Announcement of the Advisory Authority for Combating Money Laundering and Terrorist Financing, regarding the National Risk Assessment – NRA with respect to virtual assets and virtual asset service providers
Τhe Advisory Authority for Combating Money Laundering and Terrorist Financing (Advisory Authority), having regard to the international standards and in particular FATF Recommentation 15 on the conducting of a National Risk Assessment prior to the introduction of new technology, has acted as follows: Through the collaboration of the Ministry of Finance and the House of Representatives, a specialised Risk Assessment on the introduction of Virtual Assets (VA) and Virutal Asset Service Providers (VASPs) in the Republic, was commissioned in July 2020, from a specialised US Advisory Firm, Bandman Advisors, with expertise in FinTech & RegTech and Crypto Asset technology. All relevant stakeholders participated and provided relevant information for this endevour.
The findings and recommendations of this Report, were taken into account in the drafting of the primary and secondary legislation on AML/CFT enacted in 2021 for this respective sector. The Report which has been finalised in November 2021 is being published on the Ministry of Finance’s website, as per the provisions of article 57 of the Prevention and Suppression of Money Laundering and Terrorist Financing Law and in accordance with the EU AML/CFT Directives. We take this opportunity to thank all parties that assisted in the production of the Report and in particular Bandman Advisors for their excellent collaboration, insight and meticuluous work.
Some of the key findings and recommendations of the Report are listed below. The Authorities are committed to implementing the relevant recommendations and mitigating the ML/TF risks for this sector.
Some of the Key Findings:
- There is very limited VA or VASP (or VASP-type) activity in Cyprus. There have been limited access points for VA into the broader Cyprus economy.
- There is a widespread perception that the VA/VASP sector is high risk, but overall there is limited direct understanding or experience regarding the specific Money Laundering (ML) and Terrorist Financing (TF) risks of VA and VASP sector on the part of key authorities. CySEC has had initial direct supervisory experience supervising ML/TF risks of a small subset of entities.
- CySEC will have a critical role supervising VA activities, leading Cyprus’s efforts to mitigate VA/VASP ML/TF risks.
- The Police have acquired some direct experience and sophisticated understanding with VA.
- There is very limited to no use of specialised commercial cryptocurrency AML compliance and intelligence/blockchain forensics and transaction monitoring tools and databases. Supervisors, law enforcement and the FIU have received little to no access to and training on their use.
- As of late 2020 Cyprus had not implemented the wire transfer rule for transfer of VA for FIs and VASPs, often referred to as the “Travel Rule” for VA. The deficiency can be corrected in secondary legislation.
- Current measures to mitigate NPO vulnerabilities, including the consulting project and risk assessment currently being undertaken on behalf of the Minitry of Interior (MOI), are not taking into account the VA/VASP sector.
- Processes for updates from supervisors to obliged entities on designations to sanctions lists and other communications are designed for normal business hours. Because VA markets, unlike traditional financial markets, are active on a 24/7/365 basis, this could be a material gap with regard to VASPs and movement of VA (partly mitigated by other sources of updates available to obliged entities through widely available databases).
Some of the Recommended Actions:
- The Central Bank of Cyprus (CBC) and the Cyprus Securities and Exchange Commission (CySEC) should update their respective AML/CFT Directives to include measures dealing specifically with VA/VASPs. The revised directives should expressly incorporate the Travel Rule for VA wire transfers to address the FATF deficiency, and should make enhanced due diligence (EDD) indicators and requirements for VA that are currently implicit more explicit.
- In light of CySEC’s role supervising VASPS and VA activities and leading Cyprus’ efforts to mitigate VA/VASP ML/TF risks, it should also provide education to its supervised obliged entities regarding identification of suspicious activity in relation to VAs.
- Firms in the FI sector should expressly adopt written policies and procedures to comply with the wire transfer rule for VA. As the highest priority, CySEC should ensure that FIs already engaging in VASP-type activities do so.
- Authorities should start to maintain and share data and metrics specific to VA/VASPs. Although activity levels now are believed to be negligible, this will enable an evidence-based baseline as activities increase, promoting earlier detection of risks or changes to risk levels.
- Training and significant capacity building should be made available with respect to VA/VASP ML/TF risks, as well as technological and market evolution in VA/VASP sector. Training needs should be led and monitored at the Advisory Authority level.
- Supervisory authorities, Law enforcment and the FIU should receive in depth training of these issues and enhance their capacity accordingly.
- Cyprus should leverage its collaboration with other jurisdictions that have had additional and complementary experiences with the VA/VASP sector, drawing from these relationships to identify lessons and best practices. Such international cooperation could be an important channel for Cyprus to strengthen and accelerate its capacity building for the VA/VASP sector.