Laos

**Law on Anti-Money Laundering and Combating the Financing of Terrorism (Law No. 67/NA, dated 17 November 2022):** This is the foundational AML/CFT law in Laos, superseding previous versions. It establishes the general obligations for reporting entities, including financial institutions, and covers key aspects of AML/CFT compliance.

**Decree on the Implementation of the Law on Anti-Money Laundering and Combating the Financing of Terrorism (Decree No. 37/GOV, dated 10 February 2020):** This decree provides detailed guidance and procedures for implementing the provisions of the AML/CFT Law.

**Instruction on the Management and Supervision of Virtual Assets (Instruction No. 001/BOL, dated 28 January 2022):** Issued by the Bank of Lao PDR, this instruction is highly specific to the pilot program for virtual assets. It outlines the regulatory framework, licensing requirements, and ongoing obligations (including AML/KYC) for entities authorized to engage in virtual asset activities (mining, trading platforms, exchanges, etc.). It designates authorized VASPs as reporting entities for AML/CFT purposes.

Obtain and verify the identity of the customer (individual or legal entity) using reliable, independent source documents, data, or information. For individuals, this includes full name, date of birth, nationality, residential address, and official identification document details (e.g., passport, national ID card).

For legal entities, this includes legal name, registered address, registration number, articles of association, and details of directors/senior management.

**Beneficial Ownership:** Identify and take reasonable measures to verify the identity of the beneficial owner(s) of the customer, including for legal entities and arrangements.

**Purpose and Nature of Relationship:** Understand and, where appropriate, obtain information on the purpose and intended nature of the business relationship or transaction.

**Ongoing Monitoring:** Conduct ongoing monitoring of the business relationship, including scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions are consistent with the VASP's knowledge of the customer, their business, and risk profile.

**Risk-Based Approach:** Apply a risk-based approach to CDD, meaning enhanced due diligence (EDD) must be applied to higher-risk customers, business relationships, or transactions (e.g., politically exposed persons (PEPs), customers from high-risk jurisdictions, complex or unusual transactions, or transactions involving high-value virtual assets). Simplified due diligence (SDD) may be applied in lower-risk situations.

**"Travel Rule" (FATF Recommendation 16):** While specific detailed local regulations on the "Travel Rule" for VASPs may be further developed, authorized VASPs are generally expected to collect and transmit required originator and beneficiary information for virtual asset transfers above a certain threshold, in line with FATF recommendations, especially when transacting with other VASPs.

**Reporting Obligation:** Any transaction (regardless of amount) that the VASP knows, suspects, or has reasonable grounds to suspect involves money laundering, financing of terrorism, or other illicit activities, must be reported.

**No Tipping-Off:** VASPs and their employees are prohibited from disclosing to the customer or third parties that a suspicious transaction report has been or will be submitted.

**Timeliness:** Reports must be submitted to the FIU promptly, as soon as the suspicion is formed.

**Customer Identification Records:** All documents and information obtained during the CDD process, including copies of identification documents, beneficial ownership information, and risk assessments.

**Transaction Records:** Records of all transactions, including the amount, currency (both fiat and virtual asset), date, type of transaction, and the parties involved (originator and beneficiary information).

**STR Records:** Copies of all suspicious transaction reports submitted to the FIU and any internal analysis leading to those reports.

**Retention Period:** Records must generally be kept for a minimum of **five (5) years** after the business relationship has ended or after the date of the transaction.

**Bank of Lao PDR (BOL):** The BOL is the central bank and the primary financial regulator in Laos. It is responsible for issuing licenses/authorizations for VASPs under the pilot program, developing specific regulations (like Instruction No. 001/BOL), and conducting ongoing supervision and examinations to ensure compliance with AML/CFT and other prudential requirements.

**Financial Intelligence Unit (FIU) of Laos:** Operating under the Bank of Lao PDR, the FIU is the central agency for receiving, analyzing, and disseminating suspicious transaction reports to law enforcement agencies.

The FIU's information is integrated within the BOL structure.

**Regulatory Approach:** **Restrictive / Partial Ban (for the public) with Controlled Exceptions.**

For the general public and most businesses, engaging in cryptocurrency trading, exchanges, or financial services is largely prohibited or highly discouraged due to the Bank of the Lao PDR's warnings and notices.

