7 Things you need to know about the AML/CFT Implementing Procedures to the Virtual Financial Assets Sector

It is the moment all MLROs and Com­pli­ance Offi­cers with­in the local Vir­tu­al Finan­cial Asset sphere have been wait­ing for – the pub­li­ca­tion of the legal­ly bind­ing Imple­ment­ing Pro­ce­dures (IPs) (Part II) in rela­tion to the VFA sec­tor!

Issued on the 3rd of Feb­ru­ary by the Finan­cial Intel­li­gence Analy­sis Unit, these Imple­ment­ing Pro­ce­dures set out how VFA Agents, VFA Ser­vice Providers and any­one con­duct­ing VFA offer­ings to the pub­lic are to com­ply with the AML/CFT oblig­a­tions aris­ing from the Pre­ven­tion of Mon­ey Laun­der­ing and Fund­ing of Ter­ror­ism Reg­u­la­tions.

Here are sev­en things you need to know about the Imple­ment­ing Pro­ce­dures in terms of the AML/CFT oblig­a­tions to the Vir­tu­al Finan­cial Assets Sec­tor:

1. It is not a stand-alone document

Read­ing, under­stand­ing and fol­low­ing Part II of the Imple­ment­ing Pro­ce­dures with regards to the VFA Sec­tor is a good start towards ful­fill­ing your AML/CFT oblig­a­tions towards local law. How­ev­er, if you real­ly want become pro­fi­cient in this area, then Part II of the Imple­ment­ing Pro­ce­dures will need to be read in con­junc­tion with Part I of the FIAU’s Imple­ment­ing Pro­ce­dures, as well as the rel­e­vant sec­tions of the Pre­ven­tion of Mon­ey Laun­der­ing Act, and the Pre­ven­tion of Mon­ey Laun­der­ing and Fund­ing of Ter­ror­ism Reg­u­la­tions.

In cas­es where there are con­flicts between Part I and Part II of the IPs, then it is the VFA spe­cif­ic IPs that shall pre­vail.

2. A different side to Jurisdictional Risk…

Sub­ject per­sons should know that con­duct­ing juris­dic­tion­al risk assess­ments means con­sid­er­ing a num­ber of fac­tors relat­ing to that par­tic­u­lar coun­try, such as the mon­ey laun­der­ing threat, the per­ceived threat of ter­ror­ists and ter­ror­ist groups asso­ci­at­ed with that region, the lev­el of cor­rup­tion, and tax haven sta­tus.

Part II of the Imple­ment­ing Pro­ce­dures states that juris­dic­tion­al risk should also take into account the amount of cyber­crime that is asso­ci­at­ed with a par­tic­u­lar juris­dic­tion. There­fore, if a client who holds VFAs resides in a juris­dic­tion or is receiv­ing or send­ing VFAs from/to a juris­dic­tion that is asso­ci­at­ed with a high lev­el of cyber­crime, then the Cus­tomer Risk Assess­ment must be amend­ed to reflect this.

3. …and also to Interface Risk

Part I of the IPs divides inter­face risk into the fol­low­ing cat­e­gories: (i) face to face; (ii) non-face to face (using tech­no­log­i­cal sys­tems with embed­ded safe­guards); (iii) non-face to face using means with no embed­ded tech­no­log­i­cal safe­guards; and (iv) non-face to face through inter­me­di­aries.

The IPs in rela­tion to the VFA sec­tor dic­tate that when ana­lyz­ing inter­face risk, the use of prox­ies, unver­i­fi­able IP address­es and geo­graph­i­cal loca­tion, dis­pos­able email address­es or mobile num­bers, as well as the use of dif­fer­ent devices with the inten­tion of obscur­ing geo­graph­i­cal loca­tion must be fac­tored into the Cus­tomer Risk Assess­ment. There­fore, it is very impor­tant that this infor­ma­tion can be col­lect­ed also from an IT per­spec­tive.

4. Collecting information on wallet addresses and the wallet types is very important

In the case of a VFA ser­vice provider who receives VFAs or is to send VFAs, it is nec­es­sary to col­lect and retain on file the wal­let address from which the VFAs are to be received or to which the VFAs are to be sent. This is vital as it will show from where the VFAs are com­ing from and where they are being sent. Togeth­er with the address, the VFA ser­vice provider is also to ask the cus­tomer whether the address relates to a pri­vate wal­let, a mul­ti-sig­na­ture wal­let or a cus­to­di­al wal­let.

In the case of a pri­vate wal­let, it is impor­tant that the VFA ser­vice provider estab­lish­es that the cus­tomer has con­trol over the address that the VFAs orig­i­nate from, espe­cial­ly in sit­u­a­tions that involve sig­nif­i­cant amounts of VFAs, where there are doubts as to the actu­al loca­tion of the cus­tomer due to dif­fer­ing IP addresses/device geo loca­tions, and where there are con­nec­tions to high risk juris­dic­tions known for gen­er­at­ing high amounts of crime, cor­rup­tion or cyber­crime activ­i­ty.

In the case of mul­ti-sig wal­lets, in sit­u­a­tions where the dif­fer­ent keys are held by dif­fer­ent indi­vid­u­als, then such indi­vid­u­als are also con­sid­ered to be cus­tomers and must be duly iden­ti­fied and ver­i­fied as such (so they would need to be on-board­ed as well).

In the case of cus­to­di­al wal­lets, con­sid­er­a­tion must be made of whether such cus­to­di­an is reg­u­lat­ed or not. If not reg­u­lat­ed, this would lead to an increase in the ML/FT risk and must be reflect­ed accord­ing­ly in the CRA.

