AML regulations for Virtual Assets Service Providers in UAE
AML regulations for Virtual Assets Service Providers in UAE - Crypto AML Regulations in UAE
With the growing acceptance and attractiveness of Virtual Assets and the ever-increasing prominence of blockchain technology across various sectors of life, the Virtual Assets industry is booming in leaps and bounds. The virtual assets segment is directly impacting the financial sector and the economy as a whole.
With the increased movement in Virtual Assets, the need for intermediaries is also rising who can support and facilitate these transactions. We generally call them “Virtual Assets Service Providers.”
Given the above, it is critical to understand what the terms “Virtual Assets” and “Virtual Asset Service Providers” mean.
What is Virtual Assets?
Before we go to the phrase – Virtual Asset Service Provider, it is very critical to understand what Virtual Asset (“VA”) is and what all can be classified as such. As laymen for us, Virtual Assets are cryptocurrencies. But in reality, the VA is a broad concept evolving every moment, even as we read this.
Here, we can refer to the definition of “Virtual Asset” as prescribed by FATF, which reads as under:
“ a digital representation of value that can be digitally traded or transferred and used for payment or investment purposes.”
Recently, in the Cabinet Resolution No. (111) of 2022, the phrase “Virtual Asset” has been defined as under:
A digital representation of the value that can be traded or transferred digitally, can be used for investment purposes, and does not include digital representations of paper currencies, securities or other funds.
As apparent from the definition, the critical elements of a Virtual Asset are as under:
- VAs must be digital
- It should have the ability to be traded digitally and transferred so
- Should carry some value, as to be used for payment or investment.
It is all possible and enabled by the use of “Distributed Ledger Technologies” (DLT), which has revamped the financial services sector to a great extent.
The most common example of VA is virtual currencies such as Bitcoin, Ether, Dogecoin, and Stablecoins.
It is critical to note that VA does not include digital representations of fiat currencies, shares, securities, or any such financial asset. These are just e-money and not virtual assets. The reason is that mere digital representation of such assets does not easily imbibe a feature to trade or transfer the same digitally. For example, the fiat currency stored in a bank be easily transferred from one account to another, and ownership can be changed but cannot trade the same as such; thus, it lacks one of the fundamental characteristics of VA.
Accordingly, it is critical to understand and note that for a financial asset to qualify as VA, it should have an inherent quality of being traded and transferred digitally.
As we are discussing VA, it is to be noted that VA and the phrase “Digital Assets” (DA) are being used interchangeably by the public. It is imperative to understand that term “Virtual Asset” cannot be used in the context of every “Digital Asset,” as every DA need not be a VA, but every VA has to be necessarily a DA. Instead, DA is a broader connotation that includes the non-fungible tokens* (NFT) and VAs.
*NFTs are unique (may not be interchangeable amongst the NFT community) digital assets used as collectibles rather than as a mode of payment or investment. As such assets do not satisfy the primary feature of being used for payment/investment purposes, the same is not considered as VA, per FATF guidelines.
What is Virtual Assets Service Provider?
Having had a brief idea about virtual assets, it is pertinent to understand what Virtual Asset Service Provider (VASP) is. Here also, we would refer to the definition of VASP as provided by FATF, as under:
“a business which conducts one or more of the following activities or operations for or on behalf of another natural or legal person:
- an exchange between virtual assets and fiat currencies;
- exchange between one or more forms of virtual assets;
- transfer of virtual assets; (transfer means to conduct a transaction on behalf of another natural or legal person that moves a virtual asset from one virtual asset address or account to another)
- safekeeping and administration of virtual assets or instruments enabling control over virtual assets;
- participating in and provision of financial services related to an issuer’s offer or sale of a virtual asset;
The use of the word “conducts” in the opening line of the definition indicates that for a service provider to qualify as VASP, it need not necessarily be the primary provider but also includes a person who helps in the active facilitation of services, i.e., the person who assists in carrying out of the services.
Further, the phrase “as a business” in definition clarifies its scope, which is limited to the only person who carries out the VA-related activities for or on behalf of someone else for a commercial reason. It signifies the exclusion of persons carrying out VA activities for their benefit on an irregular or infrequent basis, without any commercial sense or facilitating anyone else.
Now, we will evaluate each of these five subsections of the definition to understand what all sorts of activities related to VA would get covered here.
