Cryptocurrencies are now getting regulated in most jurisdictions, with existing rules expanding and becoming stricter. Learn why you need to know about cryptocurrency regulations and how businesses can stay compliant in different countries.
Today, there are approximately 18,000 different cryptocurrencies and 460 crypto-exchanges. As of December 2022, the global crypto market cap amounts to $857.16B. According to the World Economic Forum, $91 billion worth of cryptos are traded every 24 hours, most of which are Bitcoin or Ethereum.
So, the adoption of cryptocurrencies by both individuals and businesses has jumped in recent years—as has the amount of related illegal activity. Through July 2022, almost $2 billion was stolen in crypto through hacks, compared to just under $1.2 billion at the same point in 2021. Money laundering through crypto is another problem. Last year criminals laundered $8.6bn of cryptocurrency—up by 30% from 2020.
Therefore, most countries are either implementing or tightening existing regulations on crypto.Although country-specific regulations are usually built on FATF recommendations, each legislation has its own specifics—and companies providing services involving virtual assets must be aware of these specifics.
At the moment, cryptocurrency regulations already exist in many jurisdictions and continue to expand around the world.
At the international level, there is the Financial Action Task Force (FATF), a global money laundering and terrorist financing watchdog. The FATF issues global standards to prevent the misuse of virtual assets, which are then implemented in one form or another in national law.
In 2019, the FATF added amendments to Recommendation 15, based on which Virtual Asset Service Providers (VASPs) should be regulated in the same manner as financial institutions.
The Recommendation includes registration or licensing for VASPs at least in the jurisdiction where they are established, and compliance with AML regulations, such as Customer Due Diligence, KYC, transaction monitoring, sanctions screening, and other requirements.
Therefore, when it comes to registration or licensing, there are no global regulators for VASPs. According to the FATF, a company is considered a VASP if it provides the following services:
The definition of VASP may also differ depending on the jurisdiction, since the FATF’s definitions and recommendations are not mandated. Thus, each jurisdiction introduces their own definition of VASP and related regulatory measures.
Today KYC checks (as part of CDD) are mandatory for crypto operations in most jurisdictions.
KYC checks aim to identify and verify clients before establishing business relations, permitting transactions and other activities specified by law. The minimum information required during the client onboarding process depends on a given country’s legislation, but usually includes:
The above information then gets compared to government-issued documents submitted by the applicant.
During the onboarding process, KYC checks usually consist of the following steps:
To conduct KYC quickly and properly, crypto services often delegate this to specialized third-party solutions.
Check out these articles to learn why KYC is crucial for crypto:
Another AML requirement for VASPs is transaction monitoring. More specifically, , VASPs have to monitor customer activities and transactions on an ongoing basis in order to determine and report to authorities the following:
The FATF outlines the following red flags of money laundering when observing transactions:
Check out the following articles on the red flags of ML in crypto, and why crypto transaction monitoring is important:
The updated FATF Recommendations now require Virtual Asset Service Providers (VASPs) and financial institutions engaged in virtual asset (VA) transfers to follow the Travel Rule. This means collecting and sharing personal data of senders and recipients in a transaction. The FATF’s proposed threshold amounts to 1000$/€ for virtual asset transfers. Whereas if a transaction amount is lower than the threshold, VASPs can enjoy less stringent requirements (e.g., less information may be transferred). However, it should be noted that countries can establish their own thresholds or forego them altogether. This is stated in Recommendation 16, commonly referred to as the Travel Rule.
Members of the FATF and FATF-style regional bodies are already beginning to incorporate the Travel Rule into their respective anti-money laundering (AML) laws. However, the implementation has spurred a number of problems. According to the FATF’s Targeted Update on Implementation of FATF Standards on Virtual Assets-VASPs, 29 out of 98 responding jurisdictions reported having passed Travel Rule legislation as of March 2022, while only 11 jurisdictions have begun implementing enforcement and supervisory measures. Most recently, Japan announced that it would bring crypto transactions under the Travel Rule by May 2023. In the UK, Regulation 5 (on cryptoasset transfers) of the Money Laundering and Terrorist Financing Regulations comes into force on September 1, 2023. A similar law is expected in Lithuania in 2025.
Check these articles to learn how to stay compliant with the controversial Travel Rule:
What is the FATF Travel Rule? The ultimate guide to compliance (2022)
The Revised FATF Guidance on Virtual Assets: How Does It Affect DeFi?
