This site uses cookies to provide you with a more responsive and personalised service. By using this site you agree to our use of cookies. Please read our PRIVACY POLICY for more information on the cookies we use and how to delete or block them.

The significance of KYC and AML/CFT procedures in the DLT industry

13 September 2018

In anticipation of the coming into force of the Virtual Financial Assets Act (the “VFA Act”) in October, companies active in this field are in preparation mode to ensure that their activity would be in compliance with applicable rules.

One of the main selling points for certain DLT platforms is the fact that it provides end-users with complete anonymity, or as anonymous as the user wishes it to be. Everything from the location, the transaction details, and the true identity of the senders and receivers remains completely anonymous. Whilst this is a big selling point for some, it does pose a significant headache when it comes to Anti Money Laundering (AML) and Know Your Customer (KYC).

Legal entities carrying out a VFA offering in or from within Malta, or which will be providing VFA services, will become subject persons once the VFA Act comes into force. Hence, the importance of having the right mechanisms in place to ensure compliance with the applicable legislation has become crucial. Such entities will need to abide with the rules and regulations issued by competent authorities and will need to ensure that policies and procedures are prepared with the objective of putting them into practice.

The purpose of AML and KYC procedures is for financial institutions and other regulated companies to obtain specific information from clients and potential clients, to satisfy various regulatory conditions. All banks, law firms, corporate service provides, or similar subject persons, are required to carry out such due diligence procedures to establish the identity and location of the individual, as well as to pinpoint where exactly the funds have come from.

When it comes to cryptocurrency, by its very nature it is not compatible with such regulations, and this is set to cause quite a challenge for operators that want to set up a base from within the EU. Whilst combining the two concepts is not the easiest of tasks, the benefits from doing so are vast as it ensures that Initial Coin Offerings (ICOs), token offerings, and exchange transactions remain above board and in line with the law.

Token Offerings/ICOs

Depending on where you are based, regulatory approaches to ICOs or token offerings can differ substantially. Countries such as India, Macedonia, Bolivia, Algeria, and Bangladesh have completely banned such activities, whilst Malta, Germany, Israel, America, and Russia all allow them subject to country-specific current and future regulation. Within each of these pro-ICO/token offering jurisdictions are specific requirements for AML and KYC with particularly stringent criteria needing to be met within the 28 EU Member States.

The investment of funds derived from illicit activity into ICOs or token offerings is a potential way to launder money as in theory, these investments can be done without any identification and under complete anonymity. With that being said, DLT allows for the traceability of transactions and, hence, criminals are always on the pursuit for ways on how they can integrate their illegitimate money into the ecosystem.

In a token offering, funds (crypto or fiat) can be exchanged for a token that represents an amount, a service, or a product that can then be redeemed. These tokens can be purchased anonymously and then passed on, traded, sold, or transferred without anyone being able to tell where they came from or where they are going. This is a huge cause for concern as any reputable start-up or entrepreneur would want to do everything possible to avoid their brand and product being associated with money laundering.

By implementing KYC and AML procedures into the token-offering process, the issuer of the token can be sure of who they are providing the token to and where the funds that are being used to purchase them are derived. By collecting all of this information and storing it in a database, evidence of compliance can be demonstrated at any time, in case of any investigations or potential future illegal movements.


One of the biggest sectors within the crypto-sphere is that of cryptocurrency exchanges and trading platforms. These exchanges facilitate both the purchase of tokens, and the trading of crypto-crypto, crypto-fiat, and fiat-crypto which can also be an attractive platform for money launderers. Many jurisdictions have clamped down hard on such exchanges, demanding various levels of due diligence before trading or purchasing can begin. That said, there are also exchanges that do not require any sign-up procedure before activities can commence.

Due to the increase in popularity of such platforms and their widespread use by citizens from multiple jurisdictions, stricter AML and KYC rules are being enforced. For example, to execute transactions over certain benchmarks, additional KYC is required, and in terms of AML, cooperation is requested when it comes to reporting suspicious transactions.

The VFA Act and what it means to Malta

Malta has become one of the world’s first jurisdictions to take significant steps to regulate in favour of the industry, whilst ensuring the protection of operators, customers, and other stakeholders. Through the introduction of three bills, due to come into force on  1 October  2018, the Maltese government is hoping to provide much needed legal clarification on the sector, as well as ensuring that all relevant businesses operating in and from Malta are in full compliance with local and EU legislation.

