Virtual Assets Service Providers Act, 2022

1 No. 17 of 2022 VIRGIN ISLANDS VIRTUAL ASSETS SERVICE PROVIDERS ACT, 2022 ARRANGEMENT OF SECTIONS SECTION PART I PRELIMINARY

1. Short title and commencement
2. Interpretation
3. Application and prohibition
4. Powers of the Agency and the Commission PART II REGISTRATION REQUIREMENTS FOR VASPS
5. Prohibition against providing or engaging in transactions involving virtual assets
6. Application for registration
7. Approval of registration
8. Duty to notify change in information provided
9. Change of name
10. Maintaining financially sound condition
11. Directors and senior officers
12. Appointment of authorised representative
13. Functions of an authorised representative
14. Appointment of auditor
15. Powers of Commission in relation to the appointment of auditor
16. Obligations of auditor
17. Audit and audit report
18. Submission of audit report and extension of time
19. Group financial statements PART III GENERAL OBLIGATIONS OF VASPS
20. Duty to report information
21. Disposition or acquisition of significant or controlling interest in a VASP
22. Maintenance of records
23. Client assets

2 24. Misleading advertisement, statement, etc. 25. AML/CFT compliance 26. Obligations in relation to the Commission PART IV VIRTUAL ASSETS CUSTODY AND EXCHANGE Virtual Assets Custody Service 27. Virtual asset custody service: additional information required 28. Virtual asset custody service: conditions for registration 29. Obligations and restrictions Virtual Assets Exchange 30. Virtual assets exchange: requirements 31. Virtual assets exchange: conditions for registration 32. Restrictions and prohibitions PART V PARTICIPATION IN THE REGULATORY SANDBOX 33. Interpretation for this Part 34. Application to provide innovative FinTech 35. Approval to provide innovative FinTech 36. Termination of approval as a Sandbox participant PART VI MISCELLANEOUS 37. Register. 38. Cancellation of registration. 39. Revocation of registration. 40. Existing licensees. 41. Appointment of compliance officer. 42. Enforcement powers. 43. General powers of the Commission. 44. Exemption. 45. Fees, charges, etc. 46. Offences and penalties. 47. Regulations. 48. Application of Regulatory Code. 49. Amendment of Schedule. SCHEDULE

3 No. 17 of 2022 Virtual Assets Service Providers Act, 2022 Virgin Islands I ASSENT (Sgd.) John Rankin CMG, Governor. 23rd December, 2022 VIRGIN ISLANDS No. 17 of 2022 AN ACT TO MAKE PROVISION FOR THE REGISTRATION AND SUPERVISION OF VIRTUAL ASSETS SERVICE PROVIDERS IN RELATION TO TRANSACTIONS INVOLVING VIRTUAL ASSETS; THE APPROVAL OF PROVISION OF VIRTUAL ASSETS CUSTODY SERVICE; AND THE APPROVAL OF VIRTUAL ASSETS EXCHANGES; AND TO PROVIDE FOR OTHER MATTERS CONNECTED THEREWITH. [Gazetted29th December, 2022] ENACTED by the Legislature of the Virgin Islands as follows: PART I PRELIMINARY Short title and commencement

1. (1) This Act may be cited as the Virtual Assets Service Providers Act,

(2) This Act shall come into force on such date as the Minister may, by Notice published in the Gazette, appoint. Interpretation 2. (1) In this Act, unless the context otherwise requires “advertisement” means any form of communication that (a) relates to a specific offer to the public to subscribe for, or purchase, virtual assets; and (b) is intended to specifically promote the potential subscription or purchase of virtual assets; “Agency” means the Financial Investigation Agency established under section 3(1) of the Financial Investigation Agency Act, Revised Edition 2020;

4 “AMLTFCOP” means the Anti-money Laundering and Terrorist Financing Code of Practice, Revised Edition 2020; “AMLR” means the Anti-money Laundering Regulations, Revised Edition 2020; “applicant” means a person who makes or submits an application for the registration of a VASP under, or otherwise in compliance with a provision of, this Act; “Commission” means the Financial Services Commission established under section 3(1) of the FSCA; “controlling interest” means interest in an entity whereby (a) the person holding the interest has an influence over the activities of any undertaking of the entity without having a significant interest in the undertaking; or (b) a director or senior officer of the entity is accustomed to acting on the instructions of the person; “entity” means a person that is engaged in a relevant business within the meaning of regulation 2(1) of the AMLR; “FSCA” means the Financial Services Commission Act, Revised Edition 2020; “financial services legislation” has the meaning ascribed to it under section 2(1) of the FSCA; “Internet site”, in relation to the Commission, means the primary public access Internet site for the time being maintained by, or on behalf of, the Commission; “licensee” means a person licensed, approved or otherwise authorised by the Commission under the FSCA or a regulatory legislation specified in Part I of Schedule 2 of the FSCA; “money laundering” has the meaning ascribed to it in section 2(1) of the Financial Investigation Act, Revised Edition 2020; “proliferation financing” has the meaning ascribed to it in section 6 of the Proliferation Financing (Prohibition) Act, No. 20 of 2021; “senior officer” has the meaning ascribed to it under section 4 of the Regulatory Code, Revised Edition 2020, and the reference therein to “licensee” shall be construed to include a VASP issued with a certificate of registration under section 7(3)(a); “significant interest”, in relation to an entity, means a holding or interest in the entity or any holding company of the entity held or owned by a person, either alone or with any other person and whether legally or equitably, that entitles or enables the person, directly or indirectly to (a) control ten percent or more of the voting rights of that entity at a meeting of the entity or of its members; (b) a share of ten percent or more in any distribution (if applicable) made by the entity; (c) a share of ten percent or more in any distribution (if applicable) of the surplus assets of the entity; or

5 (d) appoint or remove one or more directors of the entity; “terrorist financing” has the meaning ascribed to it in section 2(1) of the Financial Investigation Agency Act, Revised Edition 2020; “virtual asset” means a digital representation of value that can be digitally traded or transferred, and can be used for payment or investment purposes, but does not include (a) digital representations of fiat currencies and other assets or matters specified in the Guidelines; or (b) a digital record of a credit against a financial institution of fiat currency, securities or other financial assets that can be transferred digitally; “virtual assets custody service” means the acceptance for safekeeping of virtual assets or instruments that enable a VASP to exercise control over the virtual assets or instruments; “virtual assets exchange” means a trading platform that is operated for the purpose of allowing an offer or invitation to be made to buy or sell any virtual asset in exchange for money or any virtual asset and which comes into custody, control, power or possession of, or over, any money or any virtual asset at any point in time during its course of business; “virtual assets service” means the business of engaging, on behalf of another person, in any VASP activity or operation (as outlined in the definition of “VASP”), and includes (a) hosting wallets or maintaining custody or control over another person’s virtual asset, wallet or private key; (b) providing financial services relating to the issuance, offer or sale of a virtual asset; (c) providing kiosks (such as automatic teller machines, bitcoin teller machines or vending machines) for the purpose of facilitating virtual assets activities through electronic terminals to enable the owner or operator of the kiosk to actively facilitate the exchange of virtual assets for fiat currency or other virtual assets; or (d) engaging in any other activity that, under guidelines issued pursuant to section 41A of the FSCA, constitutes the carrying on of the business of providing virtual asset service or issuing virtual assets or being involved in virtual asset activity; “VASP”, subject to subsections (2), means a virtual asset service provider who provides, as a business, a virtual assets service and is registered under this Act to conduct one or more of the following activities or operations for or on behalf of another person (a) exchange between virtual assets and fiat currencies; (b) exchange between one or more forms of virtual assets; (c) transfer of virtual assets, where the transfer relates to conducting a transaction on behalf of another person that moves a virtual asset from one virtual asset address or account to another;

6 (d) safekeeping or administration of virtual assets or instruments enabling control over virtual assets; (e) participation in, and provision of, financial services related to an issuer’s offer or sale of a virtual asset; or (f) perform such other activity or operation as may be specified in this Act or as may be prescribed by regulations made under section 47. (2) A person who engages in or performs any of the following activities shall not qualify or be treated as a VASP (a) providing ancillary infrastructure to allow another person to offer a service, such as cloud data storage provider or integrity service provider responsible for verifying the accuracy of signatures; (b) providing service as a software developer or provider of unhosted wallets whose function is only to develop or sell software or hardware; (c) solely creating or selling a software application or virtual asset platform; (d) providing ancillary services or products to a virtual asset network, including the provision of services like hardware wallet manufacturer or provider of unhosted wallets, to the extent that such services do not extend to engaging in or actively facilitating as a business any of those services for or on behalf of another person; (e) solely engaging in the operation of a virtual asset network without engaging or facilitating any of the activities or operations of a VASP on behalf of customers; (f) providing closed-loop items that are non-transferable, non￾exchangeable, and which cannot be used for payment or investment purposes; and (g) accepting virtual assets as payment for goods and services (such as the acceptance of virtual assets by a merchant when effecting the purchase of goods). (3) The reference to funds or value-based terms, such as “property”, “proceeds”, “funds”, “funds or other assets” and “corresponding value” contained in any financial services legislation, Financial Investigation Agency Act, Revised Edition 2020, or any other enactment relating to money laundering, terrorist financing and proliferation financing shall be construed to include virtual assets with such modifications as may be necessary. (4) The reference in the FSCA and any regulations made thereunder to “licence” and “licensee” shall be construed as applying to a VASP, unless the context otherwise dictates. (5) Guidelines issued by the Commission under section 41A of the FSCA may provide guidance on what constitutes providing or participating in financial services for purposes of paragraph (b) of the definition of “virtual assets”, and paragraph (e) of the definition of “VASP”, in subsection (1).

