7 Things you need to know about the AML/CFT Implementing Procedures to the Virtual Financial Assets Sector

It is the moment all MLROs and Compliance Officers within the local Virtual Financial Asset sphere have been waiting for – the publication of the legally binding Implementing Procedures (IPs) (Part II) in relation to the VFA sector!

Issued on the 3rd of February by the Financial Intelligence Analysis Unit, these Implementing Procedures set out how VFA Agents, VFA Service Providers and anyone conducting VFA offerings to the public are to comply with the AML/CFT obligations arising from the Prevention of Money Laundering and Funding of Terrorism Regulations.

Here are seven things you need to know about the Implementing Procedures in terms of the AML/CFT obligations to the Virtual Financial Assets Sector:

1. It is not a stand-alone document

Reading, understanding and following Part II of the Implementing Procedures with regards to the VFA Sector is a good start towards fulfilling your AML/CFT obligations under local law. However, if you really want to become proficient in this area, then Part II of the Implementing Procedures will need to be read in conjunction with Part I of the FIAU’s Implementing Procedures, as well as the relevant sections of the Prevention of Money Laundering Act (PMLA) and the Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR).

In cases where there is a conflict between Part I and Part II of the IPs, it is the VFA-specific IPs (Part II) that shall prevail.

2. A different side to Jurisdictional Risk…

Subject persons should know that conducting jurisdictional risk assessments means considering a number of factors relating to that particular country, such as the money laundering threat, the perceived threat of terrorists and terrorist groups associated with that region, the level of corruption, and tax haven status.

Part II of the Implementing Procedures states that jurisdictional risk should also take into account the level of cybercrime associated with a particular jurisdiction. Therefore, if a client who holds VFAs resides in a jurisdiction, or is receiving or sending VFAs from/to a jurisdiction, that is associated with a high level of cybercrime, then the Customer Risk Assessment (CRA) must be amended to reflect this.

3. …and also to Interface Risk

Part I of the IPs divides interface risk into the following categories: (i) face to face; (ii) non-face to face (using technological systems with embedded safeguards); (iii) non-face to face using means with no embedded technological safeguards; and (iv) non-face to face through intermediaries.

The IPs in relation to the VFA sector dictate that, when analyzing interface risk, the use of proxies, unverifiable IP addresses and geographical locations, disposable email addresses or mobile numbers, as well as the use of different devices with the intention of obscuring geographical location, must be factored into the Customer Risk Assessment. Therefore, it is very important that the service provider’s systems are actually capable of collecting this information at onboarding and during the relationship, and not only that the compliance function asks for it.
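To show what “collecting this information from an IT perspective” looks like in practice, here is an added example (it is not part of the Implementing Procedures or of the original article) that turns the interface-risk signals listed above into checks over a customer’s onboarding data and login sessions. The IP-to-country table, the proxy egress range, the disposable-domain list, the customer records and the scoring weights are all constructed for the example; in production the first three would come from an IP-intelligence feed and a maintained disposable-domain list, and the weights would be set by the firm’s own risk methodology.

```python
from dataclasses import dataclass

# Constructed reference data for the example (NOT a real feed or real customers).
DISPOSABLE_EMAIL_DOMAINS = {"mailinator.example", "tempmail.example"}
KNOWN_PROXY_PREFIXES = {"203.0.113."}      # TEST-NET-3, standing in for a VPN/proxy egress range
IP_GEO = {"203.0.113.10": "NL", "198.51.100.5": "MT", "192.0.2.77": "BR"}  # hypothetical lookup

# Illustrative weights: how much each signal contributes to the interface-risk score.
WEIGHTS = {
    "disposable_email": 1,
    "proxy_or_vpn": 2,
    "unverifiable_ip_location": 2,
    "geo_mismatch_with_declared_country": 2,
    "multiple_devices_differing_locations": 2,
}


@dataclass
class Session:
    ip: str
    device_id: str


@dataclass
class Customer:
    customer_id: str
    declared_country: str   # country stated by the customer at onboarding
    email: str
    sessions: list          # list[Session] seen during onboarding/use


def is_proxy(ip: str) -> bool:
    return any(ip.startswith(p) for p in KNOWN_PROXY_PREFIXES)


def interface_risk_findings(c: Customer) -> list:
    """Return the interface-risk signals observed for one customer, in a fixed order."""
    findings = []
    domain = c.email.rsplit("@", 1)[-1].lower()
    if domain in DISPOSABLE_EMAIL_DOMAINS:
        findings.append("disposable_email")
    if any(is_proxy(s.ip) for s in c.sessions):
        findings.append("proxy_or_vpn")
    per_session = [IP_GEO.get(s.ip) for s in c.sessions]   # None = could not be resolved
    if None in per_session:
        findings.append("unverifiable_ip_location")
    resolved = {country for country in per_session if country is not None}
    if resolved and c.declared_country not in resolved:
        findings.append("geo_mismatch_with_declared_country")
    # Several devices whose sessions resolve to different countries suggests
    # deliberate obscuring of location rather than ordinary travel.
    devices = {s.device_id for s in c.sessions}
    if len(devices) > 1 and len(resolved) > 1:
        findings.append("multiple_devices_differing_locations")
    return findings


def interface_risk_level(findings: list) -> str:
    """Map findings to a CRA rating; the thresholds are illustrative only."""
    score = sum(WEIGHTS[f] for f in findings)
    if score >= 4:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


# Constructed sample customers.
SAMPLE_CUSTOMERS = [
    Customer("cust-1", "MT", "alice@bank.example", [Session("198.51.100.5", "dev-a")]),
    Customer("cust-2", "MT", "x9@tempmail.example",
             [Session("203.0.113.10", "dev-a"), Session("192.0.2.77", "dev-b")]),
    Customer("cust-3", "BR", "bob@mail.example",
             [Session("192.0.2.77", "dev-c"), Session("10.0.0.9", "dev-c")]),
]

if __name__ == "__main__":
    for cust in SAMPLE_CUSTOMERS:
        f = interface_risk_findings(cust)
        print(cust.customer_id, interface_risk_level(f), f)
```

The point of splitting `interface_risk_findings` from `interface_risk_level` is that the findings are what must be retained on file and shown to the FIAU or the independent reviewer; the rating is the firm’s own judgement on top of them, and can be re-tuned without losing the evidence.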

4. Collecting information on wallet addresses and the wallet types is very important

In the case of a VFA service provider who receives VFAs or is to send VFAs, it is necessary to collect and retain on file the wallet address from which the VFAs are to be received or to which the VFAs are to be sent. This is vital as it records where the VFAs are coming from and where they are being sent. Together with the address, the VFA service provider is also to ask the customer whether the address relates to a private wallet, a multi-signature wallet or a custodial wallet.

In the case of a private wallet, it is important that the VFA service provider establishes that the customer has control over the address that the VFAs originate from, especially in situations that involve significant amounts of VFAs, where there are doubts as to the actual location of the customer due to differing IP addresses/device geo locations, and where there are connections to high risk jurisdictions known for generating high amounts of crime, corruption or cybercrime activity.

In the case of multi-sig wallets, in situations where the different keys are held by different individuals, then such individuals are also considered to be customers and must be duly identified and verified as such (so they would need to be on-boarded as well).

In the case of custodial wallets, consideration must be given to whether the custodian is regulated or not. If it is not regulated, this increases the ML/FT risk and must be reflected accordingly in the CRA.

5. Assessment of VFA transactions needs to be done using specialized tools

Whenever VFA payments are made, the VFA Service Provider needs to (i) check the wallet addresses associated with the payment (both incoming address and outgoing address) for any adverse media in the public domain and (ii) use, where available, DLT analytical tools to detect potentially fraudulent or suspicious activity.

Analyzing wallet addresses will put VFA Service Providers in a better position to detect activity that could potentially lead to a filing of a Suspicious Transaction Report with the FIAU.

An issue that may arise with respect to DLT analytical tools is that they do not cover all available cryptocurrencies. In this case, the absence of such a tool for a given asset should be factored into the VFA Service Provider’s Customer Risk Assessment, specifying the measures that mitigate the corresponding ML/FT risks.

6. Emphasis on Enhanced Transaction Monitoring 

As every subject person is aware, the process of on-going monitoring involves the updating of documents and information kept on file, plus transaction monitoring. For VFA Service Providers, the scrutiny of transactions needs to take a more enhanced approach, and we’re not just talking about the flagging of unusually large transactions or unusual patterns of transactions here.

VFA Service Providers need to ensure that their transaction monitoring system has the following capabilities:

  • Detection of mixers and tumblers;
  • Detection of use of multiple wallets or frequent change in wallets;
  • Building a transaction profile from the customer’s transaction history, against which transactions that do not match the customer’s profile can be identified;
  • Capable of linking accounts controlled by the same customer;
  • Capable of assigning alerts to customers identified as high risk or those conducting suspicious transactions;
  • Identify rapid exchange of currencies;
  • Identify rapid movements of funds;
  • Identify the use of high-risk counterparties and transactions that use the darknet.
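The list above is a capability specification rather than an implementation. As an added example (not code from the Implementing Procedures or from the original article), the following Python implements four of those capabilities as rules over a small constructed ledger, plus the linking of accounts that share a device: a high-risk counterparty check (the address labels stand in for what a DLT analytics tool would return, since mixers and darknet markets are recognised by labelled addresses, not by the transaction itself), rapid movement of funds, frequent change of wallets, and deviation from the customer’s own transaction profile. All addresses, account names, amounts, windows and thresholds are constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed label set: in production this comes from a DLT analytics provider.
LABELLED_ADDRESSES = {"addr_mixer_01": "mixer", "addr_darknet_07": "darknet_market"}


@dataclass
class Tx:
    account: str        # customer account at the VFA service provider
    direction: str      # "in" (VFAs received) or "out" (VFAs sent)
    counterparty: str   # external wallet address
    amount: float       # already converted to one reference currency (e.g. EUR)
    ts: datetime


def _by_account(txs):
    groups = defaultdict(list)
    for t in txs:
        groups[t.account].append(t)
    for items in groups.values():
        items.sort(key=lambda t: t.ts)
    return groups


def rule_high_risk_counterparty(txs):
    """Transactions to/from addresses labelled as mixers, tumblers or darknet markets."""
    return [(t.account, "high_risk_counterparty:" + LABELLED_ADDRESSES[t.counterparty], t.ts)
            for t in txs if t.counterparty in LABELLED_ADDRESSES]


def rule_rapid_movement(txs, window=timedelta(hours=2), ratio=0.9):
    """Inbound funds that leave the account again within `window` (pass-through behaviour)."""
    alerts = []
    for account, items in _by_account(txs).items():
        for i, t_in in enumerate(items):
            if t_in.direction != "in":
                continue
            out_sum = sum(t.amount for t in items[i + 1:]
                          if t.direction == "out" and t.ts - t_in.ts <= window)
            if out_sum >= ratio * t_in.amount:
                alerts.append((account, "rapid_movement", t_in.ts))
    return alerts


def rule_wallet_churn(txs, window=timedelta(days=7), max_distinct=3):
    """More than `max_distinct` different counterparty wallets used within `window`."""
    alerts = []
    for account, items in _by_account(txs).items():
        for i, t in enumerate(items):
            seen = {u.counterparty for u in items[i:] if u.ts - t.ts <= window}
            if len(seen) > max_distinct:
                alerts.append((account, "wallet_churn", t.ts))
                break   # one alert per account is enough to raise it
    return alerts


def rule_profile_deviation(txs, history, sigma=3.0, min_history=5):
    """Amounts far outside the customer's own historical transaction profile."""
    alerts = []
    for t in txs:
        hist = history.get(t.account, [])
        if len(hist) < min_history:
            continue   # no usable profile yet; a new customer is handled by CDD, not this rule
        if t.amount > mean(hist) + sigma * pstdev(hist):
            alerts.append((t.account, "profile_deviation", t.ts))
    return alerts


def link_accounts(account_devices):
    """Group accounts sharing a device fingerprint, i.e. likely controlled by one customer."""
    by_device = defaultdict(set)
    for account, devices in account_devices.items():
        for d in devices:
            by_device[d].add(account)
    return sorted(sorted(accs) for accs in by_device.values() if len(accs) > 1)


def run_monitoring(txs, history, account_devices):
    alerts = (rule_high_risk_counterparty(txs) + rule_rapid_movement(txs)
              + rule_wallet_churn(txs) + rule_profile_deviation(txs, history))
    return sorted(set(alerts)), link_accounts(account_devices)


# Constructed sample ledger, history and device data (not real data).
T0 = datetime(2020, 3, 1, 9, 0)
SAMPLE_TXS = [
    Tx("acc-A", "in", "addr_ext_1", 5000.0, T0),
    Tx("acc-A", "out", "addr_ext_2", 4800.0, T0 + timedelta(minutes=40)),  # pass-through
    Tx("acc-B", "in", "addr_mixer_01", 300.0, T0 + timedelta(days=1)),     # mixer
    Tx("acc-C", "out", "addr_ext_3", 100.0, T0),
    Tx("acc-C", "out", "addr_ext_4", 100.0, T0 + timedelta(days=1)),
    Tx("acc-C", "out", "addr_ext_5", 100.0, T0 + timedelta(days=2)),
    Tx("acc-C", "out", "addr_ext_6", 100.0, T0 + timedelta(days=3)),       # 4 wallets in 3 days
    Tx("acc-D", "out", "addr_ext_7", 130.0, T0),                            # within profile
]
SAMPLE_HISTORY = {"acc-A": [100.0, 120.0, 90.0, 110.0, 80.0],
                  "acc-D": [100.0, 120.0, 90.0, 110.0, 80.0]}
SAMPLE_DEVICES = {"acc-A": {"dev-1"}, "acc-B": {"dev-2"}, "acc-C": {"dev-1", "dev-3"}, "acc-D": {"dev-4"}}

if __name__ == "__main__":
    alerts, groups = run_monitoring(SAMPLE_TXS, SAMPLE_HISTORY, SAMPLE_DEVICES)
    for a in alerts:
        print(a)
    print("linked accounts:", groups)
```

Each rule returns (account, reason, timestamp) tuples rather than a bare boolean, because the back-testing and data-integrity checks required at the annual control review need to re-run the same rules over historical data and compare the alerts actually raised with those that should have been raised.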

Such Transaction Monitoring Programs need to be reviewed during the annual AML/CFT control review, which should be undertaken by an independent party, with such testing including back-testing, post implementation testing and data integrity checks.

7. Did someone mention an AML/CFT Control Review?

Why of course! This is a new requirement that VFA Service Providers have to adhere to. The AML/CFT Control Review must be carried out by an independent party on the measures, policies, controls and procedures that VFA Service Providers have in place with respect to AML/CFT. This control review should result in a report detailing the following:

  • whether the VFA Service Provider’s AML/CFT systems are fit for purpose and compliant with the obligations of the VFA Service Provider under the PMLA, the PMLFTR, and the FIAU’s Implementing Procedures;
  • whether the AML/CFT systems and controls were adequate and effective throughout the review period; and
  • whether any changes/enhancements are needed.


In Conclusion

It is evident from the legislation and its enforcement that the local authorities are leaving no stone unturned in fighting money laundering via cryptocurrencies. Despite their best efforts, the local authorities cannot fight this battle by themselves, and this is why VFA Service Providers need to take a stand against money laundering and seriously implement the systems and controls that will enable them to fulfil their AML/CFT obligations.

It is important to note that this article cannot be construed as being a substitute for reading the full Implementing Procedures (Part II) in relation to the VFA Sector, and readers are highly recommended to refer to all the relevant legal text in relation to local and EU wide AML/CFT obligations.

Disclaimer: The above-mentioned article is simply based on independent research carried out by Dr. Werner and Partner and cannot constitute any form of legal advice. If you would like to meet with any of our representatives to seek further information, please contact us for an appointment.


Getting ready for an ICO in Malta

Having chosen Malta as the place to set up an ICO, given the regulatory, language and workforce-talent benefits associated with this jurisdiction, ICO businesses need to be aware that there are a number of considerations which must be taken into account before the actual offering of their crypto-asset to the public.

These mostly relate to the regulatory aspect of ICOs, where Malta has chosen to be at the forefront of this sphere, leading the way for other countries where ICOs are unregulated to follow suit.

Functionaries of an ICO

First and foremost, and as required by Maltese law, issuers of ICOs must appoint a VFA Agent to guide the ICO with respect to its responsibilities and obligations, to ensure compliance with the law, and to act as the intermediary between the ICO itself and the competent authority, which in this case is the Malta Financial Services Authority (MFSA).

The ICO needs the VFA Agent to facilitate the registration of the whitepaper, to advise the ICO on all matters relating to the process of admitting the crypto-asset to trading, and to assist with the on-going regulatory obligations that ICOs are required to meet during their operation.

If the ICO has an Innovative Technology Arrangement (ITA) in place (including any smart contracts), then the ICO needs to appoint a Systems Auditor that will review and audit the ITA as well as the ICO’s cyber security arrangements.

Before the ICO kicks off, the Systems Auditor needs to prepare a report covering the review of all aspects of the ITA, and must certify that the ITA contains no right to unilaterally mutate, amend or destroy the ITA or the smart contract involved without leaving a trace.

Once the ICO is in operation, the Systems Auditor would then need to draft, on an annual basis, a systems audit report on the compliance of the ITA with any qualitative standards set and guidelines issued by the Malta Digital Innovation Authority (MDIA), applicable of course to the type of ITA in question.

The ICO would need to appoint a Custodian, who ideally should be an independent third party, in order to safekeep the ICO’s assets as well as investors’ funds. If the funds in question are cryptocurrencies, then such a custodian must be licenced under the VFA Act and Regulations to conduct such a service.

Alternatively, should the funds in question be fiat, then a central bank, a licenced banking institution in the EU or a third country, a money market fund, a licenced e-money institution or a licenced payment institution can act as a custodian.

The role of the custodian could also be performed through the use of an ITA (smart contract) which has to be certified by a Systems Auditor.

An Auditor will also need to be appointed by the ICO and shall, for each annual accounting period, prepare a management letter in accordance with International Standards on Auditing.

Finally, the ICO shall appoint and have at all times in place a Money Laundering Reporting Officer (MLRO). This role cannot be taken lightly: the individual taking on such a role needs to be of good repute, competent and financially sound, must complete a course approved by the MFSA, and must subsequently sit a mandatory interview with the MFSA in order to be deemed fit for this role.

Board of Administration

The ICO will need to have a Board of Administration (BOA) which will need to be made up of two or more individuals respecting the dual control principle. Such persons will need to prove to the MFSA that they have the required knowledge and understanding of the ICO’s business to enable them to direct the business of the ICO. The BOA will also be obliged to ensure that the ICO complies with the Rules, Regulations and Guidelines applicable to them and will be required to conduct a fitness and properness test that will need to prove their competence, solvency and integrity to the MFSA.


As is the case with non-regulated ICOs, ICOs that are regulated in Malta need to draw up a whitepaper. This whitepaper is to be sent to the MFSA ten working days before its circulation to the public and must be signed off by the members of the BOA representing the ICO as well as by the VFA Agent. Such a whitepaper needs to:

  • Be dated;
  • Contain all the information as specified in the First Schedule of the Virtual Financial Assets Act (VFA Act) and;
  • Include a statement by the Board of the ICO in question confirming that the whitepaper complies with the requirements of Article 3 and Article 4 of the VFA Act.

If the ICO deploys a smart contract, the elements of the whitepaper shall be coded within the respective smart contract, with this being applicable to features such as transfer limitations, soft cap and hard cap, refund mechanisms, dispute resolutions, burning protocols, etc.

Compliance Certificate & AML/CFT Report

The ICO must draw up, on an annual basis, a Compliance Certificate, reviewed by its VFA Agent, which will need to be submitted to the MFSA. Therefore, in order to comply with such a requirement, ICOs need to be sure that they:

  • Satisfy all local AML/CFT requirements and that they have adequate systems in place to identify suspicious transactions and draw up suspicious transaction reports;
  • Obtain confirmation from their Systems Auditor that their ITA complies with the qualitative standards and guidelines issued by the MDIA;
  • Ensure that they pass a fitness and properness assessment as confirmed by their VFA Agent;
  • Obtain a statement from the ICO’s Board of Administration as to whether the ICO has been or is in breach of any clauses of the VFA Act, Regulations or Rules.

The ICO must also engage an independent auditor to draw up an AML/CFT Report on an annual basis. In order to fulfill such a requirement, the ICO needs to ensure that:

  • The AML/CFT/KYC systems the ICO purports to have in place are actually in place;
  • The Independent Auditor has reviewed the operations of the ICO from an AML/CFT perspective.

Policies and Procedures

In order to be compliant with the respective Regulations and Rules that govern ICOs in Malta, ICOs need to draw up a number of policies and procedures that will enable them to formalize many of the aspects that need to be considered when operating within a regulatory environment that caters for investors’ needs. Without getting into the detail of what should be contained within such policies and procedures (but please contact us should you wish to), ICOs need to draw up policies in relation to a number of factors, including but not limited to Record Keeping, Public Disclosures, Code of Dealing, Asset Control, Cyber Security, and IT Infrastructure.

Do not hesitate to get in touch with us today for a consultation if you are interested in setting up an ICO in Malta and wish to discuss the way forward towards achieving this goal.


4 Different Crypto Licenses in Malta explained

A lot of hype is being generated (and rightly so!) about how Malta is going to regulate and licence virtual financial assets (VFAs) when other countries are treating VFAs as hot potatoes. But what exactly IS regulated and licenced? Is it the VFA itself? Is it the company issuing the VFA? What about services relating to VFAs? So many questions, but really and truly the answers are quite simple.

The short answer is that VFA offerings and their respective whitepapers will be regulated by the Malta Financial Services Authority (MFSA), and services related to VFAs will be regulated and licenced by the MFSA. So, whilst VFA offerings themselves do not need a licence (but their whitepaper needs to be submitted to the MFSA BEFORE the issuance actually happens), services relating to VFAs do need a licence.

Licenced VFA Activities

Whilst there are FOUR kinds of VFA Licences, such licences cover EIGHT VFA Services – which are the following:

  1. Reception and Transmission of Orders;
  2. Execution of orders on behalf of other persons;
  3. Dealing on own account;
  4. Portfolio Management;
  5. Custodian/Nominee Services;
  6. Investment Advice;
  7. Placing of Virtual Financial Assets;
  8. Operation of a VFA Exchange.

If these services sound familiar, then you probably came across them in some form of national transposition of MiFID II, which is a good thing, as then you probably know what these services entail – of course, with some (or a lot actually!) VFA sprinkled on top!

VFA Licence Classes explained

Between them, the four VFA licence classes cover the eight VFA Services listed above. The first class of licence is the Class 1 Licence (duh!). Class 1 Licence holders will be licenced to conduct the service of reception and transmission of orders (Service Number 1 above), provision of investment advice (Service Number 6) and the placing of Virtual Financial Assets (Service Number 7). Holders of this licence will need to hold an initial capital requirement of €50,000 OR €25,000 together with Professional Indemnity Insurance. Given that such services will be licenced and regulated by the MFSA, licence holders will need to pay a yearly supervisory fee. This supervisory fee for Class 1 Licence Holders will be €5,500 for revenue up to €50,000 plus €700 per €50,000 revenue tranche thereafter.

Class 2 Licence holders are able to provide ANY of the eight above-mentioned VFA Services EXCEPT Operating an Exchange and Dealing on own account. Therefore, under the Class 2 Licence, VFA Services 1, 2, 4, 5, 6 AND 7 mentioned above can be conducted. Of course, given that this class of licence offers holders the possibility of providing more services, the initial capital requirement is higher than the Class 1 Licence. In this case, the initial capital requirement of a Class 2 Licence will be €125,000, and the applicable supervisory fee will be €9,000 for revenue up to €250,000 plus €800 per €250,000 revenue tranche thereafter.

Should one wish to offer ANY VFA Service EXCEPT operating a VFA Exchange, then one would need to apply for a Class 3 Licence, which would oblige holders to hold an initial capital requirement of €730,000. Of course, the mandatory supervisory fee in this case would be €12,000 for revenue up to €250,000 plus €800 for every revenue tranche of €250,000 thereafter.

Last and most definitely not least comes the Class 4 Licence, which, lo and behold, allows providers to offer ANY of the VFA Services listed above! Before rushing to apply for this licence, one must keep in mind that an initial capital requirement of €730,000 applies, and the supervisory fee is €50,000 for revenue up to €1,000,000 plus €5,000 per revenue tranche of €1,000,000 thereafter.


It’s all very simple, right? One word of advice: do not let the supervisory fees scare you off! Just think what regulatory endorsement and approval does for one’s reputation! One can see it as a certification of quality that can be used to put clients’ minds at rest and entice them to use the services of your first-class regulated firm instead of those services offered by the pesky, dodgy, unregulated competition.