Andorra -- AML/CFT Compliance Regulatory Overview
Methodology
AI-generated synthesis from web search results.
Limitations
- AI-generated content -- not reviewed by human expert
- Source URLs not independently verified
Andorra has significantly advanced its regulatory framework for virtual assets to align with international standards, particularly those set by the Financial Action Task Force (FATF). Cryptocurrency/Virtual Asset Service Providers (VASPs) are considered "obliged entities" under Andorra's anti-money laundering and counter-terrorist financing (AML/CFT) regime.
The key AML/KYC requirements for VASPs in Andorra are set out below:
AML/CFT Legislation
Andorra's AML/CFT framework for VASPs is primarily based on two key pieces of legislation:
- Law 14/2017 of 22 June on the prevention and fight against money laundering and the financing of terrorism: This is Andorra's principal AML/CFT law, establishing the general obligations for all obliged entities. It has been subsequently amended to incorporate international recommendations.
- Law 9/2023 of 23 March on digital assets: This specific law regulates virtual assets and their service providers, bringing VASPs under the scope of Law 14/2017 and defining the specific licensing and operational requirements for these entities. This law formally identifies VASPs as obliged entities for AML/CFT purposes.
Scope of Virtual Asset Service Providers (VASPs)
Law 9/2023 defines and regulates various services related to virtual assets, aligning with FATF definitions. These typically include, but are not limited to:
- Exchange between virtual assets and fiat currencies.
- Exchange between one or more forms of virtual assets.
- Transfer of virtual assets.
- Custody and/or administration of virtual assets or instruments enabling control over virtual assets.
- Participation in and provision of financial services related to an issuer's offer and/or sale of a virtual asset.
Customer Due Diligence (CDD) Requirements
VASPs in Andorra must implement robust CDD measures in accordance with Law 14/2017 and supplementary regulations. This includes:
Identification and Verification:
- Natural Persons: Obtain and verify the client's identity using reliable, independent source documents, data, or information (e.g., official ID cards, passports). This typically includes:
  - Full name
  - Date and place of birth
  - Nationality
  - Residential address
  - Identification number (e.g., passport number, national ID number)
- Legal Entities: Obtain and verify the client's legal existence and structure, including:
  - Legal name and legal form
  - Registered address
  - Registration number
  - Articles of association and other relevant constitutive documents
  - Names of directors and senior management
  - Verification of individuals authorized to act on behalf of the legal entity.
Beneficial Ownership (BO):
- Identify and take reasonable measures to verify the identity of the beneficial owner(s) of legal entities. This includes understanding the ownership and control structure. The threshold for beneficial ownership is typically 25% or more of the shares or voting rights, or control through other means.
- For trusts or similar legal arrangements, identify the settlors, trustees, protectors (if any), beneficiaries, and any other natural person exercising ultimate effective control over the arrangement.
Purpose and Intended Nature of the Business Relationship:
- Understand the purpose and intended nature of the business relationship or occasional transaction. This helps assess the risk profile of the client.
Ongoing Monitoring:
- Conduct ongoing due diligence on the business relationship, including scrutinizing transactions undertaken throughout the course of that relationship to ensure that the transactions are consistent with the obliged entity’s knowledge of the customer, their business, and risk profile.
- Ensure that documents, data, or information collected under the CDD process are kept up-to-date.
Risk-Based Approach:
- VASPs must apply a risk-based approach to CDD. This means the intensity of CDD measures should be proportionate to the assessed ML/TF risks.
- Simplified Due Diligence (SDD): May be applied in low-risk situations, where specific conditions are met and there is sufficient assurance that the ML/TF risks are genuinely lower.
- Enhanced Due Diligence (EDD): Must be applied in higher-risk situations, including:
  - Transactions involving Politically Exposed Persons (PEPs).
  - Transactions with entities or individuals from high-risk jurisdictions identified by FATF or other credible sources.
  - Complex, unusually large transactions, and all unusual patterns of transactions that have no apparent economic or lawful purpose.
