Virtual Asset Service Providers and their registration obligation with the CSSF
On 15 January 2020, the Commission de Surveillance du Secteur Financier (the “CSSF”) published a “ Communiqué” on virtual assets and virtual asset service providers (the “Communiqué”) drawing the entities' attention to different aspects: • On the one hand, to a new FATF Interpretive Note, from June 2019, on the FATF Recommendation 15 on New Technologies, that takes into account virtual asset service providers; • On the other hand, to Directive 2018/843 of 30 May 2018 (the “AMLD5”) amending the previous Directive 2015/849 and extending its scope; and • Finally, to two draft bills of law (N° 7467 and 7512) transposing AMLD5 into the national legal order and, consequently, also extending the scope of the Law of 12 November 2004 on the fight against money laundering and terrorist financing (the “AML/CTF Law”). The two bills/laws mentioned hereinbefore were adopted soon after the Communiqué, on 25 March 2020: • One of the two laws namely added new definitions to the AML/CTF Law, including for “Virtual currency”, “Virtual asset”, “Virtual asset service provider”, “Safekeeping or administration service provider” and “Custodian wallet service” (the “First Amending Law”); • The other law, which was already modified this year before its first anniversary, enshrined provisions in the AML/CTF Law that are applicable to specific entities, including the so-called 'virtual asset service providers' (the “Second Amending Law”). Curiously, although the Second Amending Law introduced special provisions on “virtual asset service providers”, the definitions referred therein are to be found in the other law - the First Amending Law. This “duplicity” of laws could explain why most articles published on this subject exclusively refer to the First Amending Law (as “the law of 25 March 2020”) without ever considering the Second Amending Law.
One explanation is the fact that the First Amending Law transposed most provisions of AMLD5 into the AML/CTF Law, while the Second Amending Law transposed specifically points (19) and (29) of Article 1 concerning special entities.
Obligation to Register
As we pointed out hereinbefore, one of the main modification of the AML/CTF Law is the scope of the extension. The provisions of this law are now equally applicable to the following entities:
(1) real estate developers; (2) notaries; (3) virtual asset service providers; (4) safekeeping or administration service providers (including custodian wallet services); (5) art traders (including art galleries and auction houses where the value of the transactions is equal or superior to EUR 10,000); and (6) persons acting as intermediaries in the trade of works of art (where the value of the transactions is equal or superior to EUR 10,000).
Of those entities, "v irtual asset service providers" (the “ VASP”) will retain our focus in this paper. The new article 7-1 (2) of the AML / CTF law provides that VASPs must be registered within the register of virtual asset service providers established by the CSSF.
Consequently, all entities established in Luxembourg or providing services in Luxembourg, are now required to register with the CSSF in order to perform VASP activities and provide virtual asset services.
A VASP is defined by the AML/CTF law as any person who, on behalf of or for their clients, provides any of the following services:
(a) The exchange between virtual assets and fiat currencies, including the service of exchange between virtual currencies and fiat currencies; (b) The exchange between one or more forms of virtual assets; (c) The transfer of virtual assets; (d) The safekeeping or administration of virtual assets or instruments enabling control over virtual assets, including the custodian wallet service (that is, a service to safeguard private cryptographic keys on behalf of customers, to hold, store and transfer virtual currencies); (e) The participation in and provision of financial services related to an issuer’s offer or sale of a virtual asset.
The registration requirement for the VASPs (as defined) does not exclude the need to apply for other licenses/registrations that may be required for other activities it may also perform, either by Luxembourg law or by the laws of other jurisdictions.
