CompliReg, your first choice for regualtory authorisations, licences and registrations is proud to support Fintech UK and its endeavours to Map the FCA registered cryptoasset market in the UK.

Today (Monday 11 July 2022) the Central Bank of Ireland issued a press release highlighting weaknesses in Virtual Asset Service Providers’ (VASP) AML/CFT Frameworks.

As of today, according to the Central Bank's website, the total number of VASPs registered in Ireland is ZERO.  See image below.

Question: If there are no firms appearing on the register, does that mean that there are no VASPs operating lawfully in Ireland?  

Answer: No.  VASPs established in Ireland and carrying on business as a VASP immediately prior to the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021  coming into force, who applied to the Central Bank for registration before 23 July 2021 are permitted to continue to offer VASP services pending the outcome of their application ('transitional period'). 

While we have heard stories of firms operating as VASPs in Ireland in circumstances where they do not fall under the transitional period, such firms should be subject - if they came to the attention of the Central Bank -  to criminal and/or regulatory investigation.

​Accompanying today's press release is a bulletin in relation to Virtual Asset Service Providers (VASPs), seeking to assist applicant firms to strengthen both their applications for registration and their Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) Frameworks.

The Central Bank says while it seeks to anticipate and support innovation in the financial services industry, firms operating in novel areas must ensure their businesses will not be used to launder the proceeds of crime or to finance terrorism.  The Central Bank issued the bulletin to VASPs to assist them in strengthening their applications and frameworks.

Background: Since 23 April 2021, VASPs are required to comply with the relevant AML/CFT obligations under the Criminal Justice Act 2010 to 2021. Any firm wishing to conduct business as a VASP must apply to the Central Bank for registration. The Central Bank says it is currently progressing the assessment of registration applications, and has provided feedback to 90% of applicants on their proposed AML/CFT frameworks.

Findings: The Central Bank identified, in the vast majority of applications:

• a lack of understanding and compliance with key AML/CFT obligations; and
• significant control weaknesses.

See below for further details on the Central Bank's 'findings' observations.
​
The Central Bank reported that the lack of compliance, coupled with control weaknesses, resulted in a significant number of the applicant firms not being able to demonstrate that they could meet their AML/CFT obligations.

Actions: The Central Bank has reconfirmed that it will only register a firm when it is satisfied that the firm can meet its AML/CFT obligations on an ongoing basis. It has said that all current and potential VASP applicants should:

• take actions to rectify weaknesses;
• review the bulletin; and
• be aware that if they fail to register they may face significant criminal and/or administrative sanctions.

The Central Bank also too the opportunity to remind that:

• VASPs are supervised by it for AML/CFT purposes only, and that consumers do not enjoy the Central Bank’s consumer protection mandate in their dealings with VASPs.
• as with all other supervised financial institutions, registered VASPs will be subject to a supervisory levy which will be driven by the level of resources applied to their supervision.

Incomplete Applications: A number of registration applications did not contain the required information and documentation and consequently such applications did not progress to the assessment phase.

• some firms had submitted policies but no accompanying procedures.
• a number of firms submitted a copy of the firm's internal risk register in place of a documented risk assessment.
• majority of firms that did not progress to the assessment phase had not availed of the pre-application meeting and/or had not given consideration to the guidance documents issued by the Central Bank.

Assessment Phase: In undertaking its assessment of registration applications, the Central Bank noted recurring fundamental issues preventing approving of registration applications as the applicants could not meet their AML/CFT legislative obligations or the Central Bank’s expectations. The Central Bank communicated its concerns and expectations to the applicants for further consideration.

The Central Bank helpfully provided a couple of pages in its bulletin (pages 4 - 6) giving an overview of recurring issues identified during the assessment of VASP registration applications.  These are repeated below.

Money Laundering and Terrorist Financing (ML/TF) Risk Assessment: An effective AML/CFT control framework is built on an appropriate ML/TF risk assessment that focuses on the specific ML/TF risks arising from the firm’s business model. This risk assessment should drive the firm’s AML/CFT control framework such that it ensures there are robust controls in place to mitigate and manage the specific risks identified through the risk assessment. The Central Bank identified a significant number of issues with the ML/TF risk assessments conducted by VASP applicant firms, including: 

• A number of firms had not assessed or documented the ML/TF risks as they pertain to the firm’s customers and business activities. The Central Bank expects a Risk Assessment to be specific to the firm and the specific risks that pertain to that firm’s activities and customers. 
• Several VASP applicant firms did not document the inherent ML/TF risks that pertain to the firm or document how, after assessing the effectiveness/strength of the firm’s control environment, the firm had determined the residual risk rating for each of the risk factors as set out in the CJA 2010 to 2021.
• A number of firms did not consider relevant information in the National Risk Assessment, CJA 2010 to 2021 and/or guidance on risk issued by the Central Bank, when documenting the firm’s risk assessment. This included consideration of inherent risk factors, such as Nature, Scale, Complexity, Geographical Risk, Products and Services risk, etc.

