Regulatory Bodies
Regulatory body data collection in progress for Greece. Our AI research workers are actively gathering this information.
Operating Models
0/9 verdicts. Can specific business models operate in Greece? Each card answers the operational question for one kind of operator. Curated cells reflect counsel-grade review; AI-generated cells should be confirmed before relying on them.
No verdict yet — falls back to topic articles below.
Primary Legislation
| Law / Regulation | Year | Scope |
|---|---|---|
| **Law 4557/2018** (as amended) | 2018 | Transposed the EU's 5th Anti-Money Laundering Directive (AMLD5) and 6th Anti-Money Laundering Directive (AMLD6) into national law; defines "providers of services of virtual assets" and mandates their registration as VASPs with the HCMC. |
| **Regulation (EU) 2023/1114** (MiCA) | 2023 | Markets in Crypto-Assets. |
Licensing Requirements
**Law 4557/2018** (as amended), which transposed the EU's 5th Anti-Money Laundering Directive (AMLD5) and 6th Anti-Money Laundering Directive (AMLD6) into national law. This law defines "providers of services of virtual assets" and mandates their registration.
**HCMC Decision No. 2/902/10.03.2021** (and subsequent amendments), which provides further details on the registration process and ongoing obligations.
**Exchanges:** Providers engaged in the exchange between virtual assets and fiat currencies, or between one or more virtual assets.
**Custody Providers:** Providers that offer custodian wallet services, holding, storing, and transferring virtual assets or private cryptographic keys on behalf of customers.
**Transfer Services:** Services enabling the transfer of virtual assets.
**Other VASP Activities:** Participation in and provision of financial services related to an issuer’s offer and/or sale of virtual assets, and providing virtual asset safekeeping and administration services.
Establish and implement robust AML/CFT policies, procedures, and internal controls in line with national and EU requirements.
Conduct customer due diligence (CDD) and enhanced due diligence (EDD) where necessary.
Monitor transactions for suspicious activities and report them to the Hellenic Financial Intelligence Unit (FIU).
Appoint an AML Compliance Officer and potentially a Deputy AML Compliance Officer.
Regular staff training on AML/CFT.
Management and key personnel must demonstrate integrity, competence, and absence of criminal records.
Shareholders holding significant stakes may also be subject to assessment.
While a physical office is not always explicitly required, the VASP must be incorporated in Greece and have its management and operational base within the country to effectively comply with Greek AML/CFT laws and HCMC supervision.
The national AML regime does not impose specific *initial capital* requirements as stringent as a licensing regime. However, VASPs are expected to have adequate financial resources to operate responsibly and comply with their obligations. The HCMC will assess the financial soundness as part of the registration.
**Preparation:** Gather all required documentation, including internal AML/KYC policies, business plan, organizational structure, CVs and fit & proper declarations for management/shareholders, proof of incorporation.
**Submission:** Submit the complete application package to the HCMC.
**Review:** The HCMC reviews the application for compliance with Law 4557/2018 and related decisions. They may request additional information or clarifications.
**Decision:** If approved, the VASP is entered into the HCMC's "Register of Providers of Services of Virtual Assets."
**Hellenic Capital Market Commission (HCMC) - Virtual Assets Page:**
FEK A 139/01.08.2018 - *You would typically find consolidated versions via government legal databases in Greece, e.g., e-nomothesia, but the official gazette reference is the primary source.*
**HCMC Decision No. 2/902/10.03.2021 (in Greek, related to registration):**
*Often found on the HCMC website under "Decisions" or "Legal Framework."*
**30 June 2024:** Rules for asset-referenced tokens (ARTs) and e-money tokens (EMTs) begin to apply.
**30 December 2024:** Rules for all other crypto-assets and Crypto-Asset Service Providers (CASPs) begin to apply.
**Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA):**
**Operating a trading platform for crypto-assets:** This covers **exchanges**.
**Custody and administration of crypto-assets on behalf of clients:** This covers **custody providers**.
**Exchange of crypto-assets for fiat currency or other crypto-assets.**
**Reception and transmission of orders for crypto-assets.**
MiCA introduces specific and often higher initial capital requirements based on the type of services offered (e.g., Article 67). For example:
Receiving and transmitting orders, providing advice, and portfolio management: €50,000.
Execution of orders on behalf of clients, exchange of crypto-assets, placing of crypto-assets: €125,000.
Custody and administration of crypto-assets and operation of a trading platform: €150,000.
These may be higher if the firm also holds client funds/crypto-assets.
Robust governance arrangements, including clear lines of responsibility.
Adequate IT systems, security protocols, and operational resilience.
Management board members and significant shareholders must meet strict "fit and proper" criteria, including reputation, knowledge, skills, and experience.
CASPs must comply with MiCA's enhanced AML/CFT provisions, which are designed to integrate with the broader EU AML framework. This includes comprehensive risk assessments, CDD/EDD, transaction monitoring, and suspicious transaction reporting.
A CASP must have its registered office in a Member State of the EU and have at least one of its directors residing in the Union (Article 60(5)).
Detailed information disclosures for clients regarding risks, fees, and the nature of services.
Prudential safeguards (e.g., segregation of client assets).
**Pre-Application (Optional):** Some firms may engage in pre-application discussions with the HCMC.
**Preparation of Comprehensive Documentation:** This is significantly more detailed than for registration, requiring:
Comprehensive governance arrangements, internal controls, risk management framework.
Detailed IT and security policies.
Fit & proper assessments for all relevant individuals.
