Guernsey

**The Proceeds of Crime (Bailiwick of Guernsey) Law, 1999 (as amended)**

**The Terrorism and Crime (Bailiwick of Guernsey) Law, 2002 (as amended):** This law addresses terrorist financing and associated offences.

**The Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) Regulations, 2017 (as amended):** These Regulations provide the detailed requirements for financial services businesses (which include VASPs for AML/CFT purposes) concerning customer due diligence, record-keeping, and internal controls.

**The Handbook for Financial Services Businesses on Countering Financial Crime and Terrorist Financing (the AML/CFT Handbook):** Issued by the GFSC, this handbook provides detailed guidance and specific requirements for regulated entities, including a dedicated section on Virtual Assets and VASPs (typically Section 11). This is where the operational details of the Travel Rule are explained.

**Risk-Based Approach (RBA):** VASPs must assess the money laundering and terrorist financing risks associated with their business, customers, products, services, and geographic areas. This assessment dictates the level of CDD applied. Virtual assets and related services are generally considered to carry higher inherent risks.

**Standard CDD:** For all customers, VASPs must:

**Identify the Customer:** Obtain proof of identity (e.g., passport, national ID card for individuals; incorporation documents, registers for legal entities).

**Verify the Customer's Identity:** Use reliable, independent source documents, data, or information. For individuals, this often involves documentary evidence and potentially non-documentary methods. For legal entities, verification of existence and legal form.

**Identify the Beneficial Owner (BO):** For legal persons or arrangements, identify and verify the identity of the natural person(s) who ultimately own or control the customer (typically 25% ownership threshold, or control via other means).

**Understand the Purpose and Intended Nature of the Business Relationship:** Gather information about why the customer wants to use the VASP's services and the expected activity levels.

**Collect Source of Funds/Wealth Information:** Understand where the customer's funds/virtual assets originate from.

**Enhanced Due Diligence (EDD):** EDD is required in situations where there is a higher risk of ML/TF. This includes, but is not limited to:

Complex or unusually large transactions.

Transactions with no obvious economic or lawful purpose.

Non-face-to-face business relationships without additional safeguards.

Specific virtual asset activities or types that inherently carry higher risk.

EDD measures may involve obtaining additional information, increased monitoring, requiring senior management approval, or independently verifying information.

**Simplified Due Diligence (SDD):** SDD may be applied in specific, clearly defined low-risk scenarios (e.g., certain regulated financial institutions), but VASPs must be cautious and justify its application.

**Ongoing Monitoring:** VASPs must continuously monitor customer relationships and transactions to ensure they are consistent with the VASP's knowledge of the customer, their business, and risk profile. Any significant changes in customer behaviour or circumstances must trigger a review of CDD.

**Sanctions Screening:** All customers and transactions must be screened against applicable sanctions lists (e.g., UN, UK, EU, Guernsey).

**Obligation to Report:** VASPs have a legal obligation to report any knowledge, suspicion, or reasonable grounds for suspicion of money laundering or terrorist financing to the Financial Intelligence Unit (FIU). This includes attempts to launder money or finance terrorism.

**No Tipping-Off:** It is an offence to "tip-off" a customer or any third party that a suspicious transaction report has been or will be made.

**Internal Reporting:** VASPs must have internal procedures for employees to report suspicions to a designated Money Laundering Reporting Officer (MLRO) or Deputy MLRO. The MLRO is then responsible for evaluating the internal report and deciding whether to file an STR with the FIU.

**CDD Records:** Copies of all identification and verification data obtained for customers and beneficial owners, as well as the results of any risk assessments.

**Transaction Records:** Records of all transactions undertaken, including the amount, currency, date, and details of the parties involved (senders and receivers of virtual assets).

**Correspondence:** All relevant correspondence with customers.

**Internal and External Reports:** Records of internal suspicious activity reports and external suspicious transaction reports made to the FIU.

The end of the business relationship for customer identification data.

The date of the transaction for transaction records.

