Albania -- AML/CFT Compliance Regulatory Overview

Exchange between virtual assets and fiat currencies.

Exchange between one or more forms of virtual assets.

Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets.

Participation in and provision of financial services related to an issuer's offer and/or sale of a virtual asset.

Alabama law requires individuals to physically produce identification when asked by police, not merely verbal self-identification, as affirmed by the Alabama Supreme Court in March 2026

**Natural Persons:** Identifying and verifying the identity of the customer and any beneficial owner using reliable, independent source documents, data, or information (e.g., identity cards, passports, official residence documents).

**Legal Entities:** Identifying and verifying the identity of the customer, including its name, legal form, address, proof of incorporation, and powers that regulate and bind the legal person. This also extends to identifying and verifying the identity of the natural persons who hold senior management positions and the beneficial owners.

**Beneficial Ownership:** Identifying the beneficial owner(s) of the customer and taking reasonable measures to verify their identity, including understanding the ownership and control structure of the customer.

**Purpose and Nature of the Business Relationship:** Obtaining information on the purpose and intended nature of the business relationship.

**Ongoing Monitoring:** Conducting ongoing monitoring of the business relationship, including scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions are consistent with the VASP's knowledge of the customer, their business, and risk profile.

**Risk-Based Approach:** Applying CDD measures on a risk-sensitive basis. This means applying simplified CDD (SDD) measures where the risks are lower and enhanced CDD (EDD) measures where the risks are higher (e.g., transactions involving politically exposed persons (PEPs), high-value transactions, or relationships with customers from high-risk jurisdictions).

**Reporting Obligation:** If a VASP knows, suspects, or has reasonable grounds to suspect that funds are the proceeds of criminal activity, or are related to terrorism financing, it must promptly (without delay) report this to the General Directorate for the Prevention of Money Laundering (GDPML).

**No Threshold:** There is no minimum monetary threshold for reporting suspicious transactions; any amount can be suspicious.

**Protection for Reporters:** The law provides protection against civil or criminal liability for VASPs and their employees who report suspicions in good faith.

**"Tipping Off":** VASPs and their employees are prohibited from "tipping off" the customer or third parties about the fact that a suspicious transaction report has been made or that an investigation is underway.

**Period:** Records relating to CDD, business relationships, and transactions must be kept for at least **five years** after the end of the business relationship or after the date of an occasional transaction.

**Types of Records:** This includes copies of identification documents, account files, business correspondence, and records of transactions (including the amounts, currencies, and dates).

**Accessibility:** Records must be maintained in a way that allows for easy retrieval by competent authorities when requested.

**Internal Policies and Procedures:** Establish and maintain internal policies, controls, and procedures for AML/CFT compliance, proportionate to their nature and size.

**AML Officer:** Appoint a designated AML/CFT compliance officer at management level.

**Staff Training:** Implement ongoing training programs for relevant staff members to ensure they are aware of their AML/CFT obligations, the risks faced by the VASP, and how to identify and report suspicious activities.

**Risk Assessment:** Conduct institutional risk assessments to identify, assess, and understand the money laundering and terrorism financing risks to which they are exposed.

**General Directorate for the Prevention of Money Laundering (GDPML):** http://www.gdpml.gov.al/ (Often lists relevant legislation and guidance, though primarily in Albanian).

**Law No. 90/2020 "On Financial Markets Based on Distributed Ledger Technology" (DLT Law):**

This is Albania's primary legislation for regulating virtual assets and VASPs.

**Article 5(c)** explicitly states that VASPs are subject to the Law on Anti-Money Laundering and Counter-Terrorism Financing, thus bringing them squarely under the scope of sanctions compliance.

**Reference:** Law No. 90/2020 (Albanian Official Gazette, available via Albanian Parliament or Ministry of Finance, often referenced in legal summaries). An English summary can often be found through legal firms operating in Albania.

*General reference to Albanian legal portal:* Qendra e Publikimeve Zyrtare (QBZ) - Official Publishing Centre (search for "Ligj Nr. 90/2020").

This is the cornerstone of Albania's AML/CFT regime, applying to all "obliged entities," which now include VASPs by virtue of the DLT Law.

