KYC for SMEs: 7 obligations often overlooked in 2026

In 2024, 31% of the suspicious-activity reports received by Tracfin (the French anti-money-laundering financial intelligence unit, attached to the Ministry of Economy) came from non-financial businesses: real estate agencies, art dealers, precious-goods traders, regulated professions, online marketplaces. The FATF (Financial Action Task Force) report on France already flagged weaknesses in anti-money-laundering controls on these profiles. Since then, supervision has tightened, and SMEs (small and medium-sized enterprises) are on the front line.

The SMEs covered by anti-money-laundering rules (often without knowing it)

You run an SME and wonder whether you fall within the scope of KYC (Know Your Customer: verifying your clients' identity) and AML/CFT (anti-money-laundering and counter-financing of terrorism) rules? The answer is probably yes, and more often than you'd think.

Article L561-2 of the French Monetary and Financial Code lists the obliged professionals. Beyond banks, insurers and fintechs that are already well equipped, here are the SMEs that become obliged as soon as they cross an activity threshold:

  • Precious-goods traders (jewelry, metals, stones, watches): threshold of EUR 10,000 per transaction or per series of linked transactions
  • Art dealers and antique dealers: threshold of EUR 10,000, with no exception even for unique works
  • Real estate agents, property managers, building syndics: obliged with no threshold from the moment there is a transaction or mandate
  • Auction platforms (physical and online)
  • B2B and B2C marketplaces hosting transactions between third parties
  • Luxury vehicle sellers (cars, boats) above the threshold
  • Notaries and lawyers for financial operations, chartered accountants
  • Statutory auditors, wealth-management advisors
  • Corporate domiciliation providers, business-services providers

These SMEs typically discover they are obliged at the time of an inspection, or at the time of a late report. Reactive compliance then costs three to five times more than a preventive framework.

::: callout-info In brief

  • 201,437 suspicious-activity reports received by Tracfin in 2024
  • 31% from non-financial businesses
  • Generic vigilance threshold: EUR 10,000 per transaction
  • Sanctions: up to EUR 5M or 10% of turnover for a legal entity

:::

Obligation 1 — Formalized anti-money-laundering risk mapping

Every obliged SME must establish a mapping of its anti-money-laundering risks (article L561-4-1). Concretely, this document describes:

  • Client typologies: individuals, professionals, foreign nationals, politically exposed persons (PEPs — elected officials, senior civil servants, public-enterprise executives and their relatives)
  • Product or service typologies: cash, wire transfer, installment payment
  • Distribution channels: in person, remote, via a platform
  • Geographic activity zones

This mapping is the foundation of the risk-based approach, the guiding principle of the ACPR guidelines (the Autorité de contrôle prudentiel et de résolution, French banking and insurance supervisor). It can be requested at any time by the supervisor. Many SMEs don't have one, or rely on a version several years out of date.

Obligation 2 — Written client identification procedures

Your KYC due diligence must rest on written procedures answering four simple questions:

  • What to identify: civil status, beneficial owner, source of funds
  • How to identify: acceptable documents, vigilance levels — standard, simplified or enhanced
  • When: at onboarding, on periodic updates, on triggering events
  • Who: a designated compliance officer, and the operational team

These procedures must be readable by anyone in charge of welcoming a client. Annual staff training is a separate obligation (article L561-33).

Obligation 3 — Beneficial owner identification

For every corporate client, you must identify the beneficial owner, that is, the individual holding more than 25% of capital or exercising control. The available sources are the RBE (the French Beneficial Ownership Register, held by the commercial court clerks), the client's own declarations, and enrichment via corporate databases.

Missing beneficial-owner identification in the KYC file is one of the non-conformities the ACPR most frequently sanctions in non-financial businesses.

Obligation 4 — Ongoing vigilance throughout the client relationship

KYC is not a one-shot act. Vigilance is continuous (article L561-12). That means:

  • Periodic update of client information (typically yearly)
  • Detection of atypical operations: cash use, fragmentation, unusual destinations
  • Enhanced vigilance on politically exposed persons and high-risk clients
  • Retention of vigilance evidence for five years

Many SMEs run an initial identification and then perform no further updates. This gap is typically revealed during a bank alert or an inspection.

