Entering into force in February 2026, the Rulebook significantly modernizes supervisory expectations, compliance duties, and risk‑management obligations for all obligated entities in both the financial and non‑financial sectors.
A Risk‑Based Framework
A central pillar of the Rulebook is a detailed risk‑assessment architecture that obligated entities must adopt and maintain. It sets out criteria for assessing inherent and residual risks, covering client profiles, products and services, geographic exposure, transaction types, and distribution channels. Obligated entities must adopt a written internal program that classifies clients by risk category: low, medium, or high. These assessments must be continuously updated in line with changes in client behavior, regulatory developments, and information from domestic and international bodies such as the Financial Action Task Force (FATF) and the European Banking Authority (EBA).
Industry-specific regulators, such as entity-level Banking Agencies, are obligated to issue sector‑specific guidelines within 90 days of the Rulebook’s entry into force, ensuring harmonized application across industries.
Enhanced and Simplified Identification Measures
The Rulebook elaborates on both enhanced and simplified identification measures. Enhanced measures apply to high‑risk clients and situations, including politically exposed persons (“PEPs”), complex or unusual transactions, and operations involving jurisdictions with strategic deficiencies. Obligated entities must verify sources of funds and property, obtain senior‑management approval for business relations with PEPs, and perform frequent transaction monitoring.
Simplified measures can be applied only where a low level of risk is present, such as relations with public institutions or operations involving low‑value financial products. Nonetheless, even under simplified regimes, entities must maintain sufficient oversight to detect unusual patterns.
Reporting Duties and Transaction Monitoring
The Rulebook stipulates detailed procedures for identifying and reporting suspicious, cash, and connected transactions to the State Investigation and Protection Agency. It clarifies exemptions, reporting thresholds, and documentation standards. It also requires obligated entities to establish systems capable of detecting connected cash transactions without time limitations.
Internal Controls, Training, and Governance
Robust internal governance is emphasized through mandatory internal‑control systems, annual internal audits, and compulsory employee training programs tailored to job functions. Entities must appoint authorized persons responsible for AML/CFT compliance and maintain detailed records for supervisory inspection.
The 2026 Rulebook represents a substantial regulatory modernization, aligning Bosnia and Herzegovina’s framework with international AML/CFT standards. It reinforces risk‑based compliance, increases transparency, and demands higher-quality oversight from institutions, marking an important step toward stronger financial‑system integrity.
