EU Compliance Guide
Digital currency compliance in the EU starts with Anti-Money Laundering (AML) compliance. Regulations are changing from this year, and exchanges and custodians will need to be compliant. Below we provide an overview of the changing regime.
1) Application of 4AMLD to virtual currency operators
Digital currency businesses are subject to the 4th Anti-Money Laundering Directive (4AMLD).
This new directive will be transposed by member states in June 2017.
In the summer of 2016 the Commission suggested adding virtual currency businesses to the scope of the directive.
Since then the Commission has presented an amendment to 4AMLD to include Custodians and Exchanges.
A Custodian provides a service to hold and allow the transfer of virtual currency. An Exchange offers the ability to exchange one virtual currency for another.
This means these businesses will be subject to registration/licensing obligations to operate their business in the European Union.
Currently, it is not clear whether virtual currency businesses will be required to register in each member state where they have customers. The European Banking Authority (EBA) currently considers it to be the case.
However, it is clear that the state-level registration requirement will consist of a ‘fit and proper’ test. In general terms, this will entail identifying whether the founder of a virtual currency business has any criminal convictions. The test may involve other requirements that are yet to be detailed.
Virtual currency businesses should therefore be prepared to manage the compliance of their operations.
The impact is likely to increase the overhead of virtual currency businesses significantly.
Coinbase operates an AML-compliant business and directs 20% of its salaried workforce towards compliance. It is not a bad rule of thumb to have 1/5th of your business dedicated towards compliance.
2) Transition process towards 4AMLD compliance
This article will help you understand the transition process.
June 2017 is not too far off and it will take time to develop the policies and processes for your business to prepare for the transition.
NB: The following guidelines are not intended as legal advice. They are to provide some key pointers as you direct resources towards becoming compliant.
There are a few procedures and policies needed for basic AML compliance:
- An anti-money laundering and terrorist financing policy. This policy should cover areas such as Customer Due Diligence (KYC), record keeping, training and ongoing customer monitoring.
- The appointment of an anti-money laundering reporting officer.
- A Risk management matrix – identification and mitigation of all AML risks facing the business.
- Corporate governance policy – how responsibilities are allocated and how the board evaluates its risks on an ongoing basis.
- Reporting lines within the business – how information is channelled throughout the business, both up and downstream.
- Training of staff so they are aware of AML procedures and requirements.
- Internal and external audit procedures to ensure that the measures in place are effective.
- Processes to handle suspicious activity reporting.
- AML procedures should work in line with all IT security procedures – these should be complementary.
- An internal vetting policy for staff and suppliers.
The first step in 4AMLD compliance is understanding how and when to identify new customers.
This is the most basic form of anti-money laundering compliance.
This process is referred to as Customer Due Diligence (CDD), more commonly known as ‘Know Your Client’ (KYC).
With 4AMLD there are a few standard CDD measures required.
They are as follows:
- Collecting documents, data or information obtained from a reliable and independent source.
- Identifying the beneficial owner (the person behind a transaction). Understanding the ownership and control structure of the customer.
- Identifying the purpose and intended nature of the business relationship.
- Ongoing monitoring of the business relationship. Ensure all transactions are consistent with the obliged entity’s knowledge of the customer.
When should you do the checks?
- The verification of the identity of the customer/beneficial owner should take place before the establishment of the business relationship.
- CDD measures should also be applied to existing customers on a risk-sensitive basis.
If you are unable to complete the CDD then you should not carry out the transaction. You should then consider reporting to the Financial Intelligence Unit (FIU).
But 4AMLD compliance is about understanding that compliance is not a ‘blunt instrument’.
It has to be flexible and adaptive to the risks posed by a particular situation.
This is called the Risk Based Approach (RBA).
The RBA is greatly encouraged in the 4AMLD.
It involves distinguishing between certain types of risks and assessing the extent and appropriateness of the measures to address such risks.
There are a number of factors that come into play.
These factors are listed in 4AMLD.
Some of the key factors are as follows:
- Product characteristics (for example, a standard pension versus a new technology)
- Customer profiles (public companies versus companies that have nominees)
- Country characteristics (member states of EU versus countries with non-effective AML systems – the EU Commission keeps a list of such countries)
- Relationship factors (purpose of account/level of assets/size of transaction/regularity, duration of relationship).