**Guernsey Financial Services Commission (GFSC)**

The GFSC is the integrated regulator for the Bailiwick of Guernsey's financial services industry. It supervises businesses for compliance with financial crime legislation and issues guidance, including the AML/CFT Handbook.

**Guernsey Financial Intelligence Unit (FIU)**

The FIU is the central agency for receiving, analysing, and disseminating suspicious transaction reports to law enforcement agencies.

**Integration:** Rather than creating entirely new legislation for DLT/virtual assets, Guernsey primarily applies its existing financial services and AML/CFT laws to entities and activities involving virtual assets where they fall within the scope of those laws.

**Risk-Based:** The GFSC adopts a risk-based approach, focusing on the specific risks posed by virtual asset activities, particularly concerning financial crime.

**Innovation-Friendly within Regulation:** Guernsey aims to foster innovation in the DLT space while ensuring regulatory integrity and protecting its reputation. They encourage businesses to engage with the regulator early to discuss potential DLT-based propositions.

The GFSC is the sole regulator of the financial services industry in Guernsey and is responsible for supervising entities involved with virtual assets that fall within its remit.

This is the cornerstone of Guernsey's AML framework. Entities dealing with virtual assets, particularly VASPs, fall under the scope of this law and its associated regulations.

**URL (GFSC page referencing it):** https://www.gfsc.gg/commission/financial-crime/proceeds-crime-laws

**The Terrorist Financing (Bailiwick of Guernsey) Law, 2020 (as amended)**

This law addresses CFT obligations, complementing the Proceeds of Crime Law.

**The Handbook on Countering Financial Crime and Terrorist Financing**

**Date:** Periodically updated (most recent major revision typically available on GFSC site). This handbook provides detailed guidance for regulated entities, including those involved with virtual assets, on how to comply with AML/CFT laws. It specifically addresses "virtual asset service providers" (VASPs).

**The Regulation of Fiduciaries, Administration Businesses and Company Directors, etc. (Bailiwick of Guernsey) Law, 2000 (as amended)**

If a virtual asset business provides fiduciary services, trust administration, or company administration in relation to virtual assets, it would likely fall under this law and require licensing.

**URL (GFSC list of laws):** https://www.gfsc.gg/commission/laws-regulations/regulation-fiduciaries-administration-businesses-and-company-directors-etc

**The Protection of Investors (Bailiwick of Guernsey) Law, 1987 (as amended)**

If virtual assets are considered "investments" or if an entity is providing "investment business" (e.g., advising on, dealing in, managing investments) in relation to virtual assets, then this law would apply, requiring licensing and adherence to investor protection rules.

**GFSC Guidance for Virtual Asset Service Providers (VASPs)**

The GFSC has issued specific guidance to help entities understand their obligations, particularly concerning AML/CFT requirements, when operating as a VASP.

**URL (often integrated into general AML guidance, or specific policy statements on DLT):** While a single standalone "VASP Guidance" document might evolve, the core principles are enshrined in the AML Handbook and policy statements on DLT. GFSC publishes news and policy updates on DLT, for example: https://www.gfsc.gg/news/gfsc-revises-its-policy-statement-regulation-distributed-ledger-technology-dlt

**Not Banned:** Guernsey does not ban crypto trading or the operation of crypto exchanges.

**Licensing Required for Regulated Activities:**

**Exchanges:** If an entity operates an exchange that facilitates trading in virtual assets, it will likely be subject to GFSC regulation, especially if it offers services that fall under the scope of existing financial services laws (e.g., acting as a broker, custodian, or providing investment advice).

**AML/CFT Obligations:** All entities acting as Virtual Asset Service Providers (VASPs), which include crypto exchanges, custodians, and firms engaged in virtual asset transfers, are subject to robust AML/CFT requirements as outlined in the Proceeds of Crime Law and the Terrorist Financing Law, and detailed in the GFSC Handbook. This includes customer due diligence (CDD), ongoing monitoring, record-keeping, and suspicious activity reporting.

