Liechtenstein

**Issuing public warnings** against unauthorized entities.

**Imposing supervisory measures** leading to remediation.

**Withdrawing or refusing licenses** for non-compliance.

**Regulator Name:** Financial Market Authority (FMA) Liechtenstein

**Entity Targeted:** Various companies identified for unauthorized operation, often involving crypto/token offerings. (Specific company names are usually listed on the FMA's warning page, which is regularly updated).

**Violation Type:** Operating financial services or token services without the necessary license under the TVTG or other relevant financial market laws, often coupled with allegations of scams or misleading information.

**Penalty Amount:** Not a direct monetary fine imposed by the FMA in this context, but rather a public warning and expectation of cessation of activity. Failure to comply can lead to further legal action.

**Date:** Ongoing, with new warnings issued regularly as unauthorized entities are identified. For the last 3 years, numerous such warnings would have been published.

**Outcome:** Public notification of unauthorized activity, demand for cessation of operations in Liechtenstein, consumer protection.

FMA Liechtenstein Warnings (This page is continuously updated with specific entities): https://www.fma-li.li/en/regulatory-information/warnings.html

*Note: As this page is dynamic, specific entries from the last 3 years would need to be manually sifted through. The FMA does not typically archive individual warning press releases as separate items, but updates the main list.*

**Entity Targeted:** Licensed TVTG service providers or other financial institutions. (Specific names are not always publicly disclosed for every action, but the FMA's annual reports provide aggregated data).

**Violation Type:** Non-compliance with the TVTG, Anti-Money Laundering and Counter-Terrorist Financing (AML/CFT) regulations, or other prudential requirements.

**Penalty Amount:** Not a direct public monetary fine, but the severe penalty of **loss of operating license**, resulting in the inability to conduct regulated activities in Liechtenstein. This represents significant financial loss and reputational damage for the entity.

**Date:** Ongoing, as part of continuous supervision and response to breaches. (Specific case dates are typically not released publicly unless deemed necessary for market protection).

**Outcome:** Withdrawal of authorization, cessation of regulated activities, safeguarding market integrity.

FMA Annual Reports (These provide summaries of supervisory activities and enforcement trends, including actions taken against licensed entities): https://www.fma-li.li/en/about-fma/fma-publications/annual-reports.html

*Note: Reviewing the annual reports from 2021, 2022, and 2023 would show statistics on the number of supervisory measures and license revocations, without always naming specific entities for confidentiality reasons.*

**Token and VT Service Provider Act (TVTG) / Blockchain Act:**

This is the fundamental law. While the official legal text is in German, the FMA provides significant guidance and information in English.

**FMA Information on TVTG:** https://www.fma-li.li/en/regulatory-sections/token-and-vt-service-provider-act-tvtg/

This page provides an overview, relevant documents, and links.

**Due Diligence Act (DDA) (Sorgfaltspflichtgesetz):**

This act governs anti-money laundering and combating the financing of terrorism (AML/CFT) in Liechtenstein and applies to all regulated entities, including VT Service Providers.

**FMA Information on AML/CFT:** https://www.fma-li.li/en/regulatory-sections/anti-money-laundering-and-combating-the-financing-of-terrorism/

The FMA often publishes fact sheets or guidance documents that provide concise summaries and practical advice on regulatory requirements. Look for these on their TVTG section.

*Direct link to a specific Fact Sheet may change, but they are usually found under the main TVTG section above.*

**Payment Services Act (Zahlungsdienstleistungsgesetz - ZDG):**

If a VT Payment Service Provider also engages in traditional fiat payment services that fall under the scope of PSD2, this act would also be relevant.

**FMA Information on Payment Services:** https://www.fma-li.li/en/regulatory-sections/payment-services/

**Law on Professional Due Diligence for the Prevention of Money Laundering, Organised Crime and Terrorist Financing (Due Diligence Act, Sorgfaltspflichtgesetz - SPG)**: This is the overarching AML/CFT law that sets out the due diligence obligations for all financial intermediaries, including VASPs.

