It is the moment all MLROs and Compliance Officers within the local Virtual Financial Asset sphere have been waiting for – the publication of the legally binding Implementing Procedures (IPs) (Part II) in relation to the VFA sector!
Issued on the 3rd of February by the Financial Intelligence Analysis Unit, these Implementing Procedures set out how VFA Agents, VFA Service Providers and anyone conducting VFA offerings to the public are to comply with the AML/CFT obligations arising from the Prevention of Money Laundering and Funding of Terrorism Regulations.
Here are seven things you need to know about the Implementing Procedures in terms of the AML/CFT obligations to the Virtual Financial Assets Sector:
1. It is not a stand-alone document
Reading, understanding and following Part II of the Implementing Procedures with regards to the VFA Sector is a good start towards fulfilling your AML/CFT obligations towards local law. However, if you really want become proficient in this area, then Part II of the Implementing Procedures will need to be read in conjunction with Part I of the FIAU’s Implementing Procedures, as well as the relevant sections of the Prevention of Money Laundering Act, and the Prevention of Money Laundering and Funding of Terrorism Regulations.
In cases where there are conflicts between Part I and Part II of the IPs, then it is the VFA specific IPs that shall prevail.
2. A different side to Jurisdictional Risk…
Subject persons should know that conducting jurisdictional risk assessments means considering a number of factors relating to that particular country, such as the money laundering threat, the perceived threat of terrorists and terrorist groups associated with that region, the level of corruption, and tax haven status.
Part II of the Implementing Procedures states that jurisdictional risk should also take into account the amount of cybercrime that is associated with a particular jurisdiction. Therefore, if a client who holds VFAs resides in a jurisdiction or is receiving or sending VFAs from/to a jurisdiction that is associated with a high level of cybercrime, then the Customer Risk Assessment must be amended to reflect this.
3. …and also to Interface Risk
Part I of the IPs divides interface risk into the following categories: (i) face to face; (ii) non-face to face (using technological systems with embedded safeguards); (iii) non-face to face using means with no embedded technological safeguards; and (iv) non-face to face through intermediaries.
The IPs in relation to the VFA sector dictate that when analyzing interface risk, the use of proxies, unverifiable IP addresses and geographical location, disposable email addresses or mobile numbers, as well as the use of different devices with the intention of obscuring geographical location must be factored into the Customer Risk Assessment. Therefore, it is very important that this information can be collected also from an IT perspective.
4. Collecting information on wallet addresses and the wallet types is very important
In the case of a VFA service provider who receives VFAs or is to send VFAs, it is necessary to collect and retain on file the wallet address from which the VFAs are to be received or to which the VFAs are to be sent. This is vital as it will show from where the VFAs are coming from and where they are being sent. Together with the address, the VFA service provider is also to ask the customer whether the address relates to a private wallet, a multi-signature wallet or a custodial wallet.
In the case of a private wallet, it is important that the VFA service provider establishes that the customer has control over the address that the VFAs originate from, especially in situations that involve significant amounts of VFAs, where there are doubts as to the actual location of the customer due to differing IP addresses/device geo locations, and where there are connections to high risk jurisdictions known for generating high amounts of crime, corruption or cybercrime activity.
In the case of multi-sig wallets, in situations where the different keys are held by different individuals, then such individuals are also considered to be customers and must be duly identified and verified as such (so they would need to be on-boarded as well).
In the case of custodial wallets, consideration must be made of whether such custodian is regulated or not. If not regulated, this would lead to an increase in the ML/FT risk and must be reflected accordingly in the CRA.
5. Assessment of VFA transactions needs to be done using specialized tools
Whenever VFA payments are made, the VFA Service Provider needs to (i) check the wallet addresses associated with the payment (both incoming address and outgoing address) for any adverse media in the public domain and (ii) use, where available, DLT analytical tools to detect potentially fraudulent or suspicious activity.
Analyzing wallet addresses will put VFA Service Providers in a better position to detect activity that could potentially lead to a filing of a Suspicious Transaction Report with the FIAU.
An issue that may arise with respect to DLT analytical tools is that they do not cater for all available crypto currencies. In this case, the absence of such a tool should be factored into a VFA Service Provider’s Customer Risk Assessment by specifying measures that can mitigate any corresponding ML/FT risks.
6. Emphasis on Enhanced Transaction Monitoring
As every subject person is aware of, the process of on-going monitoring involves the updating of documents and information that is kept on file, plus transaction monitoring. For VFA Service Providers, the scrutinization of transactions needs to take on a more enhanced approach, and we’re not just talking about the flagging of unusually large or unusual patterns of transactions here.
VFA Service Providers need to ensure that their transaction monitoring system has the following capabilities:
- Detection of mixers and tumblers;
- Detection of use of multiple wallets or frequent change in wallets;
- Detection of transaction history which will help to create a transaction profile, which will be used to identify transactions that do not match with the customer’s transaction profile;
- Capable of linking accounts controlled by the same customer;
- Capable of assigning alerts to customers identified as high risk or those conducting suspicious transactions;
- Identify rapid exchange of currencies;
- Identify rapid movements of funds;
- Identify the use of high-risk counterparties and transactions that use the darknet.
Such Transaction Monitoring Programs need to be reviewed during the annual AML/CFT control review, which should be undertaken by an independent party, with such testing including back-testing, post implementation testing and data integrity checks.
7. Did someone mention an AML/CFT Control Review?
Why of course! This is a new requirement that VFA Service Providers have to adhere to. The AML/CFT Control Review must be carried out by an independent party on the measures, policies, controls and procedures that VFA Service Providers have in place with respect to AML/CFT. This control review should result in a report detailing the following:
- whether the VFA Service Provider’s AML/CFT systems are fit for purpose and compliant with the obligations of the VFA Service Provider under the PMLA, the PMLFTR, and the FIAU’s Implementing Procedures;
- whether the AML/CFT systems and controls were adequate and effective throughout the review period; and
- whether any changes/enhancements are needed.
It is evident through the legislation and enforcement of such legislation that local authorities are leaving no stone unturned in fighting money laundering via crypto currencies. Despite their best efforts, the local authorities cannot fight this battle by themselves, and this is why VFA Service Providers need to take a stand against money laundering, and seriously implement systems and controls in place that will enable them to fulfil their AML/CFT obligations.
It is important to note that this article cannot be construed as being a substitute for reading the full Implementing Procedures (Part II) in relation to the VFA Sector, and readers are highly recommended to refer to all the relevant legal text in relation to local and EU wide AML/CFT obligations.
Disclaimer: The above-mentioned article is simply based on independent research carried out by Dr. Werner and Partner and cannot constitute any form of legal advice. If you would like to meet with up with any of our representatives to seek further information, please contact us for an appointment.