Screening a relationship in incoming and outgoing customer transactions

This factsheet was updated on 19 May 2021 following an objection procedure and our subsequent decision. In line with the Leeswijzer beleidsuitingen DNB, we will soon replace this factsheet by a Q&A.

A relationship may be either the crypto service provider's own customer or a third party:

1. A customer may send cryptos to or receive cryptos from their own (external) wallet not managed by the crypto service provider.
2. A customer may receive cryptos from or send cryptos to a third party.

In transactions to and from external wallets, crypto service providers must be able to effectively verify the identity of a party in a relationship with a person or legal entity referred to in the sanctions regulations. Effectively, this means the following:

• The provider must establish the identity and place of residence of the relationship and screen it against the sanctions lists (and this must not produce a hit).
• The provider must take adequate measures to ascertain that this person or legal entity is actually the recipient or the sender. Compliance with this requirement may be risk-based.

Providers are free in their choice of procedure of how to ascertain that the person or legal entity whose identity and place of residence they have established is actually the recipient or sender. The law does not stipulate specific measures, provided that they offer adequate safeguards for screening relationships. Thus, the law allows providers to choose the measures that best suit them and their customers, as well the magnitude of the risk that a relationship is not the indicated recipient or sender of the crypto.

For example, providers can whitelist external wallets using technological means. We have encountered various practices, such as:

• providing a crypto address to the customer (whether or not as a custodian)
• screen sharing or video conferencing at the time of logging in
• signing a transaction or sending back a small amount of cryptos to the provider on request

Other measures which could also help reduce risks but considered in isolation are most likely insufficient to comply with the Sw include:

• Laying down in a contract or terms of use that trading is only permitted using one’s own crypto addresses
• Investigating and monitoring (whitelisted) crypto addresses using pre- and post-transaction monitoring software
• Blocking crypto addresses linked to illegal activities and addresses sanctioned by the US Office of Foreign Assets Control (OFAC)