The Bank of Portugal has recently submitted to public consultation (Public Consultation No. 7/2022) a proposal of Notice (administrative regulation) aimed at further regulating the compliance with AML/CFT duties by entities engaged in the performance of activities related with virtual assets.
Further to the publication by the Bank of Portugal of Notice nº 3/2021, relating to the registration procedure before the Bank of Portugal of entities that carry out activities involving virtual assets, the Bank of Portugal is now hearing the market about a new administrative regulation that further regulates the duties of those entities in what regards AML/CFT. Once the Notice under public hearing is approved, and assuming that the bulk of its content is maintained, the above-mentioned obliged entities will be able to rely on a regulatory regime specifically crafted for virtual assets’ service providers. Therefore, despite the demanding nature of some of the normative options set out in the Bank of Portugal’s project, obliged entities will have a clearer view on how to comply with their duties. Among these, the following are of particular importance:
i. Obliged entities shall create an internal function for the compliance with AML/CFT duties. This internal function shall be headed by the AML/CFT Compliance Officer and integrated by employees selected based on high ethical standards and demanding technical requirements.
ii. An Executive Member of the Board shall be appointed Chief Compliance Officer for AML/CFT purposes.
iii. The Bank of Portugal defines a set of aspects that obliged entities will have to consider when conducting its ML/CFT risk assessment, namely, without limitation, the risks of each virtual assets made available to clients.
iv. Obliged entities shall comply with several requirements related with internal organization and procedures, namely in what concerns to DLT, IP tracking tools and tools to detect the use of technologies that could obscure identity or location.
v. A comprehensive outsourcing regime is defined, entrusting to obliged entities the obligation to adequately assess and mitigate the risks involved in the outsourcing.
vi. Obliged entities shall prepare a report on the internal communication of irregularities.
vii. Specific additional enhanced due diligence measures should be implemented.
Verónica Fernández | José Guilherme Gomes