Paraguay -- Licensing Requirements Regulatory Overview

Paraguay has an evolving regulatory landscape for virtual assets. While initial legislative attempts (like Law No. 6903/2022) aimed to provide a comprehensive framework, much of the practical regulation for Virtual Asset Service Providers (VASPs) like exchanges and custodians currently stems from the Anti-Money Laundering and Counter-Terrorism Financing (AML/CFT) regime overseen by SEPRELAD (Secretaría de Prevención de Lavado de Dinero o Bienes).

It's important to note the legislative history:

• Law No. 6903/2022 ("Ley que regula la industria y comercialización de criptoactivos") was the initial, comprehensive attempt to regulate crypto mining and commercialization.
• However, this law faced challenges and was repealed and replaced by Law No. 7041/2023 in January 2023. Law No. 7041/2023 itself underwent a presidential veto primarily regarding crypto mining, which was then overridden by the Congress. This law mainly focuses on the energy consumption and commercialization aspects related to crypto mining, rather than a broad licensing regime for VASPs.

For VASPs, the primary regulatory obligations fall under SEPRELAD's AML/CFT mandate, aligned with Financial Action Task Force (FATF) recommendations.

Regulatory Framework and Key Laws

1. SEPRELAD (Secretaría de Prevención de Lavado de Dinero o Bienes): This is the key regulatory body for AML/CFT compliance for virtual assets. SEPRELAD defines Virtual Asset Service Providers (VASPs) and sets forth their obligations.

   • Resolution No. 222/2022: This resolution from SEPRELAD specifically established guidelines for the prevention of money laundering and terrorism financing for Virtual Asset Service Providers. It defines what constitutes a VASP and outlines their obligations.
   • Resolution No. 24/2023: This resolution modified certain aspects of Resolution No. 222/2022, particularly detailing reporting requirements for VASPs.
   • FATF Recommendations: Paraguay, as a member of GAFILAT (the regional FATF-style body), adheres to FATF recommendations, which include guidance on virtual assets and VASPs (Recommendation 15 and its Interpretive Note).

2. Law No. 7041/2023: While primarily focused on the energy aspects of crypto mining, this law indirectly touches upon the commercialization of crypto. However, it does not establish a specific licensing regime for VASPs in the sense of financial services licensing, deferring that to SEPRELAD's AML/CFT framework.

Registration vs. Licensing Regime

For Virtual Asset Service Providers (VASPs) in Paraguay, the regime is primarily one of registration and ongoing AML/CFT compliance with SEPRELAD, rather than a traditional financial services licensing regime that might be overseen by the Central Bank (BCP) for banks or other financial institutions.

VASPs must register with SEPRELAD as "obligated subjects" (sujetos obligados) and comply with all AML/CFT regulations.

Required Registration/Compliance for Specific Activities

The SEPRELAD regulations define VASPs in line with FATF standards. Therefore, the following activities typically require registration and compliance with SEPRELAD:

• Exchanges (Virtual Asset Exchange Providers): Entities that conduct the exchange between virtual assets and fiat currencies, or between one or more forms of virtual assets, are considered VASPs.
• Custody Providers (Virtual Asset Custody Providers): Entities that provide safekeeping services for virtual assets or instruments enabling control over virtual assets are considered VASPs.
• Payment Processors (Virtual Asset Transfer Providers): Entities that perform transfers of virtual assets on behalf of another natural or legal person. If a payment processor facilitates transactions involving virtual assets (e.g., sending/receiving crypto), they would fall under this definition. If they only process fiat payments for crypto services without touching the crypto itself, they might be subject to traditional payment processor regulations but not necessarily VASP-specific rules.