However, the government has, at times, indicated an openness to *pilot projects* for specific, state-controlled uses, particularly in areas like cryptocurrency mining to monetize surplus energy, but these are exceptions and not indicative of a liberalization for the broader market.

**Bank of the Lao PDR (BoL):** As the central bank, it is the primary financial regulator and has issued the most definitive pronouncements on cryptocurrencies, primarily warnings and prohibitions.

**Ministry of Technology and Communications (MoTC):** While not a financial regulator, the MoTC might be involved in the technological aspects of any approved digital asset or blockchain initiatives.

**Ministry of Finance:** Could be involved in broader economic policy, taxation, or if any national digital currency initiatives were to emerge.

**Key Legislation Names and Dates:**

**Notice No. 138/BOL, dated 23 February 2018:**

**Content:** This notice explicitly warned financial institutions and the public against the use, trading, and circulation of cryptocurrencies, citing risks such as price volatility, cybercrime, money laundering, and potential impacts on financial stability. It effectively prohibited commercial banks, payment system providers, and individuals from using or trading cryptocurrencies.

**Status:** While there haven't been subsequent comprehensive laws *legalizing* general crypto use, this notice remains a foundational document reflecting the BoL's cautious and prohibitive stance for the general market.

In late 2021, the Lao government approved a resolution allowing six companies to pilot cryptocurrency mining operations. This was a specific, limited initiative primarily aimed at utilizing surplus electricity and generating revenue, rather than opening up general crypto trading. These projects operate under strict governmental oversight and do not negate the BoL's general prohibition on public crypto trading or financial services. The status and outcomes of these pilots are not always transparently updated.

**Current Stance on Crypto Trading and Exchanges:**

**Illegal/Highly Discouraged for the Public:** Based on Notice No. 138/BOL, individuals and financial institutions are prohibited from engaging in cryptocurrency trading. There is no legal framework for the public to buy, sell, or exchange cryptocurrencies.

**No Legal Protection:** Individuals who engage in crypto trading do so at their own risk and have no legal recourse or protection under Lao law.

**Exceptions (Highly Controlled):** Any activities, such as mining, are part of specific, government-approved pilot projects and are not available for the general populace.

**No Licensed Exchanges for the Public:** There are no publicly licensed cryptocurrency exchanges operating legally in Laos for retail trading.

**Unlicensed Operations are Illegal:** Any local entities operating as crypto exchanges without explicit government approval would be operating illegally.

**Government-Approved Pilot Participants:** Any entities involved in the aforementioned pilot projects (e.g., mining) are operating under specific, limited approvals and are not general exchanges for public trading.

**No, not comprehensively.** While Laos has a general AML/CFT law, its framework for VAs and VASPs is still considered insufficient by international standards. The FATF Travel Rule (which stems from FATF Recommendation 15 and its Interpretive Note) requires countries to regulate VASPs for AML/CFT purposes, including implementing obligations to collect and transmit originator and beneficiary information for virtual asset transfers. Laos has yet to establish this comprehensive regulatory regime.

As the comprehensive regulatory framework for VASPs and the Travel Rule is not yet in place, there is **no specific effective date** for its implementation in Laos. The initial steps involve defining VAs and VASPs, bringing them under the regulatory scope, and then prescribing the specific Travel Rule obligations.

Given the absence of a comprehensive framework for the Travel Rule, **no specific threshold amounts** have been defined for VASP transactions in Laos related to the Travel Rule. The FATF standard typically applies to transactions above a certain threshold (e.g., USD/EUR 1,000) for cross-border transfers and sometimes lower for domestic.

This is the primary challenge. Laos's existing AML/CFT framework, while aiming to combat financial crime, **does not yet comprehensively define Virtual Assets (VAs) or Virtual Asset Service Providers (VASPs)** to bring them under direct AML/CFT supervision as required by FATF Recommendation 15 and its Interpretive Note.

Therefore, there isn't a clear list of "covered VASPs" that are currently subject to Travel Rule obligations. Any entities dealing with virtual assets operate in a largely unregulated or ambiguous legal environment concerning AML/CFT specifically for virtual assets.

