https://www.dnb.nl/en/sector-information/supervision-sectors/crypto-service-providers/integrity-supervision-of-crypto-service-providers/sanctions-act-1977/draft-q-a-of-november-19-2021-on-sanctions-screening-for-inbound-and-outbound-crypto-transactions/

The duration of this consultation phase is four weeks. You can respond until 17 December COB via consultatie@dnb.nl. After the consultation phase, DNB will publish a feedback statement explaining any further adjustments.

In addition to the money laundering and terrorist financing risks, crypto transactions and the provision of crypto services also involve risks of violating sanctions regulations. Under the Sanctions Act 1977 (Sanctiewet 1977 – Sw) and the Regulation on Supervision pursuant to the Sanctions Act 1977 (Regeling toezicht Sanctiewet 1977 – RtSw), the assets of individuals and legal entities on a sanctions list must be frozen and no financial services may be provided to such individuals and legal entities. DNB supervises crypto service providers’ compliance with sanctions regulations. DNB assesses the effectiveness of the procedures and measures aimed at ensuring compliance with sanctions regulations, including sanctions screening. This Q&A specifically addresses the ways in which crypto service providers implement sanctions screening when executing a crypto transaction.

  1. Under Section 2 of the RtSw, providers of crypto services take measures to check whether parties with whom they have a relationship appear on sanctions lists. Who, apart from customers, are included in the scope of the term relationship?

Pursuant to the Sw and the RtSw, crypto service providers take measures to ensure they adequately check, at the minimum, the identities of the persons or legal entities with whom they have a relationship in their records, in compliance with the sanctions regulations.

The RtSw defines a relationship as "anyone involved in a financial service or a financial transaction". Based on the explanatory notes to the RtSw, the term relationship refers not only to an institution's customers, but also, inter alia, to the counterparties to transactions and the beneficiaries of transactions. The beneficiaries of an outgoing crypto (exchange) transaction or an outgoing wallet transaction may be customers of the crypto service provider, other crypto service providers or third party legal entities or persons. An incoming crypto (exchange) transaction or incoming wallet transaction may originate from the provider’s own customers, other crypto service providers or third party legal entities or persons. Therefore, in addition to the customers of crypto service providers, other crypto service providers and third party legal entities or natural persons involved in the transaction fall within the scope of the term "relationship".

  1. What measures does a crypto service provider take when conducting crypto transactions to check whether (legal) persons or entities are subject to sanctions?

The identity of all relationships of crypto service providers is screened for sanctions purposes. This means that crypto service providers and the counterparty and/or beneficiary involved in the transactions are screened. The crypto service provider can take a risk-oriented approach to determining the measures needed to be able to establish whether the identity of a counterparty and/or beneficiary matches the identity of persons or (legal)entities referred to in the sanctions regulations. It is up to the crypto service provider to decide how to perform these checks and what is necessary to be able to perform the mentioned checks, as long as the purpose of the sanctions regulations is achieved.

Adequate measures to effectively screen the counterparty and/or beneficiary

In the case of a transaction to or from an (external) crypto address not managed by the crypto service provider, the holder of that crypto address can be either the provider's own customer or another crypto service provider, or a third party (legal) person or entity. In the case of transactions to and from external crypto addresses, crypto service providers should also be able, by means of adequate measures, to effectively screen the identity of the counterparty and/or beneficiary concerned against the identity of a person or entity referred to in the sanctions regulations.

This implies that sufficient information about the counterparty and/or beneficiary is requested for the purposes of effective screening, such as name, date of birth, place of residence and residence address.

Another element of this is that the crypto service provider takes adequate measures to establish that the identity of the counterparty and/or beneficiary specified by the customer is indeed the identity of the recipient or sender, if the provider considers there is a higher than minimal risk that the identity of a counterparty and/or beneficiary does not match the specified identity. This may involve identity fraud (the counterparty and/or beneficiary uses someone else's identity), but it may also be the case that someone other than the specified counterparty and/or beneficiary has access to the specified crypto address.

The measures for carrying out adequate screening can be risk-oriented. Risk-oriented means that a provider takes more extensive measures for relationships that are considered higher risk in view of all relevant factors, than they do for relationships that are considered low-risk. Crypto service providers make a risk analysis and implement appropriate measures on that basis. The risk-based approach is assessed in the context of the entire set of measures in place in the business, see also the Guidance on the Anti-Money Laundering and Anti-Terrorist Financing Act and the Sanctions Act . The explanatory notes to the RtSw state: ‘it must always ensure that the risk is minimal that a financial service or transaction will result in financial resources going to one of the individuals or legal entities listed in the Sanctions Regulations.’

Where a provider considers that there is a higher than minimum risk that the identity of a counterparty and/or beneficiary does not match the specified identity, it takes measures to establish the true identity of a counterparty and/or beneficiary in order to perform effective screening. The Financial Sanctions Regulation Guideline of the Ministry of Finance states: ‘If no mitigating measures can be taken, if measures require too much effort or if there is too much residual risk, then the risk is not taken. In the case of sanctions, there can be virtually no acceptable level of residual risk because the material prohibitions of the sanctions regulations must be observed.’

The crypto service provider must be aware that it can take a risk-based approach to measures, but that the follow-up actions (reporting hits on sanctions lists and freezing assets) constitute an obligation of result.

How providers establish the identity of the counterparties to and/or beneficiaries of a transaction, and whether it is actually the recipient or sender, is not prescribed by regulation. The law does not prescribe any specific measure, as long as the measure taken provides adequate safeguards for the screening of relationships (see below for good practices).

Risks that may be considered in the analysis include the risks associated with the specific business model, the provider's target customer group, the payment and payout options for fiat money, the customer's risk and transaction profile, geographical risks, relevant metadata (including IP address), and the ability to send cryptos to or from third-party individuals or entities. Regarding cryptos, it can be noted in general that these products, because of characteristics that promote anonymity, carry a higher risk of violating sanctions regulations. The characteristics of the specific crypto are also taken into account in the risk analysis. This list is not exhaustive.

Low-risk example

In the case of a closed environment, where customers cannot conduct transactions other than with the crypto service provider itself, the risk of violation of the sanctions regulations is low if providers also comply with the (Wwft) customer due diligence obligations.