San Marino

**Law No. 171 of December 17, 2019, "Regulations for Distributed Ledger Technologies and Blockchain for Business" (Legge 171/2019)**: This law defines DLT, virtual assets, and establishes the framework for Operators in Distributed Ledger Technologies (ODLTs).

**BCRA Circular No. 64 of 15 September 2020, "Disciplining the activities of Operators in Distributed Ledger Technologies"**: This circular provides detailed implementation rules for Law 171/2019, specifying the requirements for obtaining authorization (registration) as an ODLT.

**BCRA Circular No. 67 of 11 May 2021, "Amendments and additions to Circular No. 64 of 15 September 2020"**: This circular introduced updates and clarifications to the initial implementing regulations.

**Decree No. 120 of 21 August 2019, "Provisions against money laundering and terrorist financing"**: This AML/CFT law is applicable to ODLTs and virtual asset service providers (VASPs).

**Exchanges (Virtual Asset Exchange Providers):** Entities operating a platform for the exchange of virtual assets for fiat currencies, or between one or more forms of virtual assets. This falls squarely under the ODLT/VASP authorization requirement.

**Custody Providers (Virtual Asset Custody Providers):** Entities that provide services for the safekeeping or administration of virtual assets or instruments enabling control over virtual assets on behalf of natural or legal persons. This also requires ODLT/VASP authorization.

If the payment processing involves the **transfer, exchange, or facilitation of payments directly in virtual assets**, or **between virtual assets and fiat currency**, the entity would be considered an ODLT/VASP and requires authorization.

If the entity is a traditional fiat payment processor merely providing services *to* a crypto business (e.g., handling fiat payments for a crypto exchange, but not touching virtual assets itself), it would fall under traditional payment services regulations, which also require BCRA authorization (e.g., as a Payment Institution). However, for *crypto-specific* payment processing, ODLT authorization is necessary.

Participation in and provision of financial services related to an issuer's offer and/or sale of a virtual asset.

Providing other services related to virtual assets.

Must be a joint-stock company (Società per Azioni - S.p.A.) or a limited liability company (Società a responsabilità limitata - S.r.l.) established in San Marino.

Must have its registered office and effective management in San Marino.

**€150,000** for ODLTs that do not provide direct services to the public, do not hold client funds/virtual assets, and whose activity carries a low risk profile as assessed by the BCRA.

**€300,000** for ODLTs providing services directly to the public (including VASPs like exchanges and custody providers) and holding client funds or virtual assets.

The BCRA may require a higher capital amount based on the complexity, scale, and risk profile of the proposed activities.

ODLTs are considered "financial intermediaries" under San Marino's AML/CFT legislation (Decree 120/2019) and are subject to all related obligations.

Implementing robust **Customer Due Diligence (CDD)** procedures for all clients (identifying and verifying identity, beneficial ownership).

Conducting **risk assessments** for business relationships and transactions.

Implementing comprehensive **internal controls, policies, and procedures** for AML/CFT.

Appointing an **AML Officer** and a **Board-level AML Compliance Officer**.

Establishing a **Suspicious Transaction Reporting (STR)** mechanism and reporting to the Financial Intelligence Agency (AIF).

Providing **ongoing training** to staff.

Adherence to international sanctions lists.

At least one member of the board of directors must be resident in San Marino.

Key functions (e.g., compliance, risk management, IT management) are expected to be physically based and operational in San Marino.

Robust corporate governance structure with clear lines of responsibility.

Sound internal control systems, risk management frameworks, and compliance functions.

Business continuity plan and disaster recovery plan.

Comprehensive cybersecurity measures and IT infrastructure to protect virtual assets and data.

Shareholders holding significant stakes (e.g., >10%), directors, and key management personnel must meet stringent "fit and proper" criteria.

This includes demonstrating integrity, competence, professional qualifications, and a clean criminal record.

A detailed business plan outlining the proposed activities, operational structure, target market, financial projections for at least three years, technology infrastructure, risk management strategy, and internal organization.

Proof of robust and secure DLT infrastructure.

Independent audit of the DLT system (technical due diligence).

Adequate security protocols for the storage and transfer of virtual assets.

**Pre-Application Meeting (Optional but Recommended):** Applicants can engage in preliminary discussions with the BCRA to present their project and receive initial feedback.

**Formal Application Submission:** Submission of a comprehensive application package to the BCRA, including:

IT and cybersecurity policies and an independent technical audit report.

