Screening a relationship in incoming and outgoing customer transactions
The Sanctions Act (Sanctiewet 1977 – Sw) and the Regulation on Supervision pursuant to the Sanctions Act 1977 (Regeling toezicht Sanctiewet 1977 – RtSw) stipulate that providers of crypto services must take measures to ensure they adequately check, at the minimum, the identities of the persons or legal entities with whom they have a business relationship in their records, in compliance with the sanctions regulations. The RtSw defines a relationship as “anyone involved in a financial service or a financial transaction”. This includes the counterparty or other party involved in a transaction of a crypto service provider's customers.
This factsheet was updated on 19 May 2021 following an objection procedure and our subsequent decision. In line with the Leeswijzer beleidsuitingen DNB, we will soon replace this factsheet by a Q&A.
A relationship may be either the crypto service provider's own customer or a third party:
- A customer may send cryptos to or receive cryptos from their own (external) wallet not managed by the crypto service provider.
- A customer may receive cryptos from or send cryptos to a third party.
In transactions to and from external wallets, crypto service providers must be able to effectively verify the identity of a party in a relationship with a person or legal entity referred to in the sanctions regulations. Effectively, this means the following:
- The provider must establish the identity and place of residence of the relationship and screen it against the sanctions lists (and this must not produce a hit).
- The provider must take adequate measures to ascertain that this person or legal entity is actually the recipient or the sender. Compliance with this requirement may be risk-based.
Providers are free to choose how they ascertain that the person or legal entity whose identity and place of residence they have established is actually the recipient or sender. The law does not stipulate specific measures, provided that they offer adequate safeguards for screening relationships. Thus, the law allows providers to choose the measures that best suit them and their customers, as well as the magnitude of the risk that a relationship is not the indicated recipient or sender of the crypto.
For example, providers can whitelist external wallets using technological means. We have encountered various practices, such as:
- providing a crypto address to the customer (whether or not as a custodian)
- screen sharing or video conferencing at the time of logging in
- signing a transaction or sending back a small amount of cryptos to the provider on request
Other measures that could also help reduce risks, but that are most likely insufficient to comply with the Sw when considered in isolation, include:
- Investigating and monitoring (whitelisted) crypto addresses using pre- and post-transaction monitoring software
- Blocking crypto addresses linked to illegal activities and addresses sanctioned by the US Office of Foreign Assets Control (OFAC)