Mongolia -- AML/CFT Compliance Regulatory Overview

**Law on Combating Money Laundering and Terrorism Financing (LMLCFT)**: This is the main AML/CFT law in Mongolia, originally adopted in 2013 and subsequently amended (e.g., in 2018 and 2021) to incorporate FATF recommendations, including those related to virtual assets. It establishes the legal framework for identifying, freezing, and confiscating assets obtained from criminal activities, as well as preventing the financing of terrorism.

*Note:* The Mongolian government, through various bodies, has issued specific regulations and guidance to clarify the application of this law to VASPs.

**Financial Regulatory Commission (FRC) Resolutions and Regulations**: The FRC is the primary regulator for non-banking financial services, including VASPs. They issue specific regulations, resolutions, and licensing requirements that detail how the LMLCFT applies to virtual asset businesses.

For instance, the FRC Resolution No. 278 (2021) outlines detailed VASP licensing requirements, including robust AML/KYC frameworks.

**For Individuals**: Obtain and verify the client's full name, date of birth, place of birth, nationality, permanent address, and unique identification number (e.g., national ID card number, passport number). Verification must be done using reliable, independent source documents, data, or information.

**For Legal Entities**: Obtain and verify the entity's legal name, legal form, registration number, address of registered office, and names of directors/partners. Understand the entity's ownership and control structure.

**Beneficial Ownership (BO)**: Identify and verify the identity of the natural persons who ultimately own or control the customer, as well as the natural persons on whose behalf a transaction is being conducted. For legal entities, this typically involves identifying individuals owning 25% or more of the shares or voting rights, or otherwise exercising control.

**Purpose and Nature of the Business Relationship**: Understand the purpose and intended nature of the business relationship or transaction. This helps assess the risk profile of the customer.

**Ongoing Monitoring**: Continuously monitor the business relationship and transactions undertaken by the customer to ensure they are consistent with the VASP's knowledge of the customer, their business, and risk profile. This includes:

Scrutinizing transactions for unusual or suspicious patterns.

Keeping customer due diligence data up-to-date.

**Risk-Based Approach**: Implement policies and procedures to identify, assess, and understand the money laundering and terrorism financing (ML/TF) risks posed by customers, products, services, transactions, and delivery channels.

**Enhanced Due Diligence (EDD)**: Apply EDD measures for higher-risk customers (e.g., politically exposed persons - PEPs, customers from high-risk jurisdictions, complex structures) and transactions. This may involve obtaining additional information on the customer, sources of funds/wealth, and the reasons for the intended transactions.

**Simplified Due Diligence (SDD)**: May be applied in strictly defined low-risk scenarios, as permitted by regulations.

**Screening**: Screen customers against national and international sanctions lists (e.g., UN Security Council sanctions) and internal watchlists.

**Reporting Threshold**: Report any transaction (regardless of amount) or attempted transaction that the VASP knows, suspects, or has reasonable grounds to suspect is related to money laundering or terrorism financing.

**Reporting Body**: All STRs must be submitted to the **Financial Information Unit (FIU) of Mongolia**.

**Timing**: Reports must be filed promptly, without undue delay, typically within a few working days of forming a suspicion.

**Contents**: STRs must contain comprehensive details of the parties involved, the transaction(s), the reasons for suspicion, and any supporting documentation.

**No Tipping-Off**: VASPs and their employees are prohibited from disclosing to the customer or any third party that a report has been or will be made (i.e., "tipping-off").

**CDD Records**: All documents and data obtained through the CDD process (e.g., copies of identification documents, beneficial ownership information).

**Transaction Records**: Records of all virtual asset transactions, including amounts, types of virtual assets, sender and receiver addresses, timestamps, and any relevant metadata.

**Analysis Records**: Records of any internal inquiries, risk assessments, and the rationale behind decisions regarding customer risk categorization or suspicious activity.

**STRs and Communications**: Copies of all submitted STRs and any related communications with the FIU or other authorities.

**Retention Period**: Records must be kept for a minimum of **5 years** after the business relationship has ended or after the date of an occasional transaction.

