Iceland

**Regulator:** The primary financial regulator is now the **Seðlabanki Íslands (Central Bank of Iceland)**, which absorbed the functions of the former Financial Supervisory Authority (Fjármálaeftirlitið, FME) in January 2020. It is responsible for supervising financial undertakings, including those dealing with virtual assets, primarily from an AML/CFT perspective.

**Focus:** The Central Bank's focus has been on implementing AML/CFT regulations for Virtual Asset Service Providers (VASPs), aligning with FATF recommendations and EU directives. They require VASPs to register and comply with the AML/CFT Act.

**No Publicly Announced Major Actions:** Unlike larger countries where regulatory bodies regularly announce fines or other penalties against specific crypto firms for violations, Iceland has not had such public announcements in the last three years. This doesn't mean there are no regulatory activities, but rather that any actions taken may be less "significant" in the public domain (e.g., private warnings, compliance orders, or smaller, non-public fines) or against individuals rather than companies, or relate to older cases outside the requested timeframe.

**Criminal Cases:** While there haven't been public administrative actions from the financial regulator, criminal cases involving cryptocurrency fraud or theft can occur, handled by the police and prosecutors. However, such cases are typically against individuals for criminal offenses rather than administrative enforcement against a regulated entity, and no major, widely publicized criminal actions against a crypto *company* have emerged in the last 3 years that would fit "enforcement action" in the regulatory sense. The prominent "Cloud Mining" Ponzi scheme was investigated and prosecuted years ago, outside the specified 3-year window.

**Central Bank of Iceland (Seðlabanki Íslands) on Virtual Assets:**

General information on virtual assets and regulation: https://www.sedlabanki.is/library/Frettir-og-utgafa/Rit/ymsar-skyrslur/Skyrsla_rafmynt_EN.pdf (This is an older report but provides context)

Central Bank's main page (English): https://www.sedlabanki.is/en/ (You would typically look under "Supervision" or "News" for enforcement actions, but specific public announcements of fines are rare.)

**AML/CFT Act in Iceland:** Iceland has implemented the 5th Anti-Money Laundering Directive (AMLD5), which covers virtual asset service providers. The legal framework is primarily the Act on Measures Against Money Laundering and Terrorist Financing No. 140/2018.

**VASP Registration:** Any entity providing services related to virtual assets, including the safekeeping and/or administration of virtual assets on behalf of customers (i.e., custody), is required to register as a Virtual Asset Service Provider (VASP) with the Central Bank of Iceland. This is not a "license" in the traditional sense of financial services but rather an AML/CFT registration that imposes significant obligations.

The registration is mandated by the **Act on measures to combat money laundering and terrorist financing No. 140/2018**, which transposes EU AML Directives (AMLD5, soon AMLD6) into Icelandic law.

**Scope:** This typically covers situations where the custodian holds private keys and has control over clients' virtual assets.

**Act on measures to combat money laundering and terrorist financing No. 140/2018:** https://www.althingi.is/lagas/nuna/2018140.html (Icelandic original)

**Central Bank of Iceland - AML/CFT:** https://www.cb.is/financial-supervision/aml-cft/

While not explicitly detailed *solely* for crypto-asset custody in current Icelandic law, general principles of financial services and AML/CFT best practices would strongly suggest the need for segregation. VASPs are expected to maintain clear records of ownership and transactions, and commingling of funds/assets would violate these principles and increase AML/CFT risks.

The AML Act requires VASPs to keep records of transactions and to identify beneficial owners, indirectly supporting the need for clear asset ownership distinctions.

There are no specific insurance or bonding requirements mandated for crypto custodians under the current AML-focused VASP registration framework. General business insurance would be expected, but no specific prudential safeguards for crypto custody are prescribed.

There are no specific legal mandates for the use of cold storage for crypto assets under current Icelandic law. However, robust security measures are expected as part of general operational risk management and AML/CFT compliance (e.g., preventing theft that could facilitate money laundering). Industry best practices for secure custody overwhelmingly recommend cold storage for the majority of assets.

