Norway

**Finanstilsynet (Financial Supervisory Authority of Norway):** This is the primary regulator for financial services and virtual assets in Norway. It is responsible for overseeing compliance with the Anti-Money Laundering Act, including the registration of Virtual Asset Service Providers (VASPs).

**Specific Guidance on Virtual Currencies (in Norwegian, but relevant):** https://www.finanstilsynet.no/tilsyn/hvitvasking/informasjon-til-virtuelle-valutatjenesteleverandorer/

**Økokrim (National Authority for Investigation and Prosecution of Economic and Environmental Crime):** While not a primary regulator, Økokrim plays a crucial role in investigating and prosecuting money laundering and other economic crimes related to virtual assets.

**Skatteetaten (Norwegian Tax Administration):** Responsible for the taxation of virtual assets.

**Specific Guidance on Virtual Currency (in Norwegian):** https://www.skatteetaten.no/person/skatt/hjelp-til-riktig-skatt/aksjer-og-verdipapirer/andre-verdipapirer/virtuell-valuta/

**Anti-Money Laundering Act (Hvitvaskingsloven) – June 1, 2018 (as amended):**

This act transposes the EU's 5th Anti-Money Laundering Directive (AMLD5) into Norwegian law. It defines "virtual currency services" and mandates that entities providing such services (Virtual Asset Service Providers or VASPs) must register with Finanstilsynet.

Registered VASPs are subject to comprehensive AML/CTF obligations, including Know Your Customer (KYC) procedures, transaction monitoring, and suspicious activity reporting.

**Reference (Lovdata - official Norwegian legal portal, in Norwegian):** https://lovdata.no/dokument/NL/lov/2018-06-01-23?q=hvitvaskingsloven

**Taxation Rules (various circulars and regulations from Skatteetaten):**

Norway treats virtual currency holdings as assets for tax purposes. Gains from the sale or disposal of virtual currency are subject to capital gains tax (currently 22%). Mining income is considered business or personal income and taxed accordingly. Virtual currency held at year-end is subject to wealth tax.

**Financial Institutions Act (Finansforetaksloven) – April 10, 2015:**

While not directly targeting virtual assets, if a crypto-asset is deemed to qualify as a traditional financial instrument (e.g., a security token or a derivative), then existing financial services legislation, including this act, would apply, requiring licensing for activities like custody or trading. Finanstilsynet assesses this on a case-by-case basis.

**Future Legislation: Markets in Crypto-Assets (MiCA) Regulation (EU Regulation 2023/1114) – Adopted by EU in May 2023:**

As an EEA member, Norway is legally bound to adopt EU regulations relevant to the internal market. MiCA is expected to be incorporated into Norwegian law, likely in **mid-2024 to early 2025**, following its phased implementation in the EU (stablecoin rules from June 2024, other rules from December 2024).

A harmonized licensing regime for various crypto-asset services (issuance, trading platforms, custody, advice).

Specific rules for different types of crypto-assets (e.g., asset-referenced tokens, e-money tokens).

Increased transparency requirements for crypto-asset issuers.

**Legality:** Crypto trading is legal in Norway. Individuals and entities are free to buy, sell, and hold virtual assets.

Entities offering virtual asset services, including crypto exchanges operating in Norway, are required to **register with Finanstilsynet** as Virtual Asset Service Providers (VASPs) under the Anti-Money Laundering Act.

Registration entails strict adherence to **AML/CTF requirements**, including:

Implementing robust KYC procedures for all customers.

Monitoring transactions for suspicious activities.

Reporting suspicious transactions to Økokrim.

Currently, beyond AML registration, there is no specific licensing regime for the general operation of crypto exchanges or other VASP services in Norway. However, this will change significantly with the implementation of MiCA, which will introduce a comprehensive licensing framework, requiring specific authorization from Finanstilsynet for various crypto-asset services.

**Consumer Protection:** While some general consumer protection laws apply, specific protections for crypto investors are currently less developed than for traditional financial products. MiCA is expected to bridge this gap.

