Virtual asset service providers (VASPs) operating in Ireland are now subject to Ireland's AML/CFT framework and must register with the Central Bank of Ireland.
Most of the Fifth Money Laundering Directive (MLD5) was transposed into Irish law on 18 March 2021. Our recent briefing contains more detailed analysis: Arthur Cox Q&A: MLD5 Transposition and AML Horizon-Scanning.
A VASP carrying on business in Ireland is now a "designated person" for the purposes of the Irish anti-money laundering (AML)/countering the financing of terrorism (CFT) framework, meaning that it is subject to AML/CFT obligations generally, and will need to register with the Central Bank of Ireland (CBI). These requirements came into effect on 23 April 2021.
This briefing summarises the registration process, and sets out what in-scope firms need to do next.
MLD5 brought virtual currencies and their providers into the scope of the EU's AML/CFT framework. In transposing MLD5 into Irish law, Ireland opted to base its AML/CFT framework for VASPs on the definitions of "virtual asset" and "virtual asset service provider" used by FATF in its Standards on Virtual Assets and Virtual Asset Service Providers, rather than on the corresponding provisions of MLD5 which are slightly narrower in scope. The rapid growth of virtual currencies, and the continually-evolving nature of the virtual asset market, have triggered a need to balance financial innovation against the potential use of virtual assets for money laundering (ML) or terrorist-financing (TF). The Financial Action Task Force (FATF) formally imposed AML/CFT obligations on VASPs in June 2019, and highlighted the lack of AML/CFT frameworks in jurisdictions in which VASPs operate, together with the increasing anonymity of transactions in virtual assets, as key ML/TF risks.
"A digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes"
This does not include digital representations of fiat currencies, securities or other financial assets.
Virtual Asset Service Provider
A person who, by way of business, carries out one or more of the following activities for, or on behalf of, another person:
(a) exchange between virtual assets and fiat currencies;
(b) exchange between one or more forms of virtual assets;
(c) transfer of virtual assets;
(d) custodian wallet provider (i.e. an entity that provides services to safeguard private cryptographic keys on behalf of its customers, to hold, store and transfer virtual currencies);
(e) participation in, and provision of, financial services related to an issuer's offer or sale of a virtual asset or both.
This does not include a designated person that is not a financial or credit institution and that provides virtual asset services in an incidental manner, and is subject to supervision by a national competent authority other than the CBI.
Registration with the CBI
Registration not Regulation
The new registration requirement for VASPs, while it is more detailed (in particular as regards the obligations it imposes in respect of beneficial owners) than the AML/CFT framework introduced for 'Schedule 2' firms, is not a fully-fledged regulatory regime.
As mentioned in our recent briefing ( Much Ado about Crypto – the Draft EU Crypto-Assets Regulation), as part of its September 2020 Digital Finance Package the European Commission proposed an authorisation regime for issuers of asset-referenced tokens, and for crypto-asset service providers, which would facilitate passporting and introduce conduct of business requirements. This regime (known as MiCA) is not expected to come into force until 2024.
Who is in Scope?
From 23 April 2021, VASPs established in Ireland must register with the CBI as follows:
- An entity that was already carrying on the business of a VASP in Ireland at 23 April 2021 has 3 months to submit its registration application. In the interim, it will be deemed to have registered. However, if it does not submit its registration application by 23 July 2021, it will no longer be able to operate until such time as it has made an application and that application has been accepted.
- An entity that wishes to start operating as a VASP in Ireland (whether it is incorporated in Ireland or not) after 23 April 2021 must first register with the CBI.
- If a firm is already authorised by the CBI (either subject to prudential supervision or for conduct of business requirements) and operates, or plans to operate, as a VASP in Ireland, it must also register as a VASP.
While MLD5 requires each EU Member State to put a registration framework in place for VASPs, these frameworks are jurisdiction-specific i.e. being registered as a VASP with the CBI will not give an entity the ability to passport its VASP-related services into another EU Member State and vice versa. If it wishes to also provide VASP-related services in another EU Member State, it will need to comply with any equivalent registration requirements in that jurisdiction.
To register as a VASP:
- an in-scope firm will need to submit a pre-registration form, following which the CBI will allocate it a Central Bank Institution Number;
- the CBI has recommended that in-scope firms avail of an optional pre-application meeting with it; and
- once it receives its Central Bank Institution Number, an in-scope firm can complete the Registration Form and submit it via the CBI's Online Reporting System (ONR).
