How to apply for a British Virgin Islands virtual asset service provider licence
The British Virgin Islands’ Virtual Assets Service Providers Act 2022 (the Act) came into force on 1 February. The Act is supported by the British Virgin Islands Financial Services Commission’s (FSC) guidance on the prevention of money laundering, terrorist financing, and proliferation financing (AML/CFT/CPF) and the FSC’s guidance on the application for registration as a virtual asset service provider.
Registering as a virtual asset service provider
The Act contains a prohibition that no person should carry on, in or from within the British Virgin Islands, the business of providing a virtual asset service without being registered by the regulator in that regard. Importantly, a British Virgin Islands business company that carries on virtual asset services outside the British Virgin Islands is deemed to be carrying on the business of providing a virtual asset service from within the British Virgin Islands. The Act, therefore, applies extra-territorially.
To the extent that any person is conducting a virtual asset service, that person will need to be registered with the FSC. Any person who was conducting a virtual asset service business prior to the Act coming into force should be looking to register with the regulator within the six-month transitional window, which expires on 31 July. Failing to become registered will subject the person conducting the virtual asset-related activity to possible regulatory enforcement action or criminal sanctions.
It is important that persons who are conducting a virtual asset service business take regulatory advice to ensure that the new regime is applicable to them. Once it is determined that a person is a virtual asset service provider, they should start working on the registration application which must be filed with the regulator.
If a person who was conducting a virtual asset service prior to the Act coming into force submits an application for registration before the end of the transitional window, that person can continue to conduct that business while the regulator reviews and processes the application. This will ensure that there is no disruption to legacy business, as it would have successfully been grandfathered into the Act's regime upon the granting of a certificate of registration under the Act.
All applicants should work with their service providers to submit a full and complete application to the regulator within the transitional timeframe. Any incomplete applications run the risk of not being processed by the regulator, which can lengthen the registration timetable or lead to the application being rejected altogether.
Main considerations when applying for registration
Applicants for registration under the regime need to consider:
Governance issues: An applicant will need to consider the composition of its board of directors and must ensure that it always has two individual directors sufficient to meet the “four eyes” test. There may also be a requirement for an applicant to appoint a local resident as non-executive director.
Virtual asset service providers approved authorised representative: An applicant will need to have in place an authorised representative approved under the Act based in the British Virgin Islands, who must possess sufficient knowledge of the applicant's virtual asset service-related business, as well as an auditor.
This authorised representative will: act as the main intermediary between the virtual asset service provider and the regulator; accept service of notices and other documents on behalf of the VAS provider; and keep — in the authorised representative’s office in the British Virgin Islands — records or copies of records that are prescribed for under financial services legislation.
Ownership structure: An applicant will need to present full information on the ultimate beneficial ownership structure of the virtual asset service provider; all intermediary structures (if any) will need to be disclosed — complex structures may lead to delays.
Auditor: An applicant will need to identify an auditor who will audit its annual financial statements. The auditor will need to be approved by the regulator and will have reporting obligations to the regulator under the Act.
Business plans: An applicant's business plan will need to be as detailed as possible, and at a minimum include matters such as corporate governance, capital reserves, technological audits, liquidity, risk management strategies, consumer protection provisions, related parties, and public disclosures, custody and safeguarding, escrow and lock-up provisions, interoperability, cessation of business and succession planning, and implementation of the travel rule.
Policies and procedures: An applicant will need to have strong internal controls, including risk assessment frameworks, AML/CFT/CPF and sanctions compliance procedures, outsourcing agreements and policies, data protection and cyber-security framework, statement of technological infrastructures, business continuity plans, custody and safe-keeping of assets framework, complaints-handling procedures, technology audits framework, and suitable insurance requirements.
All the necessary documents required for registration under the Act are uploaded into the main registration form and submitted, most likely electronically, to the regulator for handling.
Compliance with the AML/CFT/CPF regime
The AML/CFT/CPF regime was introduced through the Anti-Money Laundering Regulations 2008 (the regulations) and the Anti-Money Laundering and Terrorist Financing Code of Practice 2008 (the code), and became effective on 1 December 2022. Once it is established that a person is considered a virtual asset service provider, it will therefore be treated as a “relevant person” doing “relevant business” under the AML/CFT/CPF framework and will need to ensure full compliance with both the regulations and the code.
In summary, this means that the virtual asset service provider would need to ensure that, as a part of the AML/CFT/CPF regime, it is identifying procedures in relation to new and continuing business relationships; establishing and maintaining verification procedures, and, where there is reliance on third parties, that there are appropriate channels to obtain the identification documents from those third parties as a means of recording the identity of customers, maintaining records and underlying documents, appointing the necessary compliance and money laundering reporting officers and conducting annual training.
The virtual asset service provider will need to have suitable policies and procedures in place as a part of its internal controls for ensuring compliance with the AML/CFT/CPF regime, and ensure that these policies and procedures are tested.
Continuing obligations for virtual asset service providers
Once registered under the Act, virtual asset service providers must ensure they comply with all the continuing regulatory requirements that apply under the regime:
- Notification/pre-approval requirements: for example, change of information provided, change of name, maintaining a financially sound condition, appointment of directors, appointment of authorised representative and auditor, submission of audited financial statements, maintenance of records, disposition or acquisition of significant or controlling interest in a virtual asset service provider, client assets, AML/CFT/CPF and sanctions compliance;
- Remaining fit and proper — as such, fulfilling the regulator's assessment that all VAS providers are competent and that they conduct their business in line with the regulatory principles in the Regulatory Code 2009;
- Maintaining adequate human and technological resources and policies, procedures, and mechanisms to ensure compliance;
- Screening of employees: assessing the competence and probity of employees; and
- Considering and adapting resources and procedures to any changes in scope of business and legislative developments.
Enforcement under the Act and associated regimes
Failure by a virtual asset service provider (once registered) to comply with the requirements under the Act or under the AML/CFT/CPF regime can lead to various criminal offences. Should a formal charge be laid, a competent authority (a court in this case) would be empowered to impose both monetary penalties and custodial sentences.
As well as court proceedings, the regulator would also be able to use the administrative penalty regime for any administrative breach of financial services legislation. As well as imposing an administrative penalty, the regulator can also conduct onsite regulatory inspections, suspend and revoke any regulatory approvals given to a virtual asset service provider, and issue public statements and advisory warnings about the provider on its enforcement website.
As with any new regulatory regime, it is important that both existing and potential virtual asset service providers looking to become registered under the Act work closely with their service providers to understand the regime created by the Act and its subsidiary legislation and guidance, to ensure they are in full compliance with the new framework.
This article first appeared in the Thomson Reuters Regulatory Intelligence on 28 March 2023.