**Submission:** The application is submitted to the HCMC.
**Review & Assessment:** The HCMC undertakes a thorough review, potentially consulting with other EU authorities. They have a defined timeframe for decision-making (typically 90 working days from the submission of a complete application).
**Decision:** If authorized, the CASP can then passport its services across all other EU member states.
**Exchanges (Operating a trading platform for crypto-assets, exchange crypto-assets for fiat/other crypto):**
**Current:** Require registration as a VASP with the HCMC under Law 4557/2018.
**Future (from Dec 2024):** Require a MiCA license as a Crypto-Asset Service Provider (CASP) from the HCMC.
**Custody Providers (Custody and administration of crypto-assets on behalf of clients):**
This depends on what they "process":
**Processing *fiat* payments for crypto businesses:** If they solely handle fiat currency transactions (e.g., converting euros to dollars for a crypto exchange, or facilitating bank transfers), they would likely fall under traditional payment services regulations (e.g., PSD2/EMI license) supervised by the Bank of Greece, not crypto-specific rules.
**Processing *crypto* payments (e.g., facilitating payments directly in crypto-assets, or conversion services involving crypto-assets):** These activities would classify them as VASPs now and CASPs under MiCA, requiring registration/licensing as described above.
**Registration Regime (Current):** Primarily focused on AML/CFT compliance. While it requires adherence to certain standards, it is generally less comprehensive in terms of capital, operational, governance, and consumer protection requirements compared to a full licensing regime. The HCMC maintains a public register of VASPs.
**Licensing Regime (Future under MiCA):** A full authorization regime that encompasses not only robust AML/CFT, but also significant prudential requirements (capital), extensive governance and operational standards, comprehensive consumer protection measures, and market integrity rules. A MiCA license grants a "passport" to operate across the entire EU.
AML/KYC Requirements
**Law 4557/2018 (Government Gazette A' 139/30.07.2018)**: This is the primary Greek AML/CFT law, transposing the Fourth AML Directive (EU 2015/849). It established the general framework for obliged entities.
**Law 4734/2020 (Government Gazette A' 199/08.10.2020)**: This crucial law amended Law 4557/2018 to transpose the Fifth AML Directive (5AMLD) into Greek law. It explicitly expanded the scope of obliged entities to include:
Providers engaged in exchange services between virtual currencies and fiat currencies.
Providers of custodial wallet services (holding, storing, and transferring virtual currencies on behalf of customers).
Any other virtual asset service providers as defined by the Financial Action Task Force (FATF) recommendations and subsequent EU legislation.
**Law 4816/2021 (Government Gazette A' 118/09.07.2021)**: This law further amended Law 4557/2018, primarily to transpose aspects of the Sixth Anti-Money Laundering Directive (6AMLD) concerning the criminalization of money laundering offenses.
**Law 4991/2022 (Government Gazette A' 214/11.11.2022)**: This law made further amendments to Law 4557/2018, primarily to incorporate the changes from the EU Regulation on information accompanying transfers of funds and certain crypto-assets (Travel Rule).
**Identification and Verification of the Customer:**
**Natural Persons:** Obtain and verify the customer's full name, date of birth, place of birth, nationality, permanent address, and unique identification number (e.g., ID card, passport number). Verification must be done using reliable, independent source documents or data (e.g., government-issued photo ID, proof of address).
**Legal Entities:** Obtain and verify the entity's name, legal form, address of registered office, company registration number, and the names of the directors. Crucially, they must identify and verify the **Beneficial Owner(s) (BOs)** – any natural person who ultimately owns or controls more than 25% of the entity, directly or indirectly, or exercises control through other means.
**Understanding the Purpose and Intended Nature of the Business Relationship:** VASPs must understand why the customer is using their services and the expected pattern of transactions.
Regularly review transactions to ensure they are consistent with the VASP's knowledge of the customer, their business, and risk profile, including, where necessary, the source of funds.
Ensure that documents, data, or information obtained for CDD are kept up-to-date.
Screen customers against sanction lists (e.g., EU, UN).
**Simplified Due Diligence (SDD):** May be applied in specific, clearly defined low-risk scenarios.
**Enhanced Due Diligence (EDD):** Required for higher-risk situations, such as:
Business relationships with Politically Exposed Persons (PEPs) or their family members/close associates.
Transactions involving high-risk third countries.
Complex, unusually large transactions or unusual patterns of transactions that have no apparent economic or lawful purpose.
Situations where the customer is not physically present for identification purposes (non-face-to-face).
Any other specific risks identified by the VASP's risk assessment or regulatory guidance. EDD measures might include obtaining additional information on the customer, BO, source of funds/wealth, purpose of the transaction, and requiring senior management approval for the relationship.
Funds or virtual assets are the proceeds of criminal activity.
Funds or virtual assets are related to terrorist financing.
**CDD Information:** Copies of the documents and data obtained through the CDD process (e.g., identification documents, beneficial ownership information).
**Transaction Records:** All relevant records relating to domestic and international transactions, sufficient to reconstruct individual transactions. This includes dates, amounts, types of virtual assets, sender, and recipient information.
**STRs and Internal Reports:** Records of all suspicious transaction reports filed, as well as any internal reports or analyses that led to the decision to file or not to file an STR.
**Hellenic Capital Market Commission (HCMC)**
**Role:** The HCMC is designated as the supervisory authority for VASPs under Greek law. It is responsible for registering VASPs, conducting ongoing supervision, ensuring compliance with AML/CFT obligations, and imposing sanctions for non-compliance.
