Iceland -- Licensing Requirements Regulatory Overview

Iceland, as a member of the European Economic Area (EEA), has incorporated relevant EU directives, particularly the Anti-Money Laundering Directives (AMLDs), into its national legislation. The regulatory landscape for virtual asset service providers (VASPs) is primarily focused on anti-money laundering and counter-terrorist financing (AML/CFT) supervision.

Regulatory Authority

The primary regulatory authority for virtual assets and financial services in Iceland is the Central Bank of Iceland (Seðlabanki Íslands). The Financial Supervisory Authority (FME) merged with the Central Bank of Iceland on January 1, 2020, and its functions are now integrated within the Central Bank.

• Central Bank of Iceland (Seðlabanki Íslands):
  • Website: https://www.cb.is/
  • Information on Financial Undertakings: https://www.cb.is/financial-supervision/licensed-entities/

Registration vs. Licensing Regime

Iceland primarily operates a registration regime for Virtual Asset Service Providers (VASPs) under its AML/CFT framework, rather than a full operating licensing regime in the traditional sense for all VASP activities.

• Registration: VASPs are required to register with the Central Bank of Iceland for AML/CFT purposes. This registration subjects them to AML/CFT obligations and supervision.
• Licensing: A full operating license (e.g., an electronic money institution license, payment institution license, or investment firm license) might be required if the VASP's activities extend beyond basic virtual asset services and fall under other specific financial services laws (e.g., dealing with fiat currency payments, issuing e-money, providing investment advice).

Required Licenses for Specific Activities

The key is whether the service provided falls under the definition of a "virtual asset service provider" (VASP) under AML/CFT law or a broader financial service under other legislation.

1. Exchanges (Virtual Asset to Fiat, or Virtual Asset to Virtual Asset):

   • Required License/Registration: VASP Registration with the Central Bank of Iceland.
   • Reason: This activity is explicitly defined as a virtual asset service under Icelandic AML/CFT law.

2. Custody Providers (Safekeeping and/or Administration of Virtual Assets):

   • Required License/Registration: VASP Registration with the Central Bank of Iceland.
   • Reason: This activity is explicitly defined as a virtual asset service under Icelandic AML/CFT law.

3. Payment Processors: This category requires careful distinction:

   • a) Processing only Virtual Assets (e.g., facilitating crypto-to-crypto payments, or receiving crypto payments for goods/services where the merchant receives crypto):
     • Required License/Registration: VASP Registration with the Central Bank of Iceland.
     • Reason: Falls under the "transfer of virtual assets" or "participation in and provision of financial services related to an issuer's offer and/or sale of virtual assets" definitions of a VASP.
   • b) Processing fiat currency payments related to virtual assets (e.g., receiving fiat for crypto, converting crypto to fiat for payout, or general payment processing services involving fiat currency):
     • Required License/Registration: This likely requires a Payment Institution (PI) license or an Electronic Money Institution (EMI) license under the Act on Payment Services (Act No. 87/2021).
     • Reason: Handling fiat currency as a payment service provider typically triggers these traditional financial services licenses. The VASP registration alone is insufficient.

Key Requirements

The primary legislation governing VASPs for AML/CFT purposes is the Act on Measures Against Money Laundering and Terrorist Financing No. 140/2018, as subsequently amended (implementing AMLD5 and AMLD6).

• Legal Basis:

  • Act No. 140/2018 on Measures Against Money Laundering and Terrorist Financing (Lög um aðgerðir gegn peningaþvætti og fjármögnun hryðjuverka):
    • Icelandic version: https://www.althingi.is/lagas/nuna/2018140.html
    • (Note: Official English translations of Icelandic laws are not always readily available online. The Icelandic Parliament's website is the authoritative source).

• Eligible Entities:

  • Applicants must be a legal entity established in Iceland (e.g., a limited liability company, einkahlutafélag or hlutafélag).

• AML/KYC (Anti-Money Laundering / Know Your Customer) Framework:

  • Comprehensive Policies and Procedures: Implement robust internal policies, controls, and procedures to prevent money laundering and terrorist financing.
  • Risk Assessment: Conduct a thorough risk assessment of their business, customers, products, and geographical areas.
  • Customer Due Diligence (CDD): Implement stringent KYC procedures, including identifying and verifying customers' identities (both natural persons and legal entities), identifying beneficial owners, and understanding the purpose and intended nature of the business relationship.
  • Enhanced Due Diligence (EDD): Apply EDD for higher-risk situations (e.g., politically exposed persons, complex transactions, high-risk countries).
  • Ongoing Monitoring: Continuously monitor customer transactions and activities for suspicious behavior.
  • Reporting Obligations: Report suspicious transactions (STRs) and other relevant information to the Financial Intelligence Unit (FIU) in Iceland.
  • Record-Keeping: Maintain records of all transactions and customer due diligence for at least five years.
  • AML Officer: Appoint a designated AML Officer (Money Laundering Reporting Officer - MLRO) responsible for implementing AML/CFT policies and reporting to the FIU.

