Timor-Leste

**Lack of Specific Regulation is Not the Same as Legality or Full Freedom:** While there are no crypto-specific licenses, any entity operating within Timor-Leste would still be subject to general business laws, tax laws, and potentially, if their activities could be interpreted as traditional financial services, existing financial sector legislation overseen by the Banco Central de Timor-Leste (BCTL).

**AML/CFT Obligations:** Even without specific VASP regulation, Timor-Leste, as a member of the international community, is subject to the recommendations of the Financial Action Task Force (FATF). Its existing Anti-Money Laundering (AML) and Counter-Financing of Terrorism (CFT) laws (such as Law No. 2/2011 on the Prevention and Combat of Money Laundering and Financing of Terrorism, and any subsequent updates) would apply to financial institutions and designated non-financial businesses and professions (DNFBPs). The BCTL and other relevant authorities would expect any entity involved in financial transactions, even those involving virtual assets, to have robust AML/KYC controls in place to prevent illicit activities.

**No specific licenses are currently required for crypto-specific activities.**

If a service provider's activities blur the lines with traditional financial services (e.g., holding fiat currency deposits, facilitating fiat-to-fiat transfers through crypto, or providing lending services in fiat backed by crypto), they might inadvertently fall under existing financial services laws and require a license as a financial institution, payment service provider, or money service business from the BCTL. However, for pure crypto-to-crypto activities or non-custodial wallets, there is no direct precedent or requirement.

**Neither a specific registration nor a licensing regime exists for VASPs.**

Traditional financial institutions (banks, payment service providers, insurance companies, microfinance institutions) are licensed by the BCTL.

**Capital Requirements:** No specific capital requirements for VASPs as there are no specific licenses. If a business were to seek a traditional financial license (e.g., as a payment service provider), then the BCTL's requirements for that specific license would apply, which include significant capital.

**AML/KYC (Anti-Money Laundering/Know Your Customer):** This is the most critical area. While specific VASP regulations are absent, any business engaging in financial activities, including those involving virtual assets, is strongly advised to implement robust AML/KYC procedures. This includes:

Customer due diligence (identifying and verifying customers).

Monitoring transactions for suspicious activity.

Reporting suspicious transactions to the national Financial Intelligence Unit (FIU), likely housed within the Ministry of Finance or Central Bank.

The general AML/CFT laws of Timor-Leste (e.g., Law No. 2/2011) would be the guiding principles. Failure to comply with these general obligations could lead to criminal charges if illicit activities are facilitated.

**Local Presence:** No specific local presence requirements for VASPs given the lack of specific regulation. However, to operate any business in Timor-Leste, general company registration and business licensing laws would apply, which typically require a registered office and local representation.

**There is no specific application process for crypto licenses** as they do not exist.

For traditional financial licenses, the application process would involve submitting detailed business plans, financial projections, governance structures, and compliance frameworks to the Banco Central de Timor-Leste, adhering to their specific directives for the type of license sought.

**Banco Central de Timor-Leste (BCTL):**

This is the central bank and the primary financial regulator in Timor-Leste.

You would typically find information on their website under sections like "Legislation," "Financial Sector Supervision," or "Laws and Regulations" for general financial institutions.

**Relevant General Legislation (though not crypto-specific):**

**Law on the Central Bank of Timor-Leste:** Establishes the BCTL's powers and functions.

**Financial Institutions Law:** Governs the licensing and supervision of traditional financial institutions (banks, credit unions, etc.).

**Law on Payment Systems:** Regulates payment service providers and systems.

**Law No. 2/2011 on the Prevention and Combat of Money Laundering and Financing of Terrorism:** This is Timor-Leste's primary AML/CFT law. While it likely does not explicitly mention "virtual assets" or "VASPs," its general provisions apply to entities engaged in financial activities and would be the basis for any enforcement action related to money laundering or terrorism financing through crypto. Finding the official, current version of this law online through a public government portal can be challenging for Timor-Leste. You may need to consult local legal resources.

**Monitor official announcements** from the Banco Central de Timor-Leste and the Timorese government for any new draft legislation or policies.

**Not Legal Tender:** Cryptocurrencies are not recognized as legal tender in Timor-Leste.

**High Volatility and Risk:** Emphasizing the speculative nature, price volatility, and potential for significant losses.

**Lack of Regulatory Protection:** Stressing that consumers engaging in crypto activities are not protected by existing financial regulations or deposit guarantee schemes.

**Potential for Scams and Money Laundering:** Warning about the use of cryptocurrencies in fraudulent schemes and illicit financial activities.

