AML Obligations of Virtual Asset Service Providers (VASP) in Preventing Financial Crimes

The use of digital currency is becoming increasingly popular. However, every valuable thing comes with a cost as digital progress comes with the risk of financial crimes.

Virtual Assets (VA) and Virtual Asset Service Providers (VASPs) are vulnerable to these crimes.

Risks can be effectively reduced by following Anti-Money Laundering (AML) regulatory requirements proposed by the Financial Action Task Force (FATF) to enhance robust Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) compliance for VASPs and Virtual Assets.

As cryptocurrency gains popularity among the public, countries are seeking ways to regulate them. VASPs have a significant impact on countries’ financial stability.

Let’s explore what VASPs are and their impact on financial stability.

What are Virtual Asset Service Providers (VASP)?

According to the FATF, a Virtual Asset is a “digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes; the representation of physical currency, securities, and other financial values already addressed in the FATF recommendation is not included in virtual assets.”

According to FATF, Virtual Asset Service Provider (VASP) is described as “Any natural or legal person not covered elsewhere under the Recommendations, who conducts business on behalf of another by exchanging virtual assets with fiat currencies, exchanging between different forms of virtual assets, transferring virtual assets, safekeeping or administering virtual assets or instruments that enable control over them, or providing financial services related to an issuer’s offer and/or sale of a virtual asset, is subject to these regulations.”

As the use of digital currencies for trading is replacing physical cash, there is a need to implement proper AML checks to ensure that money launderers don’t exploit virtual assets.

What does FATF mandate about VASPs as part of AML compliance?

FATF Recommendation for Virtual Asset Service Providers (VASPs)

The Financial Action Task Force (FATF) included two new terms in the glossary in October 2018, namely “virtual asset” (VA) and “virtual asset service provider” (VASP).

• Recommendation 15 of the FATF mandates that VASPs follow anti-money laundering and combat the financing of terrorism (AML/CFT) rules to prevent financial crimes.
• VASPs need to be approved by the government and authorized.
• Authorities will check the VASPs to ensure they follow AML/CFT regulations.

On June 15, 2019, FATF added more requirements regarding VAs and VASPs, particularly the need for a risk-based approach (RBA) was highlighted:

• VASPs should be supervised according to AML/CFT requirements.
• Their legal authorization must be done by registering them.
• They must take preventive measures to ensure AML/CFT compliance, such as “customer due diligence, recordkeeping, and suspicious transaction reporting in addition to other requirements.”
• They have to avoid breaking laws as sanctions will be imposed.
• Worldwide collaborations are necessary to ensure VASPs follow the rules.

 

The FATF recommendations mandate all countries to enforce certain AML/CFT regulations and laws on “Financial institutions (FI) and Designated Non-Financial Businesses and Professions (DNFBS)” and ensure they comply with AML/CFT requirements.

4 Critical Roles of Virtual Asset Service Providers

Virtual Asset Service Providers (VASPs) carry out several vital functions in virtual asset environments, including:

Exchanges

Online marketplaces where users can “buy, sell, and trade” virtual assets such as Coinbase, Binance, and Kraken.

Wallet Providers

Businesses provide virtual asset storage such as hot or cold wallets. The first is linked to the Internet, and the latter is offline storage.

Custodians

Organizations that protect their customers’ virtual assets ensure they are appropriately handled and keep their protection intact.

Payment Processors

Firms that make a business accept payment in cryptocurrency and enable transactions easily using virtual assets

Following AML regulations, VASP crypto firms must apply AML/CFT obligations to prevent financial crimes.

Why Must VASPs Ensure AML Compliance?

• The virtual asset ecosystem is vulnerable to financial criminals as it can be misused for illicit activities.
• Rules and AML regulations for VASPs are stricter and are continuously changing due to emerging risks.
• FATF’s recommendations are global guidelines for countries and mandates to enforce AML/CFT regulations for VASPs.
• VASPs must comply with anti-money laundering (AML)  and be monitored thoroughly to ensure they follow AML/CFT rules.
• AML obligations must be fulfilled to prevent financial crimes associated with digital currencies; for example, the VASPs must have authorization from the Financial Crimes Enforcement Network (FinCEN)  in the United States, and compliance with the Bank Secrecy Act (BSA) is needed.
• Likewise, the Fifth Anti-Money Laundering Directive (5AMLD) of the European Union includes “virtual asset service providers” in AML obligation. The directive requires license and compliance with KYC to verify the customers.

