KYC, KYB & AML compliance checklist
Tunisia KYC, KYB & AML
An implementation-focused checklist for fintechs, banks, financial institutions, payment institutions and other reporting persons operating in Tunisia. It translates the amended Organic Law No. 2015-26, current BCT sector rules, the National Register of Enterprises framework, targeted-financial-sanctions procedures and INPDP privacy formalities into operational controls and audit evidence.
- Reviewed
- 15 July 2026
- Version
- 1.2
- control areas
- 11
- implementation checks
- 59
Direct answer
What does the Tunisia compliance checklist cover?
The Tunisia checklist translates primary KYC, KYB and AML rules into 11 control areas and 59 implementation checks. It identifies the relevant authorities, customer and beneficial-owner controls, reporting duties, recordkeeping expectations and evidence teams should retain.
Key regulatory facts
- Primary AML law
- Organic Law No. 2015-26, as amended
- Financial intelligence unit
- CTAF
- Banking and payments authority
- BCT
- Privacy authority
- INPDP
- Core AML record period
- At least 10 years
- FATF status
- Not under increased monitoring
Implementation detail
Tunisia compliance requirements and actions
Open each control area to review the requirement, recommended implementation action, evidence to retain and the primary-source citation used by the research team.
01Confirm scope, authorities and permissionsDetermine first whether each activity falls within the general reporting-person perimeter and then add the rules of the competent sector supervisor.6 items+
Document whether each entity and activity is within Article 107's reporting-person perimeter.
- Implementation action
- Map products and legal entities to banks and financial institutions, microfinance institutions, the National Post Office, securities intermediaries and portfolio managers, exchange offices, insurance businesses, or the specified designated non-financial businesses and professions. Do not assume that every commercial business is an Article 107 reporting person.
- Evidence to retain
- Signed perimeter memorandum; entity-product matrix; accountable supervisor mapping.
- Primary citation
- Organic Law No. 2015-26, as amended, art. 107
Recognise CTAF as the national FIU and reporting authority.
- Implementation action
- Maintain a controlled route for reports, information requests and freeze instructions. CTAF is established at BCT under Article 118 and receives and analyses suspicious reports under Article 120.
- Evidence to retain
- CTAF reporting procedure; nominated contacts; secure access register.
- Primary citation
- Organic Law No. 2015-26, as amended, arts. 118 and 120
Obtain BCT approval before conducting regulated banking, financial or payment-institution activity.
- Implementation action
- Classify the proposed service under the licensing provisions of Law No. 2016-48 and the Commission d'agrement approval procedure in Decision No. 2017-04, as amended by Decision No. 2019-20. A technology, agent or outsourcing label does not remove the licensed institution's responsibility or create an exemption.
- Evidence to retain
- Licence or approval; legal perimeter opinion; service-to-permission mapping; approval-procedure file.
- Primary citation
- Law No. 2016-48, licensing provisions; Commission d'agrement Decision No. 2017-04, as amended by Decision No. 2019-20
Apply payment rules only to entities and services within their stated scope.
- Implementation action
- For payment institutions, map accounts, cash services, transfers, remote payments and prepaid electronic-money distribution to BCT Circular No. 2018-61. The official BCT PDF filename says Cir_2018_16_fr.pdf, but the instrument's cover and operative text identify it as Circular No. 2018-61. Separately map domestic mobile-payment roles under Circular No. 2020-11.
- Evidence to retain
- Payment-service inventory; role map; licence conditions; mobile-payment scheme assessment.
- Primary citation
- BCT Circular No. 2018-61, arts. 1-4; BCT Circular No. 2020-11, arts. 1-3
Apply the current exchange-office AML/CFT/CPF framework only to bureaux de change within its scope.
- Implementation action
- Exchange offices must map BCT Circular No. 2026-02 into their sector programme, including customer due diligence, beneficial-owner and PEP controls, AML/CFT/CPF governance, immediate suspicious reporting through goAML and applicable supervisory sanctions. Do not present this exchange-office circular as a universal rule for all Article 107 reporting persons.
- Evidence to retain
- Exchange-office licence; Circular No. 2026-02 control map; CDD and PEP procedures; goAML access; sanctions register.
- Primary citation
- BCT Circular No. 2026-02
Assign owners for AML, payments, registry, sanctions and privacy obligations.
