Turks and Caicos

**Exchange between virtual assets and fiat currencies.**

**Exchange between one or more forms of virtual assets.**

**Safekeeping or administration of virtual assets or instruments enabling control over virtual assets.** (This specifically covers **custody providers**).

**Participation in, and provision of financial services related to, an issuer’s offer and/or sale of a virtual asset.**

**Operation of a trading platform for virtual assets.** (This covers **exchanges**).

**Exchanges:** Clearly require a license for activities like exchanging virtual assets with fiat, exchanging between different virtual assets, and operating a trading platform.

**Custody Providers:** Explicitly require a license for safekeeping or administration of virtual assets.

**Payment Processors:** If their processing involves the "transfer of virtual assets" or facilitating payments through virtual assets (e.g., converting fiat to VA for payment, or VA to fiat upon receipt), they will require a license.

**General Virtual Asset Business License:** A minimum paid-up capital of **TCI$500,000**.

**Restricted Virtual Asset Business License:** A minimum paid-up capital of **TCI$250,000**. (This license may be granted for a more limited scope of activities or under specific conditions).

**Customer Due Diligence (CDD):** Implementing comprehensive policies and procedures for identifying and verifying customers' identities, including beneficial owners.

**Enhanced Due Diligence (EDD):** For higher-risk customers, politically exposed persons (PEPs), and complex transactions.

**Record Keeping:** Maintaining records of customer identification data and transaction details for at least five years.

**Transaction Monitoring:** Implementing systems to monitor transactions for suspicious activity.

**Suspicious Transaction Reports (STRs):** Reporting suspicious activities to the Financial Intelligence Agency (FIA) without tipping off the customer.

**Risk Assessments:** Conducting regular, comprehensive risk assessments of their business, customers, products, and geographies.

**Compliance Officer:** Appointing a qualified Money Laundering Reporting Officer (MLRO) and Deputy MLRO, responsible for AML/CFT compliance and reporting.

**Training:** Providing ongoing AML/CFT training to all relevant staff.

**Internal Controls:** Establishing robust internal controls to mitigate AML/CFT risks.

**Registered Office:** A VASP must maintain a registered office in the Turks and Caicos Islands.

**Resident Agent:** A VASP must appoint a resident agent in the Turks and Caicos Islands.

**Directors and Senior Management:** The FSC requires directors and senior management to be "fit and proper" individuals, demonstrating competence, integrity, and sound financial standing. At least one director must typically be a resident of TCI, or there must be significant local operational oversight.

**Key Personnel:** The MLRO, Deputy MLRO, and compliance officer positions are critical and subject to FSC approval.

**Cybersecurity:** Robust cybersecurity frameworks and measures to protect virtual assets, customer data, and operational integrity.

**Data Protection:** Compliance with TCI's data protection laws.

**Business Continuity & Disaster Recovery:** Plans to ensure continued operation and data recovery in case of disruption.

**Systems and Controls:** Secure and reliable systems for processing, storing, and managing virtual assets.

**Robust Policies and Procedures:** Comprehensive operational, risk management, compliance, and governance policies.

**Risk Management Framework:** A sound framework for identifying, assessing, monitoring, and mitigating all risks, including operational, financial, and reputational risks.

**Audits:** Annual external audits of financial statements and potentially compliance audits.

**Pre-Application Consultation (Optional but Recommended):** Engagement with the FSC to discuss the proposed business model and clarify regulatory expectations.

**Application Form:** Duly completed official application form.

**Detailed Business Plan:** Outlining the proposed activities, target market, operational structure, technology stack, marketing strategy, and financial projections (typically 3-5 years).

**Financial Information:** Proof of capital, audited financial statements (if applicable), and financial projections.

**Organizational Structure:** Details of the legal entity, shareholding structure, and group entities.

**Fit and Proper Documentation:** Comprehensive personal questionnaires, police clearances, professional references, and CVs for all directors, senior management, shareholders (above a certain threshold), and beneficial owners.

**AML/CFT Manuals:** Detailed policies and procedures for AML/KYC, transaction monitoring, and reporting.

**Risk Management Framework:** Documentation outlining risk assessment and mitigation strategies.

**Technology & Cybersecurity Documentation:** Details of IT systems, security protocols, and third-party vendor agreements.

**Legal Opinions:** Potentially, legal opinions on specific aspects of the virtual assets or business model.

**Proof of Local Presence:** Documentation for registered office and resident agent.

**Fees:** Payment of non-refundable application fees.

**FSC Review and Due Diligence:** The FSC will conduct thorough due diligence on the applicant, its principals, and its proposed operations. This may involve interviews, requests for additional information, and background checks.

