Croatia

**Office for Anti-Money Laundering (Ured za sprječavanje pranja novca – USPN):** This is the primary authority responsible for supervising the implementation of AML/CFT measures by obliged entities, including VASPs. They maintain the register of VASPs.

**Website:** https://mup.gov.hr/ured-za-sprjecavanje-pranja-novca/5223 (Croatian Ministry of Interior page for USPN)

**Croatian Financial Services Supervisory Agency (Hrvatska agencija za nadzor financijskih usluga – HANFA):** While USPN handles the AML registration, HANFA, as the financial regulator, may also have a role in interpreting certain crypto-assets as financial instruments under existing securities laws, or in providing guidance, particularly concerning future MiCA implementation.

**National Bank of Croatia (Hrvatska narodna banka – HNB):** As the central bank, HNB monitors financial stability and may have views on crypto-assets impacting the traditional financial system.

**Directive (EU) 2018/843 (AMLD5):** https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2018.156.01.0043.01.ENG

**Directive (EU) 2015/849 (AMLD4), as amended by AMLD5 and AMLD6:** https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015L0849

**Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA):** https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R1114 (Note: MiCA has a phased implementation, with most provisions for CASPs applying from **30 December 2025**).

**Current Regime (Pre-MiCA):** Croatia operates a **registration regime** for VASPs, primarily for AML/CFT supervision. This means entities providing virtual asset services must register with the USPN and comply with AML obligations. It is not a full financial services license in the traditional sense, but an AML registration.

**Future Regime (Post-MiCA):** From **December 30, 2025**, MiCA will introduce a **harmonized licensing regime** across the EU. Entities providing "crypto-asset services" (as defined by MiCA) will require a license from a competent national authority (likely HANFA in Croatia, in coordination with USPN for AML aspects) in one EU member state, which will then allow them to operate across the entire EU ("passporting"). This will replace the national AML registrations for the services covered by MiCA.

Services related to the exchange between virtual assets and fiat currencies.

Services related to the exchange between one or more types of virtual assets.

These services fall squarely within the VASP definition and require registration with the USPN.

Services related to the safekeeping and administration of virtual assets or instruments enabling control over virtual assets (e.g., private keys).

This is explicitly defined as a VASP service and requires USPN registration.

**Payment Processors (involving virtual assets directly):**

If a payment processor directly facilitates transactions in virtual assets on behalf of customers (e.g., receiving crypto from a customer and sending fiat to a merchant, or vice-versa), they would likely fall under the VASP definition of "transferring virtual assets" and require registration.

If a payment processor *only* handles fiat currency for a crypto business (e.g., processing credit card payments for a crypto exchange, but not touching the crypto itself), they would generally be regulated under traditional payment services laws (PSD2 framework) and would need a payment institution or e-money institution license/authorization, which is a different regulatory scope. The focus here is on *direct virtual asset involvement*.

Providing financial services in connection with the issuance and sale of virtual assets (e.g., acting as an initial coin offering (ICO) advisor or placement agent, if handling funds/assets).

Generally, a legal entity incorporated in Croatia is required to apply for registration.

A registered office in Croatia is necessary.

**AML/KYC Framework:** This is the most critical aspect:

**AML/CFT Policies and Procedures:** Comprehensive internal rules and procedures for customer due diligence (CDD), enhanced due diligence (EDD), ongoing monitoring, record-keeping, and reporting suspicious transactions.

**Risk Assessment:** A robust risk assessment methodology for identifying and mitigating money laundering and terrorist financing risks associated with the VASP's operations, customers, products, and geographies.

**Designated AML Officer:** Appointment of a qualified and experienced individual responsible for AML/CFT compliance, reporting directly to the management board. This officer must be based in Croatia.

**Staff Training:** Regular training programs for all relevant employees on AML/CFT obligations.

**Transaction Monitoring:** Systems and procedures for real-time or post-transaction monitoring to detect unusual or suspicious activities.

**Reporting Obligations:** Procedures for reporting suspicious transaction reports (STRs) to the USPN.

**Fit and Proper Requirements:** The management board members and significant shareholders must pass "fit and proper" tests, demonstrating good repute, honesty, integrity, and competence.

Robust internal governance arrangements, including clear lines of responsibility.

Under the current AML registration regime, there are **no specific, high capital requirements** explicitly prescribed solely for VASP registration, unlike for traditional financial licenses.

However, the entity must demonstrate sufficient financial resources to operate responsibly and meet its obligations, indicating financial solvency and operational capacity.

