One of the mitigating measures that must be adopted is Customer Due Diligence (‘CDD’), which VFA service providers must carry out on all customers, both in business relationships and in occasional transactions, although to a varying degree. When establishing a business relationship the CDD obligations are more onerous and the nature and purpose of the relationship must be identified, whereas for occasional transactions only identification and verification of the customer and the beneficial owners is required. CDD must be carried out before transactions are concluded so that the VFA service provider can take the necessary action should the customer fail to cooperate. The level of CDD to be applied varies with the gravity of the risks posed; the Implementing Procedures benchmark low ML/TF risk at €1000, below which amount Simplified Due Diligence (‘SDD’) may be carried out.
VFA service providers receiving or sending VFAs must collect the wallet address from which VFAs are sent or received and must also identify whether the address is associated with a private wallet, a multi-signature wallet or a custodial wallet. Where the VFA service provider receives VFAs from a customer’s private wallet, the customer must prove control over the address where there is a sufficient degree of risk, for example in the case of transactions involving significant amounts of VFAs.
Whenever a VFA service provider enables payments or transactions involving VFAs, there must be systems in place to scrutinize wallet addresses in light of any negative publicly available information associated with them, and Distributed Ledger Technology (‘DLT’) analytical tools must be used to detect fraudulent or suspicious transactions. Alternative measures may be used where DLT analytical tools are unavailable, for example where no such tools exist for a particular VFA. Furthermore, both the addresses from which VFAs are sent and those at which they are received must be scrutinized. These procedures are to be carried out on a risk-sensitive basis.
In the case of business relationships, service providers must identify the reasons why customers will be using the product or service and in what manner, and obtain information such as the volume of transactions that will be undertaken and in which jurisdictions. Furthermore, source of wealth and expected source of funds information must also be collected upon establishing a business relationship. However, the actual source of funds must only be determined in the case of irregular transactions which are not consistent with the rest of the customer’s transactions or with the service provider’s expectations. Where payments are carried out through transactions involving VFAs, the source of funds enquiry is intended to establish how the customer obtained the VFAs. Where a significant amount of VFAs was mined by the customer, the service provider must obtain proof that the address from which the VFAs were sent was controlled by a mining pool and that the customer was associated with it. The service provider must then determine whether such activity was feasible in light of the customer’s source of wealth.
On-going monitoring obligations are triggered when business relationships are entered into, most notably including the requirement to establish a risk-based transaction monitoring program. This program must be able to recognize typologies and transaction patterns which suggest suspicious behaviour and create customer transaction profiles which record data such as the customer’s transaction history. The program must also be able to identify instances where a customer uses numerous wallets for the same VFA and link accounts belonging to the same customer. The program must be capable of creating alerts when customers are identified as high risk or are involved in suspicious transactions.
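As an added illustration (not code from the Implementing Procedures or from any FIAU tool), the following Python sketch runs a minimal risk-based monitoring pass over constructed transfer records: it builds a per-customer transaction profile, links multiple wallets used by the same customer for the same VFA, screens both the sending and receiving side of each transfer against a constructed negative-information list, and raises alerts for high-risk customers. All field names, sample addresses and risk lists are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample transfer records (field names are assumptions for this example).
TRANSFERS = [
    {"customer": "C1", "wallet": "addrA1", "counterparty": "addrX1",
     "vfa": "BTC", "amount": 0.2, "direction": "in"},
    {"customer": "C1", "wallet": "addrA2", "counterparty": "addrX2",
     "vfa": "BTC", "amount": 0.5, "direction": "in"},
    {"customer": "C1", "wallet": "addrA3", "counterparty": "addrBAD",
     "vfa": "BTC", "amount": 1.0, "direction": "out"},
    {"customer": "C2", "wallet": "addrB1", "counterparty": "addrX3",
     "vfa": "ETH", "amount": 3.0, "direction": "in"},
]
# Constructed negative-information list; in practice this would come from
# public sources or a DLT analytics feed.
NEGATIVE_ADDRESSES = {"addrBAD"}
# Constructed list of customers already rated high risk by CDD.
HIGH_RISK_CUSTOMERS = {"C2"}


def build_profiles(transfers):
    """Customer transaction profile: full history plus the wallets used per VFA."""
    profiles = defaultdict(lambda: {"history": [], "wallets": defaultdict(set)})
    for t in transfers:
        p = profiles[t["customer"]]
        p["history"].append(t)
        p["wallets"][t["vfa"]].add(t["wallet"])
    return profiles


def generate_alerts(transfers, negative=NEGATIVE_ADDRESSES, high_risk=HIGH_RISK_CUSTOMERS):
    """Return sorted (customer, reason) alerts from one monitoring pass."""
    alerts = []
    for cust, p in build_profiles(transfers).items():
        if cust in high_risk:
            alerts.append((cust, "high_risk_customer"))
        # Several wallets for one VFA are linked to the same customer and flagged.
        for vfa, wallets in p["wallets"].items():
            if len(wallets) > 1:
                alerts.append((cust, f"multiple_wallets:{vfa}:{len(wallets)}"))
        # Both the customer's own address and the counterparty are screened.
        for t in p["history"]:
            if t["counterparty"] in negative or t["wallet"] in negative:
                alerts.append((cust, f"negative_info:{t['counterparty']}"))
    return sorted(alerts)
```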
Subject persons must maintain transaction records including the customer’s identification details, the names of any parties to the transaction, bank account or wallet address details (and, where a custodial wallet is used, the name of the institution holding it), the value date and the date of the value transfer, and the type and value of any VFAs involved. This information must be retained even if it is publicly available.
An independent audit function must be established in order to test the subject person’s internal functions. An external review of the VFA service provider’s measures, policies, controls and procedures must be carried out at minimum once every 18 months from the commencement of its activities. The review is intended to test the service provider’s AML/CFT systems to ensure their effectiveness, and the results must be compiled in a report stating whether the systems in place are up to standard and compliant with the PMLFTR and the Implementing Procedures, whether the systems were adequate during the period under review, and whether any changes should be made. The review must test, inter alia, compliance with AML/CFT laws and internal procedures, identity verification methods, CDD, record-keeping, training programmes and processes for flagging and reporting suspicious activities. It is recommended that the person undertaking the AML/CFT review collaborates with the Systems Auditor to gain a thorough understanding of the systems in place. A copy of the report, along with senior management’s responses, must be sent to the FIAU and any other relevant supervisory authorities upon request.
The requirements set out above for service providers also apply to issuers offering VFAs to the public, since the issuer is considered a subject person under the PMLFTR. However, the following requirements differ:
For the full version of the Implementing Procedures, please access the following: https://fiumalta.org/library/PDF/implementprocedures/03.02.2020%20-%20IPs%20Part%20II%20VFAs%20(Published).pdf