Mongolia

**Partial but Evolving:** Mongolia has moved from an unregulated state to establishing a foundational legal framework for virtual assets, specifically targeting Virtual Asset Service Providers (VASPs). The focus is heavily on AML/CFT compliance, risk management, and consumer protection through licensing. It's considered "partial" as it primarily regulates the *service providers* rather than attempting to regulate every facet of virtual assets or underlying technologies comprehensively at this stage.

**Financial Regulatory Commission (FRC) of Mongolia:**

**Role:** This is the primary regulator responsible for licensing, supervising, and overseeing Virtual Asset Service Providers (VASPs). The FRC defines the scope of virtual asset activities, sets licensing requirements, and monitors compliance with AML/CFT and other regulations.

**URL:** Financial Regulatory Commission of Mongolia (Note: English content might be limited for specific legal documents, but the overall institution and its role are outlined).

**Bank of Mongolia (Central Bank):**

**Role:** While the FRC directly regulates VASPs, the Bank of Mongolia (Central Bank) plays a role in overall monetary policy, financial stability, and broader financial sector supervision. It may collaborate with the FRC on matters relating to digital currencies, payment systems, and any potential systemic risks posed by virtual assets. The Bank of Mongolia has generally cautioned against crypto risks, similar to many central banks.

**URL:** Bank of Mongolia (English section available)

**Financial Information Unit (FIU) of Mongolia (under the General Intelligence Agency):**

**Role:** The FIU is crucial for implementing AML/CFT measures. Licensed VASPs are obligated to report suspicious transactions to the FIU, making it an integral part of the enforcement mechanism.

**Law on Regulation of Virtual Asset Service Providers (VASPs)**

**Date:** Enacted on **December 17, 2021** (effective from January 1, 2022).

**Purpose:** This law establishes the legal framework for the regulation of virtual assets and VASPs in Mongolia. Key provisions include:

**Definition of Virtual Assets:** Specifies what constitutes a virtual asset under Mongolian law.

**Definition of VASP Activities:** Outlines the services requiring a license, such as exchange between virtual assets and fiat currencies, exchange between one or more forms of virtual assets, transfer of virtual assets, safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets, and participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.

**Licensing Requirements:** Mandates that all entities providing VASP services must obtain a license from the FRC.

**AML/CFT Compliance:** Imposes strict AML/CFT obligations on licensed VASPs, including Know Your Customer (KYC) procedures, transaction monitoring, record-keeping, and suspicious transaction reporting to the FIU.

**Risk Management:** Requires VASPs to implement robust risk management systems, cybersecurity measures, and capital adequacy requirements.

**Consumer Protection:** Aims to protect users of VASP services.

**URL:** An official English translation directly from the Mongolian government's legislation portal is often hard to find. However, reputable legal firms and international organizations have analyzed and summarized it. For context, you would typically look at the FRC's "Legal Framework" section or search for legal analyses.

**Law on Anti-Money Laundering and Combating the Financing of Terrorism:**

**Date:** Original law with various amendments (e.g., 2013, 2018, 2021). The VASP law integrates virtual asset service providers into the scope of this existing AML/CFT framework.

**Purpose:** Provides the overarching legal basis for preventing money laundering and terrorist financing activities, which virtual asset regulation now falls under.

**Permitted but Regulated:** Crypto trading and the operation of cryptocurrency exchanges are **legal in Mongolia**, provided they are conducted by entities that have obtained a **license from the Financial Regulatory Commission (FRC)**.

**Licensing is Mandatory:** Any entity wishing to operate as a Virtual Asset Service Provider (VASP) – including crypto exchanges, custodial services, or providers facilitating virtual asset transfers – must go through a rigorous licensing process with the FRC.

**Strict AML/CFT Compliance:** Licensed exchanges and VASPs are subject to strict AML/CFT requirements, including:

**KYC (Know Your Customer):** Verifying the identity of their users.

**Transaction Monitoring:** Monitoring transactions for suspicious activities.

**Record-Keeping:** Maintaining records of transactions and client information.

**Suspicious Transaction Reports (STRs):** Reporting suspicious activities to the FIU.

**Unlicensed Activities are Illegal:** Providing VASP services without the requisite license from the FRC is illegal and can result in penalties.

**User Responsibility:** While trading is permitted, individuals engaging in crypto trading must do so through licensed platforms and are subject to the KYC requirements of these platforms.

**Law on Combating Money Laundering and Terrorism Financing (LMLCFT)**: This is the main AML/CFT law in Mongolia, originally adopted in 2013 and subsequently amended (e.g., in 2018 and 2021) to incorporate FATF recommendations, including those related to virtual assets. It establishes the legal framework for identifying, freezing, and confiscating assets obtained from criminal activities, as well as preventing the financing of terrorism.

