Puerto Rico -- AML/CFT Compliance Regulatory Overview

Puerto Rico, as a U.S. territory, operates under a dual regulatory framework, meaning that both U.S. federal laws and Puerto Rico's local laws apply. For cryptocurrency/virtual asset service providers (VASPs), this translates into compliance with federal anti-money laundering (AML) and counter-financing of terrorism (CFT) requirements, primarily driven by the Financial Crimes Enforcement Network (FinCEN), as well as local regulations enforced by the Office of the Commissioner of Financial Institutions (OCFI).

Generally, VASPs operating in Puerto Rico, particularly those involved in exchanging virtual assets for fiat currency or other virtual assets, or transferring virtual assets, are considered "money transmitters" or "money services businesses" (MSBs) under both federal and local law, triggering comprehensive AML/KYC obligations.

AML/CFT Legislation and Regulatory Framework

1. U.S. Federal Legislation & Guidance (Applicable in Puerto Rico):

• Bank Secrecy Act (BSA) (31 U.S.C. § 5311 et seq.): This is the foundational AML legislation in the U.S. It requires financial institutions (including MSBs/VASPs) to keep records and file reports on certain financial transactions.
• FinCEN Regulations (31 CFR Chapter X): FinCEN, a bureau of the U.S. Department of the Treasury, issues regulations implementing the BSA.
  • Guidance on Application of FinCEN's Regulations to Persons Administering, Exchanging, or Using Virtual Currencies (FIN-2013-G001, March 18, 2013): This initial guidance clarified that exchangers and administrators of virtual currency are "money transmitters" under the BSA.
  • Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies (FIN-2019-G001, May 9, 2019): This updated guidance broadened the scope, clarifying that various VASP models (e.g., peer-to-peer exchangers, DApps, anonymity-enhanced coin providers) may also be MSBs.
  • Interpretive Ruling on the Application of the BSA to Mixed-Currency Transactions and Other Related Transactions (FIN-2023-R001, October 26, 2023): Clarifies that transactions involving both fiat currency and CVC are covered by BSA requirements.
• FATF Standards: While not direct legislation, the U.S. is a member of the Financial Action Task Force (FATF), and FinCEN's guidance is designed to align with FATF recommendations, particularly Recommendation 15 which specifically addresses new technologies and the "Travel Rule" for VASPs.

2. Puerto Rico Local Legislation:

• Puerto Rico Money Services Business Act (Act No. 17-2016): This act regulates money services businesses in Puerto Rico, including licensing, examination, and enforcement. VASPs operating as money transmitters in Puerto Rico are typically required to obtain a license under this Act and comply with its provisions, which include AML program requirements.
• Office of the Commissioner of Financial Institutions (OCFI) Regulations: OCFI issues regulations and circular letters to implement Act 17-2016 and other financial laws, which would apply to licensed entities, including VASPs.

Key AML/KYC Requirements for VASPs in Puerto Rico

Based on the federal and local framework, VASPs must implement a robust AML/CFT compliance program that includes, but is not limited to:

1. AML/CFT Program Requirements:

Every VASP considered an MSB must establish an effective written AML program that is reasonably designed to prevent the VASP from being used to facilitate money laundering or the financing of terrorist activities. This program must, at a minimum:

• Designate an AML Compliance Officer.
• Implement internal policies, procedures, and controls.
• Provide ongoing employee training.
• Conduct independent reviews/audits of the program.

2. Customer Due Diligence (CDD) Requirements:

VASPs must establish and maintain a Customer Identification Program (CIP) as part of their AML program, designed to verify the identity of each customer. This includes:

• Identity Verification:
  • For Individuals: Obtaining name, date of birth, residential address, and an identification number (e.g., Social Security Number, passport number, alien identification card number).
  • For Entities: Obtaining the legal name, principal place of business, and often identifying the beneficial owners of the entity.
• Verification Procedures: Using reliable, independent source documents (e.g., driver's license, passport, utility bill) or non-documentary methods (e.g., credit report, public databases).
• Risk-Based Approach: Conducting due diligence commensurate with the risks presented by the customer relationship. Higher-risk customers (e.g., those from high-risk jurisdictions, politically exposed persons - PEPs, or engaging in complex/unusual transactions) require Enhanced Due Diligence (EDD).
• Beneficial Ownership Identification: For legal entity customers, VASPs must identify and verify the identity of beneficial owners (individuals who directly or indirectly own 25% or more of the equity interests, and a single individual with significant responsibility to control, manage, or direct the legal entity customer).
• Ongoing Monitoring: Continuously monitoring customer transactions and activities for suspicious behavior.

3. Suspicious Transaction Reporting (STR):

• Requirement: VASPs must report suspicious transactions to FinCEN by filing a Suspicious Activity Report (SAR).
• Threshold: A SAR must be filed for any transaction(s) conducted or attempted by, at, or through the VASP that involves at least $5,000 in funds or other assets, if the VASP knows, suspects, or has reason to suspect that the transaction:
  • Involves funds derived from illegal activity or is intended to hide or disguise funds derived from illegal activity.
  • Is designed to evade any BSA requirement.
  • Has no business or apparent lawful purpose or is not the sort in which the particular customer would normally be expected to engage, and the VASP knows of no reasonable explanation for the transaction after examining the available facts.
  • Involves the use of the VASP to facilitate criminal activity.
• Timeline: SARs generally must be filed within 30 calendar days after the date of initial detection of facts that may constitute a basis for filing a SAR. If no suspect is identified, the VASP may have an additional 30 days (total of 60 days).
• Confidentiality: SAR filings are strictly confidential and must not be disclosed to the persons involved in the transaction or to unauthorized third parties.

4. Record-Keeping Obligations:

VASPs must maintain records for five (5) years, including:

• Customer Identification Records: All information obtained during the CIP process.
• Transaction Records:
  • Records of funds transfers, including the "Travel Rule" data for transactions exceeding specific thresholds (typically $3,000 for transfers, but for virtual assets, FinCEN has advised the Travel Rule generally applies to transactions over $3,000 for fiat and $10,000 for virtual asset transfers). This includes originator and beneficiary names, account numbers, addresses, and other identifying information.
  • Records for currency transactions over $10,000 (Currency Transaction Reports - CTRs). While not directly applicable to crypto in the same way, equivalent records for large virtual asset exchanges are expected.
  • Records of purchases and sales of monetary instruments.
• AML Program Documentation: Policies, procedures, risk assessments, training materials, and audit reports.
• SARs: Copies of all SARs filed and supporting documentation.

Overseeing Authority

1. Primary Federal Overseer:

• Financial Crimes Enforcement Network (FinCEN):
  • Role: FinCEN is the lead administrator of the BSA and the primary regulator for AML/CFT compliance for MSBs (including VASPs) at the federal level. It issues regulations, guidance, and enforces compliance.
  • Website: https://www.fincen.gov/

2. Primary Local Overseer:

• Office of the Commissioner of Financial Institutions (OCFI) / Oficina del Comisionado de Instituciones Financieras (OCIF):
  • Role: OCFI is the financial regulatory authority in Puerto Rico responsible for licensing, examining, and supervising financial institutions, including money services businesses, under local law (like Act No. 17-2016). They ensure compliance with Puerto Rico's financial laws and often collaborate with federal authorities on AML/CFT matters.
  • Website: https://ocif.pr.gov/

Important Note: This information is for general guidance and educational purposes only and does not constitute legal advice. VASPs operating in Puerto Rico should seek independent legal counsel to ensure full compliance with all applicable federal and local laws and regulations. The regulatory landscape for virtual assets is constantly evolving.