**Banco Central de Timor-Leste (BCTL) Official Website:**

**Law No. 3/2011 on Prevention and Combat of Money Laundering and Financing of Terrorism (Lei N.º 3/2011 de Prevenção e Combate ao Branqueamento de Capitais e ao Financiamento do Terrorismo)**: This is the foundational law that establishes the framework for AML/CFT in Timor-Leste. It defines money laundering and terrorist financing offenses, sets out reporting obligations for financial institutions and designated non-financial businesses and professions (DNFBPs), and establishes the Financial Intelligence Unit (FIU).

**Banco Central de Timor-Leste (BCTL - Central Bank of Timor-Leste)**:

The BCTL is responsible for the overall supervision of financial institutions in Timor-Leste, including ensuring their compliance with AML/CFT requirements.

**Unidade de Informação Financeira (UIF) / Financial Intelligence Unit (FIU) of Timor-Leste**:

The UIF operates within or in close coordination with the BCTL and is the central national agency responsible for receiving, analyzing, and disseminating suspicious transaction reports (STRs) to law enforcement agencies.

While there might not be a separate public website for the UIF, its functions are integral to the BCTL's regulatory mandate.

**For individuals:** Obtain and verify identity using reliable, independent source documents, data, or information (e.g., full legal name, date of birth, nationality, residential address, unique identification number from government-issued ID like passport or national ID card).

**For legal entities (companies):** Obtain and verify the company's name, legal form, proof of existence, powers that regulate and bind the legal person, names of relevant persons holding senior management positions, and identify and verify beneficial owners (those who ultimately own or control more than a certain percentage, typically 25% or 10%).

**Understanding the Purpose and Intended Nature of the Business Relationship:** VASPs must understand why a customer wants to use their services and how they intend to use them.

**Ongoing Monitoring:** Continuously monitor transactions and the business relationship to ensure they are consistent with the VASP's knowledge of the customer, their business, and risk profile. This includes scrutinizing transactions to ensure they are not suspicious.

Apply EDD measures for higher-risk categories, including but not limited to:

Customers from high-risk geographic locations (as identified by FATF or national lists)

Complex, unusually large transactions, or unusual patterns of transactions that have no apparent economic or lawful purpose.

Business relationships and transactions with no face-to-face contact.

May apply SDD in clearly defined lower-risk situations, after a thorough risk assessment, but full CDD should always be available if required.

**Obligation to Report:** VASPs are obligated to report to the **Unidade de Informação Financeira (UIF)** any transaction, regardless of its value, where they have reasonable grounds to suspect that:

The funds are the proceeds of criminal activity (money laundering).

The funds are linked to terrorist financing.

**"No Tipping-Off" Rule:** VASPs, their directors, officers, and employees are prohibited from disclosing to the customer or any third party that an STR has been or will be submitted to the UIF.

**Customer Identification Data:** All records obtained through CDD procedures (e.g., copies of identification documents, verification data). These must be kept for at least **five (5) years** after the business relationship has ended.

**Transaction Records:** All records relating to transactions (e.g., amounts, currencies, dates, parties involved, account numbers, virtual asset wallet addresses/transaction IDs). These must be kept for at least **five (5) years** from the date of the transaction.

Records must be sufficient to permit the reconstruction of individual transactions and to provide evidence for prosecution of criminal activity.

**Registration/Licensing:** While specific VASP licensing might not be fully established, VASPs may be required to register or obtain a license from the BCTL as a "financial institution" or similar entity, depending on the nature of their services. VASPs should proactively inquire with the BCTL regarding any registration requirements.

**FATF Compliance:** Due to Timor-Leste's commitment to FATF standards, VASPs are strongly advised to adhere strictly to the FATF Recommendations for Virtual Assets and VASPs, including the "Travel Rule" (FATF Recommendation 16), which requires VASPs to obtain and transmit originator and beneficiary information for virtual asset transfers.

**Evolution of Regulations:** The regulatory landscape for virtual assets is constantly evolving. VASPs should monitor announcements from the BCTL and the Timor-Leste government for any new or updated guidance or legislation pertaining specifically to virtual assets.

**Law No. 7/2011 on the Prevention and Combating of Money Laundering and Financing of Terrorism (and subsequent regulations/amendments):** This law establishes the legal framework for AML/CTF in Timor-Leste and requires financial institutions (which VASPs are increasingly treated as under international standards) to implement measures to prevent and detect money laundering and terrorist financing, including compliance with international sanctions.

**Requirement:** As a UN member state, Timor-Leste is legally obligated to implement sanctions resolutions adopted by the UN Security Council. This means any VASP operating in or connected to Timor-Leste must comply with these sanctions.