*Note:* The Mongolian government, through various bodies, has issued specific regulations and guidance to clarify the application of this law to VASPs.

**Financial Regulatory Commission (FRC) Resolutions and Regulations**: The FRC is the primary regulator for non-banking financial services, including VASPs. They issue specific regulations, resolutions, and licensing requirements that detail how the LMLCFT applies to virtual asset businesses.

For instance, the FRC Resolution No. 278 (2021) outlines detailed VASP licensing requirements, including robust AML/KYC frameworks.

**For Individuals**: Obtain and verify the client's full name, date of birth, place of birth, nationality, permanent address, and unique identification number (e.g., national ID card number, passport number). Verification must be done using reliable, independent source documents, data, or information.

**For Legal Entities**: Obtain and verify the entity's legal name, legal form, registration number, address of registered office, and names of directors/partners. Understand the entity's ownership and control structure.

**Beneficial Ownership (BO)**: Identify and verify the identity of the natural persons who ultimately own or control the customer, as well as the natural persons on whose behalf a transaction is being conducted. For legal entities, this typically involves identifying individuals owning 25% or more of the shares or voting rights, or otherwise exercising control.

**Purpose and Nature of the Business Relationship**: Understand the purpose and intended nature of the business relationship or transaction. This helps assess the risk profile of the customer.

**Ongoing Monitoring**: Continuously monitor the business relationship and transactions undertaken by the customer to ensure they are consistent with the VASP's knowledge of the customer, their business, and risk profile. This includes:

Scrutinizing transactions for unusual or suspicious patterns.

Keeping customer due diligence data up-to-date.

**Risk-Based Approach**: Implement policies and procedures to identify, assess, and understand the money laundering and terrorism financing (ML/TF) risks posed by customers, products, services, transactions, and delivery channels.

**Enhanced Due Diligence (EDD)**: Apply EDD measures for higher-risk customers (e.g., politically exposed persons - PEPs, customers from high-risk jurisdictions, complex structures) and transactions. This may involve obtaining additional information on the customer, sources of funds/wealth, and the reasons for the intended transactions.

**Simplified Due Diligence (SDD)**: May be applied in strictly defined low-risk scenarios, as permitted by regulations.

**Screening**: Screen customers against national and international sanctions lists (e.g., UN Security Council sanctions) and internal watchlists.

**Reporting Threshold**: Report any transaction (regardless of amount) or attempted transaction that the VASP knows, suspects, or has reasonable grounds to suspect is related to money laundering or terrorism financing.

**Reporting Body**: All STRs must be submitted to the **Financial Information Unit (FIU) of Mongolia**.

**Timing**: Reports must be filed promptly, without undue delay, typically within a few working days of forming a suspicion.

**Contents**: STRs must contain comprehensive details of the parties involved, the transaction(s), the reasons for suspicion, and any supporting documentation.

**No Tipping-Off**: VASPs and their employees are prohibited from disclosing to the customer or any third party that a report has been or will be made (i.e., "tipping-off").

**CDD Records**: All documents and data obtained through the CDD process (e.g., copies of identification documents, beneficial ownership information).

**Transaction Records**: Records of all virtual asset transactions, including amounts, types of virtual assets, sender and receiver addresses, timestamps, and any relevant metadata.

**Analysis Records**: Records of any internal inquiries, risk assessments, and the rationale behind decisions regarding customer risk categorization or suspicious activity.

**STRs and Communications**: Copies of all submitted STRs and any related communications with the FIU or other authorities.

**Retention Period**: Records must be kept for a minimum of **5 years** after the business relationship has ended or after the date of an occasional transaction.

**Financial Regulatory Commission (FRC) of Mongolia**:

**Role**: The FRC is responsible for licensing, supervising, and regulating VASPs in Mongolia. It sets the specific regulatory requirements for VASPs, including their AML/KYC obligations, and conducts compliance oversight.

**Financial Information Unit (FIU) of Mongolia**:

**Role**: The FIU is the national center for receiving, analyzing, and disseminating suspicious transaction reports and other financial intelligence concerning potential money laundering and terrorism financing. While it doesn't directly regulate VASPs, it is the recipient of all STRs and plays a crucial role in the overall AML/CFT ecosystem.

**URL**: http://www.fiu.mn/ (Note: This link can sometimes be slow to load or in Mongolian only. Search for "Financial Information Unit Mongolia" for alternative access.)