**Hellenic Anti-Money Laundering Authority (or Authority for Anti-Money Laundering and Counter Terrorist Financing)**
**Role:** This is Greece's Financial Intelligence Unit. It is responsible for receiving, analyzing, and disseminating suspicious transaction reports (STRs) and other financial intelligence to law enforcement and other competent authorities for the investigation of money laundering and terrorist financing. While not a primary supervisor in the ongoing compliance sense for VASPs, it is the recipient of all STRs.
**Website (General Information, often linked through Ministry of Finance or Justice):** Information is often found on sites like the Ministry of Finance or the General Secretariat for Anti-Crime Policy. A specific direct URL for the Authority itself is less common for FIUs, as their operations are sensitive. However, the Authority provides detailed reporting guidance to obliged entities.
**Custodial License Requirements (for AML/CTF purposes):**
**Greek Law:** Greece has transposed the 5th and 6th EU Anti-Money Laundering Directives (AMLDs) into national law, primarily through **Law 4557/2018 (Official Gazette A' 139/2018), as amended**. This law identifies "providers of services of exchange between virtual currencies and fiat currencies" and "custodian wallet providers" as 'obliged entities' for AML/CTF purposes.
**Registration:** Such entities are required to register with the **Hellenic Capital Market Commission (HCMC)**, which is designated as the competent authority for the supervision of Virtual Asset Service Providers (VASPs) for AML/CTF purposes. This registration is *not* a prudential license specifically for custody, but rather a registration to lawfully operate while fulfilling AML obligations.
**Law 4557/2018:** Articles 3(g) and 10(1) define "providers of services of exchange between virtual currencies and fiat currencies" and "custodian wallet providers" and subject them to AML/CTF obligations. (Access via Greek Government Gazette - *note: direct English translation URLs for specific articles are often unavailable, but the law number and official gazette are the authoritative reference*).
**Hellenic Capital Market Commission (HCMC):** The HCMC maintains a register of VASPs. Further details can be found on their official website under their supervisory mandates: https://www.hcmc.gr/ (Navigate to "Supervision" -> "Other Supervised Entities" or "Virtual Asset Service Providers").
**Current Greek Law:** There are no specific *Greek* laws explicitly mandating segregation of client crypto assets from a custodian's own assets *purely* under the existing AML/CTF framework. AMLD focuses on identifying beneficial ownership and transaction monitoring, not prudential segregation.
However, general principles of good corporate governance and fiduciary duty would strongly encourage segregation, and any regulated financial institution providing such services would typically segregate assets based on existing financial services laws (though crypto assets aren't yet fully integrated into these frameworks).
**Current Greek Law:** No explicit *Greek* regulatory mandates for the use of cold storage for crypto assets. The AML/CTF framework focuses on identifying risks and implementing controls, not prescribing specific technological storage methods. However, robust security measures, which would typically include cold storage for a significant portion of assets, would be considered best practice to mitigate operational and security risks.
**Current Greek Law:** There is no specific definition of a "qualified custodian" for crypto assets under current Greek law. The term "custodian wallet provider" is used within the AML/CTF context, referring to entities that provide services to safeguard private cryptographic keys on behalf of their customers, to hold, store and transfer virtual currencies. This definition is for AML purposes, not a prudential "qualified custodian" designation akin to traditional finance.
**MiCA:** MiCA introduces a comprehensive licensing regime for "crypto-asset service providers" (CASPs). Specifically, providing "custody and administration of crypto-assets on behalf of clients" is defined as a crypto-asset service requiring prior authorization from a competent national authority (e.g., HCMC in Greece).
**Authorization:** CASPs seeking to provide custody services will need to apply for and obtain an authorization, demonstrating compliance with various organizational, operational, and prudential requirements.
**Article 3(1)(10):** Defines "custody and administration of crypto-assets on behalf of clients."
**Article 59:** Outlines the authorization requirements for CASPs.
**Article 67:** Specifies the operating conditions for crypto-asset service providers providing custody and administration of crypto-assets on behalf of clients.
**EUR-Lex link to MiCA:** https://eur-lex.europa.eu/eli/reg/2023/1114/oj
**MiCA:** MiCA explicitly mandates strict segregation of client assets.
**Requirement:** CASPs providing custody services must keep client crypto-assets separate from their own assets and ensure that client fiat funds are held with credit institutions or central banks and kept separate from their own funds. Client assets must not be used for the CASP's own account.
**MiCA Regulation (EU) 2023/1114, Article 67(2) & (3):** "A crypto-asset service provider authorised for the custody and administration of crypto-assets on behalf of clients shall make adequate arrangements to safeguard the ownership rights of clients, especially in the event of the crypto-asset service provider's insolvency, and to prevent the use of clients' crypto-assets for its own account." and "A crypto-asset service provider authorised for the custody and administration of crypto-assets on behalf of clients shall keep clients' crypto-assets segregated from its own crypto-assets."
**MiCA:** MiCA introduces prudential safeguards for CASPs, including specific requirements for professional indemnity insurance or own funds.
**MiCA Regulation (EU) 2023/1114, Article 67(10):** "A crypto-asset service provider authorised for the custody and administration of crypto-assets on behalf of clients shall hold a professional indemnity insurance or own funds..."
**MiCA:** While MiCA doesn't explicitly mandate "cold storage," it requires CASPs to establish, maintain, and implement adequate policies and procedures to ensure the safekeeping of clients' crypto-assets and associated access tools. It also requires robust operational resilience and security.
**Requirement:** CASPs must have a robust internal governance framework, sound administrative and accounting procedures, and effective control and safeguard arrangements for IT systems. These general requirements strongly imply the necessity of secure storage solutions, which would typically include cold storage for a significant portion of client assets.
**MiCA Regulation (EU) 2023/1114, Article 67(4):** "firms providing custody and administration of crypto-assets on behalf of clients shall establish, maintain and implement adequate policies and procedures to ensure the safekeeping of clients' crypto-assets and the associated access tools."
**MiCA Regulation (EU) 2023/1114, Article 70:** Operational resilience requirements.
**MiCA:** Under MiCA, entities authorized to provide "custody and administration of crypto-assets on behalf of clients" will effectively be the "qualified custodians" within the EU framework. The authorization process ensures they meet the stringent requirements of MiCA.
**MiCA Regulation (EU) 2023/1114, Article 3(1)(10):** Defines the service.
**MiCA Regulation (EU) 2023/1114, Article 59:** Details the authorization process.
**Currently:** Crypto custody providers in Greece are primarily subject to **AML/CTF obligations** under **Law 4557/2018**, requiring **registration with the HCMC**. There are no specific prudential rules for segregation, insurance, or cold storage for crypto custody *yet*.
**Future (from December 30, 2024):** The **MiCA Regulation** will directly apply. Crypto custody providers will need a full **authorization** from the HCMC as a CASP, and will be subject to strict rules on **client asset segregation**, **professional indemnity insurance/own funds**, and robust **security/operational resilience** (implicitly including secure storage practices like cold storage). These authorized entities will effectively be Greece's "qualified custodians" for crypto assets.
**Regulator/Enforcement Body:** Hellenic Police (Cybercrime Division), Prosecutor's Office, in cooperation with Europol and other international law enforcement agencies.
**Entity Targeted:** A large international organized crime group operating "boiler rooms" (call centers) that defrauded investors across Europe, including Greece, using fake cryptocurrency investments.
**Violation Type:** Investment fraud, aggravated fraud, money laundering, participation in a criminal organization.
**Estimated damages:** Over €25 million (investigated amount, actual could be higher).
**Seizures:** Significant asset seizures, including bank accounts, luxury vehicles, real estate, and cryptocurrency wallets, though specific crypto amounts are not always publicly detailed at the initial stages. The operation led to the freezing of over 200 bank accounts and digital wallets.
**Date:** Arrests and operations primarily in **October 2023** (culmination of investigations started earlier).
**Outcome:** Multiple arrests (at least 15 in Greece, others internationally), dismantling of call centers, freezing of assets. Criminal proceedings are ongoing.
**Hellenic Police (EL.AS) Announcement (Greek):** https://www.astynomia.gr/archives/101830 (This link points to a general EL.AS news archive, specific press releases may need deeper search on their site or through news aggregators if the direct link expires).
**Greek News Article (e.g., Ekathimerini, based on EL.AS):** https://www.ekathimerini.com/news/1223945/police-bust-international-call-center-fraud-ring/
**Regulator/Enforcement Body:** Hellenic Police, Public Power Corporation (PPC) security services, Prosecutor's Office.
**Entity Targeted:** Individuals operating an illegal cryptocurrency mining farm.
**Violation Type:** Theft of electricity, illegal operation. While not a direct "crypto violation," it's significant as it involves crypto-related activities leading to criminal charges.
**Estimated stolen electricity value:** Tens of thousands of euros (e.g., €50,000+ in some reports).
**Seizures:** Mining equipment (e.g., over 100 GPUs, computers).
**Date:** Various incidents, but a notable one in **early 2022**.
**Outcome:** Arrests, charges filed for electricity theft, seizure of equipment. Criminal proceedings.
**Source URLs:** (Reports of these types of busts are common in local Greek news. Specific direct links can be hard to maintain as news sites archive, but here's an example of reporting this type of incident.)
**Greek News Article (local reporting):** Search for "Ελληνική Αστυνομία κλοπή ρεύματος mining" (Hellenic Police electricity theft mining) will yield many such results. One example of reporting from a local site: https://www.protothema.gr/greece/article/1220412/thessaloniki-theiki-cryptocurrency-mining-farm-eikonei-i-astunomia-sto-panorama/ (This specific article details an incident in March 2022).
**Entity Targeted:** Individuals involved in a fraudulent scheme that lured victims into investing in fake cryptocurrency platforms.
**Violation Type:** Fraud, money laundering, establishment/participation in a criminal organization.
**Estimated damages:** Significant sums, often hundreds of thousands of euros.
**Seizures:** Bank accounts, potentially crypto assets if traceable and accessible.
**Date:** Several incidents of this nature occur. A significant bust was reported around **mid-2022**.
**Outcome:** Arrests, ongoing investigations and criminal proceedings.
**Hellenic Police Announcements:** Direct police press releases about specific operations are the best source, often found by searching "Ελληνική Αστυνομία απάτη κρυπτονομίσματα" (Hellenic Police crypto fraud).
**Criminal vs. Administrative:** As highlighted, Greece's most public "enforcement actions" against crypto-related activities have predominantly been criminal cases involving fraud, money laundering, and other illicit activities, rather than administrative fines against regulated entities for compliance failures. This is partly due to the evolving regulatory framework for crypto-asset service providers (CASPs).
