In the digital business landscape, with a growing need for remote user identity verification, the term KYC (Know Your Customer) has become synonymous with security and trust.
KYC encompasses remote and automated user identification and verification, determining whether the individual is indeed who they claim to be. The process involves collecting personal and identity data, verifying the authenticity of the data and identification document, cross-checking information with external databases, and performing a biometric comparison to confirm that the person on the other side is genuine. This enables users to access services faster, more easily, and securely, while companies protect themselves from fraud and reduce administrative burden. At the same time, KYC ensures regulatory compliance, particularly with Anti-Money Laundering (AML) requirements.
Whether a company operates in a highly regulated sector, such as banking, fintech, or digital identity provision, or offers any financial services, customer identification and due diligence are statutory obligations.
Croatian Legislative Framework
In Croatia, KYC regulation is a part of the broader system for anti-money laundering and counter-terrorist financing (AML/CFT). Every organisation operating in the financial or digital ecosystem must have clearly defined customer identification and remote verification procedures in place.
The primary legal act governing KYC in Croatia is the Anti-Money Laundering and Counter-Terrorist Financing Act, which defines the obligations of obliged entities to conduct customer due diligence, including:
- Identification and verification of clients’ identity;
- Establishment of the beneficial owner;
- Ongoing monitoring of business relationships and transactions;
- Reporting suspicious activities to the Office for the Prevention of Money Laundering.
Obliged entities include all natural and legal persons exposed to money laundering or terrorism financing risks, such as:
- Financial institutions – banks, savings banks, credit unions, insurance and leasing companies, investment fund management firms, and payment service providers.
- Non-financial entities involved in high-risk transactions – auditors, accountants, tax advisors, lawyers, notaries, real estate and precious asset dealers, auction houses, galleries, and trust service providers.
- Other obliged entities include virtual asset service providers (such as crypto exchanges and wallet providers), casinos, online gaming platforms, fintech companies offering financial services, digital wallets, providers of electronic identification or payment functionalities, and providers of digital identity or e-signature services involved in user verification processes.
In addition to the primary law, several bylaws provide detailed guidance on how KYC must be implemented in practice:
- Regulation on the procedure for risk assessment of money laundering and terrorist financing – defines methods for assessing and categorising clients according to risk levels and establishes documentation and monitoring requirements.
- Regulation on Reporting Suspicious Transactions, Funds, and Persons – outlines the format and deadlines for reporting suspicious transactions to the competent authorities.
- Regulation on reporting cash transactions exceeding HRK 200,000 – specifies thresholds and procedures for reporting large cash transactions.
Remote Identification and Digital Verification Standards
When a business relationship is established remotely, obliged entities must reliably confirm the client’s identity using valid and trusted sources (identity documents or public registers). The key bylaw governing this process is the Regulation on Remote Customer Onboarding and Minimum Requirements for Digital Identification Solutions. This regulation outlines the conditions for remote onboarding, establishes the internal policies, controls, and procedures to be implemented by obliged entities, and sets forth methods for verifying the identity of natural and legal persons, as well as requirements for involving third parties in the process.
In practice, KYC processes can be securely carried out via video calls and AI-based document and biometric verification systems, provided that all relevant regulatory standards are strictly adhered to.
The regulation requires that:
- Video and audio quality must be sufficient for reliable facial recognition (if the connection fails or quality drops, the process must be aborted). Recordings must be timestamped and retained as prescribed by law.
- Document authenticity must be verified.
- Face matching and liveness detection must confirm that the person is real and matches the ID photo.
- Additional checks may be used, such as one-time SMS codes, extra biometric verification, short phone calls, or email confirmations.
- When video interviews are used, internal guidelines must define red flags and recommend randomisation of steps to mitigate fraud risks.
Third-Party Engagement for Digital Identification
Companies may outsource KYC procedures to external partners or third-party service providers, but under strict regulatory oversight.
According to the Act, the obliged entity must ensure that any third party:
- Complies with the regulation and internal procedures;
- Has the technical and organisational capacity to conduct KYC processes;
- Ensures secure and limited data storage;
- Provides regular updates on any changes to the system or procedures.
The obliged entity must also perform its own technical resilience and security assessment, document all test results, and maintain full audit trails.
Every company operating online must know its customers and verify their identities, not only to prevent money laundering and terrorist financing but also to maintain compliance with the legal and regulatory ecosystem governing remote identification. A structured and compliant KYC process ensures trust, security, and operational efficiency.
Find out how to establish a fully compliant and secure digital identification process aligned with Croatian and EU regulatory standards.