**VASP Registration:** Companies that provide services for the **exchange** or **custody** of virtual assets are considered "virtual asset service providers" (VASPs) and must **register** with Finanstilsynet. This is an AML/CTF (Combatting the Financing of Terrorism) registration, not a full financial services license in the traditional sense, unless the specific virtual asset qualifies as a financial instrument under other legislation.

**Requirements for Registration:** To register, companies must demonstrate compliance with the Money Laundering Act, which includes:

Establishing robust internal control systems for AML/CTF.

Performing customer due diligence (CDD) procedures.

Monitoring transactions for suspicious activity.

Reporting suspicious transactions to **Økokrim (National Authority for Investigation and Prosecution of Economic and Environmental Crime)**.

Ensuring fit and proper management and ownership.

**If the Digital Asset is a Financial Instrument:** If a digital asset is classified as a "financial instrument" (e.g., a security token) under the **Securities Trading Act (Verdipapirhandelloven)** or the **Financial Institutions Act (finansforetaksloven)**, then offering custody services for such assets would fall under existing financial services licensing requirements, which are much more stringent than simple AML registration. Finanstilsynet conducts a case-by-case assessment.

**Finanstilsynet - Information about Virtual Assets:** https://www.finanstilsynet.no/en/financial-supervision/digital-assets/

**Money Laundering Act (Hvitvaskingsloven):** https://lovdata.no/dokument/NL/lov/2018-06-01-23 (Norwegian only, English translations are usually unofficial)

**General Financial Principles:** However, for any entity providing custody of client assets, the general principles of sound financial management and consumer protection would implicitly require proper segregation to protect client interests in case of insolvency or operational failure. Reputable custodians already implement such segregation as a best practice.

**If classified as a Financial Instrument:** If the virtual asset is deemed a financial instrument, then the rules under the **Financial Institutions Act** for safeguarding client funds/assets would apply, which mandates strict segregation from the firm's own assets.

**No Specific Mandate for VASPs:** There are no specific legal mandates for insurance or bonding solely for virtual asset custodians under the current AML registration regime.

**General Business Insurance:** Companies are expected to have general business insurance as part of their operational risk management, but this typically doesn't cover crypto-specific risks like private key loss or protocol hacks in the same way a specific custodian bond would.

**No Explicit Legal Mandate:** Norwegian law does not explicitly mandate the use of cold storage for virtual assets.

**Security Best Practice:** However, Finanstilsynet expects companies providing virtual asset services to have robust security measures in place to protect client assets. Cold storage (offline storage of private keys) is widely recognized as a critical security best practice for managing the risks associated with holding cryptocurrencies and would be considered an essential component of a sound risk management framework by the regulator.

**No Specific Definition:** Norway does not currently have a specific legal definition of a "qualified custodian" exclusively for virtual assets, akin to definitions found in some other jurisdictions (e.g., the U.S.).

**Registered VASP:** The closest concept is a VASP that is registered with Finanstilsynet to provide custody services and complies with the Money Laundering Act. If the asset is a financial instrument, then a licensed financial institution providing custody services would be the "qualified custodian" under existing financial laws.

**EEA Relevance:** Norway is part of the European Economic Area (EEA), which means that EU legislation relevant to the internal market, like MiCA, typically gets incorporated into Norwegian law.

**MiCA's Scope:** MiCA provides a comprehensive regulatory framework for crypto-asset markets and service providers (CASPs) not already covered by existing financial services legislation. It aims to harmonize rules across the EU/EEA, ensure consumer protection, market integrity, and financial stability.

**Impact on Custody:** MiCA introduces specific and stringent requirements for "custody and administration of crypto-assets on behalf of clients" as a regulated crypto-asset service.

**Authorization, Not Just Registration:** Under MiCA, entities wishing to provide custody services for crypto-assets (that are not financial instruments) will need to obtain **authorization** from their national competent authority (Finanstilsynet in Norway) as a Crypto-Asset Service Provider (CASP). This is a much more demanding process than the current AML registration.

**Organizational Requirements:** CASPs providing custody will need to:

Have sound internal control mechanisms.

Have robust IT systems and security protocols (implicitly supporting best practices like cold storage).

**Client Asset Segregation:** MiCA explicitly mandates that CASPs must **segregate client crypto-assets** from their own assets and ensure that client assets are not used for their own account.

