Internal AML Rules in Bulgaria — Template & Guide (2026)

Published: March 26, 2026 | Last updated: March 26, 2026

Every obliged entity under Art. 4 of the Bulgarian AMLA must adopt internal AML rules within 4 months of registration, following a mandatory 10-section structure. Non-compliance carries fines of up to EUR 1,022,584, and the rules must be updated whenever the AML Regulation or the National Risk Assessment changes.

What you will learn

  • Which entities must adopt internal AML rules and within what timeframe
  • The mandatory contents of the rules — section by section (10-section template)
  • How to carry out and update the entity-level risk assessment
  • When and how to update the internal rules
  • What sanctions apply for non-compliance
  • Specific considerations for NGOs, accountants, and lawyers

Who must adopt internal AML rules

The full list of obliged entities is set out in Art. 4 AMLA. It covers a broad range of subjects from both the financial and non-financial sectors:

Financial sector

  • Banks and credit institutions
  • Insurance and reinsurance companies
  • Payment institutions and e-money issuers
  • Investment intermediaries and management companies
  • Pension insurance companies

Non-financial sector

  • Notaries
  • Lawyers — for specified activities (real estate transactions, management of client funds, formation and management of legal entities, etc.)
  • Accountants, auditors, and tax advisors
  • Trust and company service providers (Art. 4(16) AMLA)
  • Real estate agents
  • Wholesale traders
  • Art dealers (for transactions above EUR 5,113)
  • Non-profit legal entities (NGOs) — foundations and associations with annual turnover exceeding EUR 10,226 (BGN 20,000)

Important: If your activity falls within the scope of Art. 4 AMLA, you are required to adopt internal rules regardless of the size of your enterprise or the number of employees.

Deadline for adoption and updates

Adoption deadline

Under Art. 102 AMLA, newly registered obliged entities must prepare and adopt their internal rules within 4 months of registration in the relevant register.

Updates

The internal rules are subject to mandatory updates in three scenarios:

  1. When the regulatory framework changes (Art. 103 AMLA) — amendments to the AMLA, the AML Regulation (PPZMIP), or the Counter-Terrorism Financing Act (ZMFT).
  2. When the National Risk Assessment is updated — it is revised every 2 years and published on the SANS website.
  3. When internal changes occur — expansion or modification of business activities, introduction of new products or services, entry into new markets, changes in the client base.

Frequency of risk assessment updates

  • For entities listed in Art. 4(1)–(6), (8)–(11) AMLA (banks, financial institutions, etc.) — once a year.
  • For all other obliged entities — every 3 years.

Mandatory contents — section by section

The internal rules under Art. 101(2) AMLA must contain clearly structured information on multiple topics. Below is a 10-section template covering all mandatory elements:

Section 1: General provisions

Legal basis, scope of application, definitions of key terms, designated compliance officer under Art. 106 AMLA.

Section 2: Risk assessment

Methodology for entity-level risk assessment, risk categories (client, product/service, geographic, channel), criteria for risk levels, update procedure, alignment with the National Risk Assessment.

Section 3: Customer due diligence (CDD)

Identification, verification, ongoing monitoring, simplified due diligence for low-risk clients (Art. 46 AMLA), timing requirements.

Section 4: Enhanced due diligence (EDD)

Politically exposed persons (PEPs), persons from high-risk third countries, complex or unusually large transactions, correspondent banking relationships, additional measures.

Section 5: Identification of beneficial owners

Procedures under Art. 59–65 AMLA, control threshold (over 25 %), three identification methods, ongoing monitoring, discrepancy notification (14-day deadline).

Section 6: Source of funds and wealth

When the source of funds must be established, how it is established, documents to request.

Section 7: Reporting suspicious transactions

Clear criteria for recognizing suspicious transactions and clients, sector-specific red flags, internal reporting procedure, procedure for notifying SANS, prohibition on tipping off the client.

Section 8: Record keeping

Retention period — 5 years after the end of the business relationship. Upon dissolution — 10 years of data access. Storage format, GDPR compliance.

Section 9: Staff training

Induction training for every new employee, ongoing training at least once a year (Art. 101(11) AMLA), topics, documentation, annual performance report.

Section 10: Internal controls and annexes

Designation of the compliance officer, internal audit procedures, measures for remedying deficiencies, annexes (client identification forms, beneficial owner declaration, CDD checklist, suspicious transaction reporting form, training record template).

Entity-level risk assessment

The entity-level risk assessment is a mandatory element of the internal rules (Art. 98(4)–(5) AMLA). It differs from the National Risk Assessment, although it must take the latter into account.

Steps for preparation

  1. Identify risk factors — client-related, product-related, geographic, channel-related.
  2. Assess probability and impact — on a scale (low, medium, high).
  3. Determine risk management measures — proportionate to the identified risk level.
  4. Document — the assessment is formatted as an annex to the internal rules.
  5. Update — for banks: annually; for others: every 3 years; when the National Risk Assessment changes: immediately.

