Skip to content
Case studiesPricingSecurityCompareBlog
GlossaryCountry guidesChecklistsROI Calculator

Europe

Americas

Oceania

All guides
🇵🇹

KYC Obligations in Portugal — Complete 2026 Guide

Comprehensive guide to KYC and anti-money laundering obligations in Portugal: Banco de Portugal requirements, Lei 83/2017, document verification, and best practices for obligated entities.

Regulators:Banco de Portugal
Key laws:Lei 83/2017, AMLD6
Last updated 2026-03-28

Regulatory Framework

Portugal has considerably strengthened its anti-money laundering framework in recent years, driven by European directives and FATF mutual evaluations. The foundational text is Lei n.º 83/2017 de 18 de agosto (Law No. 83/2017 of 18 August), which transposed the 4th EU Anti-Money Laundering Directive (AMLD4) and replaced the former Law No. 25/2008. This law was amended by Lei n.º 58/2020 to incorporate AMLD5 requirements, and by subsequent modifications for the transposition of AMLD6.

Banco de Portugal is the prudential supervisory authority for credit institutions, financial companies, payment institutions, and electronic money institutions. It is responsible for supervising AML/CFT compliance in the financial sector and has supervisory and sanctioning powers. ASF (Autoridade de Supervisão de Seguros e Fundos de Pensões) supervises the insurance and pension funds sector. CMVM (Comissão do Mercado de Valores Mobiliários) supervises securities markets and management companies.

UIF (Unidade de Informação Financeira), attached to the Polícia Judiciária, is Portugal's financial intelligence unit. It receives and analyses suspicious transaction reports (comunicações de operações suspeitas) transmitted by obligated entities and decides on referral to judicial authorities.

DCIAP (Departamento Central de Investigação e Ação Penal) is the public prosecutor's department specialising in the prosecution of economic and financial offences, including money laundering. The Portuguese system is characterised by close coordination between the UIF, DCIAP, and sectoral supervisory authorities.

Who Must Comply

Article 4 of Lei 83/2017 defines obligated entities (entidades obrigadas):

  • Credit institutions: commercial banks, savings banks (caixas económicas), mutual agricultural credit banks (caixas de crédito agrícola mútuo)
  • Financial companies: specialised credit companies, factoring companies, leasing companies
  • Payment institutions and electronic money institutions: fintechs, payment service operators
  • Insurance and reinsurance companies: for life insurance and capitalisation activities
  • Asset management companies and investment firms: SGFIM, venture capital companies
  • Virtual asset service providers: crypto-asset exchange platforms registered with the Banco de Portugal
  • Legal professions: lawyers (advogados), solicitadores, notaries (notários)
  • Accounting professions: official auditors (revisores oficiais de contas), certified accountants (contabilistas certificados)
  • Real estate agents: mediadores imobiliários
  • High-value goods dealers: for cash transactions exceeding EUR 10,000
  • Casinos and gaming operators: land-based casinos, online gaming operators authorised by the SRIJ
  • Non-profit organisations: foundations and public utility associations, under certain conditions

Portugal has also extended obligations to trust and company service providers, in accordance with AMLD5.

Customer Due Diligence Requirements

Standard Due Diligence (CDD)

Standard due diligence obligations (dever de identificação e diligência) are detailed in Articles 23 to 34 of Lei 83/2017:

Customer identification: for Portuguese residents, the Cartão de Cidadão (Citizen's Card, which combines identity card, social security card, health card, and tax card) is the reference document. For foreigners residing in Portugal, the residence permit or passport. For legal persons, registration in the Registo Comercial and the legal entity identification number (NIPC).

Identity verification: verification must be carried out through reliable and independent means. The Banco de Portugal has issued specific instructions (Aviso n.º 2/2018) detailing acceptable verification methods, including in-person verification, remote video identification verification under strict conditions, and the use of the Chave Móvel Digital (Portuguese digital mobile signature) system for electronic identification.

Beneficial owner identification (beneficiário efetivo): any natural person who directly or indirectly holds more than 25% of the capital or voting rights, or who exercises effective control by any other means. Portugal has established the RCBE (Registo Central do Beneficiário Efetivo), a central register of beneficial owners accessible to obligated entities, administered by the IRN (Instituto dos Registos e do Notariado).

Assessment of the purpose and nature of the business relationship: understanding the customer's activity, source of funds, and purpose of transactions.

Ongoing monitoring: regular updating of information and transaction monitoring to detect any inconsistency.

Enhanced Due Diligence (EDD)

Enhanced due diligence measures (medidas reforçadas de diligência) apply in the following situations:

  • Politically Exposed Persons (PEPs — pessoas politicamente expostas): the definition covers national, foreign, and international functions, as well as close family members and known associates. Management approval, clarification of source of wealth and funds, enhanced monitoring.
  • High-risk third countries: countries identified by the European Commission or the FATF.
  • Correspondent banking with third-country institutions: assessment of the correspondent institution's AML/CFT framework.
  • Complex or unusual transactions: transactions whose amount, modalities, or parties do not match the customer's profile.
  • Golden Visa programme: Portugal applies specific enhanced due diligence measures to the residence permit for investment (ARI) programme, due to identified money laundering risks in this sector. Additional source of funds checks and investor identity verification are required.