1. The exchange between virtual assets and fiat currencies
A person, natural or legal, carrying out an activity of converting the fiat currency into virtual assets or vice versa in the course of its business, then such a service provider would be construed as VASP.
2. The exchange between different types of virtual assets
A person carrying out an activity of exchanging one type of virtual assets for another, i.e., a person providing services of offering one form of VA against exchange or payment of a different kind of VA, then such a service provider would be a VASP.
3. Transfer of virtual assets
Here, it is vital to understand the context in which the term “transfer” has been used. As clarified by FATF, “transfer” means to conduct a transaction on behalf of another natural or legal person that moves a virtual asset from one virtual asset address or account to another.
Accordingly, any person conducting a business activity, assisting or facilitating the transfer of ownership of the VA or even transfer of own VA of a person from one wallet to another.
Let us discuss some examples and sample cases around who can be considered as VASP or how to identify VASP in the context of exchange or transfer of VAs.
- It is pertinent to note that, most of the time, such exchange or transfer of VA takes place using some decentralized technology, where such VA exchange platforms have been created. Such software programs are “Decentralized or Distributed Application (DApp),” which operates on blockchain technology and facilitates digital assets and their transfer. The name suggests that such software or platforms run on a decentralized ledger. However, generally, these applications have a single authoritative party having specific controls over the software or application, which may include control over creating and launching a VA, enhancing the functionalities of the application and user interfaces, or collecting the fees. Thus, such DApp or software collects specific fees (generally in VAs) from the users for using or interacting with the DApp, which facilitates the exchange or transfer of VAs. These fees collected by applications go to the owner/developer, the application operator, or for the benefit of the community of such DApp.
- Such applications or software programs cannot be construed as VASP; however, the creator or operator of such application may be construed as VASP, as they are providing services to the users or facilitating the exchange or transfer of the VA using their software or application.
- Services related to Virtual Asset Escrow are used when sending/receiving or transferring the fiat currency in exchange for VAs when the custody of the funds is with the service provider.
- Brokerage services, where the provider facilitates issuing VAs and trading the same on behalf of the third person.
- Advanced trading and Order-book exchange services enable the parties to find each other, discover prices, access more sophisticated trading techniques (trading on margin or algorithm-based trading), and trade VA.
- Note that an application merely providing a platform for the buyers and sellers to find each other without facilitating the transaction between them would not be construed as a VASP.
- Virtual Asset Exchanges, which facilitates the exchange of VA for fiat currencies (cash, credit cards, wire transfers, etc.) against fees or commissions.
- Service providers offering the Crypto-ATMs would be treated as VASPs as they actively facilitate the exchange of VAs and fiat currencies through the kiosks.
4. Safekeeping or administration of virtual assets or instruments enabling control over virtual assets
Generally, the term “safekeeping” and “administration” of VA can be read in the same context, wherein the service provider would have the custody of the VA or the private key unique to the VA and carry out the transactions as instructed by the owner of the VA or the smart contracts on behalf of the service recipient. Further, as an extension, the term “control” indicates that the provider of such services would have capabilities or the power to trade/transfer the VA on behalf of the recipient.
A few examples of service providers fitting into this basket of services would be the companies providing custodial wallet service as they would be holding someone else’s VA.
It is critical to note that it would not include the providers offering auxiliary services such as providing internet or data storage services or software to the VASP (who is managing or controlling the VAs of the recipient of services), rather than engaging with ultimate recipients and accessing their VA.
5. Participating in and provision of financial services related to an issuer's offer or sale of a virtual assets
This clause covers the services concerning Initial Coin Offerings (ICO), a way to raise funds for new projects from early backers. It includes a person participating in ICO or providing financial services related to ICO. It includes purchasing VAs from an issuer to resell and distribute the same, book building, ICO underwriting, etc.
UAE Blockchain strategy 2021
In 2018, UAE government came up with its blockchain strategy 2021. Given the advantages of blockchain technology, the UAE blockchain strategy aims to transform 50% of government transactions on the blockchain platform by 2021. By adopting blockchain technology, the UAE government intends to save:
- AED 11 billion in transactions and documents processed routinely
- 398 million printed documents annually; and
- 77 million work hours annually.
Regulatory frameworks in UAE to govern the activities related to Virtual Assets
Given the increased popularity and use of virtual assets across the globe, the UAE government has issued various policies to promote the setting up of virtual asset companies in the UAE. The government has started issuing necessary regulations and forming regulatory authorities to regulate this market.
