frequency | At onboarding + periodic review | Permanent |
KYC is the entry act. AML is everything that follows to ensure the client stays within lawful operations.
AML, the full framework: 5 mandatory components
Belgian AML — framed by the Act of 18 September 2017 which transposes the EU directives 4AMLD, 5AMLD and now 6AMLD — rests on five pillars:
1. Risk assessment
Before anything else, each regulated entity must conduct an overall risk assessment (Article 16): which client types, which geographies, which products, which channels? The assessment drives the intensity of controls to apply.
2. KYC: client identification (entry vigilance)
Articles 21 to 34. This is where KYC in the strict sense takes place: collect the client's identity, verify it on supporting documents, identify the ultimate beneficial owner, and understand the purpose of the relationship. See our dedicated guide KYC in Belgium.
3. Ongoing transaction monitoring
Article 35. Once the client is onboarded, their operations must be subject to ongoing monitoring: detection of unusual flows, threshold scenarios, comparison with the declared profile. This is where we move beyond KYC into operational AML.
4. Reporting to the CTIF
Articles 47 to 54. Any operation raising a suspicion of money laundering must be reported to the CTIF (Belgian Financial Intelligence Unit). See our guide reporting to the CTIF.
5. Retention, training, audit
Articles 60 to 66. Record retention for 10 years, periodic team training, regular internal audits. Without these foundations, the framework collapses at the first inspection.
KYC is therefore one — essential — piece of a larger puzzle.
Why KYC is the most visible step
If confusion between AML and KYC is so common, it is because KYC is the visible part of the framework:
- It is the step that directly involves the client (they hand over documents and sign the form)
- It is the first thing a supervisor looks at during an inspection
- It is also the easiest to criticise: a missing document, an undocumented UBO cascade, and the sanction follows
But an excellent KYC is not enough. If transaction monitoring is poor after onboarding, or if atypical operations are not reported to the CTIF, the AML framework is in breach too — even if the entry file is perfect.
Who is concerned in Belgium?
The Act of 18/09/2017 lists about twenty categories of regulated entities. For each, AML and KYC are mandatory:
- Credit institutions and investment firms (supervised by the NBB and FSMA)
- Life insurance companies (FSMA)
- Notaries, lawyers, bailiffs, statutory auditors
- Accountants, certified accountants, tax advisors (ITAA)
- Real-estate agents (IPI)
- Trust and company service providers: domiciliation agents, fiduciaries
- High-value goods dealers (gold, precious stones, artworks above thresholds)
- Casinos and gambling operators
- Virtual-asset service providers (crypto, since 2020)
Each category is overseen by a distinct supervisor: NBB, FSMA, SPF Economy, ITAA, IPI, etc. But the endpoint remains unique: the CTIF, which receives all suspicious-activity reports regardless of sector or origin.
The Belgian framework: what international competitors don't tell you
Most generic AML/KYC articles discuss the US Bank Secrecy Act or France's Tracfin. In Belgium, the ecosystem has its own actors and tools:
- CTIF (Cellule de Traitement des Informations Financières) — the Belgian financial intelligence unit, equivalent of France's Tracfin. All suspicious-activity reports converge here. Mandatory format: goAML XML since 2020.
- NBB (National Bank of Belgium) — supervises credit institutions, life insurers, investment firms, exchange offices and virtual-asset service providers.
- FSMA (Financial Services and Markets Authority) — supervises insurance intermediaries, social and "other" lenders, fund management companies.
- SPF Economy — supervises domiciliation agents, fiduciaries, dealers in valuable goods and other non-financial regulated entities.
- ITAA (Institute for Tax Advisors and Accountants) — supervises accountants and certified accountants.
- Belgian UBO Register — national centralised register of ultimate beneficial owners of Belgian companies, run by the SPF Finance. Mandatory consultation for any company KYC.
- BCE/KBO (Crossroads Bank for Enterprises) — the official source for identifying any Belgian entity: enterprise number, denomination, registered office, directors, NACE codes, establishments.
