Bhutan -- AML/CFT Compliance Regulatory Overview

**Royal Monetary Authority (RMA) of Bhutan Website:** https://www.rma.org.bt/

**Anti-Money Laundering and Countering Financing of Terrorism Act of Bhutan (AMLCFT Act) 2018:** This is the cornerstone legislation for AML/CFT in Bhutan. While it may not explicitly name "cryptocurrency" or "virtual assets" in all its provisions, its broad definitions and regulatory scope are intended to cover evolving financial instruments and services that fall under the FATF's purview.

**AML/CFT Guidelines for Financial Institutions (2018):** Issued by the RMA, these guidelines provide detailed instructions and requirements for financial institutions to implement the provisions of the AML/CFT Act. While not specifically named for VASPs, these guidelines generally apply to any entity falling under the scope of "financial institutions" or "reporting entities" for AML/CFT purposes.

The Financial Institutions Act of Bhutan (1999, amended 2017) provides a framework for financial institutions, but for crypto/VASPs, Bhutan has introduced a fast-tracked licensing regime in Gelephu Mindfulness City that supersedes or supplements the general Act for virtual asset service providers.

**Individuals:** Collecting and verifying the customer's name, date of birth, nationality, unique identification number (e.g., citizenship ID), residential address. This typically involves using reliable, independent source documents, data, or information.

**Legal Persons/Entities (e.g., companies):** Collecting and verifying the legal name, legal form, proof of existence, powers governing the entity, address of registered office, and names of directors and senior management.

**Beneficial Ownership:** Identifying and verifying the natural persons who ultimately own or control the customer, or the natural person on whose behalf a transaction is being conducted.

**Purpose and Intended Nature of Business Relationship:** Understanding the purpose and intended nature of the business relationship.

**Ongoing Due Diligence:** Conducting ongoing monitoring of the business relationship and transactions to ensure they are consistent with the entity's knowledge of the customer, their business, and risk profile, including the source of funds.

**Risk-Based Approach:** Applying CDD measures based on the risk associated with the customer, product, service, or jurisdiction. This means:

**Simplified CDD:** For lower-risk situations.

**Standard CDD:** For typical relationships.

**Enhanced CDD (EDD):** For higher-risk situations, such as customers from high-risk jurisdictions, Politically Exposed Persons (PEPs), or complex transactions. EDD would involve obtaining additional information, increasing transaction monitoring, and obtaining senior management approval.

**Obligation to Report:** Any transaction (regardless of amount) where there are reasonable grounds to suspect that it may be linked to money laundering, terrorist financing, or other criminal activity must be reported.

**No Tipping-Off:** Reporting entities and their employees are prohibited from disclosing to the customer or any third party that an STR has been or will be filed.

**Reporting Mechanism:** Reports are submitted to the FIU (which is housed within the RMA) in a prescribed format.

**Customer Identification Data:** Records of all customer identification and verification documents (e.g., copies of ID, beneficial ownership information).

**Correspondence:** Records of business correspondence relating to customers.

**Duration:** Records must generally be kept for a minimum of **five (5) years** after the business relationship has ended or after the date of the transaction.

**Licensing:** As of current public information, Bhutan does not have a distinct licensing framework specifically for VASPs. However, depending on the nature of their activities (e.g., if they provide services similar to traditional financial institutions), they may be required to obtain a license under the Financial Institutions Act or operate under specific regulatory guidance from the RMA.

**FATF "Travel Rule":** The FATF's Interpretive Note 15 (Recommendation 16) requires VASPs to obtain and transmit originator and beneficiary information for virtual asset transfers. While not explicitly codified in Bhutanese law for VASPs, the RMA would likely expect VASPs to comply with this as part of their broader AML/CFT obligations, consistent with international standards.

**Emerging Landscape:** Bhutan has shown interest in blockchain technology (e.g., potential CBDC projects). The regulatory landscape for private virtual assets is likely to evolve. VASPs should monitor pronouncements from the RMA for any new circulars, guidelines, or legislative developments.

**Financial Institutions Act of Bhutan 1999 (and subsequent amendments):** This act governs financial institutions, and VASPs, if defined as financial institutions or subject to similar obligations, would fall under its regulatory ambit.

**Royal Monetary Authority Act of Bhutan 1982:** Establishes the RMA as the central bank and financial regulator.

**FATF Recommendations:** Bhutan is expected to comply with the FATF's standards, particularly **Recommendation 15**, which states that countries should regulate VASPs for AML/CFT purposes, license or register them, and subject them to effective systems for monitoring and ensuring compliance. This includes requirements for customer due diligence (CDD), record-keeping, and suspicious transaction reporting (STR).

