Timor-Leste -- AML/CFT Compliance Regulatory Overview

**Law No. 3/2011 on Prevention and Combat of Money Laundering and Financing of Terrorism (Lei N.º 3/2011 de Prevenção e Combate ao Branqueamento de Capitais e ao Financiamento do Terrorismo)**: This is the foundational law that establishes the framework for AML/CFT in Timor-Leste. It defines money laundering and terrorist financing offenses, sets out reporting obligations for financial institutions and designated non-financial businesses and professions (DNFBPs), and establishes the Financial Intelligence Unit (FIU).

**Banco Central de Timor-Leste (BCTL - Central Bank of Timor-Leste)**:

The BCTL is responsible for the overall supervision of financial institutions in Timor-Leste, including ensuring their compliance with AML/CFT requirements.

**Unidade de Informação Financeira (UIF) / Financial Intelligence Unit (FIU) of Timor-Leste**:

The UIF operates within or in close coordination with the BCTL and is the central national agency responsible for receiving, analyzing, and disseminating suspicious transaction reports (STRs) to law enforcement agencies.

While there might not be a separate public website for the UIF, its functions are integral to the BCTL's regulatory mandate.

**For individuals:** Obtain and verify identity using reliable, independent source documents, data, or information (e.g., full legal name, date of birth, nationality, residential address, unique identification number from government-issued ID like passport or national ID card).

**For legal entities (companies):** Obtain and verify the company's name, legal form, proof of existence, powers that regulate and bind the legal person, names of relevant persons holding senior management positions, and identify and verify beneficial owners (those who ultimately own or control more than a certain percentage, typically 25% or 10%).

**Understanding the Purpose and Intended Nature of the Business Relationship:** VASPs must understand why a customer wants to use their services and how they intend to use them.

**Ongoing Monitoring:** Continuously monitor transactions and the business relationship to ensure they are consistent with the VASP's knowledge of the customer, their business, and risk profile. This includes scrutinizing transactions to ensure they are not suspicious.

Apply EDD measures for higher-risk categories, including but not limited to:

Customers from high-risk geographic locations (as identified by FATF or national lists)

Complex, unusually large transactions, or unusual patterns of transactions that have no apparent economic or lawful purpose.

Business relationships and transactions with no face-to-face contact.

May apply SDD in clearly defined lower-risk situations, after a thorough risk assessment, but full CDD should always be available if required.

**Obligation to Report:** VASPs are obligated to report to the **Unidade de Informação Financeira (UIF)** any transaction, regardless of its value, where they have reasonable grounds to suspect that:

The funds are the proceeds of criminal activity (money laundering).

The funds are linked to terrorist financing.

**"No Tipping-Off" Rule:** VASPs, their directors, officers, and employees are prohibited from disclosing to the customer or any third party that an STR has been or will be submitted to the UIF.

**Customer Identification Data:** All records obtained through CDD procedures (e.g., copies of identification documents, verification data). These must be kept for at least **five (5) years** after the business relationship has ended.

**Transaction Records:** All records relating to transactions (e.g., amounts, currencies, dates, parties involved, account numbers, virtual asset wallet addresses/transaction IDs). These must be kept for at least **five (5) years** from the date of the transaction.

Records must be sufficient to permit the reconstruction of individual transactions and to provide evidence for prosecution of criminal activity.

**Registration/Licensing:** While specific VASP licensing might not be fully established, VASPs may be required to register or obtain a license from the BCTL as a "financial institution" or similar entity, depending on the nature of their services. VASPs should proactively inquire with the BCTL regarding any registration requirements.

**FATF Compliance:** Due to Timor-Leste's commitment to FATF standards, VASPs are strongly advised to adhere strictly to the FATF Recommendations for Virtual Assets and VASPs, including the "Travel Rule" (FATF Recommendation 16), which requires VASPs to obtain and transmit originator and beneficiary information for virtual asset transfers.

**Evolution of Regulations:** The regulatory landscape for virtual assets is constantly evolving. VASPs should monitor announcements from the BCTL and the Timor-Leste government for any new or updated guidance or legislation pertaining specifically to virtual assets.

**Law No. 7/2011 on the Prevention and Combating of Money Laundering and Financing of Terrorism (and subsequent regulations/amendments):** This law establishes the legal framework for AML/CTF in Timor-Leste and requires financial institutions (which VASPs are increasingly treated as under international standards) to implement measures to prevent and detect money laundering and terrorist financing, including compliance with international sanctions.

**Requirement:** As a UN member state, Timor-Leste is legally obligated to implement sanctions resolutions adopted by the UN Security Council. This means any VASP operating in or connected to Timor-Leste must comply with these sanctions.

**Freezing Assets:** Immediately freeze funds and other assets of individuals and entities designated by the UN Security Council as terrorists, proliferators, or subject to other sanctions.

**Prohibition of Services:** Refrain from making funds or economic resources available, directly or indirectly, to sanctioned individuals or entities.

**Reporting:** Report any frozen assets or attempted transactions involving sanctioned parties to the relevant authorities (likely the BCTL and/or the national financial intelligence unit).

**Sanctioned Entity Screening:** Screen all customers and transactions against the **UN Security Council Consolidated List**.

**Legal Reference:** UN Security Council Resolutions, accessible at: https://www.un.org/securitycouncil/sanctions/information

**OFAC (U.S.) Sanctions (Extraterritorial Reach):**

**Requirement:** The U.S. Office of Foreign Assets Control (OFAC) administers and enforces U.S. economic and trade sanctions programs. These sanctions have significant extraterritorial reach, meaning they can apply to non-U.S. persons and entities if they:

Use U.S.-origin technology or software.

Involve U.S. persons or entities (e.g., U.S.-based crypto exchanges, stablecoin issuers).

