Remote Lawyer

Key Requirements of an Anti-Money Laundering (AML) Policy for Companies Engaging in Virtual Digital Asset (VDA) Transactions

In recent years, the rise of Virtual Digital Assets (VDAs) has brought about a new wave of financial transactions and investment opportunities. Virtual assets refer to any digital representation of value that can be digitally traded, transferred or used for payment.

In March 2023, the Financial Intelligence Unit (FIU) issued a set of guidelines containing the key requirements that VDA service providers need to incorporate in their AML Policy.

In this blog post, we discuss the key requirements to be included in the AML Policy of a VDA Service Provider.

Who are VDA Service Providers?

Before we delve into the key requirements of an AML Policy for a VDA Service Provider, it is pertinent to understand who VDA Service Providers are and which of them are mandatorily required to have an AML Policy in place. Service providers who carry out the following activities, for or on behalf of another natural or legal person, in the course of business require an AML Policy:

a) exchange between virtual digital assets and fiat currencies;

b) exchange between one or more forms of virtual digital assets;

c) transfer of virtual digital assets;

d) safekeeping or administration of virtual digital assets or instruments enabling control over virtual digital assets; and

e) participation in and provision of financial services related to an issuer’s offer and sale of a virtual digital asset.

Understanding the Regulatory Landscape

The first step in developing an effective AML policy for VDA transactions is to understand the regulatory landscape. Several laws and regulations govern VDA transactions. Companies must familiarize themselves with the applicable laws and regulations, such as the Prevention of Money Laundering Act, 2002 (PMLA) and the rules under it, as well as any specific guidelines issued by the regulatory authorities in their jurisdiction. This includes understanding the definitions of key terms such as Virtual Digital Assets and Reporting Entities, and the obligations imposed by the regulatory framework.

Risk-Based Approach (RBA)

A fundamental aspect of an AML policy for VDA transactions is the adoption of a risk-based approach. Companies need to conduct a comprehensive risk assessment to identify and understand the specific ML/TF/PF (Money Laundering/Terrorism Financing/Proliferation Financing) risks associated with their VDA activities. This includes assessing the risks related to different types of VDAs, customer profiles, transaction volumes, and geographical factors. The risk assessment should be documented and regularly reviewed to ensure its effectiveness in identifying and mitigating risks.


Customer Due Diligence (CDD) and Know Your Customer (KYC) Norms

One of the core requirements of an AML policy is the implementation of robust CDD and KYC procedures. Companies must establish effective processes for identifying and verifying the identity of their customers, including beneficial ownership determination. This involves obtaining and verifying customer information, conducting enhanced due diligence for high-risk customers, and ensuring compliance with record-keeping requirements. Additionally, companies should have procedures in place to monitor and update customer information on an ongoing basis.


Transaction Monitoring and Reporting Obligations

An effective AML policy should include provisions for transaction monitoring and reporting obligations. Companies need to implement systems for monitoring VDA transactions, including the detection of suspicious activities and the reporting of suspicious transactions to the relevant financial intelligence unit. This involves the timely submission of Suspicious Transaction Reports (STRs) and compliance with specific reporting formats prescribed by the regulatory authorities.

Where they have reasonable grounds to suspect that funds are the proceeds of crime or are related to ML, TF and PF, all SPs (Service Providers) are required to report their suspicions promptly to FIU-IND.


Prohibition of Tipping-Off and Information Sharing

Companies must ensure that their AML policies include provisions for prohibiting tipping-off, which involves disclosing that an STR or related information is being reported to the authorities. Additionally, the policy should outline procedures for sharing information with relevant authorities while maintaining confidentiality and data privacy.


Training and Internal Controls

To effectively implement an AML policy, companies need to invest in training programs for their employees, especially those involved in compliance and risk management roles. Training should cover AML/CFT/CPF obligations, transaction monitoring, and reporting requirements. Furthermore, companies should establish robust internal controls and audit mechanisms to ensure compliance with the AML policy and regulatory requirements.


Compliance with Travel Rule and Specific Obligations

Given the unique nature of VDA transactions, companies engaging in such activities must ensure compliance with specific obligations such as the Travel Rule, which requires the inclusion of originator and beneficiary information in VDA transfers. Additionally, companies involved in activities like Initial Coin Offerings (ICOs) or Initial Token Offerings (ITOs) should have specific procedures in place to address the AML risks associated with these activities.

SPs should ensure that they include required and accurate originator information, and required beneficiary information, on wire transfers and related messages. SPs should also monitor wire transfers to detect those that lack the required originator and/or beneficiary information, and screen the transactions to comply with relevant UNSCR resolutions.


Record Retention and Access to Information

An effective AML policy should outline the requirements for record retention as per the provisions of the PMLA. Companies must retain records of transactions, customer identification data, and business correspondence for a specified period, as well as establish measures to safeguard the privacy of the data and prevent unauthorized access.


Specific Obligations for VDA Transactions

Given the unique characteristics of VDA transactions, companies must ensure that their AML policies address specific obligations such as the identification of beneficial ownership of VDA wallets, compliance with the travel rule, and reporting requirements for VDA transfers to and from intermediary SPs and un-hosted wallets.

Thus, the key requirements of an AML policy for companies engaging in VDA transactions are centred around understanding the regulatory landscape, adopting a risk-based approach, implementing robust CDD and KYC procedures, establishing transaction monitoring and reporting mechanisms, and ensuring compliance with specific obligations related to VDA activities.

By prioritizing these requirements and developing comprehensive AML policies, companies can effectively mitigate the risks associated with financial crime in the VDA space and demonstrate their commitment to regulatory compliance and integrity in the digital asset ecosystem.

In case of any queries around drafting of AML Policy for Your VDA Business, you can reach out to us by sending an email to