**On-Site Inspection (Possible):** For more complex operations, the FSC may conduct an on-site inspection.

**Approval and Licensing:** Upon satisfaction that all requirements are met, the FSC will grant the Virtual Asset Business License.

**Ongoing Compliance:** Licensees are subject to continuous supervision, periodic reporting to the FSC, and compliance with all relevant laws and regulations.

**Turks and Caicos Islands Financial Services Commission (FSC):**

The FSC website is the primary resource for announcements, legislation, application forms, and guidance notes related to virtual asset businesses.

**Virtual Asset Business Act 2023 (VABA 2023):**

(Search for "Virtual Asset Business Act 2023" within this portal or check the "Acts" section for recent legislation.)

*Note:* As legislation updates, direct PDF links can change. The portal is the most reliable place for the current official version.

**Proceeds of Crime Act, 2017 (as amended):**

This is the primary AML/CFT legislation for TCI.

(Search for "Proceeds of Crime Act 2017".)

**Anti-Money Laundering Regulations, 2010 (as amended):**

These regulations provide detailed requirements for AML/CFT compliance.

(Search for "Anti-Money Laundering Regulations 2010".)

**Virtual Asset Service Providers Act 2023 (VASP Act 2023):** This is the cornerstone legislation specifically regulating VASPs. It defines what constitutes a VASP, sets out licensing and registration requirements, and crucially, brings VASPs under the existing AML/CFT framework, making them "financial institutions" for AML/CFT purposes.

**Proceeds of Crime Ordinance 2017 (as amended):** This ordinance defines money laundering offenses, establishes the framework for investigation, seizure, and confiscation of assets derived from criminal activity.

**Anti-Money Laundering Regulations 2023:** These regulations provide the detailed operational requirements for AML/CFT compliance, including customer due diligence, record-keeping, internal controls, and suspicious transaction reporting.

**Terrorism (Prevention) Ordinance 2011 (as amended):** This ordinance addresses terrorist financing, defining offenses and establishing mechanisms for freezing assets and reporting suspicious activities related to terrorism.

**Financial Services Commission Ordinance 2019 (as amended):** This ordinance establishes the Turks and Caicos Islands Financial Services Commission (TCIFSC) and outlines its powers and responsibilities, including supervision of financial institutions and VASPs.

When establishing a business relationship.

When conducting occasional transactions above a specified threshold (e.g., USD 1,000 for wire transfers, or as otherwise prescribed by regulation).

When there is a suspicion of money laundering or terrorist financing.

When the VASP has doubts about the veracity or adequacy of previously obtained identification data.

**Key Information to Obtain (for Individuals):**

Unique identification number (e.g., passport number, national ID card number, driver's license number).

Purpose and nature of the business relationship.

Source of funds and source of wealth, especially for high-risk customers or large transactions.

**Key Information to Obtain (for Legal Entities/Corporations):**

Registered address and principal place of business.

Legal form (e.g., company, partnership, trust).

Governing law and proof of existence (e.g., certificate of incorporation, partnership agreement).

Names and addresses of all directors, partners, or trustees.

**Beneficial Ownership:** Identification and verification of natural persons who ultimately own or control the customer (typically 10% or 25% ownership threshold, but VASPs must identify anyone who exerts ultimate control).

Source of funds and source of wealth for the entity and its beneficial owners.

Information must be verified using reliable, independent source documents, data, or information. This could include government-issued identification, utility bills, public databases, or credit reports.

For legal entities, verification might involve corporate registries, financial statements, and reputable public sources.

Continuously monitor the business relationship, including scrutiny of transactions undertaken throughout the course of that relationship, to ensure that the transactions are consistent with the VASP’s knowledge of the customer, their business, and risk profile.

Keep customer information up-to-date and conduct periodic reviews.

Implement a robust risk assessment methodology to identify, assess, and understand the ML/TF risks associated with different customers, products, services, delivery channels, and geographic areas.

Apply **Enhanced Due Diligence (EDD)** measures for higher-risk scenarios, such as:

Customers from high-risk geographic areas (FATF grey/black listed countries).

Complex or unusually large transactions.

Non-face-to-face business relationships (with specific verification measures).

**Simplified Due Diligence (SDD)** may be applied in strictly defined low-risk situations, where explicitly permitted by the regulations and with adequate justification.

