KYC.IO

Global Regulations and Requirements for KYC Onboarding
(powered by KYC-Chain)

KYC to onboard domestic persons

namepermanent addressdate of birthplace of birthidentification number

KYC to onboard international persons

namepermanent addressdate of birthplace of birthidentity numberidentity documentssurname

corporate requirements

registered nameregistered seatregistration number

National ID card name

Osobna iskaznica

National ID Photo

back of national id photo back

Does the country have Esignature Laws?

Croatian Parliament Electronic Signature Act

E-sig law files

croatia.pdf

What year did the relevant AML laws and regulations become effective?

2009

Further details on AML regime

The Anti- Money Laundering and Terrorist Financing Act (Official Gazette No. 87/2008), based on the Third EU AML Directive, became effective on 1 Jan 2009. It replaced the previous Croatian AML legislation from 1997. It was amended by the Act on Amendments to the Act on Anti-Money Laundering and Terrorist Financing Act (Official Gazette 25/2012), however these amendments were of linguistic nature and did not bring any changes to the AML/TF procedures established by the original AML/TF Act. The new Criminal Code (Official Gazette 125/2011) came into force in January 2013 introducing new definitions of money laundering as a criminal offence (Article 265), terrorist financing and other related criminal offences (Articles 97 -103).

Who is the regulator for AML controls for Banking

The Croatian National Bank supervises banks and other credit institutions

Link to site

http://www.hnb.hr/novcan/pranje_novca_terorizam/e-pranje-novca-terorizam.htm

Other financial Services

The Croatian Financial Services Supervisory Agency (“HANFA”), conducts supervision of other financial services capital markets participants, funds, insurance companies, leasing and factoring companies etc. (http://www.hanfa.hr/) and the Financial Inspectorate of the Ministry of Finance regulates and supervises non-banking financial institutions such as exchange offices, money transfer services, etc. (http://www.mfin.hr/en/financial-inspectorate);

Website of Regulator

http://www.mfin.hr/en/financial-inspectorate , http://www.hanfa.hr/

Financial Sector regulator

http://www.mfin.hr/en/financialinspectorate , http://www.porezna-uprava.hr/en/Pages/default.aspx

Practical Guidance for AML

Yes

Practical guidance PDF's

Is there a requirement to verify the identity of customers retroactively?

Yes

Retroactive details

Yes, the current AML/TF Act contains provision which required customer due diligence to be conducted in relation to all existing customers where risk assessment indicated that ML/TF risk existed within one year after the effective date of Act i.e. until 01 Jan 2010. Every active customer has to be identified and the identity verified in accordance with the Act and related regulations.

Has the country been the subject of FATF mutal evaluation in the last 3 years?

Croatia has not been the subject of a FATF Mutual Evaluation or IMF assessment exercise in the last three years, however the assessment of the implementation of anti-money laundering and counterterrorist financing (AML/CFT) measures in Croatia was conducted by MONEYVAL. Please see Evaluation Report on Croatia (http://www.coe.int/t/dghl/monitoring/moneyval/evaluations/round3/MONEYVAL(2008)03Rep-HR3_en.pdf). Followed by the First Progress Report adopted on 18 Mar 2009 (http://www.coe.int/t/dghl/monitoring/moneyval/Evaluations/progress%20reports/MONEYVAL(2009)6ProgRep-HRV_en.pdf) and Second Progress report adopted on 13 Apr 2011(http://www.coe.int/t/dghl/monitoring/moneyval/Evaluations/Progress%20reports%202y/MONEYVAL(2011)4-ProgRep2HRV_en.pdf). The most recent MONEYVAL evaluation was conducted through an on-site visit from 17-23-NOV-2012 and the evaluation report on the 4th assessment visit to Croatia was adopted in Sep 2013: http://www.coe.int/t/dghl/monitoring/moneyval/Evaluations/round4/CRO4-MERMONEYVAL(2013)15_en.pdf Link to mutual evaluation of Croatia, confirming Croatia is a member of MONEYVAL: http://www.fatf-gafi.org/countries/a-c/croatia/documents/mutualevaluationofcroatia.html

PDF of FATF review

mutualevaluationofcroatia.html

Are there minimum transaction thresholds (Y/N)

Yes

More details on minimum transaction thresholds.

