Checklist de conformité KYC, KYB et AML
Tunisie KYC, KYB & AML
An implementation-focused checklist for fintechs, banks, financial institutions, payment institutions and other reporting persons operating in Tunisia. It translates the amended Organic Law No. 2015-26, current BCT sector rules, the National Register of Enterprises framework, targeted-financial-sanctions procedures and INPDP privacy formalities into operational controls and audit evidence.
- Revue le
- 15 July 2026
- Version
- 1.2
- domaines de contrôle
- 11
- contrôles d’implémentation
- 59
Réponse directe
Que couvre la checklist de conformité pour Tunisie ?
La checklist pour Tunisie traduit les principales règles KYC, KYB et AML en 11 domaines de contrôle et 59 contrôles d’implémentation, avec les autorités, obligations de déclaration et preuves à conserver.
Faits réglementaires clés
- Primary AML law
- Organic Law No. 2015-26, as amended
- Financial intelligence unit
- CTAF
- Banking and payments authority
- BCT
- Privacy authority
- INPDP
- Core AML record period
- At least 10 years
- FATF status
- Not under increased monitoring
Détail d’implémentation
Exigences et actions de conformité pour Tunisie
Ouvrez chaque domaine pour consulter l’exigence, l’action recommandée, les preuves à conserver et la source primaire utilisée.
01Confirm scope, authorities and permissionsDetermine first whether each activity falls within the general reporting-person perimeter and then add the rules of the competent sector supervisor.6 éléments+
Document whether each entity and activity is within Article 107's reporting-person perimeter.
- Action d’implémentation
- Map products and legal entities to banks and financial institutions, microfinance institutions, the National Post Office, securities intermediaries and portfolio managers, exchange offices, insurance businesses, or the specified designated non-financial businesses and professions. Do not assume that every commercial business is an Article 107 reporting person.
- Preuves à conserver
- Signed perimeter memorandum; entity-product matrix; accountable supervisor mapping.
- Source primaire
- Organic Law No. 2015-26, as amended, art. 107
Recognise CTAF as the national FIU and reporting authority.
- Action d’implémentation
- Maintain a controlled route for reports, information requests and freeze instructions. CTAF is established at BCT under Article 118 and receives and analyses suspicious reports under Article 120.
- Preuves à conserver
- CTAF reporting procedure; nominated contacts; secure access register.
- Source primaire
- Organic Law No. 2015-26, as amended, arts. 118 and 120
Obtain BCT approval before conducting regulated banking, financial or payment-institution activity.
- Action d’implémentation
- Classify the proposed service under the licensing provisions of Law No. 2016-48 and the Commission d'agrement approval procedure in Decision No. 2017-04, as amended by Decision No. 2019-20. A technology, agent or outsourcing label does not remove the licensed institution's responsibility or create an exemption.
- Preuves à conserver
- Licence or approval; legal perimeter opinion; service-to-permission mapping; approval-procedure file.
- Source primaire
- Law No. 2016-48, licensing provisions; Commission d'agrement Decision No. 2017-04, as amended by Decision No. 2019-20
Apply payment rules only to entities and services within their stated scope.
- Action d’implémentation
- For payment institutions, map accounts, cash services, transfers, remote payments and prepaid electronic-money distribution to BCT Circular No. 2018-61. The official BCT PDF filename says Cir_2018_16_fr.pdf, but the instrument's cover and operative text identify it as Circular No. 2018-61. Separately map domestic mobile-payment roles under Circular No. 2020-11.
- Preuves à conserver
- Payment-service inventory; role map; licence conditions; mobile-payment scheme assessment.
- Source primaire
- BCT Circular No. 2018-61, arts. 1-4; BCT Circular No. 2020-11, arts. 1-3
Apply the current exchange-office AML/CFT/CPF framework only to bureaux de change within its scope.
- Action d’implémentation
- Exchange offices must map BCT Circular No. 2026-02 into their sector programme, including customer due diligence, beneficial-owner and PEP controls, AML/CFT/CPF governance, immediate suspicious reporting through goAML and applicable supervisory sanctions. Do not present this exchange-office circular as a universal rule for all Article 107 reporting persons.
- Preuves à conserver
- Exchange-office licence; Circular No. 2026-02 control map; CDD and PEP procedures; goAML access; sanctions register.
- Source primaire
- BCT Circular No. 2026-02
Assign owners for AML, payments, registry, sanctions and privacy obligations.