**Note for MiCA:** MiCA will introduce specific minimum capital requirements for CASPs, varying based on the type of service. These will be substantial.

**IT Security:** Robust IT systems and security measures to protect customer data and assets, prevent cyberattacks, and ensure operational continuity.

**Data Protection:** Compliance with the General Data Protection Regulation (GDPR) regarding the processing of personal data.

**Establish a Croatian Legal Entity:** Incorporate a company in Croatia (e.g., a d.o.o. – limited liability company).

**Develop Comprehensive Policies and Procedures:** Prepare all required AML/CFT policies, risk assessments, internal rules, and IT security frameworks.

**Appoint Key Personnel:** Designate a qualified AML Officer and ensure management meets fit and proper criteria.

**Prepare Application Documentation:** Compile a detailed application package, including:

Business plan, outlining services, target market, and operational model.

Detailed AML/CFT manual, risk assessments, and internal control procedures.

Information on management, shareholders, and AML officer (CVs, background checks, fit and proper declarations).

Proof of sufficient financial resources/solvency.

**Submit Application:** Submit the complete application package to the USPN.

**Review and Communication:** The USPN will review the application, potentially request additional information or clarifications, and may conduct interviews.

**Registration:** Upon successful review and approval, the entity will be registered as a VASP.

**Evolving Landscape:** The regulatory landscape for virtual assets is rapidly evolving, especially with MiCA coming into full effect. Entities should stay informed of updates.

**Professional Advice:** Given the complexity and evolving nature of regulations, it is highly recommended to seek legal and compliance advice from professionals specializing in Croatian and EU financial services law before commencing operations.

There is **no specific "custody license"** in Croatia dedicated solely to crypto assets.

However, entities providing services related to virtual assets, including the **safeguarding/custody of virtual assets**, are considered VASPs.

VASPs are required to **register with the Ministry of Finance – Financial Intelligence Office (Ured za sprječavanje pranja novca)** as part of their AML/CTF obligations.

This registration requires compliance with the Croatian **Anti-Money Laundering and Terrorist Financing Act (Zakon o sprječavanju pranja novca i financiranja terorizma)**, which transposes EU AML Directives (specifically AMLD5).

Implementing robust KYC/CDD (Know Your Customer/Customer Due Diligence) procedures.

Reporting suspicious activities to the Financial Intelligence Office.

Establishing internal AML policies and procedures.

**Zakon o sprječavanju pranja novca i financiranja terorizma (Anti-Money Laundering and Terrorist Financing Act):**

Latest consolidated version (in Croatian): Narodne Novine No. 108/17, 39/19, 151/22.

**Ministry of Finance – Financial Intelligence Office (Ured za sprječavanje pranja novca):**

Website: https://www.mfin.gov.hr/ (navigate to the Financial Intelligence Office section).

**Segregation of Client Assets Rules (Current):**

Explicit national rules for the **segregation of client crypto assets** from the firm's own assets are **not specifically detailed** within the current AML/CTF framework.

However, general principles of sound financial management, consumer protection, and impending EU regulations (MiCA) would strongly advocate for such segregation as a best practice.

There are **no specific national insurance or bonding requirements** explicitly mandated for crypto custody providers under the current AML/CTF framework.

There are **no explicit national mandates for cold storage** of crypto assets. Operational security measures, including the use of cold storage, are generally considered best practices for secure custody but are not yet regulatory requirements.

There is **no specific definition of a "qualified custodian"** for crypto assets within current Croatian national law. The concept of "qualified" custodian is more comprehensively introduced with the advent of MiCA.

**Custodial License Requirements (Under MiCA):**

Entities providing "custody and administration of crypto-assets on behalf of clients" will be categorized as **Crypto-Asset Service Providers (CASPs)**.

**Authorization:** CASPs will require an **authorization** from their competent national authority (in Croatia, this is expected to be the Croatian Financial Services Supervisory Agency - **HANFA**, or another designated authority).

This authorization will be subject to strict requirements, including:

Prudential requirements (e.g., minimum capital).

**Segregation of Client Assets Rules (Under MiCA):**

**Explicitly mandated:** MiCA Article 68, titled "Safeguarding of clients' crypto-assets and funds," states that CASPs providing custody services shall:

"*act honestly, fairly and professionally in accordance with the best interests of their clients.*"

"*make adequate arrangements to safeguard the ownership rights of clients in crypto-assets and prevent the use of clients' crypto-assets for their own account.*"

"*keep separate any crypto-assets held on behalf of clients from their own crypto-assets.*"

"*keep records and accounts that enable them, at any time and without delay, to distinguish crypto-assets held on behalf of one client from those held on behalf of other clients, and from their own crypto-assets.*"

**Mandated:** MiCA Article 67, "Prudential requirements of crypto-asset service providers," requires CASPs to have:

A minimum amount of own funds (capital requirements).

