Andorra -- Custody Regulations Regulatory Overview

**Requirement:** Any entity providing custody services for virtual assets on behalf of third parties is considered a "Virtual Asset Service Provider" (VASP) under Ley 28/2022 and must be authorized by the Autoritat Financera Andorrana (AFA).

Applicants must comply with stringent requirements covering corporate governance, internal controls, risk management, financial resources (including minimum capital), anti-money laundering (AML) and counter-terrorist financing (CFT) policies, and operational integrity.

The AFA will assess the suitability and professionalism of the management and shareholders.

The process involves following a risk-based regulatory review or compliance process focused on operational procedures, security controls, and compliance requirements, rather than necessarily submitting a single comprehensive application outlining every aspect of the business model.

**Ley 28/2022, de 15 de desembre, de representació digital d'actius:** Articles 3.16, 5, 8, 9, and subsequent articles detailing VASP authorization.

URL (Official Bulletin of the Principality of Andorra - BOPA): https://www.bopa.ad/bopa/035/documents/BOPA_35_2022_12_21.pdf (See Section II for VASPs and authorization)

**Autoritat Financera Andorrana (AFA):** Regulator responsible for VASP authorization.

URL: https://www.afa.ad/ (Navigate to "Actius Digitals" or "Virtual Assets" section for specific guidance once available)

While Ley 28/2022 does not explicitly use the term "segregation" in the same prescriptive way as traditional finance for client funds, the underlying principles of safeguarding client assets and acting in their best interest are inherent.

Authorized VASPs providing custody services are subject to fiduciary duties and robust internal control requirements. This implies that client assets must be clearly identifiable, protected from the custodian's own assets, and not be used for proprietary trading or commingled in a way that risks their availability to the client.

**Detailed rules on how client virtual assets must be held, distinguished from the custodian's own assets, and protected in the event of insolvency, will be specified in secondary regulations and AFA guidance.** This is a common practice where the foundational law sets the principle, and the regulator provides the operational details.

**Regulatory Reference:** Implied by general VASP operational requirements in Ley 28/2022 related to risk management, internal controls, and investor protection (Articles 9-11). Specifics will come from AFA regulations.

Ley 28/2022, in its general requirements for VASPs, mandates that authorized entities maintain adequate financial resources.

It is highly probable that the AFA, through secondary regulations, will require VASPs providing custody services to hold specific professional indemnity insurance or equivalent guarantees (e.g., capital buffers, guarantees from parent companies, or specific bonding) to cover potential operational risks, cyberattacks, or negligence resulting in loss of client assets. This is standard practice for regulated financial services and high-risk activities.

Insurance and bonding amounts and types for AFA-related contracts are determined by existing federal regulations such as FAR Subpart 28.3, Department of Labor requirements under LMRDA, and Treasury Circular 570, not by future AFA implementing regulations.

Brazil's 2025 regulations impose specific capital and borrowing limits on VASPs, reflecting a global shift toward detailed, binding financial stability requirements rather than leaving such rules to be specified later by an authority like the AFA.

The GENIUS Act, signed into law in July 2025, now explicitly requires stablecoin issuers to maintain one-to-one reserves, imposing a specific regulatory framework that supersedes any implicit 'cold storage' best practices. The claim that the law 'does not explicitly mandate cold storage by name' but 'implicitly drives' it is no longer accurate because the new explicit statutory reserve requirements replace any reliance on implied best practices.

The AFA, in its assessment of a VASP's operational security and risk management policies, would expect state-of-the-art cybersecurity protocols, which typically incorporate cold, warm, and hot storage strategies with multi-signature authorization or multi-party computation (MPC), and robust disaster recovery plans, tailored to jurisdiction-specific risks.

**Regulatory Reference:** Articles 9.1.d (guarantees of technical and operational reliability) and 9.1.e (risk management) of Ley 28/2022. Specific technical guidance will be provided by the AFA.

In Andorra, a 'qualified custodian' for digital assets is an entity that has been authorized by the Autoritat Financera Andorrana (AFA) to provide virtual asset custody services, under the framework established by Llei 35/2018 rather than Ley 28/2022.

There isn't a separate or distinct "qualified custodian" designation beyond being an AFA-authorized VASP providing custody. The authorization process itself ensures the entity meets the necessary standards for financial soundness, operational reliability, security, and compliance to be deemed fit to custody client assets.

**Regulatory Reference:** The entire Section II of Ley 28/2022, particularly Articles 5 ("Proveïdors de serveis d'actius virtuals") and 8-11 detailing the authorization process and requirements for VASPs.

**Ley 28/2022 is relatively new**, having been approved in December 2022 and entering into force in May 2023.

The primary pending legislation/regulatory work is the **development and issuance of secondary regulations, implementing decrees, circulars, and specific guidance by the Autoritat Financera Andorrana (AFA)**. These will:

Detail the precise application requirements for VASP licenses.

Specify minimum capital requirements, professional indemnity insurance, or equivalent guarantees.

Outline the exact operational procedures, internal controls, and security standards (including, implicitly, secure key management strategies like cold storage) expected from custodians.

Provide further clarity on AML/CFT obligations in the context of digital assets.

Establish ongoing supervisory requirements for authorized VASPs.

Therefore, while the foundational legal framework is established, many of the granular operational and compliance details are still being fleshed out by the AFA. Businesses looking to operate as custodians in Andorra should actively monitor AFA pronouncements and engage with local legal and regulatory experts.

**Regulatory Reference:** AFA's ongoing regulatory development work stemming from Ley 28/2022.

URL (AFA News/Publications): https://www.afa.ad/ca/noticies (Monitor this section for updates)

The U.S. is actively advancing market-structure legislation (CLARITY Act) that creates enforceable registration and compliance obligations, and authorities are already engaging in targeted enforcement actions such as asset blacklisting, indicating a shift from merely establishing legal grounds to active enforcement.

**Lack of Public Disclosure:** Financial regulators in smaller jurisdictions, or those dealing with administrative penalties, do not always publicize enforcement actions with the same level of detail (especially specific penalty amounts for smaller infractions) as larger bodies like the US SEC or FCA.

**Focus on Warnings for Unauthorized Activities:** The primary financial regulator in Andorra, the **Autoritat Financera Andorrana (AFA)** (formerly Institut Nacional Andorrà de Finances - INAF), does issue public warnings against entities or individuals operating without proper authorization. These warnings often include activities that could involve cryptocurrencies (e.g., offering investment services, scams) but typically do not specify a "penalty amount" or an "outcome" in the sense of a fine levied against a specific, operating regulated crypto entity for a defined violation. Instead, they serve as a public alert not to engage with unauthorized firms.

Warning the public about unauthorized entities operating in the financial sector, including those potentially involved in crypto scams or unlicensed activities.

**Regulator Name:** Autoritat Financera Andorrana (AFA)

**AFA Official Website (News & Warnings sections):** This is where any public warnings or regulatory updates would be posted.

AFA News and Press Releases (Check for "alertes" or "sancions")

AFA List of non-authorized entities or individuals and warnings (This section contains general warnings, but typically not specific enforcement action details with fines for crypto entities).