**No specific "custody license" exists distinct from a broader VASP license/registration.**

Entities providing virtual asset services, which would include custody, are generally expected to comply with the AML/CFT Law. This means they are likely classified as **Virtual Asset Service Providers (VASPs)**.

**VASP Registration/Licensing:** Under the AML/CFT framework, VASPs are subject to registration or licensing requirements with the FRC and are obligated to implement robust AML/CFT programs. This includes customer due diligence (CDD), record-keeping, and suspicious transaction reporting (STRs).

**Specific Legal Basis:** The amendments to the Law on Anti-Money Laundering and Combating Terrorism Financing (date of amendment for virtual assets is generally understood to be around 2020-2021) are the primary source for VASP obligations. Detailed regulations or implementing acts by the FRC would further specify the registration process and requirements.

**FRC Website (English):** https://www.frc.mn/ (While the English site provides general information, specific legislative texts might be more readily available in Mongolian or through legal counsel.)

**Bank of Mongolia (English):** https://www.mongolbank.mn/ (For general warnings and policy statements, though FRC is the VASP regulator).

**Limited Specificity:** Current public information does not indicate highly specific, legally mandated rules for the segregation of client digital assets from the custodian's own assets, such as those found in highly developed jurisdictions (e.g., trust structures, insolvency-remote vehicles).

**General Fiduciary Duty/Best Practice:** While not explicitly mandated by crypto-specific law, general principles of financial regulation and good corporate governance would imply that client assets should be clearly identifiable and separated from operational funds. However, specific legal mechanisms to ensure this in the event of custodian insolvency are unlikely to be detailed in the existing AML/CFT-focused framework.

**No Specific Mandates:** There are no publicly known specific regulatory mandates in Mongolia for digital asset custodians to hold insurance or bonding for potential losses or hacks.

**Market Practice:** Any such requirements would typically emerge as the market matures and comprehensive prudential regulations are introduced.

**No Specific Mandates:** Mongolian regulations do not currently mandate the use of cold storage (offline storage) for a specific percentage or amount of client digital assets.

**Operational Security:** While cold storage is considered a best practice for security in the crypto industry, its specific implementation details are typically left to the operational discretion and risk management policies of the VASP, rather than being a direct regulatory requirement.

**No Dedicated Definition:** Mongolia's regulatory framework does not appear to have a specific, separate legal definition of a "qualified custodian" for digital assets, distinct from the broader definition of a "Virtual Asset Service Provider (VASP)" or other regulated financial entities.

**VASP as the Regulated Entity:** Any entity providing custody services for virtual assets would fall under the VASP definition and be subject to the corresponding AML/CFT obligations. The FRC would likely assess the fitness and propriety of such an entity during the registration/licensing process.

**Ongoing Development:** The FRC has expressed intentions to further develop the regulatory framework for virtual assets to promote a secure and transparent market environment. This generally implies a continuous process of legislative and regulatory refinement.

**No Specific "Custody Law" Announced:** As of now, there is no public announcement of distinct, pending legislation solely focused on digital asset custody, separate from the broader VASP and AML/CFT framework. Any future developments are more likely to come in the form of amendments to existing laws, new implementing regulations issued by the FRC, or a more comprehensive virtual asset law that might include specific custody provisions.

**FATF Influence:** Mongolia, as a country subject to FATF standards, will continue to face pressure to align its VASP regulations with global best practices, which could eventually lead to more detailed requirements for custody.

Dedicated custodial licensing distinct from broader VASP registration.

Explicit rules for the segregation of client assets.

A distinct legal definition of a "qualified custodian."

**Adopted.** Mongolia passed comprehensive legislation for virtual asset service providers (VASPs) that incorporates the FATF Travel Rule requirements.

The **Law on Virtual Asset Service Providers (VASP Law)** was passed by the Mongolian Parliament on June 17, 2022.

It came into effect on **December 1, 2022**.

The **Financial Regulatory Commission (FRC) of Mongolia** is the primary regulator for VASPs and is responsible for licensing, supervision, and enforcement.

The Mongolian VASP Law implements the Travel Rule with a specific threshold.

**Article 11.1.2** of the VASP Law mandates that VASPs must collect and transmit originator and beneficiary information for virtual asset transactions that **exceed MNT 3,000,000** (Mongolian Tugrik).

*Note:* As of late 2023/early 2024, MNT 3,000,000 is approximately USD 880 - USD 900, which is lower than the FATF's recommended €1,000 threshold for cross-border transfers, indicating a stricter approach. For transactions below this threshold, simplified information requirements may apply.

The VASP Law broadly covers entities engaged in virtual asset services. **Article 4.1** defines a VASP as an entity that, on behalf of another natural or legal person, conducts any of the following activities:

Exchange between virtual assets and fiat currencies.