Resumes and fit & proper declarations for shareholders, directors, and key personnel.

Information on the DLT protocol and smart contracts (if applicable).

**BCRA Review and Due Diligence:** The BCRA conducts an in-depth review of the application, which may involve:

Requests for additional information or clarification.

Assessments of the proposed technical infrastructure and operational model.

**On-site Visit (Potentially):** The BCRA may conduct an on-site visit to verify the physical presence and operational readiness.

**Authorization Decision:** Upon satisfactory completion of the review, the BCRA issues an authorization (registration) and the entity is added to the official register of ODLTs.

**Post-Authorization Obligations:** ODLTs are subject to ongoing reporting requirements, regular audits, and compliance with all regulatory updates.

**Banca Centrale della Repubblica di San Marino (BCRA) - Normativa (Regulations) Page:** This is the central hub where all laws and circulars are typically published or linked.

*(You would typically need to navigate this page to find the specific PDFs for Circolare n. 64/2020 and Circolare n. 67/2021).*

**Law No. 171 of December 17, 2019 (Legge 171/2019):** While not always directly linked on the BCRA "Normativa" page as a standalone PDF, it's the foundational law. It can often be found on official government legislative archives or through legal databases specializing in San Marinese law. Searching "Legge 171/2019 San Marino" on official government portals (e.g., diritto.sm or archiviopubblico.sm) will usually yield the full text.

**Decree No. 120 of 21 August 2019 (AML/CFT Law):** Similarly, this core AML law can be found on government legislative archives.

*Note: Direct URLs to specific PDFs on government archive sites can be volatile. It's best to navigate from the main BCRA or government legislative portal.*

**Banca Centrale della Repubblica di San Marino (BCRSM)** - The Central Bank of the Republic of San Marino. It is the primary financial regulator responsible for licensing, supervision, and ongoing oversight of virtual asset service providers.

**Legge n. 200 del 19 dicembre 2023** – "Disposizioni per la prevenzione e il contrasto del riciclaggio e del finanziamento del terrorismo, nonché modifiche e integrazioni a leggi in materia di vigilanza prudenziale e di gestione delle crisi degli enti creditizi e finanziari."

*English translation:* "Provisions for the prevention and combating of money laundering and terrorist financing, as well as amendments and additions to laws concerning prudential supervision and crisis management of credit and financial institutions."

**Regolamento della Banca Centrale della Repubblica di San Marino n. 2023-01** – "Regolamento in materia di prestatori di servizi relativi ad attività virtuali (VASP)."

*English translation:* "Regulation of the Central Bank of the Republic of San Marino No. 2023-01 – Regulation concerning Virtual Asset Service Providers (VASPs)."

**Natural Persons:** Obtain and verify identity using reliable, independent source documents, data, or information (e.g., name, date of birth, place of birth, address, nationality, official identification number/document type).

**Legal Persons/Arrangements:** Obtain and verify legal name, legal form, address, proof of existence, powers that regulate and bind the legal person/arrangement, and names of individuals authorized to act on its behalf.

Identify the beneficial owner(s) (natural person(s) who ultimately own or control the customer and/or the natural person on whose behalf a transaction is being conducted).

Verify the identity of the beneficial owner(s) using relevant information and data.

For legal persons, this typically involves identifying natural persons holding more than 25% of shares or voting rights, or exercising control through other means.

**Purpose and Intended Nature of Business Relationship:** Obtain information on the purpose and intended nature of the business relationship or occasional transaction.

Conduct ongoing monitoring of the business relationship and transactions undertaken throughout the course of that relationship.

Ensure that the documents, data, or information collected under the CDD process are kept up-to-date.

**Risk-Based Approach (RBA):** VASPs must implement a risk-based approach to AML/CFT, meaning they should:

Assess their ML/TF risks, considering factors such as customer type, services offered, virtual asset types, geographic areas, and delivery channels.

Apply CDD measures proportionate to the identified risks.

**Enhanced Due Diligence (EDD):** Apply EDD in higher-risk situations, including but not limited to:

Relationships with Politically Exposed Persons (PEPs).

Complex, unusual, large transactions, and all unusual patterns of transactions that have no apparent economic or lawful purpose.

Use of new technologies or products that favor anonymity.

**Simplified Due Diligence (SDD):** May apply SDD in lower-risk situations, provided that a proper risk assessment confirms the low-risk nature and the competent authorities have not restricted its application.

