Cambodia -- AML/CFT Compliance Regulatory Overview

Cambodia, like many jurisdictions, is adapting its Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) framework to address the risks posed by virtual assets (cryptocurrencies) and Virtual Asset Service Providers (VASPs). While a comprehensive and dedicated licensing framework specifically for VASPs is still evolving, the existing AML/CFT legislation generally extends to activities involving virtual assets, especially in line with the Financial Action Task Force (FATF) recommendations.

Here's a breakdown of the AML and KYC requirements for cryptocurrency/virtual asset service providers in Cambodia:

I. AML/CFT Legislation

The primary legislation governing AML/CFT in Cambodia that applies to relevant reporting entities, including those involved in virtual assets, includes:

1. Law on Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT Law)

   • Date: Passed in 2020. This law replaced the previous 2007 AML/CFT Law and was enacted to bring Cambodia's framework closer to international standards, particularly the FATF Recommendations.
   • Key Provisions: Defines money laundering and terrorist financing offenses, establishes the legal framework for identifying, verifying, and reporting suspicious activities, and outlines penalties for non-compliance. It also identifies "reporting entities" (or "obliged entities") that must comply. VASPs, by the nature of their services, are generally considered reporting entities under this broad definition, especially concerning the movement of value.

2. Prakas on the Implementation of the Law on Anti-Money Laundering and Combating the Financing of Terrorism (Prakas 285 on AML/CFT)

   • Issuing Body: National Bank of Cambodia (NBC) and the Ministry of Economy and Finance.
   • Date: Issued in 2020.
   • Key Provisions: Provides detailed regulations and guidelines for financial institutions and other reporting entities (which would encompass VASPs) on how to implement the AML/CFT Law, including specific requirements for customer due diligence, suspicious transaction reporting, and record-keeping.

Cambodia is a member of the Asia/Pacific Group on Money Laundering (APG), a FATF-style regional body, and has been under scrutiny by FATF. Its inclusion on the FATF "grey list" until 2023 underscored the pressure to strengthen its AML/CFT regime, including for emerging areas like virtual assets.

II. Customer Due Diligence (CDD) / Know Your Customer (KYC) Requirements

VASPs in Cambodia, like other financial institutions, are expected to apply a risk-based approach to CDD/KYC. This includes:

1. Identification and Verification of Customers:

   • For Individuals: Obtaining and verifying proof of identity (e.g., national ID card, passport, driver's license), date of birth, address, and nationality.
   • For Legal Entities/Corporations: Obtaining and verifying legal name, address, proof of incorporation/registration (e.g., certificate of incorporation, business license), names of directors/senior management, and beneficial owners.
   • Method: Verification must be performed using reliable, independent source documents, data, or information.

2. Beneficial Ownership:

   • Identifying and taking reasonable measures to verify the identity of the beneficial owner(s) of the customer, especially for legal entities. This typically means identifying individuals who ultimately own or control more than a specified percentage (e.g., 25%) of the entity, or who exercise control through other means.

3. Purpose and Intended Nature of Business Relationship:

   • Understanding the purpose and intended nature of the business relationship or transaction (e.g., why the customer wants to use virtual asset services, expected transaction volumes, types of assets).

4. Ongoing Monitoring:

   • Conducting ongoing due diligence on the business relationship and scrutinizing transactions undertaken throughout the course of that relationship to ensure that the transactions are consistent with the VASP's knowledge of the customer, their business, and risk profile, including, where necessary, the source of funds.
   • Ensuring that documents, data, or information collected under the CDD process are kept up-to-date.

5. Risk-Based Approach:

   • Implementing a risk-based approach to CDD, which means:
     • Simplified Due Diligence (SDD): Permitted in low-risk situations, with sufficient measures to mitigate any potential risks.
     • Enhanced Due Diligence (EDD): Required for high-risk customers, business relationships, or transactions (e.g., Politically Exposed Persons - PEPs, customers from high-risk jurisdictions, complex or unusually large transactions, new technologies with inherent anonymity).

6. Screening:

   • Screening customers against relevant national and international sanctions lists (e.g., UN Security Council sanctions) and PEP lists.