The term "qualified custodian" is not formally defined in Icelandic law specifically for crypto assets. A VASP registered with the Central Bank of Iceland to provide virtual asset services, including custody, would be the closest equivalent under the current framework.

**MiCA Authorization:** Under MiCA, "custody and administration of crypto-assets on behalf of clients" is explicitly defined as a crypto-asset service (Article 3, point 16). Providers of this service will be required to obtain **authorization** from their competent national authority (in Iceland, likely the Central Bank of Iceland) to operate as a Crypto-Asset Service Provider (CASP) (Article 59).

This authorization is a full financial services license, distinct from the current AML registration.

**Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA):** https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R1114

Relevant Articles: Chapter 2 (Authorization and operating conditions for CASPs), specifically Article 59, and Chapter 3 (Obligations of CASPs), specifically Section 6 for custody.

**Mandatory Segregation:** MiCA explicitly mandates strict segregation of client assets.

**Article 67 (Obligations of crypto-asset service providers providing custody and administration of crypto-assets on behalf of clients), point 1:** "A crypto-asset service provider providing custody and administration of crypto-assets on behalf of clients shall ensure that the crypto-assets of its clients are segregated from its own assets and from the assets of other clients."

It also requires making arrangements to ensure the timely return of clients' crypto-assets.

**Prudential Safeguards:** MiCA (Article 66, point 10 and Article 67, point 7) requires CASPs to have robust prudential safeguards. These safeguards can take the form of:

The amount of prudential safeguards depends on the services provided and the nature, scale, and complexity of operations, with specific thresholds set out in Annex IV.

MiCA does not *mandate* cold storage specifically but requires CASPs to implement robust security measures for the safekeeping of crypto-assets.

**Article 67, point 2:** "A crypto-asset service provider providing custody and administration of crypto-assets on behalf of clients shall establish, implement and maintain robust security policies and procedures regarding the access to, and the protection of, the crypto-assets, private cryptographic keys and, where applicable, the means of access to the crypto-assets of its clients."

This implies that CASPs must adopt industry-leading security practices, which in most cases for the majority of assets, would involve cold storage or highly secure offline solutions.

Under MiCA, an authorized **Crypto-Asset Service Provider (CASP)** that has obtained the specific authorization to provide "custody and administration of crypto-assets on behalf of clients" would essentially become the "qualified custodian." The authorization process ensures they meet the stringent capital, operational, security, governance, and organizational requirements laid out in MiCA.

**Shift from AML Registration to Full License:** A significant transition from merely registering as a VASP for AML purposes to obtaining a comprehensive financial services license as a CASP.

**Explicit Custody Rules:** Introduction of specific, detailed rules for crypto-asset custody covering segregation, security, and prudential requirements.

**Increased Regulatory Scrutiny:** CASPs will be subject to ongoing supervision by the Central Bank of Iceland to ensure compliance with MiCA's broad range of obligations.

**Central Bank of Iceland (Seðlabanki Íslands):**

Information on Financial Undertakings: https://www.cb.is/financial-supervision/licensed-entities/

**Registration:** VASPs are required to register with the Central Bank of Iceland for AML/CFT purposes. This registration subjects them to AML/CFT obligations and supervision.

**Licensing:** A full operating license (e.g., an electronic money institution license, payment institution license, or investment firm license) might be required if the VASP's activities extend beyond basic virtual asset services and fall under other specific financial services laws (e.g., dealing with fiat currency payments, issuing e-money, providing investment advice).

**Exchanges (Virtual Asset to Fiat, or Virtual Asset to Virtual Asset):**

**Required License/Registration:** VASP Registration with the Central Bank of Iceland.

**Reason:** This activity is explicitly defined as a virtual asset service under Icelandic AML/CFT law.

**Custody Providers (Safekeeping and/or Administration of Virtual Assets):**

**Payment Processors:** This category requires careful distinction:

**a) Processing *only* Virtual Assets (e.g., facilitating crypto-to-crypto payments, or receiving crypto payments for goods/services where the merchant receives crypto):**

**Reason:** Falls under the "transfer of virtual assets" or "participation in and provision of financial services related to an issuer's offer and/or sale of virtual assets" definitions of a VASP.