**Obligation to Report:** VASPs are legally obligated to report any transaction (or attempted transaction) where they know, suspect, or have reasonable grounds to suspect that funds are the proceeds of criminal activity or are linked to terrorism financing.

**Reporting Authority:** All STRs must be submitted to the **Financial Intelligence Agency (FIA)** of Turks and Caicos.

**Internal Procedures:** VASPs must appoint a Money Laundering Reporting Officer (MLRO) and establish internal procedures for staff to report suspicions to the MLRO.

**No Tipping Off:** It is prohibited to "tip off" a customer or any third party that an STR has been filed or that an investigation is underway.

**Timeliness:** STRs must be filed promptly after the suspicion arises.

**Duration:** All records must be kept for a minimum of **five (5) years** after the business relationship has ended or after the date of an occasional transaction.

Copies of all customer identification and verification documents (e.g., passports, utility bills, corporate documents).

All transaction records, including details of the amount, currency, date, and parties involved in both fiat and virtual asset transactions.

Records of customer due diligence reviews and ongoing monitoring activities.

Business correspondence relating to customer accounts and transactions.

Records of all suspicious transaction reports filed.

Records of internal risk assessments and policies.

**Accessibility:** Records must be maintained in a manner that allows for rapid retrieval and access by the competent authorities (TCIFSC, FIA, law enforcement).

**Turks and Caicos Islands Financial Services Commission (TCIFSC)**

Licensing and registering VASPs under the VASP Act 2023.

Supervising VASPs to ensure ongoing compliance with AML/CFT legislation and regulations.

Issuing guidance notes and directives.

Imposing administrative penalties for non-compliance.

**Proceeds of Crime Ordinance (POCA), 2007 (as amended):** This is the principal AML/CFT legislation in TCI.

**Anti-Money Laundering and Counter-Terrorist Financing Regulations, 2010 (as amended):** These regulations provide detailed requirements for compliance. Significant amendments, particularly in **April 2021**, brought VASPs fully within the scope of AML/CFT obligations.

**FSC AML/CFT Supervisory Guidance for Virtual Asset Service Providers (VASPs):** The Financial Services Commission (FSC), as the primary regulator, has issued specific guidance to assist VASPs in understanding and complying with their obligations, including the Travel Rule.

**Cross-border transfers:** US$1,000 or EUR 1,000 or more.

**Domestic transfers:** US$3,000 or EUR 3,000 or more.

Exchanges between virtual assets and fiat currencies.

Exchanges between one or more forms of virtual assets.

Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets.

Participation in and provision of financial services related to an issuer's offer and/or sale of a virtual asset.

Name (of the customer who initiated the transfer).

Virtual asset wallet address (or other unique identifier) used for the transaction.

Geographical address, or national identity number, or customer identification number (i.e., not a transaction number) that uniquely identifies the originator to the originating VASP, or date and place of birth.

**Transmit Information:** The originating VASP must transmit this information to the beneficiary VASP immediately and securely, along with the virtual asset transfer.

**Receive and Maintain Information:** The beneficiary VASP must receive and maintain this information.

**Record Keeping:** All VASPs must maintain records of the collected and transmitted information for a minimum of five (5) years.

**Risk-Based Approach:** VASPs must implement a risk-based approach to identify and mitigate money laundering and terrorist financing risks, which includes screening for suspicious transactions and reporting them to the Financial Intelligence Agency (FIA).

**Administrative Penalties:** The FSC has powers to impose significant administrative fines on institutions and individuals, issue public statements, directives, and operational restrictions.

**Civil Penalties:** Orders to cease and desist, freezing of assets.

Substantial monetary fines (e.g., up to hundreds of thousands of dollars for institutions, and tens of thousands for individuals).

Imprisonment for individuals (e.g., up to 7 years) for serious offenses such as failure to report suspicious transactions, falsifying records, or obstruction.

Revocation or suspension of licenses to operate as a VASP.

**Proceeds of Crime Ordinance, 2007 (as amended):** Usually available on the Attorney General's Chambers website or through legal research databases.

**Requirement for Licensing:** Any entity providing "custody or administration of virtual assets or instruments enabling control over virtual assets on behalf of another natural or legal person" (as per the definition of a VASP in Section 3 of the VASP Act 2022) is required to be licensed by the TCI FSC.

**Application Process:** Applicants must submit a comprehensive application to the FSC, which includes:

Information on the applicant's corporate structure, ownership, and management.

Proof of financial soundness and capital adequacy.