**Freezing Assets:** Immediately freeze funds and other assets of individuals and entities designated by the UN Security Council as terrorists, proliferators, or subject to other sanctions.

**Prohibition of Services:** Refrain from making funds or economic resources available, directly or indirectly, to sanctioned individuals or entities.

**Reporting:** Report any frozen assets or attempted transactions involving sanctioned parties to the relevant authorities (likely the BCTL and/or the national financial intelligence unit).

**Sanctioned Entity Screening:** Screen all customers and transactions against the **UN Security Council Consolidated List**.

**Legal Reference:** UN Security Council Resolutions, accessible at: https://www.un.org/securitycouncil/sanctions/information

**OFAC (U.S.) Sanctions (Extraterritorial Reach):**

**Requirement:** The U.S. Office of Foreign Assets Control (OFAC) administers and enforces U.S. economic and trade sanctions programs. These sanctions have significant extraterritorial reach, meaning they can apply to non-U.S. persons and entities if they:

Use U.S.-origin technology or software.

Involve U.S. persons or entities (e.g., U.S.-based crypto exchanges, stablecoin issuers).

Touch the U.S. financial system in any way.

**Obligations for VASPs:** VASPs in Timor-Leste dealing with any U.S. nexus must:

**Geographic Restrictions:** Prohibit transactions with sanctioned countries/regions (e.g., Iran, North Korea, Cuba, Syria, specific regions of Ukraine/Russia).

**Prohibition of Services:** Not facilitate transactions or provide services to OFAC-sanctioned individuals, entities, or jurisdictions.

**Legal Reference:** OFAC's website and compliance guidance: https://home.treasury.gov/policy-issues/office-of-foreign-assets-control-sanctions

**Requirement:** The European Union implements its own autonomous sanctions regimes. These can apply to VASPs in Timor-Leste if they:

Deal with EU persons or entities.

Use EU-based services or infrastructure.

Involve EU-regulated stablecoins or virtual assets.

**Obligations for VASPs:** Similar to OFAC, VASPs must:

**Sanctioned Entity Screening:** Screen against the **EU Sanctions Map** and the consolidated list of persons, groups, and entities subject to EU financial sanctions.

**Geographic Restrictions:** Adhere to restrictions concerning sanctioned countries/regions.

**Legal Reference:** EU Sanctions Map and relevant legal acts: https://www.sanctionsmap.eu/

**Customer Due Diligence (CDD) / Know Your Customer (KYC):** Screening all new and existing customers against relevant sanctions lists upon onboarding and on an ongoing basis.

**Transaction Monitoring:** Monitoring transactions for patterns or beneficiaries that might indicate a sanctions violation.

**Ultimate Beneficial Ownership (UBO) Screening:** Identifying and screening the true owners of legal entities.

**Source of Funds/Wealth:** Investigating the origin of assets, especially for high-risk customers or transactions.

**UN Security Council Consolidated List:** https://www.un.org/securitycouncil/sanctions/information

**OFAC Specially Designated Nationals (SDN) List:** https://home.treasury.gov/policy-issues/office-of-foreign-assets-control-sanctions/specially-designated-nationals-and-blocked-persons-list-sdn-human-readable-lists

**EU Consolidated Financial Sanctions List:** https://www.sanctionsmap.eu/ (searchable database)

Russia (specific entities, individuals, and sectors, particularly in relation to Ukraine)

Designated regions like Crimea, Donetsk, Luhansk, Zaporizhzhia, and Kherson (Ukraine).

Violations of Timor-Leste's **Law No. 7/2011 on the Prevention and Combating of Money Laundering and Financing of Terrorism** (which would include failure to implement UN sanctions) can result in:

**Fines:** Significant monetary penalties for institutions.

**Imprisonment:** For individuals involved in serious breaches.

**Loss of License/Operating Authority:** For financial entities.

Specific penalty details would be outlined in the law itself or its implementing regulations, which are generally aligned with international AML/CTF standards.

Non-compliance with OFAC or EU sanctions, even by entities outside their direct jurisdiction, can lead to severe consequences:

**Blocking/Designation:** The VASP itself could be placed on the SDN list or an EU sanctions list, effectively cutting it off from the global financial system.

**Financial Penalties:** Massive fines levied by U.S. or EU authorities.

**Reputational Damage:** Significant harm to the VASP's brand and trustworthiness.

**Loss of Access:** Inability to access crucial services, banking relationships, stablecoin issuers, and international crypto exchanges that comply with OFAC/EU rules.