**Obligation to Report:** VASPs are obligated to report to the **Financial Intelligence Agency (AIF)** if they know, suspect, or have reasonable grounds to suspect that funds or other assets, regardless of the amount, are the proceeds of criminal activity or are related to terrorist financing.

**No Tipping-Off:** VASPs and their employees are prohibited from disclosing to the customer concerned or to third parties that an STR is being or has been filed, or that an investigation into money laundering or terrorist financing is being or may be carried out.

**Timeliness:** Reports must be made promptly.

**Retention Period:** All records, including those obtained through CDD measures, account files, business correspondence, and records of transactions, must be retained for at least **five years** after the end of the business relationship or after the date of an occasional transaction.

**Accessibility:** Records must be maintained in a way that allows for their timely retrieval by the competent authorities (BCSM, AIF, judicial authorities).

**Appointing an AML Compliance Officer:** A senior manager responsible for AML/CFT compliance, with sufficient authority and resources.

**Training:** Regular and ongoing AML/CFT training for all relevant employees.

**Internal Audit:** An independent audit function to test the AML/CFT systems.

**Risk Assessment:** Regular and documented institutional risk assessments.

**Blockchain Law (Law No. 147 of 2019, as amended)**: This law defines virtual assets and virtual asset service providers (VASPs), outlining licensing requirements, operational standards, and the application of AML/CTF provisions to the sector.

**AML/CTF Law (Law No. 182 of November 17, 2004, as amended)**: This is San Marino's primary AML/CTF legislation, which extends to VASPs and incorporates international standards set by the FATF. It mandates customer due diligence (CDD), ongoing monitoring, record-keeping, and suspicious transaction reporting.

**Central Bank of San Marino (BCSM)**: Responsible for licensing and prudential supervision of VASPs.

**Financial Intelligence Agency (AIF)**: Responsible for AML/CTF oversight and receiving Suspicious Transaction Reports (STRs).

**Direct Applicability**: As a UN member state, San Marino is directly bound by UN Security Council Resolutions imposing sanctions. These resolutions typically target individuals, entities, and groups involved in terrorism, proliferation of weapons of mass destruction, and other threats to international peace and security.

**Obligations**: VASPs in San Marino must immediately freeze the funds and other assets of individuals and entities designated by the UN Security Council and ensure that no funds, assets, or economic resources are made available to them, directly or indirectly. This includes virtual assets.

**Legal Basis**: Law No. 182/2004 (AML/CTF Law) and its implementing decrees provide the national legal framework for applying these international obligations.

**Practical Applicability**: While San Marino is not an EU member, it generally mirrors EU foreign and security policy, including the implementation of EU restrictive measures (sanctions). This is often achieved through national legislation that refers to or directly adopts EU regulations.

**Scope**: EU sanctions are extensive and include regimes targeting specific countries (e.g., Russia, Iran, North Korea, Syria, Venezuela), individuals/entities involved in terrorism, cyber-attacks, human rights violations, and chemical weapons proliferation.

**Obligations**: VASPs must identify and freeze assets belonging to, or controlled by, designated individuals and entities on EU sanctions lists. They are also prohibited from making funds or economic resources available to such listed parties. This includes all forms of virtual assets and related services.

**Extraterritorial Reach**: OFAC sanctions, while U.S. law, have a significant extraterritorial effect, particularly on financial institutions and entities dealing with U.S. persons, the U.S. financial system, or transactions denominated in U.S. dollars.

**Risk Mitigation**: While San Marino itself does not directly enforce OFAC sanctions as national law, VASPs operating in San Marino, especially those with international exposure, U.S. clients, or relying on U.S. dollar-denominated services, are highly advised to comply with OFAC regulations. Failure to do so can lead to:

Exclusion from the U.S. financial system (de-risking by correspondent banks).

**Obligations**: Prudent VASPs will screen against OFAC's Specially Designated Nationals (SDN) List and other relevant lists (e.g., Sectoral Sanctions Identifications List) and implement controls to prevent dealings with sanctioned persons or jurisdictions.

**Customer Due Diligence (CDD)**: Identify and verify the identity of customers, including beneficial owners, and assess their risk profile.

**Ongoing Monitoring**: Continuously monitor customer transactions and activities for any suspicious patterns or changes in risk profile.

