Libya -- AML/CFT Compliance Regulatory Overview

It's crucial to preface this by stating that the regulatory landscape for cryptocurrencies and virtual assets in Libya is highly restrictive and largely undefined, making the existence of legally recognized and licensed Virtual Asset Service Providers (VASPs) unlikely at present. The Central Bank of Libya (CBL) has historically maintained a very cautious, if not outright prohibitive, stance on cryptocurrencies.

Therefore, while Libya has general Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) legislation, it does not currently contain a specific, comprehensive framework for the licensing, operation, and AML/KYC compliance of VASPs. Any entity operating with virtual assets in Libya would face significant legal and operational risks.

Below, we outline the general AML/CFT requirements that would hypothetically apply to VASPs if they were to be regulated, based on Libya's existing AML/CFT framework and international standards (like those from the Financial Action Task Force - FATF) which Libya strives to implement.

AML/KYC Requirements for Cryptocurrency/Virtual Asset Service Providers in Libya (Hypothetical)

Current Status of Virtual Assets in Libya:

The Central Bank of Libya (CBL) has previously issued statements or circulars warning against the use of cryptocurrencies due to their volatility, lack of regulation, and potential for use in illicit activities. As of the latest information, there is no official framework for the legal recognition, licensing, or operation of VASPs. This means that, in practice, specific AML/KYC requirements for licensed VASPs do not exist because such entities are not officially permitted or regulated.

If VASPs were to be legalized and regulated in the future, the general AML/CFT laws would apply, and specific regulations would likely be issued by the Central Bank of Libya or another designated authority, closely mirroring FATF Recommendations.

1. AML/CFT Legislation:

Libya's primary AML/CFT legislation is:

• Law No. 1 of 2021 on Anti-Money Laundering and Combating the Financing of Terrorism (Amending and replacing earlier laws like Law No. 2 of 2005).
  • This law establishes the general framework for combating money laundering and terrorist financing, defining predicate offenses, specifying obligations for financial institutions and designated non-financial businesses and professions (DNFBPs), and outlining penalties. While it does not specifically mention "virtual assets" or "VASPs," its general provisions on financial transactions and illicit funds would apply to any entity processing value.

2. Customer Due Diligence (CDD) Requirements (Applied Generally to Financial Institutions):

If VASPs were subject to regulation, they would likely be required to implement CDD measures similar to those for traditional financial institutions, including:

• Identification and Verification:
  • For Individuals: Obtaining and verifying name, permanent address, date of birth, nationality, and official identification documents (e.g., national ID, passport).
  • For Legal Entities/Arrangements: Obtaining and verifying name, legal form, proof of existence, powers that regulate and bind the entity, and the names of relevant persons having a senior management position.
• Beneficial Ownership: Identifying and verifying the ultimate beneficial owner (UBO) of customers who are legal entities or arrangements, typically individuals who own or control 25% or more of the entity's shares or voting rights, or otherwise exercise control through other means.
• Purpose and Nature of Business Relationship: Understanding the purpose and intended nature of the business relationship or occasional transaction.
• Ongoing Monitoring: Conducting ongoing due diligence on the business relationship and scrutiny of transactions undertaken throughout the course of that relationship, to ensure that the transactions are consistent with the obliged entity’s knowledge of the customer, their business, and risk profile.
• Risk-Based Approach: Applying CDD measures based on a risk assessment of the customer, business relationship, or transaction. Enhanced Due Diligence (EDD) would be required for higher-risk situations, such as:
  • Politically Exposed Persons (PEPs).
  • Customers from or in high-risk jurisdictions.
  • Complex, unusually large transactions, or unusual patterns of transactions that have no apparent economic or visible lawful purpose.
  • Transactions involving new technologies or products that favor anonymity.

3. Suspicious Transaction Reporting (STR):

• VASPs, if regulated, would be obliged to report any suspicious transactions to the Financial Intelligence Unit (FIU).
• Reporting Obligation: Any transaction, attempted transaction, or activity that raises suspicions of money laundering or terrorist financing must be reported promptly.
• No Tipping-Off: Prohibitions on "tipping off" the customer or any third party that an STR has been made or that a money laundering/terrorist financing investigation is underway.
• Internal Controls: Implementation of internal policies, procedures, and controls for identifying and reporting suspicious activities.

4. Record-Keeping Obligations:

VASPs would be required to maintain records for a specified period, typically a minimum of five (5) years, including:

• Customer Due Diligence Records: All documents and information obtained during the CDD process (identification documents, beneficial ownership information).
• Transaction Records: Records of all transactions, including amounts, currencies, dates, and parties involved. This would be particularly critical for virtual asset transactions, including blockchain addresses.
• STRs: Copies of all suspicious transaction reports submitted.
• Account Files and Business Correspondence: Relevant documentation related to customer accounts and business relationships.

5. Oversight Authority:

Given the current legal framework, if VASPs were to be regulated, the oversight would likely fall under existing financial regulators and law enforcement:

• Central Bank of Libya (CBL):
  • Role: The primary regulatory and supervisory authority for financial institutions in Libya. If VASPs were legalized, the CBL would likely be responsible for their licensing, supervision, and enforcement of AML/CFT compliance.
  • Website: http://www.cbl.gov.ly/ (Note: Accessibility and content may vary due to the political situation.)
• Libyan Financial Intelligence Unit (LFIU):
  • Role: The national center for receiving, analyzing, and disseminating suspicious transaction reports (STRs) to relevant law enforcement agencies.
  • Website: Information on the LFIU is often integrated into Central Bank or Ministry of Justice reporting, a direct public-facing website specifically for the LFIU may not be readily available or consistently updated externally. You might find references to it on the Egmont Group website if Libya is a member. The LFIU operates under the framework established by the AML/CFT Law.

Conclusion:

Operating a cryptocurrency/virtual asset service in Libya carries significant legal and regulatory risks due to the absence of a clear legal framework and the prohibitive stance of the Central Bank of Libya. While general AML/CFT laws exist, specific regulations for VASPs and their compliance obligations are not established. Any entity attempting to provide VASP services in Libya would operate in a highly ambiguous and potentially illegal environment, subject to the general provisions of the AML/CFT Law and the discretion of authorities without clear guidelines for their specific business model.

It is strongly advised to seek local legal counsel in Libya for the most current and accurate interpretation of laws and regulations before attempting any virtual asset related business.