Earlier this week the FIAU issued Implementing Procedures applicable to the Virtual Financial Assets (VFA) sector.

The new Implementing Procedures (IP) apply to VFA agents, VFA issuers and VFA service providers that are regulated by the Virtual Financial Assets Act. In the case of VFA issuers it is important to note that they would be expected to abide by all of the AML/CFT obligations in the PMLFTR even in situations where, for whatever reason, they fail to comply with the whitepaper registration requirement of the VFA Act.

The IP extend also to other subject persons who may not be licensed as VFA service providers but who may be handling VFAs in the course of carrying out relevant financial business or activity. Persons carrying out one or more of these relevant financial businesses or activities in connection with VFAs are thus subject to the rules of the IP for VFAs:

  • a person licenced under the Investments Services Act to act as custodian in relation to a collective investment scheme , or to provide the services of management of investments to a collective investment scheme,
  • collective investment schemes providing services in Malta; or
  • a person providing custodian or nominee services.

Depending on the particular context in which they take place,

  • a liquidator or a curator in bankruptcy acting in the course of liquidation or bankruptcy;
  • a legal or other exempt person providing VFA services in an incidental manner in the course of a professional activity that is regulated by legal or regulatory provisions or a code of ethics governing the profession; or
  • a person providing investment advice in the course of providing another professional activity not covered by the VFA Act, provided that the provision of such advice is not specifically remunerated,

may also be subject to the IP for VFAs.

The new sectoral IP emphasise the risks arising from the nature of Virtual Financial Assets, such as anonymity, immediacy, irrevocability and decentralisation. In order to mitigate such risks while taking consideration of the nature of the VFA business and the rapid improvements in this sector, the Business Risk Assessments prepared by the subject persons shall be reviewed bi-annually rather than on an annual basis, or earlier if necessary.

VFA service providers are obliged to commission an independent external third party to perform a review of their AML/ CTF controls, policies and procedures. The independent review must be carried out at least every eighteen months or upon any material change or enhancement to the VFA service provider’s AML/ CFT programme.

The IP clarify how Customer Due Diligence shall be performed in a VFA scenario. Notably, they also provide guidance on the application of Simplified Customer Due Diligence in low risk scenarios where customers are trading with VFAs under €1,000.

In terms of transaction records, data such as wallet addresses involved in the transaction, customer identification details, name of the parties involved, type and value of the VFAs transacted, details of the bank account or wallets in all transactions shall be collected and kept on file.

The IP provide guidance on how to deal with various types of wallets such as Private Wallets, Custodian Wallets and Multi-Signature Wallets. Subject persons are to apply analytical tools to identify the content of the wallets and the history of the coins. Wallet addresses involved in the given transaction must be checked for adverse media in the public domain. As part of the process of identifying Source of Funds, subject persons must establish the origin of the coins, having special regard to the mining activity of the customer.

The Annex of the IP provides an indicative list of red flags, trends and case studies in the VFA sector to help VFA service providers understand better what they should look out for when designing and implementing their AML/ CFT programmes.