How to update the rules

  1. Monitor regulatory changes — track the State Gazette for amendments to the AMLA, AML Regulation, and ZMFT.
  2. Impact analysis — identify which sections of the internal rules are affected.
  3. Draft amendments — prepare a revised version of the affected sections.
  4. Approval — the internal rules are adopted/updated by the governing body of the obliged entity.
  5. Notification to SANS — in accordance with Art. 106(5) and Art. 107(4) AMLA.
  6. Staff training — conduct training on the changes.
  7. Documentation — retain previous versions and adoption protocols.

Penalties for non-compliance

| Violation | Natural person | Legal entity |
|---|---|---|
| Failure to adopt or update internal rules | EUR 511 – 5,113 | EUR 1,023 – 10,226 |
| Failure to conduct training | EUR 1,023 – 10,226 | EUR 1,023 – 10,226 |
| Repeat violation (natural person) | EUR 1,023 – 10,226 | |
| Repeat violation (legal entity) | | EUR 2,556 – 25,565 |
| Severe or systemic violations | Up to EUR 1,022,584 | Up to EUR 1,022,584 |

Special rules for NGOs

NGOs with annual turnover exceeding EUR 10,226 (BGN 20,000) fall within the scope of the AMLA. They must adopt internal rules, conduct training, and carry out entity-level risk assessments. Non-compliance subjects them to the general sanctions regime.

Practical tips

  1. Do not copy generic templates — the internal rules must reflect the specifics of your particular business activities.
  2. Clearly designate responsible persons — under Art. 106 AMLA, a person in a senior management position must be designated.
  3. Document everything — retain training protocols, previous versions of the internal rules, correspondence with SANS, and risk assessments.
  4. Conduct real training — formally signing an attendance sheet without actual training does not meet the requirements.
  5. Align with the National Risk Assessment — it is publicly available on the SANS website.
  6. Include specific red flag examples — generic references to “suspicious transactions” are insufficient.
  7. Plan a budget — for expert appraisals, training, legal assistance, and technical solutions.
  8. Consider unified rules — if you have branches or subsidiaries, unified internal rules (Art. 101(4) AMLA) will save resources.

Frequently asked questions

Which entities must adopt internal AML rules and within what timeframe?
All entities listed in Art. 4 AMLA are obliged — banks, insurers, accountants, lawyers, notaries, real estate agents, NGOs with turnover exceeding EUR 10,226, and others. The deadline for adoption is 4 months from the entity’s registration (Art. 102 AMLA).

What must the internal rules contain?
Under Art. 101(2) AMLA, the internal rules must include: criteria for recognising suspicious transactions, an internal control system, an internal risk assessment system, measures proportionate to the activity, and procedures for establishing the source of funds. The recommended structure comprises 10 sections.

How often must the entity-level risk assessment be updated?
For banks and financial institutions — annually. For all other obliged entities — every 3 years. When a new National Risk Assessment is published, the update must be immediate.

Do the internal rules need to be submitted to SANS for approval?
No. The internal rules are not submitted to SANS for prior approval. The obligation is one of notification — you must notify SANS when the rules are adopted or updated (Art. 106(5) and Art. 107(4) AMLA).

What training must be conducted and how often?
Obliged entities must conduct induction training for every new employee and ongoing training at least once a year (Art. 101(11) AMLA, Art. 67(1) AML Regulation). Training must cover the regulatory framework, red flags, and reporting procedures.

What are the penalties for failing to adopt or update internal rules?
Penalties range from EUR 511 to EUR 5,113 for natural persons and from EUR 1,023 to EUR 10,226 for legal entities. For repeat violations — up to EUR 25,565. For severe or systemic violations, the penalty may reach EUR 1,022,584.

What are the specific requirements for NGOs under the AMLA?
NGOs with annual turnover exceeding EUR 10,226 (BGN 20,000) are obliged entities under the AMLA. They must adopt internal rules, carry out entity-level risk assessments, conduct training, and report suspicious transactions.

When must the internal rules be updated outside the regular cycle?
The internal rules must be updated when: (1) the AMLA, AML Regulation, or ZMFT is amended; (2) a new National Risk Assessment is published by SANS; (3) the guidelines of the European Supervisory Authorities are revised.

Conclusion

Internal AML rules are not a formality — they are the primary tool for managing money laundering and terrorist financing risks. Well-structured and up-to-date rules not only protect you from significant penalties (up to EUR 1,022,584) but also demonstrate a commitment to lawful and responsible business practices.

This article is for informational purposes only and does not constitute legal advice. For questions specific to your situation, please consult a qualified lawyer. The information is current as of the date of publication — 26 March 2026.

Need assistance?

The Innovires team can assist you with preparing, reviewing, or updating your internal AML rules tailored to the specifics of your business.