The applicant must have an AML/CFT framework in place before making its application. The application must be accompanied by supporting documents and information including:
- an organisation chart and, if relevant, a group structure chart;
- a business plan (including details of how transaction flows (of funds and assets) will operate);
- details of its beneficial owners and principal officers (directors, secretary, managers and similar officers);
- its AML/CFT business risk assessment, together with detail of its AML/CFT-related systems, controls, policies and procedures and details of the systems and controls in respect of its assurance testing programme; and
- details of all VASP-related outsourced functions.
Fitness and Probity
The CBI is very focused on the fitness and probity of a VASP's beneficial owners and principal officers. By way of reminder:
- beneficial owners: for AML/CFT purposes, an individual is a beneficial owner of a body corporate if it directly (or indirectly through other companies) holds > 25% of the shares in that entity, or otherwise directly (or indirectly through other companies) controls >25% of that body corporate. Individuals who have no legal or beneficial interest in shares in a body corporate, but are senior managing officials (such as the directors or the CEO), may be deemed to be its beneficial owners if the body corporate cannot identify, with certainty, any other individuals who may be its beneficial owners;
- principal officers: the directors, secretary, managers and similar officers of a VASP are its principal officers.
As part of its application for registration, an in-scope firm must (in addition to its own application form):
- submit specific application forms in respect of each of its beneficial owners;
- ensure that all relevant individuals who will hold Pre-Approval Controlled Functions complete Individual Questionnaires as part of the CBI's Fitness and Probity framework.
A registered VASP must take reasonable steps to ensure that its beneficial owners are "fit and proper" – failure to do so is a criminal offence. It must also notify the CBI if it has reasonable grounds to suspect that one of its beneficial owners is not a fit and proper person.
- Grant: Where the CBI grants an application for registration, it may attach conditions. It may also amend the scope of a VASP's registration at a later date (a VASP will have the right to appeal that decision to the Irish Financial Services Appeals Tribunal (IFSAT)).
- Refusal: Where the CBI refuses an application for registration, the firm will be given the opportunity to make written submissions to the CBI as to why its application should be granted, and can also appeal the refusal to IFSAT.
- Regulatory Disclosure Statement: Once a VASP's application is granted by the CBI, it must include a regulatory disclosure statement in all advertisements for its services stating that it is registered and supervised by the CBI for AML and CFT purposes only. The CBI may prescribe more details in respect of that regulatory disclosure statement (font, size, colour etc.) but at the date of writing it has not yet done so.
- Revoking Registrations: A VASP's authorisation can also be revoked (whether at the instigation of the VASP, or the CBI). The CBI may also issue a direction to a VASP limiting its activities to those set out in that direction (perhaps where the CBI is concerned that there may be grounds for ultimately revoking the VASP's registration, but wishes to look into the matter further).
- Register: The CBI must also establish and maintain a publicly-available register of VASPs.
Ongoing Monitoring of Beneficial Ownership
As mentioned above, one of the CBI's key focus areas as part of the application process is the beneficial ownership of applicants.
This theme continues once an application is granted, with CBI approval being required for the acquisition of a beneficial interest in a registered VASP. Key determining factors will be the influence that the proposed acquirer is likely to exercise over the VASP's business, its reputation (and the reputations of its senior staff), its financial position, and whether the acquisition could increase ML/TF risk.
The CBI may also request information from the Gardaí for the purposes of determining if an applicant, a VASP, a beneficial owner, or a principal officer is a fit and proper person.
If the CBI is concerned that a beneficial owner is influencing a VASP's affairs in a manner which could impair the VASP's ability to comply with Irish AML/CFT law, the CBI may issue a direction to the beneficial owner to take specific steps. If the beneficial owner fails to comply, there are a number of options open to the CBI via a court application, including an injunction, an order suspending the beneficial owner's voting rights, or an order directing the sale of the beneficial owner's holding in the VASP.
What does an in-scope firm need to do now?
In-scope firms, and those who plan to provide VASP services in Ireland, should begin to prepare their applications for registration. It is important to note that, before submitting an application, an in-scope firm must have its AML/CFT framework in place. As a VASP is now a "designated person" for AML/CFT purposes, the following obligations apply:
- to carry out and document a business risk assessment, which will underpin its approach to customer due diligence;
- to identify and verify its customers and beneficial owners, and to monitor its relationships with its customers;
- to report suspicious transactions;
- to put in place internal policies, procedure and staff training; and
- to keep records (noting that the CBI may direct VASPs to retain additional records beyond those that designated persons are already required to retain).
As mentioned above, VASPs are a key focus area for the FATF and it plans to carry out its second 12-monthly review of its standards on virtual assets and VASPs by June 2021. The Minister for Finance is empowered to make additional regulations giving the CBI further powers in relation to VASPs to reflect any evolution in the FATF's recommendations from time to time.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.