Yes, one-off transactions below HRK105,000 (approx. USD14,830) in total, whether carried out as a single operation or several linked transactions reaching the prescribed threshold. In addition, electronic money institutions from another Member State and branches of third-country electronic money institutions may be exempt from the obligation to carry out customer due diligence measures in the following cases: a) when issuing electronic money, if a single amount of a payment executed for the issuance of such money, on an electronic data carrier which may not be recharged, does not exceed the HRK equivalent of EUR150 (approx. USD160); and b) when issuing electronic money and dealing with electronic money, if the total amount of executed payments, stored on an electronic data carrier which may be recharged, does not exceed the HRK equivalent of EUR2,500 (approx. USD2,710) during a calendar year, except in the cases where the electronic money holder cashes the HRK equivalent of EUR1,000 (approx. USD1,090) or more during the same calendar year. Credit institutions may be exempt from the obligation to carry out the customer due diligence measures in the case of other products or transactions associated with them, which pose negligible ML/TF risks, provided they meet the conditions prescribed by an ordinance of the Minister of Finance. Insurance companies licensed for the performance of life insurance business, insurance companies from member-states with a business unit in Croatia or authorised to directly perform life insurance business in Croatia, pension companies, as well as legal entitles and individuals performing business or activity of insurance representation or intermediation for entering into life insurance agreements may be allowed not to carry out customer due diligence in the following cases: a) contracting life insurance policies in which the individual premium instalment or several insurance premium instalments to be paid within one year does not exceed a total HRK equivalent amount of EUR1,000 (approx. USD1,090), or in cases when single premium payment does not exceed the HRK equivalent value of EUR2,500; and b) contracting pension insurances providing that types of insurance are being contracted whereby it is not possible to transfer the insurance policy to a third person or use it as collateral for a credit or loan, and a contract is entered into with a closed-end pension fund if the employer pays the contributions into the voluntary pension fund on behalf of the fund’s members (no monetary threshold indicated). Institutions and persons may not be exempt from the obligation to carry out customer due diligence measures when there are grounds for suspicion of ML/TF with respect to a customer, product or transaction.

What are the requirements for customer identification information for individuals

a) full name and surname; b) permanent address; c) date of birth; d) place of birth; e) personal identification number; and f) name and number of the identification document, the name of the issuing authority.

Details to be Collected on Corporates

Verification of legal entities’ information is done through examining documentation from court or other public register. The following data should be collected and verified: a) registered name; b) registered seat (street and number, place and country); c) business registration number; d) full name and surname, permanent address, date of birth place of birth, personal identification number, name and number of the identification document, the name of the issuing authority of a legal representative/person acting on behalf of a legal entity on the basis of Power of Attorney; and e) name and surname, permanent address, date of birth and place of birth of the beneficial owner.

What are the high level requirements around beneficial ownership (identification and verification)?

The Croatian AML/FT Act defines beneficial owner as an individual who: a) ultimately owns or controls a legal entity through direct or indirect ownership or control of 25% plus one share of voting rights in that legal person, or otherwise exercises control over management of a legal person; b) with trust and foundations, a beneficial owner of 25% or more of the property rights of the legal transaction, or in whose main interest the transaction or legal person is set up or operates or who exercises control over 25% or more of the property rights of the legal transaction; or c) controls another natural person on whose behalf a transaction is being conducted or an activity performed. These individuals must be identified, and risk-based and adequate measures must be taken to verify their identities.

What circumstances are enhanced customer due diligence measures required?

Enhanced customer due diligence measures and enhanced ongoing monitoring is required in any situation which due to the nature of the business relationship, the form and manner of transaction execution, business profile of the customer or other circumstances associated with the customer can present a greater risk of money laundering or terrorist financing. Three specific types of relationships where enhanced due diligence measures must be applied are: a) where the customer has not been physically present for identification and identity verification purposes; b) in respect of a correspondent banking relationship with respondents from non-EU/EEA states; or c) in respect of a business relationship with a PEP.

How should FI's deal with Politically exposed persons

In any transaction or business relationship with a PEP from a country other than Croatia (‘a foreign PEP’).

What enhanced due diligence must be performed for correspondent banking relationships?

Enhanced due diligence measures must be applied in respect to correspondent relationship with a bank or other credit institution from a third country (non-Member States of the EU/EEA) and the following additional data and documentation must be gathered in the process: a) the date of issuance and validity period of authorisation to provide banking services, and the name and seat of a competent third-country authority that issued the authorisation; b) a description of the implementation of internal procedures relating to ML/TF prevention and detection, particularly the procedures of customer identity verification, beneficial owner identification, reporting to the competent bodies on suspicious transactions and customers, record keeping, internal audit and other procedures that the bank or other credit institution adopted in relation to ML/TF prevention and detection; c) a description of systemic arrangements in the field of the ML/TF prevention and detection in effect in a third country in which the bank or other credit institution has its seat or in which it has been registered; d) a written statement confirming that the bank or other credit institution does not operate as a shell bank; e) a written statement confirming that the bank or other credit institution neither has business relationships with shell banks established, nor does it establish business relationships or conduct transactions with shell banks; and f) a written statement confirming that the bank or other credit institution falls under the scope of legal supervision in the country of its seat or registration, and that it is required to apply legal and other regulations in the field of the ML/TF prevention and detection in accordance with that country's effective laws. In order to establish new correspondent banking relationships, a prior written approval of a credit institution's senior management must be sought. In the context of enhanced due diligence, credit institutions must obtain the following additional documentation: a) a written statement that the correspondent bank or other credit institution has verified the identity of a customer and that it conducts ongoing due diligence of customers who have direct access to payable-through accounts, and b) a written statement that the correspondent bank or other credit institution can provide, upon request, relevant data obtained on the basis of due diligence of customers having direct access to payable-through accounts.

Are relationships with banks who might be considered a 'shell' and without substance permitted?

Yes, they are specifically prohibited. Credit institutions are not allowed to establish or continue a correspondent relationship with a bank which operates or might operate as a shell bank or with another similar credit institution known to enter into agreements on opening and keeping accounts with shell banks.

In what circumstances is additional due diligence required for non face-to-face transactions and/or relationships?

Non-face-to-face transactions and/or relationships are considered higher risk of ML/TF by the Croatian AML/TF Act and other relevant regulations. Where a customer has not been physically present for identification purposes, enhanced customer due diligence must always be performed. In such cases, institutions and persons covered by the Croatian AML/FT Act must apply one or more of the following supplementary enhanced due diligence measures: a) obtain additional documents, data or information on the basis of which the customer’s identity shall be verified; b) additionally verify the submitted documents or additionally certify them by a foreign credit or financial institution; and/or c) apply a measure whereby the first payment within the business activity is carried out through an account opened in the customer’s name with the given credit institution. Establishing a business relationship without physical presence of the customer is not permitted, unless a reporting entity applied those additional measures. Pursuant to the Croatian AML/FT Act credit and financial institutions are obliged to pay special attention to any ML and/or TF risk which may stem from new technologies enabling anonymity (Internet banking, ATM use, tele-banking, etc.) and put policies in place and take measures aimed at preventing the use of new technologies for the ML/or TF purposes. They must have policies and procedures in place for risks attached with a business relationship or transactions with non-face-to-face customers and to apply them at the establishment of a business relationship with a customer and during the course of conducting customer due diligence measures which include the supplementary measures described above.

To whom are SAR's made? (suspicious activity reports)

Croatian Financial Intelligence Unit, Anti-Money Laundering Office

Link to website of SAR reporting

http://www.mfin.hr/en/anti-money-laundering-office

Other Suspicious or unusual transactions obligations.

