Holy See -- AML/CFT Compliance Regulatory Overview

**Autorità di Supervisione e Informazione Finanziaria (ASF) / Supervisory and Financial Information Authority**

**Law No. CCXCVII (297) of 15 December 2018, concerning Measures for the Protection of the Financial System and Countering Money Laundering and the Financing of Terrorism:** This is the foundational AML/CFT law that provides the general framework for financial institutions.

**Decree No. CCCLVI (356) of 19 May 2021, issued by the Secretariat of State (amending Law No. CCXCVII and introducing specific provisions for Virtual Assets and Virtual Asset Service Providers):** This crucial decree specifically brought virtual assets and VASPs under the Holy See's AML/CFT regulatory scope, implementing FATF Recommendation 15 and its Interpretive Note. It defines virtual assets and VASPs and subjects them to the same AML/CFT obligations as traditional financial institutions.

**Decree No. CCCLVI (356) of 19 May 2021**: This decree specifically:

Defines "Virtual Assets" (VAs) as a digital representation of value that can be digitally traded or transferred and used for payment or investment purposes.

Defines "Virtual Asset Service Provider" (VASP) as any natural or legal person who, as a business, conducts one or more of the following activities or operations for or on behalf of another natural or legal person:

Exchange between VAs and fiat currencies.

Exchange between one or more forms of VAs.

Safekeeping and/or administration of VAs or instruments enabling control over VAs.

Participation in and provision of financial services related to an issuer's offer and/or sale of a VA.

Subjects VASPs to the obligations specified in Law No. CCXCVII (2018) and subsequent regulations.

**Licensing/Registration:** VASPs are required to be authorized or registered by ASIF before commencing operations.

**Natural Persons:** Obtain and verify the identity of the customer and any beneficial owner using reliable, independent source documents, data, or information (e.g., passport, national ID card).

**Legal Entities/Arrangements:** Obtain and verify the legal entity's name, legal form, proof of existence, powers that regulate and bind the legal person, and the names of relevant persons holding senior management positions. Identify and verify the identity of beneficial owners (those holding 25% or more of the shares/voting rights, or exercising control through other means).

**Purpose and Nature of the Business Relationship:** Understand and, where appropriate, obtain information on the purpose and intended nature of the business relationship.

**Ongoing Monitoring:** Conduct ongoing monitoring of the business relationship and transactions undertaken throughout the course of the relationship to ensure they are consistent with the VASP's knowledge of the customer, their business, and risk profile. This includes scrutiny of transactions and the source of funds where necessary.

**Source of Funds/Wealth:** For higher-risk situations, VASPs must inquire about the source of funds and wealth of the customer.

**Politically Exposed Persons (PEPs):** Implement additional measures for customers who are PEPs, their family members, or close associates.

**High-Risk Jurisdictions:** Apply EDD to business relationships and transactions involving countries identified by FATF or ASIF as high-risk.

**Complex or Unusual Transactions:** Scrutinize transactions that are unusually large, complex, or have no apparent economic or lawful purpose.

**New Technologies/Products:** Evaluate the risks associated with new technologies or products, particularly those that might favor anonymity.

**Non-Face-to-Face Relationships:** Apply specific and adequate measures to compensate for the higher risk of non-face-to-face relationships.

**"Travel Rule" for VA Transfers:** Decree No. CCCLVI implements the FATF "Travel Rule," requiring VASPs to obtain, hold, and transmit originator and beneficiary information for VA transfers above a certain threshold (typically equivalent to EUR 1,000, but may be subject to specific ASIF instructions).

VASPs are obligated to report suspicious transactions to ASIF (acting as the FIU) without delay if they know, suspect, or have reasonable grounds to suspect that funds (including virtual assets) are proceeds of crime or are linked to terrorist financing.

The reporting obligation applies regardless of the amount of the transaction.

VASPs must refrain from executing the transaction if possible, or execute it after reporting if not doing so would alert the customer.

**Tipping-Off:** It is prohibited to disclose to the customer or third parties that a STR has been or will be submitted.

VASPs must retain all necessary records for at least **five years** following the completion of the transaction or the termination of the business relationship. This includes:

Identification and verification data obtained through CDD measures (e.g., copies of identification documents, account files).

Records of transactions, including the amounts, currencies, and types of virtual assets involved, and the identity of the parties to the transaction.

