Jurisdiction Guide · Panama · SBP

AML/CFT Compliance in Panama: SBP, Law 23 of 2015, and the 2026 Regulatory Landscape

RegMantle Editorial · 16 April 2026 · 13 min read

Panama’s AML/CFT regime is at a crossroads. After a turbulent period that saw the country placed on the FATF grey list in 2019, a cascade of reforms - including Law 23 of 2015, the 2024 Beneficial Owner Registry, and the SBP’s January 2026 regulatory overhaul - has reshaped the compliance terrain. Yet the same reforms have also raised the stakes for banks, fiduciaries and crypto-asset service providers that must now juggle tighter due-diligence rules, real-time sanctions screening and a more aggressive supervisory stance. For compliance officers, offshore bankers and regulators, the next twelve months will determine whether Panama can sustain its reputation as a transparent financial hub or revert to a high-risk jurisdiction.

Key Facts at a Glance

Primary regulator: SBP (Superintendencia de Bancos de Panama)
Primary AML law: Law 23 of 27 April 2015 on Money Laundering, Terrorist Financing and Proliferation Financing Prevention
Supplementary decree: Executive Decree 363 of 2015 - implementing regulations for Law 23
Financial Intelligence Unit: UAF (Unidad de Analisis Financiero) under the Ministry of Presidency, Egmont Group member
Criminal provision: Article 243 of the Penal Code - money-laundering offence
FATF status: Removed from grey list in October 2023
Recent regulator update: SBP “Regulation 2026-01” issued January 2026 - enhanced AML/CFT controls for banks and fiduciaries
Beneficial-owner law: Law 129 of 2020 - Private Beneficiary Register (Registro de Beneficiarios Privados)
EU blacklist response: Law 254 of 2021 - sanctions compliance with EU blacklist

The Regulatory Landscape

Panama’s AML/CFT architecture rests on three pillars: the substantive anti-money-laundering statute (Law 23), the implementing decree (Executive Decree 363), and the supervisory framework administered by the SBP, the Superintendencia del Mercado de Valores (SMV) for securities and the Superintendencia de Seguros y Reaseguros de Panama (SSRP) for insurance. Law 23 incorporates the FATF Recommendations verbatim and establishes a risk-based approach, mandatory customer due diligence (CDD), record-keeping, and reporting obligations. Executive Decree 363 expands on the definition of “beneficial owner”, sets the minimum content of suspicious activity reports (SARs) and outlines the format for electronic filing through the UAF’s goAML portal.

In 2023 the FATF removed Panama from its grey list after the country completed an action plan that included the creation of a public Beneficial Owner Registry, the immobilisation of bearer shares and the adoption of stricter sanctions screening. The EU followed suit in March 2024, removing Panama from its list of high-risk third countries. Nevertheless, the FATF’s 2025 mutual evaluation highlighted lingering weaknesses in the supervision of fiduciary services and in the enforcement of SAR filing deadlines - weaknesses that the SBP addressed in its 2026 regulatory package.

The SBP’s 2026-01 Regulation introduced a series of prescriptive measures: (i) a mandatory annual risk-assessment report filed with the SBP; (ii) a requirement that all banks maintain a “transaction-monitoring matrix” that maps product-type risk factors to red-flag indicators; (iii) a new “stand-still” provision mirroring Article 46 of Law 23, which obliges institutions to halt execution of a flagged transaction until the UAF either clears it or three working days elapse without a prohibition; and (iv) a graduated penalty schedule that ties fines to a percentage of the institution’s annual turnover, with a minimum of US$500,000 for systemic breaches.

SBP’s 2026-01 Regulation - Key Provisions

The regulation was published on 12 January 2026 and became effective on 1 March 2026. Section 4.1 of the regulation mandates that every obliged entity develop a written AML/CFT policy that references Law 23, Executive Decree 363 and the SBP’s own “Guidelines on Risk-Based Supervision” (issued 15 February 2026). Section 5.3 requires a minimum of two independent internal audits per year, with at least one audit focusing on the adequacy of SAR filing timeliness. Section 7.2 expands the definition of “politically exposed person” (PEP) to include senior officials of state-owned enterprises, a change that aligns Panama with the EU’s 2024 PEP definition.

The SBP also introduced a new electronic filing format for SARs - the “UAF-XML” schema - which must be used for all reports submitted after 1 March 2026. Failure to use the correct schema triggers an automatic administrative fine of US$10,000 per non-compliant filing, in addition to any substantive penalty for the underlying omission.

Customer Due Diligence and KYC

Institutions must collect and verify the full name, date of birth, nationality and residential address of natural persons before establishing a business relationship, as required by Article 5 of Law 23 and reinforced by Article 12 of Executive Decree 363. For legal entities, the regulator demands a certified copy of the incorporation charter, a list of directors, and a Beneficial Owner Declaration signed by the ultimate beneficial owners (UBOs) holding at least 25 % of the equity or voting rights, in line with Law 129 of 2020.