This mosaic makes Belgian AML more complex to orchestrate than a purely French or Anglo-Saxon framework. But it also offers an advantage: everything is centralised in accessible official registers, and the sources are canonical.
Client file life cycle: where KYC ends, where AML begins
To clarify the boundary, here is the typical sequence:
KYC is therefore an event; AML is a flow.
Technical tools: where the two converge
A modern AML/KYC framework relies on the same toolbox:
- BCE/KBO API to pre-fill Belgian company identities (KYC) and detect changes in real time (continuous AML)
- UBO register API for the beneficial-owner cascade (KYC) and its periodic review (AML)
- Sanctions lists (EU, UN, OFAC) consulted at KYC and then periodically
- PEP lists (politically exposed persons) — initial and ongoing verification
- Rules engine for transaction monitoring and atypical-operation detection
- Encrypted, timestamped digital vault with traceable access for 10-year retention
Modern RegTech solutions integrate all these building blocks. On the Belgian market, direct access to BCE/KBO is what sets a local solution apart from a generic tool.
Sanctions: what the confusion costs
Confusing AML and KYC in practice leads to two types of sanctionable mistakes:
- Perfect KYC, weak AML: excellent entry files, but no ongoing monitoring → breach of Article 35. Administrative sanction up to €1,250,000 per infringement for legal persons (and higher under NBB/FSMA scales), with possible publication of the sanction.
- Theoretical AML, sloppy KYC: written policies but incomplete client files → breach of Articles 21 to 34. Sanction of the same order, and reversal of the burden of proof if the authority finds the organisation did not demonstrate vigilance.
In both cases, the personal liability of designated AML officers (often directors) can be triggered. The law targets legal persons and natural persons in charge.
FAQ: the most-asked questions
What is the difference between KYC and AML?
KYC is the step of identifying and verifying the client at onboarding (who is this client? are they who they claim to be? who is their ultimate beneficial owner?). AML is the overall framework for fighting money laundering, of which KYC is only one component: it also includes ongoing monitoring, detection of suspicious operations, reporting to the CTIF, retention and training.
What is AML compliance?
AML compliance is meeting all the obligations imposed by the Act of 18 September 2017 and its implementing decrees: risk assessment, KYC, monitoring, reports to the CTIF, 10-year retention, team training, internal audit. Every regulated entity (bank, notary, accountant, domiciliation agent, etc.) must be able to demonstrate its framework to the supervisor.
What is KYC compliance?
It is compliance with Articles 21 to 34 of the Act of 18/09/2017: for every client, having a full identification file, verified on supporting documents, with UBO cascade and risk assessment, retained for 10 years. It is a subset of AML compliance.
What are the KYC obligations in Belgium?
Identify the client (name, date of birth, address, national register number for individuals; denomination, BCE number, legal form, registered office for companies), verify this information on supporting documents (ID document, BCE/KBO extract, UBO register), identify the ultimate beneficial owner, understand the purpose of the relationship, retain the file for 10 years and review it periodically.
Who supervises AML/KYC in Belgium?
Several authorities depending on the sector: the NBB for banks and life insurers, the FSMA for financial intermediaries and UCIs, the SPF Economy for domiciliation agents and dealers in valuable goods, the ITAA for accountants and certified accountants, the IPI for real-estate agents. All suspicious-activity reports converge to the CTIF.
Is KYC enough to be AML compliant?
No. An excellent KYC without ongoing monitoring, without suspicious-operation detection, without CTIF reporting in case of suspicion, and without retention/training remains an incomplete — therefore sanctionable — AML framework.
How long must a KYC file be kept in Belgium?
Ten years after the end of the business relationship (Article 60 of the Act of 18/09/2017). This obligation covers the KYC file, ID documents, UBO cascade, operations register and any CTIF reports.