Exchange between one or more forms of virtual assets.

Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets.

Participation in and provision of financial services related to an issuer's offer and/or sale of a virtual asset.

All VASPs operating in Mongolia are required to be licensed by the FRC and adhere to the VASP Law and related regulations.

While the law itself doesn't specify particular technical solutions (like TRISA, OpenVASP, etc.), it mandates the *outcome* of technical implementation. VASPs must:

**Collect and store:** Required originator and beneficiary information accurately for all relevant transactions (above the MNT 3,000,000 threshold).

**Transmit:** This information to the beneficiary VASP during or before the transaction.

**Verify:** The identity of their customers (KYC/CDD) to ensure the accuracy of the collected information.

**Monitor:** For suspicious transactions and report them to the Financial Information Unit (FIU) of Mongolia.

**Comply with AML/CFT policies:** Establish internal policies, procedures, and controls to prevent money laundering and terrorist financing.

The FRC is expected to issue further regulations or guidelines to clarify technical and operational aspects, but the core requirement is for VASPs to have systems capable of securely handling and transmitting this data.

The VASP Law includes provisions for liabilities and fines for non-compliance. **Article 20 (Liabilities and Fines)** outlines various penalties:

**Operating without a license:** Considered a criminal offense, potentially leading to significant fines and/or imprisonment.

**Non-compliance with VASP obligations:** (including Travel Rule requirements, KYC, record-keeping, reporting, etc.) can result in administrative fines for both the VASP entity and responsible individuals.

Fines typically range from MNT 10,000,000 (approx. USD 2,900) to MNT 50,000,000 (approx. USD 14,700) for legal entities, and MNT 1,000,000 to MNT 5,000,000 for individuals, depending on the severity and nature of the violation.

**License revocation:** The FRC has the power to suspend or revoke a VASP's license for serious or repeated breaches of the law.

**Other administrative measures:** The FRC can impose other sanctions, such as written warnings, orders to cease certain activities, or appointment of temporary managers.

**Law on Virtual Asset Service Providers (VASP Law) of Mongolia (2022):**

While an official English translation directly on the FRC website can be challenging to locate, the law itself (in Mongolian) is the primary source. Reliable summaries are often provided by legal firms.

**Summary/Analysis:** EY Report on Mongolia VASP Law (often provides good summaries): https://www.ey.com/en_mn/financial-services/mongolia-s-new-law-on-virtual-asset-service-providers

**FRC News Release (referencing the law):** Look for news releases around June-December 2022 on the FRC website.

Financial Regulatory Commission (FRC) Mongolia Official Website: https://www.frc.mn/en/ (Navigate to "Laws and Regulations" or "News" for relevant announcements).

The basis for the Travel Rule: https://www.fatf-gafi.org/recommendations.html

Guidance for Virtual Assets and VASPs: https://www.fatf-gafi.org/content/fatf-gafi/en/guidance/Guidance-Virtual-Assets-VASPs.html

**Compliance Requirement:** Mongolia is a member state of the UN and is thus legally bound to implement all sanctions regimes imposed by the UNSC. These include targeted sanctions against individuals and entities involved in terrorism financing, proliferation of weapons of mass destruction (WMD), and other threats to international peace and security.

**VASP Obligation:** VASPs operating in Mongolia must screen all their customers and transactions against the UN Consolidated Sanctions List. This list includes individuals, groups, undertakings, and entities subject to asset freezes, travel bans, and arms embargoes.

**Legal Basis:** The implementation of UNSC resolutions is typically embedded in a country's national Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) laws.

**UN Security Council Sanctions Committees:** https://www.un.org/securitycouncil/sanctions/committees

**UN Consolidated Sanctions List:** https://www.un.org/securitycouncil/content/un-sc-consolidated-list

**OFAC (U.S. Department of the Treasury's Office of Foreign Assets Control) Sanctions:**

**Compliance Requirement:** While OFAC sanctions are primarily U.S. law, their impact is global due to the dominance of the U.S. dollar in international finance and the broad reach of U.S. jurisdiction. Non-U.S. entities, including VASPs in Mongolia, can face secondary sanctions or de-risking by correspondent banks if they engage in transactions involving OFAC-sanctioned persons or entities, even if those transactions don't directly touch the U.S. financial system.

**VASP Obligation:** For international operations and to maintain access to the global financial system, VASPs in Mongolia are strongly advised to screen against OFAC's Specially Designated Nationals (SDN) and Blocked Persons List, as well as other OFAC sanctions lists.

