The regulation of crypto-assets and recent anti-money laundering developments in Portugal

Rodrigo Formigal
Abreu Advogados, Lisbon
rodrigo.formigal@abreuadvogados.com

João Carvalho

Abreu Advogados, Lisbon

joao.carvalho@abreuadvogados.com

Introduction

In 2020, the Portuguese Government transposed Directive (EU) 2018/843, known as the Fifth Anti-Money Laundering Directive (AMLD5),[1] which amended Directive (EU) 2015/849 ('AMLD4').[2] The recent measures regarding the prevention of money laundering and terrorist financing in the crypto-asset ecosystem were enacted by Law No 58/2020 of 31 August 2020, which amended Law No 83/2017 of 18 August 2020, known as the law on anti-money laundering and combating the financing of terrorism ('AML/CFT Law').

Arguably, the main novelty of the transposition is the regulation of crypto-assets, such as crypto-currencies, in relation to anti-money laundering. Following the enactment of the AMLD5, the AML/CFT Law establishes an unprecedented legal definition of crypto-assets, as well as a new regulatory and compliance regime for crypto-asset activities and entities.

For starters, it is worth pointing out that the discussion around the regulation of crypto-assets has been a growing trend, both at EU and national levels. The increasing relevance of e-commerce has given way to a growing demand for faster and cheaper ways of processing transactions, without the need for a financial third party intermediary.

On the other hand, crypto-assets represent a twofold risk in terms of criminal offences, particularly money laundering activities. First, the pseudonymity/anonymity inherent to crypto-assets facilitates both the perpetration of the predicated offence as well as the laundering of the proceedings of the crime. Second, the cross-border flexibility that characterises crypto-assets, which is often coupled with the absence of a central, screening third party, enables criminal offenders to bypass the AML landscape of the real financial system. In fact, a recent instruction from the Bank of Portugal (BoP) has classified the use of products and services associated with crypto-assets as an ‘AML potential high-risk factor’, to which financial institutions should pay close attention.[3]

This article offers a brief analysis of the central aspects of the AML/CTF Law regarding crypto-assets, namely, (1) the legal definition, (2) the obliged entities, (3) the main regulatory principles and duties, and (4) its territorial scope. Attention will be paid to the Portuguese law features that depart from the AMLD5 regime, as well as to expected legislative and regulatory future developments.

Legal definition of crypto-asset and scope

The AML/CFT Law uses the term ‘virtual assets’, rather than the narrower concept of ‘virtual currency’ adopted by AMLD5.[4] For the purposes of this article, the term virtual asset and crypto-asset are used interchangeably.

Virtual assets are defined by the AML/CFT Law as:

‘A digital representation of value that is not necessarily attached to a legally established currency and does not possess a legal status of fiat currency, but is accepted by natural or legal persons as a means of exchange or of investment and which can be transferred, stored, and traded electronically.’[5] ​​​​​​​

At the outset, two relevant features derive from the legal concept of crypto-assets under Portuguese law. Firstly, the definition gives strength to the prevailing understanding that crypto-assets, including currency tokens, in principle, do not legally qualify as electronic money (e-money). At both at EU[6] and national[7] level, e-money is defined as:

‘an electronically, including magnetically, stored monetary value as represented by a claim on the issuer which is issued on receipt of funds [fiat money] for the purpose of making payment transactions.’

Where crypto-assets are not issued upon transfer of equivalent funds, and are not always redeemable at par value, they do not qualify as e-money. Accordingly, at this stage, neither e-money nor payment services regulatory measures, in principle, apply to entities carrying out activities with crypto-assets.

Secondly, the Portuguese definition is broader than the one provided for by AMLD5.

By adding virtual assets that are ‘accepted as a means of investment’ alongside the means of exchange, the AML/CFT Law encompasses both currency tokens and investment tokens. The latter are, arguably, excluded by the EU definition. It is not yet certain whether Portuguese authorities will consider utility tokens to be within the scope of the AML/CFT Law. Utility tokens are similar to vouchers, enabling users to obtain products and services through distributed ledger technology (DLT) platforms, by redeeming them against a certain performance of the issuer. Strictly speaking, they are not used as consideration in transactions (currency tokens), nor do they have an investment-like structure (investment tokens). Nevertheless, national authorities are expected to provide further clarification in this matter.

Obliged entities carrying out crypto-asset activities

In broad terms, it is possible to identify the following players along the crypto-asset chain:

• the initiator or issuer;
• miners;
• exchange service providers;
• wallet providers;
• tumbler service providers; and
• users.

Anti-money laundering regulation has traditionally focused on the intermediaries for the purposes of monitoring, detecting and reporting suspicious activities in the financial system. This ‘gatekeepers approach’ remains unchanged regarding crypto-asset activities in the EU and in Portugal. The obliged entities consist essentially of service providers that act as access and exit points to the crypto-assets ecosystem. Accordingly, users and miners of crypto-assets are, by definition, excluded from AML compliance mechanisms – at least for now.

Under Portuguese law, the obliged entities include any entity that performs in Portugal any of the following activities related to crypto-assets:[8]

• crypto-to-fiat exchange services;
• crypto-to-crypto exchange services;
• ‘virtual asset transfer’ services; and
• custodian wallet providers.

Once again, the AML/CFT Law has gone further than the AMLD5 in terms of scope, to include crypto-to-crypto exchange service providers. Categorically, operators of secondary markets where crypto-assets can be bought and sold in exchange for other crypto-assets – arguably, the majority of exchanges –[9] are considered obliged entities under the AML/CFT Law.

