Compliance requirements by country

Jurisdiction briefs

Select a jurisdiction to review onboarding obligations, sanctions authorities, and record retention requirements. All pages include FAQ structured data to support search discoverability.

• European Economic Area

  EEA firms follow the EU’s Anti-Money Laundering Directives (AMLD IV, V, and forthcoming AMLD VI), requiring risk-based CDD, beneficial ownership verification through national registers interconnected under the Beneficial Ownership Register Interconnection System (BORIS), and harmonised screening obligations across EU and EEA states.

  PEP scope

  The EU definition in Article 20 of AMLD IV applies, covering prominent public functions in EU institutions, member states, and third countries, including family members and close associates. Member states may set shorter de-risking periods once a PEP leaves office.

  Record retention

  AMLD IV Article 40 sets a minimum retention of five years for customer due diligence records, with member states able to add five additional years when proportionate. Firms must document retention rationales in their AML policies.

  View European Economic Area guide

• France

  French Monetary and Financial Code (Code monétaire et financier, Articles L561-1 to L561-45) mandates identification, beneficial ownership verification, and risk scoring before onboarding. ACPR and Tracfin require written procedures and customer risk segmentation aligned with EU AMLD standards.

  PEP scope

  Politically exposed persons follow Article R561-18, covering national and foreign public officials, members of parliament, senior executives of state enterprises, and high-ranking judicial officers, including close family and associates. Enhanced scrutiny continues for at least 12 months after a PEP exits public office.

  Record retention

  Article L561-12 requires retaining KYC files, copies of supporting documents, and transactional evidence for five years following the termination of the business relationship, after which information must be deleted unless another legal basis exists.

  View France guide

• Germany

  The German Anti-Money Laundering Act (Geldwäschegesetz – GwG) obliges obligated entities to identify customers, determine beneficial ownership, and assess risk before establishing a business relationship. BaFin guidance requires risk-based verification, video-identification standards, and screening against multiple AML data sources.

  PEP scope

  Politically exposed persons include individuals entrusted with prominent public functions domestically or abroad, their family members, and close associates as defined in §1(12) GwG. Enhanced measures apply for state-level officials, federal parliamentarians, supervisory board members of state-owned enterprises, and EU institution leadership.

  Record retention

  Record-keeping under §8 GwG and §12 GwG requires retaining identification data, supporting documents, and transaction records for five years after the end of the business relationship, with secure deletion afterwards unless other laws require retention.

  View Germany guide

• Lithuania

  The Law on the Prevention of Money Laundering and Terrorist Financing (No. VIII-275) and Bank of Lithuania guidance require risk-based customer identification, verification through national eID or equivalent, and screening of ultimate beneficial owners using the JANGIS register.

  PEP scope

  Article 2(18) defines PEPs to include heads of state, ministers, MPs, Supreme Court judges, military leaders, and management of state-owned enterprises, along with immediate family members and close associates. Obliged entities must update risk assessments annually for domestic PEP relationships.

  Record retention

  Article 19 stipulates retention of customer identification data, account files, and transaction records for eight years after the business relationship ends, with a possible extension to ten years subject to Money Laundering Prevention Commission approval.

  View Lithuania guide

• Spain

  Law 10/2010 on the prevention of money laundering and terrorist financing, supported by Royal Decree 304/2014, requires financial institutions and designated non-financial businesses to verify identity before establishing business relationships, classify customer risk, and maintain documented AML programs reviewed by SEPBLAC.

  PEP scope

  Article 14 of Law 10/2010 mirrors FATF guidance, covering national and foreign public officials, senior judiciary, armed forces leadership, state enterprise executives, and close family and associates. Enhanced due diligence extends for two years after the individual leaves office.

  Record retention

  Article 25 mandates retaining copies of identification and transaction records for ten years from the termination of the relationship, ensuring immediate availability to SEPBLAC upon request.

  View Spain guide

• United Kingdom

  The Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 require firms to apply risk-based customer due diligence, verify beneficial ownership via Companies House or equivalent data, and document policies aligned with FCA and HM Treasury guidance.

  PEP scope

  Regulation 35 aligns with FATF definitions, covering UK and non-UK PEPs, family members, and known associates. The FCA expects proportionate treatment for domestic PEPs while still applying enhanced ongoing monitoring.

  Record retention

  Regulation 40 requires keeping CDD records for five years from the end of the business relationship, after which personal data must be deleted unless other UK legal obligations require retention.

  View United Kingdom guide

Next steps for regulated teams

• Platform teams: Connect AML data providers to AutoKYC’s unified API and configure rules for domestic screening intervals.
• Operations leaders: Route ODD and EDD workloads to AutoKYC managed analysts with documented SLAs and escalation voting.
• Risk owners: Export immutable audit logs and consent artefacts for regulators and banking partners.