Policies and Procedures: When developing AML/CFT policies, controls and procedures (“AML/CFT P&Ps”), firms should maintain a detailed documented suite of AML/CFT P&Ps, which are:

• supplemented by guidance
• accurately reflect operational practices; and
• fully demonstrate consideration of and compliance with all legal and regulatory requirements. 

The Central Bank identified a number of recurring issues with the AML/CFT P&Ps submitted by applicant firms including; 

• Several firms submitted AML/CFT P&Ps that did not meet the Irish legislative and regulatory requirements, in many instance referring to legislative frameworks in other jurisdictions where parent/group entities are situated. Where firms rely on group policies and procedures, these must be sufficiently detailed, applicable to the Irish entity that is applying for VASP registration and meet the Irish legislative and regulatory requirements.
• The Central Bank received several registration applications that included the firm’s policies but failed to include the firm’s procedures that document how the firm meet their legislative obligations. As detailed in the application guidance, applicant firms are required to submit AML/CFT P&P relating to Customer Due Diligence (“CDD”), Transaction Monitoring, Suspicious Transaction Reporting, Financial Sanctions, Record Keeping, Training and Assurance Testing

Customer Due Diligence (“CDD”): 
CDD involves more than just verifying the identity of a customer. Firms should collect and assess all relevant information in order to ensure that the firm:

• Knows its customers, persons purporting to act on behalf of customers and their beneficial owners, where applicable;
• Knows if its customer is a Politically Exposed Person (“PEP”)
• Understands the purpose of the account and therefore understands the expected activity; and;
• Is alert to any potential ML/TF risks arising from the relationship.

The Central Bank identified a number of recurring issues with the CDD AML/CFT P&Ps submitted by applicant firms including;

• A number of applicant firms failed to demonstrate compliance with the legislative obligation to obtain information reasonably warranted by the ML/TF risk on the purpose and intended nature of the business relationship with a customer prior to the establishment of the relationship.
• The Central Bank received several registration applications where the firm failed to demonstrate how screening is conducted for PEPs for both new and existing customers. A number of firms also failed to document how PEP customers are managed including documenting requirement for Senior Management approval, the application of Enhanced Due Diligence (“EDD”) measures to PEPs and enhanced on-going monitoring measures.
• Several firms failed to document policies and procedures relating to the refresh of CDD documentation.

Financial Sanctions Screening: The Central Bank’s expectation is that firms have an effective screening system in place, appropriate to the nature, size and risk of their business. In addition to this, firms should have clear escalation procedures in place to be followed in the event of a positive match.

• Several firms failed to document the frequency of Financial Sanctions screening, how the firm screens (including what, if any, software is used) and also the steps the firm would take in the case of a Financial Sanctions hit.

Outsourcing: A firm can outsource certain AML/CFT Functions, but are reminded that the firm remains ultimately responsible for compliance with its obligations under CJA 2010 to 2021. It is expected that, where firms outsource AML/CFT functions, a documented agreement is in place that clearly defines the obligations of the outsource service provider. Firms should also evidence that sufficient oversight is conducted on the outsourced activity.

A number of VASP applicant firms outsource certain AML/CFT functions to group-related parties and/or non-group related parties.

• Several firms did not include their policies around outsourcing or submit their service level agreements
• In addition to this, several firms have failed to demonstrate sufficient oversight of the outsourced activities or failed to evidence that appropriate regular assurance testing of the outsourced activities takes place.

Individual Questionnaires for proposed Pre-Approval Controlled Function role holders:
A number of firms have failed to or delayed in submitting Individual Questionnaires (IQs) for each of their proposed Pre-Approval Controlled Function (PCF) role holders. IQs should be submitted for each individual proposed to hold a PCF role as soon as practical.

The Central Bank’s expectation on a firm’s presence in Ireland.
In line with the principle of territoriality enshrined in the EU AML Directives and Section 25 of the CJA 2010 to 2021, the Central Bank expects a physical presence located in Ireland and for there to be at least one employee in a senior management role located physically in Ireland, to act as the contact person for engagement with the Central Bank. In addition, in accordance with Section 106 H of the CJA 2010 to 20212 , the Central Bank may refuse an application where the applicant is so structured, or the business of the applicant is so organised, that the applicant is not capable of being regulated to the satisfaction of the Central Bank. 

Further Reading: ​Press Release - Central Bank highlights weaknesses in Virtual Asset Service Providers’ AML/CFT Frameworks 11 July 2022 

Summary
Virtual Asset Service Providers (VASPs) operating in Ireland now need to demonstrate that they are compliant with the provisions of the 5th Money Laundering Directive (AMLD5) which recently came into effect on Friday 23rd April 2021.  

Preceding that date CompliReg, together with Fintech Ireland, hosted a webinar for VASPs, e-money and payments firms.  Details of that event here.  Given the demand from the audience, CompliReg and Fintech Ireland are hosting another Roundtable on the topic on Thursday 6th May - ROUNDTABLE: So, you want to be a Virtual Asset Service Provider?

