AML Rulebook in Bosnia and Herzegovina sets 90-day implementation deadline (12 May 2026)

The Council of Ministers of Bosnia and Herzegovina has enacted the Implementing Rulebook under the Anti-Money Laundering Act of Bosnia and Herzegovina (Pravilnik o provođenju zakona o sprečavanju pranja novca i finansiranja terorističkih aktivnosti), which applies as of 11 February 2026. The Rulebook sets a 90-day implementation window for entities subject to the AML Act, which expires on 12 May 2026.

Readers may remember our March 2024 Insight on the new Act on the Prevention of Money Laundering and Financing of Terrorism in Bosnia and Herzegovina (“AML Act”). We also wrote in May 2024 on its practical impact on business operations in BiH. This update focuses on the new compliance obligations introduced by the Implementing Rulebook.

Which entities are affected?

The Rulebook applies to all AML-obliged entities specified under the AML Act. This includes a broad set of businesses that handle client funds, facilitate payments, or support transactions involving assets, such as financial institutions, gaming operators and virtual-asset service providers. The law also applies to certain professional services, most notably auditors/accountants, tax advisers, lawyers and notaries.

What must be done by 12 May 2026

The AML-obliged entities must update their internal AML acts and procedures, such as onboarding packs and checklists, risk methodologies and monitoring escalation workflows, to align with the Rulebook, and embed them into day-to-day operations.

In parallel, within the same 90-day window, the supervisory authorities must issue and/or update sector guidance on risk analysis, to specify what they expect to see in the documentation of the supervised entities. The Implementing Rulebook instructs the supervisory authorities to consider international sector standards (for example, EBA for banking and IOSCO for securities).

Risk assessments

AML-obliged entities must have four distinct risk assessment outputs reflected in one or more documents.

  • Documented AML/TF risk assessment. This is a formal written assessment of the obliged entity’s exposure to the risk of money laundering and terrorist financing (“AML/TF”), which must reflect actual risks. It should also describe the policies, measures, actions and procedures to be applied to prevent and detect ML/TF. This assessment must be reviewed, updated and (re)submitted to the supervising authority at least annually, and more frequently if relevant changes occur.
  • Internal risk assessment program. This is a written framework describing how the obliged entity identifies, assesses and mitigates AML/TF risks (risk factors, scoring/criteria, controls, review triggers). This program is the basis for the documented AML/TF risk assessment mentioned above and for staff training on what information must be collected from the client during onboarding, how to assign and update risk ratings, when simplified or enhanced measures apply, and how monitoring and escalation work in practice.
  • Client / relationship / transaction risk assessments. This means assigning low/medium/high risk designations and calibrating due diligence and monitoring.
  • Change-triggered assessments. Such assessments are to be performed prior to material business changes or the introduction of new products, outsourcing of an activity, entering a new distribution channel, or adopting new technology.

Suspicious transaction indicator list

The indicator list is a structured set of red flags that staff and systems use in day-to-day work. It flags risk signals linked to the client (e.g., ownership and control concerns or unusual representatives), the transaction (unusual size, frequency, cash elements), the business relationship (inconsistent activities), and geographic or jurisdictional exposure. These indicators should be built into client onboarding checklists and monitoring rules.

The Implementing Rulebook clarifies that the Financial Intelligence Department (“FID”) within the State Investigation and Protection Agency of Bosnia and Herzegovina, together with the competent supervisors, issues, periodically updates, and publishes sector-specific indicator lists online. FID updates its published sector lists at least every two years. AML-obliged entities must embed those sector lists into their own internal indicator lists and keep those lists updated.

Reliance on third parties

The AML Act allows reliance on a qualifying third party for limited client due diligence steps. However, the obliged entity must satisfy itself that the third party is eligible under the AML Act for client due diligence purposes. Most importantly, client identification is not permitted without the client being present. The AML-obliged entity remains responsible for compliance notwithstanding outsourcing.

PEP screening

The Implementing Rulebook is explicit that PEP (politically exposed person) status cannot be determined solely based on the client’s statement. A client statement may support the assessment, but the AML-obliged entity must vet the person through additional sources (public/official records, reputable databases after a reliability check, and open-source checks). Internal/group data can support the assessment where available and permissible.

Low-risk categories

The Implementing Rulebook lists specific client types, such as public bodies and listed companies, and specific products/transactions, such as credit exposure to a client which does not exceed BAM 3,000 on an annual basis or a financial leasing arrangement where the total leasing fee does not exceed BAM 30,000, that may be treated as low risk if the AML-obliged entity’s underlying client/relationship risk assessment, conducted under its internal risk program, supports the low-risk classification.

Digital assets

Digital-asset activity is still widely treated as “high risk” by default in more conservative compliance environments, including in Bosnia and Herzegovina. In practice, this often translates into friction in onboarding and day-to-day operations: for example, enhanced scrutiny or refusals when opening bank accounts, stricter transaction monitoring, and constraints on servicing clients whose business model involves virtual-asset exposure.

The Implementing Rulebook introduces a specific low-risk benchmark for digital-asset transactions:

  • transaction value (or the value of a series of linked transactions) is below EUR 150; and
  • the value of the client’s aggregate digital-asset activity with the same AML-obliged entity does not exceed EUR 300 per month and EUR 2,000/year.

 