**Prudential Safeguards/Capital Requirements:** CASPs will need to hold a minimum amount of capital (own funds) to cover their operational risks.

**Liability:** MiCA places liability on CASPs for loss of client crypto-assets or loss of access to them as a result of an "actionable event" (e.g., cyber-attack, internal fraud, private key loss).

**Information to Clients:** CASPs must provide clear, fair, and not misleading information to clients, including details on the risks involved and the insolvency regime applicable.

**Timeline:** MiCA entered into force in the EU in June 2023, with rules on stablecoins applying from June 2024 and all other provisions for crypto-asset service providers (CASPs) applying from **December 30, 2024**. Norway will follow with its transposition into national law, likely around this timeframe or shortly after.

**Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA):** https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R1114

**Finanstilsynet - Information about MiCA (Norwegian, but confirms relevance):** https://www.finanstilsynet.no/regelverk/eokonomi-i-eus-rettsakter/fora/fora-12-markeder-for-kryptoverdier-og-endring-av-forordning-eu-2019/1935/

**Regulator Name:** Økokrim (National Authority for Investigation and Prosecution of Economic and Environmental Crime)

**Entity Targeted:** Unknown perpetrators of the Poly Network hack, and the stolen funds themselves.

**Violation Type:** Crypto theft, money laundering.

**Penalty Amount:** Recovery of stolen funds totaling approximately $5.8 million (at the time of recovery announcement). This is not a fine *on an entity*, but a successful recovery of criminal proceeds.

**Date:** Announced June 2022 (recovery efforts ongoing prior to this).

**Outcome:** Økokrim successfully recovered significant funds stolen in the August 2021 Poly Network hack, which were subsequently mixed using the Tornado Cash service. This was a major international collaboration highlighting Norway's capabilities in tracing and seizing crypto assets involved in sophisticated hacks.

Økokrim Press Release: Store verdier beslaglagt etter kryptokupp (Norwegian)

Chainalysis Blog Post referencing the recovery

**Regulator Name:** Finanstilsynet (The Financial Supervisory Authority of Norway)

**Entity Targeted:** Kryptobørs AS (a Norwegian crypto exchange).

**Violation Type:** Failure to comply with anti-money laundering (AML) regulations, inadequate internal controls, and operating without proper registration/licensing as a virtual asset service provider (VASP) for all services offered.

**Penalty Amount:** Ordered to terminate its business. No specific monetary fine was publicized in connection with this specific order, but the cessation of operations is a severe penalty.

**Outcome:** Finanstilsynet ordered Kryptobørs AS to terminate its business as a virtual asset service provider due to significant and persistent breaches of the Anti-Money Laundering Act and related regulations. This was a decisive action to remove a non-compliant entity from the market.

Finanstilsynet Press Release: Kryptobørs AS pålegges å avvikle virksomheten (Norwegian)

**Entity Targeted:** Norges Kryptobørs AS (a Norwegian crypto exchange).

**Penalty Amount:** Ordered to cease providing currency exchange services involving fiat currency. No specific monetary fine was publicized in connection with this order, but the restriction on services is a significant penalty.

**Outcome:** Finanstilsynet ordered Norges Kryptobørs AS to stop offering services involving the exchange between virtual and fiat currencies due to serious deficiencies in its AML compliance framework. The firm was permitted to continue offering exchange services between virtual assets.

Finanstilsynet Press Release: Norges Kryptobørs AS pålegges å stanse tilbud av vekslingstjenester (Norwegian)

**Exchange** between virtual assets and fiat currencies.

**Exchange** between one or more virtual assets.

**Custody** and/or administration of virtual assets on behalf of clients.

Participation in and provision of financial services related to an issuer's offer and/or sale of virtual assets.

**Required:** Registration as a VASP with Finanstilsynet.

**Reason:** Directly falls under the definition of "exchange between virtual assets and fiat currencies" and/or "exchange between one or more virtual assets."

