Liechtenstein -- AML/CFT Compliance Regulatory Overview

**Law on Professional Due Diligence for the Prevention of Money Laundering, Organised Crime and Terrorist Financing (Due Diligence Act, Sorgfaltspflichtgesetz - SPG)**: This is the overarching AML/CFT law that sets out the due diligence obligations for all financial intermediaries, including VASPs.

Link to SPG (German, unofficial English versions might be available via FMA): e-Laws Liechtenstein

**Ordinance on Professional Due Diligence (Sorgfaltspflichtverordnung - SPV)**: This ordinance provides detailed implementing provisions for the Due Diligence Act.

Link to SPV (German): e-Laws Liechtenstein

**Law on Token and Trustworthy Technology Service Providers (Token and TT Service Provider Act, TVTG - commonly known as the "Blockchain Act")**: This groundbreaking law defines and regulates various TT (Trustworthy Technology) service providers, which largely encompass VASPs. It explicitly brings these entities under the scope of the Due Diligence Act (SPG) for AML/CFT purposes.

Link to TVTG (German, unofficial English version via FMA is often available): e-Laws Liechtenstein

**FMA Guidelines**: The Financial Market Authority (FMA) Liechtenstein issues various guidelines and circulars to provide practical guidance on the implementation of AML/CFT obligations, including specific guidance for TT Service Providers.

**Token Issuers:** Issue tokens on behalf of a third party.

**Token Custodians:** Safely keep tokens or private keys for others.

**TT Key Depositors:** Keep private keys for TT systems.

**TT Protectors:** Hold tokens in their own name on behalf of third parties.

**Physical Validators:** Ensure the physical delivery of an asset connected to a token.

**TT Administrators / Managers:** Manage TT systems or tokens.

**Exchanges:** Provide services for the exchange of virtual assets against fiat currency or other virtual assets.

**Transfer Service Providers:** Perform virtual asset transfers.

**Identification and Verification of the Customer and UBO:**

**For natural persons:** Obtain and verify the identity of the customer by requiring official identification documents (e.g., passport, national ID card) and verifying their name, date of birth, nationality, and residential address.

**For legal entities (companies, foundations, trusts):** Obtain and verify the entity's name, legal form, registered address, registration number, articles of association, and the identities of directors/executives. Crucially, VASPs must identify and verify the **Ultimate Beneficial Owner (UBO)**, which typically means identifying any natural person who directly or indirectly owns or controls 25% or more of the entity, or otherwise exercises control.

**Proof of Address:** Often required (e.g., utility bill, bank statement).

**Screening:** Customers and their UBOs must be screened against national and international sanction lists (e.g., UN, EU, OFAC) and politically exposed persons (PEP) lists.

**Understanding the Purpose and Intended Nature of the Business Relationship:**

VASPs must understand why the customer wants to use their services, the typical volume and type of transactions expected, and the source of funds/wealth.

**Source of Funds (SoF) / Source of Wealth (SoW):**

For higher-risk relationships, significant transactions, or when red flags are raised, VASPs must establish the source of the funds being used (e.g., salary, investment income) and the overall source of the customer's wealth.

VASPs must continuously monitor the business relationship, including transactions, to ensure that the activities are consistent with their knowledge of the customer, their business, and risk profile.

Customer information and identification data must be kept up-to-date.

VASPs must develop and implement a risk-based AML/CFT program. This involves assessing the inherent risks associated with different customers, products, services, delivery channels, and geographic locations.

**Simplified Due Diligence (SDD):** Can be applied in specific, clearly defined low-risk situations, if explicitly permitted by law or FMA guidelines.

**Enhanced Due Diligence (EDD):** Must be applied in higher-risk situations, including but not limited to:

Politically Exposed Persons (PEPs) and their family members/close associates.

Customers from high-risk third countries identified by the EU or FATF.

Complex or unusually large transactions.

Business relationships conducted without face-to-face contact.

Unusual patterns of transactions that have no apparent economic or lawful purpose.

Products or technologies that favor anonymity (e.g., certain privacy coins, mixers/tumblers).

EDD measures typically include more intensive verification, senior management approval, and enhanced ongoing monitoring.

**Obligation to Report:** VASPs are obligated to report any facts or transactions that give rise to a suspicion of money laundering, predicate offences (e.g., fraud, drug trafficking), or terrorist financing.

**Reporting Body:** Reports must be submitted to the **Financial Intelligence Unit (FIU) Liechtenstein**.

**Timing:** Reports must be made *without delay* once a suspicion arises.

**No Tipping-Off:** VASPs, their directors, and employees are strictly prohibited from "tipping off" the customer or any third party that a report has been or will be made to the FIU.

**Internal Reporting:** VASPs must have internal procedures for employees to report suspicions to a designated internal AML officer, who then determines if an STR is necessary.

All data obtained for customer identification and verification (CDD documents).

Records of business relationships and transactions (including original documents, copies of correspondence, and analyses undertaken).

Results of any analysis conducted (e.g., risk assessments, EDD triggers).

Records of suspicious transaction reports (STRs) made to the FIU.

