VASP obligations after registration

Continued VASP compliance

Once registered, the VASP will be subject to a certain number of obligations and must comply with AML/CFT professional obligations, including:

​

• Make no use, in any way whatsoever, of its registration as evidence of a positive assessment made by the CSSF on the quality of the services that it provides. Neither can the VASP use the registration, the submission of a registration request, and/or the CSSF supervision, for advertising or for possible business solicitations (CSSF, VASP Registration procedure, end p. 2);

• Notify to the CSSF significant changes to the activities or to the key function holders notified upon registration occur (CSSF, VASP Registration procedure, p. 3);

• Have a ‘Responsable du Contrôle’ (hereinafter the “RC”) that possesses, and that can demonstrate, an adequate understanding of the Money Laundering, Terrorist Financing, Proliferation Financing risks posed by Virtual Assets and the necessary measures to mitigate them;

• Have a ‘Responsable du Respect’ (hereinafter the “RR”) with the same characteristics as the RC;

• Identify, assess and understand the AML/CTF risks related to the Virtual assets, taking into account risk factors including those relating to their clients, countries or geographic areas, products, services, transactions or delivery channels;

• Implement customer due diligence before establishing a business relationship and apply, according to the customer’s risk level, a simplified customer due diligence or an enhanced customer due diligence;

• Identify the customer and its beneficial owners, and verify their respective identity;

• Apply internal AML/CFT policies, controls and processes, such as model risk management methods, cooperation, record-keeping, internal control, compliance management, employee screening, and independent audit function (where appropriate);

• Appoint a person responsible for compliance with the professional obligations as regards to the AML/CFT Law (compliance officer);

• Conduct ongoing due diligence of the business relationship including scrutiny of transactions undertaken throughout the course of that relationship;

• Monitor transactions and business relationship, and report unusual or suspicious activities to the CSSF;

• Provide special AML/CTF training programmes to employees;

• Cooperate with the Luxembourg authorities responsible for AML/CTF and self-regulatory bodies.

​

Continued VASP regulatory surveillance

​

For its part, the CSSF will ensure the registered VASPs comply with their obligations. In particular the CSSF:

​

• Will supervise VASPs, although its role is limited to the registration, supervision and enforcement for AML/CFT purposes only (CSSF, VASP Registration procedure, p. 3);

• May impose administrative sanctions and other administrative measures as provided for in chapter 3-1 of the AML/CFT Law (CSSF, VASP Registration procedure, p. 3);

• Has the right to withdraw the entity from the register in case of non-compliance with certain obligations, as provided for in Article 7-1 (4) of the AML/CFT Law (CSSF, VASP Registration procedure, p. 3);

• Is authorised to collect fees payable by the VASP, subject to its registration and AML/CFT supervision (CSSF, VASP Registration procedure, p. 3). These fees amount to an annual fee of 15,000 euros (Art. 1, par. 4, al. 1), Grand-Ducal Regulation of 19 December 2020);

• Decisions taken by the CSSF may be referred to the Tribunal administratif (Administrative Court), where cases must be filed within one month (we suppose counting from the receipt of the SSF decision).

​