**If the processor *only* handles virtual asset transactions (e.g., enabling merchants to accept crypto payments, but not converting to fiat or holding fiat funds on behalf of customers/merchants):**

**If the processor also handles *fiat currency payments* or holds fiat funds for customers/merchants (even if originating from crypto sales):**

**Required:** In addition to VASP registration (if applicable for crypto aspects), a **Payment Institution license** under the *Financial Contracts Act* (Finansavtaleloven) and related regulations might be required. This is a significantly more demanding license covering traditional payment services. Finanstilsynet assesses such activities on a case-by-case basis to determine if they constitute payment services.

**AML/CTF Compliance:** This is the cornerstone of the current regime. Applicants must demonstrate robust policies and procedures, including:

**Risk-Based Approach:** A documented assessment of money laundering and terrorist financing risks specific to their business model.

**Customer Due Diligence (CDD) / Know Your Customer (KYC):**

Identification and verification of customers and beneficial owners (e.g., using official ID, electronic verification).

Ongoing monitoring of business relationships.

Enhanced due diligence for high-risk customers or transactions.

**Transaction Monitoring:** Systems and processes to monitor transactions for suspicious activity.

**Reporting:** Reporting of suspicious transactions (STRs) to Økokrim (the National Authority for Investigation and Prosecution of Economic and Environmental Crime).

**Internal Controls:** Robust internal procedures, controls, and risk management systems.

**AML Officer:** Appointment of a qualified and experienced AML compliance officer (often based in Norway).

**Employee Training:** Regular training for relevant employees on AML/CTF obligations.

**Record-Keeping:** Maintenance of records for prescribed periods.

For **VASP registration alone**, there isn't a specific, high initial capital requirement mandated by law, unlike for banks or payment institutions. However, the entity must demonstrate sufficient financial resources to operate the business safely and effectively, and to meet its AML compliance obligations.

**If a Payment Institution license is also required**, then specific initial capital requirements (e.g., minimum €20,000 to €125,000 depending on services) and ongoing own funds requirements will apply.

Yes, generally required. The entity seeking VASP registration must be a legal entity incorporated in Norway (e.g., as a Norwegian limited company - AS).

Key management, board members, and the AML officer are typically expected to reside in Norway to ensure effective local supervision and oversight.

Owners, directors, and key personnel (especially the AML Officer) must meet "fit and proper" criteria. This involves assessments of their competence, integrity, reputation, and absence of criminal records.

Appropriate governance arrangements, risk management frameworks, and internal control mechanisms.

Robust IT systems, cybersecurity measures, and business continuity plans relevant to the services offered.

**Company Incorporation:** Establish a legal entity in Norway (e.g., an AS - aksjeselskap).

**Preparation of Documentation:** Compile a comprehensive application package, which typically includes:

Detailed business plan outlining services, target market, and operational model.

Resumes/CVs and "fit and proper" declarations for directors, key management, and significant owners.

A comprehensive AML/CTF manual, including detailed policies, procedures, risk assessment, KYC/CDD procedures, transaction monitoring framework, and suspicious activity reporting process.

Norway has implemented a comprehensive Digital Security Act (NIS Directive transposition) and is actively proposing new data protection rules, including a ban on social media for children under 16, so the regulatory landscape for IT systems, cybersecurity, and data protection is more specific and evolving beyond general information.

Proof of sufficient financial resources.

**Submission:** The application, along with all supporting documentation, is submitted to Finanstilsynet.

**Review and Dialogue:** Finanstilsynet reviews the application, which can be a thorough process. They may request additional information, clarifications, or amendments to the submitted documents.

**Decision:** Finanstilsynet issues a decision. If approved, the entity is added to Finanstilsynet's public register of supervised entities for AML purposes.

**Ongoing Compliance:** Registered VASPs are subject to ongoing supervision by Finanstilsynet and must continuously comply with all AML/CTF obligations and report any significant changes to their business or organization.

**Regulations on Anti-Money Laundering and Terrorist Financing (Hvitvaskingsforskriften):** Provides more detailed rules and guidance.

**Finanstilsynet's Regulations and Guidance:** Finanstilsynet issues various circulars, guidance notes, and regulations related to AML/CTF. It's best to consult their website directly for the latest publications.

