Financial Services Advisory

Central Bank highlights weaknesses in Virtual Asset Service Providers’ AML/CFT Frameworks

As a result of recent amendments to the Criminal Justice (Money Laundering and Terrorism Financing) Act 2010 to 2021, Virtual Asset Service Providers (VASPs) are now “designated persons” and are required to comply with the relevant Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) obligations.

What is the impact?

VASPs must apply for registration with the Central Bank of Ireland (CBI) and carry out the required AML/CFT obligations. Note that it is a criminal offence to carry on the business of a VASP in the absence of registration, and to fail to comply with AML/CFT obligations.

Registration with Central Bank

The CBI will assess whether:

  • the firm's AML/CFT policies and procedures are effective in combatting the money laundering and terrorist financing (ML/TF) risks associated with its business model;
  • the firm's management and beneficial owners are fit and proper.

Ongoing AML/CFT Obligations

  • Carrying out an ML/TF risk assessment of their business;
  • Undertaking customer due diligence and carrying out ongoing monitoring of customers and customer transactions;
  • Filing 'Suspicious Transaction Reports';
  • Maintaining and implementing AML/CFT policies, procedures and controls;
  • Retaining appropriate records;
  • Providing AML/CFT training to all staff on an ongoing basis.

What is a VASP?

A VASP is a firm that provides any of the following services relating to virtual assets:

  • exchange between virtual assets and fiat currencies

  • exchange between one or more forms of virtual assets

  • transfer of virtual assets, that is to say, to conduct a transaction on behalf of another person that moves a virtual asset from one virtual asset address or account to another

  • custodian wallet provider; and

  • participation in, and provision of, financial services related to an issuer's offer or sale of a virtual asset or both

Note – ‘virtual asset’ means a digital representation of value that can be digitally traded or transferred, and can be used for payment or investment purposes, but does not include digital representations of fiat currencies, securities or other financial assets.


What are the observations from the CBI on recent applications received?

The CBI has published a summary of key observations relating to recent applications received in its Anti-Money Laundering Bulletin (Issue 8/July 2022). This is to assist VASPs in strengthening their applications for authorisation.

Many applications did not contain the required information and documentation, and consequently these applications could not progress to the assessment phase. As an example, some firms had submitted policies but no accompanying procedures. A number of firms submitted a copy of the firm's internal risk register in place of a documented risk assessment.

“…the majority of firms that did not progress to the assessment phase had not availed of the pre-application meeting”


Money Laundering and Terrorist Financing (ML/TF) Risk Assessment


An effective AML/CFT control framework is built on an appropriate ML/TF risk assessment that focuses on the specific ML/TF risks arising from the firm’s business model. This risk assessment should drive the firm’s AML/CFT control framework such that it ensures there are robust controls in place to mitigate and manage the specific risks identified through the risk assessment.


  • A number of firms had not assessed or documented the ML/TF risks as they pertain to the firm’s customers and business activities. The Central Bank expects a Risk Assessment to be specific to the firm and the specific risks that pertain to that firm’s activities and customers. 
  • Several VASP applicant firms did not document the inherent ML/TF risks that pertain to the firm or document how, after assessing the effectiveness/ strength of the firm’s control environment, the firm had determined the residual risk rating for each of the risk factors as set out in the CJA 2010 to 2021. 
  • A number of firms did not consider relevant information in the National Risk Assessment, CJA 2010 to 2021 and/or guidance on risk issued by the Central Bank, when documenting the firm’s risk assessment. This included consideration of inherent risk factors, such as Nature, Scale, Complexity, Geographical Risk, Products and Services risk, etc.

Policies and Procedures


When developing AML/CFT policies, controls and procedures (“AML/CFT P&Ps”), firms should maintain a detailed documented suite of AML/CFT P&Ps, which:

  • are supplemented by guidance;
  • accurately reflect operational practices; and
  • fully demonstrate consideration of and compliance with all legal and regulatory requirements.