Without the foundational legal and regulatory framework for VASPs and the Travel Rule, there are **no established technical implementation requirements** for VASPs in Laos (e.g., specific data fields, messaging protocols, or record-keeping standards for Travel Rule compliance).

While Laos has penalties for general AML/CFT non-compliance under its primary **Law on Anti-Money Laundering and Counter-Terrorism Financing**, these would apply to entities *already covered* by the existing framework (e.g., banks, financial institutions, certain designated non-financial businesses and professions).

Since VASPs are not yet comprehensively defined or brought under this regulatory umbrella for virtual asset-specific AML/CFT obligations, there are **no specific penalties defined for non-compliance with the Travel Rule** by VASPs.

**Law on Anti-Money Laundering and Counter-Terrorism Financing (No. 55/NA, dated 26 December 2014, amended):** This is Laos's primary AML/CFT legislation. While it provides the general framework, its scope regarding virtual assets and VASPs is currently not comprehensive enough to implement the Travel Rule.

*Finding a publicly available English version with a direct government URL can be challenging. Often, international reports or legal analyses reference it.*

**APG Mutual Evaluation Reports for Laos:** These reports provide the most authoritative public assessment of Laos's compliance with FATF Recommendations.

The **APG 3rd Enhanced Follow-Up Report on Lao PDR (2022)**, for instance, highlights the ongoing deficiencies in addressing Virtual Assets and VASPs, noting that the country still needs to revise its legal and regulatory framework to ensure VAs and VASPs are adequately covered.

**A General Prohibition with Exceptions:** Initial stances were restrictive. However, a significant development was the Prime Minister's Order No. 001/PMO, which allowed for a controlled experiment.

**The "Sandbox" Approach:** The government initiated a pilot program or "sandbox" allowing a limited number of companies to mine and trade cryptocurrencies under strict supervision. This means that any entity engaging in activities that would involve custody must be part of this approved sandbox.

**Prime Minister's Order No. 001/PMO concerning the management of cryptocurrencies and digital assets (2021):** This Order effectively lifted a prior ban on crypto activities, allowing the Ministry of Technology and Communications, the Bank of Laos, and the Ministry of Finance to permit and manage the mining and trading of digital assets by selected companies within a controlled environment.

**Reference:** While a direct official English translation PDF might be difficult to access publicly, its existence and provisions are widely reported by reputable news outlets and legal advisories.

**Example News Source discussing PMO 001/PMO:**

*PwC Laos Advisory:* Often provides updates on such regulations. (While not a direct URL to the law, these resources explain it.)

**No specific "custodial license" exists.** Instead, entities wishing to provide any form of digital asset service that involves holding client funds (even if implicitly, like an exchange) must apply for and obtain a **license to participate in the government's digital asset sandbox program**.

This licensing is issued by a joint committee involving the Ministry of Technology and Communications, the Ministry of Finance, and the Bank of Laos. The criteria for obtaining such a license are likely stringent and include demonstrating technical capability, financial soundness, and compliance with general AML/CFT principles.

**No specific rules are publicly mandated.** While financial best practices and general Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) principles would strongly suggest the segregation of client assets from the firm's operational assets, there are no explicit legal requirements for this specifically for digital asset custodians in Laos at present. Any requirements would be ad-hoc conditions imposed during the sandbox licensing process.

**No specific insurance or bonding requirements for digital asset custody are publicly mandated.** General business insurance would be expected for any licensed entity, but crypto-specific insurance or bonding is not a known regulatory requirement.

**No specific cold storage mandates are publicly known.** While the use of cold storage for the majority of digital assets is a standard industry best practice for security, it is not a specific regulatory requirement in Laos. Security protocols would likely be reviewed as part of the sandbox licensing application, but without prescriptive mandates.

**No definition of a "qualified custodian" exists in Laotian law** in the context of digital assets. This concept is typically found in more mature financial markets with established securities laws (e.g., the SEC in the U.S.).

There is **no publicly known pending legislation specifically targeting digital asset custody**.

**Bank of Laos (BOL):** The central bank, responsible for monetary policy and financial stability. It has previously issued warnings regarding crypto risks.