Key obligations for EU anti-money laundering compliance are now defined primarily by the new directly applicable EU Anti‑Money Laundering Regulation (AMLR) and related acts, which (from July 2027) will impose harmonised, detailed requirements on obliged entities – including comprehensive internal AML/CTF policies and controls, business‑wide risk assessments (including for new products, technologies, and delivery channels), explicit allocation of responsibility for AML compliance to a member of the management body, mandatory staff training and fitness/integrity assessments, restrictions and conditions on outsourcing (especially cross‑border), expanded customer due diligence and beneficial ownership verification (including use of new central registers and an overseas entities register), and specific obligations to screen customers and beneficial owners against targeted financial sanctions lists.

Apply customer due diligence (CDD) and enhanced due diligence (EDD) for higher-risk cases.

Monitor transactions for suspicious activity.

Report suspicious transactions (STRs) to the General Directorate for the Prevention of Money Laundering (GDPML).

Implement internal controls, risk assessments, and staff training.

**Implement asset freezing measures** in accordance with UN Security Council Resolutions and relevant international sanctions.

**Reference:** Law No. 111/2019 (often referenced in legal summaries).

**UN Sanctions:** Albania, as a UN member state, is legally obliged to implement all UN Security Council Resolutions, which include sanctions against specific individuals, entities, and countries (e.g., related to terrorism financing, proliferation, human rights abuses). These are implemented into national law or through decrees by the Council of Ministers.

**UN Consolidated Sanctions List:** https://www.un.org/securitycouncil/sanctions/information

**EU Sanctions:** As an EU candidate country, Albania closely aligns its foreign policy and legal framework with the EU. This means it largely adopts and implements sanctions imposed by the European Union. EU sanctions can target individuals, entities, and entire sectors in non-EU countries.

**EU Sanctions Map / Consolidated List:** https://www.sanctionsmap.eu/

**OFAC Sanctions (U.S. Department of the Treasury's Office of Foreign Assets Control):** While OFAC sanctions are primarily U.S. law, they have significant extraterritorial reach.

Albanian VASPs that conduct transactions in USD, interact with U.S. persons or entities, use U.S.-based software/services (e.g., blockchain analytics tools, custodial services), or have any other nexus to the U.S. financial system, *must* comply with OFAC sanctions. Failure to do so can result in severe penalties from the U.S. government.

**OFAC Specially Designated Nationals (SDN) List:** https://home.treasury.gov/policy-issues/financial-sanctions/specially-designated-nationals-and-blocked-persons-list-sdn-human-readable-lists

**Screen all customers (individuals and entities) against relevant sanctions lists** (UN, EU, OFAC SDN, and any lists published by the Albanian authorities implementing these). This applies during onboarding (CDD) and throughout the customer relationship (ongoing monitoring).

Screen transactions: Monitor transactions for any links to sanctioned individuals, entities, or jurisdictions, and proactively block and freeze illicit transactions as required by U.S. Treasury rules under the GENIUS Act.

**Identify Beneficial Ownership:** Ascertain the ultimate beneficial owners (UBOs) of corporate customers and screen them against sanctions lists.

**Implement Freezing Mechanisms:** Immediately freeze any virtual assets or funds belonging to, or controlled by, sanctioned individuals or entities, and report this to the GDPML without delay.

**Prohibit engagement:** Refrain from engaging in any transactions or business relationships with sanctioned parties.

**Prohibition on engaging with entities or individuals located in comprehensively sanctioned jurisdictions:** Examples often include North Korea, Iran, Cuba, Syria, and specific regions within other countries (e.g., Crimea, certain parts of Russia and Ukraine).

**Restrictions on specific sectors or types of transactions:** Even in non-comprehensively sanctioned countries, certain sectors (e.g., defense, energy, finance) or transactions might be restricted under targeted sanctions.

**Administrative Fines:** Significant financial penalties can be imposed on VASPs for failing to implement adequate AML/CFT controls, including sanctions screening and reporting failures. These fines can range from thousands to hundreds of thousands of Euros, depending on the severity and recurrence of the violation.

**License Revocation:** The Bank of Albania (as the licensing and supervisory authority for DLT entities) can revoke the operating license of a VASP for serious or repeated breaches of AML/CFT and sanctions compliance obligations.

**Criminal Penalties:** Individuals responsible for severe violations (e.g., facilitating money laundering or terrorism financing, willful evasion of sanctions) can face imprisonment. Corporate entities can also face criminal charges and substantial fines.

**Reputational Damage:** Non-compliance can lead to significant reputational harm, loss of customer trust, and difficulty in obtaining banking or partnership services.