**Professional indemnity insurance** or own funds, which shall be at least the higher of:

The amount of own funds required for that CASP.

One tenth of the fixed overheads of the preceding year.

This insurance is specifically for covering professional liability risks.

**Cold Storage Mandates (Under MiCA):**

MiCA does not explicitly mandate "cold storage" as the *only* permissible method. However, it strongly emphasizes **operational resilience** and **safeguarding of client crypto-assets**.

Article 68 requires CASPs to implement "robust safeguarding arrangements" for the crypto-assets and access keys, including appropriate IT systems and security protocols. This implies that secure storage solutions (like cold storage, multi-signature wallets, hardware security modules) would be necessary to meet these requirements.

It also requires CASPs to establish and maintain a policy on the recovery of crypto-assets in case of loss.

**Qualified Custodian Definitions (Under MiCA):**

While MiCA doesn't use the exact term "qualified custodian" in the US sense, the **authorization process and ongoing supervision** of CASPs providing custody services effectively establish them as "qualified" in the EU context.

Only authorized CASPs meeting the stringent requirements of MiCA will be permitted to offer these services.

**MiCA is the primary pending legislation.** Its direct applicability will largely supersede the current fragmented approach.

Croatia, like other EU member states, will need to adapt its national laws (e.g., the Law on the Croatian Financial Services Supervisory Agency, or specific implementing acts) to fully integrate MiCA's provisions and designate competent authorities (likely HANFA) for authorization and supervision.

**Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets (MiCA):**

**Croatian Financial Services Supervisory Agency (HANFA):** Expected to be a key competent authority under MiCA for Croatia.

**Issuing warnings and guidance:** Both HNB and HANFA have repeatedly warned consumers about the risks associated with cryptocurrencies.

**Establishing AML/CTF compliance:** The Ministry of Finance's Office for Anti-Money Laundering (Ured za sprječavanje pranja novca) oversees Virtual Asset Service Providers (VASPs) registration and compliance. Non-compliance *would* lead to enforcement, but specific, publicly detailed cases with large fines against entities are not common in public records.

**Preparing for EU regulations:** Croatia is actively preparing for the implementation of the Markets in Crypto-Assets (MiCA) regulation, which will bring a comprehensive regulatory framework.

**Criminal investigations and arrests related to crypto fraud:** These are conducted by the police and state attorney's office, not financial regulators, and typically involve individuals or criminal groups rather than regulated entities. They fall under criminal law, not financial regulatory enforcement, and do not always have a "penalty amount" set by a regulator at the time of initial action.

**General warnings and regulatory updates:** Statements from HNB and HANFA regarding crypto risks and regulatory developments.

**Hrvatska narodna banka (HNB) - Croatian National Bank:**

**Role:** Responsible for the stability of the financial system, monetary policy. Primarily issues warnings about crypto risks and provides general guidance. It does not license or regulate crypto exchanges directly, but monitors financial stability implications.

**Activity:** Consistently warns consumers about the high risks of investing in cryptocurrencies, emphasizing their speculative nature and lack of consumer protection.

HNB - Upozorenje potrošačima o rizicima ulaganja u kriptoimovinu (Warning to consumers about risks of investing in crypto assets)

*Note:* This is a general warning, not an enforcement action.

**Hrvatska agencija za nadzor financijskih usluga (HANFA) - Croatian Financial Services Supervisory Agency:**

**Role:** Supervises financial markets, insurance companies, pension funds, and investment funds. Similar to HNB, HANFA issues warnings and prepares for future regulation under MiCA. It does not currently license or directly supervise most crypto activities outside of specific regulated financial instruments.

**Activity:** Provides guidance, issues warnings regarding crypto-asset risks, and actively participates in preparing for the implementation of MiCA.

HANFA - Kriptoimovinska ponuda i ulaganja u kriptoimovinu (Crypto-asset offerings and investments in crypto-assets)

*Note:* This is an informational piece, not an enforcement action.

**Ministarstvo financija, Ured za sprječavanje pranja novca (Office for Anti-Money Laundering - AMLO):**

**Role:** This is the primary body responsible for enforcing AML/CTF laws, including those applicable to Virtual Asset Service Providers (VASPs). VASPs in Croatia are required to register with the AMLO. Failure to register or comply with AML/CTF obligations *would* lead to enforcement.

