AML Compliance for E‑Shops Selling Luxury Goods and Investment Gold
Selling high-value goods such as jewellery, luxury watches, or investment gold shifts e-shops from the role of an ordinary retailer to that of a financial institution. Meeting the requirements of the AML Act places you under a new compliance regime, including customer identification and reporting suspicious transactions. Neglecting these obligations brings the risk of substantial fines and reputational damage. This article summarises how to comply with the AML Act and minimise risks.

Key takeaways
The so-called AML Act (Act No. 253/2008 Coll.) applies to e‑shops selling high-value goods at the moment they become an “obliged entity” from a legal perspective—typically as a trader in goods accepting cash payments of EUR 10,000 or more, or as a trader in precious metals or precious stones.
This moment does not mean just a single formal entry in a register, but opens up an entire package of obligations: to identify and verify customers, prepare a system of internal policies and risk assessment, continuously monitor transactions, and report suspicious transactions to the FAÚ (the Czech Financial Analytical Office).
In recent months, there have been significant AML developments in the Czech Republic and in the EU—for example, an expansion of the scope of obliged entities, stricter rules for politically exposed persons (PEPs), and the adoption of a new European AML package effective from 2025–2027, which will also affect online sales of high-value goods.
The AML Act and e‑shops selling high-value goods: Where e‑commerce meets regulation
AML regulation was originally designed primarily for banks and other financial institutions, but over recent years it has shifted very strongly into the world of ordinary business, including e‑commerce. The key Czech regulation is the AML Act, the purpose of which is to prevent the misuse of the financial system for the legalisation of proceeds of crime and the financing of terrorism, while also creating conditions for the effective detection of these phenomena.
An e‑shop selling high-value goods can serve as a potential channel through which “dirty” money is converted into luxury goods that are easy to resell or move to another country, often with a minimal trace. E‑commerce in itself does not trigger AML obligations, whether in a B2C, B2B, or other e‑commerce model. What matters is the nature of the goods sold, the payment method, and the transaction amounts. The AML Act defines the group of so-called obliged entities—i.e., entities that must apply preventive measures, in particular customer identification and verification, maintain an internal system of policies, and report suspicious transactions.
In addition to banks, these entities include, for example, traders in precious metals and precious stones, as well as traders in goods in the case of cash transactions of EUR 10,000 or more. For e‑shops selling high-value goods, the key point at the boundary between an “ordinary” trader and an obliged entity is precisely the moment when they accept or are about to accept cash payments (typically upon personal collection) of at least EUR 10,000, or when they meet other conditions for inclusion among obliged entities.
This is not only about the amount of a single payment—the legislation also takes into account that transactions may be artificially split, for example through a series of smaller payments or by spreading purchases among multiple persons, and this too may be a sign of a suspicious transaction. From an AML perspective, what matters is therefore not only the e‑shop as such, but also how the payment method, delivery, and contract conclusion process are set up.
A specific role is also played by the overlap between the AML Act and the Act on Limitation of Cash Payments (the so-called ZOPH), which imposes on all persons—entrepreneurs and non-entrepreneurs alike—the obligation to make payments above CZK 270,000 cashless. ZOPH therefore applies to a broader range of entities and situations than AML, but it pursues a different objective; AML regulation, by contrast, works with a narrower group of obliged entities, but sets much deeper obligations of prevention, control, and reporting. For an e‑shop selling high-value goods, it is therefore important to understand both regimes at the same time and not to view AML as merely “another version” of cash limits.
From 2024, extensive changes at the European Union level are taking effect: the new AML package, including the AMLR Regulation and the establishment of the EU Anti-Money Laundering Authority (AMLA). These European rules will become fully effective around 2027, but the Czech AML Act is already gradually adapting to them—for example by expanding the scope of obliged entities and refining requirements for risk assessment, PEPs, or sanctions screening. E‑shops selling high-value goods therefore operate in an environment where regulation is clearly tightening and where increasingly professional compliance is expected, even from medium-sized and smaller businesses.
When an e‑shop selling high-value goods becomes an “obliged entity”
Trader in goods and the EUR 10,000 cash threshold
The AML Act classifies, among obliged entities, so-called traders in goods if, in the course of their business, they accept or make cash payments with a value of at least EUR 10,000, regardless of whether it is a single payment or several related payments. This structure responds to a typical money-laundering scheme where perpetrators split transactions into multiple smaller payments to avoid visible thresholds, which, from the perspective of an obliged entity under AML rules, should not lead to the exclusion of the obligation, but rather to increased vigilance.
A special subcategory is traders in precious metals and precious stones, who are obliged entities by law as soon as they carry out transactions with a value reaching or exceeding EUR 10,000, regardless of whether the payment is cash or cashless. This is not only investment gold, but also a broader range of precious metals (for example silver, platinum, palladium) and precious stones (diamonds, rubies, sapphires, emeralds), and often also jewellery made from these materials.
If an e‑shop offers a combination of luxury jewellery, investment bars, and expensive watches set with precious stones, it will in practice almost always fall under the regime of a trader in precious metals and stones as soon as it starts carrying out transactions above the stated threshold.
Importantly, the EUR 10,000 threshold for general traders in goods primarily relates to cash payments. If an e‑shop accepts exclusively cashless payments (by card, bank transfer, online payment gateway) and at the same time does not fall into another category of obliged entities (for example, a virtual asset service provider), the AML obligations of a trader in goods may not apply to it on the basis of this cash threshold.
However, for traders in precious metals and precious stones, this threshold triggers obligations regardless of the payment method. In practice, many e‑shops selling high-value goods also offer personal collection with the option to pay on the spot, or combine an online order with payment in a brick-and-mortar store. Once you accept cash above the stated threshold, you meet the conditions for inclusion among obliged entities.
It is important to distinguish between the different legal regimes governing financial limits. The Act on Limitation of Cash Payments (ZOPH) sets an absolute ban on making cash payments exceeding CZK 270,000 (with certain exceptions), but it does not impose any obligations such as customer identification or reporting suspicious transactions. By contrast, the AML Act does not restrict payments as such; however, if you are an obliged entity, it requires a comprehensive preventive system including KYC, a risk‑based approach (RBA), internal policies, and a reporting obligation towards the FAÚ (the Czech Financial Analytical Office).
Customer identification: When and to what extent
Once an e‑shop becomes an obliged entity, the core obligation is to identify the customer in situations specified by law. Identification for AML purposes means establishing and verifying the identity of a natural or legal person based on an identity document or another reliable source and recording these details, including retaining them for at least 10 years from the end of the business relationship or the execution of the transaction.
The AML Act provides that an obliged entity must generally identify the customer whenever it is apparent that the value of a one‑off transaction will exceed EUR 1,000, and also whenever a business relationship is established, or where a transaction is suspicious regardless of the amount. In practice, this means that if an e‑shop that is already an obliged entity sells, for example, luxury watches for EUR 5,000, it must identify the customer before the transaction is carried out, whether payment is made in cash or cashless.
For natural persons, the standard data collected are first name, surname, personal identification number (if assigned) or date of birth, address of permanent residence or other permitted residence, nationality, and details of the identity document.
For legal persons, in particular the name, registered office, identification number, legal form, and the person authorised to act are established, while the AML Act separately regulates the obligation to identify the ultimate beneficial owner (UBO). In practice for an e‑shop, this means that for an ordinary consumer buying jewellery for a higher amount, it is sufficient to verify their identity from an ID card or passport, whereas for a purchase made in the name of a company it is also necessary to verify who actually controls the company and whether that person is, for example, a politically exposed person.
The online nature of an e‑shop raises the specific question of how to identify a customer “remotely”. Czech regulation allows several methods of non‑face‑to‑face identification, including the use of bank identity or other electronic identification tools, provided they meet the required assurance level, or procedures under the AML Act and the related regulation.
In practice, services such as Bank iD can be used, where the customer is verified through their bank and the business receives verified identification data that it can use to meet its AML obligation. For an e‑shop selling high‑value goods, this is often the most practical solution because it does not require a physical meeting with the customer while still providing a high level of certainty regarding the buyer’s identity.
Failure to identify the customer—whether entirely or to the required extent—is among the most common breaches sanctioned by the FAÚ and other supervisory authorities. This is not merely a formal error; if the customer is not identified, the next step—customer due diligence—cannot be carried out either, and the obliged entity loses the ability to reasonably assess the risks of money laundering or terrorist financing.
The AML Act therefore expressly prohibits carrying out a transaction or establishing a business relationship if the obliged entity is not able to identify the customer to the prescribed extent.
Customer due diligence (CDD) and enhanced due diligence
Beyond customer identification itself, the AML Act requires obliged entities to perform so‑called customer due diligence (CDD). While identification focuses on the question “who is the customer”, CDD should answer a broader set of questions: what is the purpose and nature of the transaction or business relationship, what is the customer’s ownership and management structure, where the funds come from, and whether the customer or their ultimate beneficial owner is a politically exposed person or a person subject to international sanctions applied by the Czech Republic or the EU.
The Act sets out situations in which CDD is mandatory. These include, in particular, the establishment of a business relationship, one‑off transactions outside a business relationship with a value of at least EUR 15,000, and other listed situations, such as transactions involving PEPs, customers from high‑risk countries, or suspicious transactions regardless of the amount. For gambling operators, the threshold is lower (EUR 2,000), reflecting the risk profile of that sector.
In practical terms for an e‑shop selling high‑value goods, this means that for “larger” purchases or customers with a higher risk profile it must go beyond mere identification and systematically request and assess information on the source of funds, the nature of the customer’s business, or the end use of the goods.
CDD must always be proportionate to the risk—the so‑called risk‑based approach (RBA). For a low‑risk customer making a one‑off purchase in a country with low AML risk, basic identity verification and a few additional questions may be sufficient, whereas for a customer from a high‑risk state who repeatedly buys expensive gold for large amounts, much deeper scrutiny is required, including documenting the source of wealth and ongoing transaction monitoring.
The AML Act therefore works with three levels: simplified, standard, and enhanced customer due diligence. Enhanced due diligence applies in particular to politically exposed persons, customers from high‑risk countries, and other high money‑laundering‑risk situations. In practice, it includes the obligation to obtain the consent of a member of the obliged entity’s statutory body to establish the business relationship, to obtain detailed information on the origin of the customer’s assets, and to regularly review the risk profile.
For an e‑shop selling high‑value goods, this may mean that if the foreign minister wants to buy a luxury watch from you for EUR 30,000, you must not only verify their identity but also the source of their overall wealth and set up ongoing monitoring if they establish a more permanent business relationship with you. The AML Act also newly works with the concept of “not performing customer due diligence”, where in certain situations the obliged entity does not perform CDD so as not to jeopardise the investigation of a suspicious transaction or based on an instruction from the FAÚ, and must report this fact to the FAÚ. This is also practically relevant for an e‑shop, because sometimes it may be better to postpone or block a transaction and report it to the FAÚ immediately than to risk the customer receiving a signal that they are under investigation.
Internal set‑up of an e‑shop as an obliged entity: From paperwork to practice
Once an e‑shop selling high‑value goods meets the definition of an obliged entity, it is not enough to “somehow” identify customers and occasionally notice a suspicious transaction. The AML Act requires a systematic approach: a written system of internal policies, risk assessment, designation of responsible persons, employee training, and ongoing evaluation of the effectiveness of the measures adopted.
Risk assessment and the system of internal policies (SVZ)
The cornerstone of AML compliance is an assessment of the risks of money laundering and terrorist financing to which a particular obliged entity is exposed. The AML Act expressly requires obliged entities to identify and assess risks in relation to their activities, customers, products, distribution channels, and geographic areas.
Based on this assessment, they must then implement a so-called system of internal policies and procedures (SVZ) – a set of strategies and internal control and communication procedures to manage the identified risks and to ensure proper fulfilment of obligations under the AML Act. The FAÚ methodological guideline on risk assessment states that, in the analysis, it is appropriate to take into account at least four areas: clients and the transactions associated with them, services and products provided by the obliged entity, geography, and distribution channels.
For an e-shop selling high-value goods, this means, for example, distinguishing the risk level of different types of goods (investment gold vs. lower-value designer jewellery), customer segments (VIP customers, foreign clientele, B2B vs. B2C), the countries from which customers originate (including EU-designated high-risk third countries), and the sales method (online without personal contact, in-person pickup, cooperation with distributors).
The outcome of the assessment is a document that must be in writing, regularly updated, and actually used, not merely a formal attachment for an inspection. This is followed by the SVZ, which describes in detail how the e-shop identifies and verifies customers, how it evaluates suspicious transactions, what internal approval processes it has in place, who is responsible for communication with the FAÚ, how employees are trained, and how records are archived. In practice, the FAÚ and other authorities assess whether the SVZ corresponds to the nature and scope of the obliged entity’s activities, and you will not succeed if you submit a generic template downloaded from the internet that does not reflect how your e-shop actually operates.
Responsible person, contact person, and employee training
The AML Act imposes on obliged entities the obligation to designate a member of the statutory body who will be responsible for fulfilling obligations under the AML Act. Failure to designate such a person is, in itself, an administrative offence for which a fine of up to millions of Czech crowns may be imposed.
For selected obliged entities, it is also necessary to designate and notify the FAÚ of a contact person who ensures ongoing liaison with the FAÚ, in particular the reporting of suspicious transactions; the contact person must be available during the obliged entity’s business hours as well as at times when it carries out transactions. For traders in precious metals and stones, the obligation to designate a contact person does not expressly apply; however, this does not mean that the e-shop should not clearly define internally who communicates with the FAÚ.
Another key obligation is training employees who, in the course of their work, may encounter a suspicious transaction or are involved in customer identification and verification. The AML Act requires that these employees be trained regularly and that a written record of the training be kept. For an e-shop selling high-value goods, this does not concern only people in the “compliance department”, but also customer support staff, sales staff handling in-person pickups, store managers, or IT specialists who set up filters and monitoring systems.
In practice, it is often these people who are the first to spot an anomaly in a customer’s behaviour – for example, an unusually large number of orders just below the threshold, an attempt to pay in cash despite the standard of cashless payments, or an unwillingness to document the source of funds.
At this stage, attorneys from ARROWS advokátní kancelář typically help clients not only to draft SVZ and risk assessments that formally comply, but above all to define the roles of individual persons, create clear internal training, and ensure that AML processes actually work in line with the e-shop’s business model.
As a result, the risk is significantly reduced that, during a potential inspection by the FAÚ or the Czech National Bank (ČNB), the company will be criticised for having “paperwork in order” while, in reality, it does not follow the procedures.
Data retention and cooperation with the FAÚ
The AML Act places great emphasis on retaining data on customer identification and executed transactions. Obliged entities must keep copies of documents and other identification data for at least 10 years from the termination of the business relationship or from the execution of a one-off transaction.
The same ten-year period also applies to records of customer due diligence, the reasons why a transaction was assessed as suspicious or, conversely, not considered suspicious, and to documentation of reports submitted to the FAÚ. For an e-shop, this means aligning AML requirements with personal data protection rules (GDPR) and internal IT systems so that data are stored securely while also remaining accessible in the event of an inspection. Cooperation with the FAÚ has two levels. The first is the reporting obligation: the obliged entity must, without undue delay, and no later than within 7 calendar days of becoming aware, report to the FAÚ every suspicious transaction, including attempted transactions.
The second level is the obligation to provide the FAÚ, upon request, with additional information and cooperation, including allowing access to documentation and internal processes. In practice, the FAÚ supports electronic submission of reports via the MoneyWeb and MoneyWeb Lite applications, which enable secure filing of a suspicious transaction report and also serve as a training tool for compliance staff.
When reporting a suspicious transaction, a strict prohibition of so-called tipping-off applies, i.e., informing the customer or third parties that their transaction has been reported to the FAÚ or that it may be subject to investigation. Breach of this obligation may have not only administrative-law but also criminal-law consequences.
In the context of an e-shop, it is therefore necessary to carefully set up internal communication – for example, how customer support staff respond to a customer’s questions about why their order was delayed or cancelled, without revealing that the reason is an AML review.
Suspicious transaction in the environment of an e-shop selling high-value goods
The AML Act defines a suspicious transaction as a transaction carried out under circumstances giving rise to suspicion of an attempt to legalise proceeds of crime or finance terrorism, or where the funds used may originate from criminal activity or serve to finance terrorism. At the same time, it sets out an illustrative list of indicators of a suspicious transaction and an exhaustive list of so-called mandatory suspicious transactions, for which the obliged entity must always submit a report to the FAÚ.
Typical “red flags” for e-shops selling high-value goods
In the environment of e-shops selling high-value goods, a number of typical situations may be encountered that indicate increased AML risk. The FAÚ and professional literature mention, for example, cases where a customer makes withdrawals or transfers to other accounts immediately after cash deposits, carries out conspicuously frequent transactions over a short period, and these transactions disproportionately exceed their usual financial circumstances or the nature of their business.
In the context of an e-shop, such behaviour may manifest, for example, as a series of orders for luxury watches and jewellery over several days, paid from different accounts and delivered to different addresses, while the name of the ordering person is always similar or the persons are clearly connected. Another signal may be the customer’s attempt to split one large order into several smaller ones so that individual payments do not exceed a certain threshold – for example, EUR 10,000 or EUR 1,000 – which would otherwise trigger an obligation to identify or verify the customer.
Such “structuring” of payments is a classic way for money launderers to try to avoid detection, and the e-shop’s AML system should be set up to uncover these links, for example by aggregating orders by IP address, device identification, delivery addresses, or payment details.
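The aggregation described above can be sketched as follows. This is an added example, not code from the article or from the FAÚ: it links orders that share an IP address, device identifier, delivery address, or payment detail, then flags linked groups whose individually sub-threshold orders add up to the EUR 10,000 threshold. The field names, the 7-day window (the article only says "several days"), and the sample orders are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

THRESHOLD_EUR = 10_000        # threshold named in the article
WINDOW = timedelta(days=7)    # assumption: the article only says "several days"
LINK_KEYS = ("ip", "device_id", "delivery_address", "payment_ref")  # hypothetical field names


@dataclass(frozen=True)
class Order:
    order_id: str
    placed_at: datetime
    amount_eur: float
    ip: str
    device_id: str
    delivery_address: str
    payment_ref: str


def _normalise(value: str) -> str:
    """Case-fold and collapse whitespace so trivially re-typed values still match."""
    return " ".join(value.lower().split())


def link_orders(orders):
    """Union-find: orders sharing any linking attribute end up in one cluster."""
    parent = {o.order_id: o.order_id for o in orders}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    first_seen = {}
    for o in orders:
        for key in LINK_KEYS:
            value = _normalise(getattr(o, key))
            if value:
                anchor = first_seen.setdefault((key, value), o.order_id)
                parent[find(o.order_id)] = find(anchor)
    clusters = defaultdict(list)
    for o in orders:
        clusters[find(o.order_id)].append(o)
    return list(clusters.values())


def _shared_keys(orders):
    """Attributes on which at least two orders in the group carry the same value."""
    shared = []
    for key in LINK_KEYS:
        values = [_normalise(getattr(o, key)) for o in orders]
        if any(v and values.count(v) > 1 for v in values):
            shared.append(key)
    return shared


def structuring_alerts(orders, threshold=THRESHOLD_EUR, window=WINDOW):
    """Flag linked groups whose sub-threshold orders reach the threshold within the window."""
    alerts = []
    for cluster in link_orders(orders):
        # Orders at or above the threshold are caught by the ordinary threshold check.
        below = sorted((o for o in cluster if o.amount_eur < threshold),
                       key=lambda o: o.placed_at)
        start, total, best = 0, 0.0, None
        for end, order in enumerate(below):
            total += order.amount_eur
            while order.placed_at - below[start].placed_at > window:
                total -= below[start].amount_eur
                start += 1
            if end > start and total >= threshold and (best is None or total > best[0]):
                best = (total, below[start:end + 1])
        if best:
            alerts.append({"order_ids": [o.order_id for o in best[1]],
                           "total_eur": best[0],
                           "linked_by": _shared_keys(best[1])})
    return alerts


# Constructed sample orders (documentation IP ranges, invented addresses and references).
SAMPLE_ORDERS = [
    Order("A1", datetime(2025, 3, 1), 4200, "203.0.113.10", "d-1", "Example St 1, Prague", "IBAN-A"),
    Order("A2", datetime(2025, 3, 2), 3900, "203.0.113.10", "d-2", "Example St 9, Brno", "IBAN-B"),
    Order("A3", datetime(2025, 3, 4), 3500, "198.51.100.7", "d-3", "example st 9,  brno", "IBAN-C"),
    Order("B1", datetime(2025, 3, 3), 2500, "192.0.2.20", "d-4", "Other Rd 5, Ostrava", "IBAN-D"),
    Order("C1", datetime(2025, 3, 1), 6000, "192.0.2.50", "d-9", "Third Sq 2, Plzen", "IBAN-E"),
    Order("C2", datetime(2025, 3, 20), 6000, "192.0.2.51", "d-9", "Fourth Sq 3, Plzen", "IBAN-F"),
    Order("D1", datetime(2025, 3, 5), 12000, "192.0.2.99", "d-7", "Fifth Ave 8, Liberec", "IBAN-G"),
]

if __name__ == "__main__":
    for alert in structuring_alerts(SAMPLE_ORDERS):
        print(alert)
```

An alert produced this way is an input to the individual assessment the article describes, not a conclusion; shared office or carrier-grade NAT addresses will link unrelated customers, so the linking attributes need tuning against the shop's own traffic.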
Attention is also drawn to transactions where the funds handled by the customer clearly do not correspond to the nature of their business or their financial circumstances. A typical situation is a young customer with no apparent income history who suddenly orders several pieces of investment gold or very expensive watches, refuses to provide information on the origin of the money, or submits clearly unreliable documents.
For legal entities, a complex ownership structure linked to tax havens, frequent changes in statutory bodies, recent transfers of ownership interests, or links to high-risk jurisdictions may be red flags.
A special category consists of transactions linked to international sanctions. The Czech AML Act provides that a suspicious transaction is always a transaction in which an element connected with the implementation of international sanctions is present – for example, where the client, the beneficial owner, or another person otherwise involved in the transaction is a person included on a sanctions list, or where the subject matter of the transaction is goods subject to sanctions.
For an e-shop selling high-value goods, this may mean, for example, a customer from the Russian Federation or another sanctioned jurisdiction attempting to purchase luxury goods for large amounts, often through intermediaries or companies with a concealed ownership structure.
Obligation to report a suspicious transaction and “without undue delay”
As soon as an e-shop, as an obliged entity, assesses a particular transaction as suspicious, it immediately becomes obliged to report this fact to the FAÚ, without undue delay, no later than within 7 calendar days from the date the suspicious transaction is identified.
The obligation applies to all suspicious transactions, including attempts, even if the transaction is ultimately not completed. In practice, this means that if an e-shop blocks an order because the client refused to document the source of funds or it turned out that the client is on a sanctions list, it must still report this fact to the FAÚ, even if no sale took place at all.
The wording “without undue delay” was introduced into the Czech AML Act to reflect that some cases require a very rapid response, especially where there is a risk of delay, such as the risk of transferring or siphoning off funds. If the circumstances indicate an imminent threat, the obliged entity must submit the report “immediately”.
In its methodological guidelines, the FAÚ emphasises that the obliged entity must have internal processes set up so that it is able to submit a report truly promptly – i.e., not only within days, but, if necessary, within hours. The report should include a detailed description of the circumstances of the suspicious transaction, identification details of the client and other involved persons, information on the subject matter of the transaction, the payment instruments used, the reasons for suspicion, and the measures taken (for example, postponement of the transaction or non-execution).
For an e-shop, this means it must have processes in place from the outset for collecting and archiving relevant data – anonymous sales “without unnecessary questions” are practically incompatible with the AML regime.
Most common questions about suspicious transactions in e-shops
1. Where is the line between an “unusual” and a “suspicious” purchase?
Not every unusual purchase is automatically suspicious. The Czech AML Act requires all circumstances to be assessed individually. Key factors include the client’s history, profession, financial situation, and the nature of the goods. If your long-term, verified client with a clear income history makes a one-off larger purchase, pay increased attention, but do not immediately rush to report it to the Financial Analytical Office (FAÚ). Conversely, if a new customer from a high-risk country makes even a relatively “smaller” purchase, grounds for suspicion arise immediately.
2. Won’t reporting to the FAÚ deter customers? Won’t it damage relationships with them?
It should not, because the client will not find out about it at all. The law expressly prohibits informing the customer that a report has been filed about them. If you decide to complete the transaction after reporting, the client will not notice anything. If the customer refuses identification or fails to provide documents for the review, the law requires you not to carry out the transaction. In such a case, communicate neutrally. State, for example, “failure to meet internal requirements” as the reason, and do not mention the Czech AML Act or the FAÚ at all.
3. Can documentation be supplemented retroactively if we discover an older suspicious transaction?
Unfortunately not; AML obligations cannot be fulfilled retroactively. If a suspicious transaction took place in your e-shop and you did not report it, this constitutes a breach of the law. You cannot erase this misconduct by subsequently rewriting internal records. In such a situation, the best solution is to contact specialised attorneys (e.g., at ARROWS advokátní kancelář, a Prague-based law firm). They can help you prepare a strategy for the next steps, propose the form of any additional report, and help minimise the risk of financial penalties.
Sanctions and liability: What an e-shop that underestimates AML may face
AML regulation is not a “soft recommendation”, but a strictly enforceable legal framework accompanied by high sanctions. The Czech AML Act contains a broad catalogue of administrative offences and allows fines of up to CZK 130 million for financial institutions and up to tens of millions of CZK for other obliged entities.
Sanctions may apply not only to the legal entity, but in certain cases also to individuals – members of the statutory body or employees whose actions caused the obliged entity to commit an administrative offence.
Typical sanctionable breaches
In practice, the most common breaches include failing to prepare or update the risk assessment and the system of internal policies, insufficient client identification and due diligence, failure to report a suspicious transaction, and failure to retain records in the prescribed form. Sanctions also apply for failure to appoint a responsible person, failure to provide employee training, or failure to comply with the duty of confidentiality.
For e-shops selling high-value goods, there is also frequent underestimation of the fact that an online store at a certain point effectively becomes a “financial gateway”, and is therefore subject to requirements similar to those applicable to banks or payment institutions. More recent legislative changes have tightened the sanctions regime and introduced an obligation to apply group AML strategies for obliged entities belonging to a group.
For example, if an e-shop selling high-value goods belongs to a multinational group with other regulated entities, it will be expected to apply group strategies and internal control procedures and to share relevant information on risks and suspicious transactions within the group.
Repeated breaches of these obligations may lead to higher sanctions and significant reputational damage to the entire group. In addition to administrative fines, there is also a risk of criminal liability of the legal entity and responsible individuals if the obliged entity knowingly enabled money laundering or terrorist financing. In this respect, the AML regime is the “first line” of defence – if it is set up properly and the obliged entity fulfils its obligations in good faith, the risk of being considered an accomplice to criminal activity is significantly reduced.
Conversely, ignoring AML or taking a purely formal approach without genuinely fulfilling obligations may be a materially aggravating circumstance in any criminal proceedings.
Table of practical risks and the role of ARROWS advokátní kancelář
| Potential issues | How ARROWS helps (office@arws.cz) |
|---|---|
| Insufficient customer identification and verification: high-value orders without verification of identity and source of funds, missing documentation | Setting up KYC and CDD processes: attorneys from ARROWS, a Prague-based law firm, will prepare or review customer identification and due diligence procedures, including the use of electronic identification, and ensure they are aligned with the e-shop’s business model. |
| Missing or merely formal internal policies and risk assessment system: generic templates that do not reflect actual practice | Tailor-made internal AML policy and risk assessment: ARROWS, a Prague-based law firm, will prepare a practical, risk-based internal AML policy and risk assessment that will stand up to an inspection by FAÚ (the Czech Financial Analytical Office) and will also be clear and understandable for employees. |
| Failure to report suspicious transactions and incorrect communication with FAÚ: risk of high fines and reputational damage | Support with reporting suspicious transactions and communication with FAÚ: attorneys from ARROWS, a Prague-based law firm, will help assess suspicious transactions, prepare the notification to FAÚ, and represent you in any inspection or administrative proceedings. |
| Failure to appoint a responsible person, lack of employee training: procedural shortcomings revealed during an inspection | Governance setup and training: ARROWS, a Prague-based law firm, will ensure the proper appointment of responsible and contact persons, prepare contractual documentation, and organise regular training tailored to individual roles within the e-shop. |
| Cross-border risks and group regime: sales to high-risk countries, membership in a group subject to different regulation | International AML advice: thanks to the ARROWS International network, ARROWS, a Prague-based law firm, will help align Czech and foreign requirements, set up group AML strategies, and resolve specific cases with an international element. |
How to set up AML in an e-shop selling high-value goods in day-to-day operations
Theoretical understanding of AML obligations is only the first step. What matters is how these rules are reflected in the day-to-day running of the e-shop—within the ordering process, customer support, payment setup, logistics, and IT systems.
Ordering process, UX and AML
For an e-shop, it is crucial to strike a balance between a user-friendly purchasing process and AML obligations. If, for example, you know that for certain types of goods and price levels you will have to identify and verify the customer, it is advisable to adapt the order structure accordingly: request the necessary data and documents in time, clearly explain why you need them, and minimise the risk that the customer abandons the order.
A practical solution is to create a dynamic order form that responds to basket value and the type of goods. For standard lower-value orders, the customer will see standard fields, while for expensive products the form will be expanded to include the information necessary for AML identification, or it may offer verification via bank identity. This way, the customer does not have to go through a complicated process every time, but only in situations where it is required by law or by internal risk assessment.
It is also important to set up a warning system for employees who process orders. If, for example, the same customer attempts within a short period to place multiple orders for expensive goods just below the threshold, the system should flag this as a potential red flag and forward the order for manual review.
For large e-shops, it is worth investing in automated detection mechanisms that analyse behavioural patterns and alert you to anomalies without significantly interfering with normal sales.
Payment methods, cash and in-person collection
From an AML perspective, cash payments are particularly sensitive, especially for in-person collection. As soon as an e-shop selling high-value goods allows customers to pay in cash amounts reaching or exceeding EUR 10,000, it falls into the category of goods traders—obliged entities subject to the AML regime.
Many entrepreneurs try to avoid AML obligations by limiting or completely excluding cash payments and accepting only cashless payments via bank transfer or payment gateways. This may be practically effective, but it is important to bear in mind that AML obligations may also apply for other reasons, for example for dealers in precious metals or when providing certain types of services.
If you decide to keep cash payments, it is necessary to systematically monitor their value and prevent customers from deliberately splitting payments. The e-shop system should be able to recognise when the same customer or connected persons attempt to make multiple cash payments that in aggregate exceed the threshold, and in such a case automatically activate the AML regime—customer identification, due diligence and, where applicable, reporting to FAÚ.
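The warning rule for order processors and the cash-splitting check described above can share one piece of logic. The sketch below is an added example, not code from this article or from any e-shop platform; the 30-day window, the 80 % "just below" band, the phone/address linkage for connected persons, and all field names and sample payments are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

THRESHOLD_EUR = 10_000            # cash threshold stated in the article
WINDOW = timedelta(days=30)       # assumption: look-back period for aggregation
NEAR_FLOOR = 0.8 * THRESHOLD_EUR  # assumption: "just below" means >= 80 % of it


@dataclass(frozen=True)
class CashPayment:
    order_id: str
    customer_id: str
    phone: str
    address: str
    amount_eur: int
    paid_at: datetime


def link_customers(payments):
    """Union-find: customers sharing a phone or address become one group."""
    parent, first_seen = {}, {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for p in payments:
        find(p.customer_id)
        for key in (("phone", p.phone.strip()), ("addr", p.address.strip().lower())):
            if not key[1]:
                continue  # an empty attribute links nobody
            owner = first_seen.setdefault(key, p.customer_id)
            parent[find(p.customer_id)] = find(owner)
    return {c: find(c) for c in list(parent)}


def review_queue(payments):
    """Return the payments that must be held for identification and manual review."""
    group_of = link_customers(payments)
    by_group = defaultdict(list)
    for p in sorted(payments, key=lambda p: p.paid_at):
        by_group[group_of[p.customer_id]].append(p)
    alerts = []
    for members in by_group.values():
        for i, cur in enumerate(members):
            window = [q for q in members[: i + 1] if cur.paid_at - q.paid_at <= WINDOW]
            total = sum(q.amount_eur for q in window)
            near = [q for q in window if NEAR_FLOOR <= q.amount_eur < THRESHOLD_EUR]
            reasons = []
            if cur.amount_eur >= THRESHOLD_EUR:
                reasons.append("single_payment_at_or_above_threshold")
            elif len(window) > 1 and total >= THRESHOLD_EUR:
                reasons.append("aggregate_at_or_above_threshold")
            if len(near) >= 2 and cur in near:
                reasons.append("repeated_just_below_threshold")
            if reasons:
                alerts.append({"order_id": cur.order_id, "window_total_eur": total,
                               "customers": sorted({q.customer_id for q in window}),
                               "reasons": reasons})
    return alerts


# Constructed sample data: C2 and C3 differ in name and phone but share an address.
SAMPLE = [
    CashPayment("A1", "C1", "111", "Main St 1", 9500, datetime(2025, 1, 3)),
    CashPayment("A2", "C1", "111", "Main St 1", 9400, datetime(2025, 1, 10)),
    CashPayment("B1", "C2", "222", "Oak 5", 4000, datetime(2025, 1, 5)),
    CashPayment("B2", "C3", "333", " oak 5", 6500, datetime(2025, 1, 12)),
    CashPayment("D1", "C4", "444", "Elm 9", 3000, datetime(2025, 1, 8)),
    CashPayment("E1", "C5", "555", "Pine 2", 12000, datetime(2025, 1, 15)),
]

if __name__ == "__main__":
    for alert in review_queue(SAMPLE):
        print(alert)
```

Each alert carries the reason codes and the linked customer IDs, so the record of why a payment was held can be retained alongside the order.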
Cooperation with employees at the in-person collection point is also important; they must be able to recognise the situation and hold the transaction if the customer refuses to cooperate. At the same time, it is advisable to contractually address the relationship with payment service providers—banks and payment gateways. They have their own AML obligations, and if they conclude that the e-shop is not sufficiently meeting AML requirements or is exposed to increased risk, they may unilaterally restrict or terminate cooperation.
This can mean an immediate paralysis of sales for the e-shop. A well-designed AML programme is therefore not only an obligation towards the state, but also a condition for maintaining banking and payment services in the long term.
Most common questions on setting up AML in e-shop operations
1. Do we have to identify every single customer, or is it enough to monitor only the statutory thresholds?
Financial thresholds cannot be applied mechanically. The AML Act does work with specific amounts, but it combines them with other factors—for example, whether the customer is a politically exposed person (PEP), whether a lasting business relationship is being established, or whether the transaction is suspicious in any way. The obligation to identify and verify a customer may arise even for a purchase “for a few coins” if the transaction shows risk indicators. You should therefore build the entire system on your own risk assessment and clear internal rules, not merely on blind monitoring of monetary thresholds.
2. How should we reconcile strict AML obligations with GDPR rules?
In this case, the AML Act takes precedence. While GDPR pushes for data to be deleted as quickly as possible, the AML Act directly imposes an obligation to retain identification data and transaction records for 10 years. Under GDPR, compliance with a legal obligation is a legitimate ground for processing. The key to success is to have the correct legal bases set out in your privacy policy, collect only the data required by law, and ensure top-tier security.
3. How should we proceed when selling high-value goods abroad (within the EU and outside it)?
As a Czech e-shop, you primarily follow the Czech AML Act (i.e., the rules of your country of establishment). However, when selling cross-border, you must apply enhanced due diligence and monitor where your customer comes from. The customer’s country of origin fundamentally affects the risk level of the entire transaction. For customers from third countries (especially those considered high-risk from a money-laundering perspective), you must apply much stricter controls. In some specific cases, it is also necessary to take into account local market regulation in the country to which you supply the goods.
International sanctions, PEPs and “sensitive” customers
The AML regime is not only about amounts and types of goods, but also about the specific persons you do business with. Two key categories from the perspective of increased risk are politically exposed persons (PEPs) and persons subject to national or international sanctions.
Politically exposed persons (PEPs)
Under the Czech AML Act, a politically exposed person is a natural person who holds or has held a prominent public function of national or regional importance, as well as their close associates and persons in a business relationship with them. This includes, for example, a head of state, members of government, members of parliament, senators, heads of central government authorities, senior judges, or members of the governing bodies of state-owned enterprises.
From an AML perspective, PEPs are considered higher-risk because they may have access to public funds and the ability to abuse their position for corrupt or other criminal activities. Obliged entities must therefore, before executing a transaction or establishing a business relationship, determine whether the client or the client’s beneficial owner is a PEP and keep this information updated throughout the duration of the relationship.
PEP status alone is not a reason to automatically refuse a transaction, but it triggers an obligation to apply enhanced identification and control measures, including establishing the source of all of the PEP’s assets and obtaining approval from senior management. For an e-shop selling high-value goods, this may mean that if a prominent politician or a member of the management of a state-owned enterprise repeatedly buys very expensive jewellery, you must examine in detail the sources from which these purchases are funded.
There is no single publicly available list of PEPs, so obliged entities must combine multiple methods—internal checks, specialised databases, the client’s declaration, and other information sources. A record of the checks performed must always be made.
Attorneys at ARROWS advokátní kancelář often help clients set up a PEP screening process so that it is effective while not unduly interfering with day-to-day operations.
Sanctions screening and dealings with “sanctioned” persons
Obliged entities must also verify whether the Czech Republic or the European Union imposes international sanctions on the client, the client’s beneficial owner, or other persons involved in the transaction. Sanctions may take the form of asset freezes, bans on providing financial services, embargoes on the export of certain goods, or entry bans.
In recent years, sanctions regimes have expanded significantly, in particular in connection with Russia’s aggression against Ukraine, the situation in Belarus, Iran, North Korea, and other countries. To facilitate sanctions screening, various tools exist, including official EU and Czech databases and commercial solutions that allow searching for persons and entities on sanctions lists and generating a record of the result.
The obligation to screen for sanctions applies to all obliged entities and must be fulfilled in a demonstrable manner—meaning not only performing the check, but also retaining evidence that the verification took place. For an e-shop selling high-value goods, this means in practice that for higher-value orders or for clients from high-risk countries, the system must automatically perform sanctions screening and, in the event of a positive match, block the transaction and report it to the FAÚ (the Czech Financial Analytical Office) as a suspicious transaction.
A specific area involves sanctions on certain types of goods—for example, luxury products—towards certain countries or persons. In such cases, the sale of goods to a sanctioned person may be prohibited regardless of how the payment was made. An e-shop that supplies such goods risks not only a penalty under the Czech AML Act, but also a breach of sanctions regulations with potential criminal-law consequences.
In situations where sanctions rules change dynamically, it is therefore advisable to have a notification system in place for changes to sanctions lists and, in case of uncertainty, to consult the attorneys at ARROWS advokátní kancelář on the specific transaction.
The future of AML for e-shops: the European AML package and digitalisation
AML regulation is not static; in recent years it has been significantly strengthened at both EU level and national level. In June 2024, the so-called new AML package was published in the Official Journal of the EU, comprising in particular the AMLR Regulation, a new AML Directive, and the establishment of the European AML supervisory authority (AMLA).
The aim is to harmonise rules across the EU and strengthen cross-border supervision, which will also affect e-shops selling high-value goods, especially those operating in multiple countries or selling abroad. The AMLR Regulation will be directly applicable and will replace part of the national rules in the areas of CDD, the risk-based approach, and internal controls. It will introduce more detailed and more uniform rules for KYC, identification of beneficial owners, treatment of PEPs, and sanctions screening.
E-shops that align their AML processes with European standards already today will have an advantage once the AMLR becomes fully effective, as they will not face a major restructuring of their compliance system.
Digitalisation also brings new opportunities and challenges in client identification and transaction monitoring. Remote electronic identification, the use of bank identity, automated transaction monitoring systems and real-time data analytics are becoming the standard not only in the financial sector but also in e-commerce. E-shops selling high-value goods can use these technologies to ensure that AML processes place as little burden as possible on the customer and the internal team, while remaining effective and auditable.
For management and investors, it is important to view AML not only as a regulatory burden, but as part of broader risk management and corporate governance. A properly designed AML programme protects not only against fines, but also against reputational damage, loss of bank financing and the risk of criminal liability.
In an environment of increasing pressure from regulators, banks, business partners and the public, robust AML compliance is one of the factors that increases a company’s value and its attractiveness to investors. The attorneys at ARROWS advokátní kancelář have been active in this area for a long time, monitor developments in Czech and European legislation, and help clients respond in time to upcoming changes.
Final summary
E-shops selling high-value goods are now at the centre of AML regulation. Once they meet the conditions to be classified as obliged entities—typically as dealers in precious metals and stones or as traders in goods accepting cash payments of EUR 10,000 or more—a comprehensive set of obligations applies to them: to identify and verify customers, assess risks, prepare and implement a system of internal policies and procedures, train employees, and report suspicious transactions to the Financial Analytical Office (Finanční analytický úřad).
Neglecting these obligations may lead to significant administrative sanctions, reputational harm, restrictions on banking services and, in extreme cases, criminal liability.
At the same time, the legal reality is more complex than mere monetary thresholds. The obligation to identify and verify a customer may also be triggered at lower amounts if the transaction is suspicious or involves a politically exposed person or a customer from a high-risk country. In addition, an e-shop must manage the alignment of AML requirements with UX, GDPR, cross-border sales, the requirements of banks and payment service providers, and internal processes.
Without professional setup, AML compliance in practice often turns either into inefficient formalism or into a dangerous gap in risk management. If you do not want to risk errors, damage, delays or fines and need certainty that your e-shop selling high-value goods handles AML obligations effectively and in line with current Czech legislation, it is sensible to turn to experts.
The attorneys at ARROWS advokátní kancelář have extensive experience with AML in e-commerce and can help you set up internal processes, prepare documentation, train your team, review specific transactions, and represent you in dealings with the Financial Analytical Office (FAÚ) or other authorities. For a non-binding consultation, you can contact office@arws.cz at any time.
FAQ – most frequently asked questions
1. Is it enough if we prohibit cash payments in our e-shop to avoid AML obligations?
Prohibiting cash payments above a certain amount may reduce the risk that your e-shop becomes an obliged entity as a trader in goods, but it does not address all situations. If you trade in precious metals and stones or other high-value goods, you may fall within the category of obliged entities even without cash, and other AML rules may also apply to you, including the obligation to identify and verify customers in suspicious transactions. It is always necessary to assess the specific business model and product structure; the attorneys at ARROWS advokátní kancelář can assist you with this and can be contacted at office@arws.cz.
2. Do we have to identify every customer who buys jewellery or a watch above a certain price?
The Czech AML Act generally imposes an obligation to identify the customer in the case of a one-off transaction exceeding EUR 1,000, upon establishing a business relationship, and always where the transaction is suspicious, regardless of the amount. In practice, you therefore do not have to identify every small order, but for higher-value goods or higher-risk customers, identification is mandatory. It is recommended to set internal rules so that the system automatically requires identification in line with the law and your risk assessment. The attorneys at ARROWS advokátní kancelář can help you design such rules and are available at office@arws.cz.
3. How do we know that a transaction is “suspicious” and must be reported to the FAÚ?
A suspicious transaction is one that, in the specific circumstances, gives rise to suspicion of money laundering or terrorist financing; the Czech AML Act provides a non-exhaustive list, such as clearly unjustified splitting of payments, unusual transaction frequency, inconsistency with the customer’s assets, or links to high-risk countries. For e-shops selling high-value goods, this typically includes unusually large purchases, repeated orders just below the threshold, or customers who refuse to document the source of funds. In uncertain situations, it is advisable to consult an AML specialist on the specific case; the attorneys at ARROWS advokátní kancelář can quickly help you assess the situation and prepare any notification to the FAÚ—contact them at office@arws.cz.
4. How long must we retain identification and transaction records, and does this conflict with the GDPR?
The AML Act imposes an obligation to retain identification data and records of executed transactions for at least ten years from the end of the business relationship or the completion of a one-off transaction. This long retention period is justified by investigative needs and is consistent with the GDPR, as it constitutes compliance with the controller’s legal obligation. It is important to set up processes so that, after the period expires, the data are securely deleted or anonymised, and access is restricted only to persons who genuinely need them for AML purposes. Our attorneys in Prague at ARROWS advokátní kancelář can assist you with aligning AML and GDPR documentation and processes and are available at office@arws.cz.
5. What should we do if we may have breached AML obligations in the past?
If you suspect that in the past there was a transaction that should have been reported to the FAÚ but was not, or that your client identification and due diligence were not compliant with the law, this situation cannot simply be “rewritten” back into compliance. AML obligations cannot be fulfilled retroactively, and any adjustments to documentation must reflect the actual course of events. In such a situation, it is crucial to carry out an internal audit, implement remedial measures, and carefully choose a strategy towards regulators, which typically requires expert legal support. Our attorneys in Prague at ARROWS advokátní kancelář have experience both in defending against fines and in remediating AML systems after inspections, and you can contact them at office@arws.cz.
6. How should we prepare for upcoming European changes (AMLR, AMLA) if we also sell high-value goods abroad?
The new European AML package will gradually harmonise rules across the EU, including detailed requirements for client identification, risk assessment, and internal controls. If you set up your AML programme now in line with European standards and take into account the cross-border elements of your business, you will significantly reduce the risk of having to rebuild the entire system in two or three years’ time. For e-shops selling high-value goods to multiple countries, it is advisable to consider group AML strategies and coordination with local legal counsel. Thanks to the ARROWS International network, ARROWS advokátní kancelář offers clients precisely this kind of cross-border support and is ready to walk you through the specific impacts of the European changes—contact them at office@arws.cz.
Notice: The information contained in this article is of a general informational nature only and is intended to provide basic guidance on the topic under the legal framework as of 2026. Although we take the utmost care to ensure accuracy, legal regulations and their interpretation evolve over time. We are ARROWS advokátní kancelář, an entity registered with the Czech Bar Association (our supervisory authority), and for maximum client security we maintain professional liability insurance with a limit of CZK 400,000,000. To verify the current wording of regulations and their application to your specific situation, it is necessary to contact ARROWS advokátní kancelář directly (office@arws.cz). We accept no liability for any damages arising from the independent use of the information in this article without prior individual legal consultation.