2024-04-22 | 3683

Digital Asset Service Providers AML/CFT/CPF Risk Management Guide

The National Commission of Digital Assets (CNAD) issues this guide to establish risk management requirements for Digital Asset Service Providers (DASPs) regarding money laundering, terrorist financing, and proliferation financing. The document mandates adherence to international FATF standards, including a US$1,000 customer due diligence threshold and strict implementation of the Travel Rule for virtual asset transfers. It further classifies specific DASP activities into inherent risk levels and outlines supervisory expectations for internal controls, beneficial ownership verification, and suspicious activity reporting.

El Salvador

Comision Nacional de Activos Digitales

Digital Asset Service Providers (DASPs) Money Laundering, Terrorist Financing, and Proliferation Financing of Weapons of Mass Destruction (ML/TF/PF) Risk Management Guide.

This guide is issued to provide specific guidelines for Digital Asset Service Providers (DASPs) on the application of Article 21 letter o) of the Digital Asset Issuance Law (LAID), Article 19 of the Regulation of Digital Asset Service Providers, and other applicable regulations regarding the management of ML/TF/PF risks. Those provisions establish that these supervised entities must maintain a program against Money Laundering, Terrorist Financing, and Proliferation of Weapons of Mass Destruction that complies with the Law against Money Laundering and Assets and international best practices articulated by the Financial Action Task Force (FATF). The guide comprises the regulatory framework, international standards, and the risk-based approach.

For the issuance of this Guide, the results of the National Risk Assessment on Money Laundering and Terrorist Financing, as well as the National Policy for the Prevention of Money Laundering and Assets, and Terrorist Financing (2023-2025), have been taken into account.

  1. Regulatory Framework

The legal framework applicable to DASPs regarding ML/TF/PF risk management is as follows:

a) Law against Money Laundering and Assets.
b) Regulation of the Law against Money Laundering and Assets.
c) Instruction for the Prevention, Detection, and Control of Money Laundering and Assets, Terrorist Financing, and the Proliferation of Weapons of Mass Destruction issued by the Financial Investigation Unit of the Attorney General's Office.
d) Special Law against Acts of Terrorism.
e) United Nations Convention against Illicit Traffic in Narcotic Drugs and Psychotropic Substances.
f) United Nations Convention against Transnational Organized Crime.
g) United Nations Convention against Corruption.
h) International Convention for the Suppression of the Financing of Terrorism.
i) Central American Convention for the Prevention and Repression of Money Laundering and Assets Crimes.
j) Digital Asset Issuance Law and its Regulations.

  2. Financial Action Task Force (FATF) International Standards

FATF Standards apply to both countries and DASPs, as well as to obligated entities providing services related to Digital Assets. In general, where a DASP carries out financial activities covered by the FATF Recommendations, it is expected to adopt ML/TF/PF prevention measures similar to those of that sector.

Of the 40 Recommendations issued by FATF, the following are especially applicable and relevant to Digital Asset Service Providers:[1]

a) Risk assessment (Recommendation 1).
b) Customer due diligence (Recommendation 10).
c) Record keeping (Recommendation 11).
d) Politically exposed persons (Recommendation 12).
e) Correspondent banking (Recommendation 13).
f) New technologies (Recommendation 15).
g) Electronic transfers (Recommendation 16).
h) Reliance on third parties (Recommendation 17).
i) Establishment of internal controls and foreign branches and subsidiaries (Recommendation 18).
j) Higher-risk countries (Recommendation 19).
k) Submission of suspicious transaction reports (Recommendation 20).
l) Protection for disclosure and confidentiality (Recommendation 21).

Likewise, all preventive measures must be applied, with two particularities:

a) The threshold designated for an occasional operation from which DASPs must perform customer due diligence (CDD) is US$1,000.00.
b) The rules on electronic transfers established in Recommendation 16 apply to DASPs and virtual asset transfers in the form of the "Travel Rule".

Under Article 84-B, numeral 1, letter e) of the Instruction of the Financial Investigation Unit (UIF), the "Travel Rule" comprises all customer and operation records that make it possible to know the origin and destination of transactions with Digital Assets. In particular, the "Travel Rule" is intended to ensure that, for a virtual asset transfer, the originating DASP obtains and maintains the required and accurate information on the originator and the required information on the beneficiary, sends that information to the beneficiary DASP or financial institution (if applicable) immediately and securely, and makes it available to competent authorities, including this Commission.

