Andorra

**Exchange between digital assets and fiat currencies:** This covers cryptocurrency exchanges that allow users to buy and sell crypto with traditional money (EUR, USD, etc.).

Exchange between one or more digital assets: This covers crypto-to-crypto exchanges, but modern regulatory frameworks now also include fiat-to-crypto transactions, crypto ETF/ETP creation and redemption models, and broker-dealer or clearing functions as part of digital asset exchange definitions.

**Custody and administration of digital assets on behalf of third parties:** This covers services where an entity holds or controls private keys for virtual assets on behalf of clients.

If a payment processor's activities involve the direct handling, exchange, or custody of digital assets (e.g., accepting crypto payments on behalf of merchants and converting them to fiat, or holding crypto for settlement), they will fall under the VASP licensing requirements for exchange and/or custody services.

If a payment processor *only* facilitates fiat currency transactions that are *related* to virtual asset services (e.g., processing a credit card payment to a crypto exchange, but never touching the crypto itself), they might fall under traditional payment services regulations (requiring a payment institution license) rather than a VASP license, but the specifics would depend on the exact service model and AFA interpretation. Generally, if there's any direct interaction with the virtual asset, a VASP license is needed.

Transfer of digital assets is subject to active regulatory development and finalization, with basis transfer rules still being refined and not yet settled like traditional securities.

Issuance and placement of digital assets that qualify as 'digital securities' (e.g., certain STOs, security tokens) remain subject to SEC securities regulation, but other digital assets such as utility tokens, meme coins, and non-security asset-backed tokens are not covered under federal securities laws.

Provision of financial advice related to digital assets is now subject to specific statutory registration and compliance obligations under the Digital Asset Market Clarity Act and IRS mandatory reporting requirements, making the prior generic advisory claim outdated.

VASP licensing rules in relevant jurisdictions require minimum capital that can vary by the services offered and by the applicable regulatory regime; however, the original claim’s specific attribution to Law 35/2022 is not verified from the provided evidence and appears outdated or jurisdiction-dependent.

Under MiCA, the €125,000 minimum capital requirement applies to Class 2 crypto-asset service providers that provide custody and administration of crypto-assets on behalf of clients, typically together with other Class 2 services; it is not a standalone Andorra-specific rule.

**EUR 125,000:** For services related to the custody and administration of virtual assets on behalf of third parties.

Higher amounts may be required depending on the volume and complexity of operations, or if combined with other licensed activities.

In addition to initial capital, VASPs must maintain sufficient regulatory capital to cover operational risks and ensure continuous solvency.

**AML/KYC (Anti-Money Laundering / Know Your Customer):**

Andorra is committed to international AML/CFT standards, including those set by the Financial Action Task Force (FATF). VASPs are subject to strict AML/KYC obligations, which align with **Law 14/2017, of 22 June, on preventing money laundering and terrorist financing**.

Key AML/KYC requirements in jurisdiction AD are undergoing fundamental reform under FinCEN's April 7, 2026, Notice of Proposed Rulemaking, shifting from static checklists toward risk-based, effective programs; existing requirements under the BSA and CDD Rule remain in effect until final rules are adopted.

Customer Due Diligence (CDD): Implementing appropriate risk-based procedures for identifying and verifying the identity of clients (individuals and legal entities).

**Ongoing Monitoring:** Continuous monitoring of business relationships and transactions to detect unusual or suspicious activities.

**Risk Assessment:** Conducting a comprehensive risk assessment of their business, clients, products, and geographies.

**Suspicious Activity Reporting (SAR):** Reporting suspicious transactions to the Unitat d'Inteligència Financera d'Andorra (UIFAND).

**Record Keeping:** Maintaining records of client identification, transactions, and due diligence for a specified period.

**Designation of an AML Officer:** Appointing a qualified AML officer responsible for overseeing compliance.

A significant local presence is typically required. This often includes:

**Physical office:** Establishing an operational base in Andorra.

**Local management:** Having key management personnel (e.g., CEO, board members) and decision-making functions physically located in Andorra.

Directors and key employees for licensing in Andorra may qualify under various residency pathways, including passive residency (Golden Visa) which does not require active physical presence or a specific plan for residency. Active residency still requires physical presence for at least 183 days per year, but the claim that a 'clear plan' is universally required is now overly broad and outdated due to legislative changes in 2022 and 2025.

