Preventative Measures and Regulatory Oversight
In line with international standards, particularly FATF Recommendation 15, which emphasizes the importance of conducting a National Risk Assessment before introducing new technology, the Advisory Authority for Combating Money Laundering and Terrorist Financing has taken several actions. In collaboration with the Ministry of Finance and the House of Representatives, a specialized Risk Assessment was commissioned in July 2020 from a U.S.-based advisory firm, Bandman Advisors, with expertise in FinTech & RegTech and Crypto Asset technology, to evaluate the introduction of Virtual Assets (VA) and Virtual Asset Service Providers (VASPs) in Cyprus.
The main objective of the NRA was to identify and assess the Money Laundering and Terrorist Financing (ML/TF) risks posed by crypto-assets, also referred to as digital assets, and VASP. The findings and recommendations of this Report have been incorporated into the primary and secondary legislation on AML/CFT that was enacted in 2021 for this respective sector. The finalized Report was published on the Ministry of Finance’s website in November 2021, as per the provisions of Article 57 of the Prevention and Suppression of Money Laundering and Terrorist Financing Law and following the EU AML/CFT Directives.
In the following article, the CX Financia team outlines the NRA report’s key findings regarding the ML/TF risks posed by VA and VASP.
The Advisory Authority is committed to implementing the relevant recommendations and mitigating this sector’s ML/TF risks.
Some of the key findings of the Report are listed below:
- There is limited VA or VASP (or VASP-type) activity in Cyprus, and there have been limited access points for VA into the broader Cyprus economy.
- There is a widespread perception that the VA/VASP sector is a high risk. Still, there is limited direct understanding or experience regarding the specific Money Laundering (ML) and Terrorist Financing (TF) risks of the VA and VASP sector on the part of key authorities. CySEC has had initial direct supervisory experience supervising ML/TF risks of a small subset of entities.
- CySEC will be critical in supervising VA activities, leading Cyprus’s efforts to mitigate VA/VASP ML/TF risks.
- The Police have acquired some direct experience and a sophisticated understanding of VA.
- There is limited to no use of specialized commercial cryptocurrency AML compliance and intelligence/blockchain forensics and transaction monitoring tools and databases. Supervisors, law enforcement, and the FIU have received little access to and training on their use.
- Current measures to mitigate NPO vulnerabilities, including the consulting project and risk assessment currently being undertaken on behalf of the Ministry of Interior (MOI), are not considering the VA/VASP sector.
- Processes for updates from supervisors to obliged entities on designations to sanctions lists and other communications are designed for regular business hours. Because VA markets, unlike traditional financial markets, are active on a 24/7/365 basis, this could be a material gap concerning VASPs and the movement of VA (partly mitigated by other sources of updates available to obliged entities through widely available databases).
Policies and Procedures Recommended to the Supervisory Authorities
The NRA identified several authorities directly related to providing VA services in Cyprus, including CySEC, CBC, Police, MOKAS, ICPAC, CBA, the Customs Department, and the Ministry of Interior.
A set of recommendations are proposed by Bandman Advisors to the key authorities and include, among others:
- Creation of a baseline of stored data related to the crypto-asset activities.
- CySEC to create a register with verified information of the CASP Beneficial Owners (BO), management and fitness standards.
- Access, use, and train on specialized cryptocurrency AML Compliance blockchain forensics and transaction monitoring databases.
- MOKAS to incorporate specific identifier fields in its reporting system for Suspicious Activity Reports (“SARs”) and Suspicious Transactions Reports (“STRs”) to categorize crypto-asset related reports.
- Development of VA freezing, safeguarding, and liquidating procedures in case of confiscation using several technological approaches.
- CySEC to include authorized CASP in its automated notification lists related to ML/TF.
- International cooperation for incoming and outgoing ML/TF requests related to crypto-asset activities
Preventative Measures for Crypto-Asset Obliged Entities
The NRA has identified specific vulnerabilities in the provision of crypto-asset services that arise due to the unique characteristics of virtual assets. These vulnerabilities include:
- Anonymity and pseudo-anonymous nature of virtual assets
- Global and online accessibility
- Immediate convertibility to fiat currencies through exchanges
- Difficulty in reversing or freezing transactions once completed
- Non-face-to-face client relationships
- Custody risk of hot and cold wallets
- Commingled wallets that result in VASP transactions not being registered on the blockchain.
To address these vulnerabilities, CX Financia Team suggests preventive and risk-mitigating measures such as:
- A risk-based approach for customer due diligence that covers the entire relationship cycle.
- Transaction monitoring measures, including Know Your Transaction procedures, wallet and crypto-asset source monitoring, and source of funds tracking through blockchain analytics. These measures should be applied to fiat money and crypto-asset deposits, including the source of wealth confirmation and deposit limits.
- Being aware of any regulatory differences that may cause regulatory arbitrage.
- Incorporating procedures for reporting to MOKAS within the entity’s AML compliance program.
- Efficient cooperation with competent authorities.
CySEC’s Circular C478
On December 21st, 2021, the Cyprus Securities and Exchange Commission (CySEC) released Circular C478 publishing the National Risk Assessment (NRA) Report by Bandman Advisors.
Identifying Money Laundering/Terrorist Financing (ML/TF) risk
The Risk Factors Guidelines recommend that firms consider relevant risk factors when identifying ML/TF risks associated with a business relationship or occasional transaction. These risk factors include the customer’s identity, the countries or geographical areas they operate in, the specific products, services, and transactions the customer requires, and the channels used by the firm to deliver these products, services, and transactions.
Sources of information
The Risk Factors Guidelines recommend that firms gather information about these ML/TF risk factors from various sources, including the European Commission’s supranational risk assessment and government information such as national risk assessments, policy statements, and alerts.
Assistance to Regulated Entities
The CySEC considers the National Risk Assessment (NRA) Report useful for Regulated Entities engaging or seeking to engage in Virtual Assets (VA) activities. The Report guides understanding AML/CFT risks and obligations and how to comply effectively. Therefore, CySEC expects that all Regulated Entities study the Report thoroughly and take its content into account when assessing AML/CFT risks. This will lead to the effectiveness of measures and procedures applied by the Regulated Entities.
Registration Process of a VASP/CASP
The registration process of a potential VASP (CASP under CySEC) is divided into two steps. During the shareholders’ due diligence, CySEC examines the source of funds to ensure that the entity’s initial capital has derived from legitimate activities and is adequate to support at least three years of operations. The second authorization step is the business model and plan assessment and the entity’s organizational structure.
Cyprus Takes Action to Address ML and TF Risk in Crypto-Asset Sector
The NRA indicates that the crypto-asset services provision sector will experience fast growth in the coming years as more entities and individuals wish to.
In the second enhanced follow-up report by MONEYVAL, Cyprus has shown progress in improving its compliance with FATF standards on combatting money laundering and terrorism financing. Although substantive progress has been made in implementing its VASP regime, a national action plan still lacks to address risks identified in the VASP sector. Cyprus must continue its efforts to strengthen its AML/CFT framework to effectively combat these risks and ensure compliance with international standards.
Choosing CX Financia as your trusted partner!
At CX Financia, we offer our experience and expertise in licensing and compliance. Our team deeply understands the regulatory landscape and can provide sophisticated advice and solutions to help you navigate the complexities of licensing and compliance!