**Financial Regulatory Commission (FRC) of Mongolia**:

**Role**: The FRC is responsible for licensing, supervising, and regulating VASPs in Mongolia. It sets the specific regulatory requirements for VASPs, including their AML/KYC obligations, and conducts compliance oversight.

**Financial Information Unit (FIU) of Mongolia**:

**Role**: The FIU is the national center for receiving, analyzing, and disseminating suspicious transaction reports and other financial intelligence concerning potential money laundering and terrorism financing. While it doesn't directly regulate VASPs, it is the recipient of all STRs and plays a crucial role in the overall AML/CFT ecosystem.

**URL**: http://www.fiu.mn/ (Note: This link can sometimes be slow to load or in Mongolian only. Search for "Financial Information Unit Mongolia" for alternative access.)

**No specific "custody license" exists distinct from a broader VASP license/registration.**

Entities providing virtual asset services, which would include custody, are generally expected to comply with the AML/CFT Law. This means they are likely classified as **Virtual Asset Service Providers (VASPs)**.

**VASP Registration/Licensing:** Under the AML/CFT framework, VASPs are subject to registration or licensing requirements with the FRC and are obligated to implement robust AML/CFT programs. This includes customer due diligence (CDD), record-keeping, and suspicious transaction reporting (STRs).

**Specific Legal Basis:** The amendments to the Law on Anti-Money Laundering and Combating Terrorism Financing (date of amendment for virtual assets is generally understood to be around 2020-2021) are the primary source for VASP obligations. Detailed regulations or implementing acts by the FRC would further specify the registration process and requirements.

**FRC Website (English):** https://www.frc.mn/ (While the English site provides general information, specific legislative texts might be more readily available in Mongolian or through legal counsel.)

**Bank of Mongolia (English):** https://www.mongolbank.mn/ (For general warnings and policy statements, though FRC is the VASP regulator).

**Limited Specificity:** Current public information does not indicate highly specific, legally mandated rules for the segregation of client digital assets from the custodian's own assets, such as those found in highly developed jurisdictions (e.g., trust structures, insolvency-remote vehicles).

**General Fiduciary Duty/Best Practice:** While not explicitly mandated by crypto-specific law, general principles of financial regulation and good corporate governance would imply that client assets should be clearly identifiable and separated from operational funds. However, specific legal mechanisms to ensure this in the event of custodian insolvency are unlikely to be detailed in the existing AML/CFT-focused framework.

**No Specific Mandates:** There are no publicly known specific regulatory mandates in Mongolia for digital asset custodians to hold insurance or bonding for potential losses or hacks.

**Market Practice:** Any such requirements would typically emerge as the market matures and comprehensive prudential regulations are introduced.

**No Specific Mandates:** Mongolian regulations do not currently mandate the use of cold storage (offline storage) for a specific percentage or amount of client digital assets.

**Operational Security:** While cold storage is considered a best practice for security in the crypto industry, its specific implementation details are typically left to the operational discretion and risk management policies of the VASP, rather than being a direct regulatory requirement.

**No Dedicated Definition:** Mongolia's regulatory framework does not appear to have a specific, separate legal definition of a "qualified custodian" for digital assets, distinct from the broader definition of a "Virtual Asset Service Provider (VASP)" or other regulated financial entities.

**VASP as the Regulated Entity:** Any entity providing custody services for virtual assets would fall under the VASP definition and be subject to the corresponding AML/CFT obligations. The FRC would likely assess the fitness and propriety of such an entity during the registration/licensing process.

**Ongoing Development:** The FRC has expressed intentions to further develop the regulatory framework for virtual assets to promote a secure and transparent market environment. This generally implies a continuous process of legislative and regulatory refinement.

**No Specific "Custody Law" Announced:** As of now, there is no public announcement of distinct, pending legislation solely focused on digital asset custody, separate from the broader VASP and AML/CFT framework. Any future developments are more likely to come in the form of amendments to existing laws, new implementing regulations issued by the FRC, or a more comprehensive virtual asset law that might include specific custody provisions.

**FATF Influence:** Mongolia, as a country subject to FATF standards, will continue to face pressure to align its VASP regulations with global best practices, which could eventually lead to more detailed requirements for custody.

Dedicated custodial licensing distinct from broader VASP registration.

Explicit rules for the segregation of client assets.