- Implementation action
- Maintain a responsibility matrix covering CTAF reporting, BCT filings, RNE checks, targeted freezes, INPDP formalities, outsourcing and regulatory change. Treat Article 115 as a direction to supervisory authorities to establish risk-based programmes and practical measures; ground each institution's policy, appointments, audit and training duties in the sector instrument applicable to that institution.
- Evidence to retain
- RACI; appointment records; committee terms; regulatory calendar; sector-obligation map.
- Primary citation
- Organic Law No. 2015-26, arts. 115 and 120; applicable BCT or other sector instrument
02Build a risk-based AML/CFT/CPF programmeThe programme must join governance, risk assessment, controls, training and assurance while preserving sector-specific requirements.5 items+
Maintain written AML/CFT policies, monitoring and internal controls under the applicable sector instrument.
- Implementation action
- Cover customer due diligence, beneficial ownership, PEPs, sanctions, transaction monitoring, reporting, records, new products, non-face-to-face relationships, groups and outsourcing. Article 115 directs supervisory authorities to establish risk-based programmes and practical measures; it is not, by itself, the institution-level source for every policy control.
- Evidence to retain
- Approved policy suite; control library; procedure owners; review log; sector-rule mapping.
- Primary citation
- Organic Law No. 2015-26, arts. 108-115; BCT Circular No. 2017-08 as amended by No. 2025-17, or other applicable sector instrument
Designate responsible staff, assure controls and provide continuing training under the applicable sector instrument.
- Implementation action
- Create a suspicious-activity monitoring and escalation system, appoint reporting personnel, test control effectiveness and provide role-specific continuing training to the extent required by the BCT or other sector rules governing the institution. Do not attribute these institution-level duties solely to Article 115.
- Evidence to retain
- Appointment letters; training records; monitoring plan; control-test results; applicable-sector analysis.
- Primary citation
- BCT Circular No. 2017-08 as amended by No. 2025-17; BCT Circular No. 2026-02 for exchange offices; other applicable sector instruments; Organic Law No. 2015-26, art. 115
For BCT institutions within scope, assess money-laundering, terrorist-financing and proliferation-financing risk under the current circular.
- Implementation action
- Assess customers, products, services, delivery technologies and geographies, using national assessments and reliable external information. Document risk treatment and make the report available to BCT.
- Evidence to retain
- Institutional risk assessment; methodology; mitigation plan; BCT submission record.
- Primary citation
- BCT Circular No. 2017-08, art. 4, as replaced by BCT Circular No. 2025-17, art. 2
Apply the three-year assessment update rule only to institutions covered by BCT Circular No. 2025-17.
- Implementation action
- Update the documented BCT risk assessment at least every three years and sooner after a significant event, relevant regulatory change, new authority information or updated national risk assessment. Do not present this sector interval as a universal Article 107 rule.
- Evidence to retain
- Dated assessment cycle; event-trigger log; change analysis; governance approval.
- Primary citation
- BCT Circular No. 2025-17, art. 2 replacing Circular No. 2017-08, art. 4
Assess new technology and remote-delivery risks before use.
- Implementation action
- Evaluate impersonation, fraud, cyber, data, channel and AML risks before launching new products, practices, technology or delivery methods and implement proportionate mitigating controls.
- Evidence to retain
- Pre-launch risk assessment; threat model; control acceptance; launch decision.
- Primary citation
- Organic Law No. 2015-26, art. 112
03Identify and verify individual customersCDD must establish the customer, any representative, the beneficial owner and the purpose of the relationship using reliable evidence.6 items+
Do not open or maintain clearly anonymous or fictitious-name accounts.
- Implementation action
- Configure onboarding and account controls to require a verified legal identity and detect placeholder, fabricated or materially inconsistent identity data.
- Evidence to retain
- Account-opening rules; blocked test cases; exception log.
- Primary citation
- Organic Law No. 2015-26, art. 108(1)
Identify and verify regular and occasional customers from official documents and reliable independent sources.
- Implementation action
- Collect the identity data needed to identify the person and verify it against valid official documents and other reliable independent information appropriate to the risk and channel.
- Evidence to retain
- Customer file; document and database checks; verification provenance.
- Primary citation
- Organic Law No. 2015-26, art. 108(1)
Identify the person for whose benefit a transaction is conducted and verify representatives and authority.
- Implementation action
- Identify the beneficiary of the operation, verify any person managing rights for that beneficiary, and verify the identity and authority of anyone acting for the customer.
- Evidence to retain
- Beneficiary record; representative ID; mandate or power; verification result.
