Criminal Lawyers Austria 2026: Corporate Criminal Liability, AML Rules and Defence

Austria’s corporate criminal-law landscape shifted markedly in early 2026. The FATF mutual-evaluation cycle placed fresh scrutiny on how the country supervises money-laundering controls, the EU’s Anti-Money-Laundering Authority (AMLA) framework began reshaping supervisory expectations, and Austrian legislators tightened both administrative penalties and beneficial-ownership transparency requirements. For in-house counsel, compliance officers, CFOs and company directors, the central question is now unavoidable: what immediate compliance changes and defence preparations must Austrian corporates make in 2026? This guide, written for practitioners who need to act, not merely read, delivers a step-by-step playbook covering obligations, timelines, corporate criminal liability triggers, and white collar defence Austria strategies.

Executive Summary

The following six points capture what every Austrian corporate stakeholder needs to know right now. Each is explored in depth in the sections that follow.

• Immediate AML obligations. Austria’s transposition of the EU’s Sixth Anti-Money-Laundering Directive (AMLD 6) and the accompanying Austrian Financial Markets Anti-Money Laundering Act (FM-GwG) amendments impose stricter customer due diligence (CDD), tighter beneficial-ownership verification deadlines and expanded suspicious-transaction reporting duties. All obliged entities must review their procedures against the updated rules.
• Corporate criminal liability triggers. The Verbandsverantwortlichkeitsgesetz (VbVG), Austria’s Corporate Criminal Liability Act, remains the statutory backbone. Under the 2026 enforcement climate, prosecutors are expected to pay closer attention to whether management tolerated compliance gaps, making a documented, effective compliance management system (CMS) a critical shield.
• Penalty ranges. Administrative fines under the FM-GwG can reach multiples of the benefit gained from a breach, while corporate fines under the VbVG are calculated as daily rates linked to revenue. Directors face personal criminal sanctions under the Austrian Criminal Code (StGB) for facilitation or wilful blindness.
• Compliance programme priorities. Risk assessments, governance frameworks, enhanced due diligence for politically exposed persons (PEPs) and high-risk jurisdictions, and transaction-monitoring technology must be updated within 90 days to align with FATF expectations.
• Internal investigation readiness. Companies should pre-position investigation protocols, including external-counsel appointment triggers, evidence-preservation procedures, and a clear decision tree for voluntary disclosure to the Wirtschafts- und Korruptionsstaatsanwaltschaft (WKStA), Austria’s anti-corruption prosecution service.
• Recommended next actions. Launch a focused gap analysis within 30 days, remediate identified weaknesses within 60 days, and complete board-level training and documentation by day 90. Where exposure is already suspected, seeking specialist criminal lawyers in Austria without delay is the prudent course.

FATF 2026 Mutual Evaluation, Key Findings Affecting Austria

The Financial Action Task Force conducts periodic mutual evaluations of its member jurisdictions to assess compliance with its 40 Recommendations on anti-money-laundering and counter-terrorist financing (AML/CTF). Austria’s most recent evaluation cycle, the findings of which have been circulating in draft form through early 2026, carries significant weight for every company operating in the jurisdiction. The FATF’s assessments directly inform the regulatory priorities of the Austrian Financial Market Authority (FMA) and shape prosecutorial focus at the WKStA.

Top 5 Takeaways from FATF Austria 2026

• Beneficial-ownership transparency gaps. The evaluation flagged ongoing weaknesses in Austria’s enforcement of beneficial-ownership registration requirements, noting that verification mechanisms need strengthening, particularly for complex corporate structures involving trusts and foreign holding entities.
• Supervisory effectiveness across sectors. While the FMA’s supervision of banks received generally positive marks, the FATF identified inconsistencies in how non-financial obliged entities, including real-estate agents, dealers in high-value goods, and certain professional-service providers, are supervised for AML compliance.
• Suspicious-transaction reporting quality. Austrian reporting entities file a comparatively high volume of suspicious-transaction reports (STRs), but the evaluation questioned their analytical quality. Industry observers expect this will drive the Financial Intelligence Unit (FIU, housed within the Bundeskriminalamt) to issue updated guidance on reporting standards.
• Cross-border cooperation. Austria’s mutual legal assistance framework was deemed generally effective, but delays in responding to complex international requests were noted, a finding with implications for companies involved in cross-border investigations.
• Risk-based approach implementation. The evaluation underscored that Austria’s risk-based approach needs deeper embedding at entity level, with documented, entity-specific risk assessments rather than reliance on generic sectoral templates.

These findings set the backdrop for Austrian legislative and regulatory action through the first half of 2026. For compliance officers asking “What are Austria’s new AML / financial-crime obligations in 2026?”, the answer begins here and continues in the sections below.