- Action d’implémentation
- Maintain a responsibility matrix covering CTAF reporting, BCT filings, RNE checks, targeted freezes, INPDP formalities, outsourcing and regulatory change. Treat Article 115 as a direction to supervisory authorities to establish risk-based programmes and practical measures; ground each institution's policy, appointments, audit and training duties in the sector instrument applicable to that institution.
- Preuves à conserver
- RACI; appointment records; committee terms; regulatory calendar; sector-obligation map.
- Source primaire
- Organic Law No. 2015-26, arts. 115 and 120; applicable BCT or other sector instrument
02Build a risk-based AML/CFT/CPF programmeThe programme must join governance, risk assessment, controls, training and assurance while preserving sector-specific requirements.5 éléments+
Maintain written AML/CFT policies, monitoring and internal controls under the applicable sector instrument.
- Action d’implémentation
- Cover customer due diligence, beneficial ownership, PEPs, sanctions, transaction monitoring, reporting, records, new products, non-face-to-face relationships, groups and outsourcing. Article 115 directs supervisory authorities to establish risk-based programmes and practical measures; it is not, by itself, the institution-level source for every policy control.
- Preuves à conserver
- Approved policy suite; control library; procedure owners; review log; sector-rule mapping.
- Source primaire
- Organic Law No. 2015-26, arts. 108-115; BCT Circular No. 2017-08 as amended by No. 2025-17, or other applicable sector instrument
Designate responsible staff, assure controls and provide continuing training under the applicable sector instrument.
- Action d’implémentation
- Create a suspicious-activity monitoring and escalation system, appoint reporting personnel, test control effectiveness and provide role-specific continuing training to the extent required by the BCT or other sector rules governing the institution. Do not attribute these institution-level duties solely to Article 115.
- Preuves à conserver
- Appointment letters; training records; monitoring plan; control-test results; applicable-sector analysis.
- Source primaire
- BCT Circular No. 2017-08 as amended by No. 2025-17; BCT Circular No. 2026-02 for exchange offices; other applicable sector instruments; Organic Law No. 2015-26, art. 115
For BCT institutions within scope, assess money-laundering, terrorist-financing and proliferation-financing risk under the current circular.
- Action d’implémentation
- Assess customers, products, services, delivery technologies and geographies, using national assessments and reliable external information. Document risk treatment and make the report available to BCT.
- Preuves à conserver
- Institutional risk assessment; methodology; mitigation plan; BCT submission record.
- Source primaire
- BCT Circular No. 2017-08, art. 4, as replaced by BCT Circular No. 2025-17, art. 2
Apply the three-year assessment update rule only to institutions covered by BCT Circular No. 2025-17.
- Action d’implémentation
- Update the documented BCT risk assessment at least every three years and sooner after a significant event, relevant regulatory change, new authority information or updated national risk assessment. Do not present this sector interval as a universal Article 107 rule.
- Preuves à conserver
- Dated assessment cycle; event-trigger log; change analysis; governance approval.
- Source primaire
- BCT Circular No. 2025-17, art. 2 replacing Circular No. 2017-08, art. 4
Assess new technology and remote-delivery risks before use.
- Action d’implémentation
- Evaluate impersonation, fraud, cyber, data, channel and AML risks before launching new products, practices, technology or delivery methods and implement proportionate mitigating controls.
- Preuves à conserver
- Pre-launch risk assessment; threat model; control acceptance; launch decision.
- Source primaire
- Organic Law No. 2015-26, art. 112
03Identify and verify individual customersCDD must establish the customer, any representative, the beneficial owner and the purpose of the relationship using reliable evidence.6 éléments+
Do not open or maintain clearly anonymous or fictitious-name accounts.
- Action d’implémentation
- Configure onboarding and account controls to require a verified legal identity and detect placeholder, fabricated or materially inconsistent identity data.
- Preuves à conserver
- Account-opening rules; blocked test cases; exception log.
- Source primaire
- Organic Law No. 2015-26, art. 108(1)
Identify and verify regular and occasional customers from official documents and reliable independent sources.
- Action d’implémentation
- Collect the identity data needed to identify the person and verify it against valid official documents and other reliable independent information appropriate to the risk and channel.
- Preuves à conserver
- Customer file; document and database checks; verification provenance.
- Source primaire
- Organic Law No. 2015-26, art. 108(1)
Identify the person for whose benefit a transaction is conducted and verify representatives and authority.
- Action d’implémentation
- Identify the beneficiary of the operation, verify any person managing rights for that beneficiary, and verify the identity and authority of anyone acting for the customer.
- Preuves à conserver
- Beneficiary record; representative ID; mandate or power; verification result.
- Source primaire
- Organic Law No. 2015-26, art. 108(2)
Establish the purpose and intended nature of the business relationship.