**Official Website:** https://www.bol.gov.la/ (Note: Information specific to crypto regulations may be scarce in English on their main site, often communicated via press releases or government orders).

**Ministry of Finance (MOF):** Involved in fiscal policy and potentially taxation of digital asset activities.

**Ministry of Technology and Communications (MTC):** Plays a role in overseeing the technological aspects of digital assets and the sandbox.

**Financial Intelligence Unit (FIU):** Responsible for AML/CFT oversight, and any licensed digital asset entity would fall under their purview for reporting suspicious transactions.

**Compliance Requirements:** UN Security Council resolutions impose binding sanctions on UN member states, including Laos. These sanctions often target individuals and entities involved in terrorism, proliferation of weapons of mass destruction, or specific conflict situations. VASPs in Laos must screen all customers and transactions against the UN Consolidated Sanctions List. If a match is found, assets must be frozen, and relevant authorities must be notified.

**Application to Crypto:** UN sanctions are technology-neutral. If an individual or entity on a UN sanctions list uses virtual assets, the same prohibitions apply.

**UN Security Council Resolutions:** The basis for all UN sanctions. (No single URL for all, but specific resolutions are publicly available).

**UN Security Council Consolidated List:** https://www.un.org/securitycouncil/content/un-sc-consolidated-list

**Compliance Requirements:** OFAC sanctions have extraterritorial reach, meaning they can apply to non-U.S. persons (including VASPs in Laos) if their activities involve a U.S. nexus (e.g., transacting in USD, using U.S. financial infrastructure, or engaging with a U.S. person). OFAC designates individuals, entities, and entire jurisdictions. VASPs must screen all customers and transactions against OFAC's Specially Designated Nationals (SDN) List and other sanctions lists. They must block assets and prohibit transactions involving sanctioned parties or jurisdictions.

**Application to Crypto:** OFAC has explicitly applied sanctions to the virtual asset space. This includes sanctioning specific virtual currency mixers, exchanges, wallet addresses, and individuals for illicit activities.

**Examples:** Tornado Cash, Garantex, BTC-e, specific wallets linked to ransomware groups or North Korean state-sponsored hackers.

**OFAC's Guidance for the Virtual Currency Industry:** https://home.treasury.gov/system/files/126/virtual_currency_guidance_final.pdf

**Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments:** https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_1.pdf

**Compliance Requirements:** EU sanctions apply to all persons and entities operating within the EU and to EU nationals and entities worldwide. While they primarily affect EU-based VASPs, a VASP in Laos dealing with EU customers or partners, or engaging in transactions that touch the EU financial system, would need to consider EU sanctions. VASPs must screen against the EU sanctions lists, freeze assets, and prohibit transactions involving sanctioned parties.

**Application to Crypto:** Similar to OFAC, the EU's sanctions are sector-agnostic and apply to virtual assets when relevant. The EU has also specifically addressed crypto in its sanctions against Russia, prohibiting high-value crypto-asset services to Russian persons or entities.

**EU Sanctions Map:** https://www.sanctionsmap.eu/ (Provides an overview of all EU sanctions regimes).

**Consolidated List of Persons, Groups and Entities Subject to EU Financial Sanctions:** https://data.europa.eu/data/datasets/consolidated-list-of-persons-groups-and-entities-subject-to-eu-financial-sanctions?locale=en

**Customer Due Diligence (CDD) & Enhanced Due Diligence (EDD):** Identifying and verifying the identity of all customers, including beneficial owners.

**Sanctions Screening:** Implementing automated or manual systems to screen all customers, beneficial owners, and, where feasible, transaction counterparties against the UN, OFAC (SDN List, Non-SDN Palestinian Legislative Council List, Sectoral Sanctions Identifications List, etc.), and EU consolidated sanctions lists. This screening should be conducted before onboarding and on an ongoing basis.

**Transaction Monitoring:** Monitoring transactions for red flags indicative of sanctions evasion (e.g., transactions to high-risk jurisdictions, unusual transaction patterns, use of mixers).

