Anti-Money Laudering and combating the financing of terrorism for virtual assets service providers: new Notice by BdP

On the 24th of January 2023, Portuguese Central Bank (Banco de Portugal – BdP) published Notice no. 1/2023 (Notice) regarding Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) in the virtual assets service providers (VASPs) sector. This Notice had been submitted for public consultation and has also received assent from the National Data Protection Authority.

This Notice covers matters foreseen in Law no. 83/2017, of 18 August (AML/CFT Law), as well as in Law no. 97/2017, of 23 August (Law 97/2017), which regulates the application and execution of restrictive measures approved by the United Nations or by the European Union (EU) and establishes the sanctions framework for breaches of said measures. In this sense, the new Notice adapts the content of Notice no. 1/2022, of 6 June (Notice 1/2022), which regulates the duties of financial entities supervised by the BdP, to VASPs’ specific context. It is furthermore connected to Notice no. 3/2021, of 23 April (Notice 3/2021), which regulates the registration procedure for VASPs with BdP, a mandatory requirement in the terms set by Article 112-A of the AML/CFT Law. These advances indicate the increased level of regulation of the sector in question, which has been associated to considerable ML/TF (Money Laundering and Financing of Terrorism) risk.

This increased level of regulation follows a global trend, with sanctions related to the breach of AML/CFT duties being ever more frequent in this industry. The sanctioning power which regulatory entities may exert is starkly demonstrated in cases such as the 50 million dollars sanction imposed on Coinbase, a cryptocurrency exchange platform, by the New York State Department of Financial Services (NYDFS), for its failure to adequately implement a system for the detection of illegal activity. The company was also ordered to invest at least 50 million dollars in the development of an adequate compliance system.

This new Notice is addressed to entities which develop activities with virtual assets within domestic territory (see Article 4, number 6, in connection with Article 2, number 1, paragraphs ll) and mm), of the AML/CFT Law, as well as of Article 2, number 1, paragraph k), of the Notice), registered as such with the BdP (see Article 112-A of the AML/CFT Law, and Notice 3/2021). Entities not registered in domestic territory are considered “entities of equivalent nature” (see Article 2, number 1, paragraph l), of the Notice) and, while they are not directly subject to the provisions of this new Notice, the business relations between them and entities registered in domestic territory are thereby regulated in several aspects, namely in relation to the implementation of enhanced due diligence measures.

The Notice further aims to harmonize national legislation with the international framework for combating ML/TF, pre-emptively including some of the content expected to be included in the European Union’s AML Package (the legislative package aimed at combatting ML/TF), which is now in an advanced negotiation stage. It is also driven by Recommendation 15 of the Financial Action Task Force (FATF), reviewed in 2018 to include provisions on VASPs, as well as by FATF’s Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers, published in 2021, as is evident, for example, in the inclusion of the travel rule in the Notice.

The goal of this Notice is to clearly define the procedures, tools, mechanisms, formalities and the provision of information duties, among other aspects deemed necessary to the fulfillment of VASP related AML/CFT duties, a sector which has been identified as being of high risk and in which entities have had less time to develop their experience in adhering to these duties – as the procedures associated to the registration of VASPs with the BdP only entered into force on the 14th of April 2021, in line with the Explanatory Memorandum of this new Notice.

The Notice, articulated with the legal framework combatting ML/TF, mainly aims to:

• Clarify how the provisions in the AML/CFT Law and in Law 97/2017 apply to VASPs, taking into consideration particular risks and technical characteristics of the sector, mirroring Notice 1/2022, only applicable to financial entities;
• Introduce innovative elements in this legal framework which are specific to the daily life of the VASPs sector.

Concretely, this new Notice issued by the BdP addresses the execution of preventive duties against ML/TF by VASPs which are subject to BdP’s supervision for AML/CFT purposes. The following provisions should be highlighted:

• The duty to define and implement an AML/CFT control function. This function should be segregated from the activities which it must monitor, with the exception of entities with less than 6 employees (not accounting for board members) and those with less than € 1.000.000 in revenue in the previous financial year (see Article 3 of the Notice). This heightened internal control duty for AML/CFT purposes also includes the designation of a Money Laundering Reporting Officer, which should take on such functions exclusively (see Article 5 of the Notice, in conjunction with Article 16 of the AML/CFT Law);
• Though it is now generally admissible, subcontracting of processes, services, or activities for complying with these duties is subject to a set of rules and limitations, including the VASP’s responsibility for such subcontracting, the prohibition of subcontracting when it jeopardizes the quality of the implemented measures, the duty to assess the underlying risks, considering ML/TF preventive measures and the legal framework of the subcontracted entity, among others (See Article 16 of the Notice);
• Videoconferencing has also been introduced as a possible means of identity confirmation, when performing customer due diligence in the terms set by Article 25 of the AML/CFT Law. It can now be used both by VASPs and by subcontracted entities, when admissible, and upon compliance with several safeguards and technical and general requirements;
• Customer due diligence is updated to reflect the reality of the VASPs sector, with the BdP suggesting the use of adequate tools to determine the origin and destination of funds and of virtual assets (such as network analysis tools, or wallet associated exchange histories, for example) (see Article 24 of the Notice). The type of operations which can be performed without identifying the client are also very limited (see Article 24 of the Notice). The means to ascertain identifying elements are the same as those provided for the financial sector (see Article 21 of the Notice);
• Provisions for a greater control of the origin and destination of virtual assets are included, with certain information on the sender and the recipient mandatorily accompanying their transfers (see Articles 37 to 40 of the Notice), following the travel rule proposed by the FATF in Recommendation 15;
• The duty to identify and evaluate specific risk factors for this sector (see Article 7 of the Notice) is included, based on the assessment performed by the FATF.

The breach of preventive duties by VASPs may constitute an administrative offence, under articles 169 and 169-A of the AML/CFT Law, punishable by fines up to € 1.000.000 (see Article 170 of the AML/CFT Law).

The Notice enters into force on the 15th of July 2023, with the exception of the usage of videoconferencing as a means to confirm someone’s identity (see Article 25, number 4, paragraph c), subparagraph i), of the Notice), which may already be used.

Morais Leitão’s team continues to analyze this new Notice in detail, preparing to assist our clients in fulfilling their AML/CFT duties. We remain fully available for any clarification regarding the impact of this Notice on the entities subject to it.