The information that may be included in the "Travel Rule" comprises:

(i) the date of the operation;
(ii) the type and quantity of each virtual currency;
(iii) the name of the institution, its address, the nature of its main activity or occupation, and, in the case of a person, their date of birth;
(iv) the name and address of the beneficiaries;
(v) the number of each account affected by the transaction, the type of account, and the name of each holder;
(vi) each reference number related to the transaction and having a function equivalent to that of an account number;
(vii) each transaction identifier, including sending and receiving addresses; and
(viii) the exchange rates used and their source.

[1] Guide for the Regulation of AML/CFT of Virtual Assets and Virtual Asset Service Providers in the GAFILAT Region, August 2023.

Under no circumstances shall DASPs cease to collect and store information to be used via the "Travel Rule" in Digital Asset transfers, regardless of the amount of the operation.

  3. Beneficial Owners

DASPs must exercise special care and diligence in the application of Article 21-A of the Instruction for the Prevention, Detection, and Control of Money Laundering and Assets, Terrorist Financing, and the Proliferation of Weapons of Mass Destruction issued by the Attorney General of the Republic, in the sense that every DASP, as an obligated subject under the ML/TF/PF prevention regulations, must identify and verify the identity of the beneficial owner of persons or legal structures, obtaining information on the identity of the natural person or persons who, ultimately, hold the majority shareholding of the legal entity.

Compliance with this regulatory obligation has special relevance in transfers or exchanges carried out with Digital Assets.

  4. Suspicious Operations

As a consequence of the adequate implementation of Customer Due Diligence (CDD), DASPs must identify, document, and report to the Financial Investigation Unit (UIF) those operations that may be considered irregular, inconsistent, or that do not relate to the type of economic activity of the client.

Attention is drawn to the obligation contained in Article 9-A of the Law against Money Laundering and Assets, under which every obligated subject, as is the case with DASPs, must also report attempted suspicious operations to the UIF.

  5. Risk-Based Approach

Regarding the risk-based management approach, it is required that entities supervised by the National Commission of Digital Assets (CNAD) implement a risk management system, which must be understood as a strategic process carried out by the entire entity, through which they identify, evaluate, mitigate, monitor, and communicate the different types of risks to which they are exposed. Such management must be in accordance with its nature, risk profile, volume and complexity of its activities, business lines, own and third-party resources.

To execute the ML/TF/PF risk-based approach, DASPs must consider the level of inherent risk in their operations and their management as a mitigant of those risks.

a) Inherent Risk

The risk management system of each DASP must be capable of mitigating the inherent risks of authorized operations; inherent risk is the level of risk intrinsic to the activity, without taking into account the effect of controls. Accordingly, the levels of exposure to inherent risk of each activity, related to Article 19 of the Digital Asset Issuance Law, are presented below, categorized into four levels: low, moderate, above average, and high.

Inherent ML/TF/PF Risk by each authorized activity for DASPs

Activity | Inherent Risk
a) Exchange of digital assets for fiat money or equivalent or for other digital assets, whether using own capital or that of a third party. | High Risk: Transactions between digital assets and fiat money present greater risk, as it is necessary to determine the origin of funds, whether fiat money or digital assets. This is considered a very relevant entry filter against ML/TF/PF risks and therefore, an activity with high risk exposure.
b) Operating an exchange platform or marketing of digital assets or derived digital assets. | High Risk: Transactions represent greater risk if it is a hot wallet. Therefore, its risk level is high.
c) Risk and price assessment, as well as the subscription of digital asset issuances. | Moderate Risk: Since it is a technical opinion or advice, its degree of exposure is moderate. Additionally, there are other entry filters (Certifier and CNAD) more relevant that contribute to preventing ML/TF/PF risks in the issuance and exchange of digital assets. The foregoing does not exempt from the responsibility of verifying the origin of client funds for whom services are provided.
d) Placing digital assets on platforms or digital wallets. | Moderate Risk: Since there are other filters (Certifier and CNAD) to prevent ML/TF/PF risks before a DASP places a third-party issuance on the platform, this activity is considered moderate risk.
e) Promoting, structuring, and administering all types of investment products in digital assets. | Moderate Risk: Since it is a complementary and advisory service, its degree of exposure is moderate. Additionally, there are other relevant entry filters (Certifier and CNAD) that contribute to preventing ML/TF/PF risks.