- Primary citation
- Organic Law No. 2015-26, art. 108(2)
Establish the purpose and intended nature of the business relationship.
- Implementation action
- Record expected products, activity, source and destination patterns, counterparties and business rationale sufficient to set a customer-risk and monitoring profile.
- Evidence to retain
- Customer profile; expected-activity baseline; risk score and rationale.
- Primary citation
- Organic Law No. 2015-26, art. 108(4)
Apply CDD at the statutory triggers without inventing a universal monetary threshold.
- Implementation action
- Trigger CDD when establishing a relationship, for occasional transactions at or above the amount set by the Finance Minister or involving electronic transfers, whenever ML/TF is suspected, and whenever existing identity data appears unreliable or insufficient. Maintain the currently applicable threshold in a controlled register.
- Evidence to retain
- Trigger matrix; current-threshold register; workflow rules; test results.
- Primary citation
- Organic Law No. 2015-26, art. 108
Refuse or end activity when required identity data cannot be trusted or completed.
- Implementation action
- Do not open or continue an account or relationship and do not execute the transaction where identity data cannot be verified, are insufficient or are manifestly fictitious; consider filing a suspicious report.
- Evidence to retain
- Decline or exit record; investigation decision; STR consideration log.
- Primary citation
- Organic Law No. 2015-26, art. 108, final paragraph
04Verify businesses and beneficial ownersKYB must establish legal existence, management, ownership, control and the natural persons who ultimately own or control the customer.6 items+
Verify the legal person or arrangement and its operating identity.
- Implementation action
- Obtain reliable evidence of legal form, registered office, capital distribution, managers and persons responsible for the entity, together with constitutional, registry and authority records appropriate to the customer.
- Evidence to retain
- Current RNE extract; constitutive documents; management list; address and authority checks.
- Primary citation
- Organic Law No. 2015-26, art. 108(2)
Identify the beneficial owner and take reasonable measures to verify that identity.
- Implementation action
- Trace ownership and control through every layer to natural persons, use reliable information and record why the analysis supports the identified beneficial owner.
- Evidence to retain
- Ownership chart; control analysis; source records; verified BO files.
- Primary citation
- Organic Law No. 2015-26, arts. 3 and 108(3)
Apply the CTAF beneficial-owner cascade and threshold accurately.
- Implementation action
- Under CTAF Decision No. 2018-10, identify natural persons holding directly or indirectly at least 20% of capital or voting rights; if identity remains doubtful or no one is identified, identify control by other means; if still unresolved, identify the natural person holding the senior management position. Apply the decision's separate party-based analysis for trusts and similar arrangements.
- Evidence to retain
- Percentage calculation; other-control analysis; senior-manager fallback rationale; trust-party file.
- Primary citation
- CTAF Decision No. 2017-03, as amended by Decision No. 2018-10, arts. 6-8
Reconcile the applicable sector definition rather than silently merging thresholds.
- Implementation action
- BCT Circular No. 2017-08 defines a beneficial owner for covered BCT institutions using more than 20% of capital or voting rights together with ultimate ownership or effective-control concepts. Record which legal and sector text governs the case and apply the stricter control where necessary.
- Evidence to retain
- Threshold mapping; sector legal analysis; approved KYB rule configuration.
- Primary citation
- BCT Circular No. 2017-08, art. 2, as amended; CTAF Decision No. 2018-10
Apply the National Register of Enterprises beneficial-owner cascade.
- Implementation action
- For the NRE framework, identify natural persons who directly or indirectly hold at least 20% of capital or voting rights. If no person is identified through ownership, identify control by other means; if the analysis still identifies no natural person, record the senior-manager fallback under Government Decree No. 2019-54.
- Evidence to retain
- NRE threshold calculation; layered ownership chart; other-control analysis; senior-manager fallback rationale.
- Primary citation
- Law No. 2018-52; Government Decree No. 2019-54
Use the National Register of Enterprises without treating it as conclusive CDD.
- Implementation action
- Verify registration, filings and beneficial-owner declarations under Law No. 2018-52, Government Decree No. 2019-54 and current RNE procedures; reconcile discrepancies with customer evidence and investigate rather than relying solely on a registry extract.
- Evidence to retain
- RNE extract; BO declaration or non-filing certificate; discrepancy case; independent corroboration.