**Adequate resources:** Demonstrating sufficient human and technical resources locally to carry out the licensed activities.

Governance and internal controls now incorporate AI-driven oversight and explicit ESG reporting mandates under recalibrated SEC enforcement.

**Fit & Proper Requirements:** Shareholders, directors, and key management personnel must meet "fit and proper" criteria, demonstrating integrity, competence, and financial soundness.

**Robust Internal Policies:** Implementing comprehensive policies and procedures for risk management, operational resilience, IT security, data protection, and customer complaint handling.

Regular internal and external audits are required for compliance and financial soundness, but under the 2025 FDICIA Final Rule, banks under $1 billion in assets are exempt from mandatory external audits in the U.S. federal banking context.

**IT Security and Operational Resilience:**

Implementing robust IT security measures to protect client assets and data.

Having clear business continuity and disaster recovery plans.

**Pre-Application Contact:** It is often advisable to engage in preliminary discussions with the AFA to understand specific requirements and obtain initial guidance.

**Preparation of Application Dossier:** The applicant must prepare a comprehensive application package, which typically includes:

**Detailed Business Plan:** Outlining the proposed services, target market, operational model, and growth strategy.

**Financial Projections:** Multi-year financial forecasts, including projected revenues, expenses, and capital adequacy.

**Legal Structure:** Documentation of the legal entity to be established in Andorra.

**Governance Framework:** Details of the organizational structure, roles, responsibilities, and internal controls.

**AML/CFT Manual:** Comprehensive policies and procedures for AML/KYC compliance.

**Risk Management Framework:** Strategies for identifying, assessing, monitoring, and mitigating various risks (operational, financial, reputational, cyber).

**IT Security Policies:** Documentation of technology infrastructure, data protection, and cybersecurity measures.

**Resumes and "Fit & Proper" Documentation:** For all key personnel, including directors and senior management.

Proof of Funds: Evidence of meeting dynamic capital requirements or specific minimum thresholds, which vary by regulatory regime and are subject to ongoing adjustment (e.g., Basel III Endgame buffers, sector-specific boosts, or annually updated immigration minimums).

Shareholder information includes detailed beneficial ownership data, identity verification, and ongoing reporting obligations under the Corporate Transparency Act and SEC Exchange Act Sections 13(d) and 13(g), not merely basic structure or owner details.

The complete application dossier is submitted to USCIS, but the submission method may now be electronic for certain employment-based applications, and the term 'AFA' is an outdated reference to the legacy Immigration and Naturalization Service (INS) rather than the current USCIS structure.

The AFA review and due diligence process has been modified under a deregulatory update, with steps described as 'simplifying the application process,' reducing the previous 'thorough review' standard.

Requests for additional information or clarifications.

Meetings with the applicant's management team.

On-site visits (if applicable) under the relevant AD jurisdiction are no longer governed by the superseded directive; the specific AD (2024-21-02) has been replaced, altering the regulatory requirement.

Background checks on key personnel and shareholders.

**Decision:** The AFA will issue a decision to grant or deny the license. If granted, the license will typically include specific conditions and ongoing obligations.

**Post-Licensing Obligations:** Licensed VASPs must continuously comply with all regulatory requirements, including periodic reporting to the AFA, ongoing AML/KYC obligations, and maintaining capital adequacy.

**Ley 35/2022, de 1 de diciembre, de representación digital de activos financieros y otros activos fungibles (Law 35/2022, of December 1, on the digital representation of financial assets and other fungible assets):**

**Autoritat Financera Andorrana (AFA) Official Website:**

The AFA is the primary regulator. Its website contains information on regulated entities, legislation, and supervisory guidelines.

**Ley 14/2017, de 22 de junio, de prevención del blanqueo de dinero y la financiación del terrorismo (Law 14/2017, of 22 June, on preventing money laundering and terrorist financing):**

FinCEN has proposed a new, risk-based AML/CFT program rule for all financial institutions including VASPs, but the rule is not yet final and the existing general AML/CFT law remains in effect pending finalization.

**Represents rights typical of traditional securities:** This includes shares, bonds, or other instruments that confer rights of ownership, debt, or participation in the capital or profits of an entity.

