SDD, CDD, and EDD under Czech AML Law: How to Conduct Proper Client Due Diligence and Avoid Costly Mistakes


Since January 1, 2021, the Czech Republic has implemented the provisions of the 5th Anti-Money Laundering Directive (AMLD5) into national legislation. Act No. 253/2008 Coll., on Certain Measures Against the Legalization of Proceeds of Crime (commonly referred to as the AML Act), governs the obligations of obliged entities with respect to customer identification and the prevention of money laundering.

At the heart of this framework is a risk-based approach to customer due diligence, which comprises three escalating levels:

SDD – Zjednodušená kontrola (Simplified Due Diligence)

CDD – Standardní kontrola (Standard Due Diligence)

EDD – Zesílená kontrola (Enhanced Due Diligence)

The correct application of each level is essential not only for regulatory compliance, but also to protect businesses from reputational, financial, and supervisory risks.


1. Simplified Due Diligence (SDD)

According to §13 of the AML Act, simplified due diligence (SDD) may only be applied when:

The risk of money laundering or terrorist financing is objectively low;

The product is simple and low-risk (e.g., prepaid cards with strict usage and value limits);

There are no signs of anonymity, opacity, or cross-border complexity.

To be eligible for SDD, these conditions must be fulfilled cumulatively. If any one element is missing or uncertain, standard due diligence (CDD) must be applied instead.


Common Misconception in Practice
Some obliged entities assume that a Czech (or more broadly, EU) residential address automatically qualifies a client for SDD. However, §13 of the AML Act requires a holistic risk assessment — and residency alone is not a sufficient risk-reducing factor.

In one case documented by the FAÚ, a Czech crypto exchange applied SDD uniformly to all clients with Czech addresses. One such client was later found to be involved in a structured laundering scheme using repeated transactions and third-party wallets. The lack of an individual risk assessment led to an official compliance investigation and forced the exchange to revise its AML framework.

Key takeaway: Czech or EU residency does not automatically equate to low risk. Risk must be evaluated based on the customer’s full profile — including behavioral patterns, transactional conduct, and country connections.


Illustrative Case: C. W. s.r.o. (Czech Republic)
A Czech-based crypto platform was mentioned in FAÚ reports in 2022 for applying SDD without adequate assessment of jurisdictional or behavioral risk factors. The platform applied simplified due diligence to all transactions under €1,000, without considering the clients’ country of origin or transaction patterns.

FAÚ identified evidence of structuring, i.e., payment fragmentation across multiple small transactions designed to evade standard due diligence thresholds. It was also found that the platform was being used to bypass basic KYC and monitoring controls.

Outcome: Even for low-value transactions, companies must assess and document the risk profile. SDD must never be applied solely based on transaction amounts — or based on residency alone — without a reasoned and documented risk assessment.

2. Standard Due Diligence (CDD)

Under §§9–11 of the AML Act, standard due diligence is mandatory in several key situations. It must be applied when a business relationship is established, for transactions of €1,000 or more, whenever there is suspicion of money laundering or terrorist financing, or when neither simplified nor enhanced due diligence is applicable.

Common Mistakes in Practice
In practical application, many obliged entities misinterpret or incorrectly apply CDD obligations. Common errors include:

Delaying customer identification until after the €1,000 threshold is exceeded, rather than carrying it out at the point of the transaction;

Assuming that repeated low-value transactions do not require CDD, even when the pattern clearly suggests structuring or so-called “smurfing” to avoid detection;

Failing to reassess existing customers over time, despite changes in transaction behavior or volume;

In the virtual asset sector, treating online or remote relationships as casual interactions rather than formal business relationships, thereby incorrectly bypassing full CDD requirements;

Applying simplified due diligence without satisfying its legal prerequisites, such as assuming that a Czech residential address alone constitutes low risk.

The key takeaway is that CDD is not a one-time formality. It must be applied consistently, promptly, and in a manner that reflects the actual risk profile of the client, the transaction context, and evolving patterns of activity.

Case: A. P. Exchange s.r.o. (Czech Republic)
A small virtual asset exchange based in Prague allowed users to purchase cryptocurrencies via its website by conducting repeated transactions under €1,000, thereby avoiding identity verification and CDD. The platform treated each transaction separately and failed to identify that this behavior constituted a clear pattern of structuring. In one example, a single client completed fifteen €950 transactions within 72 hours, with no KYC check or verification of the source of funds.

Although the firm argued that each transaction remained below the legal reporting threshold, FAÚ found that it had breached its obligations under §9 of the AML Act—specifically, the duty to recognize a business relationship, to detect suspicious activity, and to apply CDD based on behavioral risk. As a result, the exchange received a regulatory warning and was required to redesign its transaction monitoring system and implement automated structuring detection mechanisms. FAÚ emphasized that risk does not arise solely from the value of individual transactions but from behavioral patterns observed over time.
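The structuring pattern in this case (many individually sub-threshold purchases that only become visible when aggregated over time) is exactly what a transaction-monitoring rule has to catch. The following Python is an added example, not code from the exchange, the FAÚ or the article; it assumes a 72-hour look-back window, a minimum of three transactions per window, and constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

CDD_THRESHOLD_EUR = 1000.0   # per-transaction CDD threshold named in the article (§9 AML Act)
WINDOW = timedelta(hours=72)  # look-back window; assumed tuning value (matches the 72 h in the case)
MIN_TXNS = 3                  # assumed: fewer sub-threshold transactions is not yet a pattern

@dataclass(frozen=True)
class Txn:
    client_id: str
    ts: datetime
    amount_eur: float

def find_structuring(txns, threshold=CDD_THRESHOLD_EUR, window=WINDOW, min_txns=MIN_TXNS):
    """Flag clients whose individually sub-threshold transactions cumulatively reach the CDD
    threshold within `window`. Returns {client_id: (first_ts, last_ts, count, total)}."""
    by_client = defaultdict(list)
    for t in txns:
        if t.amount_eur < threshold:  # a transaction >= threshold already triggers CDD on its own
            by_client[t.client_id].append(t)
    alerts = {}
    for cid, rows in by_client.items():
        rows.sort(key=lambda t: t.ts)
        start, total = 0, 0.0
        for end, t in enumerate(rows):
            total += t.amount_eur
            while t.ts - rows[start].ts > window:  # slide the window start forward
                total -= rows[start].amount_eur
                start += 1
            count = end - start + 1
            if count >= min_txns and total >= threshold:
                if cid not in alerts or count > alerts[cid][2]:  # keep the widest qualifying window
                    alerts[cid] = (rows[start].ts, t.ts, count, round(total, 2))
    return alerts

def sample_transactions():
    """Constructed sample data (not taken from any regulatory file)."""
    t0 = datetime(2024, 3, 1, 9, 0)
    txns = [Txn("C-1", t0 + timedelta(hours=4 * i), 950.0) for i in range(15)]  # structuring
    txns += [Txn("C-2", t0, 300.0), Txn("C-2", t0 + timedelta(days=7), 300.0)]  # too few, too far apart
    txns += [Txn("C-3", t0, 1200.0)]                                             # over threshold: plain CDD
    txns += [Txn("C-4", t0 + timedelta(hours=48 * i), 400.0) for i in range(3)]  # spread beyond the window
    return txns

if __name__ == "__main__":
    for cid, (first, last, n, total) in find_structuring(sample_transactions()).items():
        print(f"{cid}: {n} sub-threshold transactions totalling EUR {total} between {first} and {last}")
```

Only C-1 is flagged: its fifteen €950 purchases fall inside one 72-hour window, while C-4's purchases are spaced so that no window ever holds three of them.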


3. Enhanced Due Diligence (EDD)

When is it necessary?
According to §11 of the AML Act, enhanced due diligence (EDD) must be applied in situations where the client or transaction poses a higher-than-usual risk of money laundering or terrorist financing. This includes dealings with politically exposed persons (PEPs), their close associates or family members, as well as clients from high-risk third countries or those using offshore entities. It also applies when the client’s transaction behavior is inconsistent with their known profile or where risk is elevated due to the nature of the product, geographic exposure, or delivery channel.

Common Mistakes in Practice
Frequent errors include:

Failing to recognize and classify a customer as a PEP, especially when the individual holds public office in a non-EU country or when the PEP relationship is indirect (such as a spouse or business associate);

Neglecting to apply EDD to clients with offshore ownership structures, or to those transacting from or into jurisdictions identified by FATF or EU lists as high-risk;

Assuming that a standard CDD process is sufficient for high-value transactions as long as initial KYC documents are collected; where the source of funds is not clearly verified and senior management approval is missing, such practices fall short of EDD standards;

Relying too heavily on automated systems that may fail to trigger EDD flags, especially in cases involving complex behavior or sophisticated actors.

The essence of EDD lies in a deeper and more proactive investigation. It must not only verify identity but also substantiate the legitimacy of the client’s financial activity and the provenance of their assets.

Case: Anonymized Crypto Exchange (Czech Republic)
A Czech-based exchange onboarded a high-net-worth client who was later identified as a PEP from a Central Asian country. The client submitted Czech residency documents and conducted several large crypto transactions totaling over €100,000, yet the platform failed to classify the individual as a PEP. No source-of-funds verification was performed, nor was the onboarding decision escalated to senior management as required. FAÚ initiated an administrative review. The firm was instructed to revise its PEP-screening procedures and implement a tiered EDD protocol for high-risk profiles.

Case: B. (EU / Czech Republic)
A major international crypto exchange operating across several EU jurisdictions came under scrutiny when regulators in Germany, Belgium, and the Netherlands found that its automated KYC/CDD system did not reliably detect PEPs or identify beneficial owners hidden behind offshore structures. The company had allowed clients from high-risk third countries to access services without performing enhanced checks. As a result, the firm withdrew from several markets, including the Czech Republic, and was forced to restructure its EU operations. It also redesigned its internal EDD processes, introducing human oversight for high-risk accounts.

Case: R. (Lithuania / United Kingdom)
A prominent fintech platform was criticized by Lithuanian and UK regulators for failing to apply EDD to clients with links to offshore jurisdictions. Several high-volume users were onboarded without documented verification of their source of wealth or funds. Following the regulatory intervention, the firm implemented manual EDD reviews for certain categories of clients, revised its risk-scoring model, and added additional PEP screening filters to its onboarding workflow.

Case: N. M. E. L. (Cyprus)
A licensed investment firm in Cyprus was fined €150,000 by CySEC for failing to apply EDD in cases where clients were using complex offshore structures with undisclosed beneficial owners. The company had relied on basic CDD, despite obvious red flags concerning transparency and jurisdictional risk. In addition to the monetary penalty, the firm had to revise its onboarding policies and was restricted from onboarding clients from several high-risk regions until its internal compliance procedures were overhauled.


SDD, CDD, and EDD: Applying Risk-Based Due Diligence Correctly

In the Czech Republic, as across the EU, customer due diligence is the cornerstone of AML compliance. The AML Act mandates a risk-based approach, requiring obliged entities to apply Simplified (SDD), Standard (CDD), or Enhanced (EDD) due diligence depending on the customer’s risk profile, transaction type, and other contextual factors.

Each level serves a distinct purpose and must be applied with care:

SDD may only be used in strictly low-risk scenarios where all legal criteria are simultaneously met. It is not meant for broad application and must be supported by documented, individualized risk assessments. Misuse of SDD — for example, based solely on residency or transaction size — has led to regulatory findings and enforcement actions.

CDD is the default standard and must be applied consistently when establishing a business relationship, processing transactions of €1,000 or more, or where SDD or EDD are not applicable. Delaying CDD, overlooking cumulative risks, or failing to reassess clients over time are common mistakes that weaken AML controls.

EDD is a mandatory safeguard for high-risk relationships — such as with PEPs, clients from high-risk third countries, or cases involving complex or unusual financial behavior. It requires deeper investigation into source of funds, beneficial ownership, and must often include senior management approval.

The misapplication of any of these levels — whether through overreliance on automation, failure to detect structuring, or neglecting jurisdictional and behavioral risk — can result in regulatory sanctions, audit failures, and reputational damage. Supervisory authorities like FAÚ and ČNB are increasingly proactive in monitoring how firms apply due diligence in practice.

Disclaimer

This article is intended for informational purposes only. 

Company references are anonymized and based on publicly available regulatory events or media coverage. 

The author makes no claim regarding liability or wrongdoing by any entity mentioned. Interpretations should not be taken as legal conclusions unless confirmed by final regulatory or judicial decisions.