**Finanstilsynet AML Topic Page:** https://www.finanstilsynet.no/en/topic/money-laundering/

**Finanstilsynet as Supervisory Authority for Money Laundering:** https://www.finanstilsynet.no/en/finanstilsynet-is-the-supervisory-authority-for-money-laundering/

**Full Licensing Regime:** MiCA introduces a comprehensive licensing regime for Crypto-Asset Service Providers (CASPs), requiring authorization from Finanstilsynet (or another EEA competent authority with passporting rights).

**Broader Scope:** MiCA covers not just AML, but also market integrity, governance requirements, operational resilience, consumer protection, and requirements for the issuance and admission to trading of various types of crypto-assets (e.g., asset-referenced tokens, e-money tokens).

**Passporting:** Licensed CASPs in one EEA member state will be able to "passport" their services across the entire EEA, including Norway.

**Increased Requirements:** The capital, organizational, and operational requirements under MiCA will generally be more extensive than the current AML-focused registration regime.

**Adopted:** Yes, Norway has adopted the FATF Travel Rule requirements. These are incorporated into Norwegian law, primarily through the **Money Laundering Act (Hvitvaskingsloven)** and its associated regulations (Hvitvaskingsforskriften).

**Lov om tiltak mot hvitvasking og terrorfinansiering (hvitvaskingsloven)** (Act on measures against money laundering and terrorist financing). This Act requires obliged entities, including Virtual Asset Service Providers (VASPs), to collect and transmit information about the originator and beneficiary of transfers.

**Hvitvaskingsforskriften** (Money Laundering Regulation) further elaborates on the requirements.

**Finanstilsynet's Guidance:** Finanstilsynet issues guidance documents and circulars to clarify how the law and regulations apply to VASPs.

**URL for Hvitvaskingsloven (Norwegian):** https://lovdata.no/dokument/NL/lov/2018-06-01-23 (This is the authoritative source on Norwegian legislation).

While the core Money Laundering Act (Hvitvaskingsloven) came into force on **October 15, 2018**, the specific provisions and interpretations applying the Travel Rule to virtual assets have been progressively clarified and enforced, especially following amendments and guidance issued by Finanstilsynet, aligning with the EU's 5AMLD (effective January 2020 for member states) and later 6AMLD.

For VASPs, the full expectation to comply with Travel Rule principles (collecting and transmitting originator/beneficiary info) has been increasingly explicit since **2020/2021** as Finanstilsynet issued clearer guidance on their obligations.

Norway generally follows the FATF and EU standard for the Travel Rule.

**Threshold:** A de minimis threshold of **EUR 1,000** (or its equivalent in NOK) applies to virtual asset transfers.

Below this threshold, VASPs typically do not need to transmit *all* required originator and beneficiary information (though they still need to collect some basic information for AML/CFT purposes).

For transfers *equal to or exceeding* EUR 1,000 (or NOK equivalent), VASPs are required to collect and transmit the full set of originator and beneficiary information.

**Important Note:** Even for transactions below the threshold, VASPs must still collect sufficient information to identify the customer and monitor transactions for suspicious activity as part of their broader AML obligations. Finanstilsynet also expects VASPs to aggregate linked transactions.

**Exchanges:** Providers engaged in the exchange between virtual assets and fiat currencies, or between one or more forms of virtual assets.

Providers offering custody or administration of virtual assets in Norway are now subject to licensing requirements under the EU Markets in Crypto-Assets Regulation (MiCAR), which has been fully implemented into Norwegian law.

**Transfer Services:** Providers engaged in the transfer of virtual assets (performing a transaction on behalf of another natural or legal person that moves a virtual asset from one virtual asset address or account to another).

**Issuers:** In some cases, entities involved in the initial offering and sale of a virtual asset may also be covered if they additionally provide services like exchange or custody.

**Required Information (for transfers ≥ EUR 1,000):**

Name (natural person) or legal name (legal entity)

Account number used to process the transaction (e.g., virtual asset wallet address)

National identity number (for natural persons) or customer identification number (for legal entities), or date and place of birth (for natural persons)

**Method of Exchange:** VASPs are expected to use secure and reliable methods to transmit this information to the beneficiary VASP (or to collect it from the originator VASP). Industry solutions like TRISA, OpenVASP, Sygna, or other peer-to-peer protocols are generally acceptable as long as they meet the data and security requirements.