The SBP’s 2026-01 Regulation adds a “risk-tiered verification” requirement. Low-risk customers may be subject to simplified due diligence (SDD) if the institution can demonstrate, through a documented risk assessment, that the customer’s profile, transaction pattern and geographic exposure fall below the thresholds set out in Annex II of the regulation. High-risk customers - including PEPs, non-cooperative jurisdictions and crypto-asset service providers - must undergo enhanced due diligence (EDD) that includes source-of-wealth verification, ongoing transaction monitoring and senior-management approval for onboarding.

Beneficial-owner information must be entered into the public Registry of Beneficial Owners (RBO) within ten business days of onboarding. The RBO, operational since 1 July 2024, assigns each UBO a unique identifier that must be referenced in all subsequent SARs and internal risk reports. Non-compliance with the RBO filing deadline attracts a fine of US$25,000 per missing entry, as stipulated in Article 9 of the 2026-01 Regulation.

Sanctions Screening

Panama’s sanctions regime is a hybrid of UN Security Council resolutions, United States Office of Foreign Assets Control (OFAC) designations and the EU Consolidated List, incorporated into domestic law through Law 254 of 2021. The SBP requires real-time screening of all onboarding data and ongoing transactions against these three lists, with a tolerance of no more than 0.2 % false-positive rate for automated matches, as detailed in Section 6.4 of the 2026-01 Regulation.

Institutions must retain evidence of the screening logic, vendor validation reports and any manual overrides for a minimum of five years. The regulation also obliges banks to conduct a quarterly “sanctions-risk assessment” that evaluates the effectiveness of their screening technology and the adequacy of list updates and staff training. Failure to meet the quarterly assessment deadline results in a discretionary fine of up to US$100,000 per missed submission.

SAR/STR Reporting

Under Article 43 of Law 23, any suspicion of money-laundering or terrorist financing must be reported to the UAF “without undue delay”. The 2026-01 Regulation clarifies that “without undue delay” means filing the SAR on the same business day the suspicion arises, or at the latest by the end of the next business day. The SAR must contain the full UAF-XML schema, a narrative description of the suspicious activity, and supporting documentation such as transaction logs, customer identification records and any internal investigation notes.

The UAF’s goAML portal now enforces a “hard-stop” for incomplete filings: if any mandatory field is left blank, the system rejects the submission and returns an error code. The portal also timestamps each submission, providing an audit trail that the SBP uses during inspections.

⚠ Practical Note

The “stand-still” provision in Section 4.5 of the 2026-01 Regulation means that a transaction flagged in a SAR may not be executed until the UAF either issues a clearance notice or three working days pass without a prohibition. Executing the transaction earlier can expose both the institution and the approving officer to administrative fines and possible criminal liability under Article 243 of the Penal Code.

Risk-Based Approach

The risk-based approach (RBA) is embedded throughout Law 23 and the SBP’s 2026-01 Regulation. Section 2.1 of the regulation requires each institution to produce a full risk-assessment report that identifies: (i) product-type risk (e.g., correspondent banking, private banking, crypto-asset services); (ii) geographic risk (countries or regions with high AML deficiencies); (iii) customer-type risk (PEPs, high-net-worth individuals, non-cooperative jurisdictions); and (iv) channel risk (online onboarding, third-party service providers). The report must be updated annually and whenever a material change occurs, such as the launch of a new product line.

The SBP introduced a “risk-matrix” template that maps each risk factor to a set of red-flag indicators. For example, a high-risk jurisdiction combined with a cash-intensive product triggers an “enhanced monitoring” flag that requires daily transaction reviews and senior-management sign-off. Institutions that fail to implement the matrix or that produce a risk assessment that is deemed “generic” by the SBP may be subject to a supervisory penalty of up to 0.5 % of annual turnover.

Crypto-Assets

Panama incorporated crypto-asset service providers (CASPs) into the scope of Law 23 through an amendment to Article 7 in December 2024. The amendment requires CASPs to conduct the same CDD, beneficial-owner verification and SAR filing obligations as traditional financial institutions. In addition, the SBP’s 2026-01 Regulation adds a specific provision - Section 8.3 - that obliges CASPs to implement blockchain-analytics tools capable of tracing the provenance of wallet addresses involved in transactions exceeding US$10,000.

The regulation also clarifies that “unhosted wallets” (self-custodied wallets) are considered high-risk. CASPs must obtain a signed declaration from the customer confirming ownership of the private key and must perform a source-of-wealth assessment before allowing transfers to or from such wallets. Non-compliance with the unhosted-wallet requirement attracted a fine of US$75,000 per breach in the first year of enforcement.

Recent Enforcement

The SBP’s enforcement activity has intensified since the 2026-01 Regulation took effect. The regulator has issued a series of administrative fines that illustrate the new penalty framework and the types of breaches that trigger supervisory action.