Records of analysis performed, especially regarding complex or suspicious transactions.

These records must be sufficient to permit reconstruction of individual transactions and to provide evidence for prosecution.

**Motu Proprio of Pope Francis of December 19, 2020**: This legislative act introduced important provisions regarding transparency, supervision, and financial information, explicitly mentioning the alignment of the Holy See/Vatican City State with international best practices in combating money laundering and the financing of terrorism, referring to the FATF recommendations. It updates the powers of ASIF to include supervision over "virtual asset service providers."

**Reference**: *Motu Proprio del Sommo Pontefice Francesco recante disposizioni in materia di trasparenza, vigilanza e informazione in campo finanziario* (Motu Proprio of the Supreme Pontiff Francis for certain provisions on matters of transparency, supervision and information in the field of finance), December 19, 2020.

**Regulation No. 1, 2021 (Implementazione delle norme sulla prevenzione e il contrasto del riciclaggio e del finanziamento del terrorismo)**: This is the key implementing regulation that details the AML/CTF obligations. It defines "virtual assets" and "virtual asset service providers (VASPs)" in line with FATF recommendations, bringing entities dealing with crypto under ASIF's supervision for AML/CTF purposes.

**Reference**: *Regolamento n. 1, 2021 – per l’attuazione delle norme sulla prevenzione e il contrasto del riciclaggio e del finanziamento del terrorismo* (Regulation No. 1, 2021 – for the implementation of the rules on the prevention and combating of money laundering and the financing of terrorism), January 21, 2021.

**No specific "crypto custody license" per se.** Instead, any entity offering virtual asset services, including custody, would be considered a **Virtual Asset Service Provider (VASP)**.

VASPs are explicitly brought under the scope of ASIF's supervision for AML/CTF purposes by the Motu Proprio of 2020 and Regulation No. 1, 2021. This means they are subject to registration/authorization and ongoing compliance with AML/CTF obligations.

**Key implication**: While not a standalone "custody license," performing custody services for virtual assets would require adherence to ASIF's regulatory oversight as a VASP, including reporting, due diligence, and other AML/CTF measures.

There are **no specific, detailed regulations mandating the segregation of client virtual assets** found within the Holy See's current public regulatory framework.

However, general principles of sound financial management and ethical conduct within any financial institution would strongly imply the necessity of segregating client assets from institutional assets. While not explicitly codified for crypto, this would likely be an expected best practice for any entity operating under ASIF's supervision, similar to traditional financial services.

There are **no specific regulations mandating insurance or bonding requirements for virtual asset custodians** within the Holy See's current public regulatory framework.

Such requirements are typically found in jurisdictions with more developed and specialized crypto regulatory frameworks focused on consumer protection or systemic risk.

There are **no specific regulations mandating cold storage** or other particular technical security measures for virtual assets held in custody.

Financial regulations in most jurisdictions (including the Holy See's AML/CTF rules) tend to focus on outcomes (e.g., prevention of theft, data integrity, access control) rather than prescribing specific technological solutions. Best practices in cybersecurity and operational resilience would dictate appropriate storage methods, but these are not regulatory mandates from ASIF's perspective.

The Holy See's framework, through Regulation No. 1, 2021, adopts definitions largely aligned with FATF.

**"Virtual Asset"**: Defined in Article 2, letter l) as "a digital representation of value that can be digitally traded or transferred and used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities and other financial assets."

**"Virtual Asset Service Provider (VASP)"**: Defined in Article 2, letter p) as "any natural or legal person that, as a business, carries out one or more of the following activities or operations for or on behalf of another natural or legal person:

**A "qualified custodian" in the context of the Holy See would be an entity meeting the definition of a VASP (specifically point 4: safekeeping and/or administration of virtual assets) and fulfilling the associated AML/CTF obligations under ASIF's supervision.** There is no separate, more stringent "qualified custodian" definition beyond that of a regulated VASP.

There is **no publicly announced or pending legislation specifically focused on detailed cryptocurrency custody rules** in the Holy See.

The framework established by the 2020 Motu Proprio and the 2021 Regulation is relatively recent (2020-2021) and reflects the Holy See's commitment to international AML/CTF standards for virtual assets. Any future developments are more likely to be updates to the broader AML/CTF regulations, interpretive guidance from ASIF, or adjustments to align with evolving FATF recommendations, rather than entirely new, crypto-specific custody laws.