**Record Keeping:** Maintaining records of all screening results and actions taken.

**Reporting:** Reporting any matches or suspicious transactions to Laos's Financial Intelligence Unit (FIU) and, where applicable, to the relevant foreign authorities (e.g., OFAC for a U.S. nexus).

**Crimea, Donetsk, Luhansk regions of Ukraine (and other occupied territories)**

**International Regimes (OFAC, EU):** Violations of U.S. and EU sanctions can result in severe penalties, including:

**Civil Monetary Penalties:** Substantial fines, which can be millions of dollars per violation.

**Criminal Penalties:** Imprisonment for individuals and even larger fines for entities.

**Reputational Damage:** Significant harm to the VASP's reputation and ability to conduct international business.

**Loss of Access:** Prohibition from accessing U.S. or EU financial markets.

**Laos Domestic Penalties:** While Laos does not have its own crypto-specific sanctions violation penalties, its Anti-Money Laundering and Counter-Terrorist Financing Law enforces the country's obligations under international conventions and FATF recommendations. Non-compliance with AML/CFT requirements, which *include* sanctions compliance, can lead to:

**Fines:** Imposed by the Bank of the Lao PDR or other regulatory bodies.

**Imprisonment:** For individuals involved in severe violations.

**License Revocation:** Loss of operational license for the VASP.

**Asset Forfeiture:** Seizure of assets linked to illicit activities.

**Law on Anti-Money Laundering and Counter-Terrorism Financing, No. 05/NA (2014):** This law, and subsequent amendments or implementing regulations from the Bank of the Lao PDR, form the domestic legal basis for AML/CFT compliance in Laos, which encompasses sanctions. (A specific URL for an official English translation is hard to find, but it's the primary legal instrument).

**Issuing Official Warnings and Prohibitions:** The BOL has repeatedly reminded the public and financial institutions that cryptocurrencies are not legal tender and pose significant risks.

**A Brief Experiment with Authorized Mining (and subsequent cooling):** There was a period in late 2021 where the Lao government approved a pilot project for a few companies to mine and trade cryptocurrencies, primarily to generate revenue for the state. However, this was a government initiative, not an enforcement action, and the enthusiasm seems to have significantly cooled since.

**Regulator Name:** Bank of the Lao PDR (BOL)

**Entity Targeted:** The general public, financial institutions, and potentially anyone engaging in cryptocurrency activities.

**Violation Type:** Engaging in activities with unrecognized digital assets, not being compliant with existing financial regulations, operating outside authorized financial systems. The BOL views cryptocurrencies as speculative assets that are not legal tender and pose risks like money laundering, fraud, and financial instability.

**Penalty Amount:** Not applicable to warnings; potential penalties for actual illegal operations would fall under existing financial or criminal laws, not specific crypto regulations.

**Date:** Warnings have been issued periodically, with renewed emphasis in recent years. Key periods include late 2021 when global crypto interest surged, and ongoing reminders.

**Outcome:** Reinforcement of the official position that cryptocurrencies are not recognized as legal tender or regulated financial products in Laos. Discouragement of public participation.

https://www.vientianetimes.org.la/archive/Economy/Laos%20approves%20six%20companies.php (This link points to an archived article, direct access might require searching the Vientiane Times archives for "cryptocurrency Laos" around October 2021).

**The Diplomat (June 2022, providing context on Laos's crypto journey including warnings):**

**Laos Public Security News (April 2023, warning against cryptocurrency investment scams):** This type of article from a government agency often reflects the general enforcement approach against fraud involving crypto. (Note: Direct links to specific articles from Lao government sites in English can be ephemeral. This is indicative of the *type* of enforcement focus).

*Search Term Example:* "Lao Public Security warns crypto scam"

**Regulator/Initiator:** Government of Laos, potentially via relevant ministries and the BOL.

**Entity Targeted:** N/A (this was a policy approval, not an enforcement action).

**Date:** Approved in principle in late 2021.

**Outcome:** A small number of companies were initially authorized for a pilot project to mine and trade crypto, primarily to generate revenue for the state. This policy shift was covered by international news. However, detailed updates on the success or continuation of this project have been scarce, suggesting it did not lead to widespread adoption or a robust regulatory framework. The general sentiment remains cautious.