CompanyBelgium

Belgian Act of 18 September 2017: a complete guide to AML compliance for Belgian businesses

The Belgian Act of 18 September 2017 transposes the EU's 4th Anti-Money Laundering Directive. Here are the concrete obligations for regulated professions, the sanctions for non-compliance, and how to build a robust AML framework.

May 2, 20269 min read

In brief

The Belgian Act of 18 September 2017 imposes five fundamental obligations on all regulated professions (banks, notaries, accountants, domiciliation centers, real-estate agents…): identify and verify the client (KYC), assess individual risk, monitor the relationship over time, retain documents for 10 years, and report any suspicion to the CTIF/CFI. Penalties range up to 5 million euros in administrative fines.

The Belgian AML framework, in plain terms

The Belgian Act of 18 September 2017 on the prevention of money laundering and terrorist financing is the reference text in Belgium. It transposes the EU's 4th Anti-Money Laundering Directive (EU 2015/849), since complemented by the 5th (EU 2018/843) and 6th (EU 2018/1673).

The framework requires a whole range of regulated professions to identify their clients, assess money-laundering and terrorist-financing risks, keep records, and report any suspicious transaction to the CTIF/CFI (Financial Intelligence Processing Unit).

Beyond fifty-odd technical articles, the spirit of the text boils down to one requirement: you must know who your clients are, understand the economic logic of their operations, and document what you know.

Who is concerned?

Article 5 of the Act lists the regulated entities. In practice, two main families.

The financial sector

  • Credit institutions, investment firms, brokerage firms
  • Life insurance undertakings, insurance intermediaries
  • Currency exchange offices, payment service providers
  • Crypto-asset platforms (since the 5th Directive)

Non-financial professions

  • Notaries, bailiffs, lawyers (for certain activities)
  • Statutory auditors, accountants, tax advisers, certified bookkeepers
  • Real-estate agents (intermediation, property management)
  • Company service providers (domiciliation, incorporation, secretariat)
  • Dealers in high-value goods (gold, precious metals, art) above €10,000
  • Casinos, gambling operators

If you carry out any of these activities in Belgium, the Act applies — whatever the size of your structure, from the self-employed law office to the banking group.

The 5 cardinal obligations

1. Identify and verify the client (KYC)

Before entering into a business relationship, you must identify:

  • The client itself — name, date of birth, address for a natural person; denomination, BCE/KBO number, legal form for a legal person
  • The ultimate beneficial owner(s) — the natural person(s) who ultimately control the client (reference threshold: 25 % of capital or voting rights)
  • The agent acting on behalf of the client, if any

Identification must be verified based on supporting documents: ID card, BCE/KBO extract, UBO register, articles of association. Our practical KYC guide for Belgium details the UBO cascade and enhanced measures.

2. Assess the risk

Each business relationship undergoes an individual risk assessment for money laundering and terrorist financing. Usual criteria:

  • Type of client (PEP — politically exposed person, complex structure, high-risk jurisdiction)
  • Type of product or service (cash, international transfers, possible anonymity)
  • Distribution channel (remote vs. face-to-face)
  • Geographic zone (high-risk third countries listed by the European Commission)

The outcome drives intensity of measures: standard, simplified (low risk) or enhanced (high risk).

3. Monitor the business relationship

Initial identification is not enough. You must monitor over time the consistency of transactions with what you know about the client. An SME with modest turnover suddenly receiving six-figure international transfers must trigger a review.

4. Keep records

All identification and analysis documents must be kept 10 years after the end of the business relationship or the last transaction. Paper or electronic — what matters is traceability.

5. Report suspicions to the CTIF/CFI

As soon as a transaction raises suspicion — no proof required — you must submit a suspicious transaction report to the CTIF/CFI via its dedicated platform. The client must not be informed ("tipping-off" prohibition).

The UBO register: the cornerstone

Since 2019, every Belgian company must declare its ultimate beneficial owners to the UBO register managed by the SPF Finances. The 2017 Act makes it a central support of KYC verification: you must consult the register and flag any divergence between what it indicates and what your client declares.

For listed companies, foundations, non-profits and trusts, rules differ in detail but the logic is identical: who, in flesh and blood, pulls the strings?

Sanctions: what non-compliance really costs

The sanction toolkit is heavy, and it is enforced.