Definition of virtual assets All the aforementioned listed services relate to so-called virtual assets. The AML/CTF Law defines a “virtual asset” through a three-step test:
A general definition: it is a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes;
An inclusive definition: it includes virtual currencies which are, themselves, defined by the AML/CFT Law as a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by persons as a means of exchange and which can be transferred, stored and traded digitally;
An exclusive definition: it excludes virtual assets fulfilling the conditions of “electronic money” within the meaning of Article 1, point (29), of the amended Law of 10 November 2009 on payment services and virtual assets fulfilling the conditions of “financial instruments” within the meaning of Article 1, point (19), of the amended Law of 5 April 1993 on the financial sector. However, at this point it gets rather technical:
The definitions for “ virtual asset” and “virtual currency” were added to the AML/CFT Law in order to take into account the new developments introduced by the AMLD5 and FATF Recommendation 15 . The “ virtual asset” definition finds its source, not in the AMLD5 (which only defines “ virtual currencies” but not “ virtual assets” ) but in the FATF Recommendation 15 (which only defines “ virtual assets” but not “ virtual currencies”). It would seem, therefore, that the Luxembourg legislator cherry-picked definitions in different texts and then decided to relate them with one another, which might have unexpected interactions with each other.
Indeed, “virtual currencies” now appear in the Luxembourg AML/CFT Law as a subset of “ virtual assets”. Yet, the AMLD5 specifically addressed “virtual currencies”, through a stand-alone definition, which shows no dependency from “virtual assets” as a supposed more generic term. Therefore, when the AMLD5 refers to “custodian wallet services ” it only does so in reference to “virtual currencies” - not to "virtual assets".
As a result, after transposition of the AMLD5, the AML/CFT Law now comprises two seemingly contradictory definitions for “ custodian wallet services”. One defining it as “ the safekeeping of private cryptographic keys on behalf of customers, to hold, store and transfer virtual currencies” (definition that limits this service to virtual currencies only and excludes all other virtual assets), the other defining it as “ the safekeeping or administration service provider of virtual assets or instruments enabling control over virtual assets” .
Aside from “ virtual assets” and “ virtual currencies”, the new European Proposal for a Regulation on Markets in Crypto-assets currently provides for a third definition: that of “ crypto-assets” . It is not only a mere difference in wording as the definition for “ crypto-assets” - as it currently stands – refers to a digital representation of value “ or rights” which may be transferred and stored electronically specifically through the “ using of distributed ledger technology or similar technology” (in italics, its differences with “virtual assets” and “virtual currencies”). Albeit the AML/CFT Law definition clearly excludes electronic money and financial instruments, it may be difficult, at times, to distinguish “ virtual assets” from “ virtual currencies” and “ crypto-assets” as one appears to absorb and comprise all the others. Yet, they all are a digital representation of value, can be traded and transferred digitally, and are not issued/guaranteed by a central bank or a public authority . One should also pinpoint that, that difference between “ used for payment” (virtual asset) and “ accepted as means of exchange” (virtual currency) seems to be a purely cosmetic difference, possibly to avoid confusions or undermine “ virtual currencies” as a means of payment (despite the term “ currency”), as one and the other essentially mean the same.
Lastly, it is nonetheless worth to point out that neither the “virtual asset” nor the “ virtual currencies” definitions refer to the use of a “ distributed ledger technology or similar technology” for their transfer/storage, unlike what is currently provided for “ crypto-assets” in article 3, para. 1, of the Proposal for a Regulation on Markets in Crypto-assets . Therefore, the use of such technologies is not a condition for an asset to be considered a “ virtual asset” or a “ virtual currency”.
Registration process with the CSSF
VASPs, including entities already licensed/registered by a competent authority and in particular licensed financial institutions, must comply with the AML/CFT Law obligations and submit a registration file to the CSSF to be registered as VASP.
The registration process generally starts with a meeting at the CSSF premises. This meeting aims at presenting, both, the applicant and its project. The CSSF will then determine, based on the project, whether a VASP registration is necessary. In case the applicant submits a formal registration file to the CSSF, it must include all the required documents and information .
Depending on whether the applicant is a natural or a legal person, it must provide the information as required with its registration request.
Documents and information must be submitted to the CSSF through a form available on the CSSF website. Naturally, the submission does not entail an automatic registration. The registration is only effective once the CSSF added the VASP to its register.