UAE Crypto Regulatory Authorities
Central Bank of the UAE (CBUAE) and the Securities and Commodities Authority (SCA)
UAE financial and capital markets are primarily governed by the Central Bank of the UAE (CBUAE) and the Securities and Commodities Authority (SCA).
The Dubai Multi Commodities Centre (DMCC) has opened a crypto centre, and it houses VASPs offering, issuing, listing, and trading crypto assets. It also welcomes companies developing blockchain trading platforms.
It is noteworthy that the CBUAE, in July 2021, as a part of its 2023-2026 strategy, decided that it would launch its first digital currency by 2026.
The Hon’ble Prime Minister of the UAE has recently issued Cabinet Resolution No. (111) of 2022 Concerning the Regulation of Virtual Assets and their Service Providers, effective from 13th January 2023, to regulate the virtual asset sector by mandating the licensing of specific virtual asset activities by the Securities & Commodities Authority (SCA) of the UAE or the local licensing authorities of specific Emirates. The said cabinet resolution does not apply to virtual assets activities regulated in a Financial Free Zone.
The Dubai Financial Services Authority (DFSA)
The Dubai International Financial Centre (DIFC) based companies are regulated by DFSA.
The Financial Services Regulatory Authority (FSRA)
The Abu Dhabi Global Market (ADGM) based companies are supervised by the FSRA.
The Virtual Asset Regulatory Authority (VARA)
The VASPs operating from the Emirate of Dubai (except for the units registered in the Dubai International Financial Centre).
UAE Crypto Regulations
UAE Crypto Regulations for Onshore Companies
UAE financial and capital markets are primarily governed by the Central Bank of the UAE (CBUAE) and the Securities and Commodities Authority (SCA).
UAE Onshore Companies are governed by SCA’s Decision No. 23 of 2020 concerning Crypto Assets Activities Regulation (CAAR).
CAAR also lays down AML/CFT requirements. CAAR provisions require reporting entities to:
- Set up a solid AML/CFT compliance framework
- Define policies and procedures for KYC and AML monitoring
- Ensure that the deposits and withdrawals are made only from and to a designated bank account of the entity, and the bank account must be maintained with an authorized financial institution. The SCA must have explicitly approved it if it’s a foreign financial institution.
- Ensure that the crypto assets are traceable
Further, they are also governed by the CBUAE’s Stored Value Facilities (SVF) Regulation 14 (SVF Regulation). The CBUAE has also issued the Retail Payment Services and Card Schemes Regulation (referred to above) (the “RPSCSR”). The RPSCSR applies to those providing payment token service.
The Cabinet Resolution No. (111) of 2022, effective from 13th January 2023, provides that the following activities related to virtual assets shall be licensed by the SCA or Local Licensing Authorities, as the case may be:
- provision of Virtual Asset Platform operation and management services,
- provision of exchange services between one or more forms of virtual assets,
- provision of Virtual Asset transfer services,
- provision of brokerage services in virtual assets trading operations,
- provision of Virtual Asset custody, management, and control services, and
- provision of financial services related to offering and/or selling by the issuer to the Virtual assets or participating in providing those services.
Moreover, the resolution also provides for the following for better compliance and regulation of the activities related to the virtual asset:
- No provider of virtual asset services shall operate in the UAE without necessary approvals and licensing from the Securities & Commodities Authority or Local Licensing Authority,
- Oversight of the above-mentioned activities by the Securities & Commodities Authority (SCA),
- Before issuing the license, the SCA shall verify the applicant’s fulfilment of the capital requirements, credit guarantees, compliance management system, commitment to AML regulations, etc.
- Compliance with AML regulations by the licensed providers of virtual assets services in terms of Federal Decree Law No. (20) of 2018 and it’s executive regulations, along with FATF recommendations issued explicitly for virtual asset activities.
Compliance and Risk Management Rulebook for VASP – Emirate of Dubai (except DIFC)
On 11th March 2022, Virtual Assets Law No. 4 of 2022 on the Regulation of Virtual Assets in the Emirate of Dubai came into force. It applies to virtual asset services in Dubai, except in the DIFC.
Further, VARA has been named as the supervisory authority for the virtual asset service providers seeking to operate in Dubai, whether mainland or free zones, except DIFC.