Yes, besides an obligation to report suspicious transactions, there is an obligation to report to the Anti-Money Laundering Office on each transaction being conducted in cash totalling HRK200,000 (approx. EUR28,000 or USD30,430) and more immediately, and no later than within three days upon the execution of the transaction. The Act also mandates that a special attention is paid to all complex and unusually large transactions, as well as to each unusual transaction without an apparent economic or visible lawful purpose even when the reasons for suspicion of the ML/TF have not been detected. However if the reasons for suspicion are detected in relation to such transactions, they should be reported to the Office. In all instances when the customer seeks an advice from persons involved in the performance of professional activities on money laundering or terrorist financing, the persons involved in the performance of professional activities must immediately notify the Office thereof, and no later than within three business days from the date the customer sought for such an advice.

Are there any de-minimis thresholds below which transactions do not need to be reported?

No, every suspicious transaction, irrespective of its value or execution manner must be reported.

Are there any penalties for non compliance with reporting requirements e.g. tipping off?

Yes, there are penalties prescribed by the AML/TF for failure to comply with reporting requirements ranging from HRK25,000 (approx. EUR4,000 or USD4,350) to HKR700,000 (approx. EUR100,000 or USD108,700) for legal entities. In addition, monetary fines ranging from HRK1,500 (approx. EUR200 or USD218) to HRK30,000 (approx. EUR4,000 or USD4,350) are envisaged for members of the management board or other legal persons responsible for non-compliance with reporting requirements.

Are there any requirements (legal or regulatory) to use automated Suspicious Transaction monitoring technology?

Is there a requirement to obtain authority to proceed with a current/ongoing transaction that is identified as suspicious?

Yes. The institutions or persons are required to refrain from conducting of a suspicious transaction and to notify the AML Office of such a transaction without any undue delay before executing the transaction, indicating the reasons for suspicion of money laundering or terrorist financing as well as the deadline within which the transaction is to be conducted. Only in exceptional circumstances the reporting entity can proceed with a current/ongoing transaction before notifying the Office, if the Office could not be notified due to the nature of the transaction or due to the fact that the transaction was not executed or for other justified reasons. Nevertheless, the reporting entity is obliged to report the Office subsequently, and no later than the next business day following the execution of such transaction.

Does the local legislation allow transactions to be monitored outside the jurisdiction?

There are no provisions on monitoring transactions outside Croatia in the relevant AML/TF legislation.

Is there a legal requirement for a bank’s external auditor/other external organisation to report on the bank’s AML systems and controls?

No. Only a regular internal AML audit is required by the law.

If an external report on the bank’s AML systems and controls is required: a) how frequently must the report be provided?

N/A

To whom should the report on AML systems be submitted?

N/A

Is an AML system part of the financial statement audit?

N/A

What are the requirements for the content of this external report on a bank’s AML systems and controls? Does it require: a) sample testing of KYC files? b) sample testing of SAR reports? c) examination of risk assessments?

N/A

Data Protection Laws And Personal Data

yes

Data Protection for Corporate Data

Data protection for "sensitive Data" and additional protections.

yes; sensitive data is defined as information covering the racial or ethnic origin of the data subject, political opinions, religious or other beliefs of a similar nature membership of trade unions, physical or mental health or condition, sexual life and personal data regarding criminal and misdemeanour proceedings. In principle, such data cannot be processed, and derogation is tolerated under very specific circumstances. These circumstances include the data subject’s explicit consent to process sensitive data, carrying out legal obligations to which personal data filing system controller is subject, or if the data subject discloses such data on his/her own. Such data has to be specifically labelled and protected. Therefore, any information assets (information systems, computers) that store or process sensitive data are also assigned a high level of protection. The additional protections of sensitive data are set forth in the Regulation on the manner of storing and special measures of technical protection of the special categories of personal data (Official Gazette, No. 139/04).

Do any restrictions on the transfer of credit reports exist?

There is no specific reference in the law to the transfer of these reports for KYC purposes. However, any transfer of credit reports, criminal records and medical data should be done with strict observation of processing conditions set forth in the Personal Data Protection Act and other relevant data protection regulations e.g. credit reports transfer for credit risk analysis purposes to other credit institutions or to an institution established to collect and disseminate information on the creditworthiness of legal entities and individuals is not considered a violation of and secrecy obligations. Personal data contained in criminal records can only be processed under supervision of the competent authority. Medical record data must not be collected, processed or used without a prior written consent from a patient and can only be used for an in accordance with the purpose for which they were collected.