These factors can lead to a situation of low or high risk.
In “cases of higher risk” (article 18), enhanced due diligence (EDD) measures will be required.
EDD measures are also required in other specified scenarios, for example when dealing with a client that is politically exposed, correspondent banking relationships, life insurance or shell banks.
Some of those general enhanced measures include:
- Examining the “background and purpose of all complex and unusually large transactions”,
- Examining “all unusual patterns of transactions, which have no apparent economic or lawful purpose”,
- Increasing the “degree and nature of monitoring of the business relationship, in order to determine whether those transactions or activities appear suspicious”.
The Joint Money Laundering Steering Group (JMLSG) in the UK suggests looking at “source of wealth and source of funds” as an enhanced due diligence measure: requesting “information as to the customer’s residential status, employment and salary details, and other sources of income or wealth […] in order to decide whether to accept the application or continue with the relationship”. This source of wealth measure is usually applicable when dealing with politically exposed persons, but can be applied in a more general manner for EDD.
Further guidance on the appropriate enhanced measures to be used is to be provided by European Supervisory Authorities.
There are, however, other 4AMLD obligations beyond customer and enhanced due diligence measures.
When a suspicious activity in your business is identified, it should be handled appropriately. If you know or suspect, or have reasonable grounds to suspect, that funds – regardless of the amount – are the proceeds of criminal activity or terrorist financing, a report should be filed with the FIU. All suspicious transactions should be reported.
In addition there is record-keeping. Records should be retained for five years after the end of the business relationship. Records should be organised and the business responsive: the 4AMLD wants to ensure that a regulated company is in a position to respond to a request for information (article 42).
3) Treatment of Virtual Currencies
This section covers how to treat virtual currencies themselves and transactions involving virtual currencies.
Comprehensive guidance has been provided by the Financial Action Task Force (FATF) with regards to virtual currencies.
The FATF wrote a comprehensive report in June 2015 on the treatment of virtual currencies.
Its guidance – while specific guidance is being produced by the EU Commission or the European Supervisory Authorities (ESAs) – should be relied upon by regulated entities.
The FATF 2015 report identifies specific risks associated with virtual currencies and provides guidelines on how to deal with such risks.
The FATF states that “due to anonymity and the challenges to conduct a proper identification of the participant, convertible decentralised VCPPSs in general may be regarded of higher risk of ML/FT which would require the application of enhanced due diligence measures.”
This means that EDD will be the benchmark for the standard engagement of any new virtual currency customer.
While adhering to the CDD measures above, you will also need to implement EDD measures such as identifying the source of wealth/funds of a customer.
Other specific CDD measures that the FATF recommends for virtual currency businesses are as follows:
Data collection (IP addresses and New Payment Product Services (NPPS))
“These, to the extent applicable, include: corroborating identity information received from the customer, such as a national identity number, with information in third party databases or other reliable sources; potentially tracing the customer’s Internet Protocol (IP) address; and searching the Web for corroborating activity information consistent with the customer’s transaction profile, provided that the data collection is in line with national privacy legislation.”
Maintaining transaction records
“At a minimum, financial institutions and DNFBP (Designated Non-Financial Businesses and Professions) should be required to maintain transaction records that include: information to identify the parties; the public keys, addresses or accounts involved; the nature and date of the transaction, and the amount transferred. The public information available on the blockchain provides a beginning foundation for record keeping, provided institutions can adequately identify their customers.”
Limitation on initial loading mechanism
“As with NPPS, VCPPS (Virtual Currency Payment Products and Services) business should consider, for occasional transactions above a given threshold, limiting the source of funds to a bank account, credit or debit card, or at least applying such limitations to initial loading, or for a set period until a transaction pattern can be established, or for loading above a given threshold.”
Technology for forensic tools
The FATF has encouraged the use of technology to manage risks appropriately. Some of those systems provide information on the blockchain that can be used to corroborate information provided by a customer.
The 4AMLD comes into force by the summer of 2017. In the meantime, virtual currency exchanges/custodians should prepare to transition into a regulated environment. This means having controls and processes in place to become AML compliant. It also means having specific measures in place to deal with the particular risk profile of virtual currencies.