AML Changes in Austria 2026, What Companies Must Do Now

Multiple legislative and administrative instruments came into effect or were materially amended between January and May 2026. The table below provides a consolidated timeline of the key changes affecting financial crime compliance Austria obligations. Dates and instruments are drawn from the Austrian Legal Information System (RIS) and Finance Ministry (BMF) communications.

Tax and VAT Amendments with Criminal Implications (Jan–May 2026)

The Abgabenänderungsgesetz 2026, which took effect on 2026-01-01, is not solely a revenue measure. By raising the ceiling on administrative penalties under the Finanzstrafgesetz for intentional VAT misreporting, the legislature signalled that tax-fraud conduct previously handled through administrative channels may now more readily cross the threshold into criminal prosecution. Companies with complex VAT arrangements, particularly those involving intra-group cross-border supplies, should treat this as a prompt for a focused review of their VAT compliance processes.

FMA and Supervisory Updates

The FMA’s March 2026 circular on transaction-monitoring standards represents a step-change for supervised entities. The practical effect is that institutions relying on manual review processes alone will need to invest in technology upgrades. The April 2026 enforcement notice on STR quality adds a further layer: AML Austria 2026 obligations now require not just timely filing but demonstrably analytical, structured reporting. Together, these supervisory instruments mean that the FMA is operationalising the FATF’s recommendations in near-real time.

Corporate Criminal Liability in Austria: Scope, Triggers and Practical Implications

The question “How does corporate criminal liability apply to Austrian companies under the 2026 changes?” requires starting with the Verbandsverantwortlichkeitsgesetz (VbVG), in force since 2006. The VbVG provides that legal entities, companies, partnerships, and other associations (Verbände), can be criminally liable for offences committed by decision-makers (Entscheidungsträger) acting on behalf of the entity, or by employees where the offence was enabled by a failure of management to implement adequate organisational and supervisory measures.

Corporate criminal liability Austria exposure does not require that the entity itself possessed criminal intent. It is sufficient that a natural person committed the underlying offence in the course of business activities and that the entity failed to take reasonable steps to prevent it. This “organisational fault” standard makes the quality and documentation of compliance systems a central defence issue.

Who Can Be Liable, Companies, Management, Legal Entities?

Under the VbVG, liability attaches to the entity (Verband) rather than to individual directors, though individual criminal liability under the StGB runs in parallel. In practice, prosecutors often pursue both tracks simultaneously: the company faces VbVG proceedings while individual managers or directors face personal charges under anti-corruption criminal law Austria provisions (§§ 302–309 StGB for bribery offences) or financial-crime provisions (§§ 146 ff. StGB for fraud, § 165 StGB for money laundering).

The table below summarises how corporate criminal liability Austria obligations differ by entity type:

Defence Considerations: Corporate Compliance as Mitigation

The VbVG expressly provides for mitigation where the entity can demonstrate that it maintained an effective compliance management system. Industry observers expect that, in the wake of the FATF Austria 2026 findings, Austrian courts will scrutinise the substance of compliance programmes more rigorously, moving beyond mere paper policies to evidence of implementation, monitoring, and remediation. A documented CMS that meets the standards described in the compliance checklist below is the single most effective defence tool available to Austrian corporates.

Compliance Programme Update: Immediate Steps and Internal-Investigation Playbook

In response to the FATF 2026 findings and legislative changes, every Austrian company subject to AML obligations should undertake a structured compliance-programme update. The checklist below is organised by timeline and responsible owner.

Template Timeline and Owners (CFO / GC / MLRO)

Within 30 days (immediate priorities):

1. Entity-specific risk assessment. Conduct or refresh a documented, entity-specific money-laundering and terrorist-financing risk assessment. Do not rely on generic sectoral templates, the FATF explicitly flagged this deficiency. Owner: MLRO / Compliance Officer.
2. Beneficial-ownership data. Verify that all WiEReG filings are current and accurate, reflecting the shortened two-week notification deadline. Owner: Company Secretary / GC.
3. PEP screening update. Shift PEP screening to a quarterly cycle (at minimum) and document the updated procedure. Owner: MLRO.

Within 60 days:

1. Transaction-monitoring technology. Assess whether current transaction-monitoring systems meet the FMA’s March 2026 minimum standards. If not, initiate procurement or upgrade. Owner: CFO / IT.
2. STR quality review. Audit the last 12 months of STR filings for structured risk-scoring data. Implement templates that comply with the FMA’s April 2026 notice. Owner: MLRO.
3. Policy and procedure update. Revise internal AML/KYC policies to reflect all 2026 changes, including enhanced CDD triggers and the expanded high-risk third-country list. Owner: GC / Compliance.