Moreover, in line with Virtual Assets Law No. 4 of 2022, VARA recently issued a detailed VASP compliance and risk management Rulebook to be adhered to by the companies providing services related to virtual assets. The AML/CFT section of the Rulebook provides for various mandatory compliance frameworks that a VASP has to follow mandatorily. The principal AML compliance aspects covered in the Rulebook are as under:
- Appointment of Money Laundering Reporting Officer (MLRO) with minimum 2 years of experience related to AML/CFT compliance,
- Conducting AML Business Risk Assessment,
- Designing and implementing the AML/CFT policies & procedures in line with the VARA Rulebook, AML Federal Laws and the FATF Recommendations related to the virtual assets segment,
- Client Due Diligence, including screening of clients, UBOs, Virtual Asset transactions and the Virtual Asset Wallet address,
- Transaction monitoring and suspicious transaction reporting to the FIU and VARA,
- Compliance with FATF Travel Rule,
- Maintaining of AML records for a minimum period of 8 years.
UAE Crypto Regulations for Financial Free Zone - Dubai International Financial Centre (DIFC)
The DFSA is a supervisory authority for the companies housed in DIFC. The DFSA has come out with a Consultation Paper No. 138, establishing its own regulatory framework for investment tokens. Very recently, on 8th March 2022 the DFSA came out with Consultation Paper No. 143 for regulating crypto tokens.
UAE Crypto Regulations for Financial Free Zone - Abu Dhabi Global Market
The Financial Services Regulatory Authority (FSRA) is a supervisory authority for the companies housed in Abu Dhabi Global Market (ADGM). The FSRA came out with a regulatory framework in 2015 concerning the crypto asset businesses. Further, The Financial Services and Markets Regulations (FSMRs) 2015 regulates crypto assets in ADGM.
in 2018 FSRA came up with FSRA Rules (Crypto Asset Legislative Framework).
The rules are:
(a) Conduct of Business Rules (COBS_VER04.250618) (see appendix for detailed amendments);
(b) Market Infrastructure Rules (MIR_VER03.250618) (see appendix for detailed amendments);
(c) Glossary (GLO_VER05.250618) (see appendix for detailed amendments).
In 2020 Financial Services and Markets (Amendment No 2) Regulations were issued.
Several guidelines have also been issued, including:
- Guidance – Regulation of Virtual Asset Activities in ADGM (“Virtual Assets Guidance”)
- Guidance – Regulation of Digital Security Offerings and Virtual Assets under the FSMR
- Guidance – Regulation of Initial Coin/Token Offerings and Crypto Assets under the FSMR (“ICO Guidance”)
On 21st March 2022, the ADGM issued a consultation paper No.1 of 2022 seeking proposals for enhancements to capital markets and virtual assets in ADGM.
Guiding Principles for VA Regulations by FSRA
In September 2022, FSRA issued a document laying down the guiding principles around its approach to Virtual Asset Regulation and Supervision for virtual assets companies operating or planning to set up VA units in ADGM.
These guiding principles suggest the high-level approach that FSRA would adopt to regulate the operation of the virtual asset in ADGM, focusing on maintaining the stability of the ADGM’s ecosystem, the risk associated with VA, protection of the customers using VAs and the ease of entry to new VA players in ADGM. Following are the 6 guiding principles laid down for VA regulation in ADGM:
Principle 1 – A Robust and Transparent Risk-Based Regulatory Framework
To oversee the VA activities and mitigate the inherent risk in the VA segment, the FSRA shall regulate the VA operations in ADGM. Its VA regulatory framework includes activity-specific rules and relevant guidance aimed at protecting the customers investing in VA and maintaining the financial stability and integrity of the market.
Principle 2 – High Standards for Authorisation
The authorization standards focus on admitting only such VA operators within ADGM who maintains transparency and meets the regulatory framework to prevent market abuse or any damage to ADGM’s ecosystem. For new applications for setting up a VA business unit in ADGM, FSRA shall grant an “in-principle” approval only to the applicants having the business plan and the controls matching the FSRA’s risk appetite. Final approval shall be provided only when the applicant has successfully completed the operational testing to the satisfaction of the FSRA.
