Virtual Asset Service Providers in the regulatory spotlight

Virtual Asset Service Providers (VASPs) are firms that provide certain services relating to virtual assets such as offering an exchange between virtual assets and fiat currencies, exchange between different forms of virtual assets, transfer of virtual assets such as moving a virtual asset from one address or account to another, providing custodian wallet services and participating in and providing financial services related to an issuer's offer and/or sale of a virtual asset.

The European Union's Fifth Anti-Money Laundering Directive (5AMLD) requires VASPs to comply with anti-money laundering and counter financing of terrorism (AML/CFT) requirements. Ireland has implemented 5AMLD by way of the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act, 2021, (the "2021 Act") which came into effect in Ireland on 23 April 2021.

Under the 2021 Act, VASPs are now 'designated persons' for the purposes of the general AML/CFT obligations set out under the previous Anti-Money Laundering Directives and as set out in Ireland in the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended).

As well as complying with these obligations, VASPs must now register with the Central Bank for AML/CFT purposes. The CBI will maintain a Register of VASPs and may impose conditions on such registrations. The 2021 Act nominates the Central Bank as the supervisor for VASPs and confers powers on the regulator to address the beneficial ownership of VASPs, including a power to restrict the acquisition of beneficial interests in VASPs and to require the prior approval of the Central Bank for such acquisitions.

Registration requirements

Firms that were established in Ireland and carrying on business as a VASP must register with the Central Bank within 3 months of 23 April 2021. Firms that are already authorised by the Central Bank for other services that are carrying on VASP activities must also register separately with the Central Bank as a VASP.

When registering, VASPs must satisfy the Central Bank that their AML/CFT policies and procedures are effective to address the risks associated with their business model and the firm's senior managers and beneficial owners must meet the relevant fit and proper requirements set out in the 2021 Act.

Policies and procedures

VASPs should now carry out an AML/CFT risk assessment of their business and must undertake appropriate due diligence on their customers and monitor customer transactions. Where suspicious transactions are identified these must be reported to the Financial Intelligence Unit of An Garda Síochána and the Revenue Commissioners. Once established, the VASP's policies and procedures must be maintained and implemented, relevant records must be maintained for five years and AML/CFT training should be provided to all staff and repeated annually.

Regulatory scrutiny

It is notable that for the second year running the Central Bank has emphasised its focus on VASPs when setting out its supervision and enforcement priorities. The Central Bank has been developing a supervisory engagement strategy for VASPs and has indicated that VASPs will be subject to intense supervision as the Central Bank increases its operational understanding of the business models and services offered.

VASPs may ultimately be sanctioned under the Central Bank's Administrative Sanctions Procedure for AML/CFT failings, with liability of up to €10 million euros or 10% of turnover, whichever is greater. Individuals who are concerned in the management of a VASP and who participate in a breach of AML/CFT requirements can also be subject to the Administrative Sanctions Procedure, be subject to sanctions of up to €1 million and/or be disqualified from management positions in regulated financial services providers.

It is also a criminal offence to carry on the business of a VASP without being registered or to fail to comply with the VASP's conditions of registration or certain requirements which the Central Bank may prescribe for the purpose of the proper and orderly regulation of VASPs.

Next steps

VASPs will be conscious to ensure their application for registration is approved by the Central Bank, by having effective policies and procedures tailored to their business and conducting appropriate due diligence on senior personnel who they intend to propose to be subject to the fit and proper requirements of the 2021 Act.

As other regulated firm's experience has shown, and given the Central Bank's recent focus on AML/CFT operational compliance, relating for example, to systems and controls designed to monitor transactions on an ongoing basis to identify and report AML/CFT risk, the design, implementation and maintenance of these policies and procedures can require significant planning, combining legal compliance requirements and systems expertise.

Whilst the Central Bank has published regular AML bulletins setting out for industry its expectations on how firms should comply with above AML/CTF obligations, it will be important that VASPs act now to map those legal requirements across their own businesses and to assess what policies and procedures are required to meet these legislative requirements and regulatory expectations.

Get unlimited access to all Global Banking Regulation Review content