7 (6) Where provision is made in this Act for the giving of notice, submitting an application, or in any other way communicating any matter without specifying how such notice, application or communication must be given, made or delivered, the notice, application or other communication shall be given, made or delivered in writing, which may be in electronic form if delivered to the correct address. Application and prohibition 3. (1) This Act (a) applies to all entities operating in or from within the Virgin Islands that qualify and are registered as VASPs in accordance with the provisions of this Act; and (b) qualifies and shall be treated as financial services legislation under Part I of Schedule 2 of the FSCA, but the provisions of the FSCA shall apply only to the extent that the subject matter of application is not addressed under this Act. (2) The provisions of the Proceeds of Criminal Conduct Act, Revised Edition 2020, Proliferation Financing (Prohibition) Act, No. 20 of 2021, Counter Terrorism Act, No. 33 of 2021, AMLR, AMLTFCOP and other enactments relating to money laundering, terrorist financing and proliferation financing shall, unless otherwise stated, apply to virtual assets and VASPs as they apply to entities and, if need be, with such modification as may be necessary to ensure full and appropriate application to virtual assets and VASPs. Powers of the Agency and the Commission 4. (1) The Agency shall have and may exercise any of its powers under the Financial Investigation Agency Act, Revised Edition 2020, and any other powers under an enactment dealing with money laundering, terrorist financing and proliferation financing in relation to virtual assets and VASPs in so far as those powers are exercisable with respect to an entity. (2) The Commission shall have and may exercise any of its powers under the FSCA and any other powers under an enactment dealing with money laundering, terrorist financing and proliferation financing in relation to virtual assets and VASPs as those powers are exercisable with respect to an entity that is licensed by the Commission. (3) For purposes of subsections (1) and (2), the absence of any reference to virtual assets or VASPs in any of the enactments referred to in those subsections shall not be construed as ousting the jurisdiction of the Agency or the Commission, as the case may be, to exercise the powers exercisable under those enactments in relation to virtual assets and VASPs.

8 PART II REGISTRATION AND REQUIREMENTS FOR VASPS Prohibition against providing or engaging in transactions involving virtual assets 5. (1) No person shall carry on in or from within the Virgin Islands the business of providing a virtual asset service without being registered by the Commission in that regard. (2) An individual shall not carry on, or hold himself or herself out as carrying on, in or from within the Virgin Islands, virtual assets service as a business or in the course of business. (3) For the purposes of, but without limiting, subsection (1), a person carries on virtual assets service in the Virgin Islands if he or she occupies premises in the Virgin Islands for the purpose of carrying on a virtual assets service. (4) A BVI business company that carries on, or holds itself out as carrying on or being able to carry on, a virtual assets service outside the Virgin Islands is deemed to be carrying on the business of providing a virtual assets service from within the Virgin Islands. (5) Subsection (1) does not apply to a person excluded in such circumstances and to such extent as may be prescribed in regulations made under section 47. Application for registration 6. (1) A person who wishes to carry on in or from within the Virgin Islands the business of providing a virtual asset service (“the applicant”) may apply to the Commission for registration as a VASP to undertake such business in one or more of the following categories (a) to carry on the business of providing a virtual assets service; (b) to engage in the business of providing a virtual assets custody service; and (c) to operate a virtual assets exchange. (2) Where a person wishes to carry on the business of providing a virtual assets custody service or operate a virtual assets exchange, the person shall, in addition to complying with the requirements of this Part and Part III, comply with the requirements of Part IV as applicable. (3) An application under subsection (1) shall be in such form as the Commission may determine and publish on the Internet site. (4) Without prejudice to subsection (3), the applicant under subsection (1) shall, subject to subsection (7), provide the following information together with the application (a) the names and addresses of the persons proposed as directors and senior officers of the VASP; (b) the names and addresses of the persons who hold shares, including their level of shareholding in the VASP;

9 (c) the names and addresses of the persons who have a controlling interest in the VASP; (d) the physical address in the Virgin Islands of the VASP; (e) the name and address of the auditor of the VASP, including the auditor’s consent to act as such; (f) the name and address of the proposed authorised representative of the VASP; (g) a business plan in relation to the VASP which shall, at minimum, include the following (i) the knowledge, expertise and experience of the person applying for registration; (ii) detailed information on the nature, size, scope and complexity of the VASP, the underlying technology intended to be used, method of delivery of the virtual asset service and the virtual asset to be utilised; (iii) information on how the VASP will be marketed and the expected source of business; (iv) information on the anticipated human resource capacity of the VASP at commencement of business and in the long term; (v) any planned outsourcing arrangements and the systems to be put in place to govern such outsourcing arrangements; and (vii) an indication of the initial capital and financial projections of the VASP covering the first three years of operation, including projected set-up costs; (h) a written risk assessment of the VASP, outlining the risks the VASP will or may be exposed to and specifying how those risks are to be identified, measured, assessed, monitored, controlled and reported; (i) a written manual showing how the applicant, if granted registration, intends to comply with the requirements of this Act and any regulations made thereunder, including how the applicant intends to safeguard against the activities of money laundering, terrorist financing and proliferation financing; (j) the internal safeguards and data protection (including cyber security) systems intended to be utilized; and (k) the system to be put in place on how the VASP will handle client assets, custodian relationships and complaints. (5) For the purposes of processing an application for the registration of a VASP, the Commission may, in addition to the information provided under subsection (4), require such additional information as it considers appropriate and within such period as the Commission determines. (6) Where the Commission forms the view that, in relation to an application under subsection (1), any information required under subsection (4)

10 has not been provided, it shall notify the applicant to provide the information within such period as the Commission determines. (7) Where, subject to the receipt of an application in that regard, the Commission forms the view that, having regard to the type and nature of the business of the applicant, a requirement outlined in subsection (4) should not apply, the Commission may, in writing, waive that requirement in respect of the applicant. (8) Subject to a waiver by the Commission of a requirement pursuant to subsection (7), an application for the registration of a VASP under this section which fails to provide all the information required under subsection (4), or any additional information or missing information respectively required under subsection (5) or (6), within the prescribed period, shall be considered incomplete and abandoned. Approval of registration 7. (1) Subject to subsection (2), the Commission may approve an application for the registration of a VASP if the Commission is satisfied that (a) the applicant satisfies the requirements of this Act and any regulations made thereunder and the provisions of the Regulatory Code, Revised Edition 2020, applicable to the applicant; (b) the applicant intends, if registered as a VASP, to carry on the business for which it is to be registered; (c) the auditor of the proposed VASP has consented to so act and is approved by the Commission; (d) the proposed VASP and its directors, senior officers and persons with a significant interest or controlling interest in the proposed VASP meet the fit and proper criteria outlined in Schedule 1A of the Regulatory Code, Revised Edition 2020; (e) the organisation, management and financial resources of the proposed VASP are, or on registration will be, adequate for the carrying on of the VASP business; (f) the applicant, if registered as a VASP, has or will have the ability and capacity to manage and mitigate the risks of engaging in the VASP’s business activities, including the detection and prevention of activities that involve the use of anonymity-enhancing technologies or mechanisms (such as mixers, tumblers and similar technologies) that obfuscate the identity of the sender, recipient, holder or beneficial owner of a virtual asset; and (g) registering the VASP is not against the public interest. (2) Without limiting subsection (1), the Commission may refuse to register an applicant as a VASP if it forms the opinion that a person having a share or other interest in the applicant, whether significant, controlling or otherwise or legal or equitable, does not satisfy the fit and proper criteria outlined in Schedule 1A of the Regulatory Code, Revised Edition 2020. (3) Where the Commission approves an application for registration under subsection (1), it