**Is issued, transferred, and stored using Distributed Ledger Technology (DLT) or similar technologies.**

Equity tokens may represent ownership stakes in a company, but true equity tokens require direct issuer approval and SEC registration; many tokenized instruments now involve revenue-sharing or cash-flow rights rather than formal equity ownership, and voting, dividend, and asset claim rights depend on the specific legal structure and regulatory compliance.

**Debt Tokens:** Tokens representing debt instruments, such as bonds or loans, where holders are entitled to receive interest payments and/or the return of principal.

**Revenue/Profit Share Tokens:** Tokens that grant holders a right to a portion of the issuer's future revenues or profits, without necessarily conferring direct ownership.

**Security Tokens Offerings (STOs):** Issuances where the underlying digital asset explicitly represents a claim on an asset or stream of income, making it fall under securities law.

**Payment Tokens (Cryptocurrencies):** Tokens primarily intended as a means of exchange (e.g., Bitcoin, Ethereum when used purely as currency).

**Utility Tokens:** Tokens designed to provide access to a specific product or service within a DLT network or ecosystem (e.g., a token granting access to cloud storage, gaming features).

**Stablecoins:** Tokens designed to maintain a stable value relative to a fiat currency or other asset, although their specific features may sometimes lead to them being classified under different regulatory categories (e.g., e-money tokens or financial instruments if they grant specific financial rights).

**Authorization and Supervision:** Issuers of DLT-based securities and providers of services related to them (e.g., trading venues, custodians) must be authorized and supervised by the **Autoritat Financera Andorrana (AFA)**.

**Prospectus Requirements:** The public offering of DLT-based securities generally requires the publication of a prospectus approved by the AFA, similar to traditional securities offerings. This prospectus must contain all necessary information for investors to make an informed decision.

**Transparency and Disclosure:** Issuers are subject to ongoing transparency and disclosure obligations, including periodic financial reporting and disclosure of significant events.

**Fit and Proper Requirements:** Management and significant shareholders of entities involved in issuing or servicing DLT-based securities must meet "fit and proper" criteria.

Small offerings: Offerings below $10 million, as defined by SEC Rule 504 in Regulation D, or as further specified by applicable state-level micropurchase thresholds.

**Offerings to qualified/professional investors:** Where the investors are deemed sophisticated enough not to require the full protection of a prospectus.

Private placements: Offerings to a limited number of accredited investors, though modern exemptions like Rule 506(c) allow general solicitation to an unlimited number of accredited investors.

DLT-based securities can only be traded on regulated DLT-based trading venues or platforms that have been authorized by a recognized financial regulator (e.g., FINRA in the U.S.); these venues must comply with rules regarding market integrity, transparency, investor protection, and operational resilience.

**Market Abuse Rules:** Standard market abuse regulations, including prohibitions against insider trading and market manipulation, apply to DLT-based securities.

**Post-Trade Transparency:** Rules regarding trade reporting and post-trade transparency (e.g., public disclosure of transaction prices and volumes) are expected to apply.

**Custody:** Entities providing custody services for DLT-based securities must also be authorized and supervised by the AFA, adhering to robust security and operational standards.

**Imposing administrative fines:** For violations of regulatory requirements.

**Issuing cease-and-desist orders:** To stop unauthorized activities.

Revoking licenses or authorizations has expanded beyond serious breaches to include procedural failures, certification lapses, and national security concerns such as foreign adversary control.

Publicly sanctioning individuals or entities is used as a national security and foreign policy tool, not primarily for market transparency and deterrence.

**Requiring restitution or compensation:** To affected investors in certain cases.

Llei 24/2022, del 30 de juny, regulates blockchain and cryptocurrencies in Andorra, not Law 15/2022.

*(Note: This is in Catalan, the official language of Andorra)*

*(You may need to navigate the AFA website to find specific regulations or guidance related to digital assets as they are published).*

**Autoritat Financera Andorrana (AFA) – Andorran Financial Authority**

**Role:** The AFA is the primary regulatory and supervisory body for the financial system in Andorra, including DLT-based activities. It is responsible for authorizing and supervising entities operating under the DLT law, ensuring compliance with prudential and conduct-of-business rules, and enforcing AML/CFT regulations. The AFA was established through the merger of the Institut Nacional Andorrà de Finances (INAF) and the Agència Andorrana de Resolució d’Entitats Bancàries (AREB).

