Risk-based approach to Supervision or Monitoring of VASPs (Virtual Asset Service Provider)

Risk-based approach and what it entails

When tack­ling AML/CFT (Anti-Mon­ey Laundering/Countering the Financ­ing of Ter­ror­ism), the risk-based approach aims to build those mea­sures to pre­vent or mit­i­gate that are equal to the ML/TF (Mon­ey Laundering/Terrorist Financ­ing) risks iden­ti­fied by the rel­e­vant coun­tries and oblig­ed enti­ties. When it comes to super­vi­sion, this approach applies to how the resources are allo­cat­ed by the super­vi­so­ry author­i­ties.

A country’s pol­i­cy, legal and reg­u­la­to­ry approach should result in an effec­tive risk-based regime that is adopt­ed by a coun­try. Also, the finan­cial sec­tor pol­i­cy objec­tives should be reflect­ed in the nation­al pol­i­cy, legal and reg­u­la­to­ry frame­work.

When tack­ling mon­ey laun­der­ing and ter­ror­ist financ­ing, a coun­try should strive to reach high lev­els of finan­cial inclu­sion, sta­bil­i­ty, integri­ty and con­sumer pro­tec­tion whilst also fac­tor­ing in mar­ket com­pe­ti­tion.

VASPs (Vir­tu­al Asset Ser­vice Providers) come into play at this point. The FATF (Finan­cial Action Task Force) not only rec­om­mends but requires the reg­u­la­tion of VASPs for anti-mon­ey laun­der­ing and in the fight against the financ­ing of ter­ror­ism, both those licenced as well as those reg­is­tered, and sub­ject to valid sys­tems for their mon­i­tor­ing or super­vi­sion.

The role and importance of supervisors (for VSAP’s)

Super­vi­sors also need to devel­op a bet­ter and deep­er under­stand­ing of the VASP mar­ket, its for­mat and the part it plays not only in the finan­cial sys­tem but also in the country’s econ­o­my, so as to be able to per­form more accu­rate assess­ments of any poten­tial risk in the sec­tor. In their line of work, super­vi­sors should make use of an array of avail­able sources so that the ML/TF risks linked with VA (Vir­tu­al Asset) prod­ucts, ser­vices and activ­i­ties as well as those with VASPs are iden­ti­fied and assessed ade­quate­ly.

When such under­stand­ing is under­stood not to be com­plete, it may be deemed fit for the com­pe­tent author­i­ties to inter­vene and adopt a more tar­get­ed sec­toral risk assess­ment in rela­tion to the vir­tu­al assets sphere. This so that a bet­ter under­stand­ing can be devel­oped and utilised in the risk assess­ments.

Important factors to be kept in mind

When tak­ing into account any­thing relat­ed with VAs and VASPs, be it prod­ucts, ser­vices or activ­i­ties, the lev­el of risk needs to be fac­tored in. Busi­ness mod­els, cor­po­rate gov­er­nance arrange­ments, infor­ma­tion relat­ed to finances and account­ing, modes of deliv­ery, cus­tomer delin­eations, geo­graph­ic loca­tion, coun­tries where the oper­a­tions take place and the lev­el of adher­ence with AML/CFT mea­sures all come into play.

The con­trols in place, as well as the qual­i­ty of the risk man­age­ment pol­i­cy adopt­ed by a VASP and the prop­er func­tion­ing of its inter­nal over­sight, are all impor­tant aspects that the super­vi­sor needs to be aware of.

Obtaining the required information and periodic reviews

The rel­e­vant and required infor­ma­tion may be obtained via pru­den­tial super­vi­sors where VASPs or those involved with VA activ­i­ties are sub­ject to pru­den­tial reg­u­la­tions. Infor­ma­tion can also be extract­ed via the shar­ing of exam­i­na­tion find­ings and col­lab­o­ra­tions with banks, insur­ance com­pa­nies, secu­ri­ties providers and invest­ment com­pa­nies.

Reg­u­lar reviews of the assess­ments of risk pro­files of both the VASP sec­tor and VASPS by the super­vi­sors them­selves are impor­tant so that any pos­si­ble new threats may be detect­ed and dealt with.