AML/CFT Obligations of Virtual Asset Service Providers

Amendments in FATF’s Recommendation 15 address the risks of emerging advanced technologies, particularly those linked to virtual assets and virtual asset service providers.

The modification urges countries to follow the same AML/CFT regulations for VASPs as countries do for regular financial institutions (FIs) to robust AML/CFT compliance.

Following are AML/CFT obligations of Virtual Asset Service Providers as mandated by FATF:

Licensing or Registration

• Countries must assign one or more agencies that grant licenses or approve the registration of VASPs.
• License or registration should be done in the same location or country where this business started.
• Legal requirements such as “incorporation, registration, recognition by a notary, filing bylaws/articles, or allocation of a tax number” must be fulfilled to get registered officially.
• For registration, the firm’s place can be selected according to the primary location of the business.
• The primary location can be determined by transaction records, customer data, stored financial history, or owner’s location.
• If a VASP works from home, its residence location will be selected for registration.
• Relevant authorities set specific registration/license criteria for registration  or approval of the license; VASPs have to fulfill those requirements based on the size of the business and their operations, including “having a resident executive director, substantive management presence, or financial requirements.”
• Authorities ensure VASPs are regulated and supervised thoroughly based on AML requirements for registration.

Customer Due Diligence (CDD)

• According to FATF’s recommendation 10,  financial institutions must conduct CDD measures for all customers to identify and verify their identities using reliable data and identify beneficial owners of organizations.
• CDD measures help the organization understand the type of business relationship.
• Financial institutions must conduct customer due diligence (CDD) for transactions linked with virtual assets above the USD/EUR 1,000 limit.
• If frequent transactions related to virtual assets exceed USD/EUR 1,000, then CDD checks must be applied.
• Transactions through wire transfers according to recommendation 16 above USD/EUR 1,000.
• When transactions are suspected to be linked with financial crimes such as Money Laundering (ML) or Terrorist Financing (TF), CDD must apply.
• All VA transactions are treated as cross-border qualifying wire transfers under Recommendation 16.
• Countries can set a limit as a “De minimis threshold of USD/EUR 1,000” for frequent cryptocurrency wire transfers.
• All Virtual asset-related transactions should be considered international money transfers; the same checks must apply to VA transactions.
• Businesses categorized as Designated Non-Financial Businesses and Professions (DNFBPs), that deal with Virtual Assets must have applied CDD checks if a set limit exceeds USD/EUR 1,000  for frequency transactions.

Suspicious Transaction Reporting (STR)

• According to 139 of the guide, international collaboration for oversight of VASPs is essential as some businesses get licenses in one country but offer services to clients in other countries. Hence, collaboration is necessary to ensure proper regulation.
• Financial institutions must collaborate with other countries to share data-related VASPs and inform them about suspicious transactions to their relevant authorities as an obligation in suspicious transaction reporting (STR).
• The exchange of STR-related information should be conducted with other counterparts in foreign countries to strengthen AML compliance.

• Currently, countries lack collaboration to oversee and investigate suspicious transactions; many countries lack meaningful legal frameworks that permit them to mark specific virtual asset-related money laundering and terrorist financing activities as criminal activities, leading to failures in AML compliance.

Record Keeping

• Recommendation 11 mandated countries to ensure that all virtual asset service providers (VASPs) maintain records of all the transactions and CDD requirements for at least five years for AML/CFT compliance.
• All the transaction details, such as identification of the groups/businesses engaged in the deal, public keys, accounts linked with transactions, their addresses, type of transaction, date of transaction, and the amount transfer linked with VASPs, must be kept in the keeping process.
• Basic information can be obtained by accessing public information about blockchain for record-keeping, but a CDD check must be conducted for detailed information.
• Relying on blockchain information is insufficient for keeping record requirements as it doesn’t disclose the person’s name, so additional information is required to keep the record.

AML obligations establish a solid foundation for a robust AML compliance program for VASPs. Understanding how countries comply with and enforce AML/CFT laws is vital.

Suggested Article: 9 Essentials of AML Compliance Checklist In 2024

Global Enforcement of AML Legislations in VASPs

While regulations may differ globally, each country’s main goal is securing the virtual asset landscape from illicit activities.

FATF also describes how different countries participate in the supervision and regulation of virtual assets, and VASPs enforce AML legislations in the country and set sanctions for breaching AML/CFT laws.