- Primary citation
- Law No. 2018-52; Government Decree No. 2019-54; RNE beneficial-owner services; Order of the Head of Government dated 13 January 2026
05Apply PEP, enhanced and remote due diligenceHigher-risk relationships require stronger approval, source and monitoring controls; sector-specific digital onboarding rules must remain distinct.5 items+
Identify domestic, foreign and international-organisation PEPs, including relevant relatives and connected persons.
- Implementation action
- Use risk-based systems capable of determining whether the customer or beneficial owner currently or formerly holds the covered public, political or international-organisation function and assess the connected-person relationship.
- Evidence to retain
- PEP screening record; relationship analysis; match disposition.
- Primary citation
- Organic Law No. 2015-26, art. 110
Obtain senior approval and establish source of funds for PEP relationships.
- Implementation action
- Obtain approval from the legal entity's manager before starting or continuing the relationship, apply tight continuous monitoring and take reasonable measures to identify source of funds.
- Evidence to retain
- Source-of-funds review; corroborating records; senior approval; monitoring plan.
- Primary citation
- Organic Law No. 2015-26, art. 110
Apply enhanced attention to higher-risk countries and relationships.
- Implementation action
- Identify customers and relationships connected to countries that do not or insufficiently apply international AML/CFT standards and apply documented measures proportionate to the identified risk.
- Evidence to retain
- Country-risk methodology; enhanced review; approval and monitoring settings.
- Primary citation
- Organic Law No. 2015-26, art. 112
Control non-face-to-face relationship risk.
- Implementation action
- Maintain systems specifically designed to manage relationships conducted without physical presence, including document integrity, impersonation, device, fraud and escalation controls.
- Evidence to retain
- Remote-onboarding standard; vendor assessment; control tests; exception cases.
- Primary citation
- Organic Law No. 2015-26, art. 112
For banks, meet the current electronic-enrollment standard.
- Implementation action
- Where a bank enrolls customers electronically, implement board-approved procedures, risk mapping, proportionate authentication, reliable document verification, real-presence or liveness controls, biometric matching where used, screening, performance monitoring and incident management. Achieve identity assurance at least equivalent to physical presence.
- Evidence to retain
- Board approval; end-to-end process map; liveness and matching tests; performance register; incident log.
- Primary citation
- BCT Circular No. 2025-06, arts. 1-7
06Monitor activity and report suspicionMonitoring must remain aligned with current customer information and route suspicion immediately and confidentially to CTAF.5 items+
Keep customer identity information current and conduct ongoing vigilance.
- Implementation action
- Refresh data on risk-based and event-driven triggers, then examine transactions for consistency with known activity, risk profile and, where necessary, source of funds.
- Evidence to retain
- Refresh rules; event triggers; completed reviews; overdue dashboard.
- Primary citation
- Organic Law No. 2015-26, art. 109
Examine complex, unusually large or apparently purposeless activity and record the result.
- Implementation action
- Investigate the context and purpose of complex operations, unusually high amounts and unusual transactions lacking an apparent economic or lawful purpose; record findings in writing and make them available to supervisors and auditors.
- Evidence to retain
- Written special-examination report; supporting data; reviewer sign-off.
- Primary citation
- Organic Law No. 2015-26, art. 126
Report covered suspicion and attempted activity immediately in writing to CTAF.
- Implementation action
- File when an operation or transaction, including an attempt, is suspected of direct or indirect connection to proceeds of an unlawful act classified as an offence or crime, or to financing persons, organisations or activities connected with terrorist offences. File after execution as well if new information creates the suspicion.
- Evidence to retain
- STR decision; filing receipt; chronology; restricted case file.
- Primary citation
- Organic Law No. 2015-26, art. 125
For institutions within BCT Circular No. 2025-17, submit immediate reports through goAML.
- Implementation action
- Use the CTAF goAML platform and its current technical procedures. Do not use the unsupported ten-day timing stated in some secondary materials; the governing law and current BCT rule require immediate reporting.
- Evidence to retain
- goAML access; filing procedure; receipt; timing audit.
- Primary citation
- BCT Circular No. 2025-17, art. 6; Organic Law No. 2015-26, art. 125
Prevent tipping off and implement CTAF temporary-freeze instructions.
- Implementation action
- Do not tell the affected party about the report or resulting measures. On written CTAF instruction, temporarily freeze the assets linked to the report and place them in a suspense account until the legally prescribed outcome.
- Evidence to retain
- Confidentiality controls; access logs; freeze workflow; regulator correspondence.