Principle 3 – Preventing Money Laundering and Other Financial Crime
Owing to anonymity and easy access, FSRA mandates the application of AML/CFT regulations to the VA operators in ADGM. It includes adherence to ADGM-specific rules, Federal Laws and Cabinet Decisions on AML/CFT, FATF Guidance and Recommendations around VA. FSRA insists on transparency around the beneficial ownership and mandates the VA firms not to transact with the counterparty whose identity is unknown at any stage during the transaction
Principle 4 – Risk-Sensitive Supervision
FSRA shall follow a risk-based approach to supervise the VA segment, wherein the risk assessment shall be continuously done for the VA firms based on their size, nature and complexity. FSRA aims to ensure that the VA firms have effective controls and adequate risk management strategy, which is commensurate with the size and nature of the firm.
Principle 5 – Commitment to Enforce Regulatory Breaches
FSRA shall dedicatedly work towards addressing the ADGM business units’ non-compliance with regulatory requirements. For this, FSRA has powers to collate the information from the ADGM companies, conduct investigations, and take disciplinary actions to prevent non-compliance with ADGM rules.
Principle 6 – International Cooperation
Given the global spread of the VA operations, to mitigate the risk and support the mutual exchange of information between international regulators, the FSRA has entered into various bilateral and multilateral Memorandum of Understandings (MoUs). Further, FSRA encourages the development of international best practices for VA’s sustainable growth to be sustainable and is ready to support the principles of global organizations like IOSCO, the Basel Consultative Group and FATF.
AML/CFT regulations and obligations on VASP - AML Crypto Regulations in UAE
Given the anonymity involved and lack of central governing authority (as most of the virtual assets-related activities are being carried out through a decentralized platform), the Financial Action Task Force (FATF) recommended that VASPs should also be subject to stringent anti-money laundering and combatting of terrorist financing (‘AML/CTF’) regulations, the way traditional financial institutions are.
Accordingly, in line with FATF’s recommendations and increased activities related to virtual assets in the UAE, the government recognized the need to regulate the virtual assets segment. Here is the list of important regulations, cabinet decisions, and circulars applicable to Crypto Companies and Virtual Asset Service Providers in UAE.
- Cabinet Resolution No. (111) of 2022 Concerning the Regulation of Virtual Assets and their Service Providers.
- The Federal Decree-Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organizations.
- Federal Decree-Law No. (26) of 2021 amending certain provisions of Law No. 20 for 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organizations. Earlier, the original Decree Law provided that only Financial Institutions and the specified DNFBPs (Designated Non-Financial Businesses and Professions) would be subject to AML/CFT regulations. With amendments coming in, the AML/CFT rules and regulations also apply to Virtual Asset Service Providers.
- Cabinet Decision No. (10) of 2019 concerning the implementing regulation of Decree-Law No. (20) of 2018, as amended by Cabinet Resolution No. (24) of 2022. By amending the Cabinet Decision, the AML/CFT provisions are also made applicable to the Virtual Asset Service Providers.
- Cabinet Decision No. (74) of 2020 Regarding Terrorism Lists Regulation and Implementation of United Nations Security Council (UNSC) Resolutions on the Suppression and Combating of Terrorism, Terrorist Financing, Countering the Proliferation of Weapons of Mass Destruction and its Financing and Relevant Resolution.
- VASP Compliance & Risk Management Rulebook issued by Virtual Asset Regulatory Authority of Dubai (VARA).
(a) VASP obligations under AML/CFT law
As entities being subject to AML/CFT regulations in UAE, VASP would be required to adhere to the following requirements to identify ML/FT risk and mitigate the same:
- Appoint the Compliance Officer to manage the AML/CFT program in the company.
- Maintenance of AML/CFT policy designed considering the applicable regulations, money laundering and terrorism financing risk the VASPs are exposed to, VA-related red-flag indicators, etc.
- Conducting business risk assessment from ML/FT risk perspective (using a risk-based approach) and identify the risk the VASP is exposed to and the controls in place to mitigate it.
- Customer screening, risk categorization, and performance of adequate due diligence (generally enhanced, owing to the inherent nature of the VA).
- Screening of Virtual Asset transactions and the Virtual Asset wallet address.
- Reporting suspicious transactions and activities to the authorities.
- Imparting adequate training to the employees and senior management.
- Periodic audit of the AML/CFT framework adopted for the company by an independent team.
- Annual risk assessment reporting.
(b) Virtual Assets “AML/CFT” Compliance Policy
Adherence to AML/CFT regulations becomes easy once the entity has set standards and policies to be followed. Accordingly, it is of utmost importance for every VASP to develop and adopt the “Virtual Asset AML/CFT Compliance Policy.” You may refer to the VASP AML Compliance Policy template available on our website.