**Custody Services:** Businesses offering custodial services for virtual assets are generally viewed as performing a regulated activity and would typically require licensing under the Fiduciaries Law, or potentially the Protection of Investors Law depending on the precise nature of the service.

**Innovation Hub:** Guernsey positions itself as a place where DLT and virtual asset businesses can establish and grow, provided they operate within a clearly defined and regulated framework. Early engagement with the GFSC is encouraged for innovative propositions.

**Adopted:** Yes, the FATF Travel Rule requirements for virtual assets and VASPs have been incorporated into Guernsey's AML/CFT regulatory framework.

**Effective Date:** The regulatory framework for VASPs, including the principles of the Travel Rule, became effective from **31 January 2021** when the GFSC updated its AML/CFT Handbook to extend its scope to VASPs. Subsequent updates and revisions to the Handbook have further refined and clarified the requirements to ensure full alignment with FATF guidance. The latest Handbook reflects the current operational requirements.

Guernsey largely aligns with the FATF's recommended thresholds. VASPs must obtain and transmit required originator and beneficiary information for virtual asset transfers where the value is equal to or exceeds **€1,000 / £1,000**.

For transfers below this threshold, VASPs are still required to collect and retain certain basic originator information (e.g., name and account number) but are not necessarily required to transmit full beneficiary information, subject to their risk assessment.

Exchanging between virtual assets and fiat currencies.

Exchanging between one or more forms of virtual assets.

Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets.

Participation in and provision of financial services related to an issuer's offer and/or sale of a virtual asset.

**Collect Required Information:** For transfers exceeding the threshold, VASPs must obtain accurate and complete originator information (name, account number, physical address, unique identification number/date and place of birth, if a natural person; or registration number/principal place of business, if a legal entity) and beneficiary information (name, account number).

**Transmit Information:** This information must be securely transmitted to the beneficiary VASP immediately and securely with the virtual asset transfer, or as close to the transfer as technologically feasible.

**Verify Information:** VASPs are expected to take reasonable steps to verify the identity of their customers (originators and beneficiaries, where applicable).

**Secure Data Handling:** Implement robust data protection and security measures to safeguard the collected information in transit and at rest.

**Record Keeping:** Maintain records of all required information and transactions for at least five years.

**Risk-Based Approach:** Apply a risk-based approach to identify, assess, and mitigate money laundering and terrorist financing risks, which may involve enhanced due diligence for higher-risk transfers or parties.

**Interoperability:** While no specific technology is mandated, VASPs are expected to adopt solutions that enable them to exchange the required information with other VASPs, implying the use of compatible Travel Rule messaging protocols (e.g., TRISA, OpenVASP, IVMS 101).

**Administrative Fines:** Substantial monetary penalties levied by the GFSC.

**Public Censure:** The GFSC can issue public statements detailing regulatory breaches.

**License Suspension or Revocation:** The VASP's license to operate in Guernsey can be suspended or permanently revoked.

**Disqualification:** Individuals found responsible for serious breaches may be disqualified from holding management positions within regulated entities.

**Criminal Prosecution:** In severe cases involving willful non-compliance or facilitating financial crime, individuals may face criminal charges, leading to imprisonment.

**The Money Laundering (Bailiwick of Guernsey) Law, 2007 (as amended):** This is the overarching legislative framework for AML/CFT in Guernsey.

**URL:** https://www.guernseylegalresources.gg/ccm/legal-resources/money-laundering/money-laundering-bailiwick-of-guernsey-law-2007.en (Note: Always check the Guernsey Legal Resources site for the latest consolidated version of the law).

**GFSC AML/CFT Handbook Page:** https://www.gfsc.gg/regulation/anti-money-laundering-and-combating-terrorist-financing/amlcft-handbook

(As of my last update, a direct link to the latest PDF might look something like this, but this link *will change* with updates: `https://www.gfsc.gg/sites/default/files/2023-11/Handbook%20for%20Financial%20Services%20Businesses%20on%20Countering%20Financial%20Crime%20and%20Terrorist%20Financing%20%28October%202023%20update%29.pdf`) - **Always navigate via the main GFSC page to ensure you have the most current version.**

**Rationale:** Holding virtual assets on behalf of others is considered a fiduciary activity, similar to holding traditional assets in trust or as an administrator.

