RegSol Blog

Central Bank highlights weaknesses in Virtual Asset Service Providers’ AML/CFT Frameworks

July 2022

On 11th July 2022, the Central Bank issued a bulletin to VASPs outlining its regulatory expectations and highlighting recurring weaknesses it has observed in VASP registration applications to date and their Anti-Money Laundering and Countering the Financing of Terrorism (‘AML/CFT’) Frameworks.

In the vast majority of applications, the Central Bank noted a lack of understanding and compliance with key AML/CFT obligations, in addition to significant control weaknesses, thereby increasing the risk of criminals using their products or services to launder money or finance terrorism.

What are VASPs?

The Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (‘CJA 2010’) was amended by The Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021 (‘CJA 2021’) to transpose elements of the Fifth Anti-Money Laundering Directive into Irish law.

Under the CJA 2021, A VASP is defined as a person who, by way of business, carries out one or more of the following activities for, or on behalf of, another person:
  • exchange between virtual assets and fiat currencies;
  • exchange between one or more forms of virtual assets;
  • transfer of virtual assets, that is to say, conduct a transaction on behalf of another person that moves a virtual asset from one virtual asset address or account to another;
  • custodian wallet provider;
  • participation in, and provision of, financial services related to an issuer’s offer or sale of a virtual asset or both.
A virtual asset is defined by the CJA 2021 as a "digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes but does not include digital representations of fiat currencies, securities or other financial assets". Some of most commonly known virtual assets such as Bitcoin, Ethereum and NFTs (non-fungible-tokens) fall within this definition.

Central Bank Requirements

Since 23rd April 2021, a person, or business, providing any of these the services outlined above is considered a VASP and are therefore a “designated person” under the CJA 2010. As such, they are required to comply with the AML/CFT obligations contained under Part 4 of the CJA 2010 as amended.

VASPs are also subject to the following requirements:

1. Registration with the Central Bank for AML/CFT Purposes

All VASPs established in Ireland are required to register with the Central Bank for AML/CFT purposes only.

In order for the Central Bank to approve a VASP's application for AML/CFT registration, the Central Bank must be satisfied that:
  • the VASP’s AML/CFT policies and procedures are effective in combatting the money laundering and terrorist financing risks associated with its business model; and
  • the VASP’s management and beneficial owners are subject to the Central Bank’s fit and proper regime. This regime imposes standards in relation to competence, capability, honesty, ethical behaviour and financial soundness. These requirements apply both at the time of registration of a VASP and on an ongoing basis.
2. On-going AML/CFT Obligations

As designated persons, VASPs are required to comply with AML/CTF obligations on an ongoing basis. This includes obligations relating to carrying out business wide risk assessments, customer due diligence, frequent monitoring of VASP customers and related transactions, filing of suspicious transaction reports, developing and implementing appropriate AML/CTF policies and procedures, maintaining records and ensuring provision of training.

Consequences for non-compliance

It is a criminal offence not to comply with the obligations set out under Part 4 of the CJA 2010 as amended and that a failure to do so may result in a fine, imprisonment or both. Alternatively, a breach of Part 4 of the Act may result in enforcement action under the CBI’s Administrative Sanctions Procedure for Designated Persons under the supervision of the CBI.

Key Issues highlighted in bulletin

The bulletin outlines the key issues and recurring weaknesses identified by the Central Bank during its assessment of VASP registration applications. In that regard, the Central Bank highlighted the following expectations for future VASP applicants in submitting complete and comprehensive applications:

1. Application Phase

The Central Bank expects applicant VASP firms to consider its guidance documents and reminds them of the option to attend a pre-application meeting to assist prospective applicants in answering specific questions about any aspect of the registration process and the completion of the VASP AML/CFT Registration Form.

Assessment Phase
  • Risk Assessment
The VASP’s AML/CFT risk assessment must focus on specific risks arising from a VASP firm's business model and drive that firm's AML/CFT control framework. Robust controls must be implemented to mitigate and manage the identified risks.
  • Policies and Procedures
The VASP should maintain a documented suite of AML/CFT policies and procedures, which are supplemented by guidance and accurately reflect operational practices. The policies and procedures should also demonstrate consideration of and compliance with Irish legal and regulatory requirements.
  • Customer Due Diligence
The VASP is required to know their customers, persons purporting to act on behalf of customers and beneficial owners. VASP firms must also have enhanced due diligence procedures for dealing with politically exposed persons (PEPs).
  • Financial Sanctions
The Central bank expects VASPs to have an effective screening system appropriate to the nature, size and risk of their business. VASP firms must follow clear escalation procedures in the event of a positive match.

  • Outsourcing
Where an Irish registered VASP outsources its AML/CFT functions, a documented agreement (for example, a service level agreement), must clearly define the outsourcing service provider's obligations. The VASP should also maintain evidence of sufficient oversight or be able to provide evidence of assurance testing.
  • Presence in Ireland
The Central Bank expects a physical presence located in Ireland and for there to be at least one employee in a senior management role located physically in Ireland, to act as the contact person for engagement with the Central Bank.

  • Pre-Approval Controlled Function (PCF)
Individual Questionnaires (IQs) for each proposed PCF role holder to be submitted as soon as practical.

How RegSol Can Help

As a leading provider of regulatory compliance solutions to SMEs operating in Ireland, RegSol assists firms applying to the Central Bank for registration/authorisation and in developing effective AML/CFT frameworks.

With a number of VASPs already availing of RegSol CEO, AnneMarie’s expertise, her extensive experience in both advising firms and drafting tailored, compliant AML/CFT business risk assessments and policies and procedures, means she is well placed to guide VASPs through the Central Bank’s registration application process in an efficient and time sensitive manner.

To see how RegSol can assist your firm please contact us at