Cryptocurrency Moves Out of the Shade – New AML Requirements for Virtual Asset Service Providers
Reading time: 4 mins
The European Union’s Fifth Anti-Money Laundering Directive (“5AMLD”) was transposed into Irish law on 23 April 2021 by the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021 (the “2021 Act”). The Act will provide a level of regulation to deal with the increasing sophistication of money laundering, criminal activities and terrorist financing. While the scope of 5AMLD extends beyond the cryptocurrency sphere, this Insight will examine the key provisions of 5AMLD in the context of the regulation of cryptocurrency exchanges in Ireland and its interplay with the Central Bank of Ireland (“CBI”) in its role as the regulatory authority responsible for supervision of the financial services sector in Ireland.
Extension of AML and CFT Regime to Virtual Asset Service Providers
The 2021 Act extends the Criminal Justice (Money Laundering and Terrorist Financing) Acts 2010 to 2021 (“CJA 2010 to 2021”) to virtual asset service providers (“VASPs”) in Ireland and in doing so:
- extends the anti-money laundering (“AML”) and countering the financing of terrorism (“CTF”) obligations and requirements under the CJA 2010 to 2021 to VASPs; and
- imposes certain other ongoing regulatory and registration requirements on VASPs, each of which we will discuss briefly.
What are VASPs?
The 2021 Act contains a fairly broad definition of “virtual asset service provider”. It would appear to extend to, among others, any cryptocurrency exchange provider on the basis that it extends to a firm (who by way of business) carries on any one of a number of activities on behalf of another including exchange between virtual assets and fiat currencies or one or more virtual assets, transfer of virtual assets, custodian wallet provider and participation or provision of financial services related to an issuer’s offer or sale of a virtual asset. A “virtual asset” is defined as a digital representation of value that can be digitally traded and can be used for payment of investment purposes (but excludes fiat currencies, securities or other financial assets) – its scope would seem, on this basis, to extend to cryptocurrencies (such as Bitcoin, Litecoin and Ethereum).
Summary of the impact of the 2021 Act for VASPs
- AML and CTF Requirements
VASPs are required to comply with the AML and CTF obligations which are contained in Part 4 of the CJA 2010 to 2021.
- Registration Requirements of the CBI
VASPs established in Ireland are required to register with the CBI for AML/CTF purposes and the CBI shall establish and maintain a register known as the “Register of Virtual Asset Service Providers” which will contain information such as name and address of each person registered to carry on business as a VASP.
Any VASP established in Ireland and carrying on business as a VASP prior to the 2021 Act coming into force (on 23 April 2021) has three months to apply to the CBI for registration – the transitional provisions in this regard are noteworthy as any person currently carrying on business as a VASP is regarded as being registered as a VASP until such time as the CBI has granted or refused the application for registration (provided such application complied with the ‘application for registration’ provisions of the new section 106G (Chapter 9A, Part 4) of the CJA 2010 to 2021 and was submitted within the three month timeline).
The CBI must be satisfied of a number of conditions before it will grant an application for registration including, effective AML/CTF policies and procedures being in place, management and beneficial owners meeting the requirements of the CBIs fitness and probity requirements and any additional requests for information or documentation from the CBI have been adequately met.
Any firm that is (i) not a VASP established in Ireland and (ii) intends to operate as a VASP in Ireland must be registered as a VASP with the CBI prior to commencement of any business as a VASP from Ireland.
Also, any firm that is currently authorised by the CBI for prudential and/or conduct of business services and plans to also carry on business as a VASP is obliged to register with the CBI as a VASP.
- Ongoing obligations
As mentioned above, VASPs will be subject to the AML and CTF obligations which are contained in Part 4 of the CJA 2010 to 2021 noting that in many instances such obligations are ongoing (and not just day one) obligations. The implications of failure to comply with the various obligations is considered below.
The ongoing obligations include (but are not limited to) retention of certain records, undertaking customer due diligence, notifying the CBI of certain suspicions including suspicions regarding the beneficial owners of the VASP and customer transactions, maintaining and implanting AML/CTF policies and procedures, providing training to staff on these policies and undertaking risk assessments.
- Regulatory disclosure statement
The holder of a registration must include a regulatory disclosure statement (in a prescribed form) in all advertisements for its services stating that it is registered and supervised by the CBI for all AML and CFT purposes only.
- Conditions in connection with the granting of an application
It is also noteworthy that under the terms of the 2021 Act, in granting an application, the CBI can impose any conditions that it considers necessary for the proper regulation of the firm as a VASP, and to prevent the business from being used to carry out money laundering or terrorist financing.
Implications of failure to comply with the new requirements
It is a criminal offence to carry on the business of a VASP (or claim or represent to be a VASP) in the absence of a VASP registration. Any person in contravention of this is liable (i) on summary conviction, to a class A fine or imprisonment up to 1 year or both, or (ii) on conviction on indictment, to a fine not exceeding €500,000 or imprisonment up to 5 years or both. Similarly, the failure to comply with the AML/CTF obligations contained in Part 4 of the CJA 2010 to 2021 is a criminal offence.
Certain other penalties may be imposed where (i) a holder of a registration has failed to comply with any condition of the registration or any prescribed requirements relating to the regulatory disclosure statement or (ii) where a holder of a registration has failed to comply with its retention of certain records obligations.
Also, worth noting is the power of CBI to revoke a registration in certain circumstances including where it has reasonable grounds to be satisfied that the registration was obtained by false or misleading information.
Given the nature and severity of the penalties (as illustrated above), it is imperative that VASPs are aware of their registration requirements and ongoing AML/CTF obligations to avoid any sanctions.
Incremental yet key regulation of the sector
The emergence and popularity of cryptocurrency and blockchain technology continues to grow and the establishment of Blockchain Ireland – a non-profit, member-led organisation - and its objective to establish Ireland as a global blockchain and cryptocurrency hub (and creating jobs in this space) is testament to this. Notwithstanding this (other than the 2021 Act in the context of AML/CTF obligations relating to VASPs), there is currently no Irish framework to regulate or prohibit cryptocurrencies and the issuers of such virtual assets. It would appear that Ireland is biding its time to assess whether a common EU-led approach is viable rather than seeking to be legislative pioneers in this field.
The drawbacks associated with cryptocurrencies have been well documented and include (i) its use by criminals as a tool to facilitate money laundering and terrorist financing, (ii) the lack of regulatory protections at present, (iii) the extremely volatile cryptocurrency values, and (iv) the investment risk associated with “initial coin offerings”. In this context, the proposal for future regulation of these virtual assets is undoubtedly to be welcomed. Last September, the EU’s Digital Finance Strategy 2020 was published and it contains a proposed framework for Markets in Crypto-Assets by the European Commission in the form of a proposed regulation.
In the context of wider regulation in this space, consideration must also be given to the application of aspects of the existing regulatory framework to these virtual assets and these considerations may receive the attention of the CBI and also the Department of Finance.
Importance of securing compliance
The transposing of 5AMLD into law in Ireland by the 2021 Act will have a significant impact on how cryptocurrency exchanges are regulated in Ireland. It is of paramount importance that cryptocurrency exchanges (and indeed any entity falling within the definition of ”virtual asset service provider”) established in Ireland are aware of their registration obligations, the application for registration timelines, and also the ongoing AML/CTF obligations - as failure to comply can result in severe sanctions.
 Including for example: (i) the 2014 Markets in Financial Instruments Directive (MiFID II), (ii) the Second Payment Services Directive (PSD2), (iii) the Prospectus Directive, and (iv) the General Data Protection Regulation.