Within 90 days:

1. Board and senior-management training. Deliver targeted training to the Vorstand or Geschäftsführer on updated obligations, personal liability risks, and the VbVG defence framework. Document attendance and content. Owner: GC.
2. Record-retention review. Confirm that document-retention schedules meet the statutory minimum of five years for CDD records and ten years for transaction records, as required under the FM-GwG. Owner: Compliance / Records Management.

Within 6 months:

1. Independent compliance audit. Commission an independent review of the updated CMS to verify effectiveness. Retain the audit report as evidence of the entity’s good faith, this documentation is directly relevant to VbVG mitigation arguments. Owner: CFO / GC.

Documentation to Evidence “Effective” Measures

Austrian courts evaluating a compliance defence under the VbVG will look for tangible evidence, not aspirational policy documents. The following documentation standards should be treated as baseline requirements for financial crime compliance Austria purposes:

• Written risk-assessment reports with entity-specific risk ratings and methodology descriptions.
• Board minutes recording approval of compliance policies and discussion of key risks.
• Training registers with dates, attendees, content summaries and post-training assessment results.
• Transaction-monitoring system configuration records and alert-disposition logs.
• STR filing records with internal review notes and quality-assurance sign-offs.
• Remediation action plans with status tracking and evidence of completion.

Internal Investigations and White Collar Defence Playbook

When a potential compliance failure or suspected offence is identified, the response in the first 48 to 72 hours is critical. Austrian criminal procedure and administrative penal law Austria create a dual-track exposure: the same conduct may trigger administrative proceedings before the FMA and criminal proceedings before the WKStA or a regional Staatsanwaltschaft. Managing both tracks simultaneously, without inadvertently waiving rights or compromising evidence, requires specialist criminal lawyers Austria practitioners from the outset.

When to Appoint External Counsel

External criminal-defence counsel should be appointed immediately when any of the following red-flag indicators are present:

• A suspicious-activity report has been filed that implicates company insiders or senior management.
• The FMA has initiated a supervisory enquiry or requested documents under its inspection powers.
• An employee has raised an internal whistleblower report alleging financial-crime conduct.
• Cross-border regulators or law-enforcement agencies have issued information requests or mutual legal assistance requests.
• Media reporting suggests that the company or its directors are under investigation.

Early engagement of external counsel preserves the ability to claim legal privilege over investigation work product, though it must be noted that privilege protections in Austria are narrower than in common-law jurisdictions. Attorney-client privilege (Verschwiegenheitspflicht) under § 9 RAO (Rechtsanwaltsordnung) protects communications with Austrian-admitted lawyers, but internal investigation notes prepared by non-lawyers (compliance staff, forensic accountants) generally do not benefit from equivalent protection.

Managing Cross-Border Data and Mutual Legal Assistance

Austrian companies operating across borders face additional complexity. Evidence located in Austria may be sought by foreign authorities through mutual legal assistance treaties (MLATs) or the European Investigation Order (EIO). Conversely, Austrian prosecutors may request evidence from abroad. The practical implications include:

• Data-localisation considerations. Ensure that evidence-preservation holds are issued promptly across all jurisdictions where relevant data is stored, including cloud environments.
• GDPR and data-transfer restrictions. Cross-border evidence-sharing must comply with the General Data Protection Regulation. Legal bases for transfer, such as the law-enforcement processing exemption under Article 49(1)(d) GDPR, should be assessed before responding to foreign requests.
• Voluntary disclosure strategy. Where the evidence suggests a reportable offence, the decision to self-report to the WKStA or FMA is one of the most consequential choices a company can make. Self-reporting can yield mitigation under the VbVG and may forestall more aggressive enforcement, but it also crystallises the company’s exposure. This decision should never be made without detailed advice from experienced white collar defence Austria practitioners.

Penalties, Administrative Fines and Suspension Risks, 2026 Outlook

Companies and their directors face a graduated penalty framework under Austrian law. Understanding the full range of potential consequences is essential for anyone asking “What penalties and administrative fines can companies face after the 2026 reforms?”

Corporate fines under the VbVG: Fines are imposed using a daily-rate system (Tagessätze), where each daily rate is calculated based on the entity’s revenue. The number of daily rates depends on the severity of the underlying offence. For serious financial-crime offences, courts may impose up to 180 daily rates, which, for large corporates, can translate into multi-million-euro fines.

Administrative fines under the FM-GwG: The FMA may impose fines of up to twice the benefit derived from the breach, or up to EUR 5 million for particularly serious AML failures by credit institutions. For other obliged entities, maximum administrative fines can reach EUR 1 million. The 2026 amendments increased these ceilings for repeat offenders.

Personal criminal sanctions: Directors and senior managers face personal prosecution under the StGB for offences including money laundering (§ 165 StGB, up to three years’ imprisonment, or up to ten years for aggravated cases), bribery (§§ 307–309 StGB), and fraud (§§ 146–148 StGB). Conviction carries not only imprisonment but also potential disqualification from serving as a director.