**Activity:** Registers VASPs, provides guidance on AML/CTF compliance, and conducts supervision to prevent money laundering and terrorist financing through virtual assets. While they conduct oversight and can impose penalties for non-compliance, specific public disclosures of significant fines against crypto entities are not commonly published on their official channels in the same way as, for example, SEC actions in the US.

Ured za sprječavanje pranja novca - Obavijesti o zakonodavnom okviru za virtualnu imovinu (Notifications on the legislative framework for virtual assets)

*Note:* This PDF document outlines the AML framework for VASPs, indicating the regulatory requirement for registration and compliance, which is the basis for potential enforcement actions.

**Direct Applicability:** EU regulations imposing sanctions are directly applicable in all Member States, including Croatia, without the need for national transposition.

**Treaty on European Union (TEU), Article 29:** Provides the legal basis for the EU to adopt decisions on restrictive measures.

**Treaty on the Functioning of the European Union (TFEU), Article 215:** Provides the legal basis for the EU to adopt regulations to implement restrictive measures.

**Council Regulation (EC) No 2580/2001:** On specific restrictive measures directed against certain persons and entities with a view to combating terrorism.

EUR-Lex: Council Regulation (EC) No 2580/2001

**Council Regulation (EC) No 881/2002:** Imposing specific restrictive measures directed against certain persons and entities associated with the ISIL (Da'esh) and Al-Qaeda organisations.

EUR-Lex: Council Regulation (EC) No 881/2002

**Country-Specific Regulations:** Numerous regulations impose sanctions on specific countries (e.g., Russia, Belarus, Syria, Iran, North Korea), including asset freezes, travel bans, and restrictions on trade and services. These are updated frequently.

The EU publishes a **Consolidated List of Persons, Groups and Entities Subject to EU Financial Sanctions**, which VASPs must screen against.

EU Sanctions Map (Official Tool for EU Sanctions Information)

**UN Security Council Resolutions:** Mandate Member States to impose sanctions to address threats to international peace and security.

**Implementation:** The EU transposes these resolutions into EU law, ensuring their uniform application across all Member States.

United Nations Security Council Sanctions Committees

**Extraterritorial Reach:** OFAC sanctions can have extraterritorial implications, potentially impacting non-US persons who cause a violation or engage in transactions prohibited by OFAC.

**SDN List:** VASPs should screen against OFAC's Specially Designated Nationals and Blocked Persons (SDN) List.

**Crypto-Specific Sanctions:** OFAC has actively sanctioned crypto mixers, exchanges, and individuals involved in illicit finance using crypto, notably including entities like Tornado Cash and Garantex, and specific wallet addresses.

U.S. Department of the Treasury – OFAC

**Council Regulation (EU) No 833/2014:** Concerning restrictive measures in view of Russia's actions destabilising the situation in Ukraine, as amended multiple times.

Specifically, **Article 5b** was introduced by **Council Regulation (EU) 2022/1904** (8th sanctions package) and subsequently reinforced. It initially prohibited providing crypto-asset wallet, account, or custody services to Russian persons/entities if the total value of crypto assets exceeded a certain threshold (initially EUR 10,000, later EUR 0).

**Council Regulation (EU) 2022/2474** (9th sanctions package) removed the threshold, meaning a **full prohibition** on providing crypto-asset wallet, account, or custody services to Russian nationals, natural persons residing in Russia, or legal persons established in Russia.

This prohibition extends to any service that allows for the safe storage or control over crypto assets.

EUR-Lex: Council Regulation (EU) No 833/2014 (consolidated version) (check latest consolidated version for amendments).

EUR-Lex: Council Regulation (EU) 2022/1904 (8th package)

EUR-Lex: Council Regulation (EU) 2022/2474 (9th package)

**Implementation of EU Lists:** Croatian authorities, primarily the Ministry of Foreign and European Affairs (MVEP) and the Ministry of Finance (including the Financial Intelligence Office), are responsible for implementing and enforcing the EU's restrictive measures. They monitor compliance with the EU consolidated lists.

**Guidance from National Authorities:** While no separate list exists, Croatian regulators (like HANFA for VASPs, and the Financial Intelligence Office) may issue specific guidance or directives on applying EU sanctions within the Croatian context.

Croatian Ministry of Foreign and European Affairs (MVEP) - International Restrictive Measures (The MVEP portal often provides links and information on the EU's restrictive measures).

Croatian Financial Services Supervisory Agency (HANFA) - Regulator for financial services, including virtual asset service providers under MiCA.