On 19 November 2021, the Dutch Central Bank (De Nederlandsche Bank, DNB) published for consultation a Q&A addressing crypto service providers’ compliance with the Dutch Sanctions Act 1977 (Sanctiewet 1977).
DNB notes that in addition to money laundering and terrorist financing risks, executing crypto transactions and providing crypto services also involve risks of violating sanctions regulations. Therefore, crypto service providers must, among other things, check whether their clients and any ultimate beneficial owners appear on any national, EU or international sanctions list and, if so, hits must be reported to DNB.
This new Q&A addresses the ways in which crypto service providers are expected to implement sanctions screening measures when executing crypto transactions. The Q&A comprises three questions:
- Article 2 of the Regulation on supervision pursuant to the Sanctions Act 1977 (Regeling toezicht Sanctiewet 1977) requires crypto service providers to take measures to check whether parties with whom they have a relationship appear on sanctions lists. Who – besides customers – are included in the scope of the term ‘relationship’?
DNB (summary): counterparties to transactions and beneficiaries of transactions. The beneficiaries of an outgoing crypto (exchange) transaction or an outgoing wallet transaction may be customers of the crypto service provider, other crypto service providers or third party legal entities or persons. An incoming crypto (exchange) transaction or incoming wallet transaction may originate from the provider’s own customers, other crypto service providers or third party legal entities or persons. Therefore, in addition to the customers of crypto service providers, other crypto service providers and third party legal entities or natural persons involved in the transaction fall within the scope of the term ‘relationship’.
- What measures must a crypto service provider take when conducting crypto transactions to check whether (legal) persons or entities are subject to sanctions?
DNB (summary): the identity of all relationships of crypto service providers must be screened. Crypto service providers may take a risk-based approach in determining how to do this, as long as the purpose of the sanctions rules is achieved. In case of transactions to or from an (external) crypto addresses, crypto service providers should be able to to effectively screen the identity of the counterparty and/or beneficiary concerned. This implies that sufficient information on such counterparty and/or beneficiary must be requested (e.g. name, date and place of birth, residential address). In addition, a crypto service provider must take adequate measures to establish that the identity of a counterparty/beneficiary specified by a customer is the true identity of the recipient or sender in case such provider considers there to be a high risk that there could be a mismatch (e.g. identity fraud). If no mitigating measures can be taken, if the residual risk is too high, or if these measures require too much effort, the crypto service provider should not take the risk.
- Which elements comprise the risk analysis?
DNB (summary): risks that could be considered in the analysis include the risks associated with the specific business model, the crypto service provider’s target customer group, the payment and payout options for fiat money, the customer’s risk and transaction profile, geographical risks, relevant metadata (including IP address), and the ability to send cryptos to or from third party persons or legal entities.
DNB also lists a number of specific measures that it has seen crypto service providers apply in practice to manage the risks of violating sanctions regulations. These include, but are not limited to:
- refusing customers in certain (very) high-risk countries;
- blocking crypto addresses linked to illegal activities and addresses on the Office of Foreign Assets Control sanctions lists;
- block transactions with external crypto addresses;
- random checks to establish whether the counterparty and/or beneficiary specified by the customer is actually the recipient/sender;
- carrying out research based on metadata, such as IP addresses used or timestamps;
- in order to verify to the identity of a counterparty or beneficiary, carry out checks by screen sharing, video calls or transaction signing.
The consultation period ends on 17 December 2021. After the consultation phase, DNB will publish a feedback statement explaining any further amendments.