(c) Technology-driven KYC, Screening, and Transaction monitoring for VASPs
Since the entire VA network operates on the blockchain or similar technology, the authorities also encourage using technology or digital tools to carry out AML/CFT related compliances.
- For the “Know Your Customer” (‘KYC’) process, since most of the transactions between the recipient and the VASP would be non-face-to-face, some authorities suggest deploying tools or software that requests users to upload “selfie” as well as a copy of identity document bearing photo ID. Later, this technology should be able to match and verify the user’s ” selfie ” and the photo appearing on the ID.
- Further, various guidelines issued by different authorities encourage VASPs to deploy new technologies to enhance the efficiency of the customer onboarding process. It also includes functionality to screen the name of the user or customer against the international and local sanctions list in real-time, along with VA transactions and the VA wallet address.
- As part of transaction monitoring, some authorities insist on implementing the “Know Your Transaction” measures, enabling the VASPs to monitor the transactions from their origin to the destination effectively. The VASPs must collect every detail relevant to the transaction, about virtual assets, parties involved, locations, etc.
- Additionally, it is also recommended by the authorities to obtain the following details about VA or the customer or the transaction, mainly using the new technologies:
- Beneficiary and the originator of the VA
- The IP address of the customer, with an associated timestamp
- Wallet addresses involved.
ML/FT typologies and red-flag indicators relating to Virtual Assets (VA)
It is critical to understand the key ML/FT typologies associated with VA and VASP, given the great chances of this sector being exploited by the money launderers and for the financing of terrorist activities.
1. ML/FT typologies related to Virtual Assets (VA)
– The repeated withdrawal from one or more bank accounts of substantial amounts in cash, as a whole or in parts and within a relatively short period, without any apparent necessity and in combination with the repeated cashless receipt of sums of money (whereby the amounts received in the case of the trader in virtual currencies originate from the sale of virtual currencies).
– The purchase of virtual currencies whereby at least two of the following characteristics are fulfilled:
- the buyer offers his services through the internet through supply and demand sites;
- the buyer does not ascertain the identity of the seller;
- the buyer screens off his own identity;
- the buyer pays in cash;
- the buyer charges an unusually high exchange fee percentage;
- the transaction takes place in a (public) space where there are many members of the public present, thereby reducing the security risk for the buyer;
- there is no plausible legal or economic explanation for the method of exchange;
- the scale of the virtual currencies purchased is not likely to concern average private use;
- the buyer is not known to the tax authorities for his exchange establishment.
– The buyer or seller uses a so-called ‘mixer’ during the sale of virtual currencies.
– Use non-compliant exchanges to carry out the conversation between fiat and virtual currencies.
– Use cryptocurrency ATMs to convert the money quickly from fiat to virtual assets and vice versa.
– Multi-customer cross-wallet activity.
2. ML/FT red flag indicators for VASP
A. Red flags related to VA Transactions (Size and Frequency of the transactions):
– Manipulating VA transactions (e.g., exchange or transfer) in smaller portions to avoid the reporting requirement.
– Multiple high-value transactions carried out –
- Within 24 hours or period with minimal time gaps;
- Using a new or very old account not used for a long time.
– Transfer of VAs to multiple VASPs, located across different jurisdictions where
- there is no interconnection between the customer’s location, or
- there are no AML/CFT regulations.
– Firstly depositing VAs at an exchange and then instantly –
- withdrawing the VAs without any further activity, indicating redundant transactions and incurring unnecessary costs;
- transfer of one VA to another without logical commercial reason, or
- immediate withdrawal of the VAs to a private wallet from an exchange.
– Accepting fraudulent or theft funds.
B. Red flags related to VA Transaction Patterns (Transactions concerning new users):
- Depositing a large amount at the time of opening a new account is not consistent with the customer’s profile.
- Withdrawal, in a day or two, of the large amount deposited at the time of opening a new account or trades such a large amount on the same day.
- Trading the entire amount of VAs or withdrawal of the same to take off the whole funds from the platform by the new user.
C. Red flags related to Virtual Assets Transaction Patterns (Transactions concerning all users):
– Trading through multiple accounts with no reasonable explanation.
– Regular transfers in a day or a week to the same VA wallet –
- by more than one person;
- from the same IP address; or
- involving huge sums.
– Receipt of VAs from multiple unrelated accounts in smaller portions and immediately transferring the accumulated funds to another wallet or exchanging the entire value against fiat currency.
