Denmark -- AML/CFT Compliance Regulatory Overview

**Lov om forebyggende foranstaltninger mod hvidvask og finansiering af terrorisme (hvidvaskloven)** – **The Money Laundering Act**.

This is the core Danish law that transposes the EU's 4th, 5th, and 6th Anti-Money Laundering Directives (AMLDs).

The **5th AMLD** (Directive (EU) 2018/843) was particularly significant for bringing virtual asset service providers under the scope of AML/CFT regulations, requiring them to register and comply with the same obligations as traditional financial institutions.

The **6th AMLD** (Directive (EU) 2018/1673) primarily harmonises the definition of money laundering offences and associated penalties across member states, indirectly strengthening the overall framework.

Exchange between virtual currencies and fiat currencies.

Exchange between one or more virtual currencies.

Provide other services related to virtual assets.

**Identification and Verification of the Customer:**

**Natural Persons:** Obtain and verify the customer's identity (full name, address, date of birth, national identification number if applicable). Verification must be based on reliable, independent sources (e.g., valid passport, national ID card, driving license combined with proof of address).

**Legal Entities:** Obtain and verify the entity's name, legal form, address, registration number, and Articles of Association. Identify and verify the identity of the persons who are authorised to act on behalf of the legal entity.

**Purpose and Intended Nature of the Business Relationship:** Understand the purpose and intended nature of the business relationship or the occasional transaction.

VASPs must identify the ultimate beneficial owner (UBO) of all legal entities and trusts. A UBO is typically any natural person who directly or indirectly owns or controls more than 25% of the shares or voting rights, or otherwise exercises control.

Verification of the UBO's identity is also required, using reliable, independent sources.

VASPs must conduct an enterprise-wide risk assessment (§ 7 of Hvidvaskloven) to identify, assess, and understand the money laundering and terrorist financing risks associated with their customers, products, services, transactions, and geographic areas.

**Enhanced Due Diligence (EDD):** Required in situations presenting a higher risk of money laundering or terrorist financing. This includes:

Customers who are Politically Exposed Persons (PEPs) or their family members/close associates.

Customers from high-risk third countries (as identified by the EU or FATF).

Situations where the customer is not physically present for identification.

Measures include obtaining senior management approval, taking reasonable measures to establish the source of funds and wealth, and conducting enhanced ongoing monitoring.

**Simplified Due Diligence (SDD):** Permitted in clearly defined low-risk situations, but these are rare for the virtual asset sector, which is generally considered higher risk.

VASPs must continuously monitor the business relationship, including scrutiny of transactions undertaken throughout the course of that relationship, to ensure that the transactions are consistent with the VASP’s knowledge of the customer, their business, and risk profile (§ 13 of Hvidvaskloven).

Customer information and risk profiles must be kept up-to-date.

**Reporting Threshold:** There is no minimum transaction threshold for reporting. A report must be made if there is a *suspicion* that funds are proceeds of crime or intended for terrorist financing.

**No Tipping-Off:** VASPs and their employees are strictly prohibited from disclosing to the customer or any third party that an STR has been made or that an investigation is underway.

**CDD Records:** All documents and information obtained for CDD purposes (identification data, verification documents) must be kept for **five years** after the end of the business relationship or the date of the occasional transaction.

**Transaction Records:** Records of transactions, including details sufficient to reconstruct transactions, must be kept for **five years** from the date of the transaction.

**Analysis and STRs:** Records of internal analyses, risk assessments, and any suspicious transaction reports made must also be retained for five years.

**Accessibility:** Records must be readily accessible to Finanstilsynet and other relevant authorities upon request.

Developing written AML/CFT policies and procedures.

Appointing a responsible AML officer/compliance function.

Implementing internal control measures, including independent audit functions.

Providing regular and adequate training to all relevant employees on AML/CFT regulations and the VASP's internal procedures.

**Finanstilsynet (Danish Financial Supervisory Authority - FSA)**

**Requirement:** Any entity providing services related to virtual currencies, including safekeeping or administration of virtual currencies on behalf of third parties (custodial wallet providers), is classified as a Virtual Asset Service Provider (VASP). As such, they must register with Finanstilsynet under the Danish Anti-Money Laundering Act (Hvidvaskloven).

**Scope:** This registration primarily focuses on AML/CTF compliance, ensuring firms have robust systems for customer due diligence (KYC), transaction monitoring, risk assessment, and reporting suspicious activities.