Required Documents

For natural persons:

  • Cartão de Cidadão (Portuguese residents) or passport/residence permit (foreign nationals)
  • NIF (Número de Identificação Fiscal)
  • Recent proof of address (comprovativo de morada)
  • Where applicable, source of funds documentation (for PEPs and ARI programme investors)

For legal persons:

  • NIPC (Número de Identificação de Pessoa Coletiva)
  • Certidão permanente from the Registo Comercial (online commercial register extract)
  • Up-to-date pacto social (articles of association)
  • Identity documents of gerentes (managers) or administradores (directors)
  • Registration in the RCBE (Registo Central do Beneficiário Efetivo)
  • Where applicable, powers of attorney

For non-resident entities:

  • Equivalent of commercial register extract from the country of origin, apostilled or legalised
  • Beneficial owner identification in accordance with Portuguese law requirements

Retention period: 7 years after the end of the business relationship or execution of the transaction (Portugal has opted for a period longer than the EU minimum of 5 years).

Reporting Obligations

Suspicious transaction reporting: obligated entities must report to the UIF (via the online system) any transaction or attempted transaction which they know, suspect, or have reasonable grounds to suspect is related to money laundering or terrorist financing. The report must be made immediately after the suspicion is formed.

Non-execution obligation: when a suspicion exists, the obligated entity must refrain from executing the suspicious transaction until it has reported to the UIF, unless abstention would compromise the pursuit of the customer or the transaction cannot reasonably be deferred.

Systematic reporting: certain operations must be systematically reported to the Banco de Portugal, including cross-border fund transfers above certain thresholds and cash operations exceeding EUR 15,000.

Non-disclosure obligation (dever de não divulgação): the obligated entity may not inform the customer or third parties of the report made to the UIF.

In 2024, the UIF received approximately 8,000 suspicious transaction reports, a volume in constant growth reflecting increased awareness across the Portuguese financial sector.

Penalties for Non-Compliance

Administrative sanctions:

  • Very serious offences: fine of EUR 50,000 to EUR 5,000,000 for legal persons, or up to 10% of annual turnover. For natural persons, fine of EUR 25,000 to EUR 5,000,000. Prohibition from holding management positions.
  • Serious offences: fine of EUR 25,000 to EUR 2,500,000 for legal persons. Temporary activity suspension.
  • Minor offences: fine of EUR 5,000 to EUR 500,000.

Criminal sanctions:

  • Money laundering (Article 368-A of the Código Penal) is punishable by 2 to 12 years' imprisonment
  • Terrorist financing (Article 5-A of Lei 52/2003) is punishable by 8 to 15 years' imprisonment
  • Failure to report a suspicious transaction may constitute a criminal offence

Publication of sanctions: sanction decisions are published on the websites of supervisory authorities, with identification of the sanctioned entity.

How CheckFile Helps

Portugal's KYC framework has specificities including the multi-function Cartão de Cidadão, the RCBE beneficial owner register, and enhanced requirements related to the Golden Visa programme. CheckFile offers an AI-powered document verification solution adapted to these particularities.

The platform automatically verifies the authenticity of the Portuguese Cartão de Cidadão, residence permits, and more than 6,000 international document types. The AI analyses document security features (chip, holograms, optically variable inks), extracts biographical data, and performs cross-validation with declared information. For Golden Visa-related verifications, CheckFile enables enhanced analysis of financial documents attesting to the origin of investment funds.

CheckFile generates a complete, timestamped audit trail, archived for the 7 years required by Portuguese legislation. API integration adapts to Portuguese banking systems and onboarding platforms, automating the verification process while maintaining the quality required by the Banco de Portugal. Processing complies with the GDPR with European data hosting.

FAQ

What documents are required for KYC in Portugal?

For Portuguese residents, the Cartão de Cidadão is the reference document, accompanied by the NIF. For foreign nationals, a residence permit or passport with NIF are required. For legal persons, the NIPC, certidão permanente from the commercial register, articles of association, directors' identity documents, and RCBE registration are needed. The retention period is 7 years after the end of the business relationship.

What are the penalties for KYC non-compliance in Portugal?

Penalties for very serious offences can reach EUR 5 million or 10% of annual turnover. Money laundering is punishable by 2 to 12 years' imprisonment. Terrorist financing carries 8 to 15 years' imprisonment. Sanctions are published with identification of the sanctioned entity, creating significant reputational risk.

How often must KYC checks be updated in Portugal?

Update frequency is risk-based. High-risk customers (PEPs, Golden Visa investors, high-risk countries) are reviewed annually. Standard-risk customers are reviewed every 3 years and low-risk customers every 5 years. Trigger events (change of beneficial owner, unusual transaction, external source information) require an immediate file update.

Frequently asked questions

Automate your compliance

CheckFile simplifies document verification compliant with local requirements.