11 (a) shall register the applicant and issue a certificate of registration in such form as it considers appropriate; and (b) may impose such conditions on the registration as it considers appropriate. (4) Where the Commission does not approve an application under subsection (1) for registration as a VASP, it shall so inform the applicant in writing giving the Commission’s reason for the refusal. Duty to notify change in information provided 8. (1) Where, prior to the approval and registration of an application under section 7, there is a material change in the information provided to the Commission under section 6, the applicant shall forthwith notify the Commission of that fact. (2) Where, after the approval and registration of an application under section 7, there is a material change in the information provided to the Commission under section 6 or any other change which is likely to materially affect the basis on which an applicant was approved and registered, the applicant shall forthwith notify the Commission of that fact indicating (a) the nature and scope of the change; (b) the reason for, or circumstance that gave rise to, the change; (c) whether or not the change is likely to materially affect the business of the VASP; and (d) in the case of a change in the information provided under section 6(4) and, if applicable, section 6(5), the reason for the change. (3) Where the Commission is notified of any change under subsection (1) or (2), it may issue such directive and exercise such power, including the power to deregister the registered VASP, as it considers appropriate, having regard to the requirements of this Act and any regulations made thereunder, the FSCA and the applicable provisions of the Regulatory Code, Revised Edition 2020. Change of name 9. (1) A VASP that is registered in accordance with this Act shall not, without the prior approval of the Commission, change its corporate name or the name under which it carries on business. (2) An application by a VASP to change its name shall be addressed to the Commission (a) giving reasons for the proposed change of name; (b) indicating whether or not the proposed change in name will or is likely to affect the nature or type of business for which the VASP was registered by the Commission; and (c) providing such additional information as may be necessary in assisting the Commission to properly and fully assess the application for change of name. (3) Without prejudice to subsection (2), the Commission may, by notice and within such period as is provided in the notice, direct a VASP to change the

12 name under which it carries on business if the Commission is of the opinion that the name (a) is identical to that of any other person, whether within or outside the Virgin Islands, or which so nearly resembles that name as to be likely to confuse or deceive; or (b) is otherwise misleading or undesirable. Maintaining financially sound condition 10. (1) A VASP shall, at all times, maintain its business in a financially sound condition by (a) having assets; (b) providing for its liabilities; and (c) generally conducting its business, so as to be in a position to meet its liabilities as they fall due. (2) If a VASP forms the opinion that it does not comply with subsection (1), it shall forthwith notify the Commission in writing. Directors and senior officers 11. (1) Subject to subsection (2), every VASP shall have at least 2 individual directors. (2) The Commission may at any time, having regard to the nature and risk associated with a VASP, require the VASP to have an individual director physically resident in the Virgin Islands if it does not already have one. (3) No VASP shall appoint a director or senior officer without the prior written approval of the Commission. (4) The Commission shall not grant approval under subsection (3) unless it is satisfied that the person proposed for appointment as a director or senior officer (a) satisfies the fit and proper criterial set out in Schedule 1A of the Regulatory Code, Revised Edition 2020; and (b) complies with the requirements of any guidelines issued by the Commission relating to the approval of directors and senior officers. (5) For the purposes of subsection (1), a director is considered to be physically resident in the Virgin Islands if, during the course of the year, the cumulative period of the director’s absence (if any) from the Virgin Islands does not exceed 120 days. Appointment of authorised representative 12. (1) A VASP shall appoint and at all times have an authorised representative who shall be a person approved by the Commission. (2) Subject to subsections (3), (4) and (5), a person qualifies to be considered for approval as an authorised representative if

13 (a) the person submits an application to the Commission seeking such approval; and (b) the person is (i) a BVI business company incorporated or registered under the BVI Business Companies Act, Revised Edition 2020; (ii) a partnership formed under the Partnership Act, Revised Edition 2020, or the Limited Partnership Act, Revised Edition 2020; or (iii) an individual who is physically resident in the Virgin Islands, and has knowledge of virtual assets service or management skills related to risks, whether in relation to VASPs or otherwise as the Commission considers relevant. (3) The Commission may, upon receipt of an application for the approval of a person as an authorised representative of a VASP under subsection (2)(a), approve the application if it is satisfied that (a) the person satisfies any of the requirements outlined in subsection (2)(b); (b) the person meets the fit and proper criteria outlined in Schedule 1A of the Regulatory Code, Revised Edition 2020; (c) where the person is a BVI business company, the company’s directors and senior officers and any other person having a significant interest or controlling interest in the company satisfy the fit and proper criteria outlined in Schedule 1A of the Regulatory Code, Revised Edition 2020; (d) where the person is a partnership, the partners satisfy the fit and proper criteria outlined in Schedule 1A of the Regulatory Code, Revised Edition 2020; and (e) approving the person is not against the public interest. (4) A person who has been certified as an authorised representative in accordance with section 64 of the Securities and Investment Business Act, Revised Edition 2020, may, subject to complying with subsection (2)(a), be approved by the Commission as an authorised representative under this section. (5) The Commission may refuse to approve an application for the appointment of an authorised representative of a VASP if the Commission is of the opinion that the person that is the subject of the application does not satisfy the fit and proper criteria outlined in Schedule 1A of the Regulatory Code, Revised Edition 2020. (6) This section and section 13 do not apply in respect of a VASP that has a significant management presence in the Virgin Islands. (7) Where an authorised representative resigns or has his or her appointment terminated or the office of authorised representative becomes vacant for any reason, the VASP concerned does not commit an offence if it appoints another authorised representative approved in accordance with this section within 21 days of the date of the previous authorised representative ceasing to so act.

14 (8) In reckoning the 21 days period under subsection (7), the period during which an application is pending before the Commission for approval shall not be counted. (9) No person shall act, or hold himself or herself out as acting, as an authorised representative of a VASP unless the person has been approved by the Commission and appointed as such by a VASP. (10) For purposes of subsection (6) and section 13(2), the Commission shall prescribe in the Regulatory Code, Revised Edition 2020, the criteria for what constitutes significant management presence in the Virgin Islands. Functions of an authorisedrepresentative 13. (1) An authorised representative of a VASP shall perform the following functions (a) act as the main intermediary between the VASP that he or she represents and the Commission; (b) accept service of notices and other documents on behalf of the VASP that he or she represents; and (c) keep in the authorised representative’s office in the Virgin Islands such records, or copies of such records, as may be prescribed in the Regulatory Code, Revised Edition 2020, or in regulations made under section 47. (2) Except in relation to a VASP that has a significant management presence in the Virgin Islands and as may otherwise be provided in regulations made under section 47, all documents to be submitted, or fees to be paid, by a VASP to the Commission shall be submitted or paid by its authorised representative. Appointment of auditor 14. (1) Subject to subsection (2), a VASP shall appoint and at all times have an auditor for the purposes of auditing its financial statements. (2) The Commission may, in exercise of the powers conferred by section 40C of the FSCA, exempt a VASP from the requirement to appoint and have an auditor. (3) A person shall not be appointed auditor under subsection (1) unless he or she (a) is qualified under the Regulatory Code, Revised Edition 2020, to act as auditor of a licensee; (b) has consented to act as auditor of the VASP; and (c) has been approved by the Commission. (4) Subject to subsection (5), the Commission may approve the appointment of a person as an auditor under subsection (1), if it is satisfied that the person has met the requirements of subsection (3)(a) and (b) and has sufficient experience and is competent to audit the financial statements of the VASP. (5) The approval by the Commission of the appointment of an auditor under subsection (4) is not required if

15 (a) the auditor appointed in respect of a financial year acted as auditor of the VASP in the previous financial year; and (b) the Commission has not revoked its approval of the appointment of the auditor by the VASP. (6) A VASP shall, within 14 days of the appointment of its auditor, submit a notice of appointment to the Commission. (7) A VASP shall make such arrangements as are necessary to enable its auditor to audit its financial statements in accordance with the requirements of this Act, the Regulatory Code, Revised Edition 2020, and any regulations made under section 47 including, as the auditor may reasonably require for the purposes of the audit (a) by giving the auditor a right of access at all reasonable times to its financial records and all other documents and records; and (b) by providing the auditor with such information and explanations as the auditor may request. (8) Where a person ceases to be the auditor of a VASP, the VASP does not contravene subsection (1) if it appoints another auditor in accordance with this section within 2 months of the date that the person who was previously appointed auditor ceased to hold that appointment. Powers of Commission in relation to the appointment of auditor 15. (1) Where the Commission is satisfied that the auditor of a VASP has failed to fulfil his or her obligations under this Act or is otherwise not a fit and proper person, in accordance with Schedule 1A of the Regulatory Code, Revised Edition 2020, to act as the auditor of the VASP, it may, by notice to the VASP, revoke the approval of the appointment of the auditor. (2) Where a VASP receives a notice under subsection (1) revoking the approval of appointment of its auditor, the VASP shall (a) provide the auditor with a copy of the notice; and (b) appoint a new auditor in accordance with section 14. (3) If a VASP fails to appoint a new auditor as required under subsection (1), the Commission may appoint an auditor for the VASP, and an auditor so appointed shall be deemed, for the purposes of this Act, to have been appointed by the VASP. Obligations of auditor 16. (1) Notwithstanding anything to the contrary contained in any other enactment, the auditor of a VASP shall report immediately to the Commission any information relating to the affairs of the VASP that he or she has obtained in the course of acting as its auditor that, in his or her opinion, suggests that (a) the VASP is insolvent or is likely to become insolvent or is likely to be unable to meet its obligations as they fall due; (b) the VASP is operating in a manner that may be detrimental to the interest of its clients;