**Fit & Proper:** Management and beneficial owners of registered VASPs must meet "fit and proper" criteria.

**Finanstilsynet's Guidance on Virtual Currencies:**

**URL (Finanstilsynet's page on registration for Virtual Currency Exchange and Wallet Providers):** https://www.finanstilsynet.dk/Tilsyn/Hvidvask-og-terrorfinansiering/Virksomheder_der_udbyder_veksling_mellem_virtuel_valuta_og_fiat_valuta_samt_virtuelle_tegneboeger (Content is primarily in Danish, but outlines the requirements).

**Current Situation (for non-financial instrument crypto):** There are **no specific, explicit legislative mandates** under current Danish law for the segregation of client virtual assets from the firm's own assets for *most* commonly traded cryptocurrencies (e.g., Bitcoin, Ethereum) that are generally not classified as "financial instruments" in Denmark.

**Best Practice:** While not legally mandated for crypto, segregation is considered a fundamental best practice in traditional financial services and is expected by Finanstilsynet as part of robust internal controls and risk management for any financial institution.

**If Classified as Financial Instrument:** If a specific digital asset is deemed a "financial instrument" under Danish law (e.g., certain security tokens, some structured stablecoins), then the full suite of MiFID II (Markets in Financial Instruments Directive II) rules, implemented in Denmark, would apply. MiFID II includes strict client asset segregation requirements. However, this is currently an exception rather than the norm for most widely traded crypto assets.

**Regulatory Reference (for financial instruments):**

**Danish Securities Trading Act (Værdipapirhandelsloven):** Implements MiFID II.

**Finanstilsynet's guidance on the classification of crypto assets:** Finanstilsynet has issued statements on when crypto assets might fall under financial legislation.

**Risk Management:** Firms are expected to manage their operational risks, which would typically include considering insurance as part of a comprehensive risk mitigation strategy.

**If Classified as Financial Instrument:** If a crypto asset is deemed a financial instrument, then capital requirements and potentially professional indemnity insurance requirements under MiFID II might apply, depending on the specific services offered.

**Current Situation:** There are **no specific legislative mandates** dictating the use of cold storage for crypto assets.

**Best Practice & Risk Management:** Custodial service providers are expected to implement appropriate security measures to protect client assets from theft, loss, or unauthorized access. Industry best practices widely recommend and utilize cold storage (offline storage) for a significant portion of assets as a key security measure. Finanstilsynet would expect a VASP's risk assessment and internal controls to address cyber and operational security robustly.

**Current Situation:** There is **no specific legal definition** for a "qualified custodian" tailored to crypto assets under current Danish law. The concept of a "qualified custodian" typically originates from securities regulations (e.g., in the U.S.) that apply to traditional financial instruments.

**AML Registration:** The closest current equivalent is being a registered VASP under the AML Act, which signifies meeting AML/CTF obligations and having suitable management.

**Authorization Requirement:** CASPs offering custody services will require authorization from a national competent authority (e.g., Finanstilsynet in Denmark) under MiCA, moving beyond mere AML registration.

**Operational Requirements for Safekeeping and Administration of Crypto-Assets:**

**Segregation of Client Assets:** MiCA explicitly mandates that CASPs must keep crypto-assets belonging to their clients separate from their own assets.

**Robust Internal Controls:** CASPs must establish and maintain robust internal controls and effective risk management procedures to ensure the safekeeping of crypto-assets.

**Security Policies:** CASPs must have a robust ICT (Information and Communication Technology) security policy in place, including appropriate technical and organizational measures to ensure the highest degree of security for crypto-assets.

**Access Protocols:** They must maintain proper records and access protocols to their clients' crypto-assets and private keys.

**Business Continuity:** Implement business continuity plans.

**Liability:** MiCA introduces specific liability rules for CASPs in case of loss of client crypto-assets or private keys due to events attributable to the CASP.

**Capital Requirements:** CASPs will be subject to minimum capital requirements.

**Conflicts of Interest:** CASPs must have effective arrangements to identify, prevent, manage, and disclose conflicts of interest.

**Information Disclosure:** CASPs must provide clear, fair, and not misleading information to clients, including on risks.

**Titles III and IV (relating to asset-referenced tokens and e-money tokens):** Application from **30 June 2024**.

**All other provisions (including those for CASPs providing custody services):** Application from **30 December 2024**.

**Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets (MiCA):**

**URL (Official Journal of the European Union):** https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ%3AL%3A2023%3A150%3ATOC (The full text of the regulation is available here).

