On 17 August 2023, the Commission de Surveillance du Secteur Financier (the « CSSF ») published frequently asked questions (the "Q&As") on virtual asset service providers (the "VASPs") to supplement its previous Q&As on (i) virtual assets for credit institutions and undertakings for collective investments and (ii) the fight against money laundering and terrorist financing ("AML/CTF") for individuals/investors.
The twenty Q&As are based on the current Luxembourg laws and do not take into consideration EU texts such as the regulation on markets in crypto assets (the so-called MiCAR). They pertain to entities registered in the CSSF register as a VASP or intending to (i) be established or (ii) offer virtual asset ("VA") services in Luxembourg (the "In-Scope Entities").
Amongst other, the Q&As remind that In-Scope Entities must be registered as a VASP prior to offering VA services. The Q&As set forth examples of criteria to determine if an entity is subject to registration requirements. For instance, a credit institution established in Luxembourg which intends to offer VA services will be required to register as a VASP. On the contrary, persons providing solely either the hardware or the software to design and support the offering of VAS are not subject to the requirement to register as a VASP.
The Q&As also provide clarification as to when VA services will be considered as being provided in Luxembourg. This is relevant for entities which are not established in Luxembourg but intend to offer VA services to clients in Luxembourg. To determine whether any such entity needs to register as a VASP, the CSSF performs a case-by-case analysis. The CSSF will notably analyse (i) the active commercial approach or strategy to offer VA services to the Luxembourg market, (ii) the existence of offers of the VA services on a durable and continuous basis, (iii) the distribution network in Luxembourg or use of intermediaries, (iv) contact details in Luxembourg such as dedicated phone lines, (v) the effective presence of the entity in Luxembourg and (vi) the location in Luxembourg of its technology infrastructure.
Finally, the Q&As explain the AML/CTF requirements which In-Scope Entities are subject to. In-Scope Entities must i.a (i) assess the ML/TF risks, (ii) have in place AML/CTF policy and procedures, (iii) monitor the transactions to detect suspicious ones before their processing and, on their own initiative, promptly report with the Luxembourg Financial Intelligence Unit (Cellule de Renseignement Financier). In-Scope Entities also need to comply with restrictive measures in financial matters.
The CSSF's role for the registered VASPs is currently limited to registration, supervision and enforcement for AML/CTF purposes.
For more information regarding the Q&As on virtual assets for credit institutions, please refer to our eAlert.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