**Law No. CCCLI of 8 October 2010 (as amended):** This is the foundational law concerning the prevention and contrast of money laundering and terrorist financing. It has been significantly updated by subsequent laws (e.g., Law No. CLXVII of 11 July 2013, Law No. CXCVI of 15 November 2018, and further amendments). These laws establish the regulatory framework and the powers of ASIF.

**ASIF Regulations:** ASIF issues specific regulations, instructions, and guidelines for supervised entities to implement the provisions of the laws.

**Implementation of UN Sanctions:** The Holy See is committed to implementing resolutions of the United Nations Security Council, particularly those concerning the freezing of assets related to terrorism financing and proliferation.

**Reference:** The relevant Holy See laws and ASIF regulations explicitly mandate the identification and freezing of funds and economic resources of individuals and entities designated by the UNSC.

**UN Sanctions Lists:** Financial institutions (and by extension, VASPs operating or dealing with the Holy See) are required to screen against the UN Consolidated Sanctions List.

**URL:** UN Security Council Sanctions Committees - List of individuals and entities

**FATF Recommendations and Moneyval:** The Holy See is a member of MONEYVAL (the Committee of Experts on the Evaluation of Anti-Money Laundering Measures and the Financing of Terrorism of the Council of Europe). MONEYVAL evaluates the Holy See's compliance with FATF Recommendations. This means that while FATF is not a sanctioning body, its standards (including those concerning virtual assets and VASPs) are influential in shaping the Holy See's AML/CFT regime.

**FATF Recommendation 15 (New Technologies):** Requires countries to assess and mitigate risks associated with virtual assets and VASPs, and to regulate VASPs for AML/CFT purposes, including implementing sanctions obligations.

**FATF Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers (2021):** Provides detailed guidance on applying FATF recommendations to VASPs, including customer due diligence, record-keeping, and sanctions screening.

**URL:** FATF Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers (2021)

**MONEYVAL Reports on Holy See:** These reports detail the Holy See's compliance and areas for improvement, directly influencing its legal framework.

**URL:** MONEYVAL - Holy See country page

**Extraterritorial Reach:** OFAC sanctions have broad extraterritorial reach. Any VASP, regardless of its location, that engages in transactions involving U.S. persons, U.S. financial institutions, U.S. dollar clearing, or entities on OFAC's Specially Designated Nationals (SDN) list, risks significant penalties.

**Crypto-Specific Guidance:** OFAC has issued guidance on sanctions compliance for the virtual currency industry, emphasizing that all entities subject to U.S. jurisdiction, and even foreign entities that transact with U.S. persons or use U.S. financial systems, must implement sanctions controls.

**Impact on VASPs in Holy See:** A VASP operating in or dealing with the Holy See must screen against OFAC lists (e.g., SDN List) to avoid being cut off from international financial systems and to avoid facilitating transactions with sanctioned entities.

**URL:** OFAC's Virtual Currency Guidance

**Indirect Influence:** While the Holy See is not an EU member, its financial institutions and any potential VASPs would inevitably interact with EU entities, customers, or financial systems. Non-compliance with EU sanctions could lead to reputational damage, de-risking by EU financial partners, and difficulties in accessing EU markets.

**EU Sanctions Maps:** The EU maintains various sanctions regimes.

**Perform Risk-Based Due Diligence:** Identify and verify the identity of their customers (KYC) and the beneficial owners.

**Ongoing Monitoring:** Continuously monitor transactions and customer relationships for suspicious activities.

**Screen Against Sanctions Lists:** Regularly screen customers, beneficial owners, and transaction counterparties against:

**UN Consolidated Sanctions List:** This is a direct legal requirement stemming from Holy See's domestic law implementing UNSC resolutions.

**OFAC SDN List & Other OFAC Lists:** Essential for global interoperability and avoiding U.S. secondary sanctions risk.

**EU Sanctions Lists:** Crucial for interactions with the European financial system.

**Freezing of Assets:** Immediately freeze funds and economic resources belonging to designated individuals and entities, and report the action to ASIF.

**Prohibition on Making Funds Available:** Prevent funds or economic resources from being made available to sanctioned persons or entities, directly or indirectly.