**Upcoming MiCA Impact:** With MiCA becoming fully applicable across the EU, including Greece, from late 2024, the Hellenic Capital Market Commission (HCMC) and the Bank of Greece will have more defined powers to license, supervise, and *enforce* against crypto-asset service providers (CASPs) for compliance with MiCA's requirements (consumer protection, market integrity, AML). This is expected to lead to more administrative enforcement actions in the future.
**AML/CFT Focus:** Greece, like other EU members, is subject to the EU's Anti-Money Laundering Directives. The Financial Intelligence Unit (FIU) has a role in AML/CFT, and while they issue guidance and receive suspicious transaction reports, specific public enforcement fines against crypto entities for AML lapses haven't been widely publicized compared to criminal busts.
**Adoption:** Greece transposed the 5th AMLD (Directive (EU) 2018/843) into national law primarily through **Law 4734/2020**, which amended the existing AML/CFT framework established by **Law 4557/2018**. This legislation brought Virtual Asset Service Providers (VASPs) under the scope of AML/CFT obligations, including requirements consistent with the FATF Travel Rule.
**Law 4734/2020** was published in the Official Government Gazette (ΦΕΚ Α’ 199/09.10.2020) on **October 9, 2020**, and became effective upon its publication.
The **Hellenic Capital Market Commission (HCMC)**, designated as the competent authority for supervising VASPs, subsequently established a register for VASPs, which became operational in **early 2021**, indicating active enforcement.
Greece, in line with the EU 5th AMLD and FATF Recommendations, requires VASPs to collect and verify originator and beneficiary information for transfers involving virtual assets **equal to or exceeding €1,000**.
This threshold applies to both **cross-border** and **domestic** transfers.
For transfers below €1,000, VASPs are still expected to apply a risk-based approach and conduct due diligence, especially if there are suspicions of money laundering or terrorist financing.
**Important Future Note:** The upcoming EU Regulation on information accompanying transfers of funds and certain crypto-assets (**Transfer of Funds Regulation - TFR**, which will complement the MiCA Regulation) will introduce a **zero-threshold** for information collection (meaning all transfers, regardless of amount, must have originator and beneficiary information collected) but will maintain the **€1,000 threshold** for *verification* of that information. This regulation is expected to become fully applicable by late 2024/early 2025, further strengthening the Travel Rule in Greece and across the EU.
Exchanging between virtual assets and fiat currencies.
Exchanging between one or more forms of virtual assets.
Custody and/or administration of virtual assets or instruments enabling control over virtual assets.
Participation in and provision of financial services related to an issuer's offer and/or sale of virtual assets.
Comply with AML/CFT obligations, including the Travel Rule.
Register with the **Hellenic Capital Market Commission (HCMC)**. The HCMC maintains a public register of registered VASPs.
**Hellenic Capital Market Commission (HCMC) Official Website:** https://www.hcmc.gr/
**Information Collection:** VASPs must collect and hold the following information for transfers above the threshold:
**Originator:** Name, address, official personal document number or customer identification number, date and place of birth, and the virtual asset wallet address (if applicable).
**Beneficiary:** Name and the virtual asset wallet address (if applicable).
**Information Transmission:** The originating VASP must transmit this information to the beneficiary VASP immediately and securely with the transaction.
**Information Verification:** VASPs must have robust systems to verify the collected information, especially for transfers exceeding €1,000.
**Record Keeping:** All collected information and transaction records must be retained for at least **five (5) years** after the transaction or termination of the business relationship, and up to ten (10) years if required by law or a competent authority.
**Risk Assessment:** VASPs must implement a risk-based approach to identify, assess, and mitigate ML/TF risks, including for transactions below the threshold.
**Data Protection:** Implementation must comply with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) regarding the handling of personal data.
**Administrative Penalties (imposed by the HCMC or other supervisory authorities):**
**Fines:** Substantial monetary fines, which can range from thousands to several millions of euros, or up to 10% of the total annual turnover for legal entities in the preceding business year. For serious or repeated breaches, the fine can be even higher.
**Public Statements:** Public announcements identifying the non-compliant VASP and the nature of the breach.
**Temporary or Permanent Prohibition:** Suspension or revocation of the VASP's registration or operating license.
**Removal of Management:** Requirement to replace members of the VASP's management body.
Individuals found responsible for money laundering or terrorist financing activities, or for intentionally facilitating such activities through non-compliance with AML/CFT duties, can face **imprisonment** and additional criminal fines.
Legal entities can also be subject to criminal sanctions, including significant fines and exclusion from public tenders.
**Law 4557/2018 (Original AML Law):** ΦΕΚ Α’ 139/30.07.2018 - https://www.kodiko.gr/nomothesia/document/21262/nomos-4557-2018 (the link points to a legal database that reproduces the law, not to the official gov.gr publication).
**Law 4734/2020 (Amending Law, including VASP provisions):** ΦΕΚ Α’ 199/09.10.2020 - https://www.kodiko.gr/nomothesia/document/267720/nomos-4734-2020 (the link points to a legal database that reproduces the law, not to the official gov.gr publication).
**Note:** This authority typically operates under the Ministry of Finance or as a specialized independent body. Its official website might be integrated within a broader governmental portal, or it might have a dedicated one.
Tax Reporting
If an individual buys and sells cryptocurrency occasionally, not as a business activity, the gains are generally **not explicitly subject to capital gains tax** under the current framework, as crypto is not listed under the specific types of assets (e.g., shares, securities) that attract capital gains tax (which is 15% for transfers of securities and shares).
**Important Caveat:** This interpretation can be complex. If the activity is deemed regular, organized, or substantial enough to constitute a "business activity," the individual would be considered a professional trader and subject to income tax (see below). The distinction between "sporadic" and "business activity" is crucial and often determined on a case-by-case basis by tax authorities.
**For Businesses and Professional Traders (Individuals or Entities):**
If an individual or a company engages in crypto trading as a regular business activity (e.g., frequent buying/selling with a profit motive, mining, staking, providing crypto services), then any profits derived are considered **business income**.
**Corporate Income Tax:** For legal entities (companies), profits from crypto activities are subject to the standard corporate income tax rate, which is currently **22%**.
**Individual Income Tax (Professional Traders):** For individuals deemed professional traders, profits are subject to the progressive individual income tax rates, ranging from **9% to 44%**, depending on the total annual income.
**Mining:** Income from crypto mining is generally considered business income.
**Individuals:** Subject to progressive individual income tax rates (9-44%).
**Businesses:** Subject to corporate income tax (22%).
**Staking, Lending, DeFi Rewards:** Similar to mining, if these activities are regular and systematic, they are likely considered business income.
**Individuals:** Progressive individual income tax rates (9-44%).
**Salaries/Remuneration in Crypto:** If an employee receives a salary or other forms of remuneration in cryptocurrency, it is treated as regular employment income and is subject to standard employment income tax and social security contributions, calculated based on the fiat equivalent value at the time of payment.
**Airdrops/Forks:** The tax treatment of airdrops and forks is less clear but generally follows the principle of whether they constitute taxable income (e.g., if received for a service, or if they represent a windfall that forms part of a business activity). They might be considered taxable income when realized if the activity is deemed professional.
**Payment for Goods/Services:** If an individual or business receives cryptocurrency as payment for goods or services, the value of the crypto (in fiat equivalent) is considered income from the sale of goods or provision of services and is subject to the relevant income tax.
**Exchange of Cryptocurrencies for Fiat Currency (and vice versa):** Services consisting of the exchange of traditional currencies for units of the "bitcoin" virtual currency (and vice versa) are **exempt from VAT**. This applies to the transaction fees charged by crypto exchanges for these services.
**Goods and Services Paid with Cryptocurrency:** When cryptocurrency is used as a means of payment for goods or services, the transaction is subject to VAT **on the underlying goods or services**, not on the cryptocurrency itself. The crypto is treated simply as a medium of exchange, similar to fiat currency. The value for VAT purposes is the fiat equivalent of the cryptocurrency at the time of the transaction.
**Income Tax Declaration (Form E1):** Any income derived from cryptocurrency activities that is deemed taxable (e.g., from professional trading, mining, staking, salaries) must be declared in the annual personal income tax return (Form E1). The specific section for declaring such income would depend on its nature (e.g., "income from business activities").
**Asset Declaration:** Greece generally does not have a specific wealth tax or mandatory reporting of virtual assets as part of an individual's asset declaration unless it is related to illicit activities or extremely high values trigger other reporting obligations. However, there is growing international pressure (e.g., OECD's Crypto-Asset Reporting Framework - CARF) for more transparency.
Businesses dealing with crypto must adhere to standard accounting principles and include all crypto-related transactions and holdings in their financial statements and corporate tax returns.
They must maintain proper records, including transaction histories, valuations, and profit/loss statements.
**Platform Reporting (Future):** As an EU member state, Greece will be subject to the **DAC7** directive, which mandates reporting by digital platforms (including some crypto platforms) on the income of sellers using their services. The upcoming **DAC8** directive will specifically extend automatic exchange of information to crypto-assets, significantly increasing reporting obligations for crypto-asset service providers from 2026.
**AADE Circular E. 2063/2023:** This is the most significant official document from the Greek tax authorities regarding the tax treatment of virtual assets. It defines virtual assets and clarifies that they are **not securities, foreign currency, or electronic money** for tax purposes, thus determining which existing tax provisions (or lack thereof) apply.
**Reference (Greek):** AADE Circular E. 2063/2023 (PDF on aade.gr)
**EU Regulatory Frameworks:** While not tax legislation, it's important to note the influence of EU regulations:
**Markets in Crypto-Assets (MiCA) Regulation:** This EU regulation, which will be gradually implemented, provides a comprehensive regulatory framework for crypto-assets not already covered by existing financial services legislation. While primarily regulatory, it may indirectly influence future tax interpretations or specific tax legislation by providing clearer definitions and classifications of different types of crypto-assets.
**Independent Authority for Public Revenue (AADE):** The official Greek tax authority. All tax circulars and guidance are issued by them.
**AADE Official Website (Greek):** https://www.aade.gr/
Sanctions & Restrictions
**Source:** UN Security Council Resolutions.
**Mechanism:** These resolutions are legally binding on all UN member states, including Greece. The EU then implements these resolutions into its own legal framework, making them directly applicable within Greece.
**Focus:** Target specific individuals (e.g., terrorists, those involved in proliferation of WMDs), entities, or entire regimes (e.g., North Korea, Iran, specific regions).
**Obligations:** Freezing of funds and economic resources, travel bans, arms embargoes.
**Relevance to Crypto:** If a UN-sanctioned individual or entity attempts to use or hold virtual assets, those assets are subject to the same freezing and reporting obligations as traditional financial assets.