Reputational and operational consequences: Beyond fines, the FMA may publish enforcement decisions, suspend licences, or impose conditions on business operations. For regulated entities, the reputational damage from a published enforcement action often exceeds the financial penalty itself. Industry observers expect the FMA to increase its use of public enforcement notices as part of its post-FATF supervisory strategy.

Negotiating administrative fines is possible in certain circumstances, particularly where the entity can demonstrate prompt remediation, cooperation with authorities, and the existence of an effective compliance programme. Early engagement with administrative penal law Austria specialists is critical to achieving favourable outcomes in settlement discussions.

EU Directives, Transposition and Cross-Border Implications for Austrian Companies

Austria’s 2026 obligations do not exist in a vacuum. They are shaped substantially by EU-level developments, and companies must track both Austrian transposition measures and direct-effect EU instruments.

The EU Anti-Money-Laundering Regulation (AMLR), part of the comprehensive AML package adopted by the European Parliament, will apply directly across all Member States and is expected to become fully operational in the coming period. Unlike directives, the AMLR requires no national transposition: its provisions on CDD, beneficial-ownership transparency, and supervisory cooperation will apply uniformly. Austrian companies should prepare for a single, directly applicable EU rulebook that will sit alongside, and in some areas supersede, the FM-GwG.

The Directive on criminal penalties for the violation of Union restrictive measures further expands the scope of criminalised sanctions-evasion conduct. Austria must transpose this directive into national law, and early indications suggest that the implementing legislation will broaden the range of conduct triggering criminal liability for companies and individuals involved in sanctions circumvention.

For multinational groups, the practical effect is that compliance programmes must be harmonised across jurisdictions. A programme that meets Austrian requirements but falls short of the AMLR’s direct standards, or vice versa, will leave the group exposed. The likely practical effect will be an increase in demand for cross-border compliance audits and coordinated legal advice involving criminal lawyers Austria specialists working alongside counsel in other EU Member States.

How to Prepare for Enforcement, Audit, Remediation and Self-Reporting Strategy

Proactive preparation is the most cost-effective defence. Companies that wait for an enforcement action before addressing compliance gaps face dramatically worse outcomes, both financially and reputationally. The following steps form a practical remediation plan:

• Conduct a focused compliance audit. Engage external specialists to review AML, anti-corruption, and financial-crime compliance against the 2026 legislative changes and FATF expectations. Prioritise high-risk areas: beneficial-ownership records, CDD on PEPs, and transaction-monitoring effectiveness.
• Remediate identified gaps promptly. Assign clear ownership, deadlines, and budget to each remediation item. Document progress meticulously, remediation evidence is directly relevant to penalty mitigation under both the VbVG and administrative penal law Austria frameworks.
• Train senior management. Board-level awareness of criminal-liability triggers and personal exposure is non-negotiable. Training must be documented, substantive, and repeated at least annually.
• Assess voluntary-disclosure options. Use the following decision criteria when evaluating whether to self-report:
  • Is there a reasonable likelihood that the conduct will be discovered independently (e.g., through an STR, regulatory inspection, or media inquiry)?
  • Does the evidence suggest systemic failure or isolated misconduct?
  • What is the likely mitigation benefit under the VbVG for voluntary disclosure versus the risk of crystallising liability?
  • Has external criminal-defence counsel assessed the strength of available defences?
• Document everything. In enforcement proceedings, the entity’s ability to demonstrate a culture of compliance, through contemporaneous records, not after-the-fact reconstructions, is the single most persuasive factor in penalty mitigation.

Conclusion and Recommended Next Steps for Criminal Lawyers Austria Mandates

The convergence of FATF evaluation findings, Austrian legislative amendments, and EU-level regulatory reform means that 2026 is a defining year for corporate criminal compliance in Austria. The window for proactive remediation is measured in weeks, not months. Companies that act decisively, launching gap analyses within 30 days, completing remediation within 60, and documenting board-level training by day 90, will be best positioned to defend against enforcement action and demonstrate the effective compliance systems that the VbVG rewards.

For organisations facing suspected exposure, existing investigations, or complex cross-border compliance challenges, engaging experienced criminal lawyers Austria practitioners is the essential first step. Specialist counsel can navigate the dual-track administrative and criminal procedure, protect privilege, and advise on voluntary-disclosure strategy with the precision that these high-stakes situations demand.

Sources

1. FATF, Financial Action Task Force (Mutual Evaluation Reports)
2. Austrian Legal Information System (RIS), Consolidated Legislation
3. Austrian Financial Market Authority (FMA), Guidance and Notices
4. Austrian Federal Ministry of Finance (BMF)
5. EUR-Lex, Access to European Union Law
6. European Commission
7. Schoenherr, Legal Insights