- Primary citation
- Organic Law No. 2015-26, arts. 127-132
07Implement targeted financial sanctionsUN and national designations require immediate operational controls distinct from ordinary suspicious-transaction investigations.5 items+
Screen customers, beneficial owners, controllers and transactions against applicable UN and national designations.
- Implementation action
- Screen at onboarding, on list changes, on material customer changes and before relevant transactions; include aliases, transliteration and ownership or control analysis.
- Evidence to retain
- List inventory; screening configuration; update logs; match files.
- Primary citation
- Organic Law No. 2015-26, art. 103; Government Decree No. 2019-419 as amended by No. 2019-457
Freeze covered funds and assets without delay and prevent making resources available.
- Implementation action
- Create an always-available legal and technical path to freeze funds and other assets and prevent direct or indirect availability to designated persons, organisations and entities under the applicable UN or national decision.
- Evidence to retain
- Freeze procedure; system tests; incident timeline; decision record.
- Primary citation
- Organic Law No. 2015-26, art. 103; Government Decree No. 2019-419 as amended
Notify the National Counter-Terrorism Commission and provide useful implementation information.
- Implementation action
- Follow the notification, information, delisting, unfreezing and false-positive procedures in the 2019 decree framework and current CNLCT instructions.
- Evidence to retain
- Notification template; filing record; authority correspondence; release decision.
- Primary citation
- Organic Law No. 2015-26, art. 103; Government Decrees No. 2019-419 and No. 2019-457
For BCT-covered institutions, manage proliferation-financing risk and BCT sanctions reporting.
- Implementation action
- Include UN targeted-financial-sanctions evasion in proliferation-financing risk. Submit the required quarterly frozen-assets statement to BCT within 20 working days after quarter-end, covering UN, national and proliferation-financing freezes.
- Evidence to retain
- PF risk controls; frozen-assets register; quarterly return; submission receipt.
- Primary citation
- BCT Circular No. 2025-17, arts. 2 and 8
Keep sanctions and STR decisions separate but coordinated.
- Implementation action
- Execute a legally required freeze without waiting for an STR decision, then separately assess CTAF reporting and preserve confidentiality across both workflows.
- Evidence to retain
- Decision matrix; linked case records; role-based access; audit trail.
- Primary citation
- Organic Law No. 2015-26, arts. 103, 125 and 127
08Retain records and support reconstructionRecords must permit reconstruction of transactions, customer decisions and persons involved over the statutory period.5 items+
Keep AML records for at least 10 years from transaction completion or account closure.
- Implementation action
- Retain ledgers, books and other physical or electronic records so the stages of an operation or transaction can be reviewed, the parties identified and the reliability of the transaction assessed.
- Evidence to retain
- Retention schedule; lifecycle configuration; sample retrieval.
- Primary citation
- Organic Law No. 2015-26, art. 113
Apply the correct retention event to each record class.
- Implementation action
- Use transaction completion for transaction records and account closure for account-linked records; preserve legal holds and longer periods where another applicable law or authority instruction requires them.
- Evidence to retain
- Record-class matrix; clock rules; legal-hold procedure.
- Primary citation
- Organic Law No. 2015-26, art. 113
For payment institutions, keep payment-operation registers for at least 10 years from execution.
- Implementation action
- Preserve identifiers, amounts, dates, parties, account or wallet references, agent data, screening and decision history sufficient for full payment reconstruction.
- Evidence to retain
- Payment register; data-lineage map; reconstruction test.
- Primary citation
- BCT Circular No. 2018-61, art. 12
Preserve written unusual-transaction analysis and reporting evidence securely.
- Implementation action
- Separate STR, sanctions and special-examination files from ordinary service access while keeping them retrievable for authorised CTAF, BCT, supervisory and audit requests.
- Evidence to retain
- Access matrix; immutable logs; disclosure register; retrieval test.
- Primary citation
- Organic Law No. 2015-26, arts. 113, 121, 124, 126 and 127
Test record completeness and recoverability.
- Implementation action
- Periodically reconstruct selected onboarding, ownership, payment, alert and reporting cases from source data through final decision and remediate missing lineage.
- Evidence to retain
- Sample test results; defects; remediation evidence; management reporting.
- Primary citation
- Organic Law No. 2015-26, arts. 113 and 115
09Protect personal and biometric dataKYC and monitoring data remain subject to Tunisia's privacy law and INPDP formalities even when processing supports a regulatory obligation.5 items+
Define a specific, lawful purpose for each personal-data processing operation.