III. Suspicious Transaction Reporting (STR)

VASPs are obligated to report suspicious transactions to the Financial Intelligence Unit (FIU):

1. Obligation to Report: Any VASP that suspects or has reasonable grounds to suspect that funds or other assets, regardless of the amount, are derived from criminal activity, or are related to terrorist financing, must report promptly.
2. Recipient: The Cambodia Financial Intelligence Unit (CAFIU).
3. Timeline: Reports must be made without delay, typically within 24-48 hours of forming the suspicion.
4. Content of Report: The report should include all available information concerning the customer, the transaction(s), the nature of the suspicion, and any supporting documents.
5. No Tipping-Off: VASPs and their employees are prohibited from disclosing to the customer or to third parties that an STR has been or will be submitted.

IV. Record-Keeping Obligations

VASPs must maintain comprehensive records to facilitate investigations and demonstrate compliance:

1. Types of Records:

   • Records of all transactions, including virtual asset transfers (sender, receiver, amount, timestamp, type of virtual asset, associated fiat currency conversions).
   • All CDD/KYC information obtained for customers, including identification documents, verification data, and beneficial ownership information.
   • Records of all suspicious transaction reports filed, including internal analysis and supporting documentation.
   • Records of internal policies, procedures, and training related to AML/CFT compliance.

2. Duration: Records must be maintained for a minimum period of five (5) years after the business relationship has ended or after the date of the transaction.

3. Accessibility: Records must be readily accessible to the competent authorities (e.g., NBC, CAFIU) upon request.

V. Authority Overseeing Compliance

The oversight of AML/CFT compliance for financial institutions and related entities, which include VASPs, is primarily shared among several key authorities:

1. National Bank of Cambodia (NBC)

   • Role: The primary regulatory and supervisory authority for financial institutions in Cambodia. This includes setting out detailed regulations (Prakas) and supervising the implementation of AML/CFT requirements by financial institutions. While there isn't a specific licensing regime for VASPs yet, NBC's general authority over financial activities means it plays a crucial role in ensuring AML compliance in this sector. NBC has also previously issued warnings regarding the risks of cryptocurrency.
   • URL: https://www.nbc.org.kh/

2. Cambodia Financial Intelligence Unit (CAFIU)

   • Role: Operates as a department within the National Bank of Cambodia. CAFIU is the central national authority responsible for receiving, analyzing, and disseminating suspicious transaction reports (STRs) and other financial information concerning potential money laundering and terrorist financing.
   • URL: As a department within NBC, its information is typically integrated with the NBC website.

3. Securities and Exchange Regulator of Cambodia (SERC)

   • Role: While NBC focuses on banking and general financial stability, SERC is responsible for regulating Cambodia's securities market. If a virtual asset is deemed a security (e.g., an "initial coin offering" or "security token offering"), SERC's regulations would apply, potentially including specific AML/CFT requirements for securities firms. SERC has also issued warnings regarding unregulated crypto activities.
   • URL: https://www.serc.gov.kh/

4. National Coordination Committee for AML/CFT (NCC)

   • Role: This high-level committee, involving various ministries and institutions, is responsible for coordinating the overall national policy and strategy on AML/CFT.

Important Considerations for VASPs in Cambodia:

• Evolving Landscape: The regulatory framework for virtual assets is still evolving globally and in Cambodia. VASPs should monitor for new laws, Prakas, and guidelines.
• FATF Standards: Cambodia's regulatory efforts are heavily influenced by FATF Recommendations. VASPs should ensure their compliance programs align with these international standards, especially Recommendation 15 which specifically addresses new technologies and virtual assets.
• Lack of Specific Licensing: As of the latest information, Cambodia does not have a dedicated, comprehensive licensing framework for VASPs akin to those in some other jurisdictions. This means that while AML/CFT obligations apply, the broader operational legality and specific regulatory permissions for operating a VASP business might fall under existing general business laws or remain in a less defined state. This poses both opportunities and risks for operators.
• Warnings from Authorities: Both NBC and SERC have historically issued warnings about the risks associated with cryptocurrencies and the importance of exercising caution due to the lack of specific regulations and investor protection mechanisms.

VASPs operating or intending to operate in Cambodia must ensure they have robust internal AML/CFT policies, procedures, and controls in place, including appointing a compliance officer, conducting regular training, and implementing appropriate technology solutions for monitoring and reporting. Legal advice from local experts is highly recommended given the dynamic nature of regulations.