We’ve broken down several popular crypto jurisdictions below:
Main regulator: Estonian Financial Intelligence Unit
Main regulation: the Estonian Money Laundering and Terrorist Financing Prevention Act
Who’s affected:
Travel Rule: implemented Read this article to learn why VASPs need to comply with local AML regulations: How the New Estonian AML Act Affects Virtual Currencies
Main regulator: Financial Markets Authority (AMF)
Main regulation: Monetary and Financial Code, PACTE law
Who’s affected: An actor may be considered a Digital Asset Service Provider (DASP) if it provides at least one of the following digital asset services, as mentioned in Article L. 54-10-2 of the Monetary and Financial Code: 1. The custody service on behalf of third parties of digital assets or access to digital assets, where applicable in the form of private cryptographic keys, with a view to holding, storing and transferring digital assets; 2. The service of buying or selling digital assets in legal tender; 3. The service of exchanging digital assets for other digital assets; 4. The operation of a digital asset trading platform; 5. The following services: a) the reception and transmission of orders for digital assets, meaning the act of receiving and transmitting buy or sell orders for digital assets on behalf of a client; b) the management of digital asset portfolios, meaning the act of managing, on a discretionary, client-by-client basis, portfolios that include one or more digital assets under a mandate given by a client; c) advice to investors in digital assets, which means giving personalized recommendations to a third party, either at their request or on the initiative of the service provider providing the advice, concerning one or more digital assets; d) digital asset underwriting, defined as the act of purchasing digital assets directly from a digital asset issuer, with a view to subsequently selling them; d) the guaranteed placement of digital assets, which consists in searching for buyers on behalf of a digital asset issuer and guaranteeing them a minimum amount of purchases by undertaking to buy the digital assets not placed; e) the non-guaranteed placement of digital assets, meaning the act of searching for buyers on behalf of a digital asset issuer without guaranteeing them an amount of purchases.” The registration requirement only refers to services listed in 1-4.
Travel Rule: not implemented Read the whole article to understand how VASPs can comply with crypto regulations in France: France Tightens Cryptocurrency Regulations as of June 2021. Here’s Our Guide to Staying Compliant
Main regulator: De Nederlandsche Bank
Main regulation: The Money Laundering and Terrorist Financing Prevention Act (Wet ter voorkoming van witwassen en financieren van terrorisme—Wwft)
Who’s affected:
Travel Rule: not implemented Read this article to understand regulations for VASPs in the Netherlands: Cryptocurrency Regulation in the Netherlands—How Companies Can Stay Compliant in 2022
Main regulator: Swiss Financial Market Authority (FINMA)
Main regulation: Anti-Money Laundering Ordinance (AMLO-FINMA), Anti-Money Laundering Act (AMLA), AMLO-FINMA7
Who’s affected: Financial intermediaries as specified in Articles 2 AMLA and 4 AMLO. As a rule, these include:
Travel Rule: implemented Read further: Switzerland’s FINMA Pushes New AML Rules to Crypto Transactions
Main regulator: Financial Services and Markets Authority—FSMA
Main regulation: Law on the prevention of money laundering and terrorist financing and on the restriction of the use of cash
Who’s affected:
Travel Rule: not implemented Check out this article to learn how to register a crypto business in Belgium: Guide to Mandatory Registration as a Crypto Business in Belgium
Main regulator: Monetary Authority of Singapore (MAS)
Main regulation: the Payment Services Act (PSA)
Who’s affected:
Travel Rule: implemented Read this article to get details on crypto regulations in Singapore: Singapore’s Digital Payment Token Regulations: Everything You Need to Know
Main regulator: the Financial Crimes Enforcement Network (FinCEN), the Commodity Futures Trading Commission (CFTC), the United States Securities and Exchange Commission (SEC)
Main regulation: United States Bank Secrecy Act (BSA) and amendments to it, provided by the Patriot Act, AMLA; FinCEN Implementing Act
Who’s affected: AML/CFT obligations in the US apply to entities that the BSA defines as “financial institutions” such as futures commission merchants and introducing brokers obligated to register with the CFTC, money services businesses (MSBs) as defined by FinCEN, and broker-dealers and mutual funds obligated to register with the SEC. In 2019, FinCEN issued Guidance which clarified the application of the BSA to some business models operating in the virtual assets field. In 2021, AMLA also amended the BSA, expanding some definitions, in particular that “financial institutions” include “value that substitutes for currency”. Financial institutions now include, inter alia:
Travel Rule: implemented
Main regulator: Financial Services Commission (FSC)
Main regulation: Act on the Reporting and Use of Specific Financial Transaction Information
Who’s affected: Services involved in the following business activities:
Travel Rule: implemented Read this article to get details on crypto regulations in South Korea: The New Crypto Regulations in South Korea: How to Prepare for the Changes
Main regulator: Financial Crimes Investigation Board (MASAK), the Central Bank of the Republic of Turkey (CBRT)
Main regulation: Regulation on the Disuse of Crypto Assets in Payments, Regulation on Measures Regarding Prevention of Laundering Proceeds of Crime and Financing of Terrorism
Who’s affected: The AML law does not provide an explanation of the definition. According to the MASAK Guidance, crypto asset service providers mediate the buying and selling of crypto assets through electronic trading platforms.
Travel rule: status unclear Read this article to get details on crypto regulations in Turkey: Turkey Enacts Its First Crypto Regulations: Here’s How Businesses Can Adapt
The FATF, a global anti-money laundering watchdog, issues standards and recommendations on cryptocurrency regulations, which are not legally binding. However, they are often reflected in local crypto legislation, sometimes with modifications. In general, in most jurisdictions, cryptocurrencies and companies providing such services (VASPs) are subject to AML regulation on par with financial institutions. Additionally, registration/licensing requirements are applicable to them.
VASPs are supervised on a national level. International organizations, like the FATF, issue standards and recommendations for VASP regulations, which each jurisdiction uses as the basis for developing their own legislation.
Usually cryptocurrency is regulated by a government institution or agency, for example, a central bank or FIU.
On the EU level, Markets in Crypto-Assets (MiCA) project adoption is due. In addition, more jurisdictions are implementing the FATF Travel Rule (including Lithuania, the United Kingdom, Switzerland, etc.).