**Sanctions List Screening**: Regularly screen all customers, beneficial owners, and counterparties against relevant international sanctions lists, including:

**EU Consolidated List of persons, groups and entities subject to EU financial sanctions** (and specific program lists).

**OFAC Specially Designated Nationals (SDN) and Blocked Persons List** (for U.S. nexus and best practice).

**Technology Solutions**: Utilizing automated sanctions screening software is best practice for efficient and accurate screening of large volumes of data and transactions, including blockchain addresses.

**Transaction Screening**: Screening of transaction counterparties and associated blockchain addresses for known sanctioned entities or addresses linked to illicit activities.

**Prohibitions on Dealing**: Complete or partial prohibitions on providing financial services (including virtual asset services) to certain countries or regions (e.g., North Korea, Iran, specific regions of Russia/Ukraine, Syria, Cuba, etc., depending on the specific sanctions regime).

**Geo-blocking/IP Restrictions**: Implementing technical controls like geo-blocking of IP addresses to prevent access to services from sanctioned jurisdictions.

**Source/Destination of Funds**: Assessing the origin and destination of virtual assets to ensure they do not originate from or are destined for sanctioned entities or jurisdictions.

**Criminal Penalties**: Individuals and legal representatives of VASPs found to be in breach of sanctions regulations can face fines and imprisonment. Law No. 182/2004 provides for criminal sanctions for AML/CTF offenses, which include failures related to sanctions compliance.

**Administrative Penalties**: The BCSM and AIF can impose administrative fines, operational restrictions, suspension or revocation of licenses, and public reprimands on VASPs that fail to comply with their obligations.

**Reputational Damage**: Significant damage to a VASP's reputation, making it difficult to attract customers and partners.

**UN Consolidated Sanctions List**: This list includes individuals and entities subject to asset freezes, travel bans, and arms embargoes based on various UN Security Council resolutions (e.g., Al-Qaida, ISIS, Taliban, DPRK, Iran proliferation).

**EU Consolidated List**: This list amalgamates all persons, groups, and entities subject to financial sanctions under various EU restrictive measures.

**OFAC Specially Designated Nationals (SDN) List**: While primarily a U.S. list, it is a critical reference for international VASPs due to its extraterritorial implications.

**Law No. 147 of December 17, 2019 – Blockchain Law (Legge 17 dicembre 2019 n.147)**:

*Official Bulletin (Bollettino Ufficiale)*: While specific direct links to current codified laws are not always stable from government sites, the official version would be in the "Bollettino Ufficiale della Repubblica di San Marino." Searching for "Legge 17 dicembre 2019 n.147 San Marino" often yields reputable legal databases. An example for reference (may not be the latest consolidated version): https://www.ilrestodelcarlino.it/san-marino/cronaca/tutto-sulla-blockchain-la-legge-sanmarinese-approvata-un-anno-fa-1.5833215 (This is a news article referencing it, the actual law needs to be sought from official government publications or legal databases.)

*For a consolidated English summary often used for industry understanding*: https://www.simonotti.sm/download/Legge-n-147-del-17-dicembre-2019-Norme-disciplinanti-i-Registri-Tecnologici-basati-su-blockchain-e-le-societa-che-li-emettono-Blockchain-Law.pdf (Note: This is a private firm's translation, use official versions for legal certainty).

**Law No. 182 of November 17, 2004 – Anti-Money Laundering and Counter-Terrorist Financing Law (Legge 17 novembre 2004 n.182, modificata)**:

*Official source (AIF website often references it with updates)*: https://www.aif.sm/it/quadro-normativo-aml-cft (This page provides links to the consolidated AML/CFT law and related regulations issued by the AIF).

**Central Bank of San Marino (BCSM) Regulations**:

Look under "Regolamentazione e Vigilanza" for specific circulars and regulations regarding VASPs.

**Financial Intelligence Agency (AIF) Guidelines**:

Look under "Normativa e Documenti" for guidelines on AML/CTF, including typologies and reporting requirements.

**Agenzia per l'Informazione Finanziaria (AIF)** - The Financial Intelligence Agency. This agency is responsible for preventing and combating money laundering and terrorist financing, operating within the broader AML/CFT framework that also applies to virtual asset activities.

**Law No. 166 of December 17, 2019, "Provisions for the Regulation of Virtual Assets and Providers of Virtual Asset Services"**

**Purpose:** This is the foundational law for virtual assets in San Marino. It defines virtual assets and virtual asset service providers (VASPs), establishes the general principles for their regulation, and designates the BCRSM as the competent authority for authorization and supervision. It aims to foster the development of blockchain technology while ensuring legal certainty and investor protection.