  • Several firms submitted AML/CFT P&Ps that did not meet the Irish legislative and regulatory requirements, in many instances referring to legislative frameworks in other jurisdictions where parent/group entities are situated. Where firms rely on group policies and procedures, these must be sufficiently detailed, applicable to the Irish entity that is applying for VASP registration and meet the Irish legislative and regulatory requirements.
  • The Central Bank received several registration applications that included the firm’s policies but failed to include the firm’s procedures that document how the firm meets its legislative obligations. As detailed in the application guidance, applicant firms are required to submit AML/CFT P&Ps relating to Customer Due Diligence (“CDD”), Transaction Monitoring, Suspicious Transaction Reporting, Financial Sanctions, Record Keeping, Training and Assurance Testing.

Customer Due Diligence (CDD)


CDD involves more than just verifying the identity of a customer. Firms should collect and assess all relevant information in order to ensure that the firm:

  • Knows its customers, persons purporting to act on behalf of customers and their beneficial owners, where applicable;
  • Knows if its customer is a Politically Exposed Person (“PEP”);
  • Understands the purpose of the account and therefore understands the expected activity; and
  • Is alert to any potential ML/TF risks arising from the relationship.


  • A number of applicant firms failed to demonstrate compliance with the legislative obligation to obtain information reasonably warranted by the ML/TF risk on the purpose and intended nature of the business relationship with a customer prior to the establishment of the relationship. 
  • The Central Bank received several registration applications where the firm failed to demonstrate how screening is conducted for PEPs for both new and existing customers. A number of firms also failed to document how PEP customers are managed, including documenting the requirement for Senior Management approval, the application of Enhanced Due Diligence (“EDD”) measures to PEPs and enhanced on-going monitoring measures.
  • Several firms failed to document policies and procedures relating to the refresh of CDD documentation.

Financial Sanctions Screening


The Central Bank’s expectation is that firms have an effective screening system in place, appropriate to the nature, size and risk of their business. In addition to this, firms should have clear escalation procedures in place to be followed in the event of a positive match.


Several firms failed to document the frequency of Financial Sanctions screening, how the firm screens (including what, if any, software is used) and also the steps the firm would take in the case of a Financial Sanctions hit.



Firms can outsource certain AML/CFT functions, but are reminded that the firm remains ultimately responsible for compliance with its obligations under CJA 2010 to 2021. It is expected that, where firms outsource AML/CFT functions, a documented agreement is in place that clearly defines the obligations of the outsource service provider. Firms should also evidence that sufficient oversight is conducted on the outsourced activity.


A number of VASP applicant firms outsource certain AML/CFT functions to group-related parties and/or non-group related parties.

  • Several firms did not include their policies around outsourcing or submit their service level agreements.
  • In addition to this, several firms have failed to demonstrate sufficient oversight of the outsourced activities or failed to evidence that appropriate regular assurance testing of the outsourced activities takes place.

Individual Questionnaires for proposed Pre-Approval Controlled Function role holders


Individual Questionnaires should be submitted for each individual proposed to hold a PCF role as soon as practical.


A number of firms have failed to submit, or delayed in submitting, Individual Questionnaires (IQs) for each of their proposed Pre-Approval Controlled Function (PCF) role holders.

The Central Bank’s expectation on a firm’s presence in Ireland


The CBI expects a physical presence located in Ireland, and for there to be at least one employee in a senior management role located physically in Ireland.


The Central Bank may refuse an application where the applicant is so structured, or the business of the applicant is so organised, that the applicant is not capable of being regulated to the satisfaction of the Central Bank.

In conclusion, technology firms must appreciate the changing regulatory environment, which brings them under the same supervisory regime as regulated financial service providers in terms of their AML/CFT obligations.

In response they must have the necessary risk culture, and risk and control frameworks in place to minimise the risk of the use of their products or services by criminals for the purposes of money laundering or terrorist financing.

“The Central Bank will only register a firm when it is satisfied that the firm can meet its AML/CFT obligations on an ongoing basis”


Why Grant Thornton

Grant Thornton’s Financial Services Risk, Consulting and Advisory teams are comprised of dedicated experts who are experienced in supporting firms with meeting the Supervisory requirements highlighted by the Central Bank.

In particular, our industry-leading Prudential Risk team understands that regulation continues to drive the strategic agenda for financial and non-financial institutions. Working together with our prudential risk specialists, we believe our skillsets combine the best of scientific knowledge with real world experience to deliver practical, actionable solutions.

We specialise in assisting clients across the financial services sector in navigating through the maze of regulation and support clients to identify regulatory obligations and work towards full compliance balanced with your business needs.