**Exchanges (Virtual Asset Service Providers - VASPs):**

**Definition:** Firms that offer exchange services between virtual currencies and fiat currencies, or between one or more virtual currencies. This covers both fiat-to-crypto and crypto-to-crypto exchanges.

**Requirement:** Registration as a VASP with Finanstilsynet.

**Custody Providers (Virtual Asset Service Providers - VASPs):**

**Definition:** Firms that provide custody and administration services of virtual currencies on behalf of clients (e.g., managing private keys, operating hosted wallets).

**If the payment processor directly handles or facilitates transactions in *virtual assets* (e.g., sending/receiving virtual assets on behalf of third parties, operating virtual asset wallets for payment purposes):** They will likely fall under the definition of a VASP and require registration with Finanstilsynet.

**If the payment processor *only processes fiat currency transactions* for a crypto business (e.g., a traditional payment institution processing fiat deposits to a crypto exchange):** They would be regulated under the Payment Services Act (implementing PSD2) or the Electronic Money Act, rather than as a VASP directly. The crypto business they serve would be the one requiring VASP registration.

**Key takeaway:** The VASP registration applies when the core service involves direct interaction with or management of virtual assets for others.

**Legal Basis:** The Danish Money Laundering Act (Hvidvaskloven) – specifically Section 2, subsection 1, no. 15, which defines the scope of virtual asset service providers.

**AML/KYC (Anti-Money Laundering / Know Your Customer):** This is the core requirement. Applicants must demonstrate robust policies and procedures for:

**Risk Assessment:** Comprehensive assessment of money laundering and terrorist financing risks associated with their business model, products, customers, and geographical exposure.

**Customer Due Diligence (CDD):** Identifying and verifying the identity of customers and beneficial owners. This includes ongoing monitoring of business relationships.

**Enhanced Due Diligence (EDD):** For higher-risk customers, products, or transactions.

**Reporting Suspicious Transactions (STRs):** Procedures for detecting and reporting suspicious transactions to the State Prosecutor for Serious Economic and International Crime (SØIK).

**Record Keeping:** Maintaining records of customer data and transactions for at least five years.

**Internal Controls & Training:** Establishing appropriate internal controls, policies, procedures, and providing regular training to employees on AML/CTF obligations.

**AML Officer:** Appointment of a qualified AML officer responsible for overseeing compliance.

Currently, for a standalone VASP registration, there is **no specific prescribed minimum capital requirement** like for banks or payment institutions.

However, the company must demonstrate **sufficient financial resources** to operate its business responsibly and meet its AML/CTF obligations. Finanstilsynet will assess the company's business plan, financial projections, and operational setup to ensure financial soundness.

*Note:* If the entity also falls under other financial regulations (e.g., as a payment institution), separate capital requirements for those activities would apply.

The legal entity applying for registration must be **established in Denmark** (e.g., registered with the Danish Business Authority, CVR number).

**Management and governance:** Finanstilsynet expects the company's management (e.g., CEO, AML Officer) to be "fit and proper" and for the firm to have effective management based in Denmark to ensure proper oversight and supervision. The "mind and management" principle generally applies.

Fit and proper assessment for board members and key management personnel.

Robust internal control framework, including IT security and data protection measures.

A sound business plan demonstrating the viability and compliance of the proposed operations.

**Preparation:** Gathering all necessary documentation, including:

Ownership structure and beneficial owners.

Details of management and board members (CVs, declarations of "fit and proper" status).

Comprehensive AML/CTF policies, procedures, and risk assessments.

IT security framework and operational procedures.

Financial projections and evidence of sufficient resources.

Legal opinions if specific aspects of the business model require clarification regarding regulatory scope.

**Submission:** Submitting the complete application to Finanstilsynet.

**Review and Dialogue:** Finanstilsynet reviews the application, which may involve several rounds of communication, questions, and requests for supplementary information or clarifications.

**Assessment:** Finanstilsynet assesses the completeness and adequacy of the submitted documentation against the requirements of the Money Laundering Act. They will specifically scrutinize the AML/CTF framework.

**Decision:** Finanstilsynet issues a decision (approval or rejection) regarding the registration.

**Timeline:** The processing time can vary significantly depending on the complexity of the application and the quality of the submitted documentation, often ranging from several months to a year.

**Finanstilsynet's main page on virtual currencies (often includes guidance):** You would typically search their website for "virtuelle valutaer" or "kryptovaluta". A specific direct link may change, but this search term will lead you to relevant pages.