16 (c) the VASP no longer meets any of the conditions outlined in section 7(1); (d) the VASP is no longer compliant with the requirement of section 10; (e) the VASP has significant weaknesses in its internal controls which render it vulnerable to significant risks or exposures that have the potential to jeopardise its financial viability; (f) an offence has been or is being committed by the VASP in connection with its business; or (g) serious breaches of this Act or the Regulatory Code, Revised Edition 2020, or such enactments, guidelines or Codes relating to money laundering, terrorist financing or proliferation financing as may be enacted, issued or prescribed have occurred in respect of the VASP or in connection with its business. (2) Where a VASP terminates the appointment of an auditor or an auditor resigns, the auditor shall (a) forthwith inform the Commission of the termination of his or her appointment or his or her resignation, and disclose to the Commission the circumstances that gave rise to such termination or resignation; and (b) if, but for the termination of his or her appointment or his or her resignation, he or she would have reported information to the Commission under subsection (1), he or she shall report the information concerned to the Commission as if his or her appointment had not been terminated or he or she had not resigned. (3) The Commission may require an auditor of a VASP to discuss any audit the auditor has conducted or commenced with, or provide additional information regarding the audit to, the Commission. (4) Where, in good faith, an auditor or former auditor provides any information to the Commission in accordance with this section, the auditor is deemed not to be in contravention of this Act or any other enactment, or rule of law, agreement or professional code of conduct to which he or she is subject and no civil, criminal or disciplinary proceedings shall lie against him or her in respect thereof. (5) The failure, in good faith, of an auditor or former auditor to provide a report or any information to the Commission pursuant to this section does not confer upon any other person a right of action against the auditor which, but for that failure, that other person would not have had. Audit and audit report 17. (1) An auditor shall carry out sufficient investigation to enable him or her to form an opinion on the financial statements of a VASP and prepare an audit report, in compliance with Division 6 of Part II of the Regulatory Code, Revised Edition 2020, and any regulations made under section 47. (2) The auditor shall, upon completion of his or her audit of the financial statements of a VASP, provide an audit report to the VASP complying with the

17 provisions of Division 6 of Part II of the Regulatory Code, Revised Edition 2020, and any regulations made under section 47. (3) The Commission may at any time, by notice in writing, direct a VASP to supply the Commission with a report, prepared by its auditor or such other person as may be nominated by the Commission, on such matters as the Commission may determine, which may include an opinion on the adequacy of the accounting systems and controls of the VASP. (4) A report prepared under subsection (3) shall be at the cost of the VASP. Submission of audit report and extension of time 18. (1) A VASP shall, within 6 months of the end of its financial year, submit a copy of its auditor’s report in respect of the VASP’s financial statements to the Commission. (2) The Commission may, on the application of a VASP, extend the time for compliance with subsection (1) for a period of, or where it grants more than one extension for an aggregate period not exceeding, 6 months. (3) An extension under subsection (2) may be granted subject to such conditions as the Commission considers appropriate. Group financial statements 19. (1) Where a VASP is a member of a group of companies, the VASP may submit to the Commission its group financial statements, so long as those statements are presented in a manner that would enable a proper evaluation of the VASP’s financial position. (2) The Commission may require the group financial statements to be audited by the auditor of the VASP or by another auditor approved by the Commission. PART III GENERAL OBLIGATIONS OF VASPS Duty to report information 20. (1) A VASP shall report to the Commission such information, within such time, and verified in such manner, as the Commission may prescribe in writing, including information on the following: (a) the level of compliance with the requirements of this Act; (b) the level of exposure of clients; (c) a summary of the VASP’s clients by geographical location; (d) the financial position of the VASP; (e) the risks encountered and how they have been resolved or are being resolved, including whether there has been any financial or other loss;

18 (f) the VASP’s key performance indicators, achievements and any relevant statistical information; (g) any significant complaints by clients and how such complaints have been resolved; and (h) where a significant complaint by a client has not been resolved, the plan put in place to resolve the client’s complaint. (2) Where the Commission considers that any information reported by a VASP is inaccurate or is not verified in the prescribed manner, it may, by written notice and within such time as it may specify, require the VASP to report amended or additional information to the Commission or to verify the information in such manner as may be specified in the written notice. Disposition or acquisition of significant or controlling interest in a VASP 21. (1) A person owning or holding a significant interest controlling interest in a VASP shall not, whether directly or indirectly, sell, transfer, charge or otherwise dispose of his or her interest in the VASP, or any part of his or her interest , unless the prior written approval of the Commission has been obtained. (2) A person shall not, whether directly or indirectly, acquire a significant interest or controlling interest in a VASP unless the prior written approval of the Commission has been obtained. (3) A VASP shall not, unless the prior written approval of the Commission has been obtained (a) cause, permit or acquiesce in a sale, transfer, charge or other disposition referred to in subsection (1); or (b) issue or allot any shares or cause, permit or acquiesce in any other reorganisation of its share capital that results in (i) a person acquiring a significant interest or controlling interest in the VASP; or (ii) a person who already owns or holds a significant interest or controlling interest in the VASP, increasing or decreasing the size of his or her interest. (4) Where a sale, transfer, charge or other disposition referred to in subsection (1) takes place, the VASP shall, for the purposes of subsection (3), be deemed to have caused, permitted or acquiesced in the sale, transfer, charge or other disposition referred to in subsection (1). (5) An application to the Commission for approval under subsection (1), (2) or (3) shall be made by the VASP, and any fees payable for the application and any approval of the application in that regard shall be paid by the VASP. (6) The Commission shall not grant approval under subsection (1), (2) or (3) unless it is satisfied that, following the acquisition or disposition, any person who will acquire a significant interest or controlling interest in the VASP satisfies the fitness and propriety criteria outlined in Schedule 1A of the Regulatory Code, Revised Edition 2020.

19 (7) Where the Commission, in the exercise of its powers under the FSCA or any other enactment, is minded to take enforcement action for the breach of subsection (1), (2) or (3), such enforcement action may be taken against the VASP if the VASP has caused, permitted or acquiesced in the sale, transfer, charge or other disposition or in the acquisition as referred to in the subsection. (8) This section shall not apply to a VASP that is listed on a recognised exchange. (9) For the purposes of subsection (8), “recognised exchange” means an exchange that is listed in the Regulatory Code (Recognised Exchanges) Notice, Revised Edition 2020. Maintenance of records 22. (1) A VASP shall keep records that are sufficient to (a) show and explain its transactions; (b) enable its financial position to be determined with reasonable accuracy; (c) enable it to prepare such financial statements and make such returns as it is required to prepare and make under this Act or any other financial services legislation; (d) enable its financial statements to be audited in accordance with the provisions of this Act; (e) show any complaints made by its clients and how such complaints have been dealt with; and (f) show the steps it takes to guard against the activities of money laundering, terrorist financing and proliferation financing. (2) In addition to maintaining the records specified in subsection (1), a VASP shall record and maintain all customer due diligence information in respect of its clients in accordance with the requirements of any enactment relating to money laundering, terrorist financing and proliferation financing. (3) The records referred to in subsection (1) shall be maintained in a form that they can be easily retrievable, and a retrievable form may consist of (a) an original copy or a certified copy of an original copy; (b) microform; (c) a computerized or other electronic data; or (d) a scanned document of the original document which is certified where necessary. (4) A VASP shall retain the records required to be maintained under this Act and any other enactment relating to money laundering, terrorist financing and proliferation financing for a period of at least 5 years. (5) For the purposes of subsection (4), the 5-year period shall (a) in the case of records required under this Act, be reckoned to commence from the date of termination of a business relationship

20 (as defined in regulation 2 of the AMLR) to which the records relate; and (b) in the case of records relating to money laundering, terrorist financing and proliferation financing, be reckoned in accordance with the requirements of the AMLR and AMLTFCOP. (6) Subsections (4) and (5) apply to a VASP after the cancellation or revocation of its registration as if its registration had not been cancelled or revoked. Client assets 23. A VASP shall (a) ensure that client assets are identified, or identifiable, and appropriately segregated and accounted for; (b) make arrangements for the proper protection of client assets; and (c) immediately notify (i) any client whose asset has in any way been unlawfully interfered with or otherwise compromised, upon becoming aware of such interference; and (ii) the Commission regarding the event mentioned in subparagraph (i); and (d) in relation to paragraph (c), inform the client and the Commission of the steps the VASP has taken or is taking to restore the client’s assets and protect the assets from any further unlawful interference or from otherwise being compromised. Misleading advertisement, statements, etc 24. (1) A VASP shall not, in relation to any activity that involves the business of the exchange, transfer, safekeeping, administration, or participation in, or provision of, virtual assets, whether or not carried on by the VASP and whether or not the activity is one the VASP is authorised to carry on, or in relation to any virtual asset business (a) issue, or cause or permit to be issued, an advertisement, brochure or similar document or make, or cause or permit to be made, a statement, promise or forecast, which the VASP knows, in a material particular (i) is false or misleading; or (ii) contains an incorrect statement of fact; (b) issue, or cause or permit to be issued, an advertisement, brochure or similar document or make, or cause or permit to be made, a statement, promise or forecast, where the VASP is reckless as to whether the advertisement, brochure, document, statement, promise or forecast, in a material particular (i) is false or misleading; or (ii) contains an incorrect statement of fact; or