**High-Risk Jurisdictions:** The Holy See's AML/CFT framework, guided by FATF recommendations, requires enhanced due diligence for transactions involving high-risk jurisdictions identified by FATF (e.g., those on the FATF "Blacklist" or "Greylist").

**URL:** FATF High-Risk Jurisdictions subject to a Call for Action

**Sanctioned Countries:** Transactions involving countries under comprehensive UN, OFAC, or EU sanctions (e.g., North Korea, Iran in certain contexts, Cuba, Syria, etc.) would be highly restricted or prohibited. VASPs must implement controls to block or reject such transactions.

**Administrative Sanctions:** ASIF has the power to impose administrative fines, revoke licenses, or issue other administrative measures against institutions found to be non-compliant.

**Criminal Penalties:** Individuals or entities involved in money laundering, terrorist financing, or facilitating prohibited transactions (including sanctions evasion) can face criminal charges, which may include imprisonment and significant financial penalties under the Vatican's penal code and specific AML/CFT laws.

**Asset Seizure and Forfeiture:** Assets involved in or derived from illicit activities, including sanctions violations, can be frozen and subject to forfeiture.

**UN Sanctions Lists:** As a direct legal obligation.

**FATF Standards:** Which guide the regulation of virtual assets and VASPs for AML/CFT and sanctions compliance.

**International Best Practices:** Including adherence to OFAC and EU lists for practical reasons to maintain access to the global financial system.

**Payment Tokens:** Intended as a means of payment for goods and services.

**Utility Tokens:** Intended to provide access to a specific product or service on a blockchain platform.

**Asset-Referenced Tokens (ARTs) / E-money Tokens (EMTs) / Security Tokens:** Tokens that derive their value from an underlying asset or basket of assets, or grant rights akin to traditional financial instruments.

**Tokens granting ownership rights:** Tokens representing a share in the profits or ownership of a company or project.

**Tokens representing debt:** Tokens akin to bonds, offering a promise of future repayment with interest.

**Tokens representing claims on underlying assets:** Tokens that derive their value from a pool of assets, where the token holder has a claim on those assets and where there's an expectation of profit from the efforts of a third party (e.g., certain types of Asset-Referenced Tokens as defined by MiCA).

**Tokens providing voting rights or governance rights** within an entity that resemble corporate governance.

**Tokens that clearly function as an "investment contract,"** where purchasers invest money in a common enterprise with an expectation of profits to be derived from the managerial efforts of others. This is the underlying principle behind tests like Howey.

**ASIF Supervision (AML/CFT):** Any entity engaging in activities related to virtual assets (issuing, exchanging, transferring, providing custody, etc.) would likely fall under ASIF's supervision as a "financial entity" for AML/CFT purposes. This would entail:

**Licensing/Registration:** Entities providing "virtual asset services" would need to be registered with or authorized by ASIF for AML/CFT compliance.

**AML/CFT Obligations:** Implementing robust Know Your Customer (KYC) procedures, transaction monitoring, suspicious transaction reporting, and record-keeping, in line with FATF recommendations.

**Prudential Oversight:** For tokens that mimic financial instruments (like e-money or certain asset-referenced tokens), ASIF's existing prudential oversight mandate over financial institutions could extend to the issuer, requiring capital adequacy, risk management, and consumer protection measures, even if not explicitly codified for crypto tokens.

**No Specific Exemptions:** Because there aren't specific registration requirements for crypto securities offerings, there aren't codified exemptions either. Any "exemption" would likely be due to the activity falling outside the strict definition of a financial service requiring specific authorization, but *never* from AML/CFT obligations.

**AML/CFT Focus:** Any platform facilitating secondary trading of crypto assets, if operating within or connected to the Holy See, would be subject to ASIF's AML/CFT supervision. This means robust KYC for traders, transaction monitoring, and reporting of suspicious activities.

**No Regulated Exchanges:** There are no regulated cryptocurrency exchanges operating under Holy See jurisdiction that would provide a market for security tokens.

**Market Abuse:** Principles against market manipulation, insider trading, and other abusive practices, as found in international financial law, would implicitly be expected to be upheld for any financial instrument, including security-like tokens, even if not specifically legislated for crypto in the Holy See.

**AML/CFT Compliance:** Issuing directives, imposing sanctions, or taking corrective measures against financial institutions or entities under its supervision for failures in AML/CFT controls, suspicious transaction reporting, or adherence to international sanctions regimes.