One of these bills, the Virtual Financial Assets Act seeks to provide regulation and investor protection through a variety of obligations, assurances, and guidelines. One particular part of the VFA Act pertains to Initial VFA Offerings, therefore covering inter alia ICOs and token offerings. Under the new rules, companies operating in the sphere of virtual financial assets may be required to apply for a licence with the Malta Financial Services Authority, as well as adhere to a number of stipulations regarding the whitepaper, marketing materials, and civil liabilities. They are also required to implement a fully compliant KYC/AML process that is applied to all parties deemed necessary by both local, and EU law.

Furthermore, certain entities are required to apply for a licence to carry out their services, and to determine whether the token is a virtual financial asset, a virtual token, or a financial instrument such as a security.

Part V of the Act refers to the obligations of licence holders and it outlines certain requirements that ensure full compliance with the Prevention of Money Laundering Act. These requirements include governing principles and responsibilities, fiduciary responsibilities towards customers, and consent requirements.

The 5AML Directive

On a pan-EU level, the upcoming Fifth Anti-Money Laundering Directive has been designed to fill the regulatory void that has been created as a result of the quick progression of the cryptocurrency sector. The new Directive came into force on the 9 July 2018, and Member States will have until the 10 January 2020 to transpose the provisions into national law.

The new rules pertain specifically to two different kinds of cryptocurrency business: providers that are engaged in exchange services between virtual currencies and fiat currencies, as well as custodian wallet providers.

Any business that falls into these two categories will be considered as an obliged entity and as such will need to ensure full compliance with AML/CTF legislation in the same way that more traditional financial institutions such as banks, are required to do. As soon as the directive becomes national law, both exchange operators and crypto wallet providers that operate in or from Malta will be required to implement measures to counteract money laundering, terrorist financing, as well as KYC procedures, and transaction monitoring.

Whilst most of these businesses that are operating in the EU have already implemented some level of KYC/AML/CTF procedures, this new legislation will formalise the requirements to provide more integrity for the sector.

Even though these steps may cause inconvenience to customers, and even criticism due to the amount of work required for businesses to implement such measures, these mechanisms are completely necessary. In order for the sector to grow and to be taken seriously by those that cast doubts upon it, it needs to become more transparent and trustworthy whilst at the same time shaking off any links to illicit activities. Through regulation and compliance, the integrity of the cryptocurrency world can continue to grow and investors, consumers, and industry movers and shakers will feel more inclined to adopt this disruptive and constantly evolving technology.

Emphasis is being placed on the fact that VFA Agents, which will be assisting issuers of DLT assets and VFA service providers when applying for their respective licence, will need to collect information on the source of wealth of the founders and/or shareholders to ensure that the funds being invested into the project have been generated through legitimate means.

Furthermore, the licensees under the VFA Act will also have obligations of verifying the source of funds of the contributors and end-users, as applicable. When dealing with fiat currencies, there are traditional methods of acquiring supporting documentation to confirm the source of funds, namely by requesting a copy of the individual’s bank statement and then highlighting their main source of income to be backed up by additional documentation such as payslips, dividend warrants and other similar documentation.

However, there are a lot of individuals and organisations in this industry that have acquired their wealth through the inflation of cryptocurrencies during the course of the years. Due to the fact that such cryptocurrencies are held in wallets (the ownership of which is hard to prove) it has become harder for service providers and other subject persons to be able to verify such wealth.

Albeit, in the past few years, we have seen an increase in start-up regtech companies developing software solutions for verifying source of wealth relating to DLT assets held in wallets. These platforms allow for an automated process of tracking DLT transactions to ensure that the manner in which they were derived is in line with what had been declared by such persons.


BDO Malta through its experienced professionals and partners provides a vast array of services to the DLT industry in the AML sector. In addition to carrying out AML audits and guiding clients in setting up proper KYC procedures, as part of the overall DLT service provision, we can assist our clients in setting up the proper KYC and AML procedures and internal controls in line with the requirements already emanating out of the VFA Act and which will be issued in the future through Rules applicable to both Issuers of VFA assets and providers of VFA services.

For further information, kindly get in touch with our Fintech team on [email protected]