Robust anti-money laundering (AML) and combating the financing of terrorism (CFT) policies and procedures.

Segregation of client assets policies.

**Fit and Proper Test:** All directors, senior officers, and significant shareholders are subject to "fit and proper" assessment by the FSC.

**Local Presence:** A licensed VASP must have a physical presence or designated contact in TCI.

**Virtual Asset Service Providers Act 2022**, Section 6 (Requirement to be Licensed).

TCI FSC Legislation Page (You may need to search for the specific Act once on the page, or navigate through the "Virtual Asset Services" section).

**Virtual Asset Service Providers Regulations 2023**, Regulation 3 (Application for License).

**Holding in Trust & Separate Accounts:** A licensed VASP must:

Hold client virtual assets in trust for the benefit of the client.

Maintain separate client accounts for each client.

**Protection from Insolvency:** Client virtual assets held by a VASP cannot be considered assets of the VASP in the event of its insolvency or winding-up, protecting clients from creditors.

*Specifically:* "A licensed VASP shall — (a) hold virtual assets or instruments enabling control over virtual assets in trust for and on behalf of its client; (b) maintain separate client accounts for its clients."

**Professional Indemnity Insurance:** Licensed VASPs are required to maintain adequate professional indemnity insurance or other comparable guarantee. The specific amount or nature of this "comparable guarantee" would be subject to FSC approval based on the VASP's business model and risk profile.

*Specifically:* "A licensed VASP shall — (c) maintain adequate professional indemnity insurance or other comparable guarantee to cover the risks associated with the safekeeping and management of virtual assets for clients."

**Policies and Procedures:** Licensed VASPs must establish and maintain sound policies and procedures for the secure storage and control of virtual assets.

**Cold Storage for Significant Proportion:** The regulations explicitly require the use of cold storage for a "significant proportion" of client virtual assets. This indicates a clear preference for offline storage for enhanced security against cyber threats.

**Secure Access Controls:** Procedures for secure access to virtual assets, including multi-factor authentication, robust private key management, and cryptographic security measures, are expected.

**Business Continuity and Disaster Recovery:** VASPs must have robust plans to ensure the continuity of services and the recovery of client assets in case of unforeseen events.

*Specifically:* "A licensed VASP shall — (e) establish and maintain sound policies and procedures for the secure storage and control of virtual assets or instruments enabling control over virtual assets."

*Specifically:* "A licensed VASP shall have appropriate — (d) policies and procedures for the secure storage of virtual assets, including the use of cold storage for a significant proportion of client virtual assets and the implementation of robust cryptographic security measures."

**International Sanctions (Prohibition of Financial Services) Regulations:** These regulations prohibit the provision of financial services to designated persons or entities under international sanctions.

**Specific Orders:** TCI also implements specific orders or regulations to give effect to particular UN Security Council Resolutions, for example, those related to proliferation financing or terrorism.

*General Link for TCI Legislation:* TCI Attorney General's Chambers publications often list current ordinances and regulations. While a single comprehensive link for all updated sanctions regulations can be elusive, the **FSC's Legislation & Regulations** page is the best starting point.

**Proceeds of Crime Ordinance (2022 Revised Edition):** This is the foundational legislation that criminalizes money laundering and terrorist financing, and provides for the confiscation of criminal proceeds.

Proceeds of Crime Ordinance (2022)

**Anti-Money Laundering Regulations (2022 Revised Edition):** These regulations set out the specific obligations for financial institutions, including VASPs, regarding customer due diligence (CDD), record-keeping, suspicious activity reporting, and compliance with sanctions.

**Virtual Asset Business Act (VABA) 2023:** This Act specifically regulates Virtual Asset Business in TCI. It mandates that VASPs comply with TCI's AML/CFT regime, including sanctions compliance.

*Legal Reference:* **Virtual Asset Business Act 2023, Sections 18-20** (Obligations regarding AML/CFT and financial crime prevention).

Virtual Asset Business Act 2023

**UN Sanctions:** TCI, through its implementation of UK law, is legally bound to enforce all UN Security Council resolutions imposing sanctions. These are automatically incorporated into UK domestic law and, by extension, TCI law.

**UK Sanctions:** VASPs in TCI must comply with the full scope of UK financial sanctions. This includes asset freezes, travel bans, trade restrictions, and other measures against designated persons, entities, and regimes. The UK's autonomous sanctions regime, established post-Brexit under the Sanctions and Anti-Money Laundering Act 2018 (SAMLA), is comprehensive.