**Data Retention:** VASPs must retain all collected information for at least **five years** after the transaction.

**Finanstilsynet Guidance:** Finanstilsynet has issued guidance that details these requirements, emphasizing secure data transfer and adherence to data protection regulations (like GDPR).

**Fines:** Finanstilsynet can impose substantial administrative fines (foretaksstraff/sanksjonsgebyr) on VASPs for breaches of their AML/CFT obligations. The amount of the fine can be significant, calculated based on the severity and duration of the breach, the financial strength of the VASP, and the potential for financial gain.

**Orders and Sanctions:** Finanstilsynet can issue orders requiring a VASP to take specific corrective actions.

**Withdrawal of License/Registration:** In severe cases or for persistent non-compliance, Finanstilsynet can withdraw a VASP's registration or license to operate.

**Fines and Imprisonment:** Individuals responsible for serious breaches of the Money Laundering Act, particularly those involving wilful intent or gross negligence that facilitate money laundering or terrorist financing, can face criminal prosecution. This can lead to personal fines and imprisonment.

**Corporate Criminal Liability:** The VASP itself (as a legal entity) can also be held criminally liable, leading to corporate fines.

**Lov om iverksetting av internasjonale sanksjoner (sanksjonsloven)** (Act on the implementation of international sanctions (the Sanctions Act)).

This is the primary legal framework for implementing international sanctions in Norway. It grants the King in Council (the government) the authority to issue regulations to implement UN Security Council resolutions and other international obligations concerning sanctions.

**Legal Reference:** Lovdata - Sanksjonsloven

**Lov om tiltak mot hvitvasking og terrorfinansiering (hvitvaskingsloven)** (Act on measures against money laundering and terrorist financing (the Anti-Money Laundering Act)).

This is the fundamental AML/CFT law in Norway. It designates VASPs as "reporting entities" (rapporteringspliktige) and imposes extensive obligations, including customer due diligence (CDD), ongoing monitoring, and reporting of suspicious transactions. Sanctions screening is an integral part of these obligations.

**Legal Reference:** Lovdata - Hvitvaskingsloven

**Forskrift om virtuell eiendelstjenesteyting** (Regulation on Virtual Asset Service Provision).

This regulation specifically defines and governs VASPs, bringing them under the supervision of Finanstilsynet (the Financial Supervisory Authority of Norway). It reiterates that VASPs are subject to the Anti-Money Laundering Act and must comply with its requirements.

**Legal Reference:** Lovdata - Forskrift om virtuell eiendelstjenesteyting

For each sanctions regime (e.g., against Russia, North Korea, Syria), the Norwegian government issues specific regulations under the Sanctions Act. These regulations detail the specific prohibitions, asset freezes, and individuals/entities targeted, mirroring the UN and EU lists.

**Example:** Lovdata - Forskrift om sanksjoner mot Russland (Regulation on sanctions against Russia)

**UN Security Council Consolidated List:** Maintained by the UN.

**EU Consolidated Sanctions List:** Maintained by the EU (accessible via EUR-Lex and EEAS websites).

**Norwegian Ministry of Foreign Affairs:** Publishes current lists and relevant regulations implementing UN and EU sanctions. This is the primary source for Norway-specific implementation details.

**Legal Reference:** Utenriksdepartementet - Sanksjoner (Ministry of Foreign Affairs - Sanctions)

**OFAC SDN List:** Maintained by the U.S. Treasury.

Sanctions regimes often target specific countries (e.g., Russia, North Korea, Iran, Syria, Venezuela, Myanmar).

**Comprehensive Embargoes:** Prohibit nearly all transactions with certain countries or regimes (e.g., North Korea).

**Sectoral Sanctions:** Target specific sectors of an economy (e.g., financial, energy, defense sectors in Russia).

**Asset Freezes:** Apply to designated individuals and entities regardless of their location, meaning any assets (including crypto) they own or control, directly or indirectly, must be frozen.

For VASPs, this implies implementing geo-blocking measures, transaction monitoring for IP addresses from sanctioned regions, and careful scrutiny of the origin and destination of virtual assets.