- Action d’implémentation
- Record expected products, activity, source and destination patterns, counterparties and business rationale sufficient to set a customer-risk and monitoring profile.
- Preuves à conserver
- Customer profile; expected-activity baseline; risk score and rationale.
- Source primaire
- Organic Law No. 2015-26, art. 108(4)
Apply CDD at the statutory triggers without inventing a universal monetary threshold.
- Action d’implémentation
- Trigger CDD when establishing a relationship, for occasional transactions at or above the amount set by the Finance Minister or involving electronic transfers, whenever ML/TF is suspected, and whenever existing identity data appears unreliable or insufficient. Maintain the currently applicable threshold in a controlled register.
- Preuves à conserver
- Trigger matrix; current-threshold register; workflow rules; test results.
- Source primaire
- Organic Law No. 2015-26, art. 108
Refuse or end activity when required identity data cannot be trusted or completed.
- Action d’implémentation
- Do not open or continue an account or relationship and do not execute the transaction where identity data cannot be verified, are insufficient or are manifestly fictitious; consider filing a suspicious report.
- Preuves à conserver
- Decline or exit record; investigation decision; STR consideration log.
- Source primaire
- Organic Law No. 2015-26, art. 108, final paragraph
04Verify businesses and beneficial ownersKYB must establish legal existence, management, ownership, control and the natural persons who ultimately own or control the customer.6 éléments+
Verify the legal person or arrangement and its operating identity.
- Action d’implémentation
- Obtain reliable evidence of legal form, registered office, capital distribution, managers and persons responsible for the entity, together with constitutional, registry and authority records appropriate to the customer.
- Preuves à conserver
- Current RNE extract; constitutive documents; management list; address and authority checks.
- Source primaire
- Organic Law No. 2015-26, art. 108(2)
Identify the beneficial owner and take reasonable measures to verify that identity.
- Action d’implémentation
- Trace ownership and control through every layer to natural persons, use reliable information and record why the analysis supports the identified beneficial owner.
- Preuves à conserver
- Ownership chart; control analysis; source records; verified BO files.
- Source primaire
- Organic Law No. 2015-26, arts. 3 and 108(3)
Apply the CTAF beneficial-owner cascade and threshold accurately.
- Action d’implémentation
- Under CTAF Decision No. 2018-10, identify natural persons holding directly or indirectly at least 20% of capital or voting rights; if identity remains doubtful or no one is identified, identify control by other means; if still unresolved, identify the natural person holding the senior management position. Apply the decision's separate party-based analysis for trusts and similar arrangements.
- Preuves à conserver
- Percentage calculation; other-control analysis; senior-manager fallback rationale; trust-party file.
- Source primaire
- CTAF Decision No. 2017-03, as amended by Decision No. 2018-10, arts. 6-8
Reconcile the applicable sector definition rather than silently merging thresholds.
- Action d’implémentation
- BCT Circular No. 2017-08 defines a beneficial owner for covered BCT institutions using more than 20% of capital or voting rights together with ultimate ownership or effective-control concepts. Record which legal and sector text governs the case and apply the stricter control where necessary.
- Preuves à conserver
- Threshold mapping; sector legal analysis; approved KYB rule configuration.
- Source primaire
- BCT Circular No. 2017-08, art. 2, as amended; CTAF Decision No. 2018-10
Apply the National Register of Enterprises beneficial-owner cascade.
- Action d’implémentation
- For the NRE framework, identify natural persons who directly or indirectly hold at least 20% of capital or voting rights. If no person is identified through ownership, identify control by other means; if the analysis still identifies no natural person, record the senior-manager fallback under Government Decree No. 2019-54.
- Preuves à conserver
- NRE threshold calculation; layered ownership chart; other-control analysis; senior-manager fallback rationale.
- Source primaire
- Law No. 2018-52; Government Decree No. 2019-54
Use the National Register of Enterprises without treating it as conclusive CDD.
- Action d’implémentation
- Verify registration, filings and beneficial-owner declarations under Law No. 2018-52, Government Decree No. 2019-54 and current RNE procedures; reconcile discrepancies with customer evidence and investigate rather than relying solely on a registry extract.
- Preuves à conserver
- RNE extract; BO declaration or non-filing certificate; discrepancy case; independent corroboration.
- Source primaire
- Law No. 2018-52; Government Decree No. 2019-54; RNE beneficial-owner services; Order of the Head of Government dated 13 January 2026
05Apply PEP, enhanced and remote due diligenceHigher-risk relationships require stronger approval, source and monitoring controls; sector-specific digital onboarding rules must remain distinct.5 éléments+
Identify domestic, foreign and international-organisation PEPs, including relevant relatives and connected persons.