Link to SPG (German, unofficial English versions might be available via FMA): e-Laws Liechtenstein

**Ordinance on Professional Due Diligence (Sorgfaltspflichtverordnung - SPV)**: This ordinance provides detailed implementing provisions for the Due Diligence Act.

Link to SPV (German): e-Laws Liechtenstein

**Law on Token and Trustworthy Technology Service Providers (Token and TT Service Provider Act, TVTG - commonly known as the "Blockchain Act")**: This groundbreaking law defines and regulates various TT (Trustworthy Technology) service providers, which largely encompass VASPs. It explicitly brings these entities under the scope of the Due Diligence Act (SPG) for AML/CFT purposes.

Link to TVTG (German, unofficial English version via FMA is often available): e-Laws Liechtenstein

**FMA Guidelines**: The Financial Market Authority (FMA) Liechtenstein issues various guidelines and circulars to provide practical guidance on the implementation of AML/CFT obligations, including specific guidance for TT Service Providers.

**Token Issuers:** Issue tokens on behalf of a third party.

**Token Custodians:** Safely keep tokens or private keys for others.

**TT Key Depositors:** Keep private keys for TT systems.

**TT Protectors:** Hold tokens in their own name on behalf of third parties.

**Physical Validators:** Ensure the physical delivery of an asset connected to a token.

**TT Administrators / Managers:** Manage TT systems or tokens.

**Exchanges:** Provide services for the exchange of virtual assets against fiat currency or other virtual assets.

**Transfer Service Providers:** Perform virtual asset transfers.

**Identification and Verification of the Customer and UBO:**

**For natural persons:** Obtain and verify the identity of the customer by requiring official identification documents (e.g., passport, national ID card) and verifying their name, date of birth, nationality, and residential address.

**For legal entities (companies, foundations, trusts):** Obtain and verify the entity's name, legal form, registered address, registration number, articles of association, and the identities of directors/executives. Crucially, VASPs must identify and verify the **Ultimate Beneficial Owner (UBO)**, which typically means identifying any natural person who directly or indirectly owns or controls 25% or more of the entity, or otherwise exercises control.

**Proof of Address:** Often required (e.g., utility bill, bank statement).

**Screening:** Customers and their UBOs must be screened against national and international sanction lists (e.g., UN, EU, OFAC) and politically exposed persons (PEP) lists.

**Understanding the Purpose and Intended Nature of the Business Relationship:**

VASPs must understand why the customer wants to use their services, the typical volume and type of transactions expected, and the source of funds/wealth.

**Source of Funds (SoF) / Source of Wealth (SoW):**

For higher-risk relationships, significant transactions, or when red flags are raised, VASPs must establish the source of the funds being used (e.g., salary, investment income) and the overall source of the customer's wealth.

VASPs must continuously monitor the business relationship, including transactions, to ensure that the activities are consistent with their knowledge of the customer, their business, and risk profile.

Customer information and identification data must be kept up-to-date.

VASPs must develop and implement a risk-based AML/CFT program. This involves assessing the inherent risks associated with different customers, products, services, delivery channels, and geographic locations.

**Simplified Due Diligence (SDD):** Can be applied in specific, clearly defined low-risk situations, if explicitly permitted by law or FMA guidelines.

**Enhanced Due Diligence (EDD):** Must be applied in higher-risk situations, including but not limited to:

Politically Exposed Persons (PEPs) and their family members/close associates.

Customers from high-risk third countries identified by the EU or FATF.

Complex or unusually large transactions.

Business relationships conducted without face-to-face contact.

Unusual patterns of transactions that have no apparent economic or lawful purpose.

Products or technologies that favor anonymity (e.g., certain privacy coins, mixers/tumblers).

EDD measures typically include more intensive verification, senior management approval, and enhanced ongoing monitoring.

**Obligation to Report:** VASPs are obligated to report any facts or transactions that give rise to a suspicion of money laundering, predicate offences (e.g., fraud, drug trafficking), or terrorist financing.