**VASP Definition:** The GFSC recognizes "virtual asset custody wallet providers" as a type of VASP. Providing such services falls within the scope of regulated activities.

**Application Process:** Prospective licensees must submit a comprehensive application to the GFSC, demonstrating:

Adequate financial resources (capital requirements vary based on the nature and scale of the business).

Experienced and fit and proper directors and senior management.

Comprehensive risk management policies and procedures, including cybersecurity.

Robust Anti-Money Laundering (AML) and Counter-Terrorist Financing (CFT) frameworks.

**The Regulation of Fiduciaries, Administration Businesses and Company Directors, etc. (Bailiwick of Guernsey) Law, 2000:** https://www.gfsc.gg/commission/laws-regulations/fiduciaries-law

**Guidance on Virtual Assets & VASPs (GFSC):** The GFSC has issued specific guidance for firms dealing with virtual assets, emphasizing their obligations under the Fiduciaries Law and AML/CFT framework. These are usually found in policy statements and handbooks on the GFSC website under "Laws & Regulations" or "Policy & Guidance."

**Core Principle:** Licensed custodians must ensure that client virtual assets are clearly separated and identifiable from the firm's own assets. This is crucial for investor protection, particularly in the event of insolvency of the custodian.

**On-chain segregation:** Ideally, client assets are held in distinct, segregated wallet addresses or accounts on the blockchain that are clearly identifiable as belonging to clients, not the firm.

**Robust internal accounting:** Where technical commingling might occur for operational reasons (e.g., using shared liquidity pools in some complex scenarios), the firm must maintain impeccable internal records and accounting that clearly delineate each client's beneficial ownership and entitlements. However, direct on-chain segregation is generally preferred and expected for primary custody.

**Legal Ownership:** The legal framework must ensure that clients retain beneficial ownership of their assets.

**Regulatory Reference:** This requirement stems from the general principles of the **Fiduciaries Law** and the GFSC's broader expectations for licensed entities, which mandate the safeguarding of client money and assets. While there might not be a single "crypto segregation rule" distinct from traditional assets, the principles apply directly.

**GFSC Handbook on Countering Financial Crime and Terrorist Financing:** https://www.gfsc.gg/commission/laws-regulations/amlcft-handbook (This handbook includes specific sections on virtual assets and related risks, indirectly supporting the need for robust asset management and segregation for AML/CFT purposes).

**Risk Management Expectation:** However, insurance and bonding are considered critical components of a robust risk management framework. The GFSC expects licensed custodians to assess their operational risks thoroughly, including those unique to digital assets (e.g., cyber theft, key loss, insider fraud), and to implement appropriate mitigation strategies.

**Best Practice:** Carrying adequate insurance coverage (such as crime insurance, cyber insurance, or professional indemnity insurance) is highly recommended and would be viewed favorably by the GFSC as part of demonstrating a sound and responsible business. It's often a commercial necessity for attracting clients.

**Capital Requirements:** Instead of mandatory insurance, the GFSC imposes capital requirements designed to ensure that firms have sufficient financial resources to withstand operational shocks.

**Security Principle:** The GFSC mandates that licensed custodians implement robust security measures to protect client assets from theft, loss, or unauthorized access. This includes comprehensive cybersecurity frameworks, strong cryptographic key management, multi-factor authentication, and resilient operational procedures.

**Best Practice Expectation:** While not explicitly mandated as "cold storage," GFSC's expectations regarding the safeguarding of client assets effectively necessitate the use of industry best practices. For digital assets, this means that a significant portion (and ideally the vast majority) of assets under custody should be held in "cold" (offline) storage environments to minimize exposure to online threats.

**Key Management:** Firms must demonstrate highly secure key generation, storage, and recovery processes, often involving multi-signature schemes and geographically distributed backups.