• Fit and Proper Requirements:

  • Individuals in management, on the board of directors, and significant beneficial owners of the VASP must satisfy "fit and proper" criteria, demonstrating good repute, competence, and integrity. This involves background checks and assessment by the Central Bank.

• Capital Requirements:

  • For VASP registration under AML/CFT alone, there are typically no explicit minimum capital requirements specified in the same way as for licensed financial institutions (like banks or EMIs). However, the Central Bank expects the entity to be financially sound and capable of meeting its operational obligations.
  • For entities that require an EMI or PI license (e.g., complex payment processors handling fiat), specific and significant minimum capital requirements will apply as per the Act on Payment Services (e.g., often ranging from €20,000 to €350,000 depending on the scope of services for PIs/EMIs).

• Local Presence:

  • Legal Entity: The VASP must be an Icelandic legal entity, registered in the Icelandic Register of Companies.
  • Management: While not always explicitly requiring all management to be resident, there must be effective management and control exercised from Iceland, and the Central Bank will assess the adequacy of local oversight. The AML Officer generally needs to be locally based or easily accessible.

• Technology and Security:

  • Applicants are expected to have robust IT systems, security measures, and business continuity plans to protect virtual assets, customer data, and ensure operational resilience. While not explicitly listed as a "license requirement," it's integral to operational soundness assessed during the application.

Application Process

The application process for VASP registration with the Central Bank of Iceland generally involves the following steps:

1. Pre-Application Contact (Optional but Recommended): Engage with the Central Bank to discuss the proposed business model and clarify any specific requirements.
2. Preparation of Documentation: Compile a comprehensive application package, which typically includes:
   • Completed application forms provided by the Central Bank.
   • Detailed business plan, including operational model, target market, and projected financial performance.
   • Organizational structure, including governance arrangements, reporting lines, and outsourcing arrangements.
   • AML/CFT policies and procedures manual, risk assessments, and internal controls.
   • Information on key personnel (management, board members, AML Officer) including CVs, criminal records, and "fit and proper" declarations.
   • Information on significant beneficial owners.
   • Proof of incorporation in Iceland and other relevant legal documents.
   • IT security policies and disaster recovery plans.
3. Submission: Submit the complete application package to the Central Bank of Iceland.
4. Review and Assessment: The Central Bank will conduct a thorough review of the application, including:
   • Assessing the completeness and accuracy of the submitted information.
   • Evaluating the AML/CFT framework for compliance with the law.
   • Assessing the "fit and proper" criteria of management and owners.
   • Potentially requesting additional information or clarification.
5. On-site Visit (Possible): In some cases, the Central Bank may conduct an on-site visit to assess the operational readiness and controls.
6. Decision: The Central Bank will make a decision on the registration. If approved, the entity will be added to the register of VASPs supervised for AML/CFT purposes. If rejected, reasons will be provided.

The timeframe for obtaining registration can vary depending on the complexity of the application, the completeness of the submitted documentation, and the Central Bank's current workload, but it typically takes several months.

Specific Regulatory References with URLs

• Central Bank of Iceland (Seðlabanki Íslands) - Main Website:
  • https://www.cb.is/
• Central Bank of Iceland - Financial Supervision (including licensed entities):
  • https://www.cb.is/financial-supervision/licensed-entities/
• Act No. 140/2018 on Measures Against Money Laundering and Terrorist Financing (Lög um aðgerðir gegn peningaþvætti og fjármögnun hryðjuverka) - Icelandic Parliament:
  • https://www.althingi.is/lagas/nuna/2018140.html
• Act No. 87/2021 on Payment Services (Lög um greiðsluþjónustu) - Icelandic Parliament (Relevant for payment processors handling fiat):
  • https://www.althingi.is/lagas/nuna/2021087.html

Disclaimer: This information is provided for general informational purposes only and does not constitute legal advice. Cryptocurrency regulations are complex and subject to change. It is essential to consult with legal professionals specializing in Icelandic financial law for specific guidance regarding licensing requirements and the application process.