After submission, the CSSF will examine the registration file, may exchange with the applicant and organise meeting(s) with it. It may request additional information/documents during the registration process. Among the elements verified by the CSSF is the legal requirement for the applicant professional standing (no criminal records). The registration will take place once the CSSF finished its analysis. The entity details are then published in a public register established, kept and maintained by the CSSF. If significant changes would occur to the VASP activities after its registration, the registered VASP must immediately inform the CSSF in writing.
Registration or authorisation/license?
Unlike professionals of the financial sector, payment institutions and electronic money institutions (all three requiring a CSSF authorisation), VASPs do not require an authorisation/license per se but “only” a registration.
However, the registration process seems very similar to that of an authorization, especially considering that: • The VASP must submit a formal written application to the CSSF; • There is a registration process (which is, in its steps, similar to those of an authorisation); • The VASP will be registered in a public register; • The CSSF may collect fees from the VASPs subject to registration (note the subtlety: fees are collected "from VASP subject to registration" and not “for VASP registration”, which may imply a cyclical fee); • The CSSF may withdraw the VASP from the register in case of non-compliance with its AML/CTF obligations; • The CSSF has "several " AML/CTF supervisory powers over the VASPs; • The CSSF must approve beforehand the persons responsible for the VASP management and business policy ; • The CSSF may impose administrative sanctions on VASPs (in particular those provided by article 3-1 of the AML/CTF Law); and • Decisions taken by the CSSF may be referred to the Tribunal administratif (Administrative Court), where cases must be filed within one month (we suppose counting from the receipt of the decision). • The CSSF’s role regarding the registered VASPs is, however, limited to the registration, supervision and enforcement for AML/CTF purposes. One exception to this is the fact that the CSSF must be notified of, and approve beforehand, the persons (at last two persons) responsible for the management of the VASP and entitled to determine its business policy.
This provision in the AML/CTF Law might raise a few eyebrows given that the intent of the law should be (at least, originally) to provide legal tools to fight money laundering and counter-terrorism financing. One can question how that objective could be achieved through a curriculum approval of the individuals responsible for the VASP management and business policy.
Finally, the CSSF insists that, the fact that a VASP was added to the CSSF register does not equal to a positive assessment made by the CSSF of the quality of the services provided by the VASP . As such, the submission, the registration and/or the CSSF supervision may not be used for advertising or possible solicitations for business.
In practice however, only legal professionals are likely to make a difference between the taglines “ authorized by the CSSF” and “ registered with the CSSF ".
Compliance with AML/CTF
Once registered, the VASPs are required to comply with the AML/CTF professional obligations, including: • Identify, assess and understand the AML/CTF risks, taking into account risk factors including those relating to their clients, countries or geographic areas, products, services, transactions or delivery channels; • Implement customer due diligence before establishing a business relationship and apply, according to the customer’s risk level, a simplified customer due diligence or an enhanced customer due diligence; • Apply internal AML/CTF policies, controls and processs, such as model risk management methods, cooperation, record-keeping, internal control, compliance management, employee screening, and independent audit function (where appropriate); • Appoint a person responsible for compliance with the professional obligations as regards to the AML/CTF Law (compliance officer); • Conduct ongoing due diligence of the business relationship including scrutiny of transactions undertaken throughout the course of that relationship; • Monitor transactions and business relationship, and report unusual or suspicious activities to the CSSF; • Provide special AML/CTF training programmes to employees; • Cooperate with the Luxembourg authorities responsible for AML/CTF and self-regulatory bodies. All entities with an activity related to virtual assets are advised to verify whether they need to register with the CSSF as a VASP and initiate that registration process and ensure how to comply with all their AML/CTF professional obligations.
Follow up with our lawyers
Our team specialised in Fintech, DLT and Artificial Intelligence is at your disposal in case of questions or need of assistance :
Erwin SOTIRI, Partner
Ruben MENDES, Associate