  • Administrative fines: from €250 to €5,000,000 for a legal person (or 10 % of annual turnover), pronounced by the competent supervisor (SPF Economie for non-financials, NBB or FSMA for the financial sector)
  • Criminal penalties: up to 5 years' imprisonment and €1,250,000 fine for the most serious offences (Article 137 of the Act)
  • Professional sanctions: withdrawal of authorisation, ban on practising
  • Publication of sanctions on the supervisor's website (major reputational impact)

SPF Economie sanctions against company service providers are published regularly — and worth knowing: a named sanction may explicitly cite earlier anonymous sanctions against the same entity, which de facto links successive fines.

Building a compliant AML framework: the checklist

  • Appoint an AMLCO (Anti-Money Laundering Compliance Officer) — mandatory role, with direct access to management
  • Draft a global risk assessment specific to your activity (clients, products, geography, channels)
  • Set up written procedures for KYC, UBO verification, monitoring, CTIF reporting, retention
  • Train staff — initial and ongoing training, written records mandatory
  • Audit the framework annually (internal or external depending on size)
  • Keep a log of assessment decisions, rejected files, CTIF reports
  • How Company Belgium helps you comply

    For regulated professions, Company Belgium offers an integrated platform covering every obligation of the Act of 18 September 2017:

    • BCE/KBO API to instantly identify and verify your corporate clients (extracts, directors, history, NACE codes)
    • Automated UBO consultation: full cascade down to the natural person, automatic comparison with the client's declarations
    • AML/KYC module: structured client files, preconfigured risk assessment, tracking of annual reviews
    • Timestamped 10-year archiving of records and decisions
    • goAML generation for your CTIF reports, directly from the client file
    • Training and decision register to materialise the AMLCO's work

    A single workspace, compliant by design, to turn a legal requirement into a controlled routine.

    Bottom line

    The Act of 18 September 2017 is demanding but its logic is clear: know your client, assess the risk, monitor, report. The sanctions are real, the supervisor is active. For regulated SMEs and self-employed professionals, the good news is that the obligations can be handled with integrated tools — BCE/KBO access, UBO lookups, electronic archiving, automatic goAML file generation — that make compliance manageable day-to-day.

    The cost of a robust framework is nothing compared to that of a sanction.

    Frequently asked questions

    Who is considered a regulated profession in Belgium under the Act of 18 September 2017?

    The Act of 18 September 2017 subjects to its obligations any person or entity carrying out an activity listed in Article 5, regardless of size. This includes banking institutions, notaries, lawyers (for certain activities), accountants, tax advisers, statutory auditors, real-estate agents, company service providers (domiciliation centers, fiduciaries), casinos and dealers in high-value goods above 10,000 euros, and crypto-asset platforms. A one-person accounting firm is as concerned as a large bank.

    What is the difference between standard due diligence and simplified due diligence in Belgium?

    Standard due diligence applies by default to every business relationship and includes full identification of the client, its UBO, understanding of the economic purpose of the relationship, and ongoing monitoring. Simplified due diligence is reserved for clients and products with demonstrated low risk, such as Belgian public bodies or life insurance products with modest premiums. It reduces review frequency but does not exempt from initial identification or ongoing monitoring. Enhanced due diligence applies in the opposite direction for high-risk profiles.

    How does one build a global AML risk assessment compliant with the Belgian Act of 18 September 2017?

    The global risk assessment must analyse four dimensions: client risks (client categories, PEP presence, complex structures), product and service risks (cash, international transfers, anonymity), distribution channels (face to face, remote, via intermediaries) and geographic zones (high-risk third countries identified by the European Commission). The document must be signed by management, dated and reviewed at least annually. It serves as the basis for calibrating the due diligence level applicable to each client file.

    What penalties are incurred for non-compliance with the Belgian AML law in 2026?

    Administrative sanctions range from 250 euros to 5,000,000 euros for a legal person, or 10% of annual turnover if higher. Criminal penalties may be added: up to 5 years imprisonment and 1,250,000 euros fine for the most serious offences. Professional sanctions include withdrawal of authorisation and a ban on practising. Finally, sanctions are published on the competent supervisor's website, causing lasting reputational damage. SPF Economie regularly publishes its decisions against non-compliant company service providers.

    Ready to get started?

    Create your free account and get your API keys in minutes.

    Comments

    Loading comments…

    Leave a comment

    Not published — used only to notify you.

    Comments are moderated before publication.

    Related articles