Background
AMLD5 aims to remove the anonymity from the process of providing virtual asset based services.  This applies to any organisation which provides exchange services between fiat and virtual currencies, as well between virtual assets or custodian wallet providers; bringing them into the scope of the EU’s anti-money laundering and counter-terrorist financing (‘AML/CFT’) framework.

The 2021 Act
The Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021 (the "Act") amends the current Irish AML/CTF legislation, which started life a decade ago through the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended).

New Definitions relating to Virtual Assets
The Act contains the following new definitions:

Designated Persons
The Act brings VASPs within the meaning of "designated person" (equivalent to an "obliged entity" under EU anti-money laundering law). The relevant obligations (Relevant Obligations) of designated persons under the Irish AML regime can be summarised as follows:

• Business Risk Assessment

Must carry out regular business risk assessments to identify and assess the risks of money laundering and terrorist financing involved in carrying on the designated person's business activities.

• Carry out Customer Due Diligence

An obligation to carry out due diligence to verify its customer's identity.

• Apply Business Risk Assessment when carrying out customer due diligence

Must apply the business risk assessment when deciding what level of due diligence is necessary for any given customer.  In certain circumstances, a designated person will be required to carry out enhanced due diligence.

• Suspicious Transaction Reporting

An obligation to report to the FIU, Ireland and the Revenue Commissioners, any suspicious transaction, (or suspicious activities which may be covering up, or preparing for suspicious transactions).

• Adopt internal policies

Must adopt internal policies, controls and procedures in relation to the designated person's business to prevent and detect the commission of money laundering and terrorist financing.

Requirement to Register
The Act requires that a person shall not carry-on business as a Virtual Asset Service Provider unless the person has successfully registered with the Central Bank of Ireland (Central Bank). This is a registration for AML/CFT purposes only. A firm currently authorised by the Central Bank under a different regime which is also acting as a Virtual Asset Service Provider will still be required to register as a VASP.

Whilst there is a three-month transitional period for VASPs to conclude the registration process the Act, which commenced operation on Friday 23rd April (commencement date), other than section 8 of the Act which commenced on Saturday 24th April, applies as of the commencement date.  This means that regardless of an existing VASP having three months to register, the VASP must comply with the Act on and from the commencement date. This means that VASPs availing of the transition period must comply on and from 23rd April with the Relevant Obligations listed above.

The Act sets out the high-level details of the registration process, and the grounds under which the Central Bank may refuse to register a VASP. These grounds include:

• the Central Bank has reasonable grounds to be satisfied that the applicant’s principal officers or beneficial owners are not fit and proper persons to run a business of this nature;
• the applicant has failed to satisfy the Central Bank that its business risk assessment, policies and procedures are adequate or fit for purpose;
• the applicant has failed to satisfy the Central Bank that it has in place the resources, procedures and arrangements for the provision of the business of a virtual asset service provider and the performance of activities, taking into account the nature, scale and complexity of its business and all the obligations that the provider has to comply with as a designated person; and
• the applicant has failed to demonstrate, that it can manage and mitigate the risks of engaging in activities that involve the use of anonymity-enhancing technologies or mechanisms and other technologies that obfuscate the identity of the sender, recipient, holder or beneficial owner of a virtual asset.

Preparation
The Central Bank’s website contains useful information for those requiring registration as a VASP, including the Criminal Justice Act* (as at commencement date), Guidelines on Fitness & Probity of Principal Officers/Beneficial Owners, and links to the AML/CFT Registration Form.  The Central Bank will not accept a registration application until the applicant has been through the pre-registration and has obtained a Central Bank Institution Number.

The Central Bank has also indicated that its current graduated approach to AML/CFT supervision will apply equally to VASPs, meaning that firms which present a higher risk of money laundering and/or terrorist financing will be subject to higher intensity and intrusive supervisory measures than those presenting a lower risk.

Next Steps
As many VASPs shall become designated persons for the first time, they should review their AML/CTF frameworks, their Relevant Obligations, legislation and guidance now.  Given that the Act has now commenced in operation, applicants should submit a Pre-Registration Information Form to the Central Bank to request a Central Bank Institution Number as soon as possible.

Being within the AML/CTF framework will surely bring benefits such as greater confidence to end-users (i.e., customers – individuals and corporates) of VASPs and hopefully, more banking partners will consider opening up their services to VASPs particularly ahead of the proposed Markets in Crypto Assets Regulation 2020/0265.

Support Available
As with any new process, it can appear complex and daunting until you have been through it a few times.  Thankfully help is at hand through CompliReg.  If you would like to setup an initial discussion to discuss your requirements, please check out our page and complete the enquiry form at  https://complireg.com/vasp.html. Stephen Fletcher or Peter Oakes will get back to you ASAP.  Our details at https://complireg.com/team.html.
 
This document (and any information accessed through links in this document) is for guidance purposes only and does not constitute legal advice.  CompliReg does not provide legal services.  Where legal services are required, CompliReg works with a select number of law firms.  If you are a law firm and wish to be considered for our panel, please contact [email protected].