- Implementation action
- Map identity, biometric, contact, device, transaction, screening and investigation data to stated purposes, recipients, systems, retention and security controls; separate mandatory compliance use from optional analytics or marketing.
- Evidence to retain
- Data inventory; processing register; purpose and necessity assessment.
- Primary citation
- Organic Law No. 2004-63
Submit an INPDP declaration for each processing purpose before processing.
- Implementation action
- Classify each purpose and complete the declaration required by Article 7 using the procedure and supporting documents specified by INPDP and Decree No. 2007-3004.
- Evidence to retain
- INPDP declaration; receipt; purpose-to-filing matrix.
- Primary citation
- Organic Law No. 2004-63, art. 7; Decree No. 2007-3004; INPDP forms
Obtain additional INPDP authorisation where the processing category requires it.
- Implementation action
- In addition to the declaration, seek prior authorisation for biometric processing, transfers abroad and the other categories identified by Articles 13 and 14 and current INPDP forms. Do not treat customer consent as a substitute for the authority filing.
- Evidence to retain
- Authorisation application and decision; data-flow map; production gate.
- Primary citation
- Organic Law No. 2004-63, arts. 13-14; Decree No. 2007-3004; INPDP forms
Minimise and secure identity evidence throughout its lifecycle.
- Implementation action
- Collect only necessary data, restrict access, encrypt appropriately, log use, validate deletion, manage incidents and test processors in proportion to identity, biometric and financial-crime risk.
- Evidence to retain
- Data-minimisation review; security architecture; access logs; deletion and incident tests.
- Primary citation
- Organic Law No. 2004-63; Decree No. 2007-3004
Operationalise data-subject information and rights subject to lawful AML retention and confidentiality limits.
- Implementation action
- Provide the required information, authenticate requests and document any lawful restriction arising from AML recordkeeping, STR confidentiality, investigations or sanctions controls.
- Evidence to retain
- Privacy notice; request workflow; response log; restriction rationale.
- Primary citation
- Organic Law No. 2004-63; Organic Law No. 2015-26, arts. 113, 124 and 127
10Operate payment and mobile-payment controlsLicensed payment operations add safeguarding, governance, security, agent and scheme controls to the general AML framework.6 items+
Provide only the payment services and geographic-currency scope allowed by the licence and BCT rules.
- Implementation action
- Map payment accounts, cash-in and cash-out, direct debits, payments, transfers, remote payments and prepaid electronic-money distribution to the approval. Circular No. 2018-61 limits covered payment-institution services to Tunisian dinars within Tunisia, subject to specific foreign-transfer authority where applicable.
- Evidence to retain
- Licence conditions; product map; currency and geography controls.
- Primary citation
- BCT Circular No. 2018-61, arts. 2-4
Maintain payment-institution governance, control, traceability and resilience.
- Implementation action
- Operate proportionate governance, audit and risk oversight, real-time transaction recording, fraud and intrusion prevention, personal-data controls, operational and cyber-risk management, a tested continuity plan and the prescribed security audit.
- Evidence to retain
- Governance records; system architecture; continuity test; security-audit report; incident file.
- Primary citation
- BCT Circular No. 2018-61, arts. 5-10
Apply AML controls and the applicable customer-identification tier to every payment account.
- Implementation action
- Treat payment institutions as subject to the BCT AML-control circular through Article 11, and configure each account level according to the identification and operating limits in Article 14. Maintain current regulatory values rather than copying thresholds into uncontrolled product code.
- Evidence to retain
- Account-tier matrix; AML control mapping; configuration approval; test cases.
- Primary citation
- BCT Circular No. 2018-61, arts. 11 and 14; BCT Circular No. 2017-08 as amended
Safeguard customer funds in the separate global account and reconcile them.
- Implementation action
- Keep the global account balance aligned with all customer payment-account balances, prohibit use for the institution's own operating needs, maintain holder-level allocation and perform the required reconciliation.
- Evidence to retain
- Depository agreement; global-account ledger; customer allocation; reconciliation and shortfall log.
- Primary citation
- BCT Circular No. 2018-61, arts. 20-23
Control payment agents under the institution's continuing responsibility.
- Implementation action
- Select, train and monitor agents, notify BCT as required, contract the permitted services, verify capacity and integrity, and ensure agents apply the same customer-identification standard. Do not use agents to open payment accounts remotely where the circular prohibits it.
- Evidence to retain
- Agent policy; due-diligence file; BCT notice; contract; training and monitoring records.