**Reporting Body:** Reports must be submitted to the **Financial Intelligence Unit (FIU) Liechtenstein**.

**Timing:** Reports must be made *without delay* once a suspicion arises.

**No Tipping-Off:** VASPs, their directors, and employees are strictly prohibited from "tipping off" the customer or any third party that a report has been or will be made to the FIU.

**Internal Reporting:** VASPs must have internal procedures for employees to report suspicions to a designated internal AML officer, who then determines if an STR is necessary.

All data obtained for customer identification and verification (CDD documents).

Records of business relationships and transactions (including original documents, copies of correspondence, and analyses undertaken).

Results of any analysis conducted (e.g., risk assessments, EDD triggers).

Records of suspicious transaction reports (STRs) made to the FIU.

**Financial Market Authority (FMA) Liechtenstein**

**Role:** The FMA is responsible for the licensing, supervision, and enforcement of financial intermediaries, including TT Service Providers/VASPs, to ensure their compliance with the Due Diligence Act (SPG), the TVTG, and other relevant regulations. It issues guidelines, conducts audits, and can impose sanctions for non-compliance.

**Financial Intelligence Unit (FIU) Liechtenstein**

**Role:** The FIU is the central national agency for receiving, analyzing, and disseminating suspicious transaction reports to combat money laundering and terrorist financing.

**Adopted:** Yes, Liechtenstein has adopted the FATF Travel Rule principles. This is primarily implemented through its **Token and VT Service Provider Act (TVTG)**, often known as the Blockchain Act, which came into force in 2020. The TVTG integrates with and is subject to the broader AML/CFT framework, specifically the **Due Diligence Act (DDA – Sorgfaltspflichtgesetz)** and the **Due Diligence Ordinance (DDO – Sorgfaltspflichtverordnung)**.

**Token and VT Service Provider Act (TVTG) / Blockchain Act:** Regulates VT Service Providers and lays the groundwork for AML/CFT compliance in the VA space.

*Reference (FMA information page on TVTG):* https://www.fma-li.li/en/financial-market-supervision/vt-service-providers-blockchain-act/

**Due Diligence Act (DDA) / Sorgfaltspflichtgesetz:** The main AML/CFT law in Liechtenstein, applicable to all obliged entities, including VT Service Providers.

**Due Diligence Ordinance (DDO) / Sorgfaltspflichtverordnung:** Provides specific implementation details for the DDA.

The Financial Market Authority (FMA) Liechtenstein is the supervisory body responsible for enforcing these regulations.

The **TVTG came into force on January 1, 2020**. While the core AML/CFT obligations were already in place, the TVTG explicitly brought VT Service Providers under the purview of the DDA, thus making the Travel Rule principles effective for them from that date, with subsequent guidance providing more specifics.

The threshold for transfers of virtual assets, consistent with FATF guidelines, is **EUR 1,000** (or equivalent in other currencies).

**VASP-to-VASP Transfers:** For transfers between two obliged entities (VT Service Providers), the Travel Rule generally applies regardless of the threshold for the transfer of information. However, the *full set* of originator and beneficiary information (as detailed below) is required for transactions exceeding €1,000. For transfers below €1,000, simplified information might be acceptable, but some basic information must still be exchanged.

**Transfers to/from Unhosted Wallets:** When a VASP initiates or receives a transfer from an unhosted (non-custodial) wallet, the VASP is required to collect originator or beneficiary information (and potentially verify it) if the transaction exceeds €1,000. Below this threshold, risk-based approaches apply.

The TVTG broadly defines "VT Service Providers" (Liechtenstein's term for VASPs). These include, but are not limited to:

**VT Custodians:** Entities that safeguard VT for third parties.

**VT Exchange Service Providers:** Entities that provide services for the exchange of VT against fiat currency or other VT.