In the previous table, it is highlighted that the high-risk activities are characterized by receiving fiat money, virtual assets, or hot wallets, which may come from sources for which it is unknown whether a ML/TF/PF risk management process based on international standards has been carried out. Activities such as the subscription of issuances, placement of assets in wallets, and structuring of digital assets are considered moderate risk, since the clients who undergo these processes must provide more information to DASPs. For example, in the structuring of a token for the financing of a real estate project, the issuer must present financial information, administration, and project history, and must pass through a certification and review process by the CNAD, which is necessary to provide greater confidence to investors who acquire Digital Assets.

f) The following operations when carried out on behalf and for the benefit of third parties:
f.1) Transfer digital assets or the means to access or control them, between natural or legal persons or between different acquirers, electronic wallets, or digital asset accounts. | High Risk: Transactions between digital assets and fiat money present greater risk, as it is necessary to determine the origin of funds, whether fiat money or digital assets. This is considered a very relevant entry filter against ML/TF/PF risks and therefore, an activity with high risk exposure.
f.2) Safeguard, custody, or administer digital assets or the means to access or control them. | Above Average Risk: The existence of controls to determine the provenance of assets and prevent illicit funds from entering the system is relevant. Nevertheless, this activity is considered a second filter, therefore it is rated above average.
f.3) Receive and transmit buy or sell orders for digital assets or the negotiation of derived digital assets. | Above Average Risk: The existence of controls to determine the provenance of assets and prevent illicit funds from entering the system is relevant. Nevertheless, this activity is considered a second filter, therefore it is rated above average.
f.4) Execute buy or sell orders for derived assets. | Above Average Risk: The existence of controls to determine the provenance of assets and prevent illicit funds from entering the system is relevant. Nevertheless, this activity is considered a second filter, therefore it is rated above average.

b) ML/TF/PF Risk Management

The aspects that the CNAD will evaluate in supervision visits to DASPs, to verify the existence of an effective program against Money Laundering, Terrorist Financing, and Proliferation of Weapons of Mass Destruction that mitigates inherent risks in accordance with international standards in the matter, include:

  1. Board of Directors or equivalent body: As this is the main corporate governance body of each DASP, the CNAD will verify compliance with all letters of Article 5 of the UIF Instruction.
  2. Compliance Office: Among the aspects to review are the registration with the UIF, reports of regulated operations, compliance with the requirements for the Principal and Alternate Compliance Officer, independence and autonomy of the Compliance Officer from operational areas, use of a risk-based approach in ML/TF/PF risk management, monitoring system, parameterization, and generated alerts.
  3. Customer Due Diligence: The reviews will evaluate the effectiveness of the standard, enhanced, and simplified due diligence processes and the Travel Rule for transfers, as well as existing processes for politically exposed persons, the definition of high-risk clients, and operations with higher-risk countries; in the case of legal persons, the process of identifying the beneficial owner and trusts will additionally be verified. The policy DASPs use for updating client information will also be verified.
  4. Other aspects: The function of Internal Audit, Training Plan for the prevention of ML/TF/PF, Institutional Code of Ethics, Information Security Policy, and its safeguard will also be evaluated.

c) Risk-Based Supervision

The inherent risks identified in the operations of each DASP, including ML/TF/PF risk, are evaluated together with the quality of their management as a mitigant, which is obtained from supervision visits. The result generates for the CNAD the Risk Map of each DASP, an important internal input for directing available resources towards those entities with greater residual risks, to which supervisory actions will be applied based on the criticality of the findings determined.

The Board of Directors of the National Commission of Digital Assets, in accordance with the legal powers established in Article 9, letter o) of the Digital Asset Issuance Law, agrees to approve and publish this guide in the session of December 22, 2023.