Inherent risk assessment for Virtual Assets and VASPs

The risk assessment recognizes that virtual asset characteristics bring potential improvements but also carry risk of abuse by criminals for ML/TF activities:

  • the ability to have pseudo-anonymous or anonymous transactions
  • fast cross-border value transfers
  • non-face-to-face business relationships

Pseudo-anonymous and anonymous exchange virtual assets (i.e. virtual assets that are used primarily as a means of exchange or a store of value), such as Bitcoin and Monero, are considered to present a very high ML/TF risk. Platform virtual assets (i.e. virtual assets that give access to digital marketplaces and platforms) such as Ethereum and ERC20 tokens, also present a high risk.

As far as VASPs are concerned, most are considered to have a medium or low level of inherent ML/TF risk, with the exception of centralized exchanges which are assessed as “high.” Centralized exchanges include VASPs that offer trading services (exchange between virtual assets or between virtual assets and fiat currencies) and also typically custody services, and that perform such services with respect to pseudo-anonymous or platform virtual assets which are considered to be high or very high risk. bitFlyer Europe S.A. is cited as an example of a centralized virtual asset exchange in Luxembourg.

table-6-inherent risk for VA types.jpg

table-8-inherent risk for VA types.jpg

Tables Extracted from the ML/TF VERTICAL RISK ASSESSMENT: VIRTUAL ASSET SERVICE PROVIDERS - Grand Duchy of Luxembourg - Ministry of Justice - December 2020

The report identifies drug trafficking, fraud, forgery, and theft as the most significant threats posed by virtual assets and VASPs to Luxembourg, followed by emerging threats in cybercrime, extortion and sexual exploitation.

In addition to the factors highlighted above, it is important to recognize that the international nature of this segment and the limited censorship abilities of virtual assets are key drivers of risk. The sheer volume of transactions and the accompanying technological complexity makes risk identification, measurement, and mitigation a significant challenge.

Mitigating measures

The risk assessment highlights that, since the adoption of two pieces of legislation on 25 March 2020 (accessible here and here), VASPs in Luxembourg are subject to AML obligations. This means that VASPs must, in particular:

  • perform a ML/TF risk assessment, i.e. identify, assess and understand the ML/TF risks they are exposed to and keep such assessment up-to-date;
  • perform customer due diligence (at onboarding and during the course of the business relationship), i.e. identify their customers and their beneficial owners, monitoring transactions, etc.;
  • cooperate with the competent authorities, in particular with the CSSF and the Financial Intelligence Unit (Cellule de renseignement financier); and
  • ensure appropriate internal organization, governance and training for staff.

The risk assessment sets out examples of how VASPs can demonstrate compliance. For example, VASPs should ensure that their internal training programs are tailored to virtual asset / VASP specificities, and should implement appropriate technical solutions to be able to monitor transactions and activities. In this respect, the report suggests that VASPs may use third-party virtual asset tracing analytics solutions to monitor transactions and identify any suspicious activities. VASPs should also ensure that they take into account the risks identified in the report in order to build their own ML/TF risk assessments, depending on the services they provide and the virtual assets they are exposed to.

The importance of AML for the VASP registration procedure

VASPs should not underestimate the importance of their AML processes as these form an important part of the registration procedure with the CSSF. VASPs are in particular required to provide or describe:

Importance of AML for the VASP registration procedure.png


The cost of registration

Although the initial registration procedure itself is free, a Grand-Ducal regulation of 19 December 2020 introduced an annual fee of EUR 15,000 payable by all VASPs providing services in Luxembourg and registered in Luxembourg in accordance with the provisions of the AML Law. As registration is mandatory, the payment of the annual fee must be factored in by all VASPs that intend to set up in Luxembourg or to provide services in Luxembourg. The annual fee was not announced when the VASP registration procedure was first launched in March 2020. The report states that there are approximately 20 VASP registrations currently pending with the CSSF, but none yet completed. According to the CSSF’s website there are not yet any VASP registrants in Luxembourg (as of 9 February 2021).

Towards VASP maturity in Luxembourg

The inclusion of VASPs in the existing ML/TF framework, the development of a formal registration process (and fees), and the publication of the first risk assessment are clear indicators that virtual assets and VASPs are embedding themselves into the Luxembourg financial sector. This reflects a long-term strategy to build virtual assets and VASPs into the existing regulatory landscape.

You can find more information on the VASP registration procedure, as well as the definitions for “virtual asset service provider”, “virtual asset”, “virtual currency” and "custodian wallet service” in the links below: