Greece -- AML/CFT Compliance Regulatory Overview

**Law 4557/2018 (Government Gazette A' 139/30.07.2018)**: This is the primary Greek AML/CFT law, transposing the Fourth AML Directive (EU 2015/849). It established the general framework for obliged entities.

**Law 4734/2020 (Government Gazette A' 199/08.10.2020)**: This crucial law amended Law 4557/2018 to transpose the Fifth AML Directive (5AMLD) into Greek law. It explicitly expanded the scope of obliged entities to include:

Providers engaged in exchange services between virtual currencies and fiat currencies.

Providers of custodial wallet services (holding, storing, and transferring virtual currencies on behalf of customers).

Any other virtual asset service providers as defined by the Financial Action Task Force (FATF) recommendations and subsequent EU legislation.

**Law 4816/2021 (Government Gazette A' 118/09.07.2021)**: This law further amended Law 4557/2018, primarily to transpose aspects of the Sixth Anti-Money Laundering Directive (6AMLD) concerning the criminalization of money laundering offenses.

**Law 4991/2022 (Government Gazette A' 214/11.11.2022)**: This law made further amendments to Law 4557/2018, primarily to incorporate the changes from the EU Regulation on information accompanying transfers of funds and certain crypto-assets (Travel Rule).

**Identification and Verification of the Customer:**

**Natural Persons:** Obtain and verify the customer's full name, date of birth, place of birth, nationality, permanent address, and unique identification number (e.g., ID card, passport number). Verification must be done using reliable, independent source documents or data (e.g., government-issued photo ID, proof of address).

**Legal Entities:** Obtain and verify the entity's name, legal form, address of registered office, company registration number, and the names of the directors. Crucially, they must identify and verify the **Beneficial Owner(s) (BOs)** – any natural person who ultimately owns or controls more than 25% of the entity, directly or indirectly, or exercises control through other means.

**Understanding the Purpose and Intended Nature of the Business Relationship:** VASPs must understand why the customer is using their services and the expected pattern of transactions.

Regularly review transactions to ensure they are consistent with the VASP's knowledge of the customer, their business, and risk profile, including, where necessary, the source of funds.

Ensure that documents, data, or information obtained for CDD are kept up-to-date.

Screen customers against sanction lists (e.g., EU, UN).

**Simplified Due Diligence (SDD):** May be applied in specific, clearly defined low-risk scenarios.

**Enhanced Due Diligence (EDD):** Required for higher-risk situations, such as:

Business relationships with Politically Exposed Persons (PEPs) or their family members/close associates.

Transactions involving high-risk third countries.

Complex, unusually large transactions or unusual patterns of transactions that have no apparent economic or lawful purpose.

Situations where the customer is not physically present for identification purposes (non-face-to-face).

Any other specific risks identified by the VASP's risk assessment or regulatory guidance. EDD measures might include obtaining additional information on the customer, BO, source of funds/wealth, purpose of the transaction, and requiring senior management approval for the relationship.

Funds or virtual assets are the proceeds of criminal activity.

Funds or virtual assets are related to terrorist financing.

**CDD Information:** Copies of the documents and data obtained through the CDD process (e.g., identification documents, beneficial ownership information).

**Transaction Records:** All relevant records relating to domestic and international transactions, sufficient to reconstruct individual transactions. This includes dates, amounts, types of virtual assets, sender, and recipient information.

**STRs and Internal Reports:** Records of all suspicious transaction reports filed, as well as any internal reports or analyses that led to the decision to file or not to file an STR.

**Hellenic Capital Market Commission (HCMC)**

**Role:** The HCMC is designated as the supervisory authority for VASPs under Greek law. It is responsible for registering VASPs, conducting ongoing supervision, ensuring compliance with AML/CFT obligations, and imposing sanctions for non-compliance.

**Hellenic Anti-Money Laundering Authority (or Authority for Anti-Money Laundering and Counter Terrorist Financing)**

**Role:** This is Greece's Financial Intelligence Unit. It is responsible for receiving, analyzing, and disseminating suspicious transaction reports (STRs) and other financial intelligence to law enforcement and other competent authorities for the investigation of money laundering and terrorist financing. While not a primary supervisor in the ongoing compliance sense for VASPs, it is the recipient of all STRs.

**Website (General Information, often linked through Ministry of Finance or Justice):** Information is often found on sites like the Ministry of Finance or the General Secretariat for Anti-Crime Policy. Specific direct URL for the Authority itself is less common for FIUs, as their operations are sensitive. However, for reporting, detailed guidance is provided by the Authority to obliged entities.

**Custodial License Requirements (for AML/CTF purposes):**

**Greek Law:** Greece has transposed the 5th and 6th EU Anti-Money Laundering Directives (AMLDs) into national law, primarily through **Law 4557/2018 (Official Gazette A' 139/2018), as amended**. This law identifies "providers of services of exchange between virtual currencies and fiat currencies" and "custodian wallet providers" as 'obliged entities' for AML/CTF purposes.

**Registration:** Such entities are required to register with the **Hellenic Capital Market Commission (HCMC)**, which is designated as the competent authority for the supervision of Virtual Asset Service Providers (VASPs) for AML/CTF purposes. This registration is *not* a prudential license specifically for custody, but rather a registration to lawfully operate while fulfilling AML obligations.

**Law 4557/2018:** Articles 3(g) and 10(1) define "providers of services of exchange between virtual currencies and fiat currencies" and "custodian wallet providers" and subject them to AML/CTF obligations. (Access via Greek Government Gazette - *note: direct English translation URLs for specific articles are often unavailable, but the law number and official gazette are the authoritative reference*).

**Hellenic Capital Market Commission (HCMC):** The HCMC maintains a register of VASPs. Further details can be found on their official website under their supervisory mandates: https://www.hcmc.gr/ (Navigate to "Supervision" -> "Other Supervised Entities" or "Virtual Asset Service Providers").

**Segregation of Client Assets Rules:**

**Current Greek Law:** There are no specific *Greek* laws explicitly mandating segregation of client crypto assets from a custodian's own assets *purely* under the existing AML/CTF framework. AMLD focuses on identifying beneficial ownership and transaction monitoring, not prudential segregation.

However, general principles of good corporate governance and fiduciary duty would strongly encourage segregation, and any regulated financial institution providing such services would typically segregate assets based on existing financial services laws (though crypto assets aren't yet fully integrated into these frameworks).

**Current Greek Law:** No explicit *Greek* regulatory mandates for the use of cold storage for crypto assets. The AML/CTF framework focuses on identifying risks and implementing controls, not prescribing specific technological storage methods. However, robust security measures, which would typically include cold storage for a significant portion of assets, would be considered best practice to mitigate operational and security risks.

**Current Greek Law:** There is no specific definition of a "qualified custodian" for crypto assets under current Greek law. The term "custodian wallet provider" is used within the AML/CTF context, referring to entities that provide services to safeguard private cryptographic keys on behalf of their customers, to hold, store and transfer virtual currencies. This definition is for AML purposes, not a prudential "qualified custodian" designation akin to traditional finance.

**MiCA:** MiCA introduces a comprehensive licensing regime for "crypto-asset service providers" (CASPs). Specifically, providing "custody and administration of crypto-assets on behalf of clients" is defined as a crypto-asset service requiring prior authorization from a competent national authority (e.g., HCMC in Greece).

**Authorization:** CASPs seeking to provide custody services will need to apply for and obtain an authorization, demonstrating compliance with various organizational, operational, and prudential requirements.

**Article 3(1)(10):** Defines "custody and administration of crypto-assets on behalf of clients."

**Article 59:** Outlines the authorization requirements for CASPs.

**Article 67:** Specifies the operating conditions for crypto-asset service providers providing custody and administration of crypto-assets on behalf of clients.

**EUR-Lex link to MiCA:** https://eur-lex.europa.eu/eli/reg/2023/1114/oj

**MiCA:** MiCA explicitly mandates strict segregation of client assets.

**Requirement:** CASPs providing custody services must keep client crypto-assets separate from their own assets and ensure that client fiat funds are held with credit institutions or central banks and kept separate from their own funds. Client assets must not be used for the CASP's own account.

**MiCA Regulation (EU) 2023/1114, Article 67(2) & (3):** "A crypto-asset service provider authorised for the custody and administration of crypto-assets on behalf of clients shall make adequate arrangements to safeguard the ownership rights of clients, especially in the event of the crypto-asset service provider's insolvency, and to prevent the use of clients' crypto-assets for its own account." and "A crypto-asset service provider authorised for the custody and administration of crypto-assets on behalf of clients shall keep clients' crypto-assets segregated from its own crypto-assets."

**MiCA:** MiCA introduces prudential safeguards for CASPs, including specific requirements for professional indemnity insurance or own funds.

**MiCA Regulation (EU) 2023/1114, Article 67(10):** "A crypto-asset service provider authorised for the custody and administration of crypto-assets on behalf of clients shall hold a professional indemnity insurance or own funds..."

**MiCA:** While MiCA doesn't explicitly mandate "cold storage," it requires CASPs to establish, maintain, and implement adequate policies and procedures to ensure the safekeeping of clients' crypto-assets and associated access tools. It also requires robust operational resilience and security.

**Requirement:** CASPs must have a robust internal governance framework, sound administrative and accounting procedures, and effective control and safeguard arrangements for IT systems. These general requirements strongly imply the necessity of secure storage solutions, which would typically include cold storage for a significant portion of client assets.

**MiCA Regulation (EU) 2023/1114, Article 67(4):** "firms providing custody and administration of crypto-assets on behalf of clients shall establish, maintain and implement adequate policies and procedures to ensure the safekeeping of clients' crypto-assets and the associated access tools."

**MiCA Regulation (EU) 2023/1114, Article 70:** Operational resilience requirements.

**MiCA:** Under MiCA, entities authorized to provide "custody and administration of crypto-assets on behalf of clients" will effectively be the "qualified custodians" within the EU framework. The authorization process ensures they meet the stringent requirements of MiCA.

**MiCA Regulation (EU) 2023/1114, Article 3(1)(10):** Defines the service.

**MiCA Regulation (EU) 2023/1114, Article 59:** Details the authorization process.

**Currently:** Crypto custody providers in Greece are primarily subject to **AML/CTF obligations** under **Law 4557/2018**, requiring **registration with the HCMC**. There are no specific prudential rules for segregation, insurance, or cold storage for crypto custody *yet*.

**Future (from December 30, 2024):** The **MiCA Regulation** will directly apply. Crypto custody providers will need a full **authorization** from the HCMC as a CASP, and will be subject to strict rules on **client asset segregation**, **professional indemnity insurance/own funds**, and robust **security/operational resilience** (implicitly including secure storage practices like cold storage). These authorized entities will effectively be Greece's "qualified custodians" for crypto assets.

**Regulator/Enforcement Body:** Hellenic Police (Cybercrime Division), Prosecutor's Office, in cooperation with Europol and other international law enforcement agencies.

**Entity Targeted:** A large international organized crime group operating "boiler rooms" (call centers) that defrauded investors across Europe, including Greece, using fake cryptocurrency investments.

**Violation Type:** Investment fraud, aggravated fraud, money laundering, participation in a criminal organization.

**Estimated damages:** Over €25 million (investigated amount, actual could be higher).

**Seizures:** Significant asset seizures, including bank accounts, luxury vehicles, real estate, and cryptocurrency wallets, though specific crypto amounts are not always publicly detailed at the initial stages. The operation led to the freezing of over 200 bank accounts and digital wallets.

**Date:** Arrests and operations primarily in **October 2023** (culmination of investigations started earlier).

**Outcome:** Multiple arrests (at least 15 in Greece, others internationally), dismantling of call centers, freezing of assets. Criminal proceedings are ongoing.

**Hellenic Police (EL.AS) Announcement (Greek):** https://www.astynomia.gr/archives/101830 (This link points to a general EL.AS news archive, specific press releases may need deeper search on their site or through news aggregators if the direct link expires).

**Greek News Article (e.g., Ekathimerini, based on EL.AS):** https://www.ekathimerini.com/news/1223945/police-bust-international-call-center-fraud-ring/

**Regulator/Enforcement Body:** Hellenic Police, Public Power Corporation (PPC) security services, Prosecutor's Office.

**Entity Targeted:** Individuals operating an illegal cryptocurrency mining farm.

**Violation Type:** Theft of electricity, illegal operation. While not a direct "crypto violation," it's significant as it involves crypto-related activities leading to criminal charges.

**Estimated stolen electricity value:** Tens of thousands of euros (e.g., €50,000+ in some reports).

**Seizures:** Mining equipment (e.g., over 100 GPUs, computers).

**Date:** Various incidents, but a notable one in **early 2022**.

**Outcome:** Arrests, charges filed for electricity theft, seizure of equipment. Criminal proceedings.

**Source URLs:** (Reports of these types of busts are common in local Greek news. Specific direct links can be hard to maintain as news sites archive, but here's an example of reporting this type of incident.)

**Greek News Article (local reporting):** Search for "Ελληνική Αστυνομία κλοπή ρεύματος mining" (Hellenic Police electricity theft mining) will yield many such results. One example of reporting from a local site: https://www.protothema.gr/greece/article/1220412/thessaloniki-theiki-cryptocurrency-mining-farm-eikonei-i-astunomia-sto-panorama/ (This specific article details an incident in March 2022).

**Entity Targeted:** Individuals involved in a fraudulent scheme that lured victims into investing in fake cryptocurrency platforms.

**Violation Type:** Fraud, money laundering, establishment/participation in a criminal organization.

**Estimated damages:** Significant sums, often hundreds of thousands of euros.

**Seizures:** Bank accounts, potentially crypto assets if traceable and accessible.

**Date:** Several incidents of this nature occur. A significant bust was reported around **mid-2022**.

**Outcome:** Arrests, ongoing investigations and criminal proceedings.

**Hellenic Police Announcements:** Direct police press releases about specific operations are the best source, often found by searching "Ελληνική Αστυνομία απάτη κρυπτονομίσματα" (Hellenic Police crypto fraud).

**Criminal vs. Administrative:** As highlighted, Greece's most public "enforcement actions" against crypto-related activities have predominantly been criminal cases involving fraud, money laundering, and other illicit activities, rather than administrative fines against regulated entities for compliance failures. This is partly due to the evolving regulatory framework for crypto-asset service providers (CASPs).

**Upcoming MiCA Impact:** With MiCA becoming fully applicable across the EU, including Greece, from late 2024, the Hellenic Capital Market Commission (HCMC) and the Bank of Greece will have more defined powers to license, supervise, and *enforce* against crypto-asset service providers (CASPs) for compliance with MiCA's requirements (consumer protection, market integrity, AML). This is expected to lead to more administrative enforcement actions in the future.

**AML/CFT Focus:** Greece, like other EU members, is subject to the EU's Anti-Money Laundering Directives. The Financial Intelligence Unit (FIU) has a role in AML/CFT, and while they issue guidance and receive suspicious transaction reports, specific public enforcement fines against crypto entities for AML lapses haven't been widely publicized compared to criminal busts.

**Adoption:** Greece transposed the 5th AMLD (Directive (EU) 2018/843) into national law primarily through **Law 4734/2020**, which amended the existing AML/CFT framework established by **Law 4557/2018**. This legislation brought Virtual Asset Service Providers (VASPs) under the scope of AML/CFT obligations, including requirements consistent with the FATF Travel Rule.

**Law 4734/2020** was published in the Official Government Gazette (ΦΕΚ Α’ 199/09.10.2020) on **October 9, 2020**, and became effective upon its publication.

The **Hellenic Capital Market Commission (HCMC)**, designated as the competent authority for supervising VASPs, subsequently established a register for VASPs, which became operational in **early 2021**, indicating active enforcement.

Greece, in line with the EU 5th AMLD and FATF Recommendations, requires VASPs to collect and verify originator and beneficiary information for transfers involving virtual assets **equal to or exceeding €1,000**.

This threshold applies to both **cross-border** and **domestic** transfers.

For transfers below €1,000, VASPs are still expected to apply a risk-based approach and conduct due diligence, especially if there are suspicions of money laundering or terrorist financing.

**Important Future Note:** The upcoming EU Regulation on information accompanying transfers of funds and certain crypto-assets (**Transfer of Funds Regulation - TFR**, which will complement the MiCA Regulation) will introduce a **zero-threshold** for information collection (meaning all transfers, regardless of amount, must have originator and beneficiary information collected) but will maintain the **€1,000 threshold** for *verification* of that information. This regulation is expected to become fully applicable by late 2024/early 2025, further strengthening the Travel Rule in Greece and across the EU.

Exchanging between virtual assets and fiat currencies.

Exchanging between one or more forms of virtual assets.

Custody and/or administration of virtual assets or instruments enabling control over virtual assets.

Participation in and provision of financial services related to an issuer's offer and/or sale of virtual assets.

Comply with AML/CFT obligations, including the Travel Rule.

Register with the **Hellenic Capital Market Commission (HCMC)**. The HCMC maintains a public register of registered VASPs.

**Hellenic Capital Market Commission (HCMC) Official Website:** https://www.hcmc.gr/

**Information Collection:** VASPs must collect and hold the following information for transfers above the threshold:

**Originator:** Name, address, official personal document number or customer identification number, date and place of birth, and the virtual asset wallet address (if applicable).

**Beneficiary:** Name and the virtual asset wallet address (if applicable).

**Information Transmission:** The originating VASP must securely transmit this information to the beneficiary VASP immediately and securely with the transaction.

**Information Verification:** VASPs must have robust systems to verify the collected information, especially for transfers exceeding €1,000.

**Record Keeping:** All collected information and transaction records must be retained for at least **five (5) years** after the transaction or termination of the business relationship, and up to ten (10) years if required by law or a competent authority.

**Risk Assessment:** VASPs must implement a risk-based approach to identify, assess, and mitigate ML/TF risks, including for transactions below the threshold.

**Data Protection:** Implementation must comply with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) regarding the handling of personal data.

**Administrative Penalties (imposed by the HCMC or other supervisory authorities):**

**Fines:** Substantial monetary fines, which can range from thousands to several millions of euros, or up to 10% of the total annual turnover for legal entities in the preceding business year. For serious or repeated breaches, the fine can be even higher.

**Public Statements:** Public announcements identifying the non-compliant VASP and the nature of the breach.

**Temporary or Permanent Prohibition:** Suspension or revocation of the VASP's registration or operating license.

**Removal of Management:** Requirement to replace members of the VASP's management body.

Individuals found responsible for money laundering or terrorist financing activities, or for intentionally facilitating such activities through non-compliance with AML/CFT duties, can face **imprisonment** and additional criminal fines.

Legal entities can also be subject to criminal sanctions, including significant fines and exclusion from public tenders.

**Law 4557/2018 (Original AML Law):** ΦΕΚ Α’ 139/30.07.2018 - https://www.kodiko.gr/nomothesia/document/21262/nomos-4557-2018 (Note: This is a legal database, not the direct gov.gr link, but provides the law content.)

**Law 4734/2020 (Amending Law, including VASP provisions):** ΦΕΚ Α’ 199/09.10.2020 - https://www.kodiko.gr/nomothesia/document/267720/nomos-4734-2020 (Again, a legal database showing the law content.)

**Note:** This authority typically operates under the Ministry of Finance or as a specialized independent body. Its official website might be integrated within a broader governmental portal, or it might have a dedicated one.