19 November 2021, Supervision Q&A

The duration of this consultation phase is four weeks. You can respond until 17 December COB via consultatie@dnb.nl. After the consultation phase, DNB will publish a feedback statement explaining any further adjustments.

In addition to the money laundering and terrorist financing risks, crypto transactions and the provision of crypto services also involve risks of violating sanctions regulations. Under the Sanctions Act 1977 (Sanctiewet 1977 – Sw) and the Regulation on Supervision pursuant to the Sanctions Act 1977 (Regeling toezicht Sanctiewet 1977 – RtSw), the assets of individuals and legal entities on a sanctions list must be frozen and no financial services may be provided to such individuals and legal entities. DNB supervises crypto service providers’ compliance with sanctions regulations. DNB assesses the effectiveness of the procedures and measures aimed at ensuring compliance with sanctions regulations, including sanctions screening. This Q&A specifically addresses the ways in which crypto service providers implement sanctions screening when executing a crypto transaction.

1. Under Section 2 of the RtSw, providers of crypto services take measures to check whether parties with whom they have a relationship appear on sanctions lists. Who, apart from customers, are included in the scope of the term relationship?

Pursuant to the Sw and the RtSw, crypto service providers take measures to ensure they adequately check, at the minimum, the identities of the persons or legal entities with whom they have a relationship in their records, in compliance with the sanctions regulations.

The RtSw defines a relationship as "anyone involved in a financial service or a financial transaction". Based on the explanatory notes to the RtSw, the term relationship refers not only to an institution's customers, but also, inter alia, to the counterparties to transactions and the beneficiaries of transactions. The beneficiaries of an outgoing crypto (exchange) transaction or an outgoing wallet transaction may be customers of the crypto service provider, other crypto service providers or third party legal entities or persons. An incoming crypto (exchange) transaction or incoming wallet transaction may originate from the provider’s own customers, other crypto service providers or third party legal entities or persons. Therefore, in addition to the customers of crypto service providers, other crypto service providers and third party legal entities or natural persons involved in the transaction fall within the scope of the term "relationship".

2. What measures does a crypto service provider take when conducting crypto transactions to check whether (legal) persons or entities are subject to sanctions?

The identity of all relationships of crypto service providers is screened for sanctions purposes. This means that crypto service providers and the counterparty and/or beneficiary involved in the transactions are screened. The crypto service provider can take a risk-oriented approach to determining the measures needed to be able to establish whether the identity of a counterparty and/or beneficiary matches the identity of persons or (legal) entities referred to in the sanctions regulations. It is up to the crypto service provider to decide how to perform these checks and what is necessary to be able to perform the mentioned checks, as long as the purpose of the sanctions regulations is achieved.

Adequate measures to effectively screen the counterparty and/or beneficiary

In the case of a transaction to or from an (external) crypto address not managed by the crypto service provider, the holder of that crypto address can be either the provider's own customer or another crypto service provider, or a third party (legal) person or entity. In the case of transactions to and from external crypto addresses, crypto service providers should also be able, by means of adequate measures, to effectively screen the identity of the counterparty and/or beneficiary concerned against the identity of a person or entity referred to in the sanctions regulations.

This implies that sufficient information about the counterparty and/or beneficiary is requested for the purposes of effective screening, such as name, date of birth, place of residence and residence address.

Another element of this is that the crypto service provider takes adequate measures to establish that the identity of the counterparty and/or beneficiary specified by the customer is indeed the identity of the recipient or sender, if the provider considers there is a higher than minimal risk that the identity of a counterparty and/or beneficiary does not match the specified identity. This may involve identity fraud (the counterparty and/or beneficiary uses someone else's identity), but it may also be the case that someone other than the specified counterparty and/or beneficiary has access to the specified crypto address.

The measures for carrying out adequate screening can be risk-oriented. Risk-oriented means that a provider takes more extensive measures for relationships that are considered higher risk in view of all relevant factors than it does for relationships that are considered low-risk. Crypto service providers make a risk analysis and implement appropriate measures on that basis. The risk-based approach is assessed in the context of the entire set of measures in place in the business; see also the Guidance on the Anti-Money Laundering and Anti-Terrorist Financing Act and the Sanctions Act. The explanatory notes to the RtSw state: ‘it must always ensure that the risk is minimal that a financial service or transaction will result in financial resources going to one of the individuals or legal entities listed in the Sanctions Regulations.’