**Physical Validators:** Entities that validate VT transactions (e.g., miners/stakers if providing a service).

**Token Issuers:** Entities that issue tokens.

**Identity Service Providers:** Entities that manage identity for token holders.

**Key Depositaries:** Entities that securely store private keys.

Essentially, any entity that provides services related to tokens or VT and falls under the scope of the TVTG and conducts transfers on behalf of customers will be subject to Travel Rule obligations.

The FMA, like most regulators, does not mandate a specific technical solution or protocol (e.g., TRISA, OpenVASP, Sygna). Instead, it requires VT Service Providers to have **robust systems and procedures in place** to:

Collect the required originator and beneficiary information accurately.

Verify the accuracy of the information where appropriate (especially for unhosted wallet interactions above the threshold).

Store the information securely and accessibly for the required retention period (typically 5 years after the business relationship ends or transaction).

Transmit the information to the beneficiary VASP in a secure and reliable manner.

Identify and handle transactions where the required information is missing or incomplete (e.g., block the transfer, report to FIU).

While not explicitly mandated by law, the industry-standard **InterVASP Messaging Standard (IVMS 101)** is widely adopted and recommended as a data model for exchanging Travel Rule information, ensuring interoperability.

Originator's account number (or unique transaction identifier)

Originator's physical address (or national identity number, customer identification number, or date and place of birth)

Beneficiary's account number (or unique transaction identifier)

**For the Beneficiary (to be received by the Beneficiary VASP from the Originator VASP):**

Non-compliance with AML/CFT obligations, including the Travel Rule, can lead to severe penalties under the **Due Diligence Act (DDA)** and the **TVTG**. These can include:

**Administrative Fines:** Significant financial penalties imposed by the FMA on the VASP and/or its responsible individuals. These can range from tens of thousands to millions of Swiss Francs/Euros, depending on the severity and nature of the breach.

**Withdrawal of Licenses/Registrations:** The FMA can revoke a VASP's registration or license, effectively preventing it from operating in Liechtenstein.

**Public Censure:** The FMA may publicly name non-compliant entities.

**Operational Restrictions:** The FMA can impose restrictions on a VASP's operations.

**Criminal Charges:** In cases of severe or intentional breaches, particularly those linked to money laundering or terrorist financing, individuals responsible could face criminal prosecution, including imprisonment.

**Definition of TT Custodian:** According to Art. 4 para. 1 lit. e TVTG, a TT Custodian is "a service provider who holds tokens in custody for third parties and provides services for the safeguarding of private keys or other means of access to tokens."

**Licensing Process:** Any entity wishing to act as a TT Custodian must obtain prior authorization from the FMA. The requirements for obtaining a license as a TT Service Provider are outlined in Articles 12-17 of the TVTG and include:

**Proper Organization:** The applicant must have an appropriate organizational structure, including robust internal controls, IT security, and risk management systems.

**Qualified Management:** The members of the board of directors and executive management must be "fit and proper," demonstrating professional qualifications, experience, and integrity.

**Reliable Business Plan:** A detailed business plan outlining the services, operational procedures, and risk assessments must be submitted.

**Minimum Capital Requirements:** As per Art. 17 TVTG, TT Service Providers, including TT Custodians, must have a minimum capital of **CHF 100,000**. The FMA may require higher capital based on the scope and risk of the services provided.

**AML/CFT Compliance:** Robust measures for combating money laundering and terrorist financing are mandatory, aligning with Liechtenstein's adherence to international standards (e.g., FATF recommendations).

**Tokens and TT Service Providers Act (TVTG) - Art. 4(1)(e), Art. 12-17:**

(Unofficial English translations are available from various legal firms, but the German text is binding.)

**Duty of Care Regarding Third-Party Tokens:** Art. 23 TVTG stipulates that a TT Custodian must take all necessary measures to protect the tokens against loss, theft, or misuse, and to ensure that they can always be identified and returned to the respective owner.

**Identification and Return:** This implicitly requires that the custodian must be able to clearly distinguish client assets from their own assets and from the assets of other clients. In practice, this leads to the implementation of technical and organizational measures for segregation, such as separate omnibus wallets per client or a sophisticated internal ledger system that tracks individual ownership within shared wallets, coupled with a robust reconciliation process.