The UAE's Securities and Commodities Authority (SCA), in coordination with Dubai's Virtual Assets Regulatory Authority (VARA) and other relevant authorities, is responsible for establishing the unified legal and regulatory framework for virtual assets and DLT across the UAE, including Abu Dhabi.

**Llei 22/2022, del 21 de juliol, de representació digital d'actius mitjançant la utilització de tecnologia de registre distribuït**

**English Translation:** Law 22/2022, of July 21, on the digital representation of assets through the use of distributed ledger technology.

The Airworthiness Directive dated July 21, 2022, has been superseded by a newer directive effective as of August 18, 2025.

URL (Official Gazette - Butlletí Oficial del Principat d'Andorra - BOPA): https://www.bopa.ad/bopa/034024/Documents/Sumari_22_2022.pdf (This links to the full text of the law in Catalan).

Establishes the legal framework for the issuance, representation, transfer, and custody of assets using DLT.

Defines various types of digital assets, including "digital value assets" (e.g., utility tokens, payment tokens) and "digital financial instruments" (e.g., security tokens, representing traditional financial assets).

Mandates authorization by the AFA for entities wishing to engage in activities related to digital financial instruments, such as their issuance, public offering, or operation of trading platforms.

Proposed regulations from April 2026 would reorganize AML/CFT obligations, governance rules, and technological requirements for DLT service providers, shifting toward a risk-based framework rather than maintaining the previously strict, static mandates.

The regulatory framework involves ongoing adoption, revision, or urging of implementing regulations by government bodies to specify requirements for various activities.

**Permitted, but Strictly Regulated and Licensed:**

Andorra's stance is that crypto trading and exchanges (specifically those dealing with "digital financial instruments" or certain regulated "digital value assets") are permitted activities, but they fall under the strict licensing and supervisory regime of the AFA, as outlined in Law 22/2022.

Entities wishing to operate a crypto exchange (i.e., a trading platform for digital financial instruments or regulated digital value assets) or provide services such as custody, brokerage, or issuance of these assets must obtain a specific authorization from the AFA.

These entities are subject to comprehensive regulatory requirements, including:

**Authorization and Licensing:** Detailed application process with business plans, governance structures, and capital requirements.

**AML/CFT Compliance:** Robust anti-money laundering and counter-terrorist financing measures, including customer due diligence (CDD), transaction monitoring, and suspicious activity reporting. Andorra follows international standards set by FATF.

**Investor Protection:** Rules regarding transparency, disclosure, and fair trading practices.

**Operational Resilience:** Requirements for IT security, risk management, and business continuity.

**Law 14/2017 of 22 June on the prevention and fight against money laundering and the financing of terrorism:** This is Andorra's principal AML/CFT law, establishing the general obligations for all obliged entities. It has been subsequently amended to incorporate international recommendations.

**Law 9/2023 of 23 March on digital assets:** This specific law regulates virtual assets and their service providers, bringing VASPs under the scope of Law 14/2017 and defining the specific licensing and operational requirements for these entities. This law formally identifies VASPs as obliged entities for AML/CFT purposes.

Exchange between virtual assets and fiat currencies.

Exchange between one or more forms of virtual assets.

Custody and/or administration of virtual assets or instruments enabling control over virtual assets.

Participation in and provision of financial services related to an issuer's offer and/or sale of a virtual asset.

Natural persons in Andorra must have their identity verified using reliable, independent source documents, data, or information (e.g., official ID cards, passports), and Andorra now permits digital and remote identity verification methods such as document scanning and biometric liveness checks under its UIFAND-compliant AML framework.

Identification number (e.g., passport number, national ID number)

**Legal Entities:** Obtain and verify the client's legal existence and structure, including:

Articles of association and other relevant constitutive documents

Names of directors and senior management

Verification of individuals authorized to act on behalf of the legal entity.

Identify and take reasonable measures to verify the identity of the beneficial owner(s) of legal entities. This includes understanding the ownership and control structure. The threshold for beneficial ownership is typically 25% or more of the shares or voting rights, or control through other means.

For trusts or similar legal arrangements, identify the settlors, trustees, protectors (if any), beneficiaries, and any other natural person exercising ultimate effective control over the arrangement.