Where a provider considers that there is a higher than minimum risk that the identity of a counterparty and/or beneficiary does not match the specified identity, it takes measures to establish the true identity of a counterparty and/or beneficiary in order to perform effective screening. The Financial Sanctions Regulation Guideline of the Ministry of Finance states: ‘If no mitigating measures can be taken, if measures require too much effort or if there is too much residual risk, then the risk is not taken. In the case of sanctions, there can be virtually no acceptable level of residual risk because the material prohibitions of the sanctions regulations must be observed.’

The crypto service provider must be aware that it can take a risk-based approach to measures, but that the follow-up actions (reporting hits on sanctions lists and freezing assets) constitute an obligation of result.

How providers establish the identity of the counterparties to and/or beneficiaries of a transaction, and whether it is actually the recipient or sender, is not prescribed by regulation. The law does not prescribe any specific measure, as long as the measure taken provides adequate safeguards for the screening of relationships (see below for good practices).

3. Which elements comprise the risk analysis?

Risks that may be considered in the analysis include the risks associated with the specific business model, the provider's target customer group, the payment and payout options for fiat money, the customer's risk and transaction profile, geographical risks, relevant metadata (including IP address), and the ability to send cryptos to or from third-party individuals or entities. Regarding cryptos, it can be noted in general that these products, because of characteristics that promote anonymity, carry a higher risk of violating sanctions regulations. The characteristics of the specific crypto are also taken into account in the risk analysis. This list is not exhaustive.

Low-risk example

In the case of a closed environment, where customers cannot conduct transactions other than with the crypto service provider itself, the risk of violation of the sanctions regulations is low if providers also comply with the (Wwft) customer due diligence obligations.

High-risk example

Crypto service providers may facilitate transactions to and from third parties (other than their own customers), provided they have taken appropriate measures to screen the counterparty and/or beneficiary against sanctions lists. The risk of violating sanctions regulations is high in transactions from and to third parties, because it is not clear from the (external) crypto address who the owner of the (external) crypto address is. Crypto transactions from or to third parties therefore involve the risk of facilitating crypto transfers to, or receiving crypto transfers from, a person or entity referred to in the sanctions regulations. Providers will therefore have to take adequate measures to minimise this risk.

Good practices

What concrete measures does DNB see in practice for providers of crypto services to manage the risks of violating sanction regulations?

  • Laying down in the contract or in terms of use that trading is only permitted using one's own crypto address.

  • Refusal of customers in certain very high-risk countries.

  • The SIRA describes risks of sanction violations in detailed scenarios, including mitigating measures.

  • When onboarding customers, an explicit assessment is made of the risk of the customer in question violating sanction regulations.

  • Research into and monitoring of (whitelisted) crypto addresses using monitoring software (before and after transactions).

  • Blocking of crypto addresses linked to illegal activities and addresses on OFAC (Office of Foreign Assets Control) sanctions lists.

  • Blocking transactions with external crypto addresses.

  • Examination of the technical aspects of the crypto address, in relation to the customer's profile and information provided by the customer.

  • Random checks to establish whether the counterparty and/or beneficiary specified by the customer is actually the recipient or sender.

  • Mandatory onboarding of counterparties and/or beneficiaries in transactions, including identification and verification of identity.

  • Research based on metadata such as IP addresses used or timestamps.

Measures to establish whether the counterparty and/or beneficiary specified by the customer is in fact the recipient or the sender:

  • The providers themselves provide customers with a crypto address (custodian or otherwise).

  • Checks by screen sharing or video call when logging in.

  • Checks by transaction signing or sending a small amount of crypto (back) to the provider on request.

  • Use of a unique deposit address known only to the customer with a limited duration.

Depending on the differences in risks, a more intrusive measure or a combination of measures may be chosen. The complete package of measures is tailored to the specific risks of the customer and the transaction.

Statutory provisions

  • Section 10 of the Sanctions Act
  • Section 1, opening words and under b, of the RtSw
  • Section 2 of the RtSw

Disclaimer for the Q&As and Good practices

This Q&A describes good practices. These are examples of ways in which you can comply with sanctions legislation. These good practices and the main Q&A text have a different status. Q&As provide further insight into DNB's policy practice through the interpretation of statutory supervisory rules. Institutions can comply with the law by other means. If they do so, they must be able to demonstrate to DNB that they comply with the legislation or regulations and substantiate this. Good practices set out suggestions or recommendations for supervised institutions. These are examples of possible applications that, in DNB's opinion, provide a good interpretation of the obligations laid down in legislation and regulations. Good practices are indicative in nature and institutions are free to choose a different application as long as they otherwise comply with the law.

This is a translation of the original Dutch text. No rights can be derived from this text. In the event of any discrepancy, the Dutch text prevails.

Sector(s)

  • Crypto service providers