**b) Processing *fiat currency* payments related to virtual assets (e.g., receiving fiat for crypto, converting crypto to fiat for payout, or general payment processing services involving fiat currency):**

**Required License/Registration:** This likely requires a **Payment Institution (PI) license** or an **Electronic Money Institution (EMI) license** under the Act on Payment Services (Act No. 87/2021).

**Reason:** Handling fiat currency as a payment service provider typically triggers these traditional financial services licenses. The VASP registration alone is insufficient.

**Act No. 140/2018 on Measures Against Money Laundering and Terrorist Financing (Lög um aðgerðir gegn peningaþvætti og fjármögnun hryðjuverka):**

(Note: Official English translations of Icelandic laws are not always readily available online. The Icelandic Parliament's website is the authoritative source).

Applicants must be a legal entity established in Iceland (e.g., a limited liability company, *einkahlutafélag* or *hlutafélag*).

**AML/KYC (Anti-Money Laundering / Know Your Customer) Framework:**

**Comprehensive Policies and Procedures:** Implement robust internal policies, controls, and procedures to prevent money laundering and terrorist financing.

**Risk Assessment:** Conduct a thorough risk assessment of their business, customers, products, and geographical areas.

**Customer Due Diligence (CDD):** Implement stringent KYC procedures, including identifying and verifying customers' identities (both natural persons and legal entities), identifying beneficial owners, and understanding the purpose and intended nature of the business relationship.

**Enhanced Due Diligence (EDD):** Apply EDD for higher-risk situations (e.g., politically exposed persons, complex transactions, high-risk countries).

**Ongoing Monitoring:** Continuously monitor customer transactions and activities for suspicious behavior.

**Reporting Obligations:** Report suspicious transactions (STRs) and other relevant information to the Financial Intelligence Unit (FIU) in Iceland.

**Record-Keeping:** Maintain records of all transactions and customer due diligence for at least five years.

**AML Officer:** Appoint a designated AML Officer (Money Laundering Reporting Officer - MLRO) responsible for implementing AML/CFT policies and reporting to the FIU.

Individuals in management, on the board of directors, and significant beneficial owners of the VASP must satisfy "fit and proper" criteria, demonstrating good repute, competence, and integrity. This involves background checks and assessment by the Central Bank.

For **VASP registration under AML/CFT alone**, there are typically no explicit *minimum capital requirements* specified in the same way as for licensed financial institutions (like banks or EMIs). However, the Central Bank expects the entity to be financially sound and capable of meeting its operational obligations.

For entities that require an **EMI or PI license** (e.g., complex payment processors handling fiat), specific and significant minimum capital requirements *will* apply as per the Act on Payment Services (e.g., often ranging from €20,000 to €350,000 depending on the scope of services for PIs/EMIs).

**Legal Entity:** The VASP must be an Icelandic legal entity, registered in the Icelandic Register of Companies.

**Management:** While not always explicitly requiring all management to be resident, there must be effective management and control exercised from Iceland, and the Central Bank will assess the adequacy of local oversight. The AML Officer generally needs to be locally based or easily accessible.

Applicants are expected to have robust IT systems, security measures, and business continuity plans to protect virtual assets, customer data, and ensure operational resilience. While not explicitly listed as a "license requirement," it's integral to operational soundness assessed during the application.

**Pre-Application Contact (Optional but Recommended):** Engage with the Central Bank to discuss the proposed business model and clarify any specific requirements.

**Preparation of Documentation:** Compile a comprehensive application package, which typically includes:

Completed application forms provided by the Central Bank.