*Note: While a direct official URL to the specific law text might be difficult to access publicly in English, references are widely available in legal analyses.*

**BCRSM Regulation No. 2020-03 of December 10, 2020, "Regulation for the Authorisation and Supervision of Virtual Asset Operators"**

**Purpose:** This regulation provides the detailed implementation rules for Law No. 166. It specifies the requirements for obtaining authorization as a VASP from the BCRSM, including organizational, operational, capital, and governance requirements. It also outlines the ongoing supervisory framework, reporting obligations, and measures for consumer protection.

**Law No. 92 of June 17, 2008 (and subsequent amendments), "Prevention and Repression of Money Laundering and Terrorist Financing"**

**Date:** June 17, 2008 (with ongoing amendments to incorporate FATF recommendations, including those for virtual assets).

**Purpose:** This overarching AML/CFT law applies to all financial activities in San Marino, including virtual asset services. It mandates specific obligations for VASPs regarding customer due diligence, suspicious transaction reporting to the AIF, record-keeping, and internal controls to prevent money laundering and terrorist financing.

*Note: Specific amendments to include VASPs fall under the purview of this law, ensuring San Marino's compliance with FATF Recommendation 15.*

**Legality:** Crypto trading and the operation of crypto exchanges (classified as Virtual Asset Service Providers or VASPs) are legal in San Marino.

**Authorization Required:** Any entity wishing to provide virtual asset services, including operating an exchange, facilitating trading, custody, or transfer of virtual assets, must obtain a **specific authorization from the Banca Centrale della Repubblica di San Marino (BCRSM)**.

**Stringent Requirements:** VASPs are subject to a robust set of regulatory requirements, including:

Additional capital buffers are needed to ensure financial stability in San Marino, as current capital levels are not fully sufficient.

**Fit and Proper Tests:** For shareholders, management, and key personnel.

**Organizational and Operational Requirements:** Including robust IT security, governance frameworks, and internal controls.

**Investor Protection:** Measures to protect client assets, ensure transparency, and manage conflicts of interest.

**AML/CFT Compliance:** Strict adherence to anti-money laundering and counter-terrorist financing obligations, including comprehensive customer due diligence (KYC), transaction monitoring, and reporting suspicious activities to the AIF.

**Segregation of Client Assets:** Requirements to separate client virtual assets from the company's own assets.

**Transparency:** Obligations regarding clear and truthful information for users.

**Note:** This is the most recent comprehensive AML/CFT law that explicitly incorporates international standards and extends the scope to new sectors, including virtual assets and virtual asset service providers. It builds upon and supersedes previous AML legislation (e.g., Law No. 129 of July 17, 2008, as amended).

**Note:** This BCSM regulation provides specific rules and operational guidelines for VASPs to comply with the AML/CFT Law.

**No Licensed DLT Service Providers (as of last major assessment):** A key finding from the MONEYVAL (Council of Europe anti-money laundering body) "Fifth Round Mutual Evaluation Report on San Marino" published in July 2022 stated:

**Focus on Regulatory Framework Development:** San Marino has been more focused on building its regulatory framework. The BCSM is the primary regulator and issues circulars and regulations. Their focus in recent years has been on establishing robust AML/CFT measures for new technologies.

**Discretionary Enforcement/Lack of High-Profile Cases:** In smaller jurisdictions, enforcement actions, if they occur, might not always be widely publicized, especially if they are against smaller, unlicensed operations or result in administrative warnings rather than significant public penalties. It's also possible that San Marino hasn't experienced high-profile crypto-related financial crimes or major non-compliance incidents warranting significant public enforcement.

**Regulator Name:** Banca Centrale della Repubblica di San Marino (BCSM)

**Relevant Legislation:** Law No. 195 of 2020 on Distributed Ledger Technology (DLT) and subsequent BCSM regulations and circulars implementing AML/CFT measures.

**Title:** MONEYVAL Fifth Round Mutual Evaluation Report on San Marino

**Banca Centrale della Repubblica di San Marino (BCSM) Official Website:**

*The BCSM website provides official information on regulations, circulars, and the financial sector, but a search of their press releases or supervisory actions sections does not reveal specific crypto enforcement actions meeting the requested criteria within the timeframe.*