21 (c) dishonestly conceal a material fact, whether in connection with an advertisement, brochure or similar document, statement, promise or forecast, or otherwise. (2) If the Commission is of the opinion that an advertisement, brochure or other similar document issued, or to be issued, or a statement, promise or forecast made, or to be made, by or on behalf of a VASP contravenes subsection (1) or is contrary to the public interest, it may (a) direct the VASP in writing not to issue the document, or not to make the statement, promise or forecast, or to withdraw it; or (b) grant approval to the VASP to issue the document, or make the statement, promise or forecast, with such changes as the Commission may specify. (3) Subsection (2) does not limit the powers of the Commission to take enforcement action in accordance with section 42. AML/CFT compliance 25. (1) Without derogating from section 3(2), every VASP shall take appropriate steps to comply with the requirements of this Act and other enactments relating to money laundering, terrorist financing and proliferation financing and shall, for that purpose, put in place appropriate systems and procedures to ensure such compliance. (2) As part of, and in addition to, its customer due diligence obligations under other enactments relating to money laundering, terrorist financing and proliferation financing, a VASP shall adopt measures to assist it in (a) tracing and collecting the Internet Protocol (IP) addresses of its customers, including their associated dates, stamps, geographical data, device indicators, virtual assets wallet addresses and transaction hashes; and (b) collecting such other information relating to its customers as is consistent with the Data Protection Act, No. 3 of 2021. Obligations in relation to the Commission 26. (1) A VASP shall, at all times, cooperate with the Commission in ensuring the VASP’s compliance with the requirements of this Act and any other enactment relating to a regulated activity which applies to a VASP, including compliance with other enactments relating to money laundering, terrorist financing and proliferation financing. (2) A VASP shall (a) provide the Commission with such documents and information as the Commission may require for the purpose of discharging its functions under this Act, the FSCA and any other enactment in relation to which the Commission has functions with respect to the VASP; and (b) forthwith notify the Commission if (i) the VASP is registered or licensed in another jurisdiction;

22 (ii) the VASP opens another office or establishes a physical presence in another jurisdiction; (iii) any enforcement action (whether in the nature of a censure or a regulatory or disciplinary action or otherwise) is taken, or criminal proceedings are brought, against the VASP in the Virgin Islands or in another jurisdiction; (iv) the VASP holds or acquires a significant interest or controlling interest in another entity, whether in the Virgin Islands or otherwise, that is engaged in the business of providing a virtual assets service; or (v) the VASP no longer meets any of the matters specified in section 7(1). (3) For the purposes of subsection (2)(a), if the Commission considers that any information provided by a VASP is inaccurate or incomplete or is not verified in a manner prescribed by law or by the Commission in the exercise of any of its powers, the Commission may, by notice and within such time as it may specify in the notice, require the VASP to (a) provide amended or additional information to the Commission; or (b) verify the information in such manner as may be specified in the notice. PART IV VIRTUAL ASSETS CUSTODY AND EXCHANGE VIRTUAL ASSETS CUSTODY SERVICE Virtual assets custody service additional information required 27. (1) A VASP that wishes to provide a virtual assets custody service shall include in its application under section 6(1) information on the following. (a) the facilities the VASP has to enable the safekeeping of virtual assets and related instruments; (b) the security measures in place to ensure the safekeeping of virtual assets and related instruments, including internal safeguards; (c) the measures in place to ensure a proper segregation of client assets; (d) the disclosure measures in place to ensure the transparency of the VASP’s operations, including notifications to clients regarding the safety of their virtual assets and related instruments; (e) the risks associated with the VASP’s safekeeping arrangements; (f) the methods of access to clients’ virtual assets held; and (g) any other measures the VASP has in place that are considered to be in the best interest of the beneficial owners of the virtual assets or related instruments held by the VASP.

23 (2) In addition to the information required under subsection (1), the Commission may require such further information as it considers appropriate and within such period as it may determine. (3) Where information required under subsection (1) or, where further information required by the Commission in accordance with subsection (2) is not provided within the period determined by the Commission, the application for approval shall be considered incomplete and abandoned. Virtual assets custody service conditions for registration 28. The Commission may approve and register, pursuant to section 7(1), an applicant as a VASP to provide a virtual assets custody service if satisfied that, in addition to the applicant complying with the requirements of Parts II and III (a) the applicant has provided the information required under section 27(1) and, if applicable, the further information required under subsection (2) thereof; (b) the applicant has taken appropriate measures to limit or mitigate any risks that may be associated with its safekeeping arrangements in respect of the assets of its clients and any related instruments; (c) the applicant has adequate security and other measures in place to properly safeguard the virtual assets of its clients and any related instruments; (d) the organisation, management and financial resources of the applicant are or, on approval will be, adequate to ensure the safekeeping of virtual assets and related instruments; and (e) it is not against the public interest to approve the applicant. Obligations and restrictions 29. (1) A VASP that is registered by the Commission to provide virtual assets custody service shall take appropriate steps to safeguard the virtual assets and related instruments against theft and loss. (2) Without prejudice to subsection (1), the VASP shall also undertake the following functions in relation to virtual assets and related instruments (a) enter into safekeeping arrangements with the owner of a virtual asset and related instruments with respect to (i) the duration of the safekeeping arrangements and whether or not such arrangements are renewable and, if so, on what terms; (ii) the manner in which the virtual assets and related instruments are to be held and maintained; (iii) the transactions that the VASP can engage in and how such transactions are to be conducted; (iv) the required disclosures relating to any risks associated with the safekeeping of the virtual assets and related instruments and the mitigating factors that should be employed thereby;

24 (v) the fees, spreads and any other remuneration payable to the VASP for safekeeping the virtual assets and related instruments; (vi) the manner in which clients may access their virtual assets and related instruments; (vii) the manner in, and conditions under, which the safekeeping arrangements may be terminated; (viii)the provision of information to the client regarding the security measures the VASP has in place to protect the virtual assets and related instruments; (ix) the remedies that may be available to the owner of the virtual assets and related instruments in the event of the theft or loss thereof; and (x) such other matter as the owner and the VASP may agree to include in the safekeeping arrangement, or the Commission may specify in an Order published on the Internet site; (b) source and adopt best practices in relation to information technology to be applied to the safekeeping of virtual assets and related instruments the VASP maintains on behalf of the owner; (c) ensure that any ancillary or subsidiary proceeds relating to virtual assets and related instruments accrue to the benefit of the owner of the virtual assets, unless otherwise agreed between the parties; and (d) take such other measures as may be necessary to safeguard the virtual assets and related instruments held on behalf of third parties. (3) A VASP shall not, unless specifically agreed with the beneficial owners of the virtual assets held by the VASP, encumber or cause to be encumbered the virtual assets deposits held or maintained on behalf of the VASP’s clients. VIRTUAL ASSETS EXCHANGE Virtual assets exchange requirements 30. (1) A VASP that wishes to operate a virtual assets exchange shall comply with such requirements and contain such information as may be prescribed in regulations made under section 47 and any additional requirements the Commission considers necessary for its approval of an application to operate a virtual assets exchange, including measures for the facilitation and protection of virtual assets trading on a virtual assets exchange. (2) Where a requirement or any information required pursuant to subsection (1), or where additional information required by the Commission in accordance with that subsection, is not provided within such time frame as the Commission may determine, the application for approval shall be considered incomplete and abandoned.