Detailed business plan, including operational model, target market, and projected financial performance.

Organizational structure, including governance arrangements, reporting lines, and outsourcing arrangements.

AML/CFT policies and procedures manual, risk assessments, and internal controls.

Information on key personnel (management, board members, AML Officer) including CVs, criminal records, and "fit and proper" declarations.

Information on significant beneficial owners.

Proof of incorporation in Iceland and other relevant legal documents.

IT security policies and disaster recovery plans.

**Submission:** Submit the complete application package to the Central Bank of Iceland.

**Review and Assessment:** The Central Bank will conduct a thorough review of the application, including:

Assessing the completeness and accuracy of the submitted information.

Evaluating the AML/CFT framework for compliance with the law.

Assessing the "fit and proper" criteria of management and owners.

Potentially requesting additional information or clarification.

**On-site Visit (Possible):** In some cases, the Central Bank may conduct an on-site visit to assess the operational readiness and controls.

**Decision:** The Central Bank will make a decision on the registration. If approved, the entity will be added to the register of VASPs supervised for AML/CFT purposes. If rejected, reasons will be provided.

**Central Bank of Iceland (Seðlabanki Íslands) - Main Website:**

**Central Bank of Iceland - Financial Supervision (including licensed entities):**

**Act No. 87/2021 on Payment Services (Lög um greiðsluþjónustu) - Icelandic Parliament (Relevant for payment processors handling fiat):**

**Purpose:** This Act implements the EU's 5th Anti-Money Laundering Directive (AMLD5) into Icelandic law. It explicitly includes Virtual Asset Service Providers (VASPs) within its scope. VASPs in Iceland are therefore required to register with the Central Bank of Iceland, conduct due diligence on their customers, monitor transactions, and report suspicious activities. This is the cornerstone of current crypto regulation.

**Reference (Icelandic Parliament website):** https://www.althingi.is/lagasafn/pdf/1402018.pdf

**Markets in Crypto-Assets (MiCA) Regulation (EU Regulation 2023/1114)**

**Date:** Adopted by the EU in 2023, with phased implementation (stablecoins from June 2024, other provisions from December 2024).

**Purpose:** While an EU regulation, Iceland, as an EEA member, will be obliged to implement MiCA into its national law. MiCA provides a comprehensive regulatory framework for crypto-assets that are not already covered by existing financial services legislation. It will cover:

Authorization and supervision of crypto-asset service providers (CASPs).

Rules for the issuance and trading of various types of crypto-assets (e.g., asset-referenced tokens, e-money tokens).

Consumer protection and market integrity measures.

Requirements for transparent whitepapers and disclosure.

**Impact on Iceland:** Once implemented, MiCA will significantly expand Iceland's regulatory scope beyond just AML/CFT, introducing a full licensing regime for crypto businesses and comprehensive rules for crypto-asset offerings.

**Legality:** Crypto trading and the operation of crypto exchanges (VASPs) are generally **legal** in Iceland.

**AML/CFT Registration:** VASPs operating in Iceland are required to register with the **Central Bank of Iceland (Seðlabanki Íslands)** under Act No. 140/2018. This registration mandates adherence to strict AML/CFT obligations, including customer identification (KYC), transaction monitoring, and suspicious activity reporting.

**No Broad Licensing (Yet):** Currently, beyond the AML/CFT registration, there isn't a comprehensive licensing regime for crypto exchanges that covers broader aspects like prudential requirements, market conduct rules, or consumer protection, as is common for traditional financial institutions.

**Investor Warnings:** The Central Bank of Iceland has consistently issued warnings to the public about the high risks associated with investing in cryptocurrencies, citing their volatility, lack of regulation (beyond AML), and potential for fraud.

**Future with MiCA:** Once MiCA is fully implemented, crypto exchanges and other CASPs will need to obtain a specific license from the Central Bank of Iceland, adhere to detailed operational, organizational, and prudential requirements, and comply with new rules designed to protect investors and maintain market integrity.