**Purpose and Intended Nature of the Business Relationship:**

Understand the purpose and intended nature of the business relationship or occasional transaction. This helps assess the risk profile of the client.

Conduct ongoing due diligence on the business relationship, including scrutinizing transactions undertaken throughout the course of that relationship to ensure that the transactions are consistent with the obliged entity’s knowledge of the customer, their business, and risk profile.

Ensure that documents, data, or information collected under the CDD process are kept up-to-date.

VASPs must apply a risk-based approach to CDD. This means the intensity of CDD measures should be proportionate to the assessed ML/TF risks.

**Simplified Due Diligence (SDD):** May be applied in low-risk situations, where specific conditions are met and there is sufficient assurance that the ML/TF risks are genuinely lower.

Enhanced Due Diligence must be applied according to the risk profile of the client, the business relationship, the product, or, reflecting a risk-based approach rather than a fixed set of mandatory trigger situations.

Transactions involving Politically Exposed Persons (PEPs).

Transactions with entities or individuals from high-risk jurisdictions identified by FATF or other credible sources.

Complex, unusually large transactions, and all unusual patterns of transactions that have no apparent economic or lawful purpose.

Any situation identified as posing a higher ML/TF risk in the VASP's risk assessment.

For VASPs, the Travel Rule (FATF Recommendation 16) as updated in June 2025 mandates the collection and sharing of originator and beneficiary information on all transactions, removing the previous €1,000 threshold as a universal trigger for enhanced due diligence on occasional transactions. However, specific threshold details may still appear in local implementing regulations, and EDD requirements can still apply based on risk assessment.

**Reporting Body:** **Unitat d'Intel·ligència Financera d'Andorra (UIFAND)**

Report any transaction (completed or attempted) that is suspicious.

The report must be made promptly.

**No Tipping Off:** VASPs and their employees are prohibited from disclosing to the customer or to third parties that an STR is being or has been filed.

**Retention Period:** Generally, a minimum of **five years**.

Records of all CDD measures taken (identification data, verification documents).

Records of all transactions, domestic and international (including the amount, type of currency, and identity of the parties involved, and date of transaction).

Records of internal AML/CFT policies, procedures, risk assessments, and training materials.

Records of any internal or external audits related to AML/CFT compliance.

**Accessibility:** Records must be easily retrievable by competent authorities upon request.

The AFA is responsible for licensing, supervising, and enforcing compliance for virtual asset service providers, including their AML/CFT obligations.

**Financial Intelligence Unit (FIU) for STRs:**

**Unitat d'Intel·ligència Financera d'Andorra (UIFAND)**

UIFAND is the central national authority for receiving, analyzing, and disseminating suspicious transaction reports.

**Law 11/2021, of 17 June, on digital assets (Llei 11/2021, del 17 de juny, de regulació dels actius digitals):** This law establishes the legal framework for digital assets and defines the entities that provide services related to them (VASPs). It brings these entities under the supervision of the Institut Nacional Andorrà de Finances (INAF) and subjects them to AML/CFT obligations.

**Law 9/2005, of 21 February, on the prevention of money laundering and terrorist financing (Llei 9/2005, del 21 de febrer, qualificada de prevenció del blanqueig de diners o valors i del finançament del terrorisme):** This is Andorra's overarching AML/CFT law, which has been amended over time to align with international standards, including applying to VASPs as 'obligated entities'.

**Official Source (Catalan, original):** https://www.bopa.ad/bopa/017017/Pagines/DOC20050221_18_17_.aspx (Numerous amendments exist, so referring to the consolidated version used by INAF is best practice).

**Law 11/2021** was published on June 17, 2021, and came into force shortly thereafter, specifically bringing digital asset service providers under the AML/CFT regime.

The general **Law 9/2005** has been in effect since 2005, with subsequent amendments ensuring its application to emerging sectors like virtual assets. Therefore, VASPs operating in Andorra have been subject to AML/CFT obligations, including those akin to the Travel Rule, since the enactment of Law 11/2021 and subsequent regulatory developments from INAF.

For virtual asset transfers between two regulated VASPs, basic originator and beneficiary information (name, account number/wallet address) is required to be transmitted only for transactions above a de minimis threshold of $1,000, as per the FATF’s June 2025 update to Recommendation 16.

