Customer Due Diligence (KYC/CDD) under Bulgarian AML Law — Procedure, Documents and Sanctions (2026)

Published: 23 April 2026 | Last updated: 23 April 2026

Customer Due Diligence (CDD, often referred to as KYC) is the primary tool for counteracting money laundering and terrorist financing. Under Art. 10 of the Bulgarian Law on Measures Against Money Laundering (ZMIP), every obligated entity must identify the client, establish the beneficial owner, understand the purpose of the business relationship and maintain ongoing monitoring. The procedure is also the key line of defence before SANS during inspections.

In short: CDD under Art. 10 ZMIP includes 6 components — (1) identification and verification of the client, (2) identification of the beneficial owner, (3) purpose and nature of the relationship, (4) source of funds (in higher-risk cases), (5) PEP status screening, (6) ongoing monitoring and documentation. Three levels: simplified, standard, enhanced. Each risk decision is documented. Sanctions by the State Agency for National Security (SANS) under Art. 116 ZMIP: BGN 1,000 to 10,000 for individuals (EUR 511–5,113) and up to BGN 2,000,000 (EUR 1,022,584) for entities in regulated sectors for serious violations.

When CDD applies

Under Art. 11 ZMIP, obligated entities perform CDD in the following cases:

  • Establishment of business relations with a new client.
  • Single or linked operations above EUR 15,000 (or equivalent in another currency).
  • Money transfers above EUR 1,000 (specifically for banking and payment services).
  • Suspicion of money laundering or terrorist financing — regardless of amount or client status.
  • Doubt about authenticity of identification data previously provided.
  • Real estate transactions — regardless of value.
  • Transactions involving high-risk jurisdictions on the FATF and EC lists.

In regulated sectors (banks, investment intermediaries, insurance brokers, notaries), CDD is mandatory even below these thresholds.

Obligated entities (Art. 4 ZMIP). The list covers over 40 categories — banks, payment institutions, investment firms, insurers, accountants, lawyers, notaries, bailiffs, real estate brokers, tax advisers, auditors, public-benefit foundations, crypto-asset service providers (CASPs), crowdfunding platforms and more. See our separate articles on ZMIP for accountants and ZMIP for foundations and associations.

The six mandatory components of CDD (Art. 10 ZMIP)

1. Client identification and verification

Identification is performed via an official identity document:

  • Individual — national ID card, passport or foreigner’s card. A copy is kept (with explicit GDPR consent for processing).
  • Legal entity — registration documents (Commercial Register certificate, status not older than 6 months, articles of association, resolution appointing the representative).
  • Individual acting through a proxy — notarised power of attorney + identification of the proxy.

Verification is an additional step — data is checked against reliable and independent sources: public registers (Commercial Register, BULSTAT), official databases, licensed KYC providers (e.g. Jumio, Veriff).

2. Beneficial owner identification

The beneficial owner is the individual who ultimately owns or controls the client. Recognition threshold — 25% of capital or voting rights under §2(5) of the ZMIP transitional provisions. Sources:

  • Client declaration (Art. 42 ZMIP) — mandatory written form.
  • Register of beneficial owners in the Commercial Register (see our article on beneficial owners).
  • For complex structures — corporate documents, full ownership chain.

3. Purpose and nature of the business relationship

Questions to ask the client:

  • What is the purpose of the business relationship (service)?
  • What are the expected volumes and frequency of transactions?
  • What are the sources of funds and their economic basis?

Answers are documented in the client file and serve as a benchmark for future monitoring.

4. Source of funds

For higher-risk clients or single transactions above the threshold, documented justification of the funds is required:

  • Salary — payslips, employment contract.
  • Dividends or capital gains — general meeting resolutions, brokerage statements.
  • Inheritance or gift — certificates, tax returns.
  • Asset sale — contracts, tax documents.
  • Business income — tax returns, bank statements, financial statements.

5. PEP screening

Politically Exposed Persons (PEPs), their family members and close associates trigger mandatory enhanced due diligence. These include:

  • Heads of state, ministers, deputy ministers.
  • Members of parliament.
  • Judges on supreme and constitutional courts.
  • Members of central bank governing bodies.
  • Ambassadors and senior military officers.
  • Heads of state-owned enterprises.
  • Directors and officials in international organisations (EC, UN).

PEP screening is performed through specialised databases (World-Check, Dow Jones Risk). On confirmation — enhanced review and senior management approval.

6. Ongoing monitoring

CDD is not a one-off event. The obligated entity conducts ongoing monitoring of business relationships:

  • Comparison of transactions with the client’s expected profile.
  • Review of ownership or management changes.
  • Periodic refresh of the client file (usually every 1–3 years based on risk).
  • Timely Suspicious Transaction Report (STR) to SANS upon suspicion.

Three levels of CDD — risk-based approach

Level | When | Documents
Simplified CDD (Art. 15) | Low risk: listed companies, EU financial institutions, state authorities | Basic identification, no enhanced review; monitoring at reduced frequency
Standard CDD (Art. 10) | Ordinary client, no elevated risk | Identification, beneficial owner, purpose of relationship, source of funds documentation above threshold
Enhanced CDD (Art. 37) | PEP, high-risk countries (FATF grey/blacklist), offshore structures, complex ownership, unclear source | Full identification, mandatory source of funds, senior management approval, more frequent monitoring

High-risk indicators

  • Client from an EC list of high-risk third countries (Delegated Regulation 2016/1675).
  • PEP or family member of a PEP.
  • Trust companies, holding structures without substance.
  • Unusual transactions — volumes that do not match the business profile.
  • Cash payments above EUR 10,000.
  • Client who refuses or delays providing documents.