– Exchanging the VA against the fiat currency at a loss, without any business sense.
– Exchanging vast amounts of fiat currency against VAs, or one type of VA, to other kinds of VAs, without any logical rationale.
D. Red flags related to Anonymity associated with Virtual Assets (VA):
- Customers prefer VAs providing higher anonymity, even when the transaction cost is high.
- Moving a VA from a transparent blockchain to a centralized exchange and immediately trading it for Anonymity Enhanced Coins.
- An unregistered/unlicensed VASP operating on peer-to-peer (P2P) exchange websites, handling large amounts of VA on their customer’s behalf and levying high transaction costs.
- The abnormal volume of VAs exchanged against fiat currency at exchanges, without any business rationale.
- Transactions through accounts associated with VASPs, offering mixing or tumbling services.
- Transactions are offering to mix and tumbling services to disguise the movement of illegal funds between known wallets and darknet marketplaces.
- A transaction with an account or wallet linked with any known suspicious sources, darknet marketplaces, mixing/tumbling services, gambling sites, or illegal activities.
- Using decentralized hardware or physical / paper wallets to move the VAs across the countries.
- Users register their internet domain names using proxies or domain name registrars (DNS), which offer suppression of the domain names’ owners.
- Users getting themselves registered through an IP address associated with a darknet or software allows communication using encrypted emails and VPNs, providing anonymity.
- Transactions where unfamiliar encrypted communication means are used instead of a VASP.
- Multiple wallets are being controlled from the same IP address, involving shell wallets registered in the name of various users to hide the linkages.
- Using inadequately documented VAs or VAs connected with fraud.
- Users transacting through VASPs have weak CDD and KYC processes.
- Using VA ATMs/kiosks
- Incurring higher costs;
- – in high-risk jurisdictions, having a criminal background, or
- – multiple times involving small transactions.
E. Red flags about Sender / Recipients (Irregularities observed during account creation):
– Operating multiple accounts with different names to avoid trading or withdrawal-related restrictions imposed by VASPs.
– Transactions through –
- non-trusted IP addresses;
- IP addresses from sanctioned jurisdictions; or
- IP addresses are flagged as suspicious or “black-listed.”
– Frequent requests to open an account with the same VASP and from the same IP address.
– Corporate users have their Internet domain registrations in a different jurisdiction than their place of establishment.
F. Red flags about Sender / Recipients (Irregularities observed during CDD process):
- Inadequate KYC information or a customer hesitates or refuses to share the KYC documents or information on the source of funds.
- The customer shares incorrect information about the transaction, the source of funds, or the association with the counterparty.
- The customer provides forged documents, fake photographs, or identification documents as part of the KYC process.
G. Red flags about Sender / Recipients (Profile):
- A customer provides identification or account records shared by some other account.
- Differences in the IP addresses associated with the customer’s profile and the transaction-related IP addresses.
- Publicly available information about the customer’s wallet address being associated with illegal activity.
- Information about customer’s criminal association.
H. Red flags about Sender / Recipients (Profile of potential money mule or scam victims):
- The transferor is unaware of the VA and related blockchain technology. These people could be money mules hired by professional money launderers, or scam victims turned mules who are tricked into transferring illegal funds without knowing their origin.
- Significantly aged customers, operating an account and transacting in large volumes, indicating involvement in VA money muling or a victim of elder financial exploitation.
- A financially vulnerable person is assisting drug dealers in their illegal business.
- Inconsistency between the VA transactions involving significant amounts and the customer’s financial profile indicates the existence of money laundering or a money mule.
I. Red flags about Sender / Recipients (Other unusual behavior):
- Frequent changes in the customer’s identification information, email addresses, IP addresses, or financial information.
- A customer enters a transaction with multiple VASPs using different IP addresses daily.
- Text in VA message box indicating association of the transactions with criminal activity or the purchase of illegal goods.
- Repeated transactions by a customer with a subset of users at considerable profit or loss, indicating potential account takeover & removal of victim balances via trade or ML scheme to disguise the funds using VASP infrastructure.
J. Red flags related to Source of Funds or Wealth:
- Customers using VA wallets, IP addresses, or bank cards are known to have been associated with fraud, sanctioned addresses, ransomware schemes, darknet marketplaces, or illegal websites.
- VA transactions are associated with online gambling services.