- Primary citation
- BCT Circular No. 2018-61, arts. 24-30
Map domestic mobile-payment roles and scheme obligations.
- Implementation action
- Identify the wallet issuer, acquirer, participant, agent and mobile-switch roles and implement Circular No. 2020-11 controls for interoperability, security, customer protection, AML and operational responsibility.
- Evidence to retain
- Scheme role map; participant agreements; control matrix; operational tests.
- Primary citation
- BCT Circular No. 2020-11
11Launch, oversee and evidence complianceA publication-ready policy is not enough; each control needs an owner, system implementation and evidence that can survive supervisory review.5 items+
Run a documented pre-launch regulatory gate.
- Implementation action
- Confirm perimeter, licence, CTAF registration and reporting access, CDD and BO rules, PEP and sanctions controls, monitoring, records, RNE access, INPDP filings, safeguarding, agents, outsourcing and incident readiness before production.
- Evidence to retain
- Launch checklist; accountable approvals; unresolved-risk register.
- Primary citation
- Organic Law No. 2015-26; applicable BCT, RNE, CNLCT and INPDP instruments
Control reliance and outsourcing without transferring legal responsibility.
- Implementation action
- Assess providers, obtain required customer data immediately, ensure prompt access to identity records, contract security and audit rights and maintain the reporting person's responsibility for verification.
- Evidence to retain
- Provider assessment; contract; data-access test; exit plan.
- Primary citation
- Organic Law No. 2015-26, art. 108(5); applicable BCT outsourcing rules
Maintain regulatory-change monitoring with sector ownership.
- Implementation action
- Track CTAF decisions, BCT circulars and notes, RNE procedures, CNLCT lists and decrees, INPDP formalities and FATF statements; assess each change against product configuration and customer files.
- Evidence to retain
- Legal inventory; change alerts; impact assessments; implementation tickets.
- Primary citation
- CTAF, BCT, RNE, CNLCT, INPDP and FATF official publications
Test controls independently and remediate findings.
- Implementation action
- Use risk-based compliance monitoring and independent audit to test onboarding, BO, PEP, sanctions, payment, monitoring, STR, privacy and recordkeeping controls; report material issues to governance bodies.
- Evidence to retain
- Monitoring plan; audit reports; issue register; closure evidence.
- Primary citation
- Organic Law No. 2015-26, art. 115; applicable BCT internal-control circulars
Preserve a defensible implementation record.
- Implementation action
- For each material rule, retain the source, interpretation, configuration, test, owner, approval and effective date so the organisation can explain not only what the control is, but why it is correctly implemented.
- Evidence to retain
- Obligations register; control-to-law map; approvals; release and test history.
- Primary citation
- Organic Law No. 2015-26, arts. 113 and 115; BCT Circular No. 2025-17

11 control areas and 59 implementation checks, with direct regulatory sources.
Download the Tunisia KYC, KYB & AML checklist
Share your work details for immediate access to the source-linked Tunisia implementation checklist. Regulatory review date: 15 July 2026.
Get the PDF immediately
Submit your details and the download starts automatically
Reviewed and source-linked
Version 1.2, reviewed 15 July 2026
Trusted by leading compliance teams
Primary-source register
24 sources used for this checklist
Use these links to verify the underlying legislation, regulator guidance, reporting procedures and international status statements.