**Source:** EU Council Regulations and Decisions.
**Mechanism:** EU sanctions implement UN resolutions but also include autonomous EU sanctions regimes (e.g., in response to the situation in Ukraine, human rights violations, cyberattacks, terrorism). EU Regulations are directly applicable and binding in their entirety in all member states, without the need for national implementing legislation (though national laws define penalties).
Council Regulation (EU) No 269/2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine.
Council Regulation (EC) No 2580/2001 on specific restrictive measures directed against certain persons and entities with a view to combating terrorism.
Various specific regulations targeting countries like Syria, Iran, Myanmar, Venezuela, etc.
**Obligations:** Asset freezes, prohibitions on making funds/economic resources available, trade restrictions (embargoes on goods and technology), travel bans.
**Relevance to Crypto:** EU sanctions explicitly cover "funds" and "economic resources," which are broad enough to include virtual assets. Recent EU sanctions packages (e.g., related to Russia) have explicitly mentioned crypto assets. VASPs are expected to comply with these restrictions.
**Source:** U.S. laws and executive orders, administered by the U.S. Department of the Treasury's OFAC.
**Mechanism:** While primarily U.S. law, OFAC sanctions have significant extraterritorial reach. This is especially relevant for VASPs that:
Deal with U.S. persons (citizens, residents, entities).
Handle transactions denominated in U.S. dollars.
Use U.S.-origin software or technology.
**Obligations:** Prohibitions on transactions, blocking of assets, reporting requirements.
**Relevance to Crypto:** OFAC has actively targeted virtual currency mixers, exchanges, and addresses associated with sanctioned entities, illicit finance, and ransomware. Any VASP in Greece with a U.S. nexus or international operations will generally need to screen against OFAC lists (e.g., Specially Designated Nationals and Blocked Persons List - SDN List) to avoid potential secondary sanctions or direct enforcement actions.
**EU Anti-Money Laundering Directives (AMLDs):** Specifically, the 5th AMLD (Directive (EU) 2018/843) brought VASPs under the scope of AML/CFT regulations. The upcoming MiCA Regulation (Regulation (EU) 2023/1114 on Markets in Crypto-Assets) will further regulate VASPs, including aspects relevant to financial crime compliance.
**Greek National Law:** Law 4557/2018 (ΦΕΚ Α' 139/30.07.2018) transposed the 4th and 5th AMLDs into Greek law, establishing the legal framework for combating money laundering and terrorist financing for obliged entities, including VASPs. This law designates the Hellenic Financial Intelligence Unit (FIU) as the primary authority for receiving suspicious transaction reports and the Bank of Greece as a supervisory authority for VASPs regarding AML/CFT compliance.
**Customer Due Diligence (CDD) / Know Your Customer (KYC):** Identify and verify the identity of customers and their beneficial owners.
**Sanctions Screening:** Screen all customers (new and existing), beneficial owners, and transaction counterparties against relevant sanctions lists (UN, EU, and potentially OFAC). This must be done at onboarding, prior to transactions, and on an ongoing basis.
**Asset Freezing:** Immediately freeze funds and economic resources (including virtual assets) belonging to or controlled by sanctioned individuals or entities.
**Prohibition on Making Funds Available:** Do not make any funds or economic resources available, directly or indirectly, to sanctioned individuals or entities.
Report any frozen assets to the relevant Greek authorities (e.g., Hellenic FIU, Bank of Greece) without delay.
Report suspicious transactions (STRs) to the Hellenic FIU if there are grounds to suspect money laundering or terrorist financing, which often involves a sanctions nexus.
**Internal Controls:** Establish robust internal policies, procedures, risk assessments, and training programs to ensure compliance. Appoint a compliance officer responsible for AML/CFT and sanctions.
**Record Keeping:** Maintain records of all transactions, CDD documentation, and sanctions screening results for at least five years.
All customers (individual and corporate).
Beneficial owners of corporate customers.
Intermediaries in complex crypto transactions.
**What Lists to Screen Against:**
**UN Consolidated List:** Individuals and entities designated by the UN Security Council.
**EU Consolidated Financial Sanctions List:** This is the primary EU list, combining all individuals and entities targeted by EU asset freeze measures. It is frequently updated.
**OFAC Sanctions Lists:** Specifically the Specially Designated Nationals (SDN) List, Sectoral Sanctions Identifications List (SSI), and other program-specific lists (e.g., related to cyber, narcotics). While not legally binding under Greek law, screening against OFAC lists is a best practice for international VASPs to mitigate U.S. sanctions risk.
Automated screening solutions are highly recommended given the volume of transactions and the dynamic nature of sanctions lists.
Sanctions lists must be updated frequently (daily is often required or best practice).
A robust "hit management" process is crucial to review potential matches, resolve false positives, and escalate true positives for further action.
**Scope:** Screening should encompass names, aliases, dates of birth, addresses, passport numbers, and potentially crypto addresses linked to known sanctioned entities, where such information is available and feasible.
**Examples of Sanctioned Jurisdictions (EU perspective):**
**Comprehensive Sanctions:** Iran, North Korea, Syria, certain regions of Ukraine (e.g., Crimea, Sevastopol, areas of Donetsk and Luhansk, Kherson, Zaporizhzhia).
**Targeted Sanctions:** Russia (extensive sectoral sanctions, asset freezes on specific individuals/entities), Belarus, Myanmar, Venezuela, Mali, etc.