Key Requirements for VASPs

Based on SEPRELAD's resolutions and the general AML/CFT framework, key requirements include:

1. AML/KYC (Anti-Money Laundering / Know Your Customer): This is the core requirement.

   • Robust Policies and Procedures: Implementation of comprehensive AML/CFT policies and procedures, including risk assessment, customer due diligence (CDD), enhanced due diligence (EDD) for high-risk customers, and ongoing monitoring.
   • Customer Identification and Verification: Collecting and verifying identity information for natural and legal persons (KYC).
   • Transaction Monitoring: Monitoring transactions for suspicious patterns and activities.
   • Suspicious Activity Reports (SARs): Reporting suspicious transactions to SEPRELAD.
   • Compliance Officer: Appointment of a qualified and designated Compliance Officer responsible for AML/CFT compliance.
   • Employee Training: Regular training for employees on AML/CFT obligations.
   • Record Keeping: Maintaining records of customer identification data and transactions for the prescribed period (usually 5 years).

2. Local Presence:

   • Legal Entity: The VASP must be established as a legal entity (e.g., corporation or limited liability company) duly registered in Paraguay.
   • Registered Office: Maintenance of a physical registered office in Paraguay.

3. Capital Requirements:

   • SEPRELAD's resolutions for VASPs do not explicitly define a minimum capital requirement for the purpose of AML/CFT registration. However, as a business operating in Paraguay, the entity must demonstrate financial solvency and operational capacity, which implies having sufficient capital to operate responsibly and meet its obligations. Financial institutions, if a VASP were to be considered one, would have capital requirements imposed by the Central Bank (BCP), but currently, VASPs are primarily regulated for AML/CFT purposes, not as licensed financial institutions.

4. Technology and Security:

   • While not explicitly detailed in every SEPRELAD resolution, robust technological infrastructure and security measures are implicitly required to comply with data protection, transaction monitoring, and secure record-keeping obligations. This includes cybersecurity protocols to protect customer assets and data.

5. Internal Controls and Governance:

   • Implementation of strong internal controls, governance structures, and internal audit functions to ensure compliance with all regulatory requirements and mitigate operational risks.

Application/Registration Process (General Steps)

The process for a VASP to comply with SEPRELAD's requirements typically involves:

1. Establish Legal Entity: Register a legal entity (e.g., an S.A. or S.R.L.) in Paraguay with the Public Registry (Dirección General de Registros Públicos).
2. Develop AML/CFT Compliance Program: Create comprehensive internal policies, procedures, and manuals for AML/CFT, tailored to the VASP's specific operations and risk profile, in accordance with SEPRELAD's Resolution No. 222/2022 and No. 24/2023.
3. Appoint Compliance Officer: Designate a qualified Compliance Officer, who must be registered with SEPRELAD.
4. Register as an "Obligated Subject" with SEPRELAD: Submit all required documentation to SEPRELAD, which typically includes:
   • Corporate registration documents.
   • Details of shareholders, directors, and beneficial owners.
   • The AML/CFT manual and risk assessment.
   • Details and qualifications of the Compliance Officer.
   • Business plan and operational details.
5. Obtain SEPRELAD Approval: SEPRELAD will review the submission. Upon approval, the entity is officially recognized as an "obligated subject" and can operate, subject to ongoing compliance.
6. Ongoing Compliance: Continuously monitor transactions, perform CDD, file SARs, submit periodic reports to SEPRELAD, and ensure staff training.

Specific Regulatory References with URLs

• SEPRELAD Official Website: This is the primary source for their resolutions and public information.
  • https://www.seprelad.gov.py/
• SEPRELAD Resolution No. 222/2022: (Often found as a downloadable PDF on the SEPRELAD website under "Normativas" or "Resoluciones")
  • Direct link can change, but search "Resolución N° 222/2022 SEPRELAD" on their site.
• SEPRELAD Resolution No. 24/2023: (Often found as a downloadable PDF on the SEPRELAD website under "Normativas" or "Resoluciones")
  • Direct link can change, but search "Resolución N° 24/2023 SEPRELAD" on their site.
• Law No. 7041/2023: While focused on mining, it's part of the broader legal context. It can be found on the National Congress website or official gazettes.
  • Can be found on the Paraguayan Congress website (e.g., https://www.bacn.gov.py/) by searching for the law number.

It is highly recommended to consult with local legal counsel specializing in financial regulation and AML/CFT compliance in Paraguay for the most current and specific guidance, as regulations can evolve rapidly.