Navigating financial crime risks in the time of crypto-assets: What triggers your AML/CTF regime for crypto businesses?

Introduction

The risk of crypto-assets being used to further criminal activity is well recognised and considered a priority by authorities and industry alike. Various efforts are underway in a number of jurisdictions to address these risks. These efforts are important, not only to combat financial crime, but also to support the safe development of fintech and regtech initiatives and innovation.

In this four part series the authors look at different jurisdictions' approaches to anti-money laundering (AML) and counter-terrorist financing (CTF) in the crypto sector to include insights on a number of areas, including:

• The triggers to the AML/CTF regime for crypto-asset businesses and what this involves
• How financial institutions are approaching clients in the crypto sector, see part 2
• The regulator's approach to suspicious activity reporting and the consequences of getting it wrong, see part 3
• The future crypto landscape including opportunities and challenges, see part 4

The series is aimed at both financial institutions that are interested in the future development of crypto businesses, those looking to operate a crypto business, and existing providers of crypto products and services to navigate and manage financial crime risks.

Part 1: What triggers your AML/CTF regime for crypto businesses?

In this first article, the authors look at the triggers to the AML and CTF regime for crypto businesses in the United Kingdom, Germany, Netherlands, United States of America, Canada, Hong Kong, and Australia.

1. UK

From January 2020, UK based crypto businesses have had to comply with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended) (MLRs). However, the MLRs apply only to crypto business services carrying on certain specified activities. These activities include custodian wallet providers and crypto exchange providers. The latter covers crypto-asset automated teller machines (ATM), peer to peer providers and those issuing new crypto-assets, for example initial coin offerings or initial exchange offerings. To fall within the UK crypto AML regime, the activity must be carried on by way of business in the UK. Crypto businesses will have to register with the Financial Conduct Authority for AML purposes if the activity being carried out falls within scope of their MLRs and is carried out in the course of business within the UK.

2. Germany

Germany has adopted a new regulatory regime for crypto-assets in connection with the implementation of the European Fifth Anti- Money Laundering Directive (5AMLD) in 2020. The national implementation act aimed to cover all crypto tokens relevant for the financial markets. For this purpose, the new category of "Crypto-assets" was inserted in the definition of "Financial Instruments".

The 2020 reform also introduced the new regulated financial service of "Crypto Custody Business". With effect from June 10, 2021, the German Electronic Securities Act (eWpG) further amended the regulatory regime for crypto-assets. This 2021 act introduced the new regulated financial service of "Crypto Securities Registry Management" and changed the scope of application of the activities "Crypto Custody Business" and "Custody Business".

As a result of these recent reforms, the operation of a crypto exchange in Germany will likely trigger a licensing requirement for one or more types of banking business and/or financial services under the German Banking Act (KWG) or the German Investment Firm Act (WpIG). Similarly, custodial services in relation to crypto-assets will likely trigger specific licensing requirements under the KWG. Institutions authorized under the KWG or WpIG, at the same time, will also qualify as obliged entities under the German Money Laundering Act (GwG) and will thus be subject to the AML/CTF regime in Germany.

The application for a licence corresponds to the established authorisation process for credit institutions and investment firms. Therefore, extensive documentation and information (e.g. on the senior managers, the direct and indirect shareholders or the business plan) need to be filed with the competent authority.

3. Netherlands

The Act on the prevention of money laundering and terrorist financing (Wet ter voorkoming van witwassen en financieren van terrorisme, (Wwft)) is the primary anti-money laundering law in the Netherlands and provides that parties are prohibited from providing "crypto services" in or from the Netherlands without being registered as a crypto service provider with De Nederlandsche Bank.

The following two types of services are considered crypto services for purposes of the Wwft:

• Services for the exchange between cryptocurrencies and fiat currencies (exchange services);
• Services for the provision of custodian wallets (wallet services).

Anyone who provides these services in or from the Netherlands is required to register with De Nederlandsche Bank.

4. United States

Crypto-related services which do not otherwise fall within a traditional regulated financial service category are nevertheless still likely to be subject to AML requirements on account of falling within the definition of "money services businesses" under rules administered by the U.S Treasury Department's Financial Crimes Enforcement Network (FinCEN).The term "money services businesses" includes persons who act as a "dealer in foreign exchange" or a "money transmitter". Persons who operate a money services business must register with FinCEN and comply with the AML rules. Such persons are also likely to be subject to similar rules at state level.

5. Canada

The regulatory environment is similar to the United States in that that crypto related services that do not otherwise fall within a traditional regulated financial service category would still be subject to AML requirements if they fall within the definition of a money services business under Canada's AML legislation and regulations. The term "money services business" includes persons who deal in virtual currencies. Therefore, exchanging a virtual currency for fiat or another virtual currency, transmitting virtual currency for a client or receiving virtual currency for remittance to a beneficiary all requires registration.

6. Hong Kong

There are currently no specific laws covering crypto businesses. However, crypto businesses may be caught by AML requirements under the existing regulatory framework. For example, broker/dealers of securities are regulated under the Securities and Futures Ordinance and subject to licensing by the Securities and Futures Commission; stored value facilities (e.g. wallets/pre-paid cards) are subject to regulation by the Hong Kong Monetary Authority; and money service operators are subject to oversight by the Customs & Excise Department. All of these are subject to AML requirements.

Moreover, a licensing requirement for virtual asset exchanges will be introduced in 2022 which will require platform operators to perform AML checks.

7. Australia

The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) regulates business activities in Australia known as "designated services". Crypto-assets were brought within the ambit of the AML/CTF Act through the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2017 (Cth). Now, under the AML/CTF Act, exchanging digital currency for money in the course of carrying on a digital currency exchange business, is a designated service.

Digital currency can also be connected to a number of other designated services, for example, if it involves an international funds transfer instruction or providing a remittance service. As an organisation that provides a designated service(s) must be registered with, and comply with, the Australian Transaction Reports and Analysis Centre's reporting obligations.

AML/CTF requirements are triggered for crypto businesses in varied ways across countries. As a consequence of not meeting AML/CTF requirements which apply, amongst other penalties, regulators can readily commence investigations into suspected breaches – these investigations can be time consuming and intrusive and they can lead to the exercise of enforcement powers such as imposing significant fines and censures on firms or withdrawal of their registration.

In the next article, the authors will continue looking at cross jurisdictional perspectives, specifically how financial institutions approach crypto sector clients and will take a look into the issues faced by crypto businesses and the moving landscape going forward. Please keep an eye out for Part 2 in this series: "How financial institutions are approaching clients in the crypto sector".

Produced by Thomson Reuters Accelus Regulatory Intelligence 01-Nov-2021