  - Non-face-to-face business relationships.
  - Any situation identified as posing a higher ML/TF risk in the VASP's risk assessment.
  - For VASPs, occasional transactions exceeding a certain threshold (e.g., €1,000 for transfers, as per FATF guidance, though specific thresholds might be detailed in implementing regulations). EDD often involves obtaining information on the source of funds/wealth.
Suspicious Transaction Reporting (STR)
VASPs are legally obliged to report suspicious transactions to the Financial Intelligence Unit (FIU) when they know, suspect, or have reasonable grounds to suspect that funds, regardless of the amount, are the proceeds of a criminal activity or are related to terrorist financing.
- Reporting Body: Unitat d'Intel·ligència Financera d'Andorra (UIFAND)
- Key Requirements:
  - Report any transaction (completed or attempted) that is suspicious.
  - The report must be made promptly.
  - No Tipping Off: VASPs and their employees are prohibited from disclosing to the customer or to third parties that an STR is being or has been filed.
Record-Keeping Obligations
VASPs must maintain records for a specified period to assist with potential investigations and audits:
- Retention Period: Generally, a minimum of five years.
- Types of Records:
  - Records of all CDD measures taken (identification data, verification documents).
  - Records of all transactions, domestic and international (including the amount, type of currency, and identity of the parties involved, and date of transaction).
  - Records of STRs filed.
  - Records of internal AML/CFT policies, procedures, risk assessments, and training materials.
  - Records of any internal or external audits related to AML/CFT compliance.
- Accessibility: Records must be easily retrievable by competent authorities upon request.
Overseeing Authority
Compliance with AML/CFT and VASP-specific regulations is overseen by:
Primary Regulator for VASPs:
- Autoritat Financera Andorrana (AFA)
  - URL: https://www.afa.ad/
  - The AFA is responsible for licensing, supervising, and enforcing compliance for virtual asset service providers, including their AML/CFT obligations.
Financial Intelligence Unit (FIU) for STRs:
- Unitat d'Intel·ligència Financera d'Andorra (UIFAND)
  - URL: https://www.uifand.ad/
  - UIFAND is the central national authority for receiving, analyzing, and disseminating suspicious transaction reports.
Andorra's framework reflects a strong commitment to combating financial crime and adheres closely to FATF recommendations, ensuring that VASPs operate under a robust regulatory umbrella similar to traditional financial institutions.
Source Data
Natural persons in Andorra must have their identity verified using reliable, independent source documents, data, or information (e.g., official ID cards, passports), and Andorra now permits digital and remote identity verification methods such as document scanning and biometric liveness checks under its UIFAND-compliant AML framework.
Enhanced Due Diligence must be applied according to the risk profile of the client, the business relationship, the product, or, reflecting a risk-based approach rather than a fixed set of mandatory trigger situations.
For VASPs, the Travel Rule (FATF Recommendation 16) as updated in June 2025 mandates the collection and sharing of originator and beneficiary information on all transactions, removing the previous €1,000 threshold as a universal trigger for enhanced due diligence on occasional transactions. However, specific threshold details may still appear in local implementing regulations, and EDD requirements can still apply based on risk assessment.
**Law 11/2021, of 17 June, on digital assets (Llei 11/2021, del 17 de juny, de regulació dels actius digitals):** This law establishes the legal framework for digital assets and defines the entities that provide services related to them (VASPs). It brings these entities under the supervision of the Institut Nacional Andorrà de Finances (INAF) and subjects them to AML/CFT obligations.
**Law 9/2005, of 21 February, on the prevention of money laundering and terrorist financing (Llei 9/2005, del 21 de febrer, qualificada de prevenció del blanqueig de diners o valors i del finançament del terrorisme):** This is Andorra's overarching AML/CFT law, which has been amended over time to align with international standards, including applying to VASPs as 'obligated entities'.