Date | Institution | Penalty | Basis
Nov 2025 | Banistmo | $1.5m | Failure to file SARs within the “same-day” window for 42 transactions (Article 43, Law 23)
Oct 2025 | Banco General | $2.2m | Inadequate beneficial-owner verification for 18 corporate clients (Law 129, Executive Decree 363)
Jun 2024 | Scotiabank Panama | $750k | Deficient sanctions screening - missed OFAC designations on high-value wire transfers (Law 254, Section 6.4)
Mar 2024 | Credicorp Bank | $560k | Late filing of SARs - average delay of 4 days for 27 reports (2026-01 Regulation, Section 5.3)
Feb 2023 | Global Trust Services (fiduciary) | $420k | Failure to register UBOs in the RBO within ten days (Law 129, Article 9)

In addition to monetary penalties, the SBP has issued “name-and-warn” notices that publicly identify institutions with recurring AML deficiencies. The most recent notice, published on 12 February 2026, listed three banks for repeated “stand-still” violations, signalling that the regulator will not tolerate delays in halting suspicious transactions.

Practical Compliance Checklist for Panamanian Institutions

Minimum Documentation Set Required by SBP 2026-01

  1. Annual AML/CFT risk-assessment report (Section 2.1) with documented risk matrix and red-flag indicators.
  2. Written AML/CFT policy manual referencing Law 23, Executive Decree 363 and SBP Guidelines (Section 4.1).
  3. Customer due-diligence procedures, including verification checklists for natural persons, legal entities and UBOs (Article 5, Law 23).
  4. Enhanced-due-diligence (EDD) procedures for PEPs, high-risk jurisdictions and crypto-asset clients (Section 7.2).
  5. Sanctions-screening policy covering UN, OFAC and EU lists, with documented matching logic and false-positive handling (Section 6.4).
  6. SAR/STR filing procedures using the UAF-XML schema, with escalation matrix for “stand-still” situations (Article 43, Law 23; Section 4.5).
  7. Designated AML Officer (DAO) and deputy, with SBP notification form (Section 4.2).
  8. Staff training programme - minimum 12 hours per year, with attendance logs and training materials (Section 6.2).
  9. Internal audit schedule - two audits per year, one focusing on SAR timeliness (Section 5.3).
  10. Crypto-asset compliance annex - blockchain-analytics tool validation, unhosted-wallet declaration template (Section 8.3).
  11. Beneficial-owner registration log - record of RBO submission dates and unique identifiers (Law 129, Article 9).

Common Pitfalls

Recent enforcement files reveal three recurring weaknesses. First, many institutions still rely on weekly compliance meetings to approve SARs, which leads to systematic breaches of the “same-day” filing rule. The SBP’s guidance makes clear that SARs must be filed as soon as the suspicion arises, not after a scheduled review.

Second, fragmented governance structures - where AML responsibilities are split between separate legal entities or business lines - create gaps in the “stand-still” process. In the Banistmo case, the bank’s retail division filed a SAR, but the corporate division continued processing the flagged transaction, resulting in a $1.5 million fine.

Third, institutions over-rely on commercial screening vendors without documented validation. The SBP expects institutions to retain evidence of vendor performance testing, data-quality assessments and periodic re-validation of matching algorithms. Failure to produce this evidence during an inspection can trigger a discretionary fine of up to US$100,000.

Looking Ahead

Panama’s AML/CFT framework will continue to evolve. The SBP has announced a “Regulatory Sandbox” for fintech and crypto-asset firms, slated to launch in Q4 2026, which will test new real-time monitoring tools. At the same time, the Ministry of Economy is drafting a “Beneficial-Owner Access Act” that will allow foreign FIUs limited remote access to the RBO, aligning Panama with the EU’s “Access to Beneficial Ownership Information” directive. Institutions should begin preparing now by integrating remote-access protocols and by reviewing their data-privacy policies to ensure compliance with the forthcoming law.

How RegMantle Helps

RegMantle produces jurisdiction-specific AML/CFT documentation that references Law 23 of 2015, Executive Decree 363, Law 129 of 2020, Law 254 of 2021 and the SBP’s 2026-01 Regulation. Generated outputs include a full AML/CFT policy manual, a risk-assessment template pre-populated with the SBP risk-matrix, KYC/CDD procedures that embed the RBO identifier field, a sanctions-screening policy aligned with OFAC, UN and EU lists, SAR/STR filing SOPs that use the UAF-XML schema, and a crypto-asset compliance annex that satisfies Section 8.3. All documents are exportable as branded DOCX files, ready for board approval and SBP inspection.

Generate your Panama AML documentation in minutes

Stop paying US$10,000 to US$30,000 for bespoke consultancy. RegMantle delivers audit-ready, SBP-compliant documentation in under ten minutes.
