Sri Lanka -- Licensing Requirements Regulatory Overview

**The Prevention of Money Laundering Act, No. 5 of 2006 (PMLA):** This Act criminalizes money laundering and establishes the legal framework for its prevention.

**The Financial Transactions Reporting Act, No. 6 of 2006 (FTRA):** This Act mandates reporting institutions (which would include regulated VASPs) to report suspicious transactions and sets out customer due diligence (CDD) and record-keeping requirements. It also established the Financial Intelligence Unit (FIU).

**The Convention on the Suppression of Terrorist Financing Act, No. 25 of 2005 (CSTFA):** This Act criminalizes terrorist financing and implements the international convention.

**Financial Intelligence Unit (FIU) of Sri Lanka:**

**Role:** The FIU acts as the central national agency for receiving, analyzing, and disseminating financial information concerning suspected proceeds of crime and terrorist financing. It is responsible for enforcing compliance with AML/CFT laws by reporting institutions.

**Central Bank of Sri Lanka (CBSL):**

**Role:** The CBSL has been involved in discussions regarding the regulation of VASPs and is expected to develop the licensing framework and supervise VASPs for both financial stability and AML/CFT compliance.

**Identification and Verification of Customers:**

**Individuals:** Obtain and verify the customer's full name, permanent address, date of birth, nationality, and a unique identification number (e.g., National Identity Card (NIC) number, passport number). Verification must be done using reliable, independent source documents, data, or information.

**Legal Persons/Arrangements:** Obtain and verify the legal name, legal form, proof of existence, powers that regulate and bind the legal person/arrangement, and the names of relevant persons holding senior management positions.

**Beneficial Ownership:** Identify and take reasonable measures to verify the identity of the beneficial owner(s) of the customer, including for legal persons, identifying natural persons who ultimately own or control the customer.

**Purpose and Intended Nature of the Business Relationship:** Understand the nature of the customer's activities and the purpose for which they intend to use the VASP's services.

**Simplified Due Diligence (SDD):** May be applied where the risk of money laundering or terrorist financing is lower (e.g., small, low-value transactions), but the VASP must still be able to identify the customer and monitor transactions.

**Enhanced Due Diligence (EDD):** Must be applied in higher-risk situations, such as:

Politically Exposed Persons (PEPs) and their family members/close associates.

Complex, unusually large transactions, or unusual patterns of transactions.

Transactions involving new products or business practices, and new technologies.

Transactions where the identity of the beneficial owner is difficult to ascertain.

For VASPs, this would also involve understanding the source of funds/wealth in crypto assets, the nature of associated wallets, and the purpose of large or frequent transfers.

Conduct ongoing monitoring of the business relationship and transactions undertaken by the customer to ensure consistency with the VASP's knowledge of the customer, their business, and risk profile.

Keep customer identification data up-to-date, especially for high-risk customers.

**Reporting Threshold:** Any transaction (regardless of amount) or attempted transaction where there are reasonable grounds to suspect that it may be linked to money laundering, terrorist financing, or other criminal activities.

**"No Tipping-Off":** VASPs and their employees are prohibited from disclosing to the customer or any third party that a STR or related information is being or has been submitted to the FIU.

**Internal Process:** VASPs must establish internal procedures for identifying, assessing, and reporting suspicious transactions, including the appointment of a designated AML/Compliance Officer.

**Duration:** All records, including customer identification data, account files, business correspondence, and records of transactions, must be maintained for a period of **at least six (6) years** after the business relationship is terminated or after the transaction is completed.

**Accessibility:** Records must be maintained in a manner that allows for rapid retrieval by the FIU or other competent authorities upon request.

**Types of Records:** This includes records of all fiat and virtual asset transactions, including sender and recipient information, amounts, dates, and relevant wallet addresses, as well as the underlying CDD documentation.

**Internal Controls and Procedures:** Develop and implement internal policies, procedures, and controls to prevent and detect ML/TF.

**Appointment of an AML/Compliance Officer:** Designate a senior officer responsible for the VASP's AML/CFT program and for liaising with the FIU.

**Employee Training:** Provide ongoing AML/CFT training to all relevant employees, ensuring they are aware of their obligations and can recognize suspicious activities.

**Independent Audit:** Establish an independent audit function to test the VASP's AML/CFT system and policies.

**Sanctions Screening:** Implement systems to screen customers and transactions against national and international sanctions lists (e.g., UN Security Council Resolutions).

**Travel Rule:** As per FATF guidance, regulated VASPs will likely be required to implement the "Travel Rule" for virtual asset transfers, meaning they must obtain and transmit originator and beneficiary information for transactions above a certain threshold.