Italy

• AML legislation of Itlay (Decree No. 231 of 2007), modified by  Decree No. 90 of 2017, includes “virtual currency exchangers” and VASPs under its AML/CFT regulations.
• VASPs must enroll with a special division of the  Organismo degli Agenti e dei Mediatori (OAM) to continue their operations in the country and comply with all AML obligations.
• To reduce AML risks associated with VASPs, such as money laundering and terrorist financing, customer due diligence (CDD), transaction monitoring, and suspicious transaction reporting must be conducted.
• Banks, casino operators, and payment firms must detect and report suspicious transactions.
• The Italian FIU (UIF) upgraded its guidelines on suspicious transaction reports (STR) in 2019 linked with virtual assets.
• Italy’s National Risk Assessment of 2019 evaluates money laundering and terrorist financing risks that arise from Virtual assets.
• UIF gathers data about VASPs, their transactions, and client’s profiles.
• Warnings about virtual assets-related risks have been issued since 2015 to clients and financial intermediaries.

Norway

• Since 15 October 2018, VASPs have been included in the Norwegian AML Act.
• 26 VASPs have been under legal supervision, with 20 applications pending registration approval due to deficiencies in AML compliance. Six VASPs have been approved since June 2019.
• According to the AML Act of Norway, VASPs are required to be authorized by the Financial Supervisory Authority.
• The AML legislation implies “virtual currency exchanges and custodians” to comply with AML/CFT obligations such as CDD and STR.
• This risk-based approach reduces the financial crimes linked with virtual assets in the country.
• The Norwegian Financial Supervisory Authority (FSA) has commanded the cessation of operations at three VA ATMs, and since then, no new VA ATMs have been opened.
• FSA is now investigating the VASPs to check their registration, size, and AML knowledge of the business.

Sweden

• The Swedish Financial Supervisory Authority (FSA) has officially categorized Bitcoin and Ethereum as valid means of payment.
• Like Financial institutions, VASPs must comply with similar AML/CFT laws.
• Registration is compulsory with official authority for operating in the country.
• Once a VASP gets a license, all their operations will be supervised according to AML/CFT requirements, even though VAs are not explicitly highlighted in the law.
• Virtual currency exchanges must implement similar obligations such as CDD measures, record keeping, and reporting suspicious transactions.
• FSA has focused on supervising the VASPs and can cease operations if any deficiencies are found.
• VASPs have delivered their STRs to the Financial Intelligence Unit (FIU)  of Sweden as an AML obligation.

Mexico

• According to the Federal Law of Mexico (Money Laundering Act), operations related to virtual assets outside financial organizations and credit firms were considered vulnerable in March 2018.
• The law was issued to permit financial organizations to work with virtual assets under the legal permit from Mexico Bank and use the VAs as asked by the bank.
• The AML/CFT requirements for VA were announced publicly in September 2018.
• The central bank declared the internal rules for VA operations for FIs and credit institutions in March 2019.
• The central bank described the risks associated with money laundering and Terrorist financing because of easy transfer across the globe, lack of proper supervision, and working under AML/CFT obligations.
• Reforms were made for AML/CFT compliance in March 2019.

AML legislation related to VASPs and VAs with Japan, Finland, and the United States are also discussed in the guidance. Breaching AML Laws for VASPs leads to severe penalties.

FinCEN Penalty Case Study

FinCEN penalized Larry Dean Harmon, Owner of Helix and Coin Ninja, $60 million for several violations, as depicted below.

 

What are the main challenges that VASPs encounter when implementing effective AML compliance measures? Let’s find out in the following section.

Challenges in Implementing AML Compliance for VASPs

• Rules for virtual assets are still established; unknown factors can create obstacles to operation and systemic planning.
• Virtual asset service providers (VASPs) are vulnerable to cyberattacks and hackers who invade the cyber security environment quickly and need to invest money in these measures.
• Supervising AML requirements worldwide is a complex and time-consuming task that requires money to monitor AML/CFT obligations.
• The asset’s value can be changed at any time without a specific ratio, which affects the country’s financial stability by impacting VASPs and their customers.

Are you a Virtual Asset Service Provider looking to strengthen your AML compliance? AML Watcher provides crypto wallet screening to ensure safe virtual asset transactions.

Here’s a virtual tour of how the crypto wallet screening feature works!