A distinct legal definition of a "qualified custodian."

**Adopted.** Mongolia passed comprehensive legislation for virtual asset service providers (VASPs) that incorporates the FATF Travel Rule requirements.

The **Law on Virtual Asset Service Providers (VASP Law)** was passed by the Mongolian Parliament on June 17, 2022.

It came into effect on **December 1, 2022**.

The **Financial Regulatory Commission (FRC) of Mongolia** is the primary regulator for VASPs and is responsible for licensing, supervision, and enforcement.

The Mongolian VASP Law implements the Travel Rule with a specific threshold.

**Article 11.1.2** of the VASP Law mandates that VASPs must collect and transmit originator and beneficiary information for virtual asset transactions that **exceed MNT 3,000,000** (Mongolian Tugrik).

*Note:* As of late 2023/early 2024, MNT 3,000,000 is approximately USD 880 - USD 900, which is lower than the FATF's recommended €1,000 threshold for cross-border transfers, indicating a stricter approach. For transactions below this threshold, simplified information requirements may apply.

The VASP Law broadly covers entities engaged in virtual asset services. **Article 4.1** defines a VASP as an entity that, on behalf of another natural or legal person, conducts any of the following activities:

Exchange between virtual assets and fiat currencies.

Exchange between one or more forms of virtual assets.

Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets.

Participation in and provision of financial services related to an issuer's offer and/or sale of a virtual asset.

All VASPs operating in Mongolia are required to be licensed by the FRC and adhere to the VASP Law and related regulations.

While the law itself doesn't specify particular technical solutions (like TRISA, OpenVASP, etc.), it mandates the *outcome* of technical implementation. VASPs must:

**Collect and store:** Required originator and beneficiary information accurately for all relevant transactions (above the MNT 3,000,000 threshold).

**Transmit:** This information to the beneficiary VASP during or before the transaction.

**Verify:** The identity of their customers (KYC/CDD) to ensure the accuracy of the collected information.

**Monitor:** For suspicious transactions and report them to the Financial Information Unit (FIU) of Mongolia.

**Comply with AML/CFT policies:** Establish internal policies, procedures, and controls to prevent money laundering and terrorist financing.

The FRC is expected to issue further regulations or guidelines to clarify technical and operational aspects, but the core requirement is for VASPs to have systems capable of securely handling and transmitting this data.

The VASP Law includes provisions for liabilities and fines for non-compliance. **Article 20 (Liabilities and Fines)** outlines various penalties:

**Operating without a license:** Considered a criminal offense, potentially leading to significant fines and/or imprisonment.

**Non-compliance with VASP obligations:** (including Travel Rule requirements, KYC, record-keeping, reporting, etc.) can result in administrative fines for both the VASP entity and responsible individuals.

Fines typically range from MNT 10,000,000 (approx. USD 2,900) to MNT 50,000,000 (approx. USD 14,700) for legal entities, and MNT 1,000,000 to MNT 5,000,000 for individuals, depending on the severity and nature of the violation.

**License revocation:** The FRC has the power to suspend or revoke a VASP's license for serious or repeated breaches of the law.

**Other administrative measures:** The FRC can impose other sanctions, such as written warnings, orders to cease certain activities, or appointment of temporary managers.

**Law on Virtual Asset Service Providers (VASP Law) of Mongolia (2022):**

While an official English translation directly on the FRC website can be challenging to locate, the law itself (in Mongolian) is the primary source. Reliable summaries are often provided by legal firms.

**Summary/Analysis:** EY Report on Mongolia VASP Law (often provides good summaries): https://www.ey.com/en_mn/financial-services/mongolia-s-new-law-on-virtual-asset-service-providers

**FRC News Release (referencing the law):** Look for news releases around June-December 2022 on the FRC website.

Financial Regulatory Commission (FRC) Mongolia Official Website: https://www.frc.mn/en/ (Navigate to "Laws and Regulations" or "News" for relevant announcements).

The basis for the Travel Rule: https://www.fatf-gafi.org/recommendations.html

Guidance for Virtual Assets and VASPs: https://www.fatf-gafi.org/content/fatf-gafi/en/guidance/Guidance-Virtual-Assets-VASPs.html