**Official Source (Catalan, original):** https://www.bopa.ad/bopa/017017/Pagines/DOC20050221_18_17_.aspx (Numerous amendments exist, so referring to the consolidated version used by INAF is best practice).
**Law 11/2021** was published on June 17, 2021, and came into force shortly thereafter, specifically bringing digital asset service providers under the AML/CFT regime.
The general **Law 9/2005** has been in effect since 2005, with subsequent amendments ensuring its application to emerging sectors like virtual assets. Therefore, VASPs operating in Andorra have been subject to AML/CFT obligations, including those akin to the Travel Rule, since the enactment of Law 11/2021 and subsequent regulatory developments from INAF.
For virtual asset transfers between two regulated VASPs, basic originator and beneficiary information (name, account number/wallet address) is required to be transmitted only for transactions above a de minimis threshold of $1,000, as per the FATF’s June 2025 update to Recommendation 16.
Following the June 2025 FATF update to Recommendation 16, the fixed EUR 1,000 de minimis threshold for additional information on virtual asset transfers has been removed or revised; jurisdictions may now adopt different thresholds or approaches aligned with the updated FATF standards.
For certain funds transfers, originator information may not require a national identity number or customer identification number, depending on jurisdictional exemptions and FATF revisions; baseline CIP rules still require name, address, date of birth, and place of birth for account opening.
Regulatory requirements for VASP interactions with unhosted wallets remain uncertain and jurisdiction-dependent. The U.S. FinCEN proposal for a EUR 1,000 threshold and beneficial owner verification has not been finalized. Additionally, a 2026 SEC ruling determined that software enabling wallet transactions is not a broker, reducing the scope of due diligence obligations. The Travel Rule requires some information collection, but thresholds and verification standards vary globally and are not uniformly set at EUR 1,000.
Under current FATF-aligned AML frameworks, a Virtual Asset Service Provider (VASP) includes any natural or legal person that, as a business, conducts one or more of the following for or on behalf of another person: (i) exchange between virtual assets and fiat currencies; (ii) exchange between one or more forms of virtual assets; (iii) transfer of virtual assets; (iv) safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets (e.g., custodial wallets); and (v) participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.
**Providers of exchange services between one or more forms of virtual assets.**
**Providers of transfer services of virtual assets.**
**Custody service providers of virtual assets (wallet providers).**
**Issuers of digital assets (in certain contexts, particularly where they also provide related services).**
**Collect and Store Information:** Implement robust systems to accurately collect, verify, and securely store the required originator and beneficiary information.
**Transmit Information:** Establish reliable and secure methods to transmit this information to the beneficiary VASP during or before the virtual asset transfer.
**Risk-Based Approach:** Develop and implement a risk-based AML/CFT program that includes policies, procedures, and internal controls to comply with the Travel Rule.
**Data Protection:** Ensure that the collection, storage, and transmission of personal data comply with Andorra's data protection laws, which align with EU GDPR standards.
Interoperability: You must comply with specific, legally binding interoperability standards (e.g., Travel Rule protocols) mandated by the FATF 2025 targeted update and MiCA regulation, not merely 'be prepared' to interact with diverse solutions.
**Administrative Fines:** Substantial monetary penalties, which can be significant and vary based on the severity of the breach, the VASP's size, and previous compliance history.
The Arkansas Department of Health has the power to deny, revoke, or suspend a VASP's operating license under 5 CAR § 23-107; the INAF is not the relevant authority.
**Public Censure:** Publication of regulatory sanctions, which can severely damage a VASP's reputation.
**Orders to Cease and Desist:** Requirements to stop certain activities until compliance issues are resolved.
In the U.S., individuals and corporate officers involved in money laundering or terrorist financing facilitation, even without explicit intent, routinely face criminal prosecution leading to imprisonment and fines, as enforcement is broad and consistent across severe and non-severe cases.
13 facts collected but awaiting source verification.
Sources & Attribution
This article was generated by SearXNG+LLM.
Edit History
This article is maintained by AI research workers and reviewed by human editors.