Virtual Asset Service Providers (VASPs) carrying on business in Ireland have been “designated persons” for the purposes of Irish AML legislation, and required to register with the Central Bank of Ireland for AML/CFT purposes, since 23 April 2021.
The Central Bank supervises VASPs from an AML/CFT perspective only. In its latest Anti-Money Laundering Bulletin, published on 11 July 2022, it noted “significant and widespread weaknesses in the proposed risk and control frameworks of the vast majority of applicants”, with a number of those weaknesses recurring across a number of applicants.
The Central Bank highlighted a number of points which it expects applicants to take into consideration if their applications are to succeed:
- applications should be complete e.g. procedures should accompany policies, documented risk assessments should be provided (rather than simply the risk register), and any outsourcing policies and service level agreements should be provided;
- applicants should assess and document AML/CFT risks by reference to their customers and business activities;
- risk assessments must be specific to the firm and the risks applicable to its customers and business activities;
- applicants should document how, after assessing their control frameworks, they establish the residual risk rating for each of the risk factors set out in Irish AML legislation;
- risk assessments should take account of Central Bank guidance, Irish AML legislation and the National Risk Assessment;
- policies and procedures must show that all relevant legal and regulatory obligations have been considered and complied with; they must also reflect the operational reality, and be supplemented by guidance;
- where applicants use group policies and procedures for parent/group companies based in other jurisdictions, they must be adapted to the specifics of the Irish entity and the Irish legal and regulatory framework;
- when carrying out customer due diligence (CDD), firms should also focus on beneficial ownership, the purpose behind opening the account and whether the customer is a politically exposed person (rather than simply focusing on verifying identity); policies and procedures should also be in place covering how CDD will be refreshed;
- firms need to have effective sanctions screening processes in place, coupled with appropriate escalation procedures;
- outsourcing must be clearly documented (in particular, the provider’s obligations) and subject to sufficient oversight;
- where a person is proposed for a Pre-Approval Controlled Function, the individual questionnaire must be submitted promptly; and
- the applicant must have, at a minimum, a physical presence in Ireland with at least one employee in a senior management role based here.
The Central Bank’s press release and bulletin make it clear that a failure to meet the above expectations is likely to result in an application being refused. It also noted that most applicants had not taken up the opportunity of a pre-application meeting, and in many cases had not taken the Central Bank’s guidance into account when preparing their applications. VASPs planning to apply to the Central Bank should focus on the matters highlighted in the bulletin, and consider availing of the pre-application meeting with the Central Bank to iron out any potential issues as early as possible in the application process.
For more information on plans to regulate crypto-assets more widely, read our recent update: Crypto-Assets and AML: Agreement on MiCA; AML Action Plan progresses.
If you have any questions on the above, please contact our market-leading Financial Regulation Group.