**Cooperation with International Bodies:** Collaborating with foreign financial intelligence units (FIUs) and supervisory authorities on cases of international financial crime.

**Financial Stability:** Ensuring the sound and prudent management of financial resources within the Vatican system.

**Law No. CLIX (previously Law No. CVIII):** This is the foundational law on transparency, supervision, and financial intelligence for the Holy See and Vatican City State. It has undergone several amendments to align with international standards, particularly FATF.

**ASIF Statute:** Defines the structure, functions, and responsibilities of ASIF.

**ASIF Regulations:** These provide detailed rules on prudential supervision, anti-money laundering and combating the financing of terrorism (AML/CFT), and other aspects of financial oversight. While there isn't a specific regulation titled "Crypto Securities Regulation," relevant regulations on AML/CFT for financial institutions and virtual asset service providers (VASPs) would apply.

**Role:** This is the primary financial intelligence unit and prudential supervisory authority for the Holy See and Vatican City State. It is responsible for AML/CTF oversight across all Vatican entities and has been tasked with supervising virtual assets and VASPs.

**Institute for the Works of Religion (IOR) / "Vatican Bank"**

**Role:** While not a regulator, the IOR is the primary financial institution within the Vatican. Its operations fall under the supervision of the ASF. Any potential interaction with virtual assets by the IOR would be subject to the ASF's regulations.

**Law No. CLXXVI (176) of 25 October 2021: "Modifications to the criminal law and to the law regarding anti-money laundering and anti-terrorism financing"**

**Significance:** This is the most critical piece of legislation directly addressing virtual assets. It amended the previous foundational AML/CTF laws (primarily Law No. XVIII of 2013) to explicitly include virtual assets and Virtual Asset Service Providers (VASPs) within the scope of the Holy See's AML/CTF regulations. It brings the Holy See's framework further in line with FATF Recommendation 15 and its updated guidance for VASPs.

**Reference:** This law was promulgated in the *Acta Apostolicae Sedis* (Official Gazette of the Holy See). While a direct public English translation URL is often not available for specific Vatican laws, its content and impact are widely discussed in MONEYVAL reports and ASF statements. The ASF's "Normative Framework" section usually lists applicable laws: https://www.asf.va/EN/Regolamentazione/Quadro_Normativo

**Law No. XVIII of 8 October 2013: "Provisions on transparency, supervision and financial information"**

**Significance:** This was the foundational AML/CTF law establishing the ASF and setting out the initial framework for financial supervision and combatting illicit financial activities. Law No. CLXXVI of 2021 built upon and amended this law to incorporate virtual assets.

**Reference:** Often referred to as a key part of the Holy See's AML framework.

The ASF regularly issues ordinances and regulations to implement the provisions of the laws. These would specify the practical requirements for entities dealing with virtual assets, such as reporting obligations, customer due diligence, and supervision parameters for VASPs, should any operate within the jurisdiction or interact with its financial system.

**Reference:** These are published on the ASF's website, for instance, under their "Regulations" section.

**No Ban, but Strict AML/CTF Controls:** The Holy See does not have a general ban on cryptocurrencies. However, any activity involving virtual assets that falls within its jurisdiction, particularly those that could be construed as financial services, is subject to its robust AML/CTF framework.

**Virtual Asset Service Providers (VASPs) under Supervision:** Following Law No. CLXXVI of 2021, any entity defined as a Virtual Asset Service Provider (VASP) under FATF guidelines would be subject to the supervision of the ASF for AML/CTF purposes. This includes exchanges, custodians, and other service providers dealing with virtual assets.

**Limited Local Market:** Given the extremely small size and specific nature of Vatican City State's financial system and economy, there is no significant local market for crypto trading or a proliferation of crypto exchanges operating within its physical borders. The regulations are primarily in place to ensure that the Holy See's financial system cannot be exploited for illicit activities using virtual assets, consistent with its international obligations to MONEYVAL and FATF.

**Focus on Risk Mitigation:** The Holy See's stance reflects a commitment to mitigate the risks associated with money laundering and terrorist financing, regardless of the technology used. This means that while virtual assets are not prohibited, their use within or through the Vatican's financial system would be highly scrutinized for compliance with AML/CTF rules.