17 February 2023
Ten things every VASP should know about the BVI Virtual Assets Service Providers Act, 2022
The Virtual Assets Service Providers Act, 2022 (the “VASP Act”) came into force on 1 February 2023. The VASP Act regulates virtual asset service providers (“VASPs”) and requires that VASPs be registered with the BVI Financial Services Commission (the “FSC”).
1. The legislative regime
In conjunction with the VASP Act, the FSC also published Guidance on the Application for Registration of a Virtual Assets Service Provider (the “VASP Registration Guidance”) (available to view here), and the Virtual Assets Service Providers Guide to the Prevention of Money Laundering, Terrorist Financing and Proliferation Financing (available to view here).
Also applicable to VASPs is the Anti-money Laundering (Amendment) Regulations, 2022 and the Anti-money Laundering and Terrorist Financing (Amendment) Code of Practice, 2022 which, from 1 December 2022, brought VASPs within scope of the BVI AML/CTF regime for transactions involving virtual assets valued at $1,000 or more.
The FSC is the regulatory agency responsible for the regulation and supervision of financial services conducted in or from within the BVI. Their remit has been expanded by the VASP Act to include the supervision and regulation of VASPs operating in or from within the BVI.
3. Definition of a VASP
The VASP Act defines a “VASP” as a virtual asset service provider who provides, as a business, a virtual assets service and is registered to conduct one or more of the following activities or operations for or on behalf of another person:
- exchange between virtual assets and fiat currencies;
- exchange between one or more forms of virtual assets;
- transfer of virtual assets, where the transfer relates to conducting a transaction on behalf of another person that moves a virtual asset from one virtual asset address or account to another;
- safekeeping or administration of virtual assets or instruments enabling control over virtual assets;
- participation in, and provision of, financial services related to an issuer’s offer or sale of a virtual asset; or
- perform such other activity or operation as may be specified in the VASP Act or as may be prescribed by regulations.
A person engaged in any of the following activities or operations, for or on behalf of another person, will be deemed to be carrying on a virtual assets service:
- hosting wallets or maintaining custody or control over another person’s virtual asset, wallet or private key;
- providing financial services relating to the issuance, offer or sale of a virtual asset;
- providing kiosks (such as automatic teller machines, bitcoin teller machines or vending machines) for the purpose of facilitating virtual assets activities through electronic terminals to enable the owner or operator of the kiosk to actively facilitate the exchange of virtual assets for fiat currency or other virtual assets; or
- engaging in any other activity that, under the Guidelines, constitutes the carrying on of the business of providing virtual asset service or issuing virtual assets or being involved in virtual asset activity.
Whether an entity is carrying on a virtual assets service will turn on, inter alia, whether the asset in question constitutes a “virtual asset” (as such term is defined in the VASP Act). For example, crypto based derivative products would require more careful consideration and may be caught by one or both the VASP Act or the Securities and Investment Business Act (“SIBA”).
Decentralised protocols that fall within the definition of virtual asset services above will also likely be subject to the VASP Act although specialist advice is required. In this regard we note that the VASP Registration Guidance makes reference to decentralised finance platforms, the sale of non-fungible tokens and the operation of peer to peer financing platforms as being activities and operations which may fall within the VASP Act where they satisfy the conditions of the VASP Act.
4. Activities not caught by the VASP Act
Out of scope services
The VASP Act is not intended to regulate the technology that underlies virtual assets or VASP activities and helpfully sets out a range of services which are not subject to the VASP Act, namely:
- providing ancillary infrastructure to allow another person to offer a service, such as cloud data storage provider or integrity service provider responsible for verifying the accuracy of signatures;
- providing service as a software developer or provider of unhosted wallets whose function is only to develop or sell software or hardware;
- solely creating or selling a software application or virtual asset platform;
- providing ancillary services or products to a virtual asset network, including the provision of services like hardware wallet manufacturer or provider of unhosted wallets, to the extent that such services do not extend to engaging in or actively facilitating as a business any of those services for or on behalf of another person;
- solely engaging in the operation of a virtual asset network without engaging or facilitating any of the activities or operations of a VASP on behalf of customers;
- providing closed-loop items that are non-transferable, non-exchangeable and which cannot be used for payment or investment purposes; and
- accepting virtual assets as payment for good or services (such as the acceptance of virtual assets by a merchant when effecting the purchase of goods).