How Company Belgium connects AML and KYC
Company Belgium unifies the AML/KYC chain for Belgian regulated professions:
- Accelerated KYC: automatic pre-fill from a BCE/KBO number — denomination, legal form, registered office, directors, NACE codes, history
- UBO cascade retrieved across 3 levels and automatically compared with the Belgian UBO register — discrepancies flagged
- Remote identification aligned with recognised Belgian standards (eID, itsme®, eIDAS)
- Ongoing monitoring: real-time alerts on BCE changes (new director, registered-office move, accounts filing, dissolution)
- Built-in risk assessment — client/product/geography matrix driving simplified or enhanced vigilance
- Encrypted, timestamped retention for 10 years, accessible during audit
- Full audit trail — every consultation, decision and update is logged
The goal: allow a lawyer, notary, accountant, domiciliation agent or fiduciary to move in a few minutes from an enterprise number to a complete KYC file, and keep that file alive throughout the relationship — without having to build and maintain the ongoing monitoring machinery themselves.
In summary
- KYC = who is my client? Entry step, Articles 21 to 34 of the Act of 18/09/2017.
- AML = my overall anti-money-laundering framework. Includes KYC, but also ongoing monitoring, CTIF reporting, retention, training and audit.
- In Belgium, the ecosystem involves CTIF, NBB, FSMA, SPF Economy, ITAA, IPI, the UBO register and BCE/KBO — a more specific framework than international generalities.
- Confusing the two exposes you to heavy administrative sanctions and personal liability for directors.
The right reflex: think of KYC as the foundation of AML, and invest as much in the quality of the entry file as in the monitoring that follows. The tools exist — they just need to be tuned to the Belgian framework, and that is precisely Company Belgium's focus.
Frequently asked questions
What is the difference between AML and KYC in Belgium?
KYC is the step of identifying and verifying the client at onboarding: who is this client, are they who they claim to be, who is their ultimate beneficial owner. AML is the overall anti-money-laundering framework of which KYC is only one component: it also includes ongoing transaction monitoring, detection of suspicious operations, reporting to the CTIF, 10-year file retention and team training. KYC answers who is my client, AML answers what is my client doing and is it normal.
What are the KYC obligations for regulated entities in Belgium in 2026?
Regulated entities must identify the client (name, date of birth, address, BCE number or national register number), verify this information on supporting documents, identify the ultimate beneficial owner via the 3-level UBO cascade, understand the purpose of the relationship, assess the risk, and retain the file for 10 years. For PEPs or high-risk clients, enhanced due diligence measures apply. The legal basis is in Articles 21 to 34 of the Act of 18 September 2017.
Which authorities supervise AML and KYC in Belgium?
The NBB supervises banks and life insurers, the FSMA financial intermediaries and UCIs, the SPF Economy domiciliation agents and dealers in valuable goods, the ITAA accountants and certified accountants, the IPI real-estate agents. All suspicious-activity reports converge to the CTIF regardless of the sector supervisor. From 2027, technical standards will be harmonised at European level by AMLA from Frankfurt.
Is an excellent KYC enough to be AML-compliant in Belgium?
No. A perfect entry file without ongoing transaction monitoring, without suspicious-activity detection and without CTIF reporting when suspicion arises remains an incomplete and sanctionable AML framework. The administrative sanction can reach 1,250,000 euros per infringement for legal persons, and personal liability of directors can be triggered. AML is a permanent flow; KYC is only the entry act.
Comments
Related articles

Notaries: verifying beneficial owners before an authentic act
Notaries are on the front line to block money-laundering setups via companies. Incorporation, merger, share transfer, real estate sale: every act demands enhanced UBO due diligence. Here is the complete checklist to secure an authentic act without burdening practice.

The Belgian trial period is back: what the Clarinval reform changes for SMEs from day one
On 21 May 2026, the Belgian Chamber voted to reinstate a trial regime covering the first six months of the employment contract. Notice cut to one week, written reasoning, scope limited to new contracts: what employers need to grasp before publication in the Moniteur belge.

Branch in Belgium and the UBO register: what the foreign company must do
A foreign company opening a branch in Belgium is not a Belgian company: the branch has no separate legal personality. That changes everything for the UBO register. Find out who must declare what, and why a Belgian SRL subsidiary offers a cleaner compliance footprint.