Obligation 5 — Tracfin suspicious-activity reporting

As soon as a serious doubt arises about the source of funds, about the beneficial owner, or about the purpose of an operation, you must file a suspicious-activity report with Tracfin via the ERMES portal (the official electronic reporting platform).

This report is confidential: you must not tip off the client. It is protected: you benefit from civil and criminal immunity provided you act in good faith. It is opposable: the evidence must be retained. In 2024, 31% of the 201,437 Tracfin reports came from non-financial businesses. This is a sign that compliance culture is spreading, and that non-reporting is heavily sanctioned.

Obligation 6 — KYC data retention for 5 years

All KYC elements (ID documents, supporting evidence, vigilance trails, client profile, suspicious-activity reports) must be kept five years after the end of the commercial relationship (article L561-12). Retention must also comply with GDPR, the EU's personal data regulation: proportionate duration, secure storage, client information.

The interplay between GDPR and anti-money-laundering rules was clarified by the CNIL (Commission nationale de l'informatique et des libertés, French data protection authority) in its 2025 guidelines. The legal basis for retention is legal obligation, the minimization principle applies, and client information must be simplified yet effective.

Obligation 7 — Designation of a Tracfin correspondent

Every obliged structure must designate a Tracfin correspondent — the operational point of contact in charge of reports. Depending on the size of the structure, a separate Tracfin reporting officer may be designated. For SMEs, the Tracfin correspondent is most often the executive themselves or the compliance officer.

This designation must be formal, communicated to Tracfin, and updated on every change.

::: callout-warning Frequent errors observed by Tracfin

  • Partial or outdated identification, without updates
  • Beneficial owner absent from the file
  • Suspicious-activity report omitted or filed late
  • Non-compliant retention: paper only, without rapid access
  • Risk mapping nonexistent or not updated

:::

Applicable sanctions

The anti-money-laundering sanctions regime is graduated (article L561-32):

  • Disciplinary sanctions: warning, formal reprimand, temporary ban on practice
  • Financial sanctions: up to EUR 1M for an individual, up to EUR 5M or 10% of turnover for a legal entity
  • Complementary sanctions: publication of the decision, withdrawal of license or professional card
  • Criminal sanctions: up to 5 years in prison for established complicity in money laundering

Beyond the figure, the reputational impact of a public sanction is lastingly damaging for an SME, particularly in regulated professions (real estate, luxury trade, art).

How to comply, simply

The pitfall for an SME is to over-size the framework. An independent jewelry shop does not need the same toolkit as a bank. Five pragmatic principles:

  • Map your actual risks, not a generic template copied across
  • Document simple procedures that are usable by your teams
  • Choose an eIDV (electronic identity verification) approach sized to your volume — for example, a data-driven verification without document scanning, in most cases
  • Train staff in contact with clients on a yearly basis
  • Document the mapping, procedures, training and ongoing vigilance

Transactional-data eIDV is particularly well suited to SMEs: it avoids the client-side ID scan, processes verifications in the back office, and delivers opposable proof compliant with eIDAS (the EU electronic identification regulation). Client-side friction is zero.

::: callout-success Use case: independent real estate agency

A five-person real estate agency structured its KYC framework in six weeks: risk mapping by transaction typology, identification procedure for seller and buyer, designation of the Tracfin correspondent, automated data-driven identity verification with no document scan. Annual cost under EUR 2,000 for opposable compliance.

:::

Euroleads's role for SMEs

With 45 years of French data expertise, since 2016 we have structured an eIDV approach suited to AML/CFT obliged entities of all sizes. Transactional-data verification is particularly effective for SMEs:

  • Pooled sources across 4,000 worldwide references
  • Back-office verification, zero client friction
  • eIDAS substantial or high assurance level depending on profile
  • Documented articulation between GDPR and anti-money-laundering rules
  • Pricing proportionate to SME volumes

You can also benefit from a free audit of your existing data, to measure your current data assets and what is achievable against your goals.