*Example of a relevant search result on their site:* https://www.finanstilsynet.dk/Tilsyn/Indberetning/Hvidvask/Virksomheder_med_virtuelle_valutaer (This link provides an overview of their supervision of virtual currency firms and relevant forms/guidance).

**The Danish Money Laundering Act (Hvidvaskloven):** The full legislative text is typically found on Retsinformation (Denmark's legal information database). Searching for "Hvidvaskloven" on Retsinformation will provide the latest consolidated version.

*Retsinformation (search for "Hvidvaskloven"):* https://www.retsinformation.dk/

**European Union AML Directives:** While Danish law implements these, understanding the underlying EU directives provides context.

**AMLD5 (Directive (EU) 2018/843):** https://eur-lex.europa.eu/eli/dir/2018/843/oj

**AMLD6 (Directive (EU) 2020/2848):** https://eur-lex.europa.eu/eli/dir/2020/2848/oj

Rules for stablecoins (Asset-Referenced Tokens and E-money Tokens) will apply from **30 June 2024**.

Rules for other crypto-assets and CASPs will apply from **30 December 2024**.

Once MiCA is fully applicable, national VASP registration regimes (like Denmark's current one) will largely be superseded by the new EU-wide licensing framework. Firms currently registered may need to apply for MiCA licenses, potentially with transitional provisions.

**Partial (Current):** Focused primarily on **Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF)** obligations for specific crypto-asset service providers. There are also consumer protection warnings. Crypto-assets that qualify as traditional financial instruments (e.g., securities) fall under existing financial legislation.

**Comprehensive (Future - EU-driven):** The full implementation of the EU's **MiCA Regulation** will introduce a comprehensive licensing and operational framework for crypto-asset issuers and service providers, harmonizing regulations across all EU member states, including Denmark.

**Role:** Responsible for supervising financial undertakings in Denmark, including ensuring compliance with AML/CTF laws, issuing guidance, and ultimately will be the competent authority for licensing under MiCA. They also issue consumer warnings regarding the risks of crypto assets.

**Anti-Money Laundering Act (Lov om forebyggende foranstaltninger mod hvidvask og finansiering af terrorisme)**

**Date:** Multiple iterations, with significant amendments in 2019/2020 to transpose the EU's 5th Anti-Money Laundering Directive (AMLD5) into Danish law. This extended AML/CTF obligations to providers of services related to virtual currencies.

**Key Provision:** Requires providers of services for exchanging virtual currencies for fiat currencies and providers of custodian wallet services to register with Finanstilsynet and comply with AML/CTF rules (e.g., customer due diligence, reporting suspicious transactions).

**Relevant Finanstilsynet Guidance (Danish):** https://www.finanstilsynet.dk/Tilsyn/Hvidvask/Vejledninger (Look for guidance related to "veksling mellem virtuelle valutaer og fiatvalutaer" and "udstedelse af og administration af virtuelle valutaer").

**Information on AML Registration for Crypto Providers:** https://www.finanstilsynet.dk/Tilsyn/Hvidvask/Virksomheder_der_tilbyder_veksling_mellem_virtuelle_valutaer_og_fiatvalutaer

**Markets in Crypto-Assets (MiCA) Regulation (EU Regulation 2023/1114)**

Rules for asset-referenced tokens (ARTs) and e-money tokens (EMTs) become applicable from **30 June 2024**.

Rules for other crypto-assets and Crypto-Asset Service Providers (CASPs) become applicable from **30 December 2024**.

**Key Provision:** As an EU regulation, MiCA is directly applicable in Denmark without needing national transposition. It establishes a comprehensive regulatory framework for the issuance and admission to trading of crypto-assets, and for the authorization and supervision of CASPs across the EU. This includes requirements for authorization, capital, governance, consumer protection, and market abuse prevention.

**EUR-Lex link (Official Journal):** https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R1114

**Finanstilsynet's information on MiCA (Danish):** https://www.finanstilsynet.dk/Lovgivning/EU-lovgivning/MiCA_forordningen

**DLT Pilot Regime Regulation (EU Regulation 2022/858)**

**Date:** Applicable from **23 March 2023**.

**Key Provision:** This EU regulation establishes a pilot regime for market infrastructures based on distributed ledger technology (DLT). It allows for temporary derogations from existing financial services legislation to permit the development of DLT-based trading and settlement systems for certain tokenized securities. This is relevant for professional market participants exploring tokenized securities in Denmark.

Trading of crypto-assets by individuals is generally **permitted** in Denmark.

