Sanctions screening for (incoming and outgoing) crypto transactions

Q&A

In addition to the money laundering and terrorist financing risks, crypto transactions and the provision of crypto services also involve risks of non-compliance with sanctions regulations. Under the Sanctions Act 1977 (Sanctiewet 1977 – Sw) and the Regulation on Supervision pursuant to the Sanctions Act 1977 (Regeling toezicht Sanctiewet 1977 – RtSw), we supervise the internal control structures that crypto service providers must have in place to ensure compliance with the sanctions regulations (see the Open Book on Supervision). To do so, we assess the effectiveness of the procedures and controls aimed at ensuring compliance with sanctions regulations, including sanctions screening. This Q&A specifically addresses how crypto service providers can implement sanctions screening for a crypto transaction.

Published: 16 September 2022

Background - the European Union, following the lead of the United Nations and other bodies, has imposed sanctions on a number of countries, natural persons, legal persons and entities. Such sanctions are laid down in several European sanctions regulations. A well-known sanction is the freezing obligation: no funds or economic resources may be made available, directly or indirectly, to sanctioned natural persons, legal persons and entities.

Question 1:

Under Section 2 of the RtSw, providers of crypto services must take measures to check whether parties with whom they have a relationship appear on sanctions lists. Who, apart from customers, is included in the scope of the term "relationship"?

Answer 1:

Pursuant to the Sw and the RtSw, crypto service providers must take measures to ensure they adequately check their records, at a minimum, for matches between the identities of the natural persons, legal persons and entities with which they have a relationship and the identities of the natural persons, legal persons and entities listed in the sanctions regulations.

The RtSw defines a relationship as anyone involved in a financial service or a financial transaction. Based on the explanatory notes to the RtSw, the term relationship refers not only to an institution's customers, but also, inter alia, to the counterparties to transactions and the payees of transactions. The payees of an outgoing crypto (exchange) transaction or an outgoing wallet transaction may be customers of the crypto service provider, other crypto service providers or third-party natural persons, legal persons or entities. An incoming crypto (exchange) transaction or incoming wallet transaction may originate from the service provider’s own customers, other crypto service providers or third-party natural persons, legal persons or entities. Therefore, in addition to the customers of crypto service providers, other crypto service providers and third-party natural persons, legal persons or entities involved in the transaction fall within the scope of the term "relationship".

Question 2:

What measures must a crypto service provider take when facilitating crypto transactions to check whether natural persons, legal persons or entities involved are subject to sanctions?

Answer 2:

Providers of crypto services must always check whether their relationships appear on one or more sanctions lists (screening). This means that crypto service providers must, at a minimum, screen the counterparty and/or payee involved in each transaction. The crypto service provider can take a risk-based approach to determining the measures used to establish whether the identity of a counterparty and/or payee matches the identity of natural persons, legal persons or entities referred to in the sanctions regulations. It is up to the crypto service provider to decide how to perform these checks and what is necessary to do so, provided that the purpose of the sanctions regulations is achieved.

Adequate measures to effectively screen the counterparty and/or payee

In the case of a transaction to or from a crypto address not hosted by the crypto service provider (external crypto address), the holder of that crypto address can be the provider's own customer, another crypto service provider, or a third-party natural person, legal person or entity. In the case of transactions to and from external crypto addresses, crypto service providers must also be able to check, by means of adequate measures, whether the counterparty and/or payee concerned appears on one or more sanctions lists.

How providers establish the identity of the counterparties and/or payees in a transaction, and whether they are actually the recipient or sender, is not prescribed by regulation. The law does not prescribe any specific measure, provided that the measure taken sufficiently mitigates the risk of non-compliance with sanctions regulations.

This implies that sufficient information about the counterparty and/or payee must be requested for the purposes of effective screening, such as name, date of birth, place of residence and business address.
In addition, where the provider considers there to be a higher than minimal risk that the identity of a counterparty and/or payee does not match the specified identity, it must take adequate measures to establish that the counterparty and/or payee specified by the customer is indeed the recipient or sender.

This may involve identity fraud (the counterparty and/or payee uses someone else's identity), but it may also be the case that someone other than the specified counterparty and/or payee has access to the specified crypto address and the corresponding wallet.

The measures for carrying out adequate screening can be risk-based. Risk-based means that a provider must take more extensive measures for relationships that are considered higher risk in view of all relevant factors than for relationships that are considered low risk. Crypto service providers must make a risk analysis and implement appropriate measures on that basis. The risk-based approach is assessed in the context of the entire set of measures in place in the business; see also the Guidance on the Anti-Money Laundering and Anti-Terrorist Financing Act and the Sanctions Act. The explanatory notes to the RtSw state: “It [i.e. the relevant institution] must always ensure that the risk is minimal that a financial service or transaction will result in financial resources going to one of the natural persons, legal persons or entities listed in the sanctions regulations.”

Where a provider considers there to be a higher than minimal risk that the identity of a counterparty and/or payee is not consistent with the identity provided, it must take measures to establish the true identity of the counterparty and/or payee in order to perform effective screening. The Financial Sanctions Regulation Guideline of the Ministry of Finance states: “If no mitigating measures can be taken, if measures require too much effort or if there is too much residual risk, then the risk must not be taken. In the case of sanctions, there can be virtually no acceptable level of residual risk because the material prohibitions of the sanctions regulations must be observed.”

The crypto service provider must be aware that, while it can take a risk-based approach to screening measures, its follow-up actions such as reporting hits on sanctions lists and freezing assets constitute an obligation of result (i.e. best efforts do not suffice). For example, in incoming transactions, crypto service providers may choose to retain the cryptos in the (omnibus) wallet during the counterparty screening process before allocating them to the account of the customer who is the payee of the transaction.

Question 3:

What does the risk analysis consist of?

Answer 3:

Crypto services entail a high risk by their very nature, as the technology can facilitate a certain degree of anonymity of the crypto address holder and of transactions, and they are almost exclusively provided remotely. This means that crypto service providers are expected to mitigate these risks more rigorously than service providers that face a lower risk of non-compliance with sanctions regulations.

There are different risks associated with each type of crypto transaction. For example, a crypto transaction involving a wallet hosted by another crypto service provider that has been registered under the same conditions differs in terms of risk from a crypto transaction involving an unhosted wallet. The risk of non-compliance with sanctions regulations is higher in transactions where a crypto address not hosted by a provider does not reveal to whom it belongs, as in the case of unhosted/private wallets. Crypto transactions to or from third parties therefore involve the risk of cryptos being transferred to, or received from, a natural person, legal person or entity referred to in the sanctions regulations. It is the responsibility of the crypto service provider to assess this risk and take adequate mitigating measures.

Risks that may be considered in the analysis include those associated with the specific business model, the supervisory status of the provider's target customer group, the payment and payout options for fiat money, the customer's risk and transaction profile, geographical risks, relevant metadata (including IP address), and the ability to send cryptos to or from third-party natural persons, legal persons or entities. The characteristics of the specific cryptocurrencies must also be taken into account in the risk analysis. This list is not exhaustive.

Good practices

What concrete measures does DNB see in practice for providers of crypto services that could help manage the risks of non-compliance with sanctions regulations?

  • Legally enforcing in the contract with the customer or in the terms of use that the customer can only initiate transactions from and to its own crypto addresses.

  • Exercising restraint in accepting customers in sanctioned jurisdictions.

  • The integrity risk analysis that the provider must draw up to comply with the Wwft (Anti-Money Laundering and Anti-Terrorist Financing Act) also describes risks of non-compliance with sanctions regulations in detailed scenarios, including mitigating measures.

  • When onboarding a new customer, an explicit assessment is made of the risk of the customer failing to comply with sanctions regulations.

  • Investigating and monitoring (whitelisted) crypto addresses using pre- and post-transaction monitoring software.

  • Blocking crypto addresses linked to sanctioned natural persons, legal persons and entities.

  • Blocking transactions with crypto addresses not hosted by the provider.

  • Examining the technical aspects of the counterparty’s or payee’s crypto address in relation to the customer's profile and information provided by the customer.

  • Performing random checks to establish whether the counterparty and/or payee specified by the customer is actually the recipient or sender.

  • Making onboarding of counterparties and/or payees in transactions mandatory, including determination and verification of identity.

  • Conducting investigations based on metadata such as IP addresses used or timestamps.

  • The providers themselves provide customers with a crypto address (custodian or otherwise).

  • Performing checks by means of screen sharing or video call when logging in.

  • Performing checks using transaction signing or by sending a small amount of crypto (back) to the provider on request.

  • Using a unique, temporary deposit address known only to the customer.

Depending on the risks identified, a more intrusive measure or a combination of measures may be chosen. The complete package of measures is tailored to the specific risks of the customer and the transaction.
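As an added illustration of the screening flow described in Answer 2 and of several of the good practices above (blocking listed addresses, holding incoming cryptos in the omnibus wallet until the counterparty has been screened, requiring ownership proof for unhosted addresses), the following Python sketch is not DNB's code and not part of the Q&A. The sanctions-list entries, addresses, the 0.85 review threshold and the `ownership_verified` flag are all constructed assumptions; a real implementation would load the consolidated EU/UN lists and keep them current.

```python
# Added illustration, not DNB's code: screen an incoming deposit against a
# sanctions list and keep the funds in the omnibus wallet until cleared.
import re
import unicodedata
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import Optional

# Constructed placeholder entries and addresses, not real designations.
SANCTIONED_PARTIES = [
    {"name": "Boris Placeholderov", "dob": "1970-01-01"},
    {"name": "Placeholder Trading LLC", "dob": None},
]
SANCTIONED_ADDRESSES = {"bc1qsanctionedplaceholder00000000000000000"}

# Assumed threshold: fuzzy matches at or above it are possible hits that an
# analyst must resolve before the funds leave the omnibus wallet.
REVIEW_THRESHOLD = 0.85


def normalise(name: str) -> str:
    """Strip accents, case and punctuation, and sort tokens so that
    'PLACEHOLDEROV, Boris' and 'boris placeholderov' compare equal."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z0-9 ]", " ", ascii_name.casefold()).split()
    return " ".join(sorted(tokens))


def name_score(a: str, b: str) -> float:
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


@dataclass
class Deposit:
    txid: str
    from_address: str
    amount: float
    customer_id: str                  # our customer, the payee
    sender_name: Optional[str]        # as supplied by customer or originating VASP
    sender_dob: Optional[str]
    hosted_by: Optional[str]          # registered VASP hosting from_address; None = unhosted
    ownership_verified: bool = False  # e.g. message-signing or small test transfer done


@dataclass
class Decision:
    status: str                       # CREDIT, FREEZE or HOLD
    reasons: list = field(default_factory=list)


def screen_deposit(dep: Deposit) -> Decision:
    # 1. Address-level check: a listed address is a hit regardless of the name
    #    supplied. Freezing and reporting are obligations of result.
    if dep.from_address in SANCTIONED_ADDRESSES:
        return Decision("FREEZE", ["from_address on sanctioned-address list"])
    # 2. Without a counterparty identity nothing can be screened; the funds
    #    stay in the omnibus wallet until the information has been obtained.
    if not dep.sender_name:
        return Decision("HOLD", ["no counterparty identity to screen"])
    # 3. Name screening, with date of birth as a secondary discriminator.
    best = max(SANCTIONED_PARTIES, key=lambda p: name_score(dep.sender_name, p["name"]))
    score = name_score(dep.sender_name, best["name"])
    if score == 1.0 and (best["dob"] is None or best["dob"] == dep.sender_dob):
        return Decision("FREEZE", [f"exact match on '{best['name']}'"])
    if score >= REVIEW_THRESHOLD:
        return Decision("HOLD", [f"possible match on '{best['name']}' (score {score:.2f})"])
    # 4. Unhosted sender: higher risk that the named sender is not the address
    #    holder, so require ownership proof before crediting.
    if dep.hosted_by is None and not dep.ownership_verified:
        return Decision("HOLD", ["unhosted address without ownership proof"])
    return Decision("CREDIT", ["no sanctions match"])


class OmnibusLedger:
    """Incoming cryptos sit in `held` until screening clears them."""

    def __init__(self) -> None:
        self.held: dict = {}       # txid -> Deposit awaiting screening or follow-up
        self.frozen: dict = {}     # txid -> (Deposit, reasons), to be reported
        self.balances: dict = {}   # customer_id -> credited amount

    def receive(self, dep: Deposit) -> None:
        self.held[dep.txid] = dep

    def settle(self, txid: str) -> Decision:
        dep = self.held[txid]
        decision = screen_deposit(dep)
        if decision.status == "CREDIT":
            del self.held[txid]
            self.balances[dep.customer_id] = self.balances.get(dep.customer_id, 0.0) + dep.amount
        elif decision.status == "FREEZE":
            self.frozen[txid] = (self.held.pop(txid), decision.reasons)
        # HOLD: remains in self.held for analyst review or an information request
        return decision


if __name__ == "__main__":
    ledger = OmnibusLedger()
    for dep in [  # constructed sample deposits
        Deposit("t1", "bc1qsanctionedplaceholder00000000000000000", 0.5, "c1", "Anna Nobody", None, "ExampleVASP"),
        Deposit("t2", "bc1qcleanexample", 0.2, "c1", "PLACEHOLDEROV, Boris", "1970-01-01", "ExampleVASP"),
        Deposit("t3", "bc1qcleanexample", 0.2, "c2", "Boris Placeholderof", None, "ExampleVASP"),
        Deposit("t4", "bc1qcleanexample", 1.0, "c3", "Anna Nobody", None, None),
    ]:
        ledger.receive(dep)
        print(dep.txid, ledger.settle(dep.txid))
```

The HOLD state is the "retain in the omnibus wallet" behaviour from Answer 2: the deposit is neither credited to the customer nor silently dropped until the provider has established who the sender is. Note that a name match with a differing date of birth lands in HOLD rather than CREDIT, reflecting the point that residual risk in sanctions matters is essentially unacceptable.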

Statutory provisions

  • Section 10 of the Sanctions Act
  • Section 1, opening words and under b, of the RtSw
  • Section 2 of the RtSw

Disclaimer

Q&As provide further insight into our policy practice, because we use them to publish our interpretation of statutory standards. Institutions subject to our supervision may choose to comply with applicable laws and regulations in other ways, however. If they do so, they must be able to demonstrate and substantiate that their interpretation complies with applicable laws and regulations.

The good practices listed above have the status of suggestions or recommendations for crypto service providers. They are examples of possible applications that, in our opinion, provide a good interpretation of the obligations laid down in legislation and regulations. Good practices are indicative in nature and institutions are free to choose a different application as long as they otherwise comply with the law.

To read more about the status of our policy statements, go to the Explanatory guide to DNB's policy statements on Open Book on Supervision.

If any questions arise concerning the interpretation or accuracy of this Q&A, the Dutch version is leading.