*Legal Reference (indirect):* The TCI **International Sanctions (Amendment) Regulations 2020** and similar legislation ensure that UK sanctions made under SAMLA are applicable in TCI.

*Compliance Expectation:* VASPs must have robust systems to identify and block transactions involving individuals or entities on the UK Sanctions List.

**EU Sanctions:** While TCI is not directly bound by EU sanctions post-Brexit, the UK's autonomous sanctions regime often mirrors or aligns with EU sanctions. Therefore, compliance with UK sanctions will often cover the intent of EU sanctions.

**OFAC Sanctions:** While OFAC sanctions are not directly enacted by TCI law, any VASP operating in TCI that deals with U.S. dollar transactions, has U.S. customers, or interacts with U.S. financial institutions (e.g., through correspondent banking relationships) *must* comply with OFAC sanctions to avoid severe penalties from U.S. authorities and potential de-risking by financial partners. This is a critical practical compliance requirement for VASPs with any U.S. nexus.

*Compliance Expectation:* Prudent VASPs will screen against OFAC's Specially Designated Nationals (SDN) List and other relevant OFAC lists.

**VASP Specific Requirements (VABA & AML Regulations):**

The **Virtual Asset Business Act 2023** mandates that licensed VASPs establish and maintain effective AML/CFT compliance programs, which explicitly include sanctions compliance.

**Anti-Money Laundering Regulations (2022)** require financial institutions, including VASPs, to:

Implement a risk-based approach to identify, assess, and mitigate money laundering, terrorist financing, and proliferation financing risks.

Conduct comprehensive customer due diligence (CDD) and enhanced due diligence (EDD) where appropriate, including screening clients against sanctions lists.

Monitor transactions for suspicious activity, including potential sanctions evasion.

Report suspicious transactions to the Financial Intelligence Agency (FIA) of TCI.

**UK Sanctions List (Consolidated List of Financial Sanctions Targets):** This is the definitive list for direct TCI legal compliance, maintained by His Majesty's Treasury (HMT).

GOV.UK: Financial Sanctions: Consolidated List of Targets

This list incorporates all UN sanctions and UK autonomous sanctions.

**Practical Screening:** Given the global nature of virtual assets and correspondent banking relationships, most VASPs will also screen against:

**OFAC SDN List:** U.S. Department of the Treasury: Specially Designated Nationals List (SDN)

**EU Sanctions Map:** (For reference, even if not directly binding) EU Sanctions Map

**Anti-Money Laundering Regulations (2022), Regulation 12 (Internal Controls and Compliance):** Requires financial institutions to establish appropriate internal controls and compliance management arrangements, including policies and procedures for sanctions compliance.

**Virtual Asset Business Act 2023, Section 18:** Mandates VASPs to maintain AML/CFT policies and procedures, which includes sanctions screening as a critical component.

**Prohibited/Restricted Jurisdictions:** Transactions involving, or for the benefit of, individuals or entities in countries under comprehensive UK sanctions (e.g., Russia, Iran, North Korea, Syria, Myanmar, etc.) are generally prohibited or heavily restricted.

**Sectoral Sanctions:** Restrictions may also apply to specific sectors or types of activity within certain countries, rather than a full embargo.

**Crypto Implications:** VASPs must block or reject transactions originating from or destined for sanctioned jurisdictions, or involving individuals/entities associated with those jurisdictions, as identified by their IP addresses, wallet analysis, or customer information.

**Proceeds of Crime Ordinance (2022):** Offences related to money laundering and terrorist financing can result in imprisonment for several years and substantial fines.

**Sanctions Legislation:** Breaching sanctions regulations (e.g., providing financial services to a designated person) can lead to severe penalties, including lengthy imprisonment and heavy fines, as specified in the relevant sanctions enforcement regulations.

**FSC Enforcement Powers:** The Financial Services Commission has broad powers under the **Virtual Asset Business Act 2023** and other financial services legislation to impose administrative penalties, including:

Suspension or revocation of a VASP license.

Disqualification of individuals from holding management positions.

**VABA 2023, Part VI (Enforcement):** Outlines the FSC's powers for enforcement, including penalties for non-compliance with the Act and associated regulations.

**United Nations Security Council (UNSC) Sanctions:** All persons and entities designated by the UNSC for asset freezes are automatically included.

**United Kingdom Autonomous Sanctions:** Designations made unilaterally by the UK government under the Sanctions and Anti-Money Laundering Act 2018 (SAMLA) and subsequent regulations.