Moreover, combining the inclusion of crypto-to-crypto exchanges with the coverage of investment tokens could mean that initial coin offerings (ICOs) can fall within the scope of the AML/CFT Law. Issuers are already included as obliged entities by France’s, Italy’s and the UK's AML national legislation.

Regarding wallet providers, the scope is also not identical to that of AMLD5. The provision is not limited to the safeguard and also includes the safeguard and administration of crypto assets or any instruments (ie, not restricted to private cryptographic keys) in order to control, hold, store or transfer crypto assets.

Finally, it is not clear whether the AML/CFT Law encompasses two further intermediaries; namely decentralised exchange services and tumbler service providers. In the first case, platform providers are not a central party to the transaction, since they simply provide users with a marketplace for posting bids and offers.[10] If that is the case, difficulties may arise in identifying the concrete obliged entity, which may be either the owner or the operator of the software. In the second case, tumbler service providers do not exactly ‘exchange’ or ‘transfer’ a crypto-asset for another, but rather distribute them among various keys, returning them back to their owner after adding extra layers of anonymity/pseudonymity. In any case, further clarifications are expected to be provided by competent authorities.

AML compliance

Pursuant to the AML/CFT Law, the entities carrying out any of the abovementioned crypto-asset activities are required to register with the BoP.[11]

The registration process is not simple and involves a substantive level of information to be provided to the BoP. To be granted the necessary registration, members of management and effective beneficiaries of the obliged entities are subject to a fit and proper assessment by the BoP.[12] Identification of said persons, in addition to the disclosure of legal and business documentation, is therefore necessary, under the registration procedure.

A regulation proposal of the BoP further implementing the changes to the AML/CFT Law and containing a model for the registration application of crypto-asset activities was under public consultation until 10 December 2020. The regulation is therefore expected to enter into force during 2021, but at the time of writing the final regulation was not yet published.[13]

In addition to prior registration with the BoP, crypto-asset entities are subject to the general framework of AML for non-financial institutions and must ensure compliance with the whole set of duties set forth whenever the amount involved is greater than €1,000. Such entities shall, among other duties:

• define and implement policies, procedures and control mechanisms, including training, that are appropriate for managing money laundering risks to which they are likely to be(come) exposed;[14]
• identify customers and business owners (know your customer or KYC);[15]
• collect and maintain information on the business relationship with users (customer due diligence or CDD);[16]
• Monitor and scrutinise transactions on the basis of a risk assessment;[17] and
• Report and cooperate with competent authorities when confronted with suspicious transactions.[18]

Despite the familiarity of this AML scheme, specific issues may arise when dealing with crypto-asset activities. This is so because of an underlying change of paradigm in AML duties for obliged entities. Crypto-asset service providers are, in most cases, dealing with ‘known transactions of unknown parties’, instead of the traditional AML assumption of ‘known parties, unknown transactions’.

To assist entities in their CDD and reporting duties, the Financial Action Task Force (FATF) has issued a report on money laundering/financing of terrorism red flag indicators associated with virtual assets. In brief, the FATF proposes the following list and categories of red flag indicators:[19]

• indicators related to transactions: including, size, frequency, and patterns of transactions;
• indicators related to anonymity: particularly associated with dark net marketplaces and the use of tumbling services;
• indicators about senders and receivers: namely, customer profiles and irregularities;
• indicators in the source of funds or wealth; and
• indicators related to geographical risk.

Another question raised by the abovementioned paradigm shift relates to privacy coins.[20] Despite the fact that EU and national legislation expressly safeguards the principle of technological neutrality – which means no crypto-asset or crypto-asset activity shall be deemed illegal a priori – AML requirements such as CDD may be outright incompatible with privacy technologies and the business models of some platforms.[21] The same goes, in part, for tumbler services.

To be sure, the BoP has stressed that its powers as the competent authority regarding crypto-asset activities are limited to the supervision and enforcement of AML/CFT provisions. At this stage, the BoP does not have general supervisory and prudential powers in the crypto-asset market,[22] which remains largely unregulated for now.

Territorial scope

Presently, the anti-money laundering regime under the AML/CFT Law only applies to onshore entities. Portuguese authorities generally consider that regulated services are provided ‘in’ Portuguese territory as long as the customers are local (irrespective of the marketing tools utilised, including the internet). In fact, some provisions of the AML/CFT Law also apply to entities, such as financial entities, payment institutions, electronic money institutions, and other equivalent entities which operate in Portugal on a cross-border basis under the so-called ‘EU Passport’, but entities carrying out crypto-assets activities are not captured under such provisions.

In any event, we should wait until the BoP’s guidance/regulation is issued to confirm that in-scope services who target Portuguese residents are not subject to other specific obligations.

Conclusion – what to expect?

Policymakers have increasingly stressed the need for a regulatory framework capable of preventing the criminal misuse of crypto-assets without stifling technological innovation and the development of the digital economy.

We expect to see the adoption of further legislative and regulatory measures concerning crypto-assets and crypto-asset activities, namely regarding money laundering.

On the one hand, a great degree of uncertainty, ambiguity, and disharmony still exists regarding matters where certainty and consistency are warranted. On the other, fast technological developments in this area are likely to make legislation rapidly outdated.

For instance, the European Commission has recently adopted a Digital Finance Package, which proposes a broad legislative framework on crypto-assets, namely, the implementation of a passporting regime accompanied by strict requirements.[23] ​​​​​​​

Certainly, crypto-asset players will be expected to perform further AML assessments in conducting their activities in Portugal based on these recent developments. Furthermore, close attention should be paid to future developments of legislative and regulatory measures in order to comply with AML requirements in an efficient manner.