Following the June 2025 FATF update to Recommendation 16, the fixed EUR 1,000 de minimis threshold for additional information on virtual asset transfers has been removed or revised; jurisdictions may now adopt different thresholds or approaches aligned with the updated FATF standards.

For certain funds transfers, originator information may not require a national identity number or customer identification number, depending on jurisdictional exemptions and FATF revisions; baseline CIP rules still require name, address, date of birth, and place of birth for account opening.

Regulatory requirements for VASP interactions with unhosted wallets remain uncertain and jurisdiction-dependent. The U.S. FinCEN proposal for a EUR 1,000 threshold and beneficial owner verification has not been finalized. Additionally, a 2026 SEC ruling determined that software enabling wallet transactions is not a broker, reducing the scope of due diligence obligations. The Travel Rule requires some information collection, but thresholds and verification standards vary globally and are not uniformly set at EUR 1,000.

Under current FATF-aligned AML frameworks, a Virtual Asset Service Provider (VASP) includes any natural or legal person that, as a business, conducts one or more of the following for or on behalf of another person: (i) exchange between virtual assets and fiat currencies; (ii) exchange between one or more forms of virtual assets; (iii) transfer of virtual assets; (iv) safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets (e.g., custodial wallets); and (v) participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.

**Providers of exchange services between one or more forms of virtual assets.**

**Providers of transfer services of virtual assets.**

**Custody service providers of virtual assets (wallet providers).**

**Issuers of digital assets (in certain contexts, particularly where they also provide related services).**

**Collect and Store Information:** Implement robust systems to accurately collect, verify, and securely store the required originator and beneficiary information.

**Transmit Information:** Establish reliable and secure methods to transmit this information to the beneficiary VASP during or before the virtual asset transfer.

**Risk-Based Approach:** Develop and implement a risk-based AML/CFT program that includes policies, procedures, and internal controls to comply with the Travel Rule.

**Data Protection:** Ensure that the collection, storage, and transmission of personal data comply with Andorra's data protection laws, which align with EU GDPR standards.

Interoperability: You must comply with specific, legally binding interoperability standards (e.g., Travel Rule protocols) mandated by the FATF 2025 targeted update and MiCA regulation, not merely 'be prepared' to interact with diverse solutions.

**Administrative Fines:** Substantial monetary penalties, which can be significant and vary based on the severity of the breach, the VASP's size, and previous compliance history.

The Arkansas Department of Health has the power to deny, revoke, or suspend a VASP's operating license under 5 CAR § 23-107; the INAF is not the relevant authority.

**Public Censure:** Publication of regulatory sanctions, which can severely damage a VASP's reputation.

**Orders to Cease and Desist:** Requirements to stop certain activities until compliance issues are resolved.

In the U.S., individuals and corporate officers involved in money laundering or terrorist financing facilitation, even without explicit intent, routinely face criminal prosecution leading to imprisonment and fines, as enforcement is broad and consistent across severe and non-severe cases.

**Requirement:** Any entity providing custody services for virtual assets on behalf of third parties is considered a "Virtual Asset Service Provider" (VASP) under Ley 28/2022 and must be authorized by the Autoritat Financera Andorrana (AFA).

Applicants must comply with stringent requirements covering corporate governance, internal controls, risk management, financial resources (including minimum capital), anti-money laundering (AML) and counter-terrorist financing (CFT) policies, and operational integrity.

The AFA will assess the suitability and professionalism of the management and shareholders.

The process involves following a risk-based regulatory review or compliance process focused on operational procedures, security controls, and compliance requirements, rather than necessarily submitting a single comprehensive application outlining every aspect of the business model.

**Ley 28/2022, de 15 de desembre, de representació digital d'actius:** Articles 3.16, 5, 8, 9, and subsequent articles detailing VASP authorization.

URL (Official Bulletin of the Principality of Andorra - BOPA): https://www.bopa.ad/bopa/035/documents/BOPA_35_2022_12_21.pdf (See Section II for VASPs and authorization)

**Autoritat Financera Andorrana (AFA):** Regulator responsible for VASP authorization.

URL: https://www.afa.ad/ (Navigate to "Actius Digitals" or "Virtual Assets" section for specific guidance once available)

While Ley 28/2022 does not explicitly use the term "segregation" in the same prescriptive way as traditional finance for client funds, the underlying principles of safeguarding client assets and acting in their best interest are inherent.