Regulator Acronym

HANFA

Year of last FATF mutual evaluation

2008, 2009, 2011, 2013, 2016

Field 67

additional documentsfirst payment in business activity

National ID card details

Compulsory for citizens of Croatia who have a permanent residence in Croatia and are at least 16 years old.

Compulsory?

National ID source

https://en.wikipedia.org/wiki/Croatian_identity_card

Passport Photo

practical Guidance yes / no

Is there a risk based approach

Legal Requirement

Requirement to proceed

Yes

requirement to use automated suspicious transaction tools

Who are SARS made to?

CFIU

shell banks

Yes

EDD for correspondent banking

Yes

PDF of case law

Minimum transactions

HRK 105,000

Min transaction USD

14830

Personal Data protection

Personal Data Protection Act

http://www.ceecprivacy.org/doc/law_croatia.pdf

If the AML laws and/or regulations became effective in the last 2 years, what were the requirements of the previous AML regime?

N/A

Non financial sector (e.g. casinos, high value goods etc.)

The Financial Inspectorate of the Ministry of Finance supervises professional activities sector (lawyers, notaries public, accountants, auditors, tax advisers) (http://www.mfin.hr/en/financialinspectorate) and the Tax Administration – organisers of games of chance and checking of domestic legal entities and individual's compliance with the prescribed limitation of cash payments in an amount exceeding HRK105,000, i.e. amount exceeding EUR15,000 in the arrangements with non-residents (http://www.porezna-uprava.hr/en/Pages/default.aspx).

Does the country have a risk based approach?

Yes.

Where copies of identification documentation are provided, what are the requirements around independent verification or authentication?

Identification and verification of an individual’s identity is done through examination of the original customer’s personal identification documents in the customer’s presence. In case of legal entities, identification and verification is performed by examining an original or a notarised copy of documentation from court or other public register presented by the legal person’s legal representative or person authorised by power of attorney. At the time of submission, the originals or the notarised copies of the required documentation must not be more than three months old. The legal entity’s identity can be also identified and verified by gathering the required data through a direct examination of court or other public register. The copy of the excerpt from the register examined directly must be endorsed i.e., the examiner must put date, time, his/her name and surname. While verifying customer’s identity, the institutions and persons performing identification and verification must first check the nature of a register from which data for the identity verification purposes are obtained. Identification and verification of the legal representatives of legal entities, persons who act on behalf of a legal entity on the basis of the Power of Attorney and representatives of the trust, foundations or NGOs is done thorough the examination of original personal identification documents of those persons in their presence. If the documents are insufficient to collect all prescribed data, the missing data are collected from other valid public document submitted by those persons i.e. from those persons directly. Beneficial owner’s identification and verification is done by examining the originals or notarised copies of documents from a court or other public register not more than three months old at the time of their submission. If those documents are insufficient for collecting data on beneficial ownership, then examination of the original or notarised documents and other business documentation supplied by the legal representative or person authorised by power of attorney is performed or data is collected directly from a written statement given by the customer’s legal representative or the person authorised by power of attorney.

Is there case law, other constitutional law or any other laws or regulations that may impact upon the transfer of information to this jurisdiction?

EU case law on data protection (European Court of Justice cases) has applied to Croatia since 01 Jul 2013 (accession date) and may impact on the transfer of information.

List of case law, constitutional law or any other laws or regulations that may impact upon the transfer of information.

Yes there is a bank secrecy section in the Credit Institutions Act and it is aimed at protecting the confidentiality of all information, facts and circumstances of which a credit institution becomes aware in the course of providing services to clients or in the course of business with individual clients. Banking secrecy obligations do not apply where confidential information is disclosed to the Anti-Money Laundering Office pursuant to the law governing the prevention of money laundering and terrorist financing.