- Action d’implémentation
- Use risk-based systems capable of determining whether the customer or beneficial owner currently or formerly holds the covered public, political or international-organisation function and assess the connected-person relationship.
- Preuves à conserver
- PEP screening record; relationship analysis; match disposition.
- Source primaire
- Organic Law No. 2015-26, art. 110
Obtain senior approval and establish source of funds for PEP relationships.
- Action d’implémentation
- Obtain approval from the legal entity's manager before starting or continuing the relationship, apply tight continuous monitoring and take reasonable measures to identify source of funds.
- Preuves à conserver
- Source-of-funds review; corroborating records; senior approval; monitoring plan.
- Source primaire
- Organic Law No. 2015-26, art. 110
Apply enhanced attention to higher-risk countries and relationships.
- Action d’implémentation
- Identify customers and relationships connected to countries that do not or insufficiently apply international AML/CFT standards and apply documented measures proportionate to the identified risk.
- Preuves à conserver
- Country-risk methodology; enhanced review; approval and monitoring settings.
- Source primaire
- Organic Law No. 2015-26, art. 112
Control non-face-to-face relationship risk.
- Action d’implémentation
- Maintain systems specifically designed to manage relationships conducted without physical presence, including document integrity, impersonation, device, fraud and escalation controls.
- Preuves à conserver
- Remote-onboarding standard; vendor assessment; control tests; exception cases.
- Source primaire
- Organic Law No. 2015-26, art. 112
For banks, meet the current electronic-enrollment standard.
- Action d’implémentation
- Where a bank enrolls customers electronically, implement board-approved procedures, risk mapping, proportionate authentication, reliable document verification, real-presence or liveness controls, biometric matching where used, screening, performance monitoring and incident management. Achieve identity assurance at least equivalent to physical presence.
- Preuves à conserver
- Board approval; end-to-end process map; liveness and matching tests; performance register; incident log.
- Source primaire
- BCT Circular No. 2025-06, arts. 1-7
06Monitor activity and report suspicionMonitoring must remain aligned with current customer information and route suspicion immediately and confidentially to CTAF.5 éléments+
Keep customer identity information current and conduct ongoing vigilance.
- Action d’implémentation
- Refresh data on risk-based and event-driven triggers, then examine transactions for consistency with known activity, risk profile and, where necessary, source of funds.
- Preuves à conserver
- Refresh rules; event triggers; completed reviews; overdue dashboard.
- Source primaire
- Organic Law No. 2015-26, art. 109
Examine complex, unusually large or apparently purposeless activity and record the result.
- Action d’implémentation
- Investigate the context and purpose of complex operations, unusually high amounts and unusual transactions lacking an apparent economic or lawful purpose; record findings in writing and make them available to supervisors and auditors.
- Preuves à conserver
- Written special-examination report; supporting data; reviewer sign-off.
- Source primaire
- Organic Law No. 2015-26, art. 126
Report covered suspicion and attempted activity immediately in writing to CTAF.
- Action d’implémentation
- File when an operation or transaction, including an attempt, is suspected of direct or indirect connection to proceeds of an unlawful act classified as an offence or crime, or to financing persons, organisations or activities connected with terrorist offences. File after execution as well if new information creates the suspicion.
- Preuves à conserver
- STR decision; filing receipt; chronology; restricted case file.
- Source primaire
- Organic Law No. 2015-26, art. 125
For institutions within BCT Circular No. 2025-17, submit immediate reports through goAML.
- Action d’implémentation
- Use the CTAF goAML platform and its current technical procedures. Do not use the unsupported ten-day timing stated in some secondary materials; the governing law and current BCT rule require immediate reporting.
- Preuves à conserver
- goAML access; filing procedure; receipt; timing audit.
- Source primaire
- BCT Circular No. 2025-17, art. 6; Organic Law No. 2015-26, art. 125
Prevent tipping off and implement CTAF temporary-freeze instructions.
- Action d’implémentation
- Do not tell the affected party about the report or resulting measures. On written CTAF instruction, temporarily freeze the assets linked to the report and place them in a suspense account until the legally prescribed outcome.
- Preuves à conserver
- Confidentiality controls; access logs; freeze workflow; regulator correspondence.
- Source primaire
- Organic Law No. 2015-26, arts. 127-132
07Implement targeted financial sanctionsUN and national designations require immediate operational controls distinct from ordinary suspicious-transaction investigations.5 éléments+
Screen customers, beneficial owners, controllers and transactions against applicable UN and national designations.