However, Finanstilsynet consistently issues strong **warnings** to consumers about the significant risks associated with investing in crypto-assets, including high volatility, lack of regulatory protection (pre-MiCA), potential for fraud, and complexity. They emphasize that crypto-assets are generally not covered by investor compensation schemes.

**Finanstilsynet's consumer warning page (Danish):** https://www.finanstilsynet.dk/Advarsler/Advarsler_om_virksomheder/Forbrugere/Om_Investering_i_kryptovaluta

**Crypto Exchanges and Service Providers:**

**Currently (Pre-MiCA):** Entities operating as crypto exchanges (offering exchange services between crypto and fiat currency) or providing custodian wallet services in Denmark **must register with Finanstilsynet for AML/CTF purposes**. This registration confirms compliance with the Danish Anti-Money Laundering Act but is not a full regulatory license covering prudential or consumer protection aspects beyond AML.

**Future (Under MiCA - from late 2024/2025):** Crypto-Asset Service Providers (CASPs) operating in Denmark, or intending to offer services to Danish customers, will need to obtain a **MiCA license**. This will involve comprehensive authorization requirements from Finanstilsynet (or another EU national competent authority) covering various aspects like capital requirements, organizational arrangements, governance, and consumer protection. Once licensed in one EU member state, a CASP can "passport" its services across the entire EU, including Denmark.

**For transfers between Crypto-Asset Service Providers (CASPs):** The TFR mandates **no de minimis threshold**. This means that **all transfers of virtual assets, regardless of value**, between one CASP and another, must be accompanied by the required originator and beneficiary information.

**For transfers to or from unhosted wallets (self-hosted wallets):**

When a CASP initiates a transfer of crypto-assets to an unhosted wallet, or receives crypto-assets from an unhosted wallet, and the amount **exceeds EUR 1,000**, the CASP must verify that the unhosted wallet is owned or controlled by the originator or beneficiary.

The obligation to collect and transmit originator and beneficiary information always applies, but the specific *verification* requirement for unhosted wallets kicks in above €1,000.

Exchanges between virtual assets and fiat currencies.

Exchanges between one or more forms of virtual assets.

Custody and/or administration of virtual assets or instruments enabling control over virtual assets.

Participation in and provision of financial services related to an issuer's offer and/or sale of virtual assets.

Providers facilitating transfers of virtual assets on behalf of customers.

Wallet address (or account number where applicable)

Address (residential or registered office)

Official personal document number (e.g., passport, national ID) or customer identification number

Ensure that transfers of virtual assets are accompanied by this information.

Verify the accuracy of the information, at least on the basis of documents, data or information obtained from a reliable and independent source.

Retain the information for a period of five years.

**Public reprimands and orders:** Finanstilsynet can issue injunctions or public reprimands.

**Administrative fines:** Significant fines can be imposed on the non-compliant entity. The AML Act allows for fines up to **EUR 5 million (approximately DKK 37.5 million)** or, in cases where the benefit derived from the breach can be determined, up to **10% of the undertaking's total annual turnover**. For natural persons, fines can be up to EUR 5 million.

**Criminal charges:** In severe cases, particularly involving deliberate breaches or repeated failures, individuals responsible within the VASP (e.g., management, board members) can face criminal prosecution, potentially leading to imprisonment.

**Withdrawal or suspension of registration/license:** Finanstilsynet can revoke or suspend the VASP's registration, effectively prohibiting them from operating.

**Regulation (EU) 2023/1113 (Transfer of Funds Regulation - TFR):**

**Danish AML Act (Hvidvaskloven):** The latest consolidated version is typically available on Retsinformation.dk, the official Danish legal information portal. Search for "Lov om forebyggende foranstaltninger mod hvidvask og finansiering af terrorisme (hvidvaskloven)".

*Example (may not be the absolute latest consolidated version, search Retsinformation for current):* https://www.retsinformation.dk/eli/lta/2023/1529 (This is a specific amendment act from 2023, the main act would be earlier). The primary Act is typically Lov nr. 1022 af 29/06/2020, with subsequent amendments consolidated into it.

**Danish Financial Supervisory Authority (Finanstilsynet) - Information on Virtual Assets:**

https://www.finanstilsynet.dk/Tilsyn/Tilsynsomraader/Hvidvask/Virksomheder_og_personer_med_kryptoaktiver (Danish page on AML supervision for crypto-asset businesses)

**EUR-Lex link (Official Journal):** https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R0858