**OFAC Sanctions Lists (including SDN List):** https://home.treasury.gov/policy-issues/financial-sanctions/sanctions-list-tool

**Compliance Requirement:** Similar to OFAC, EU sanctions apply primarily to EU entities, but their impact extends globally through trade and financial relationships. VASPs engaging with European partners or clients would need to be aware of and comply with EU sanctions.

**VASP Obligation:** VASPs with international aspirations or European connections should screen against the EU Consolidated Sanctions List.

**Law on Combating Money Laundering and Terrorism Financing (AML/CFT Law):**

**Core Legislation:** This is the primary law governing AML/CFT obligations in Mongolia. It mandates financial institutions and designated non-financial businesses and professions (DNFBPs) to implement customer due diligence (CDD), monitor transactions, and report suspicious activities.

**VASP Inclusion:** While the initial law might not have explicitly mentioned VASPs, the global trend, driven by FATF recommendations, is to include them as "reporting entities" or "obliged entities." The Financial Regulatory Commission (FRC) of Mongolia has been actively working on regulations for virtual assets. Once licensed and regulated, VASPs will fall under the purview of this law.

**Sanctions Compliance:** The AML/CFT Law inherently requires compliance with international sanctions, especially UN resolutions, as a core component of combating terrorism financing and proliferation financing.

**Financial Intelligence Unit of Mongolia (MFIU):** http://fiu.mn/ (primarily in Mongolian, but provides an institutional reference)

**Regulatory Body:** The FRC is the primary regulator for non-bank financial institutions and is expected to oversee VASPs. It has been exploring and developing regulations for crypto assets.

**VASP Licensing & Obligations:** Once a VASP licensing regime is fully established by the FRC, licensed entities will be subject to stringent AML/CFT and sanctions compliance requirements as part of their operational obligations.

**Financial Regulatory Commission of Mongolia (FRC):** https://www.frc.mn/ (primarily in Mongolian, but is the official source for financial regulation)

**Before/During Transactions:** VASPs must implement robust systems to screen all prospective and existing customers (individuals and entities), beneficial owners, and transactions against relevant national and international sanctions lists (UN, OFAC, EU).

**Real-time Screening:** For high-risk transactions or continuously monitored accounts, real-time or near real-time screening may be required.

**Adverse Media Screening:** Screening for adverse media related to sanctions breaches or criminal activity is also a best practice.

**Technology Solutions:** VASPs are expected to utilize technology solutions for automated screening and monitoring to ensure efficiency and accuracy.

**Implicit from Sanctions:** Geographic restrictions are implicitly applied through the sanctions lists themselves. VASPs must not conduct transactions directly or indirectly with individuals, entities, or in jurisdictions subject to comprehensive sanctions (e.g., North Korea, Iran, parts of Russia, Cuba, Syria, Venezuela, etc., depending on the specific sanction regime).

**Risk-Based Approach:** VASPs must adopt a risk-based approach, applying enhanced due diligence to transactions involving high-risk jurisdictions or those with known AML/CFT deficiencies as identified by FATF.

**Internal Controls:** VASPs must establish comprehensive AML/CFT and sanctions compliance programs, including written policies and procedures, internal controls, and designated compliance officers.

**Training:** Regular training for all relevant staff on AML/CFT and sanctions compliance obligations is essential.

**Independent Audit:** Periodic independent audits of the compliance program to ensure effectiveness.

**Suspicious Transaction Reports (STRs):** VASPs must report any suspicious transactions or activities, including attempted transactions by sanctioned entities, to the Financial Intelligence Unit of Mongolia (MFIU).

**Freezing of Assets:** If a VASP identifies funds or virtual assets belonging to a sanctioned individual or entity, it must immediately freeze those assets and report the incident to the MFIU without prior notification to the customer (tipping-off is prohibited).

**No Dedicated Crypto-Specific Sanctions List:** Mongolia does not currently maintain a separate "crypto-specific" sanctions list.

**Application of General Lists:** Any national sanctions lists that Mongolia might maintain (e.g., a list of domestic terrorists or proliferators, if distinct from the UN list) would apply to *all* financial transactions, including those involving cryptocurrencies, once VASPs are fully integrated into the financial regulatory framework. The AML/CFT Law generally mandates the implementation of UN Security Council resolutions.

**Administrative Penalties:** Fines, revocation of licenses (once a licensing regime is in place for VASPs), and restrictions on operations.

**Civil Penalties:** Lawsuits for damages.

**Criminal Penalties:** Imprisonment for individuals involved in serious breaches, particularly those related to money laundering, terrorism financing, or proliferation financing.

**Legal Basis:** Penalties would be outlined in the Law on Combating Money Laundering and Terrorism Financing and the Mongolian Criminal Code.