- Action d’implémentation
- Screen at onboarding, on list changes, on material customer changes and before relevant transactions; include aliases, transliteration and ownership or control analysis.
- Preuves à conserver
- List inventory; screening configuration; update logs; match files.
- Source primaire
- Organic Law No. 2015-26, art. 103; Government Decree No. 2019-419 as amended by No. 2019-457
Freeze covered funds and assets without delay and prevent making resources available.
- Action d’implémentation
- Create an always-available legal and technical path to freeze funds and other assets and prevent direct or indirect availability to designated persons, organisations and entities under the applicable UN or national decision.
- Preuves à conserver
- Freeze procedure; system tests; incident timeline; decision record.
- Source primaire
- Organic Law No. 2015-26, art. 103; Government Decree No. 2019-419 as amended
Notify the National Counter-Terrorism Commission and provide useful implementation information.
- Action d’implémentation
- Follow the notification, information, delisting, unfreezing and false-positive procedures in the 2019 decree framework and current CNLCT instructions.
- Preuves à conserver
- Notification template; filing record; authority correspondence; release decision.
- Source primaire
- Organic Law No. 2015-26, art. 103; Government Decrees No. 2019-419 and No. 2019-457
For BCT-covered institutions, manage proliferation-financing risk and BCT sanctions reporting.
- Action d’implémentation
- Include UN targeted-financial-sanctions evasion in proliferation-financing risk. Submit the required quarterly frozen-assets statement to BCT within 20 working days after quarter-end, covering UN, national and proliferation-financing freezes.
- Preuves à conserver
- PF risk controls; frozen-assets register; quarterly return; submission receipt.
- Source primaire
- BCT Circular No. 2025-17, arts. 2 and 8
Keep sanctions and STR decisions separate but coordinated.
- Action d’implémentation
- Execute a legally required freeze without waiting for an STR decision, then separately assess CTAF reporting and preserve confidentiality across both workflows.
- Preuves à conserver
- Decision matrix; linked case records; role-based access; audit trail.
- Source primaire
- Organic Law No. 2015-26, arts. 103, 125 and 127
08Retain records and support reconstructionRecords must permit reconstruction of transactions, customer decisions and persons involved over the statutory period.5 éléments+
Keep AML records for at least 10 years from transaction completion or account closure.
- Action d’implémentation
- Retain ledgers, books and other physical or electronic records so the stages of an operation or transaction can be reviewed, the parties identified and the reliability of the transaction assessed.
- Preuves à conserver
- Retention schedule; lifecycle configuration; sample retrieval.
- Source primaire
- Organic Law No. 2015-26, art. 113
Apply the correct retention event to each record class.
- Action d’implémentation
- Use transaction completion for transaction records and account closure for account-linked records; preserve legal holds and longer periods where another applicable law or authority instruction requires them.
- Preuves à conserver
- Record-class matrix; clock rules; legal-hold procedure.
- Source primaire
- Organic Law No. 2015-26, art. 113
For payment institutions, keep payment-operation registers for at least 10 years from execution.
- Action d’implémentation
- Preserve identifiers, amounts, dates, parties, account or wallet references, agent data, screening and decision history sufficient for full payment reconstruction.
- Preuves à conserver
- Payment register; data-lineage map; reconstruction test.
- Source primaire
- BCT Circular No. 2018-61, art. 12
Preserve written unusual-transaction analysis and reporting evidence securely.
- Action d’implémentation
- Separate STR, sanctions and special-examination files from ordinary service access while keeping them retrievable for authorised CTAF, BCT, supervisory and audit requests.
- Preuves à conserver
- Access matrix; immutable logs; disclosure register; retrieval test.
- Source primaire
- Organic Law No. 2015-26, arts. 113, 121, 124, 126 and 127
Test record completeness and recoverability.
- Action d’implémentation
- Periodically reconstruct selected onboarding, ownership, payment, alert and reporting cases from source data through final decision and remediate missing lineage.
- Preuves à conserver
- Sample test results; defects; remediation evidence; management reporting.
- Source primaire
- Organic Law No. 2015-26, arts. 113 and 115
09Protect personal and biometric dataKYC and monitoring data remain subject to Tunisia's privacy law and INPDP formalities even when processing supports a regulatory obligation.5 éléments+
Define a specific, lawful purpose for each personal-data processing operation.
- Action d’implémentation
- Map identity, biometric, contact, device, transaction, screening and investigation data to stated purposes, recipients, systems, retention and security controls; separate mandatory compliance use from optional analytics or marketing.