**No.** Timor-Leste has not yet adopted specific legislation to regulate VASPs or to implement the FATF Travel Rule for virtual assets. The APG MER for Timor-Leste (adopted July 2021) identified significant gaps in this area. It noted that virtual assets and VASPs were not defined or covered by the existing AML/CFT legal framework. Recommendation 15 (New Technologies) and Recommendation 16 (Wire Transfers, extended to VA transfers) were rated as Non-Compliant (NC) for VASPs due to the absence of the necessary legal and regulatory framework.

While Timor-Leste has a foundational AML/CFT law (e.g., Law No. 7/2011 on Prevention and Combating of Money Laundering and Financing of Terrorism), it does not extend to virtual assets or VASPs.

**N/A.** Since the framework has not been adopted, there is no effective date for the Travel Rule concerning VASPs in Timor-Leste.

**N/A for VASPs.** Because VASPs are not regulated, there are no specific threshold amounts established for them under an AML/CFT context for the Travel Rule. For traditional financial institutions, Timor-Leste's AML framework would apply thresholds for wire transfers as per FATF Recommendation 16 (e.g., EUR 1,000 for full originator/beneficiary information), but this does not currently extend to virtual assets.

**None, explicitly.** VASPs are not currently defined or subject to AML/CFT obligations in Timor-Leste's legal framework. This means that entities that would typically be considered VASPs (e.g., exchanges, custodians) are not regulated for AML/CFT purposes, and thus the Travel Rule does not apply to them.

**N/A.** As there is no legal requirement for VASPs to implement the Travel Rule, there are no technical implementation standards or requirements in place.

**N/A for VASPs regarding the Travel Rule.** Since VASPs are not regulated under the AML/CFT framework, there are no specific penalties for their non-compliance with the Travel Rule. Penalties would apply to traditional financial institutions for failures related to traditional wire transfers under the existing AML/CFT law.

**APG Mutual Evaluation Report of Timor-Leste (adopted July 2021):**

This is the primary source of information regarding Timor-Leste's compliance with FATF Recommendations, including those related to virtual assets and VASPs. The report explicitly details the deficiencies in regulating VASPs.

**Banco Central de Timor-Leste (BCTL):**

The BCTL is the primary regulatory authority for financial services in Timor-Leste and would be responsible for issuing any future regulations concerning VASPs. Their official website is the place to monitor for updates.

There are **no specific licensing requirements** for cryptocurrency custodians or digital asset service providers in Timor-Leste.

Any entity operating within the financial sector might fall under the general oversight of the Banco Central de Timor-Leste (BCTL), but this would be for traditional financial activities, not specifically for digital asset custody.

**Segregation of Client Assets Rules:**

**No specific rules** mandate the segregation of client digital assets from a custodian's proprietary assets.

In traditional financial services, such segregation is a common prudential requirement, but it has not been extended to digital assets through specific legislation.

**No specific insurance or bonding requirements** for cryptocurrency custodians are in place.

Traditional financial institutions operating in Timor-Leste might have general insurance requirements, but these would not cover the specific risks associated with digital asset custody.

There are **no mandates** regarding the use of cold storage or specific security protocols for digital assets.

Best practices for digital asset security would suggest cold storage, but it is not a regulatory requirement.

**No official definition** of a "qualified custodian" specifically for digital assets exists within Timor-Leste's regulatory framework.

There is **no publicly announced or pending legislation** specifically addressing cryptocurrency custody.

Timor-Leste, like all countries, is subject to international AML/CTF standards, particularly through the Financial Action Task Force (FATF) and the Asia/Pacific Group on Money Laundering (APG). The FATF has issued guidance for Virtual Asset Service Providers (VASPs), which would include custodians. While Timor-Leste has enacted AML/CTF laws (e.g., Law No. 7/2021 on the Prevention and Combating of Money Laundering and Terrorist Financing), it is not clear if these explicitly define or impose specific regulatory obligations on VASPs beyond general reporting requirements. The focus is usually on identifying and reporting suspicious transactions, not on specific operational or custody-related requirements.

**Banco Central de Timor-Leste (BCTL) Official Website:**

Their focus remains on traditional banking, insurance, and payment systems.

**Timor-Leste AML/CTF Law (Law No. 7/2021):** While this law addresses anti-money laundering and terrorist financing, it is a general framework. For it to impact crypto custody specifically, it would need to explicitly define "virtual assets" and "virtual asset service providers" and then assign specific obligations to them beyond just reporting. Without explicit provisions, it's difficult to infer specific custody requirements. Details are typically found within the legal framework section of the BCTL or Ministry of Finance websites.