Authorized VASPs providing custody services are subject to fiduciary duties and robust internal control requirements. This implies that client assets must be clearly identifiable, protected from the custodian's own assets, and not be used for proprietary trading or commingled in a way that risks their availability to the client.

**Detailed rules on how client virtual assets must be held, distinguished from the custodian's own assets, and protected in the event of insolvency, will be specified in secondary regulations and AFA guidance.** This is a common practice where the foundational law sets the principle, and the regulator provides the operational details.

**Regulatory Reference:** Implied by general VASP operational requirements in Ley 28/2022 related to risk management, internal controls, and investor protection (Articles 9-11). Specifics will come from AFA regulations.

Ley 28/2022, in its general requirements for VASPs, mandates that authorized entities maintain adequate financial resources.

It is highly probable that the AFA, through secondary regulations, will require VASPs providing custody services to hold specific professional indemnity insurance or equivalent guarantees (e.g., capital buffers, guarantees from parent companies, or specific bonding) to cover potential operational risks, cyberattacks, or negligence resulting in loss of client assets. This is standard practice for regulated financial services and high-risk activities.

Insurance and bonding amounts and types for AFA-related contracts are determined by existing federal regulations such as FAR Subpart 28.3, Department of Labor requirements under LMRDA, and Treasury Circular 570, not by future AFA implementing regulations.

Brazil's 2025 regulations impose specific capital and borrowing limits on VASPs, reflecting a global shift toward detailed, binding financial stability requirements rather than leaving such rules to be specified later by an authority like the AFA.

The GENIUS Act, signed into law in July 2025, now explicitly requires stablecoin issuers to maintain one-to-one reserves, imposing a specific regulatory framework that supersedes any implicit 'cold storage' best practices. The claim that the law 'does not explicitly mandate cold storage by name' but 'implicitly drives' it is no longer accurate because the new explicit statutory reserve requirements replace any reliance on implied best practices.

The AFA, in its assessment of a VASP's operational security and risk management policies, would expect state-of-the-art cybersecurity protocols, which typically incorporate cold, warm, and hot storage strategies with multi-signature authorization or multi-party computation (MPC), and robust disaster recovery plans, tailored to jurisdiction-specific risks.

**Regulatory Reference:** Articles 9.1.d (guarantees of technical and operational reliability) and 9.1.e (risk management) of Ley 28/2022. Specific technical guidance will be provided by the AFA.

In Andorra, a 'qualified custodian' for digital assets is an entity that has been authorized by the Autoritat Financera Andorrana (AFA) to provide virtual asset custody services, under the framework established by Llei 35/2018 rather than Ley 28/2022.

There isn't a separate or distinct "qualified custodian" designation beyond being an AFA-authorized VASP providing custody. The authorization process itself ensures the entity meets the necessary standards for financial soundness, operational reliability, security, and compliance to be deemed fit to custody client assets.

**Regulatory Reference:** The entire Section II of Ley 28/2022, particularly Articles 5 ("Proveïdors de serveis d'actius virtuals") and 8-11 detailing the authorization process and requirements for VASPs.

**Ley 28/2022 is relatively new**, having been approved in December 2022 and entering into force in May 2023.

The primary pending legislation/regulatory work is the **development and issuance of secondary regulations, implementing decrees, circulars, and specific guidance by the Autoritat Financera Andorrana (AFA)**. These will:

Detail the precise application requirements for VASP licenses.

Specify minimum capital requirements, professional indemnity insurance, or equivalent guarantees.

Outline the exact operational procedures, internal controls, and security standards (including, implicitly, secure key management strategies like cold storage) expected from custodians.

Provide further clarity on AML/CFT obligations in the context of digital assets.

Establish ongoing supervisory requirements for authorized VASPs.

Therefore, while the foundational legal framework is established, many of the granular operational and compliance details are still being fleshed out by the AFA. Businesses looking to operate as custodians in Andorra should actively monitor AFA pronouncements and engage with local legal and regulatory experts.

