Oman -- AML/CFT Compliance Regulatory Overview

Oman has been progressively strengthening its anti-money laundering and combating the financing of terrorism (AML/CFT) framework, aligning it with international standards set by the Financial Action Task Force (FATF). While specific regulations for Virtual Asset Service Providers (VASPs) have been developing, the general AML/CFT legislation applies, and recent moves by the Capital Market Authority (CMA) indicate a clearer regulatory path for certain types of virtual assets.

Below are the key AML/KYC requirements for cryptocurrency/virtual asset service providers in Oman, considering both existing general AML/CFT laws and recent VASP-specific developments:

AML/CFT Legislation in Oman

The primary legislation governing AML/CFT in Oman is:

1. Royal Decree No. 30/2016 (Law on Combating Money Laundering and Terrorism Financing): This is the foundational AML/CFT law in Oman, outlining the obligations for financial institutions and designated non-financial businesses and professions (DNFBPs).
2. Ministerial Decision No. 63/2016 (Implementing Regulations of the Law on Combating Money Laundering and Terrorism Financing): This decision provides detailed regulations and guidelines for implementing Royal Decree 30/2016.

Specific VASP Regulatory Framework:

In a significant development, the Capital Market Authority (CMA) of Oman published its Virtual Assets Regulatory Framework in July 2023. This framework aims to regulate and license VASPs dealing with specific types of virtual assets, primarily:

• Stablecoins: Virtual assets designed to maintain a stable value relative to a fiat currency or other asset.
• Asset-Backed Tokens: Virtual assets representing a claim on an underlying asset (e.g., real estate, commodities).
• Utility Tokens: Virtual assets providing access to a product or service.

Important Note: The CMA framework currently excludes "crypto-assets with no underlying asset or backing" (e.g., Bitcoin, Ethereum) from its licensing scope. This means that VASPs dealing exclusively in such assets may operate in a grey area concerning specific VASP licensing, but they would still be subject to the general AML/CFT law if their activities are deemed to fall under the definition of financial activities or DNFBPs.

Customer Due Diligence (CDD) Requirements

Under Royal Decree 30/2016 and the CMA's VASP framework (where applicable), VASPs are expected to implement robust CDD measures, similar to traditional financial institutions. These include:

1. Identification and Verification (ID&V) of Customers:
   • Collecting identifying information such as name, address, date of birth, nationality, and unique identification number (e.g., passport, national ID card).
   • Verifying this information using reliable, independent source documents, data, or information (e.g., government-issued IDs, utility bills, biometric data).
   • For legal entities, this includes obtaining company name, legal form, address, proof of incorporation, and names of directors/senior management.
2. Beneficial Ownership Identification:
   • Identifying and verifying the identity of the natural persons who ultimately own or control the customer (typically individuals holding 25% or more of the shares or voting rights, or otherwise exercising control).
3. Understanding the Purpose and Intended Nature of the Business Relationship:
   • Gathering information about the customer's anticipated activity, the source of funds, and the purpose of the virtual asset transactions.
4. Ongoing Monitoring:
   • Conducting ongoing scrutiny of transactions undertaken throughout the course of the business relationship to ensure consistency with the VASP's knowledge of the customer, their business, and risk profile.
   • Ensuring that documents, data, or information obtained under the CDD process are kept up-to-date.
5. Politically Exposed Persons (PEPs):
   • Implementing procedures to determine whether a customer or beneficial owner is a PEP.
   • Applying Enhanced Due Diligence (EDD) for PEPs, including obtaining senior management approval for establishing business relationships and conducting enhanced ongoing monitoring.
6. Sanctions Screening:
   • Screening customers and transactions against national and international sanctions lists (e.g., UN, OFAC).
7. Enhanced Due Diligence (EDD):
   • Applying EDD for higher-risk categories of customers, business relationships, or transactions (e.g., non-face-to-face relationships, complex ownership structures, high-value transactions, cross-border correspondent virtual asset relationships, transactions involving high-risk jurisdictions).

Suspicious Transaction Reporting (STR)

VASPs, once recognized and regulated (especially those under the CMA framework), are obligated to report suspicious transactions to Oman's Financial Intelligence Unit (FIU):

• Obligation to Report: If a VASP knows, suspects, or has reasonable grounds to suspect that funds are proceeds of a criminal activity or are related to terrorism financing, it must promptly file a Suspicious Transaction Report (STR) with the Oman Financial Intelligence Unit (OMAFIU).
• No Tipping-Off: VASPs and their employees are prohibited from disclosing to the customer or any third party that an STR is being, or has been, submitted, or that an investigation is being conducted.

Record-Keeping Obligations

VASPs are required to maintain records for a specified period to assist in investigations and analysis:

• Transaction Records: All records of domestic and international transactions, including information on the origin and destination of the funds/virtual assets, transaction amount, date, and type.
• CDD Records: Records of all information obtained through the CDD process (identification data, beneficial ownership information, business relationship purpose, etc.).
• STRs and Internal Reports: Copies of all STRs filed and any internal reports generated concerning suspicious activities.
• Duration: Records must typically be maintained for a minimum of five (5) years after the completion of the transaction or the end of the business relationship.

Authority Overseeing Compliance

Several authorities are involved in AML/CFT supervision and enforcement in Oman:

1. Oman Financial Intelligence Unit (OMAFIU):

   • Role: The central national authority responsible for receiving, analyzing, and disseminating STRs to law enforcement agencies. It is the primary point of contact for suspicious transaction reporting.
   • URL: https://www.oma-fiu.gov.om/ (Note: The website is primarily in Arabic, but an English version may be available or linked).

2. Central Bank of Oman (CBO):

   • Role: While the CBO primarily regulates traditional banks and financial institutions, it also plays a critical role in overall financial stability and AML/CFT oversight. Historically, the CBO has maintained a cautious stance on cryptocurrencies, banning banks from dealing with them in 2018. It would likely continue to oversee any VASP activities that intersect with the traditional banking system.
   • URL: https://www.cbo.gov.om/

3. Capital Market Authority (CMA):

   • Role: With the introduction of its Virtual Assets Regulatory Framework in July 2023, the CMA is emerging as the primary regulatory and licensing authority for certain types of VASPs in Oman (specifically those dealing with stablecoins, asset-backed tokens, and utility tokens). It will be responsible for ensuring that these licensed VASPs comply with AML/CFT requirements in addition to other regulatory mandates.
   • URL: https://www.cma.gov.om/

4. National Committee for Combating Money Laundering and Terrorism Financing (NCCMLTF):

   • Role: This inter-agency committee coordinates national efforts to combat money laundering and terrorism financing, including policy formulation and oversight of implementation.

It is crucial for any VASP operating or planning to operate in Oman to stay updated on the evolving regulatory landscape, especially regarding the Capital Market Authority's framework, and to seek legal advice to ensure full compliance with all applicable laws and regulations.