25 Virtual assets exchange conditions for registration 31. (1) Subject to subsection (2), the Commission may approve and register, pursuant to section 7(1), an applicant as a VASP to operate a virtual assets exchange if satisfied that, in addition to the applicant complying with the requirements of Parts II and III, the applicant has satisfied any requirements prescribed in regulations made under section 47, including any additional information required by the Commission in accordance with section 30(2). (2) In making a determination under subsection (1), the Commission shall consider whether (a) the virtual assets exchange (i) shall, if approved, engage in the operation of a virtual assets exchange by listing or facilitating the issuance of virtual assets; (ii) has or, on approval will have, in place, appropriate organisational, managerial and financial resources to ensure the proper operation of the virtual assets exchange; and (iii) has in place adequate measures to monitor and mitigate any risks related to the operation of the virtual assets exchange, including risks related to money laundering, terrorist financing and proliferation financing; and (b) approving the virtual assets exchange is not against the public interest. Restrictions and prohibitions 32. (1) In approving and registering an applicant under section 7(1) to operate a virtual assets exchange, the Commission may, without limiting subsection (3)(b) thereof, impose conditions relating to (a) the geographic area the virtual assets exchange may carry on its business; (b) the nature of the access of users to the virtual assets exchange; (c) the types of clients that the virtual assets exchange may market its services to; (d) restrictions on the types of virtual assets that may be traded on the virtual assets exchange; (e) the listing of virtual assets, including issues relating to filing reports and providing net worth with respect thereto; (f) identifying and managing conflicts of interest; (g) price discovery mechanisms designed to detect and prevent price manipulation and other unfair trading activities; (h) disclosures to be made to clients in relation to the operation of the virtual assets exchange, including disclosures relating to theft or loss of assets and any related insurance obligations;

26 (i) the need to appropriately monitor and supervise trading activities on the virtual assets exchange, including actions concerning the freezing and suspension of trading of virtual assets; (j) the technology used in the operation of the virtual assets exchange, including measures relating to the resiliency of the exchange and the security measures in place to safeguard the exchange; (k) the clearing and settlement process in relation to transactions between sellers and purchasers of virtual assets; (l) financing in relation to the purchase of virtual assets; and (m) any other necessary control measures to safeguard the integrity of the virtual assets exchange and protect the interests of persons investing on the exchange. (2) A VASP that is registered to operate a virtual assets exchange shall not (a) provide financing to its clients for the purchase of virtual assets, unless (i) it applies to, and obtains the approval of, the Commission; and (ii) after obtaining the requisite approval under sub-paragraph (i), it makes disclosures to its clients regarding the terms of, and the risk associated with, the financing; (b) engage in trading or marketing activities in relation to any virtual assets for its own benefit which may be detrimental to the interests of its clients, unless such activities (i) are necessary for the operation of the virtual assets exchange; and (ii) have been disclosed to its clients prior to engaging in the trading or marketing activities; (c) permit the trading of a virtual asset on its virtual assets exchange in a manner that is misleading or deceptive, or designed to defraud persons who subscribe for, or purchase, the virtual asset; (d) permit a client to trade in or purchase a virtual asset on its virtual assets exchange without first (i) satisfying itself that the client is aware of the risks involved in trading in, subscribing for, or purchasing, the virtual asset; and (ii) making the disclosures required under this section; (e) provide fiat currency-to-fiat currency exchange services to users of its virtual assets exchange without the written approval of the Commission; or (f) engage in any other activity not specified in paragraphs (a) to (e) which has the potential to compromise the integrity of the virtual assets exchange or erode public confidence in the exchange. (3) For purposes of subsection (2)(a), the provisions of the Financing and Money Services Act, Revised Edition 2020, shall not apply.

27 PART V PARTICIPATION IN THE REGULATORY SANDBOX Interpretation for this Part 33. In this Part, unless the context otherwise requires (a) the terms “innovative FinTech”, “Regulatory Sandbox” and “Sandbox participant” bear the meanings respectively provided in regulation 2 of the Financial Services (Regulatory Sandbox) Regulations, 2020; and (b) “regulatory legislation” means any financial services legislation that is listed in Part I of Schedule 2 of the FSCA. Application to provide innovative FinTech 34. (1) A VASP may be permitted to participate in the Regulatory Sandbox by submitting an application to the Commission for approval. (2) Where a VASP that is not registered under this Act or approved under the Financial Services (Regulatory Sandbox) Regulations, 2020 wishes to carry on a virtual assets service and provide innovative FinTech in accordance with the Financial Services (Regulatory Sandbox) Regulations, 2020, it (a) may submit an application to the Commission in accordance with those Regulations for approval as a sandbox participant; and (b) shall indicate in the application its intention to carry on the business of providing virtual assets service in relation to which the innovative FinTech will be applied. (3) Where prior to the coming into force of this Act, a person who was approved by the Commission under the Financial Services (Regulatory Sandbox) Regulations, 2020 to be a Sandbox participant wishes, after the coming into force of this Act and upon being registered as a VASP, to provide innovative FinTech in relation to virtual assets, the person shall (a) notify the Commission in writing in that regard; and (b) provide the innovative FinTech in relation to virtual assets after receiving the written approval of the Commission under section 35 and, for the purposes of that section, the notification under paragraph (a) shall be treated as if it were an application. (4) A person who submits an application under subsection (1), (2) or (3) shall (a) in the case of an application to provide a virtual assets service, provide to the Commission the information required under section 6; (b) in the case of an application to provide a virtual assets custody service, provide to the Commission the additional information required under section 27;

28 (c) in the case of an application to operate a virtual assets exchange, comply with any requirement outlined under or pursuant to section 30(1); and (d) upon approval, comply with the requirements and restrictions provided under this Act in relation to transactions involving virtual assets, including the provision of virtual assets custody service or the operation of a virtual assets exchange if approval is received in that regard. Approval to provide innovative FinTech 35. (1) Where the Commission, upon reviewing an application under section 34 (1) or (2) or receiving a notification under subsection (3) of that section, is satisfied that, having regard to the provisions of this Act with respect to an application for approval to provide a virtual asset service, it may, subject to subsection (4), approve the application and issue the applicant with a certificate of approval. (2) A person who is approved under subsection (1) in relation to an application under section 34(1) or (2) or a notification under subsection (3) of that section shall (a) be deemed to be approved as a Sandbox participant under the Financial Services (Regulatory Sandbox) Regulations, S.I. No. 27 of 2020; (b) comply with the requirements and restrictions of the Financial Services (Regulatory Sandbox) Regulations, S.I. No. 27 of 2020, so long as the person remains in the Regulatory Sandbox; and (c) subject to subsection (3), comply with the requirements and restrictions under this Act in relation to virtual assets. (3) Where the Commission considers it necessary in any particular case or class of cases, it may exempt a person approved under subsection (1) from the requirements of any provision of this Act, but such exemption shall not extend to requirements relating to money laundering, terrorist financing and proliferation financing. (4) Nothing contained in this section shall be construed to exempt a person from complying with the requirements of regulation 4 (2) of the Financial Services (Regulatory Sandbox) Regulations, S.I. No. 27 of 2020, and, if applicable, sub￾regulation (3) thereof, in relation to an application for approval as a Sandbox participant. (5) If the Commission does not approve under this section an application made in accordance with section 34, it shall notify the person concerned with the application in writing, providing the Commission’s reason for the refusal of approval. Termination of approval as a Sandbox participant 36. (1) Where a person is granted an approval in accordance with section 35, the approval may only be terminated in accordance with the provisions of the Financial Services (Regulatory Sandbox) Regulations, S.I. No. 27 of 2020, or for

29 failure to comply with a requirement of this Act or the FSCA or any directive given thereunder. (2) Where a person approved as a Sandbox participant ceases to participate in and test within the Regulatory Sandbox on the basis that the period specified in accordance with the provisions of the Financial Services (Regulatory Sandbox) Regulations, S.I. No. 27 of 2020, has come to an end, the person may, if he or she (a) was approved pursuant to an application under section 34(1) (i) revert to providing virtual assets service under this Act without the need for preparing and submitting a new application to the Commission; or (ii) surrender the certificate of registration issued under this Act and cease to carry on the business of providing virtual assets service; (b) was approved pursuant to an application under section 34(2), apply to (i) be licensed under a regulatory legislation; or (ii) be registered under this Act to provide virtual assets service only; or (c) was approved pursuant to an application under section 34 (3), apply to be licensed under a regulatory legislation. PART VI MISCELLANEOUS Register 37. (1) The Commission shall establish and maintain a Register of VASPs which shall be divided in a way that shows the VASPs that are (a) registered to carry on the business of providing virtual assets service; (b) registered to provide virtual assets custody service; (c) registered to operate virtual assets exchange; (d) registered to carry on more than one of the activities mentioned in paragraphs (a), (b) and (c); and (e) approved to participate in the Regulatory Sandbox. (2) A person may, upon payment of such fee as may be prescribed in accordance with section 45 (a) inspect the Register kept and maintained pursuant to subsection (1); or (b) request a certified or uncertified copy or extract of a certificate of registration of a VASP.

