Know Your Client (“KYC”) procedures have assumed an increasingly central role in anti-money laundering and counter-terrorism financing (“AML/CFT”) compliance programs. Entities are expected not only to identify their customers, but also to understand the nature of their activities and to assess whether transactions are consistent with the customer’s financial profile, and to identify any red flags that may trigger an obligation to report to the authorities.

In Brazil, Federal Law No. 9,613/1998 (the “Brazilian AML Law”) provides the primary AML/CFT framework, imposing a range of obligations on entities that operate in high-risk sectors (the “regulated entities”) to prevent, detect, and report potentially unlawful activity.

The subject has gained renewed relevance following reports of an investigation into the Brazilian operations of a leading global luxury fashion conglomerate and its alleged failure to report a high-value transaction to the Financial Activities Control Council (“COAF”). The case offers a timely illustration of the practical challenges that KYC poses for regulated entities.

The investigation

According to publicly available reports, the Brazilian Federal Police is investigating whether transactions carried out at the Brazilian operations of a leading global luxury fashion conglomerate should have triggered the filing of a suspicious transaction report to COAF. The investigation centers on a purchase of approximately BRL 196,000 (one hundred and ninety-six thousand reais), allegedly made by an individual with declared share capital of BRl 6,000 (six thousand reais) who is registered as a microentrepreneur.

Investigators also found that the same individual reportedly received transfers totaling approximately BRL 180,000 (one hundred and eighty thousand reais). Those funds allegedly originated from a production company linked to a musician who is himself under investigation in a separate federal police operation targeting an alleged criminal network accused of laundering billions of reais derived from drug trafficking and illegal online gambling schemes.

The conglomerate, like any regulated entity, should have identified this red flag. The disparity between the value of the purchase and the customer’s publicly known financial profile, that of a microentrepreneur with minimal declared capital, is precisely the kind of indicator that a risk-based KYC framework is designed to capture. The situation is all the more serious because the entity had reportedly been sanctioned by COAF on a previous occasion for failures in customer identification and suspicious transaction reporting.

KYC and the risk-based approach

KYC procedures serve a function that extends well beyond the mere collection of customer identification data. A well-designed KYC framework requires entities to assess whether a given transaction is consistent with the customer’s known economic and financial profile, and to apply enhanced due diligence wherever risk indicators emerge. This is, ultimately, the risk-based approach recommended by the Financial Action Task Force (“FATF”).

Entities operating in sectors such as luxury retail, art, and high-value goods are expected to calibrate their controls in proportion to the specific risks they face. A transaction above the threshold COAF sets at BRL 10,000 (ten thousand reais), carried out by a customer whose financial profile is inconsistent with that amount, or who is connected directly or indirectly to a known criminal investigation, will call for enhanced due diligence to verify the legitimacy of the ultimate beneficial owner (“UBO”) and to assess whether a report to COAF is necessary.

Equally important is the temporal dimension of KYC. An effective framework does not end at client’s onboarding. Ongoing transaction monitoring, and the capacity to identify anomalies against established customer profiles, are key components of a functioning AML/CFT compliance program. The case illustrates a specific vulnerability in this respect: the use of third-party transfers as a payment mechanism, where the UBO of the funds goes unverified, creates an exposure that a static KYC assessment would fail to capture.

It is worth noting that the reporting threshold is lower than many entities assume, and that there is no need to prove the funds are illicit in order to trigger the reporting obligation; reasonable suspicion is enough.

Conclusion

The investigation is a concrete illustration of the compliance risks that arise when KYC frameworks are applied as a formality rather than as a substantive, risk-based management tool. The gap between a customer’s declared financial profile and the value of a transaction, particularly where third-party fund flows and criminal associations are present, is precisely the kind of indicator that a robust KYC program must be designed to detect and escalate.

In our experience, the most consequential KYC decisions are not made at the moment of onboarding, but in the ongoing monitoring of transactions and the readiness to act on red flags as they emerge. For precisely this reason, entities increasingly choose to work alongside specialized outside counsel, both to strengthen their compliance and AML frameworks and to manage regulatory and reputational risks that are, ultimately, as foreseeable as they are avoidable.

Authors: Salim Saud, Caroline Rosa, Leonardo Kozlowski, Maria Clara Hardman.

More from Saud Advogados