**Regulatory Reference:** AFA's ongoing regulatory development work stemming from Ley 28/2022.

URL (AFA News/Publications): https://www.afa.ad/ca/noticies (Monitor this section for updates)

The U.S. is actively advancing market-structure legislation (CLARITY Act) that creates enforceable registration and compliance obligations, and authorities are already engaging in targeted enforcement actions such as asset blacklisting, indicating a shift from merely establishing legal grounds to active enforcement.

**Lack of Public Disclosure:** Financial regulators in smaller jurisdictions, or those dealing with administrative penalties, do not always publicize enforcement actions with the same level of detail (especially specific penalty amounts for smaller infractions) as larger bodies like the US SEC or FCA.

**Focus on Warnings for Unauthorized Activities:** The primary financial regulator in Andorra, the **Autoritat Financera Andorrana (AFA)** (formerly Institut Nacional Andorrà de Finances - INAF), does issue public warnings against entities or individuals operating without proper authorization. These warnings often include activities that could involve cryptocurrencies (e.g., offering investment services, scams) but typically do not specify a "penalty amount" or an "outcome" in the sense of a fine levied against a specific, operating regulated crypto entity for a defined violation. Instead, they serve as a public alert not to engage with unauthorized firms.

Warning the public about unauthorized entities operating in the financial sector, including those potentially involved in crypto scams or unlicensed activities.

**Regulator Name:** Autoritat Financera Andorrana (AFA)

**AFA Official Website (News & Warnings sections):** This is where any public warnings or regulatory updates would be posted.

AFA News and Press Releases (Check for "alertes" or "sancions")

AFA List of non-authorized entities or individuals and warnings (This section contains general warnings, but typically not specific enforcement action details with fines for crypto entities).

**Law 14/2017, of June 22, on the prevention and fight against money laundering and terrorist financing (Llei 14/2017, del 22 de juny, de prevenció i lluita contra el blanqueig de diners i el finançament del terrorisme):** This is the overarching AML/CTF law that establishes the general obligations for all financial entities and designated non-financial businesses and professions (DNFBPs), which now explicitly include Virtual Asset Service Providers (VASPs). It mandates compliance with international sanctions.

**Law 23/2022, of December 1, on the Digital Economy, Digital Assets, and Security Tokens (Llei 23/2022, de l'economia digital, els actius digitals i la seguretat jurídica de les transaccions basades en la tecnologia de registres distribuïts):** This specific law regulates the digital asset sector in Andorra. It explicitly brings VASPs under the scope of AML/CTF obligations set out in Law 14/2017, including sanctions compliance.

**Decrees and Regulations:** The Andorran government issues specific decrees to implement UN Security Council Resolutions and to adopt restrictive measures aligned with the EU's Common Foreign and Security Policy (CFSP).

**Asset Freezing:** Immediately freeze the virtual assets and funds of individuals and entities designated by the UN Security Council.

**Prohibition of Services:** Prohibit making any funds or economic resources available, directly or indirectly, to or for the benefit of sanctioned persons or entities.

**Reporting:** Report any frozen assets or attempted transactions involving sanctioned parties to UIFAND without delay.

**Key UN List:** UN Security Council Consolidated List.

**Asset Freezing:** Freeze virtual assets and economic resources of individuals and entities designated under EU sanctions regimes.

**Prohibition of Transactions:** Prohibit financial transactions and services that would directly or indirectly benefit sanctioned persons or entities. This includes restrictions on certain types of transactions, sectors (e.g., energy, finance), or specific goods and technologies (e.g., dual-use items).

**Circumvention Prevention:** Take measures to prevent the circumvention of EU sanctions.

**Reporting:** Report any relevant findings to UIFAND.

**Key EU List:** EU Consolidated Financial Sanctions List (often accessed via the EU Sanctions Map).

Dealings with U.S. persons (citizens, residents, entities).

Transactions involving U.S. currency (USD).

Use of U.S. infrastructure or services (e.g., cloud providers, payment processors).

Any other nexus to the U.S. jurisdiction.

**Asset Blocking:** Block the virtual assets and property of individuals and entities on OFAC's Specially Designated Nationals and Blocked Persons (SDN) List and other OFAC sanctions lists.

**Prohibition of Transactions:** Prohibit any transactions or dealings with sanctioned persons, entities, or jurisdictions.

**Reporting:** Report blocked assets and rejected transactions to OFAC.

**Key OFAC List:** Specially Designated Nationals (SDN) List.