The FATF lists 6 main ways in which infor­ma­tion may be shared when relat­ed to VA risks, be it both in the pub­lic and pri­vate realm:

  • ML/TF risk assess­ments;
  • Var­i­ous cat­e­gori­sa­tions and meth­ods which mon­ey laun­der­ers or ter­ror­ist financiers resort to when they exploit VASPs, spe­cif­ic VA mech­a­nisms or VAs in a broad man­ner;
  • Gen­er­al eval­u­a­tions about the qual­i­ty and util­i­ty of STRs (Sus­pi­cious Trans­ac­tion Reports) and oth­er per­ti­nent reports;
  • Infor­ma­tion on indi­ca­tors that may give rise to sus­pi­cion asso­ci­at­ed with VA activ­i­ties or VASP trans­ac­tions;
  • Tar­get­ed unclas­si­fied intel­li­gence, only when it is appro­pri­ate to be made use of; and
  • Any­one con­cerned, be it a coun­try, per­son or organ­i­sa­tion whose assets or trans­ac­tions should be frozen as per tar­get­ed finan­cial sanc­tions as found in the FATF rec­om­men­da­tions, more pre­cise­ly Rec­om­men­da­tion 6.

Approaches adopted by supervisors

The FATF pro­pos­es 3 main ways in which they can adjust their approach so as to achieve the most pos­si­ble when it comes to super­vi­sion and mon­i­tor­ing.

  • Adjust­ing the type of AML/CFT super­vi­sion or mon­i­tor­ing: super­vi­sors should employ a vari­ety of off­site and onsite access; there are times when off­site super­vi­sion and mon­i­tor­ing is not enough and would need to be beefed up with onsite access too. There are also instances where off­site super­vi­sion and mon­i­tor­ing suf­fices and resources should be engaged on high­er risk VASPs. Off­site super­vi­sion and mon­i­tor­ing may include analy­sis of infor­ma­tion, both obtained via research and pro­vid­ed by the VASP itself, con­trols and checks via rep­utable means and skype or sim­i­lar calls, amongst oth­ers;
  • Adjust­ing the fre­quen­cy and nature of ongo­ing AML/CFT super­vi­sion or mon­i­tor­ing: this can be mod­i­fied on an ongo­ing basis accord­ing to the risks that are iden­ti­fied and as issues arise. Oth­er vari­ables come into play too, such as geo­graph­ic loca­tion, the type of trans­ac­tion, be it vir­tu­al or fiat, the prod­ucts or ser­vices offered amongst oth­ers; and
  • Adjust­ing the inten­si­ty of AML/CFT super­vi­sion or mon­i­tor­ing: super­vi­sors should decide on the type and inten­si­ty of assess­ment in agree­ment with the risks that have been deter­mined. All this to ensure that VASPs poli­cies and pro­ce­dures do actu­al­ly pre­vent abuse by the VASPs them­selves.

Super­vi­sors should be flex­i­ble enough to adapt and update their ML/TF risk assess­ments and when appro­pri­ate, they should dis­close their rec­om­men­da­tions to the VASPs so that they, in turn, can improve the qual­i­ty of their risk-based approach­es.


All this is being done due to the changes adopt­ed by the FATF in Octo­ber 2018 to its Rec­om­men­da­tions and also the Inter­pre­tive Note in June 2019, to specif­i­cal­ly clar­i­fy regard­ing the appli­ca­tion of these rec­om­men­da­tions in regard to vir­tu­al assets and vir­tu­al assets providers and all that revolves around them.


The above-men­tioned arti­cle is sim­ply based on inde­pen­dent research car­ried out by Dr. Wern­er and Part­ner and can­not con­sti­tute any form of legal advice. If you would like to meet with up with any of our rep­re­sen­ta­tives to seek fur­ther infor­ma­tion, please con­tact us for an appoint­ment.

About Dr. Jörg Werner

Dr. jur. Jörg Wern­er, born 27 May 1971, attend­ed the law school of the Uni­ver­si­ty of Leipzig and passed his first state exam­i­na­tion in the State of Sax­ony in 1996. After suc­cess­ful­ly com­plet­ing his manda­to­ry legal intern­ship, he suc­cess­ful­ly passed the sec­ond state exam­i­na­tion of the State of Sax­ony-Anhalt in 1998 and was admit­ted to the bar and began to prac­tice as a Ger­man attor­ney (Recht­san­walt) before the court of Magde­burg the same year. He worked as an attor­ney at the Law Offices of Prof. Dr. Fre­und & Kol­le­gen until he formed the firm of Wrede & Wern­er. He was also admit­ted to prac­tice before the Supe­ri­or Court of Naum­burg. In 2001, he moved the firm’s offices to Cen­tral Berlin, where he was admit­ted to prac­tice before the Courts of Berlin. Dr. jur. Jörg Wern­er then com­plet­ed his doc­tor­al stud­ies at the Uni­ver­si­ty of Ham­burg and grad­u­at­ed as a Dok­tor der Rechtswis­senschaften (Doc­tor of Laws).

View All Posts

Leave a Reply

Your email address will not be published.