5. Assessment of VFA transactions needs to be done using specialized tools

When­ev­er VFA pay­ments are made, the VFA Ser­vice Provider needs to (i) check the wal­let address­es asso­ci­at­ed with the pay­ment (both incom­ing address and out­go­ing address) for any adverse media in the pub­lic domain and (ii) use, where avail­able, DLT ana­lyt­i­cal tools to detect poten­tial­ly fraud­u­lent or sus­pi­cious activ­i­ty.

Ana­lyz­ing wal­let address­es will put VFA Ser­vice Providers in a bet­ter posi­tion to detect activ­i­ty that could poten­tial­ly lead to a fil­ing of a Sus­pi­cious Trans­ac­tion Report with the FIAU.

An issue that may arise with respect to DLT ana­lyt­i­cal tools is that they do not cater for all avail­able cryp­to cur­ren­cies. In this case, the absence of such a tool should be fac­tored into a VFA Ser­vice Provider’s Cus­tomer Risk Assess­ment by spec­i­fy­ing mea­sures that can mit­i­gate any cor­re­spond­ing ML/FT risks.

6. Emphasis on Enhanced Transaction Monitoring 

As every sub­ject per­son is aware of, the process of on-going mon­i­tor­ing involves the updat­ing of doc­u­ments and infor­ma­tion that is kept on file, plus trans­ac­tion mon­i­tor­ing. For VFA Ser­vice Providers, the scru­ti­niza­tion of trans­ac­tions needs to take on a more enhanced approach, and we’re not just talk­ing about the flag­ging of unusu­al­ly large or unusu­al pat­terns of trans­ac­tions here.

VFA Ser­vice Providers need to ensure that their trans­ac­tion mon­i­tor­ing sys­tem has the fol­low­ing capa­bil­i­ties:

  • Detec­tion of mix­ers and tum­blers;
  • Detec­tion of use of mul­ti­ple wal­lets or fre­quent change in wal­lets;
  • Detec­tion of trans­ac­tion his­to­ry which will help to cre­ate a trans­ac­tion pro­file, which will be used to iden­ti­fy trans­ac­tions that do not match with the customer’s trans­ac­tion pro­file;
  • Capa­ble of link­ing accounts con­trolled by the same cus­tomer;
  • Capa­ble of assign­ing alerts to cus­tomers iden­ti­fied as high risk or those con­duct­ing sus­pi­cious trans­ac­tions;
  • Iden­ti­fy rapid exchange of cur­ren­cies;
  • Iden­ti­fy rapid move­ments of funds;
  • Iden­ti­fy the use of high-risk coun­ter­par­ties and trans­ac­tions that use the dark­net.

Such Trans­ac­tion Mon­i­tor­ing Pro­grams need to be reviewed dur­ing the annu­al AML/CFT con­trol review, which should be under­tak­en by an inde­pen­dent par­ty, with such test­ing includ­ing back-test­ing, post imple­men­ta­tion test­ing and data integri­ty checks.

7. Did someone mention an AML/CFT Control Review?

Why of course! This is a new require­ment that VFA Ser­vice Providers have to adhere to. The AML/CFT Con­trol Review must be car­ried out by an inde­pen­dent par­ty on the mea­sures, poli­cies, con­trols and pro­ce­dures that VFA Ser­vice Providers have in place with respect to AML/CFT. This con­trol review should result in a report detail­ing the fol­low­ing:

  • whether the VFA Ser­vice Provider’s AML/CFT sys­tems are fit for pur­pose and com­pli­ant with the oblig­a­tions of the VFA Ser­vice Provider under the PMLA, the PMLFTR, and the FIAU’s Imple­ment­ing Pro­ce­dures;
  • whether the AML/CFT sys­tems and con­trols were ade­quate and effec­tive through­out the review peri­od; and
  • whether any changes/enhancements are need­ed.

7 Things you need to know about the implementing procedures to the virtual financial assets sector

In Con­clu­sion

It is evi­dent through the leg­is­la­tion and enforce­ment of such leg­is­la­tion that local author­i­ties are leav­ing no stone unturned in fight­ing mon­ey laun­der­ing via cryp­to cur­ren­cies. Despite their best efforts, the local author­i­ties can­not fight this bat­tle by them­selves, and this is why VFA Ser­vice Providers need to take a stand against mon­ey laun­der­ing, and seri­ous­ly imple­ment sys­tems and con­trols in place that will enable them to ful­fil their AML/CFT oblig­a­tions.

It is impor­tant to note that this arti­cle can­not be con­strued as being a sub­sti­tute for read­ing the full Imple­ment­ing Pro­ce­dures (Part II) in rela­tion to the VFA Sec­tor, and read­ers are high­ly rec­om­mend­ed to refer to all the rel­e­vant legal text in rela­tion to local and EU wide AML/CFT oblig­a­tions.

Dis­claimer: The above-men­tioned arti­cle is sim­ply based on inde­pen­dent research car­ried out by Dr. Wern­er and Part­ner and can­not con­sti­tute any form of legal advice. If you would like to meet with up with any of our rep­re­sen­ta­tives to seek fur­ther infor­ma­tion, please con­tact us for an appoint­ment.


About Malcom Wallbank

Mr. Mal­colm Wall­bank, born on 12.04.1991, read for a Bach­e­lor of Com­merce (Hon­ours) degree at the Uni­ver­si­ty of Mal­ta, spe­cial­is­ing in Bank­ing and Finance and Man­age­ment, and grad­u­at­ed with Sec­ond Class Upper Degree in 2013. In the fol­low­ing year, he grad­u­at­ed with Dis­tinc­tion in M.Sc. Finance from the Uni­ver­si­ty of Strath­clyde, Scot­land.

View All Posts

Leave a Reply

Your email address will not be published.