Background to an AML compliant token sale

There is a global move towards the regulation of virtual assets (“VA’s”) and Virtual Asset Service Providers (“VASP’s”) under the Financial Action task Force (“FATF”). Included in this category are the issuance of token sales, at which Gibraltar is at the forefront.

Entities issuing token sales are, or will be, subject to supervision or monitoring by competent national authorities. In Gibraltar, this is the Gibraltar Financial Services Commission (“GFSC”).

As part of this process, the Proceeds of Crime Act (“POCA”) 2015, was amended on 23^rd July 2021, to also include VASP’s.

Below we will aim to describe the requirements of a fully AML compliant token sale from Gibraltar, though the processes would not differ significantly from jurisdiction to jurisdiction.

What is a token sale

Specifically, the POCA 2015 (page 55) captures the following:

“undertakings that receive, whether on their own account or on behalf of another person, proceeds in any form from the sale of tokenised digital assets involving the use of DLT or a similar means of recording a digital representation of an asset”.

Conducting an AML Compliant Token sale

1. Type of token sale

Consideration will be required on whether to perform any of, or a combination of the following:

(1) Private sale
(2) Public sale

The workload, processes, procedures and overall risk profile will vary significantly depending on the type of token sale being conducted.

2. Key documentation

A business risk assessment will need to be conducted in order to assess the AML/CFT risks associated with the business operations.

In addition to this, policies and procedures will need to be drafted for AML/CFT as defined in Section 26A of POCA.

Finally, a compliance report will need to be completed.

3. Due Diligence

The type of due diligence will be driven by the risk profile of the token purchaser, with consideration required on the 4 risk categories as follows:

• Customer Risk
• Interface Risk
• Country Risk
• Product Risk

The Due diligence information for consideration will always be:

• Proof of ID
• Proof of address
• Source of wealth and source of funds

4. Systems and software for collection of data

It is common to use systems and software for the purposes of gathering and storing KYC and Due Diligence information. These are sometimes done using simple forms, such as Google sheets, or software when there are large volume of data to review.
In any instance, it must be fit for purpose, secure and safe.

5. Wallet screening

Due to the transparent nature of blockchains, it is possible to employ wallet screening checks as part of the process, in order to track the origin of funds and ensure that it is not originating from a malicious source. Wallet screening is generally performed by using a third party software provider and the parameters can generally be tailored to be more/less sensitive, depending on the risk appetite of the firm.

6. Reconciliation & Reporting

Reconciliation of data will be required between the systems, software and blockchain, for the purposes of receiving the funds, but also for the token distribution process. By performing these processes appropriately, reporting to Management can be done on a timely basis for the necessary decision making.

7. Resources (financial & non-financial)

In order to be able to appropriately perform these duties, it is necessary to know how many personnel will be required, to cover the areas of compliance, finance and customer service.
For this reason, the right levels of funding and financial resources will need to be understood and modelled prior to the start of the token sale process.

8. A money laundering reporting officer (“MLRO”)

Section 26 of the Proceeds of Crime Act 2015 (“POCA”) imposes a requirement on every relevant financial business under legislation to maintain policies and procedures to prevent money laundering, the responsibility for creating the framework is with the Senior Management of the firm and they will appoint a MLRO.

The MLRO is the Compliance professional responsible for the oversight of the firm’s anti-money laundering activities and is the key person in the implementation of the anti-money laundering strategy of the firm.

The MLRO needs to be senior, to be free to act on their own authority and be informed of any relevant knowledge or suspicion in the firm.

9. Record keeping

The requirement to keep records is for a period of 5 years after completion of the transaction. Therefore, it is critical to have an appropriate storage and filing system in order to be in compliance with legislation and any other AML requirements.
In this manner, should a regulator or other similar entity wish to review records, they would be readily available on demand.

10. Others

Due to the infant nature of the DLT space in general, this is attractive to money launderers, criminals and fraudsters. There are certain types of trigger events which will need to be monitored throughout the process.

Questions to ask yourself and closing remarks

Are you looking to conduct an AML compliant Token sale and are you aware of the key benefits of doing so?

Have you come to the conclusion that Gibraltar is the appropriate jurisdiction to perform your token sale from?

The Team at TAG Consultancy have assisted entities in conducting fully compliant AML token sales and would be happy to assist you with the entire process from start to end.

Get in touch with us here to find out more!