About Cryptoassets and Controls

By: Ilian Vasco

In previous instalments we discussed the approaches that different jurisdictions take to virtual assets. To date the most widely adopted is a risk-based approach that imposes on virtual asset service providers requirements similar to those of the financial sector (due diligence, a licence to operate, record keeping, suspicious transaction reporting). An outright ban on virtual assets remains a latent option, and one with fewer headaches for regulators.

Ideally, a virtual asset service provider should apply all of the preventive measures contained in FATF Recommendations 9 to 21; the same holds for financial and non-financial entities active in this market. Some of the less obvious elements of these recommendations are reviewed below:

Occasional Transactions


Due Diligence (DD) applies not only to regular customers but also to occasional customers who carry out virtual asset transactions above USD/EUR 1,000, whether in a single operation or in several that appear to be linked, and regardless of amount where money laundering is suspected or where the identification data obtained is presumed to be false. What counts as "occasional" is, of course, for each entity to define.


Identification and verification information


Customary identifiers such as physical address, date of birth and official identification number are still used. In this context, however, additional information is urgently needed, ranging from IP address with an associated timestamp, geolocation and device information to the customer's virtual wallet addresses and the transaction hashes associated with them.

It is highly advisable to consider digital identification options that meet the criteria of independence and trustworthiness proposed by the FATF in its guidance on the use of digital identity.


Risk Profiles


A profile should be built from the information obtained to drive the risk-based approach (higher or lower scrutiny of transactions, or termination of the relationship). At the customer level one can consider the nature and volume of business activity and the origin of the virtual assets deposited; at the segment level, groups of customers with similar transaction volumes using a specific virtual asset. Either way, these profiles should be updated regularly.



It should be noted that OFAC has already included digital currency addresses in the SDN list. This adds a new field to cross-check, and it deserves the same importance as name matching. Unlike names, addresses are matched exactly, so the case and format conventions of each chain have to be handled consistently or a listed address spelled differently will slip through. In addition, obliged entities can generate and share their own lists, e.g. of participants who refused to continue operating once the due diligence requirements were requested.
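As an added example (not part of the original article and not based on any real list), the following Python screens the originator and beneficiary addresses of a transfer against a watchlist of digital currency addresses. The watchlist entries, the `ListedAddress` type and the function names are constructed for illustration; the placeholder addresses are not real SDN entries. The point it demonstrates is the normalisation step: Ethereum and bech32 addresses are case-insensitive and must be canonicalised before comparison, whereas legacy Base58Check Bitcoin addresses are case-sensitive and must be compared exactly.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ListedAddress:
    """One digital currency address taken from a sanctions list.

    `chain` follows the OFAC convention of currency tickers
    ("XBT" for Bitcoin, "ETH" for Ether). Hypothetical type for this example.
    """
    chain: str
    address: str
    listed_party: str


# Constructed sample watchlist. These are placeholder addresses made up for
# this example; they are NOT real SDN entries and must not be used as such.
SAMPLE_LIST = [
    ListedAddress("XBT", "1TestAddrNotRea1Abcdefghjkmnpq", "Sample Entity A"),
    ListedAddress("ETH", "0x" + "0" * 36 + "beef", "Sample Entity B"),
]


def canonical(address: str) -> tuple[str, str]:
    """Return (chain, canonical form) for an address, or raise ValueError.

    The canonical form is what gets compared, so two spellings of the same
    address must map to the same string:
      - Ethereum: hex digits are case-insensitive (EIP-55 mixed case is only
        a checksum), so everything is lower-cased.
      - Bitcoin bech32 (bc1...): case-insensitive; mixed case is invalid.
      - Bitcoin legacy Base58Check (1... / 3...): case IS significant, so the
        string is kept exactly as given.
    """
    addr = address.strip()
    if re.fullmatch(r"0x[0-9a-fA-F]{40}", addr):
        return "ETH", addr.lower()
    if re.fullmatch(r"bc1[02-9ac-hj-np-z]{6,87}", addr, flags=re.IGNORECASE):
        if addr != addr.lower() and addr != addr.upper():
            raise ValueError(f"mixed-case bech32 address is invalid: {address!r}")
        return "XBT", addr.lower()
    if re.fullmatch(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}", addr):
        return "XBT", addr
    raise ValueError(f"unrecognised address format: {address!r}")


def build_index(entries: list[ListedAddress]) -> dict[tuple[str, str], ListedAddress]:
    """Key every listed address by its canonical form for exact lookup."""
    index: dict[tuple[str, str], ListedAddress] = {}
    for entry in entries:
        index[canonical(entry.address)] = entry
    return index


def screen(address: str, index: dict) -> Optional[ListedAddress]:
    """Exact match of one address against the index.

    Unlike name screening there is no fuzzy matching: an address either is or
    is not on the list. An unparseable address raises instead of silently
    passing, so a parsing failure cannot be mistaken for a clean result.
    """
    return index.get(canonical(address))


def screen_transfer(originator: str, beneficiary: str, index: dict) -> list[tuple[str, ListedAddress]]:
    """Screen both sides of a transfer; returns [(role, hit), ...], empty if clean."""
    hits = []
    for role, addr in (("originator", originator), ("beneficiary", beneficiary)):
        hit = screen(addr, index)
        if hit is not None:
            hits.append((role, hit))
    return hits


if __name__ == "__main__":
    idx = build_index(SAMPLE_LIST)
    # A mixed-case spelling of the listed ETH address still hits (constructed input).
    for role, hit in screen_transfer("1NotListedAbcdefghjkmnpqrstuvwx",
                                     "0x" + "0" * 36 + "BEEF", idx):
        print(f"{role}: {hit.chain} address belongs to {hit.listed_party}")
```

In production the index would be rebuilt from the published list on every update, and a `ValueError` from `canonical` should block the transfer for manual review rather than be swallowed.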


Maintenance Records

Obliged entities must keep records of transactions and due diligence information for at least five years. Here, information identifying customers and beneficiaries takes on greater importance than in the traditional financial market: keeping public keys or addresses[1] is not enough, and neither is relying on blockchain records alone. Although the authorities may be able to trace transactions back to a specific wallet, linking that wallet to a natural person is not easy, which is why the additional information kept by virtual asset providers is necessary.



Countries such as the United States, the United Kingdom and Mexico have legal frameworks that require operating licences for virtual asset market participants. Logically, besides applying for a licence itself, an obliged entity should verify whether its sending or receiving counterparty holds one.

Transmission of information

Obliged entities in this market must obtain, hold and transmit to their counterparty the information on the originator and beneficiary of the transaction, and must refrain from processing transactions for which that information is incomplete.


Although the FATF is technologically neutral, it points to some technologies useful for meeting this requirement in real time, all of them based on public-key cryptography: SSL/TLS connections, X.509 certificates and APIs, among others.

Many aspects of the prevention system that obliged parties must apply, such as the identification and treatment of PEPs, the degree of due diligence applicable and continuous monitoring, are not covered here. We have left them aside because they are the ones most similar to the traditional financial market, while emphasising that they are no less important.


[1] In cryptoassets the public key, or more precisely the address derived from it, can be understood as a kind of bank account number used to receive coins, while the private key is used to sign and send them.