**Implications for Crypto:** VASPs must prevent transactions originating from or destined for these jurisdictions, or involving individuals/entities based there, as per the scope of the specific sanctions regime. This often involves geoblocking IP addresses, scrutinizing wallet addresses linked to sanctioned regions, and enhancing CDD for clients with any connection to high-risk or sanctioned areas.
**Legal Basis:** Greek Law 4557/2018 (Articles 40-45) and other specific laws implementing EU sanctions.
**Imprisonment:** Individuals (e.g., responsible VASP officers or directors) can face imprisonment for serious breaches, particularly those involving terrorist financing or significant money laundering. Sentences can range from several years up to 10 years or more, depending on the severity and intent.
**Fines:** Significant criminal fines can be imposed on individuals and legal entities.
**Fines:** The Hellenic FIU and the Bank of Greece can impose substantial administrative fines on VASPs for non-compliance. These can range from hundreds of thousands to several million euros, or a percentage of the VASP's annual turnover (e.g., up to 10% of total annual turnover for serious breaches), as per AMLD5 requirements.
**Withdrawal of Authorization/License:** A VASP's operating license in Greece can be suspended or revoked.
**Public Censure:** Publication of a public statement identifying the VASP and the nature of the breach.
**Disqualification:** Responsible individuals may be disqualified from holding management positions.
**Reputational Damage:** Beyond legal penalties, non-compliance can lead to severe reputational damage, loss of customer trust, and difficulties in maintaining banking relationships.
**UN Consolidated List:** Accessible via the UN website (e.g., https://www.un.org/securitycouncil/sanctions/un-sc-consolidated-list).
**Access:** The EU Sanctions Map provides a comprehensive overview and access to the consolidated lists: https://www.sanctionsmap.eu/#/main
**OFAC Sanctions Lists:** For the reasons mentioned above (extraterritorial reach), compliance with OFAC lists is a critical risk mitigation strategy for international VASPs.
**Access:** The OFAC Sanctions List Search is the primary tool: https://sanctionssearch.ofac.treas.gov/
The SDN List can also be downloaded directly: https://www.treasury.gov/ofac/downloads/sdn.pdf
UN Security Council Sanctions Committees: https://www.un.org/securitycouncil/sanctions/information
EU Sanctions Map (overview and access to consolidated lists): https://www.sanctionsmap.eu/#/main
Council Regulation (EU) No 269/2014 (example of specific sanctions regime, current consolidated version): https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02014R0269-20231215
**EU AML/CFT Framework (relevant for VASPs):**
Directive (EU) 2018/843 (5th AMLD, including VASPs): https://eur-lex.europa.eu/eli/dir/2018/843/oj
Regulation (EU) 2023/1114 (MiCA Regulation): https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R1114
Law 4557/2018 (ΦΕΚ Α' 139/30.07.2018) for AML/CFT and penalties. No direct, freely accessible English translation is linked here, so the official publication reference is given instead. Official Greek gazette (ΦΕΚ) publications can be searched on the National Printing Office website (Εθνικό Τυπογραφείο).
Hellenic Financial Intelligence Unit (FIU): https://www.hellenicfiu.gr/
OFAC Sanctions List Search: https://sanctionssearch.ofac.treas.gov/
Specially Designated Nationals (SDN) List: https://www.treasury.gov/ofac/downloads/sdn.pdf
Research & Articles
Regulatory Forecast
High confidence: likely AML/CFT regulation update expected around 2026-05-24.
Based on 84 historical regulatory events for Greece, averaging every 24 days, with increasing regulatory activity.
Recent Updates
**Criminal vs. Administrative:** As highlighted, Greece's most public "enforcement actions" against crypto-related activities have predominantly been criminal cases involving fraud, money laundering, and other illicit activities, rather than administrative fines against regulated entities for compliance failures. This is partly due to the evolving regulatory framework for crypto-asset service providers (CASPs).
**Upcoming MiCA Impact:** With MiCA becoming fully applicable across the EU, including Greece, from late 2024, the Hellenic Capital Market Commission (HCMC) and the Bank of Greece will have more defined powers to license, supervise, and *enforce* against crypto-asset service providers (CASPs) for compliance with MiCA's requirements (consumer protection, market integrity, AML). This is expected to lead to more administrative enforcement actions in the future.
**AML/CFT Focus:** Greece, like other EU members, is subject to the EU's Anti-Money Laundering Directives. The Financial Intelligence Unit (FIU) has a role in AML/CFT, and while they issue guidance and receive suspicious transaction reports, specific public enforcement fines against crypto entities for AML lapses haven't been widely publicized compared to criminal busts.
**EU Regulatory Frameworks:** While not tax legislation, it's important to note the influence of EU regulations:
**Transferable securities** are defined as classes of securities negotiable on capital markets, excluding instruments of payment, and include shares, bonds, and other securitized debt or equity. (Source: MiFID II Directive)
Security token public offerings require an HCMC-approved prospectus per Regulation (EU) 2017/1129, as transposed into Greek law. (Source: Prospectus Regulation)
Cross-border/nascent projects face enforcement challenges, but HCMC primarily issues public warnings about unregulated crypto-asset risks. (Source: HCMC Official Website)
Enforcement falls under unlicensed financial activities or market abuse categories for unauthorized trading platforms or unlicensed offerings. (Source: HCMC Official Website)
Sanctions for violations include administrative fines, cease-and-desist orders, and potential criminal penalties for severe breaches. (Source: HCMC Official Website)
EU regulatory frameworks like MiCA and DAC8 influence future tax interpretations but are not direct tax legislation. (Source: AADE Circular E. 2063/2023)