Sri Lanka -- AML/CFT Compliance Regulatory Overview

Sri Lanka is in the process of developing a regulatory framework for Virtual Asset Service Providers (VASPs), with the Central Bank of Sri Lanka (CBSL) having historically issued warnings against cryptocurrencies due to their unregulated nature. However, aligning with international standards set by the Financial Action Task Force (FATF), Sri Lanka is moving towards regulating VASPs to combat money laundering and terrorist financing risks.

While a specific licensing regime for VASPs is still under development, any entity operating with virtual assets in Sri Lanka would eventually be subject to the existing general Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) legislation, and future VASP-specific regulations will build upon these foundational laws.

Here are the anticipated and existing AML/KYC requirements relevant to cryptocurrency/virtual asset service providers in Sri Lanka:

AML/CFT Legislation in Sri Lanka

The primary legislative framework for AML/CFT in Sri Lanka comprises:

1. The Prevention of Money Laundering Act, No. 5 of 2006 (PMLA): This Act criminalizes money laundering and establishes the legal framework for its prevention.
2. The Financial Transactions Reporting Act, No. 6 of 2006 (FTRA): This Act mandates reporting institutions (which would include regulated VASPs) to report suspicious transactions and sets out customer due diligence (CDD) and record-keeping requirements. It also established the Financial Intelligence Unit (FIU).
3. The Convention on the Suppression of Terrorist Financing Act, No. 25 of 2005 (CSTFA): This Act criminalizes terrorist financing and implements the international convention.

Overseeing Authority for Compliance

The primary authority overseeing AML/CFT compliance in Sri Lanka is:

• Financial Intelligence Unit (FIU) of Sri Lanka:
  • Role: The FIU acts as the central national agency for receiving, analyzing, and disseminating financial information concerning suspected proceeds of crime and terrorist financing. It is responsible for enforcing compliance with AML/CFT laws by reporting institutions.
  • URL: https://www.fiu.gov.lk/

While the FIU is the AML/CFT compliance body, the Central Bank of Sri Lanka (CBSL) is the main regulator for financial institutions and is expected to be the licensing and prudential supervisor for VASPs once the specific framework is enacted.

• Central Bank of Sri Lanka (CBSL):
  • Role: The CBSL has been involved in discussions regarding the regulation of VASPs and is expected to develop the licensing framework and supervise VASPs for both financial stability and AML/CFT compliance.
  • URL: https://www.cbsl.gov.lk/

Customer Due Diligence (CDD) Requirements (Anticipated for Regulated VASPs)

Once regulated, VASPs will be considered "reporting institutions" and will need to implement robust CDD measures, aligning with FATF Recommendation 15 and Sri Lanka's FTRA. These will likely include:

1. Identification and Verification of Customers:
   • Individuals: Obtain and verify the customer's full name, permanent address, date of birth, nationality, and a unique identification number (e.g., National Identity Card (NIC) number, passport number). Verification must be done using reliable, independent source documents, data, or information.
   • Legal Persons/Arrangements: Obtain and verify the legal name, legal form, proof of existence, powers that regulate and bind the legal person/arrangement, and the names of relevant persons holding senior management positions.
   • Beneficial Ownership: Identify and take reasonable measures to verify the identity of the beneficial owner(s) of the customer, including for legal persons, identifying natural persons who ultimately own or control the customer.
2. Purpose and Intended Nature of the Business Relationship: Understand the nature of the customer's activities and the purpose for which they intend to use the VASP's services.
3. Risk-Based Approach:
   • Simplified Due Diligence (SDD): May be applied where the risk of money laundering or terrorist financing is lower (e.g., small, low-value transactions), but the VASP must still be able to identify the customer and monitor transactions.
   • Enhanced Due Diligence (EDD): Must be applied in higher-risk situations, such as:
     • Customers from high-risk jurisdictions.
     • Politically Exposed Persons (PEPs) and their family members/close associates.
     • Complex, unusually large transactions, or unusual patterns of transactions.
     • Transactions involving new products or business practices, and new technologies.
     • Transactions where the identity of the beneficial owner is difficult to ascertain.
     • For VASPs, this would also involve understanding the source of funds/wealth in crypto assets, the nature of associated wallets, and the purpose of large or frequent transfers.
4. Ongoing Due Diligence:
   • Conduct ongoing monitoring of the business relationship and transactions undertaken by the customer to ensure consistency with the VASP's knowledge of the customer, their business, and risk profile.
   • Keep customer identification data up-to-date, especially for high-risk customers.

Suspicious Transaction Reporting (STR) Obligations

Regulated VASPs will be legally obligated to report suspicious transactions to the FIU Sri Lanka. This includes:

• Reporting Threshold: Any transaction (regardless of amount) or attempted transaction where there are reasonable grounds to suspect that it may be linked to money laundering, terrorist financing, or other criminal activities.
• "No Tipping-Off": VASPs and their employees are prohibited from disclosing to the customer or any third party that a STR or related information is being or has been submitted to the FIU.
• Internal Process: VASPs must establish internal procedures for identifying, assessing, and reporting suspicious transactions, including the appointment of a designated AML/Compliance Officer.

Record-Keeping Obligations

In accordance with the FTRA, regulated VASPs will be required to maintain records for a specified period:

• Duration: All records, including customer identification data, account files, business correspondence, and records of transactions, must be maintained for a period of at least six (6) years after the business relationship is terminated or after the transaction is completed.
• Accessibility: Records must be maintained in a manner that allows for rapid retrieval by the FIU or other competent authorities upon request.
• Types of Records: This includes records of all fiat and virtual asset transactions, including sender and recipient information, amounts, dates, and relevant wallet addresses, as well as the underlying CDD documentation.

Other Key AML/CFT Requirements for VASPs (Anticipated)

Beyond CDD, STR, and record-keeping, regulated VASPs will likely need to implement a comprehensive AML/CFT program including:

• Internal Controls and Procedures: Develop and implement internal policies, procedures, and controls to prevent and detect ML/TF.
• Appointment of an AML/Compliance Officer: Designate a senior officer responsible for the VASP's AML/CFT program and for liaising with the FIU.
• Employee Training: Provide ongoing AML/CFT training to all relevant employees, ensuring they are aware of their obligations and can recognize suspicious activities.
• Independent Audit: Establish an independent audit function to test the VASP's AML/CFT system and policies.
• Sanctions Screening: Implement systems to screen customers and transactions against national and international sanctions lists (e.g., UN Security Council Resolutions).
• Travel Rule: As per FATF guidance, regulated VASPs will likely be required to implement the "Travel Rule" for virtual asset transfers, meaning they must obtain and transmit originator and beneficiary information for transactions above a certain threshold.

Important Note: As of late 2023/early 2024, Sri Lanka is actively working on formalizing the regulatory framework for VASPs. While the general AML/CFT laws (PMLA, FTRA, CSTFA) apply broadly, specific VASP licensing requirements and detailed AML/KYC guidelines tailored to virtual assets are expected to be issued by the CBSL in due course. VASPs intending to operate in Sri Lanka should closely monitor announcements from the CBSL and the FIU.