The Central Bank of the United Arab Emirates (CBUAE) has issued comprehensive guidance for licensed financial institutions operating in the country, outlining the risks associated with virtual assets (VAs) and virtual asset service providers (VASPs). With the guidance set to take effect in July 2023, financial institutions have just one month to ensure compliance with the new requirements, which primarily focus on anti-money laundering (AML) and combatting the financing of terrorism (CFT).
Experts in the financial services industry, including Barkha Doshi of Pinsent Masons, have underscored the need for swift adherence to the guidelines by licensed financial institutions in the UAE. Doshi emphasized that the guidance applies to all licensed financial institutions and aims to assist them in effectively implementing their AML/CFT obligations. She noted that the guidance aligns with the standards set forth by the Financial Action Task Force and provides clear definitions of VAs, VASPs, and VASP business models, while addressing the risks associated with virtual assets and service providers.
The CBUAE’s guidance comprehensively outlines the potential threats and risks posed by VAs and VASPs, as well as the relevant regulations governing these entities, including recent regulations introduced by the Securities and Commodities Authority. The document also highlights the presence of professional money laundering schemes that enable criminals to convert proceeds obtained through virtual currency on illicit online platforms.
Central to the guidance is the recognition that cryptocurrencies, the most common form of virtual assets, are particularly vulnerable to misuse due to their inherent characteristics, such as decentralization and anonymity.
Beyond raising awareness of the threats and vulnerabilities associated with VAs and VASPs, the guidance provides specific steps that financial institutions should take to mitigate risks when engaging with these entities.
The financial services regulator expects financial institutions to implement targeted preventive measures that identify, assess, manage, and mitigate risks related to VASPs and VA activities. These measures should be integrated into broader AML/CFT compliance programs and supported by appropriate governance and training.
Doshi clarified that the standards outlined in the guidance are not exhaustive and do not impose limitations on the measures financial institutions should undertake to fulfill their legal obligations.
As per the guidance, financial institutions must conduct and maintain enterprise-wide risk assessments, documenting risks related to customers exposed to VASPs or VAs. When conducting general customer due diligence, financial institutions should perform additional checks to determine if a customer is a VASP and ascertain the activities it conducts and the jurisdictions involved. Furthermore, institutions must assess if a customer provides downstream services to third-party VASPs and understand the extent to which the customer intends to use the institution to facilitate VA activity.
The guidance also mandates that financial institutions employ measures to mitigate money laundering and terrorism financing risks associated with VA investments. This includes conducting specific due diligence for all VASP counterparties and implementing enhanced control measures when engaging with high-risk VASP counterparties.
Doshi highlighted that the release of this guidance aligns with the recent efforts of the Securities and Commodities Authority to allow the licensing of VAs and VASPs in the onshore UAE. The UAE authorities aim to attract virtual asset businesses to the region by providing a welcoming and protective regulatory framework.
