From 2020, digital currencies will be included in the European system for preventing money laundering and terrorist financing. Companies offering virtual currency services will thus become subject to the supervision and control of the Financial Market Authority (FMA). The new provisions are based on the Fifth Anti Money Laundering Directive (Directive (EU) 2018/843), which in Austria was transposed into the Financial Market Money Laundering Act (Finanzmarkt-Geldwäschegesetz or FM-GwG).
What was previously “reserved” for banks and financial service providers will in future also apply to any company offering virtual currency services. Specifically, wallet providers, crypto exchanges or trading platforms, peer-to-peer service providers, issuers of crypto assets and crypto asset teller machine operators will be covered. Such companies must identify their customers, check the origin of the funds and comply with any reporting and standstill obligations. Furthermore, companies offering virtual currencies must register with the FMA. Affected service providers have been able to submit applications to the FMA since 1 October 2019. Registration must be completed by 10 January 2020 at the latest and costs EUR 3,000.
1. What is a virtual currency?
Section 2, paragraph 21 of the FM-GwG defines a virtual currency as “[...] a digital representation of a value that has not been issued or guaranteed by any central bank or public authority and is not necessarily linked to a currency established by law and that does not have the legal status of a currency or money but is accepted by natural or legal persons as a medium of exchange and which can be transmitted, stored and traded electronically.”
The legislator makes it clear with this legal definition that virtual currencies – despite their misleading name – are not to be regarded as currencies in the narrower sense. Whether the respective crypto currency is classified as a virtual currency within the meaning of the FM-GwG depends particularly on its non-state origin, use as a medium of exchange and tradability. Clearly, crypto currencies such as Bitcoin, Ethereum, Litecoin, and Ripple & Co fall under the new definition of virtual currencies. Whether the FMA believes that other types of virtual currency should also fall within the scope of the FM-GwG will become apparent in the next few months.
2. Who is subject to the new money laundering rules and registration requirements?
If a service provider wishes to offer virtual currency services in or from Austria, it must comply with the due diligence and reporting obligations for the prevention of money laundering and terrorist financing, and must apply to the FMA for registration beforehand (Section 32a of the FM-GwG). The obligation to register applies to both natural and legal persons. Recital 10 of the Fifth Anti Money Laundering Directive states that the redesign of the money laundering legislation should cover all potential uses of virtual currencies. According to Section 2, paragraph 22 of the FM-GwG, a company offering virtual currency services is a service provider that offers one or more of the following services:
- Wallet provider (services for storing the secure private cryptographic keys that allow a customer to hold, store and transfer virtual currencies);
- Crypto exchanges/trading platforms (services for exchanging virtual currencies with fiat money and virtual currencies with each other);
- Peer-to-peer service providers (services that enable virtual currencies to be transferred);
- Issuers of crypto assets, crypto asset operators (financial services for the issuance and sale of virtual currencies).
3. What rules must be observed?
The new main obligations of companies offering virtual currency services concern AML (Anti Money Laundering) and KYC (Know Your Customer). When the new legislation enters into force, information on the origin of the funds used must be obtained and verified. Thus, the identity of the customer or the beneficial owner must always be established. Furthermore, all business relationships must be continuously monitored, and a corresponding plausibility check of the respective transaction behaviour must be carried out based on the information obtained from the obligated company.
A particularly complex challenge is therefore that every customer of a crypto exchange must provide information about the origin of their assets. The customer must specify how and when they bought the respective virtual currency, for example, by presenting the transaction document. The service provider must document all this and create a system for this purpose that collects all relevant information seamlessly. The service provider must then verify the truthfulness of the information received.
As already known from the banking sector, service providers are also subject to reporting and standstill obligations. They must also carry out a risk assessment and, if necessary, submit evidence to the competent supervisory authority. If – for whatever reason – this is not possible, the transaction may not be carried out. In addition, the business relations must be terminated and, if necessary, a Suspicious Activity Report must be submitted to the FMA.
4. Ongoing supervision by the FMA
Irrespective of whether the obligation to register is properly fulfilled, service providers are subject to ongoing supervision by the FMA to ensure they comply with the FM-GwG and the Money Transfer Act (Regulation (EU) 2015/847) provisions on virtual currencies from 10 January 2020. The FMA does not exercise any further supervision – specifically on areas covered by other legal acts. In addition, the relevant supervisory framework is limited to services offered in Austria. If a company is active in foreign financial markets as well as Austria, it must also observe the regulations applicable there.
5. How does registration work?
If a service provider subject to registration is a legal entity, its management is obliged to submit the following information and/or documents to the FMA:
- Company details (specifically, company name, registered office, business address, e-mail address and telephone number, company register number);
- Current excerpt from the company register or a public excerpt from the register or database of the service provider comparable to the excerpt from the company register;
- First name, surname, date and place of birth of the managing director, incl. copy of photo ID;
- First and last name, date of birth, place of birth and copy of the photo ID of the beneficial owner (= at least 10% of the share capital or voting rights or other significant influence);
- Current extract from the criminal record of all managing directors and all beneficial owners;
- Description of the business model with precise descriptions of and details about the respective virtual currency services offered, including details of any planned or ongoing business activity;
- Description of the internal control system and the strategies and procedures planned to meet the requirements of the FM-GwG and the Money Transfer Act (Regulation (EU) 2015/847);
- Presentation of the company’s ownership and control structure in an organisational chart. In addition, the extent of the beneficial owner’s participation must be disclosed.
6. Application and consequences of failure to register
In principle, the application must be submitted before the respective service is provided for the first time via the FMA’s P.O. Box or by e-mail to the address firstname.lastname@example.org The service provider will be informed of the authority’s decision on the registration in due course. If all the conditions have been fulfilled by the applicant, the service provider will be included in the authority's enterprise database. A list of all registered service providers will be available on the FMA homepage. It has been possible to submit applications to the authority since 19 October 2019. Service providers must pay a one-time fee of EUR 3,000 for the application process. In addition, service providers will incur costs for ongoing supervision by the authority, the exact amount of which cannot be estimated until a few months after the registration obligation enters into force. If a service provider fails to register (on time), the FMA may prohibit it from providing the respective service and impose fines of up to EUR 200,000.
On one hand, the now obligatory registration with the FMA represents a further hurdle for the affected companies to clear before launching on the market. The regulation is likely to make it particularly difficult to establish new crypto companies because the associated administrative and, above all, financial costs are so high. It will become clear over the coming months how the service providers affected will react to these innovations on the crypto market.
Some of the companies that will in future be obliged to register are already implementing AML or KYC measures voluntarily. In each case, however, it must be determined whether these correspond to the expectations of the legislator. Because companies offering virtual currency services will now have to comply with obligations that previously only affected credit institutions and financial service providers, it is likely that smaller stock exchanges will have particular difficulties meeting the requirements of the new legal situation.
On the other hand, the introduction of this new regulation will certainly lead to greater transparency and higher security on crypto exchanges. This brings the oversight of crypto service providers closer to that of banks and financial service providers, clearly indicating a certain level of acceptance by the legislator and the authority.
From a commercial point of view, companies should make sure they register in good time, especially as crypto services cannot be provided without proper registration. This in turn means that certain areas within the company – such as the internal control system to ensure compliance with the FM-GwG and the Money Transfer Act – must be structured accordingly and adapted if necessary.