- Preuves à conserver
- Data inventory; processing register; purpose and necessity assessment.
- Source primaire
- Organic Law No. 2004-63
Submit an INPDP declaration for each processing purpose before processing.
- Action d’implémentation
- Classify each purpose and complete the declaration required by Article 7 using the procedure and supporting documents specified by INPDP and Decree No. 2007-3004.
- Preuves à conserver
- INPDP declaration; receipt; purpose-to-filing matrix.
- Source primaire
- Organic Law No. 2004-63, art. 7; Decree No. 2007-3004; INPDP forms
Obtain additional INPDP authorisation where the processing category requires it.
- Action d’implémentation
- In addition to the declaration, seek prior authorisation for biometric processing, transfers abroad and the other categories identified by Articles 13 and 14 and current INPDP forms. Do not treat customer consent as a substitute for the authority filing.
- Preuves à conserver
- Authorisation application and decision; data-flow map; production gate.
- Source primaire
- Organic Law No. 2004-63, arts. 13-14; Decree No. 2007-3004; INPDP forms
Minimise and secure identity evidence throughout its lifecycle.
- Action d’implémentation
- Collect only necessary data, restrict access, encrypt appropriately, log use, validate deletion, manage incidents and test processors in proportion to identity, biometric and financial-crime risk.
- Preuves à conserver
- Data-minimisation review; security architecture; access logs; deletion and incident tests.
- Source primaire
- Organic Law No. 2004-63; Decree No. 2007-3004
Operationalise data-subject information and rights subject to lawful AML retention and confidentiality limits.
- Action d’implémentation
- Provide the required information, authenticate requests and document any lawful restriction arising from AML recordkeeping, STR confidentiality, investigations or sanctions controls.
- Preuves à conserver
- Privacy notice; request workflow; response log; restriction rationale.
- Source primaire
- Organic Law No. 2004-63; Organic Law No. 2015-26, arts. 113, 124 and 127
10Operate payment and mobile-payment controlsLicensed payment operations add safeguarding, governance, security, agent and scheme controls to the general AML framework.6 éléments+
Provide only the payment services and geographic-currency scope allowed by the licence and BCT rules.
- Action d’implémentation
- Map payment accounts, cash-in and cash-out, direct debits, payments, transfers, remote payments and prepaid electronic-money distribution to the approval. Circular No. 2018-61 limits covered payment-institution services to Tunisian dinars within Tunisia, subject to specific foreign-transfer authority where applicable.
- Preuves à conserver
- Licence conditions; product map; currency and geography controls.
- Source primaire
- BCT Circular No. 2018-61, arts. 2-4
Maintain payment-institution governance, control, traceability and resilience.
- Action d’implémentation
- Operate proportionate governance, audit and risk oversight, real-time transaction recording, fraud and intrusion prevention, personal-data controls, operational and cyber-risk management, a tested continuity plan and the prescribed security audit.
- Preuves à conserver
- Governance records; system architecture; continuity test; security-audit report; incident file.
- Source primaire
- BCT Circular No. 2018-61, arts. 5-10
Apply AML controls and the applicable customer-identification tier to every payment account.
- Action d’implémentation
- Treat payment institutions as subject to the BCT AML-control circular through Article 11, and configure each account level according to the identification and operating limits in Article 14. Maintain current regulatory values rather than copying thresholds into uncontrolled product code.
- Preuves à conserver
- Account-tier matrix; AML control mapping; configuration approval; test cases.
- Source primaire
- BCT Circular No. 2018-61, arts. 11 and 14; BCT Circular No. 2017-08 as amended
Safeguard customer funds in the separate global account and reconcile them.
- Action d’implémentation
- Keep the global account balance aligned with all customer payment-account balances, prohibit use for the institution's own operating needs, maintain holder-level allocation and perform the required reconciliation.
- Preuves à conserver
- Depository agreement; global-account ledger; customer allocation; reconciliation and shortfall log.
- Source primaire
- BCT Circular No. 2018-61, arts. 20-23
Control payment agents under the institution's continuing responsibility.
- Action d’implémentation
- Select, train and monitor agents, notify BCT as required, contract the permitted services, verify capacity and integrity, and ensure agents apply the same customer-identification standard. Do not use agents to open payment accounts remotely where the circular prohibits it.
- Preuves à conserver
- Agent policy; due-diligence file; BCT notice; contract; training and monitoring records.
- Source primaire
- BCT Circular No. 2018-61, arts. 24-30
Map domestic mobile-payment roles and scheme obligations.