- Using multiple bank cards connected with a VA wallet to withdraw the considerable value of fiat currency (crypto-to-plastic).
- Purchasing VAs using funds sourced from cash deposited into credit cards.
- The cycle of depositing the substantially high amount into a VA wallet using unknown sources of funds and subsequently converting the same into fiat currency indicates theft of funds.
- No information or incomplete information about the origin and owners of the funds, such as the involvement of shell companies.
- Placing funds into an Initial Coin Offering (ICO) without giving personal information about the investors.
- Transactions using pre-paid cards and immediate withdrawal after that.
- A customer sourcing funds from third-party mixing services or wallet tumblers.
- The primary source of customers’ wealth is investments in VAs, fraudulent ICOs, etc
K. Red flags related to Geographical Risks:
- Trading on an exchange not registered in the customer’s jurisdiction or not at all registered with any jurisdiction.
- The customer prefers a VA exchange or MVTS located in high-risk countries, where there are no or weak AML/CFT regulations for VASP.
- The customer is setting up a business in a jurisdiction that lacks strong AML/CFT regulations without any logical business explanation.
AML UAE at your service
As required by the UAE authorities and FATF, VASPs must adhere to international standards and manage their business against the ML/FT risk they are exposed to. Here, we can help you understand whether your business activity fits into the VASP activities charted out by FATF and your obligations as VASP from AML/CFT perspective. Also, we can assist you with documentation of the AML/CFT policies, conducting training, etc., and ensuring your compliance with the regulations.
Our Timely and Accurate AML consulting Services
For your smooth journey towards your goals
Share via :
FAQs On AML Regulations for Virtual Assets Service Providers
A Crypto Asset is a record within an electronic network or distribution database functioning as a medium for exchange, storage of value, unit of account, representation of ownership, economic rights, or right of access or utility of any kind, when capable of being transferred electronically from one holder to another through the operation of computer software or an algorithm governing its use.
Cryptoasset exchange is an important part of the cryptoasset ecosystem, where the exchange provides liquidity to the market participants. Unregulated Cryptoasset exchanges pose significant money laundering risks, while regulated ones can also be targeted in money laundering schemes.
The mainland companies or onshore crypto and other virtual assets companies in UAE are regulated by the Central Bank of UAE (CBUAE) and the Securities and Commodities Authority (SCA). Further, Virtual Assets Regulatory Authority (VARA), CBUAE, and SCA control Dubai-based virtual assets service providers.
The Dubai Financial Services Authority (DFSA) is a supervisory authority for companies housed in DIFC.
The Abu Dhabi Global Market (ADGM) based crypto and other virtual asset companies are supervised by the Financial Services Regulatory Authority (FSRA).
Yes, all Virtual Asset Service Providers (VASPs) have to register with the goAML portal in UAE.
- VASPs have to register on the goAML Portal
- VASPs are required to appoint the AML Compliance Officer to manage the AML/CFT program.
- Virtual Asset Service Providers have to conduct Business Risk Assessment (BRA)
- VASPs have to prepare their AML Policy and Procedures Manual
- VASPs need to conduct KYC, Screening, Risk Assessment of customers, suppliers, and third-parties
- VASPs have to conduct enhanced due diligence of customers, suppliers, and third-parties
- Crypto Companies and other virtual asset service providers have to file Partial Name Match Report (PNMR) with FIU UAE
- Virtual Asset Service Providers have to file Funds Freeze Report (FFR) with FIU UAE
- VASPs have to file Suspicious Activities Report (SAR) with goAML UAE
- VASPs have to submit Suspicious Transactions Report (STR) with UAE goAML portal
- VASPs have to provide Anti-Money Laundering training to employees and senior management
- VASPs have to submit High Risk Country Transaction Report (HRC)
- VASPs have to submit High Risk Country Activity Report (HRCA)
- VASPs have to get themselves audited for AML purposes by an independent auditor
- VASPs have to submit Annual AML Risk Assessment Report
- VASPs have to ensure that the entities and individuals they deal with are not engaged in proliferation financing
About the Author
CISA, FCA, CS, DISA (ICAI), FAFP (ICAI)
Pathik is a multi-disciplinary professional with more than 22 years of experience in compliance, risk management, accounting, system audits, IT consultancy, and digital marketing. He has extensive knowledge of Anti-Money Laundering rules and regulations, and he helps companies comply with legal requirements. Pathik also helps companies generate value from their IT investments.