**Insolvency Protection:** The segregation of client assets ensures that in the event of the custodian's insolvency, client assets are not part of the insolvency estate and can be returned to their rightful owners.

**Robust Risk Management:** TT Service Providers are required to establish a sound risk management framework (Art. 13 para. 1 lit. c TVTG), which includes identifying, assessing, and mitigating risks associated with custody, including potential losses from cyber-attacks, operational errors, or theft. While not explicitly an insurance *mandate*, adequate risk management could lead a custodian to secure insurance coverage as a best practice to protect against certain risks.

**FMA Discretion:** The FMA, during the licensing process or ongoing supervision, has the authority to impose additional conditions or requirements if deemed necessary to ensure the protection of clients and the stability of the financial market.

**Security Measures:** Art. 23 TVTG requires TT Custodians to implement "appropriate measures to protect the tokens against loss, theft or misuse." This broad requirement implies that custodians must employ state-of-the-art security practices suitable for the digital assets they hold.

**Risk-Based Approach:** For significant holdings, industry best practices for security almost universally involve some form of cold storage, multi-signature schemes, hardware security modules (HSMs), and robust key management policies. The FMA expects custodians to adopt a risk-based approach to security, meaning the higher the value and risk, the more stringent the security measures.

**IT Security Policy:** As part of the organizational requirements and risk management framework, custodians must have comprehensive IT security policies that address the entire lifecycle of private keys and access means.

**FMA Authorization:** A TT Custodian is "qualified" by virtue of having obtained the necessary authorization from the FMA. This licensing process ensures that the entity meets the rigorous standards set out in the TVTG regarding capital, management, organization, and operational integrity.

**Definition:** As reiterated from Art. 4(1)(e) TVTG: "a service provider who holds tokens in custody for third parties and provides services for the safeguarding of private keys or other means of access to tokens."

The FMA's role is to ensure that these entities are capable, reliable, and compliant with all regulatory requirements, thereby making them "qualified" to provide custody services.

**FMA Liechtenstein Website (General Information on TVTG):**

**MiCA Implementation:** MiCA is a comprehensive EU regulation for crypto-assets that will become fully applicable in phases, with most provisions for crypto-asset service providers (CASPs) applying from **December 30, 2024**.

**Impact on Liechtenstein:** As an EEA member, Liechtenstein will be required to transpose MiCA into its national law. This means that while the TVTG currently governs digital asset custody, Liechtenstein's legislation will need to be adapted to align with MiCA's requirements.

**Key MiCA Custody Requirements:** MiCA introduces specific and often more stringent requirements for CASPs providing custody and administration of crypto-assets on behalf of clients, including:

**Higher Minimum Capital Requirements:** MiCA may impose higher and more granular capital requirements depending on the type and scale of services.

**More Detailed Segregation Rules:** While TVTG already mandates segregation, MiCA further clarifies and strengthens these provisions.

**Robust Operational Requirements:** Detailed rules on IT security, business continuity, outsourcing, and safeguarding client crypto-assets.

**Specific Recovery Plans:** Requirements for plans to return assets in case of operational failure.

**Liability Regime:** CASPs will be liable to clients for loss of crypto-assets due.

**Insurance/Guarantees:** MiCA Article 67 specifies that a custodian must have either a prudential safeguard in the form of own funds (minimum €125,000 or 0.2% of assets held, whichever is higher) or an insurance policy or comparable guarantee.

**Timeline:** The FMA Liechtenstein is actively involved in the process of adapting national law to align with MiCA. This transposition will be the primary "pending" legislative activity impacting crypto custody in Liechtenstein in the near future.

**Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA):**

**FMA Liechtenstein - Information regarding MiCA:**

The FMA regularly publishes updates on its website regarding its work on MiCA implementation. https://www.fma-li.li/en/ (Check news and publications sections for specific updates).