- Action d’implémentation
- Identify the wallet issuer, acquirer, participant, agent and mobile-switch roles and implement Circular No. 2020-11 controls for interoperability, security, customer protection, AML and operational responsibility.
- Preuves à conserver
- Scheme role map; participant agreements; control matrix; operational tests.
- Source primaire
- BCT Circular No. 2020-11
11Launch, oversee and evidence complianceA publication-ready policy is not enough; each control needs an owner, system implementation and evidence that can survive supervisory review.5 éléments+
Run a documented pre-launch regulatory gate.
- Action d’implémentation
- Confirm perimeter, licence, CTAF registration and reporting access, CDD and BO rules, PEP and sanctions controls, monitoring, records, RNE access, INPDP filings, safeguarding, agents, outsourcing and incident readiness before production.
- Preuves à conserver
- Launch checklist; accountable approvals; unresolved-risk register.
- Source primaire
- Organic Law No. 2015-26; applicable BCT, RNE, CNLCT and INPDP instruments
Control reliance and outsourcing without transferring legal responsibility.
- Action d’implémentation
- Assess providers, obtain required customer data immediately, ensure prompt access to identity records, contract security and audit rights and maintain the reporting person's responsibility for verification.
- Preuves à conserver
- Provider assessment; contract; data-access test; exit plan.
- Source primaire
- Organic Law No. 2015-26, art. 108(5); applicable BCT outsourcing rules
Maintain regulatory-change monitoring with sector ownership.
- Action d’implémentation
- Track CTAF decisions, BCT circulars and notes, RNE procedures, CNLCT lists and decrees, INPDP formalities and FATF statements; assess each change against product configuration and customer files.
- Preuves à conserver
- Legal inventory; change alerts; impact assessments; implementation tickets.
- Source primaire
- CTAF, BCT, RNE, CNLCT, INPDP and FATF official publications
Test controls independently and remediate findings.
- Action d’implémentation
- Use risk-based compliance monitoring and independent audit to test onboarding, BO, PEP, sanctions, payment, monitoring, STR, privacy and recordkeeping controls; report material issues to governance bodies.
- Preuves à conserver
- Monitoring plan; audit reports; issue register; closure evidence.
- Source primaire
- Organic Law No. 2015-26, art. 115; applicable BCT internal-control circulars
Preserve a defensible implementation record.
- Action d’implémentation
- For each material rule, retain the source, interpretation, configuration, test, owner, approval and effective date so the organisation can explain not only what the control is, but why it is correctly implemented.
- Preuves à conserver
- Obligations register; control-to-law map; approvals; release and test history.
- Source primaire
- Organic Law No. 2015-26, arts. 113 and 115; BCT Circular No. 2025-17

11 domaines de contrôle et 59 vérifications d'implémentation avec sources réglementaires directes.
Téléchargez la checklist KYC, KYB et AML pour Tunisie
Partagez vos coordonnées professionnelles pour accéder immédiatement à la checklist d'implémentation sourcée pour Tunisie. Date de revue réglementaire : 15 July 2026.
Recevez le PDF immédiatement
Envoyez vos coordonnées pour démarrer automatiquement le téléchargement
Revue et sourcée
Version 1.2, revue le 15 July 2026
Approuvé par des équipes conformité de premier plan
Registre des sources primaires
24 sources utilisées pour cette checklist
Utilisez ces liens pour vérifier la législation, les lignes directrices, les procédures de déclaration et les statuts internationaux.