Touch the U.S. financial system in any way.

**Obligations for VASPs:** VASPs in Timor-Leste dealing with any U.S. nexus must:

**Geographic Restrictions:** Prohibit transactions with sanctioned countries/regions (e.g., Iran, North Korea, Cuba, Syria, specific regions of Ukraine/Russia).

**Prohibition of Services:** Not facilitate transactions or provide services to OFAC-sanctioned individuals, entities, or jurisdictions.

**Legal Reference:** OFAC's website and compliance guidance: https://home.treasury.gov/policy-issues/office-of-foreign-assets-control-sanctions

**Requirement:** The European Union implements its own autonomous sanctions regimes. These can apply to VASPs in Timor-Leste if they:

Deal with EU persons or entities.

Use EU-based services or infrastructure.

Involve EU-regulated stablecoins or virtual assets.

**Obligations for VASPs:** Similar to OFAC, VASPs must:

**Sanctioned Entity Screening:** Screen against the **EU Sanctions Map** and the consolidated list of persons, groups, and entities subject to EU financial sanctions.

**Geographic Restrictions:** Adhere to restrictions concerning sanctioned countries/regions.

**Legal Reference:** EU Sanctions Map and relevant legal acts: https://www.sanctionsmap.eu/

**Customer Due Diligence (CDD) / Know Your Customer (KYC):** Screening all new and existing customers against relevant sanctions lists upon onboarding and on an ongoing basis.

**Transaction Monitoring:** Monitoring transactions for patterns or beneficiaries that might indicate a sanctions violation.

**Ultimate Beneficial Ownership (UBO) Screening:** Identifying and screening the true owners of legal entities.

**Source of Funds/Wealth:** Investigating the origin of assets, especially for high-risk customers or transactions.

**UN Security Council Consolidated List:** https://www.un.org/securitycouncil/sanctions/information

**OFAC Specially Designated Nationals (SDN) List:** https://home.treasury.gov/policy-issues/office-of-foreign-assets-control-sanctions/specially-designated-nationals-and-blocked-persons-list-sdn-human-readable-lists

**EU Consolidated Financial Sanctions List:** https://www.sanctionsmap.eu/ (searchable database)

Russia (specific entities, individuals, and sectors, particularly in relation to Ukraine)

Designated regions like Crimea, Donetsk, Luhansk, Zaporizhzhia, and Kherson (Ukraine).

Violations of Timor-Leste's **Law No. 7/2011 on the Prevention and Combating of Money Laundering and Financing of Terrorism** (which would include failure to implement UN sanctions) can result in:

**Fines:** Significant monetary penalties for institutions.

**Imprisonment:** For individuals involved in serious breaches.

**Loss of License/Operating Authority:** For financial entities.

Specific penalty details would be outlined in the law itself or its implementing regulations, which are generally aligned with international AML/CTF standards.

Non-compliance with OFAC or EU sanctions, even by entities outside their direct jurisdiction, can lead to severe consequences:

**Blocking/Designation:** The VASP itself could be placed on the SDN list or an EU sanctions list, effectively cutting it off from the global financial system.

**Financial Penalties:** Massive fines levied by U.S. or EU authorities.

**Reputational Damage:** Significant harm to the VASP's brand and trustworthiness.

**Loss of Access:** Inability to access crucial services, banking relationships, stablecoin issuers, and international crypto exchanges that comply with OFAC/EU rules.

**No.** Timor-Leste has not yet adopted specific legislation to regulate VASPs or to implement the FATF Travel Rule for virtual assets. The APG MER for Timor-Leste (adopted July 2021) identified significant gaps in this area. It noted that virtual assets and VASPs were not defined or covered by the existing AML/CFT legal framework. Recommendation 15 (New Technologies) and Recommendation 16 (Wire Transfers, extended to VA transfers) were rated as Non-Compliant (NC) for VASPs due to the absence of the necessary legal and regulatory framework.

While Timor-Leste has a foundational AML/CFT law (e.g., Law No. 7/2011 on Prevention and Combating of Money Laundering and Financing of Terrorism), it does not extend to virtual assets or VASPs.

**N/A.** Since the framework has not been adopted, there is no effective date for the Travel Rule concerning VASPs in Timor-Leste.

**N/A for VASPs.** Because VASPs are not regulated, there are no specific threshold amounts established for them under an AML/CFT context for the Travel Rule. For traditional financial institutions, Timor-Leste's AML framework would apply thresholds for wire transfers as per FATF Recommendation 16 (e.g., EUR 1,000 for full originator/beneficiary information), but this does not currently extend to virtual assets.

**None, explicitly.** VASPs are not currently defined or subject to AML/CFT obligations in Timor-Leste's legal framework. This means that entities that would typically be considered VASPs (e.g., exchanges, custodians) are not regulated for AML/CFT purposes, and thus the Travel Rule does not apply to them.

**N/A.** As there is no legal requirement for VASPs to implement the Travel Rule, there are no technical implementation standards or requirements in place.

**N/A for VASPs regarding the Travel Rule.** Since VASPs are not regulated under the AML/CFT framework, there are no specific penalties for their non-compliance with the Travel Rule. Penalties would apply to traditional financial institutions for failures related to traditional wire transfers under the existing AML/CFT law.

**APG Mutual Evaluation Report of Timor-Leste (adopted July 2021):**

This is the primary source of information regarding Timor-Leste's compliance with FATF Recommendations, including those related to virtual assets and VASPs. The report explicitly details the deficiencies in regulating VASPs.

**Banco Central de Timor-Leste (BCTL):**

The BCTL is the primary regulatory authority for financial services in Timor-Leste and would be responsible for issuing any future regulations concerning VASPs. Their official website is the place to monitor for updates.