**Obligation:** All financial institutions and entities operating within Bhutan, including any VASPs (even if not explicitly licensed as such, they are expected to adhere to these principles), must comply with UN sanctions. This means they cannot deal with individuals, entities, or groups designated on the **UNSC Consolidated List**.

**Sanctioned Entity Screening:** VASPs must screen their customers (senders and recipients of virtual assets) against the UNSC Consolidated List before facilitating any transaction.

**Transaction Monitoring:** Implement systems to monitor transactions for any links to sanctioned entities or activities.

**Asset Freezing:** If a VASP identifies virtual assets belonging to, or controlled by, a designated person or entity, those assets must be frozen immediately, and the authorities (likely the Financial Intelligence Unit and the RMA) must be notified.

**Prohibition of Services:** No services, direct or indirect, should be provided to designated individuals or entities.

**UN Security Council Consolidated List:** https://www.un.org/securitycouncil/content/un-sc-consolidated-list

Extraterritorial Reach: OFAC sanctions apply to all U.S. persons (including entities incorporated in the U.S. and their foreign branches), transactions involving a U.S. nexus (e.g., using U.S. dollar clearing, U.S.-based servers, or U.S. IP addresses), and sometimes extend to non-U.S. persons engaged in activities that circumvent U.S. sanctions (secondary sanctions).

**Implications for Bhutanese VASPs:** A Bhutanese VASP, even if not directly a U.S. person, would risk severe penalties if it facilitates transactions involving OFAC-sanctioned individuals, entities, or jurisdictions, especially if those transactions touch the U.S. financial system or involve U.S. technology/services.

**Screening:** Best practice dictates that VASPs globally screen against OFAC's Specially Designated Nationals (SDN) and Blocked Persons List, as well as other relevant OFAC sanctions lists.

**Legal Reference:** U.S. Department of the Treasury, OFAC: https://home.treasury.gov/policy-issues/office-of-foreign-assets-control-sanctions-programs-and-information

**Extraterritorial Reach:** EU sanctions apply to EU nationals, entities incorporated under EU law, and any economic activity within the EU. They can also apply to non-EU persons for certain activities.

**Implications for Bhutanese VASPs:** Similar to OFAC, a Bhutanese VASP dealing with EU-sanctioned individuals, entities, or jurisdictions risks losing access to EU markets and financial services.

**Screening:** Global VASPs typically screen against the EU Consolidated Financial Sanctions List.

**Legal Reference:** European Union Sanctions Map: https://www.sanctionsmap.eu/

**Customer Due Diligence (CDD):** VASPs must perform robust CDD on all customers, including identity verification, understanding the nature of the business, and ongoing monitoring. This CDD process must incorporate screening against relevant sanctions lists (UNSC is mandatory for Bhutanese entities; OFAC/EU is best practice for global operation).

**Beneficial Ownership:** Identification and verification of the beneficial owners of corporate or legal entity customers.

**Source of Funds/Wealth:** Understanding the origin of funds or wealth involved in transactions, especially for high-risk customers or large transactions.

**Risk-Based Approach:** VASPs should adopt a risk-based approach, applying enhanced due diligence (EDD) to customers or transactions deemed higher risk (e.g., those involving high-risk jurisdictions, politically exposed persons, or complex corporate structures).

**Sanctioned Jurisdictions:** VASPs operating in Bhutan (or serving Bhutanese customers) must block or reject transactions originating from or destined for jurisdictions subject to comprehensive UN sanctions (e.g., North Korea, Iran for certain activities) or significant OFAC/EU sanctions.

**High-Risk Jurisdictions:** Beyond sanctioned countries, transactions involving jurisdictions identified by FATF or other international bodies as high-risk for AML/CFT (e.g., those on the FATF "grey list" or "black list") would require enhanced due diligence.

**UNSC Resolutions:** For countries under UN sanctions.

**OFAC/EU Sanctions Programs:** For countries specifically targeted by U.S. or EU sanctions.

**Fines:** Significant monetary penalties for institutions and individuals found in violation.

**Imprisonment:** Individuals involved in serious breaches, particularly those linked to money laundering or terrorist financing, could face terms of imprisonment.

**Loss of License/Registration:** If a VASP were to be formally licensed or registered, non-compliance could lead to the revocation of its operating authorization.

**Reputational Damage:** Beyond legal penalties, significant reputational damage can occur.

**UN Security Council Consolidated List:** This is the primary list Bhutanese entities are legally required to screen against.

**OFAC SDN List and other OFAC Sanctions Lists:** While not domestically enforced, these are critical for any VASP seeking to operate internationally or avoid exposure to U.S. financial risks.

**EU Consolidated Financial Sanctions List:** Important for similar reasons related to EU exposure.