- Organic Law No. 2015-26 as amended by Organic Law No. 2019-9, English consolidationCTAF · Primary legislation
- CTAF mandate, Article 107 scope and Article 125 reporting guidanceCTAF · Official FIU portal
- BCT circulars and notes, including 2025 and 2026 instrumentsCentral Bank of Tunisia · Official regulatory register
- BCT Circular No. 2017-08 on AML/CFT internal controlsCentral Bank of Tunisia · Primary regulation
- BCT Circular No. 2025-17 on AML/CFT/CPF internal controlsCentral Bank of Tunisia · Primary regulation
- BCT Circular No. 2025-06 on electronic customer enrollmentCentral Bank of Tunisia · Primary regulation
- BCT Circular No. 2018-61 governing payment institutions (the official filename misleadingly reads Cir_2018_16_fr.pdf)Central Bank of Tunisia · Primary regulation
- Commission d'agrement Decision No. 2017-04 on approval procedures, as amended by Decision No. 2019-20Central Bank of Tunisia · Primary licensing procedure
- BCT Circular No. 2026-02 governing bureaux de changeCentral Bank of Tunisia · Primary sector regulation
- BCT Circular No. 2020-11 on domestic mobile-payment servicesCentral Bank of Tunisia · Primary regulation
- Law No. 2018-52 on the National Register of EnterprisesCTAF / Republic of Tunisia · Primary legislation
- Government Decree No. 2019-54 establishing the NRE beneficial-owner cascadeRepublic of Tunisia · Primary regulation
- National Register of Enterprises legal framework and beneficial-owner servicesNational Register of Enterprises · Official registry guidance
- Order of the Head of Government of 13 January 2026 on access to beneficial-owner informationNational Register of Enterprises / Republic of Tunisia · Primary regulation
- Government Decree No. 2019-419 as amended by No. 2019-457National Counter-Terrorism Commission · Primary sanctions framework
- Tunisian personal-data protection textsINPDP · Official legislation portal
- Organic Law No. 2004-63 on personal-data protectionINPDP · Primary legislation
- Decree No. 2007-3003 on the operation of INPDPINPDP · Primary regulation
- Decree No. 2007-3004 on declarations and authorisationsINPDP · Primary regulation
- Personal-data declarations and prior-authorisation formsINPDP · Official compliance procedure
- Jurisdictions under increased monitoring, 19 June 2026FATF · Official FATF statement
- Tunisia no longer subject to FATF monitoring, 18 October 2019FATF · Official FATF statement
- Tunisia country page and assessment historyFATF · Official country profile
- AML Compliance in Tunisia: A 2026 Guide for Fintechs and Regulated BusinessesVOVE ID · Contextual implementation guide; not legal authority
Réponses directes
Questions KYC, KYB et AML pour Tunisie
Who must report suspicious activity in Tunisia?+
The persons and professions listed in Article 107 of the amended Organic Law No. 2015-26 must report within their professional scope. The list includes specified financial institutions and designated non-financial businesses and professions; it does not automatically cover every business operating in Tunisia.
When must a suspicious report be filed?+
Article 125 requires an immediate written report to CTAF for covered suspected operations, transactions and attempts, including where new information creates suspicion after execution. Institutions covered by BCT Circular No. 2025-17 file immediately through goAML under CTAF procedures. A general ten-day filing period is not the governing rule.
What beneficial-owner threshold applies?+
CTAF Decision No. 2018-10 uses at least 20% of capital or voting rights, followed by control through other means and then the senior-management fallback. Government Decree No. 2019-54 establishes the same ownership-or-voting threshold, other-control test and senior-manager fallback for the NRE framework. The BCT Circular No. 2017-08 definition for covered BCT institutions uses more than 20% together with ultimate ownership and effective control. Firms should document the applicable instrument and must not treat the percentage test as the only route to beneficial ownership.
How long must AML records be retained?+
Article 113 requires at least 10 years from completion of the transaction or closure of the account. Payment institutions also retain payment-operation registers for at least 10 years from execution under BCT Circular No. 2018-61. The BCT-hosted official PDF has a misleading Cir_2018_16_fr.pdf filename, but the instrument's operative number is 2018-61.
Can customers be onboarded fully online?+
The general AML law requires systems that manage non-face-to-face risk. Banks using electronic enrollment must also comply with BCT Circular No. 2025-06, including board-approved procedures, proportionate authentication, document checks, real-presence or liveness controls, screening, performance oversight and incident management. Other sectors must confirm their own supervisory rules rather than assuming the bank circular applies.
Do KYC biometrics or foreign cloud hosting require INPDP approval?+
Potentially yes. INPDP states that each processing purpose requires a declaration and that biometric processing and transfers of personal data abroad require an additional authorisation process. Complete the applicable filing before production and verify actual data locations and processor flows.
Is Tunisia on the FATF grey list?+
No. FATF removed Tunisia from monitoring in October 2019, and Tunisia is not listed among jurisdictions under increased monitoring in FATF's 19 June 2026 statement. Domestic and risk-based enhanced controls still apply where warranted.
Méthode de recherche et de revue
VOVE ID Compliance Research cartographie le périmètre réglementaire, traduit les obligations en contrôles opérationnels, relie les affirmations importantes aux sources et date chaque revue.
VOVE ID Compliance Research · Revue le 15 July 2026 · Version 1.2
This checklist is general information, not legal advice. It reflects official materials available on 15 July 2026. Applicability depends on the entity, licence, product and sector. Confirm current requirements, reporting procedures, thresholds and approvals with CTAF, BCT, the relevant sector supervisor, INPDP, the National Register of Enterprises, the National Counter-Terrorism Commission and qualified Tunisian counsel before launch.