Mandatory CDD documentation

The client file under ZMIP must contain:

  • Identification documents — ID/passport copies, registration certificate, articles of association.
  • Beneficial owner declaration under Art. 42 ZMIP, signed by the client.
  • CDD questionnaire with completed answers on purpose, expected volumes, source of funds.
  • Risk assessment — written appraisal with risk level (low/medium/high) and justification.
  • PEP screening result — even if negative.
  • Source-of-funds documents in enhanced CDD.
  • Monitoring notes — reviews, updates, changes.
  • Senior management approval for enhanced CDD or high-risk relationships.

Retention: 5 years after termination of the business relationship (Art. 67 ZMIP). SANS investigation may extend this period.

What happens when CDD cannot be completed

Under Art. 17 ZMIP, the obligated entity must not establish business relations, conduct an operation or continue an existing relationship if:

  • The client fails to provide the required identification data.
  • The beneficial owner cannot be established.
  • The client cannot explain the purpose or source of funds despite requests.
  • There is reasonable doubt about the authenticity of data presented.

In such situations:

  1. Refuse to establish/execute the transaction.
  2. Terminate existing relationships.
  3. Consider filing a Suspicious Transaction Report (STR) to SANS under Art. 72 ZMIP.
  4. Document the refusal and its grounds.

Important: the Art. 17 refusal cannot be disclosed to the client (no-tipping-off rule). Disclosure of an STR filing is a separate sanctioned violation.

SANS sanctions for violations

The Financial Intelligence Directorate of SANS enforces ZMIP. Main sanctions under Art. 116 ZMIP:

Violation | Individual (BGN) | Entity (BGN)
CDD failure per client (Art. 10–17) | 1,000–10,000 | 2,000–20,000
Missing internal rules | 2,000–10,000 | 5,000–50,000
Missing training | 1,000–5,000 | 2,000–10,000
STR not filed despite suspicion | 3,000–10,000 | 10,000–100,000
Disclosure of STR to client (tipping-off) | 5,000–10,000 | 20,000–200,000
Systemic serious violations (banks, IFs) | | up to 2,000,000
Repeat offence | Double sanction | Double sanction

EUR equivalents (at 1.95583): BGN 1,000 ≈ EUR 511; BGN 10,000 ≈ EUR 5,113; BGN 2,000,000 ≈ EUR 1,022,584.

Beyond administrative sanctions, serious violations may also trigger criminal liability under Art. 253 of the Criminal Code (money laundering), with imprisonment from 1 to 8 years for participation in a criminal scheme.

Practical tips for implementing CDD

  1. Business-model risk assessment. Start by profiling your clients — predominantly individuals, corporate clients, foreign, high volumes. This determines the strictness of CDD.
  2. Standardised forms. Create a KYC questionnaire with all required fields. Avoid ad-hoc document collection.
  3. Electronic screening platform. For clients with international exposure, invest in a dedicated KYC platform (ComplyAdvantage, Refinitiv World-Check, LexisNexis).
  4. Periodic review. Define review intervals by risk — high risk every year, medium every 2, low every 3.
  5. Staff training. Mandatory under Art. 101 ZMIP; at least 4 hours per year.
  6. Process integration. CDD must be part of onboarding and transaction processes, not a parallel obligation.
  7. Written policy and procedures. Integrate CDD into ZMIP internal rules.
  8. Audit defence. Maintain a full audit trail per client. During SANS inspection, documentation is critical.

ZMIP text at lex.bg. SANS guidance at dans.bg.

Building or reviewing a CDD system?

From business-model risk assessment, through KYC questionnaire and procedure design, to training and defence in SANS inspections — the Innovires team supports obligated entities across the full AML framework. Tailored to your sector and client profile. Contact us for a diagnostic review of your current system.

Frequently asked questions

What do KYC and CDD mean?
KYC (Know Your Customer) and CDD (Customer Due Diligence) are the international terms for “comprehensive client verification” under Art. 10 ZMIP — identification, verification, risk assessment and ongoing monitoring.
Who must apply CDD?
Over 40 categories of obligated entities under Art. 4 ZMIP — banks, payment institutions, insurers, real-estate brokers, notaries, lawyers, accountants, crypto-asset service providers and others. Not every commercial company is obligated.
What threshold triggers CDD?
Single operation ≥ EUR 15,000 (or a series of linked operations above that amount). For bank transfers — EUR 1,000. Regardless of threshold — on establishing relationships, on suspicion, in real estate transactions.
What is a PEP?
Politically Exposed Person — head of state, minister, MP, senior judge, ambassador, central bank governor, etc. Identified via declaration and screening in international databases. PEPs trigger enhanced due diligence.
What is an STR?
Suspicious Transaction Report under Art. 72 ZMIP — written notification to SANS within 3 days. Disclosure to the client is prohibited (no-tipping-off).
How long are documents retained?
5 years after termination of the relationship (Art. 67 ZMIP). Under investigation — until closure. GDPR requires strict adherence.
What happens when a client is refused?
Refusal under Art. 17 ZMIP is lawful where CDD cannot be completed. Document the grounds in writing. In case of suspicion — file an STR to SANS.
Sanctions for non-CDD?
Individuals: BGN 1,000–10,000; entities: BGN 2,000–20,000. For banks and investment firms with systemic violations — up to BGN 2,000,000 (EUR 1,022,584). Repeat offences — double.