- Organic Law No. 2015-26 as amended by Organic Law No. 2019-9, English consolidationCTAF · Primary legislation
- CTAF mandate, Article 107 scope and Article 125 reporting guidanceCTAF · Official FIU portal
- BCT circulars and notes, including 2025 and 2026 instrumentsCentral Bank of Tunisia · Official regulatory register
- BCT Circular No. 2017-08 on AML/CFT internal controlsCentral Bank of Tunisia · Primary regulation
- BCT Circular No. 2025-17 on AML/CFT/CPF internal controlsCentral Bank of Tunisia · Primary regulation
- BCT Circular No. 2025-06 on electronic customer enrollmentCentral Bank of Tunisia · Primary regulation
- BCT Circular No. 2018-61 governing payment institutions (the official filename misleadingly reads Cir_2018_16_fr.pdf)Central Bank of Tunisia · Primary regulation
- Commission d'agrement Decision No. 2017-04 on approval procedures, as amended by Decision No. 2019-20Central Bank of Tunisia · Primary licensing procedure
- BCT Circular No. 2026-02 governing bureaux de changeCentral Bank of Tunisia · Primary sector regulation
- BCT Circular No. 2020-11 on domestic mobile-payment servicesCentral Bank of Tunisia · Primary regulation
- Law No. 2018-52 on the National Register of EnterprisesCTAF / Republic of Tunisia · Primary legislation
- Government Decree No. 2019-54 establishing the NRE beneficial-owner cascadeRepublic of Tunisia · Primary regulation
- National Register of Enterprises legal framework and beneficial-owner servicesNational Register of Enterprises · Official registry guidance
- Order of the Head of Government of 13 January 2026 on access to beneficial-owner informationNational Register of Enterprises / Republic of Tunisia · Primary regulation
- Government Decree No. 2019-419 as amended by No. 2019-457National Counter-Terrorism Commission · Primary sanctions framework
- Tunisian personal-data protection textsINPDP · Official legislation portal
- Organic Law No. 2004-63 on personal-data protectionINPDP · Primary legislation
- Decree No. 2007-3003 on the operation of INPDPINPDP · Primary regulation
- Decree No. 2007-3004 on declarations and authorisationsINPDP · Primary regulation
- Personal-data declarations and prior-authorisation formsINPDP · Official compliance procedure
- Jurisdictions under increased monitoring, 19 June 2026FATF · Official FATF statement
- Tunisia no longer subject to FATF monitoring, 18 October 2019FATF · Official FATF statement
- Tunisia country page and assessment historyFATF · Official country profile
- AML Compliance in Tunisia: A 2026 Guide for Fintechs and Regulated BusinessesVOVE ID · Contextual implementation guide; not legal authority
Direct answers
Tunisia KYC, KYB and AML questions
Who must report suspicious activity in Tunisia?+
The persons and professions listed in Article 107 of the amended Organic Law No. 2015-26 must report within their professional scope. The list includes specified financial institutions and designated non-financial businesses and professions; it does not automatically cover every business operating in Tunisia.
When must a suspicious report be filed?+
Article 125 requires an immediate written report to CTAF for covered suspected operations, transactions and attempts, including where new information creates suspicion after execution. Institutions covered by BCT Circular No. 2025-17 file immediately through goAML under CTAF procedures. A general ten-day filing period is not the governing rule.
What beneficial-owner threshold applies?+
CTAF Decision No. 2018-10 uses at least 20% of capital or voting rights, followed by control through other means and then the senior-management fallback. Government Decree No. 2019-54 establishes the same ownership-or-voting threshold, other-control test and senior-manager fallback for the NRE framework. The BCT Circular No. 2017-08 definition for covered BCT institutions uses more than 20% together with ultimate ownership and effective control. Firms should document the applicable instrument and must not treat the percentage test as the only route to beneficial ownership.
How long must AML records be retained?+
Article 113 requires at least 10 years from completion of the transaction or closure of the account. Payment institutions also retain payment-operation registers for at least 10 years from execution under BCT Circular No. 2018-61. The BCT-hosted official PDF has a misleading Cir_2018_16_fr.pdf filename, but the instrument's operative number is 2018-61.
Can customers be onboarded fully online?+
The general AML law requires systems that manage non-face-to-face risk. Banks using electronic enrollment must also comply with BCT Circular No. 2025-06, including board-approved procedures, proportionate authentication, document checks, real-presence or liveness controls, screening, performance oversight and incident management. Other sectors must confirm their own supervisory rules rather than assuming the bank circular applies.
Do KYC biometrics or foreign cloud hosting require INPDP approval?+
Potentially yes. INPDP states that each processing purpose requires a declaration and that biometric processing and transfers of personal data abroad require an additional authorisation process. Complete the applicable filing before production and verify actual data locations and processor flows.
Is Tunisia on the FATF grey list?+
No. FATF removed Tunisia from monitoring in October 2019, and Tunisia is not listed among jurisdictions under increased monitoring in FATF's 19 June 2026 statement. Domestic and risk-based enhanced controls still apply where warranted.
Research and review method
VOVE ID Compliance Research maps the regulatory perimeter, translates obligations into operational controls, links each material claim to a source and records the date and version of every review.
VOVE ID Compliance Research · Reviewed 15 July 2026 · Version 1.2
This checklist is general information, not legal advice. It reflects official materials available on 15 July 2026. Applicability depends on the entity, licence, product and sector. Confirm current requirements, reporting procedures, thresholds and approvals with CTAF, BCT, the relevant sector supervisor, INPDP, the National Register of Enterprises, the National Counter-Terrorism Commission and qualified Tunisian counsel before launch.