In addition, it is worth noting that whilst not expressly excluded, the issuing of virtual assets in or from within the BVI is not an activity regulated by the VASP Act. However, care is needed as financial services related to an issuance may be caught by the VASP Act and if the virtual asset is considered an ‘investment’ under SIBA there may be further considerations to address. Indeed, just because the issuance of a virtual asset from a BVI entity may not be regulated under the VASP Act does not mean that other regulatory regimes can be ignored.
Any entity wishing to provide virtual asset services in or from within the BVI is now required to be registered by the FSC. New entities must register with the FSC before commencing any VASP activities. VASPs already operational when the VASP Act came into force will have until 31 July 2023 to submit an application to the FSC, or to cease its VASP related activities. After this date, the VASP Registration Guidance confirms that all VASPs that have not submitted applications for registration will be considered to be conducting unauthorised business and subjected to the full enforcement mechanisms of the FSC.
When the FSC approves a VASP application, it will register the applicant, issue a certificate of registration and impose such conditions (if any) on the registration as it considers appropriate (including a requirement to obtain professional indemnity insurance).
With regard to timing, the VASP Registration Guidance helpfully records that (i) the FSC will endeavour to process an application and provide initial comments within six weeks from the FSC’s receipt of a completed application and (ii) the FSC’s service standard requires that the application process be concluded within six months from the initial submission date. Prospective applicants will therefore be able to take some comfort that they will receive an early indication of the likelihood of success and overall processing within six months.
6. Application for Registration
A VASP application for registration must be made in the FSC’s approved form and be accompanied with the following information and documentation:
- details of the proposed directors, senior officers, shareholders, beneficial owners, auditor and authorised representative of the VASP, with the ownership structure to be supported by a register of members and an ownership structure chart which evidences the breakdown of percentages held in the legal structure;
- a business plan in relation to the VASP, containing; (a) details of the knowledge, expertise and experience of the applicant, (b) information about the nature, size, scope and complexity of the VASP, (c) information about how the VASP will be marketed and the expected source of business, (d) the anticipated human resource capacity of the VASP, (e) any planned outsourcing arrangements and (f) an indication of the initial financial and capital projections of the VASP covering the first three years of operation (applicants must be able to demonstrate an adequate level of paid-up capitalisation and adequate liquidity reserves for the nature of their operations);
- a written risk assessment of the VASP;
- a business continuity plan;
- a written manual showing how the applicant, if granted registration, intends to comply with the requirements of the VASP Act;
- details of the internal safeguards and data protection (including cyber security) systems intended to be utilised;
- details of the system to be put in place on how the VASP will implement to handle client assets, custodian relationships and complaints; and
- declarations, completed by each of the applicant and the authorised representative, affirming that the information provided to the FSC in relation to the application is true and accurate.
An entity wishing to provide Virtual Assets Custody Services or to operate a Virtual Assets Exchange (as such terms are defined in the VASP Act) need to provide additional information and confirmations to the FSC, which are primarily intended to evidence the VASPs ability to safeguard client assets and to mitigate against the heightened risk of money laundering and terrorist financing.
Subject to certain exceptions, a VASP must have certain functionaries appointed at all times. The table below summarises what functionaries a VASP must appoint:
8. Ongoing requirements
The VASP Act sets out a number of on-going obligations for VASPs which include:
- maintaining records that (a) are sufficient to show and explain its transactions, (b) enable its financial position to be determined with reasonable accuracy, (c) enable it to prepare all necessary financial returns and statements, (d) enable its financial statements to be audited, (e) show any complaints made by clients and (f) show the steps it takes to guard against money laundering, terrorist financing and proliferation financing;
- submitting a copy of its auditor’s report to the FSC within 6 months of the end of its financial year;
- ensuring that client assets are identified, or identifiable, and appropriately segregated and accounted for;
- co-operating with the FSC to ensure compliance with the VASP Act, and providing the FSC with any documents or information it may require to discharge its functions; and
- obtaining the FSCs prior written approval to any proposed change of name, disposal of any significant interest in the VASP or changes to its functionaries.
9. Application Fees
The fees payable to the FSC in respect of a VASP application for registration under the VASP Act are confirmed in the Guidelines and summarised as follows:
- US$10,000 for an application to provide Virtual Assets Custody Services
- US$10,000 for an application to operate a Virtual Assets Exchange
- US$5,000 for any other virtual assets services.
Any entity carrying on virtual asset services without being registered under the VASP Act is liable on conviction to a fine of up to US$100,000 and/or 5 years imprisonment (for any director, partner or senior officer who knowingly authorised, permitted or acquiesced in the commission of the offence).
Should you require any further information or professional advice please contact your usual Carey Olsen lawyer or a key contact listed on this page.