30 (3) A document or a copy or an extract of any document or a certificate of registration or any part thereof, whether in paper or electronic form, certified by the Commission is admissible in evidence in any proceedings as if it were the original document or certificate of registration. Cancellation of certificate of registration 38. (1) A VASP that is registered to provide a virtual assets service under this Act may apply to the Commission to cancel its registration by surrendering its certificate of registration issued under section 7(3). (2) Where the Commission receives an application under subsection (1), it may, if it considers it appropriate, cancel the VASP’s certificate of registration. (3) The cancellation of registration under subsection (2) is without prejudice to (a) the discharge of any legal obligation outstanding against the VASP seeking the cancellation of registration under this Act, the Financial Services (Regulatory Sandbox) Regulations, S.I. No. 27 of 2020, FSCA or any other enactment; or (b) any rights the Commission or a third party may have or bring against the VASP that was the holder of the certificate of registration. Revocation of registration 39. (1) The Commission may, subject to subsection (3), revoke a certificate of registration issued under section 7(1) if it forms the opinion that the VASP holding the certificate of registration (a) has committed a money laundering, terrorist financing or proliferation financing breach or other financial offence which is considered by the Commission to be sufficiently serious to warrant a revocation of the certificate of registration; (b) is no longer able to meet the requirements of this Act or any directive issued by the Commission under this Act, the FSCA or any other relevant financial services legislation; (c) had, at the time of applying for registration under this Act, provided information which was materially false or misleading; (d) no longer satisfies any of the considerations specified under section 7(1) on the basis of which the registration or approval was granted; (e) is providing a virtual assets service that poses a material risk to (i) persons who subscribe for, or purchase, virtual assets or have already subscribed for, or purchased, such assets; (ii) the financial services industry; (iii) the public welfare or reputation of the Virgin Islands; or (iv) the financial stability of the Virgin Islands; or (f) has otherwise engaged in conduct that is incompatible with

31 (i) the objective of registration under this Act to provide a virtual asset service; or (ii) a condition attached to the issuing of the certificate of registration. (2) The Commission may also revoke a certificate of registration referred to in subsection (1) if it forms the opinion that it is not in the public interest that the VASP holding the certificate of registration should continue to hold such certificate. (3) The Commission shall, before revoking a certificate of registration under subsection (1) or (2), notify the person holding the certificate of registration of the Commission’s intention to revoke the registration, giving its reason for the intention. (4) A person who receives a notification under subsection (3) may, within 21 days after receipt of the notification, submit a response to the Commission (a) not opposing the Commission’s intention to revoke the person’s certificate of registration; or (b) opposing the Commission’s intention to revoke the certificate of registration and giving his or her reason for the opposition. (5) Where the Commission receives a response under subsection (4) within the specified period and after considering the response, it may (a) carry out its intention to revoke the certificate of registration; or (b) take such other decision as it considers appropriate. (6) The Commission may act under subsection (5) if it does not receive any response pursuant to subsection (4). (7) Where the Commission forms the opinion that any of the matters outlined in subsection (1) or (2) is of a grave nature, it may, at the same time as providing the notification under subsection (3), direct the person concerned to suspend any business or activity relating to the provision of virtual assets service, and such directive shall remain in force pending the outcome of the Commission’s decision under subsection (5). (8) For the avoidance of doubt, the Commission may revoke a registration under this Act notwithstanding that the person registered or approved is also approved as a Sandbox participant in relation to virtual assets. (9) Where a person registered under this Act is also approved as a Sandbox participant in accordance with section 35 and the person’s registration is revoked under this section, the person shall, from the date of revocation of registration, cease to be deemed approved as a Sandbox participant under section 35(2)(a). (10) For the purposes of subsection (1)(a), a “financial offence” means an offence under any financial services legislation, including drug money laundering or the breach of any international or domestic sanction prescribed by or under any enactment. Existing providers of virtual assets service 40. (1) If, on the coming into force of this Act, a person was carrying on the business of providing a virtual assets service in and from within the Virgin Islands,

32 the person shall, if he or she intends to continue with the provision of the virtual assets service, submit an application for registration in accordance with the requirements of this Act. (2) An application under subsection (1) shall be made within 6 months of the date of coming into force of this Act. (3) Where the Commission receives an application within the time frame specified in subsection (2), the person carrying on the business of providing the virtual assets service may continue to provide such service until he or she receives notification from the Commission approving or refusing the application. (4) For the purposes of subsection (3), a person providing virtual assets service shall be deemed to have received notification from the Commission approving or refusing the application for registration (a) if sent by post, at the time when the envelope containing the notification would have been received in the ordinary course of post; (b) if by direct delivery, the document containing the notification is received by the applicant or by a secretary or clerk at the applicant’s office, whether or not the receipt of the document has been signed for; or (c) if sent by email, the notification is shown to have been electronically sent to the correct address. (5) Where a person receives notification from the Commission refusing an application made in accordance with this Act, the person shall, subject to subsection (6), immediately after receipt of the notification cease to provide virtual assets service in and from within the Virgin Islands. (6) Where the Commission refuses an application in accordance with subsection (3) but forms the view that the applicant needs time to wind down its business in an orderly manner, it may give the applicant such time as it considers necessary to wind down its business. (7) The Commission may, where it considers it necessary having regard to the nature and complexity of the applicant’s business or other extenuating circumstance, extend the time given to the applicant under subsection (6) to wind down its business. (8) Any extension of time given under subsection (7) shall be such as the Commission may consider fair and reasonable. Appointment of compliance officer 41. (1) Every VASP shall, unless otherwise exempted under the Financial Services (Miscellaneous Exemptions) Regulations, Revised Edition 2020, establish and maintain adequate systems and controls for ensuring compliance with the requirements of, and its obligations under, this Act. (2) For the purposes of subsection (1), sections 34, 34A (as applicable) and 35 of the FSCA and Division 4 of Part II of the Regulatory Code, Revised Edition 2020, shall apply to a VASP with such modifications as may be necessary to ensure the VASP’s compliance with the requirements of, and obligations under,

33 those sections of the FSCA and Division 4 of Part II of the Regulatory Code, Revised Edition 2020. Enforcement powers 42. (1) The Commission may take enforcement action against a VASP or other person if the VASP or that other person commits a breach or an an offence in respect of any provision of this Act. (2) Any enforcement action taken against a VASP or other person under subsection (1) may include the imposition of an administrative penalty. (3) The fines prescribed under the Schedule may, notwithstanding section 46, be treated as administrative penalties for the purposes of subsections (1) and (2), and a VASP or other person may not be proceeded against criminally under section 46 if the Commission has, in respect of that VASP or other person, exercised its power to impose an administrative penalty. (4) Without prejudice to subsections (1) and (2), the Commission may, whether in addition to taking any enforcement action under this section or otherwise in respect of a VASP or other person, exercise in relation to the VASP or other person (as applicable) any of its powers under the FSCA relating to (a) section 36 (appointment of examiners); (b) section 36A (appointment of qualified person); (c) section 37 (enforcement action, but only to the extent that such enforcement action, including power exercisable, is not prescribed under this Act); (d) section 37A (public statement); (e) section 39 (application for a protection order); (f) section 40 (power to issue directive); (g) section 40A (power to issue practice directions); (h) section 40D (power to require removal of directors and other persons); and (i) section 41A (power to issue guidelines). (5) For the purposes of subsection (4), the sections specified therein shall be applied with such modifications as may be necessary to make them applicable (a) to a VASP or other person; (b) in relation generally to the provision of virtual assets in and from within the Virgin Islands; or (c) for the purpose of taking enforcement action under this Act. (6) A person commits a breach or an offence under this Act if he or she contravenes or fails to comply with a provision of this Act in relation to which a penalty is prescribed in the Schedule. General powers of the Commission 43. (1) The Commission may, where it considers it necessary, require a VASP to provide the Commission with such report in relation to its obligations,

34 operations and business activities with respect to the provision of a virtual assets service as the Commission may determine. (2) The report required under subsection (1) shall be provided in such manner and within such period as the Commission may determine and may include a requirement to provide interim reports. Exemptions 44. Notwithstanding anything to the contrary contained in this Act, a person registered under this Act (a) is not required to be licensed under the Business Licensing Act, 2022 to carry on the business of providing a virtual assets service in and from within the Virgin Islands; or (b) who carries on only the business of providing a virtual assets service, need not be licensed under the Securities and Investment Business Act, Revised Edition 2020, or the Financing and Money Services Act, Revised Edition 2020. Fees, charges, etc. 45. (1) Regulations made under section 62 of the FSCA may provide for the fees chargeable and payable under this Act. (2) The Commission may refuse to take any action required of it with respect to a person registered or approved under this Act for which a fee is payable until the fee and any other fees, penalties and charges payable by, or in respect of, the person have been paid. (3) Any fee, charge or penalty that is owed to the Commission under this Act may be recovered as a debt due to the Commission. Offences and penalties 46. (1) Subject to section 40 (2), a person who contravenes or fails to comply with a provision of this Act specified in Column 1 of the Schedule and described in Column 2 of that Schedule commits an offence and, if proceeded against criminally, is liable on conviction up to the maximum of the penalty provided (a) in Column 3 of that Schedule, in the case of a body corporate or an unincorporate body; or (b) in Column 4 of that Schedule, in the case of an individual. (2) Where an offence is committed by a body corporate or an unincorporate body, a director, partner and every senior officer of the body corporate or unincorporate body who knowingly authorised, permitted or acquiesced in the commission of the offence also commits an offence and, if proceeded against criminally, is liable on conviction to the same penalty prescribed for the body corporate or unincorporate body. Regulations 47. (1) The Cabinet may, on the advice of the Commission, make such regulations as it considers fit for the effective carrying out of the provisions of this Act.