**Financial Market Authority (FMA) Liechtenstein**

**Role:** The FMA is responsible for the licensing, supervision, and enforcement of financial intermediaries, including TT Service Providers/VASPs, to ensure their compliance with the Due Diligence Act (SPG), the TVTG, and other relevant regulations. It issues guidelines, conducts audits, and can impose sanctions for non-compliance.

**Financial Intelligence Unit (FIU) Liechtenstein**

**Role:** The FIU is the central national agency for receiving, analyzing, and disseminating suspicious transaction reports to combat money laundering and terrorist financing.

**Adopted:** Yes, Liechtenstein has adopted the FATF Travel Rule principles. This is primarily implemented through its **Token and VT Service Provider Act (TVTG)**, often known as the Blockchain Act, which came into force in 2020. The TVTG integrates with and is subject to the broader AML/CFT framework, specifically the **Due Diligence Act (DDA – Sorgfaltspflichtgesetz)** and the **Due Diligence Ordinance (DDO – Sorgfaltspflichtverordnung)**.

**Token and VT Service Provider Act (TVTG) / Blockchain Act:** Regulates VT Service Providers and lays the groundwork for AML/CFT compliance in the VA space.

*Reference (FMA information page on TVTG):* https://www.fma-li.li/en/financial-market-supervision/vt-service-providers-blockchain-act/

**Due Diligence Act (DDA) / Sorgfaltspflichtgesetz:** The main AML/CFT law in Liechtenstein, applicable to all obliged entities, including VT Service Providers.

**Due Diligence Ordinance (DDO) / Sorgfaltspflichtverordnung:** Provides specific implementation details for the DDA.

The Financial Market Authority (FMA) Liechtenstein is the supervisory body responsible for enforcing these regulations.

The **TVTG came into force on January 1, 2020**. While the core AML/CFT obligations were already in place, the TVTG explicitly brought VT Service Providers under the purview of the DDA, thus making the Travel Rule principles effective for them from that date, with subsequent guidance providing more specifics.

The threshold for transfers of virtual assets, consistent with FATF guidelines, is **EUR 1,000** (or equivalent in other currencies).

**VASP-to-VASP Transfers:** For transfers between two obliged entities (VT Service Providers), the Travel Rule generally applies regardless of the threshold for the transfer of information. However, the *full set* of originator and beneficiary information (as detailed below) is required for transactions exceeding €1,000. For transfers below €1,000, simplified information might be acceptable, but some basic information must still be exchanged.

**Transfers to/from Unhosted Wallets:** When a VASP initiates or receives a transfer from an unhosted (non-custodial) wallet, the VASP is required to collect originator or beneficiary information (and potentially verify it) if the transaction exceeds €1,000. Below this threshold, risk-based approaches apply.

The TVTG broadly defines "VT Service Providers" (Liechtenstein's term for VASPs). These include, but are not limited to:

**VT Custodians:** Entities that safeguard VT for third parties.

**VT Exchange Service Providers:** Entities that provide services for the exchange of VT against fiat currency or other VT.

**Physical Validators:** Entities that validate VT transactions (e.g., miners/stakers if providing a service).

**Token Issuers:** Entities that issue tokens.

**Identity Service Providers:** Entities that manage identity for token holders.

**Key Depositaries:** Entities that securely store private keys.

Essentially, any entity that provides services related to tokens or VT and falls under the scope of the TVTG and conducts transfers on behalf of customers will be subject to Travel Rule obligations.

The FMA, like most regulators, does not mandate a specific technical solution or protocol (e.g., TRISA, OpenVASP, Sygna). Instead, it requires VT Service Providers to have **robust systems and procedures in place** to:

Collect the required originator and beneficiary information accurately.

Verify the accuracy of the information where appropriate (especially for unhosted wallet interactions above the threshold).

Store the information securely and accessibly for the required retention period (typically 5 years after the business relationship ends or transaction).

Transmit the information to the beneficiary VASP in a secure and reliable manner.

Identify and handle transactions where the required information is missing or incomplete (e.g., block the transfer, report to FIU).

While not explicitly mandated by law, the industry-standard **InterVASP Messaging Standard (IVMS 101)** is widely adopted and recommended as a data model for exchanging Travel Rule information, ensuring interoperability.

Originator's account number (or unique transaction identifier)

Originator's physical address (or national identity number, customer identification number, or date and place of birth)

Beneficiary's account number (or unique transaction identifier)

**For the Beneficiary (to be received by the Beneficiary VASP from the Originator VASP):**

Non-compliance with AML/CFT obligations, including the Travel Rule, can lead to severe penalties under the **Due Diligence Act (DDA)** and the **TVTG**. These can include:

**Administrative Fines:** Significant financial penalties imposed by the FMA on the VASP and/or its responsible individuals. These can range from tens of thousands to millions of Swiss Francs/Euros, depending on the severity and nature of the breach.

**Withdrawal of Licenses/Registrations:** The FMA can revoke a VASP's registration or license, effectively preventing it from operating in Liechtenstein.

**Public Censure:** The FMA may publicly name non-compliant entities.

**Operational Restrictions:** The FMA can impose restrictions on a VASP's operations.

**Criminal Charges:** In cases of severe or intentional breaches, particularly those linked to money laundering or terrorist financing, individuals responsible could face criminal prosecution, including imprisonment.