**Regulatory Reference:** These expectations are embedded in the GFSC's general requirements for operational risk management and the protection of client assets, which apply to all licensed entities.

GFSC Policy & Guidance often elaborates on operational resilience and IT security expectations.

**Guernsey Equivalent:** In Guernsey, a "qualified custodian" would implicitly be a **GFSC-licensed entity** (primarily under the Fiduciaries Law) that meets all the necessary regulatory requirements to provide virtual asset custody services. This includes demonstrating:

**Licensing:** Holding the appropriate license from the GFSC.

**Financial Soundness:** Meeting capital adequacy requirements and having sound financial footing.

**Operational Robustness:** Having robust systems, controls, and procedures for safeguarding assets, managing risk, and ensuring business continuity.

**Governance:** Having fit and proper management, clear governance structures, and independent oversight.

**Compliance:** Adhering to all relevant laws and regulations, particularly AML/CFT, data protection, and fiduciary duties.

**Auditing:** Subject to regular audits (internal and external) to verify compliance and financial health.

**Regulatory Reference:** The **Fiduciaries Law** and the various **GFSC Handbooks and Guidance Notes** define the criteria for becoming and remaining a licensed and compliant financial services provider in Guernsey.

**Ongoing Evolution:** The GFSC remains active in monitoring developments in the virtual asset space, including DeFi, NFTs, and stablecoins. While there isn't currently any widely publicized *new, separate specific custody law* imminently pending beyond the existing framework, the GFSC is known for issuing updated guidance, policy statements, and potentially amendments to existing laws or regulations to clarify application to evolving virtual asset types and services.

**FATF Alignment:** Guernsey is committed to maintaining its alignment with FATF standards. Any future regulatory updates would likely build upon this commitment, refining definitions, scope, and specific requirements for VASPs.

**Staying Updated:** Businesses operating or looking to operate in Guernsey should regularly check the GFSC's website for news, consultation papers, and updated guidance.

**GFSC News & Announcements:** https://www.gfsc.gg/news

**UK Consolidated List of Financial Sanctions Targets:** Includes individuals and entities designated under various UK sanctions regimes.

**UN Security Council Consolidated Sanctions List:** Consolidates all individuals and entities subject to UN sanctions regimes.

**OFAC Specially Designated Nationals (SDN) and Blocked Persons List:** The most prominent OFAC list.

**EU Sanctions Map/List:** While not directly applicable, good to be aware of.

OFSI, OFAC, and other bodies have issued guidance and advisories specifically mentioning the risks of using virtual assets for sanctions evasion.

The UK's National Crime Agency (NCA) and other law enforcement agencies monitor crypto transactions related to illicit finance.

Blockchain analytics firms play a crucial role in identifying crypto addresses linked to sanctioned entities or activities.

**Broader Anti-Money Laundering (AML) and Counter-Financing of Terrorism (CFT) deficiencies:** These actions are usually against regulated financial services businesses (e.g., fiduciaries, banks, investment firms) for systemic failures in their AML/CFT frameworks, rather than specifically for engaging in or facilitating cryptocurrency transactions improperly. While these failures *could* indirectly impact virtual asset activities if the entities were involved, the enforcement isn't explicitly "crypto-focused."

**Governance and operational failings:** Breaches of regulatory principles, corporate governance, or data protection rules.

**Unlicensed activity:** The GFSC has a licensing regime for Virtual Asset Service Providers (VASPs). Enforcement might occur for operating without a license, but public records don't typically detail large fines specifically for this in recent years.

The GFSC often works to prevent breaches through proactive supervision, guidance, and licensing requirements for VASPs.

Enforcement actions might involve confidential settlements or outcomes that are not fully disclosed publicly, especially for smaller breaches.

Public statements of censure or fines are typically reserved for more significant, often systemic, breaches.

**GFSC Virtual Assets Information:** https://www.gfsc.gg/industry-sectors/banking/virtual-assets