35 (2) Without prejudice to subsection (1), the regulations may (a) require additional information to be provided for the registration of a VASP; (b) provide for additional technology measures to be adopted in relation to the provision of a virtual assets service; (c) make provision for additional disclosure requirements in relation to virtual assets; (d) specify such measures as may be considered necessary to ensure a proper and efficient keeping of records required under this Act, including the management and safeguarding of client assets; (e) prescribe the form, manner and place in which the records specified in section 22(1) are to be maintained, and other records required to be maintained by a VASP and the form, manner and place in which such records are to be maintained; (f) provide for the Register of VASPs kept and maintained pursuant to section 37(1) to contain additional information; (g) provide the nature and extent of insurance arrangements required in relation to virtual assets with a view to ensuring the adequate protection of the assets of persons who subscribe for, or purchase, virtual assets; and (h) specify such other measures as may be necessary to ensure compliance with the requirements of this Act. (3) Regulations made under subsection (1) may provide for the Commission to impose administrative penalties not exceeding $75,000 for a contravention of, or non-compliance with, a provision of the Regulations. Application of Regulatory Code 48. (1) Subject to the other provisions of this Act, the Preliminary Part and Parts I, II and VII of the Regulatory Code, Revised Edition 2020, shall apply to a VASP and, for that purpose, the Commission may (a) apply the provisions of those Parts of the Code to such extent and with such modification as it considers appropriate; and (b) provide for new matters in the Code in relation to VASPs to ensure full compliance with the objectives and requirements of this Act. (2) Without prejudice to subsection (1), the Regulatory Code, Revised Edition 2020, may (a) prohibit the issue of advertisements, brochures or similar documents relating to virtual assets activities of a particular type or description, whether as to the contents of the advertisement, brochure or other document or the persons for whom they are intended; (b) provide for (i) the issue, form and content of advertisements, brochures or similar documents; and

36 (ii) the making of statements, promises and forecasts, relating to virtual assets business; (c) provide for the form and content of group financial statements to be submitted under section 19; and (d) provide for the holding, control and handling of, and the accounting for, client assets by a VASP and, in particular, it may provide for (i) the manner in which client assets are to be identified, or made identifiable, segregated, accounted for and protected; (ii) the opening and maintenance of client accounts and the payment of monies into client accounts; (iii) the audit of client accounts and record keeping requirements concerning client assets; (iv) how interest and other monies earned with respect to client assets is to be dealt with; (v) circumstances in which client assets held by a VASP are deemed to be held on trust for the client; and (vi) such other matters relating to the custody and control of client assets by a VASP as the Commission considers appropriate. Amendment of Schedule 49. The Cabinet may, on the advice of the Commission, by Order amend the Schedule in such manner and to such extent as it considers necessary.

37 SCHEDULE [Section 46] OFFENCES AND PENALTIES COLUMN 1 Section contravened COLUMN 2 Description of offence COLUMN 3 Penalty (body corporate/unincorporate body) COLUMN 4 Penalty (individual) 5(1) 5(2) Carrying on virtual assets service without being registered Individual carrying on or holding out as carrying on virtual assets service $100,000 or 5 years imprisonment or both $75,000 or 5 years imprisonment or both $75,000 or 5 years imprisonment or both 8(1) & (2) 8(3) Failure to notify Commission of material change Failure to comply with a directive $75,000 or 3 years imprisonment or both $50,000 $50,000 or 3 years imprisonment or both $30,000 9(1) 9(3) Changing name without approval Failure to comply with a directive $20,000 $50,000 $10,000 $30,000 10(2) Failure to notify of non￾compliance under subsection (1) $75,000 or 3 years imprisonment or both $50,000 or 3 years imprisonment 11(1), (2) Failure to maintain 2 individual directors; or, if required, not having one director physically resident in the Virgin Islands $25,000 $15,000

38 11(3) Appointing director or senior officer without approval $25,000 $15,000 12(1) 12(7) 12(9) Failure to appoint and have an authorised representative Failure to appoint a replacement authorised representative within the prescribed period Acting or holding oneself to act as authorised representative without approval or appointment $25,000 $25,000 $50,000 or 3 years imprisonment $15,000 $15,000 $30,000 or 3 years imprisonment 14(1) 14(6) 14(7) 14(8) Failure to appoint and have an auditor Failure to submit notice of appointment of auditor Failure to make arrangement for auditor to audit financial statements Failure to appoint a replacement auditor within the prescribed period $25,000 $15,000 $40,000 $25,000 $20,000 $10,000 $40,000 $20,000 15(2) Failure of VASP to provide auditor with copy of notice revocation $20,000 $15,000 16(1) 16(2) Failure of auditor to make a report Failure of auditor to inform Commission of termination or resignation, or report information $25,000 $25,000 $20,000 $25,000

39 16(3) Failure of auditor to discuss audit or provide additional information required by the Commission $25,000 $20,000 17(2) 17(3) Failure of auditor to provide audit report to VASP Failure of VASP to supply Commission with a report $50,000 $50,000 $40,000 $40,000 18(1) Failure of VASP to submit copy of auditor’s report to the Commission $75,000 $50,000 20(1) 20(2) Failure of VASP to report information Failure to report amended or additional information $50,000 $50,000 $40,000 $40,000 21(1) 21(2) 21(3) Selling, transferring, etc. of interest or part thereof in VASP without approval Acquiring significant interest in VASP without approval Causing, permitting, etc. in disposal or reorganisation of share capital without approval $60,000 $50,000 22(1) 22(2) Failure to keep sufficient records Failure to maintain customer due diligence information $75,000 or 5 years imprisonment or both $75,000 or 5 years imprisonment or both $50,000 or 3 years imprisonment $50,000 or 3 years imprisonment

40 22(4) Failure to maintain records for the prescribed period $75,000 or 5 years imprisonment $50,000 or 3 years imprisonment 23(1) Failure to comply with requirements in relation to client assets $75,000 $50,000 24(1) 24(2) Failure to comply with any of the prohibitions identified in subsection (1) Failure to comply with a directive not to issue document or make statement, promise or forecast $100,000 or 5 years imprisonment or both $100,000 or 5 years imprisonment or both $75,000 or 5 years imprisonment $75,000 or 5 years imprisonment 25(1) 25(2) Failure to take appropriate steps to comply with AML/CFT requirements or to put systems and procedures in place Failure to adopt measures to trace and collect information identified in subsection (2) $100,000 or 5 years imprisonment or both $100,000 or 5 years imprisonment or both $75,000 or 5 years imprisonment $75,000 or 5 years imprisonment 26(1) 26(2) 26(3) Failure to cooperate with the Commission Failure to provide Commission with required documents and information or notify the Commission, in accordance with subsection (2) Failure to comply with notice to provide amended or additional $50,000 $50,000 $30,000 $40,000 $50,000 $20,000

41 information or verify such information 29(1) 29(2) 29(3) Failure to take steps to safeguard virtual assets and related instruments Failure to undertake any of the functions outlined in subsection (2) in relation to virtual assets Encumbering or causing to be encumbered virtual assets deposits on behalf of clients without agreement of beneficial owners of the virtual assets $100,000 or 5 years imprisonment or both $50,000 $100,000 or 5 years imprisonment or both $75,000 or 5 years imprisonment $30,000 $75,000 or 5 years imprisonment 32(2) Providing, engaging or permitting any of the activities outlined in subsection (2) contrary to the restrictions contained in the subsection $100,000 or 5 years imprisonment or both $75,000 or 5 years imprisonment 34(1) 34(4)(d) VASP providing innovative FinTech without approval Failure to comply with requirements and restrictions in relation to transactions involving virtual assets $100,000 or 5 years imprisonment or both $100,000 or 5 years imprisonment or both $75,000 or 5 years imprisonment $75,000 or 5 years imprisonment 40(5) Failure to cease providing virtual assets service after receipt of notification in that regard $100,000 or 5 years imprisonment or both $75,000 or 5 years imprisonment 41(1) Failure to establish and maintain adequate systems and controls to ensure compliance with $50,000 $40,000

42 requirements and obligations under the Act 43(3) Failure to provide report in the manner, and within the period, prescribed $25,000 $20,000 Passed by the House of Assembly this 24th day of November, 2022. Corine N. George-Massicote, Speaker. Phyllis Evans, Clerk of the House of Assembly.