AML/CFT Frameworks of Virtual Asset Service Providers: Central Bank Observations on VASP Registration Applications – Money Laundering


On July 11, 2022, the Central Bank issued a bulletin to Virtual Asset Service Providers (VASPs) outlining its regulatory expectations and exposing recurring weaknesses in VASP registrations.

As with all regulated entities, the Central Bank expects VASPs to have the necessary risk culture and the appropriate risk and control frameworks to minimize the risk of criminals using their products or services to launder money or finance terrorism.

When assessing an application for VASP registration, the Central Bank must be satisfied that the applicant’s AML/CFT policies and procedures are robust enough to effectively address the risks of money laundering and terrorist financing associated with its business model.

Please see our briefing here for more information on the VASP registration process and obligations under the Anti-Money Laundering and Counter-Terrorist Financing (AML/CTF) frameworks.

Application phase

Expectation – The Central Bank expects applicant companies to review its guidance documents and reminds them of the opportunity to attend a pre-application meeting.

Weakness – In some cases, companies did not meet information and documentation requirements. For example, policies were submitted without accompanying procedures, or an internal risk register was submitted instead of a documented risk assessment.

Assessment stage

1) Risk assessment

Expectation – A company’s AML/CFT risk assessment should focus on the specific risks arising from a company’s business model and drive that company’s AML/CFT control framework. Rigorous controls should be in place to mitigate and manage identified risks.

Weakness – AML/CFT risks specific to the business, business activities and consumers have not been assessed or documented. The companies did not demonstrate how the residual risk ratings were determined for each risk factor. Information contained in the national risk assessment or CBI guidelines has not been considered (e.g. guidance on inherent risk factors such as nature, scale, complexity, geographic risk, product and service risk) when documenting the business risk assessment.

2) Policies and Procedures

Expectation – The company must maintain a documented set of AML/CFT policies and procedures, which are supplemented by guidelines and accurately reflect operational practices. Policies and procedures must also demonstrate consideration of and compliance with Irish legal and regulatory requirements.

Weakness – Some policies and procedures submitted referenced legislative frameworks in other jurisdictions. In many cases, although policies were submitted, procedures that detail how the company implemented the policies were not provided.

3) Customer Due Diligence

Expectation – Businesses should know their customers, people claiming to act on behalf of customers and beneficial owners. Companies must also have enhanced due diligence procedures for dealing with Politically Exposed Persons (PEPs).

Weakness – Insufficient information on the purpose and intended nature of the business relationship with a customer before establishing the relationship, as well as a lack of documentation of the PEP selection processes and the PEP approval processes within the company.

4) Financial sanctions

Expectation – The Central Bank expects companies to have an effective filtering system adapted to the nature, size and risk of their activity. Companies must follow clear escalation procedures in the event of a positive match.

Weakness – Failure to document a process for selecting financial sanctions and actions to be taken in the event of financial sanctions.

5) Outsourcing

Expectation – Where a VASP registered in Ireland outsources its AML/CFT functions, a documented agreement should clearly define the obligations of the outsourcing service provider. The VASP must also retain evidence of sufficient oversight. For more information on the Central Bank’s guidelines on outsourcing, please see our briefing here.

Weakness – Several applicant companies have not submitted their outsourcing policies or service level agreements or demonstrated sufficient oversight of outsourced activities or provided evidence of assurance testing.

6) PCF

Expectation – Individual Questionnaires (IQs) for each proposed Pre-Approval Controlled Function (PCF) role holder should be submitted as soon as possible.

Weakness – A failure or delay in submitting IQs for each PCF role holder.

7) Presence in Ireland

Expectation – The Central Bank expects at least one senior management employee to be physically located in Ireland.

Although the observations of the Central Bank mainly focus on VASPs, the expectations described as well as the weaknesses observed also apply to all companies seeking authorization as a regulated entity and when these companies are required to put in place an effective anti-money laundering and counter-terrorist financing regime.

The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.
