How Mauritius-headquartered Crypto Startups Can Detect And Handle Money Laundering Events Under New Rules

March 13, 2022

Mauritius, a country based off the coast of East Africa, has been rolling out rules targeted at regulating the crypto-currency industry in the country. In 2021, the country introduced the Virtual Assets and Initial Token Offering Services (“VAITOS”) Act 2021, which came into force on the 7th of February 2022. The Act establishes a regulatory framework for new and developing activities involving Virtual Assets (“VAs”) and Initial Token Offerings (“ITOs”) in Mauritius, as well as measures to combat money laundering and terrorist funding related with VAs.

Under the latest guidance from the Financial Services Commission, in charge of regulating the cryptocurrency industry in Mauritius, Virtual Assets Service Providers (“VASPs”) and Issuers of Initial Token Offerings (“IITOs”) must set out measures for the prevention of Money Laundering and Terrorism Financing (“ML/TF”) during the course of their business and operations.

According to the commission, the Guidance Notes, which is effective from 28 February 2022, should be read in conjunction with the VAITOS Act 2021, the Financial Intelligence and Anti-Money Laundering Act 2002 (“FIAMLA 2002”), the Financial Intelligence and Anti-Money Laundering Regulations 2018 (“FIAMLR 2018”) and the FSC’s Anti-Money Laundering and Combatting the Financing of Terrorism (“AML/CFT”) Handbook.

What Red Flags Should Licensed Crypto Startups Be Wary Of Under The New Guidance?

Crypto companies licensed under the VAITOS Act should be wary of the following red flag indicators in the course of their operations. 

Read also When war hits, even crypto can’t stay neutral

Anonymous Transactions

  • Customers paying highly for and using technological features providing higher anonymity.
  • Customers entering the crypto company’s digital platforms using an Internet protocol (IP) address that allows anonymous communication such as the Onion router, I2P or IP associated with a darknet.
  • Crypto companies receiving or sending funds from other crypto companies with weak or nonexistent Customer Due Diligence or Know Your Customer (“KYC”) requirements.
  • The practice of transporting cryptocurrency across borders via decentralized/non-hosted, hardware or paper wallets. In comparison to a centralised system, where some hazards are reduced, decentralized crypto systems are particularly prone to anonymity risks.
  • Crypto transactions involving mixing and tumbling services, implying an intention to conceal the movement of criminal money between known wallet addresses and darknet marketplaces.
  • Unusual volume of cryptos cashed out at exchanges from related wallets on P2P systems with no reasonable business explanation.
  • Vendors of cryptocurrency that assist crypto activities through terminals pose a greater danger if the machine or kiosk is located in a high-risk area and is utilized for repeated small transactions.

Suspicious Transactions

  • Similar to structuring cash transactions, structuring crypto transactions (e.g. exchange or transfer) in small amounts or amounts below record-keeping or reporting limits.
  • Multiple high-value transactions — in quick succession, such as within a 24-hour period, in a staggered and regular pattern, with no subsequent transactions recorded for an extended period of time, which is especially common in ransomware cases involving cryptos or newly created or previously inactive accounts.
  • The initial deposit made to a crypto account is too huge for the consumer profile.
  • Making a large initial deposit to start a new connection with a crypto company, funding the deposit in full the first day, and trading the entire deposit or a large portion of it the next day, or withdrawing the entire deposit the next day.
  • A new user tries to trade or remove all crypto balance from the platform.
  • Making large transfers to and from the same crypto account or IP address by multiple people in a short period of time (e.g. a day, a week, a month).
  • Exchanging crypto-fiat currencies at a loss. 

Suspicious Sender or Recipient Details

  • Creating multiple accounts with different names to avoid trading or withdrawal restrictions.
  • A consumer who refuses to provide KYC paperwork or answer questions about fund source.
  • Sender/recipient unaware of the transaction, funds source, or counterparty relationship.
  • A customer offers identity or account credentials that have been shared by another account.
  • Disparities exist between IP addresses connected with a customer’s profile and those used to begin transactions.

Questionable Source of Funds or Wealth

  • Making payments to sanctioned addresses, darknet marketplaces, or other illegal websites.
  • Crypto transactions to or from internet gambling services.
  • Using one or more connected credit or debit cards to withdraw significant quantities of fiat currency (crypto-to-plastic) or monies to purchase cryptos.
  • Deposits into a crypto address are unusually high, with an unknown source of funds, followed by a conversion to fiat currency.
  • Improper usage of shell businesses, monies placed in an Initial Token Offering where personal data of investors may not be available, or incoming transactions via online payment systems using credit/prepaid cards followed by immediate withdrawal.
  • Funds sourced directly from third-party mixing services or wallet tumblers by a customer.
  • The majority of a customer’s wealth comes from fake cryptos or Initial Token Offerings.
  • The majority of a customer’s money comes from other crypto firms or IITOs that lack AML/CFT safeguards.

Funds From High-risk Countries

  • Moving funds to crypto firms or IITOs 11 domiciled or run in jurisdictions with no or inadequate AML/CFT rules.
  • These jurisdictions may not have a licensing/registration system, or have not extended STR standards to cover crypto operations, or have not implemented all preventive measures.

How Crypto Companies Can Achieve Compliance With The AML/CFT Rules

First of all, it must be noted that the Guidance Notes, which is effective from 28 February 2022, must be observed in conjunction with the VAITOS Act 2021, the Financial Intelligence and Anti-Money Laundering Act 2002 (“FIAMLA 2002”), the Financial Intelligence and Anti-Money Laundering Regulations 2018 (“FIAMLR 2018”) and the FSC’s Anti-Money Laundering and Combatting the Financing of Terrorism (“AML/CFT”) Handbook.

Read also Ghanaian Fintech Dash Sets Record With $32.8M Seed To Build A Unified Payments App For Africa

That said, crypto companies with headquarters in Mauritius must implement the following compliance checks in the course of their operations:

Risk Assessment

  • They should identify areas where their products/services could be exposed to ML/TF risks; 
  • Take appropriate steps to ensure that any identified risks are managed and mitigated through the establishment of appropriate and effective policies, procedures and controls.

Customer Due Diligence

  • Crypto companies and IITOs must keep accurate customer records. Examining their wealth and sources of cash.
  • They must also identify their customers and, where relevant, their beneficial owners, and then verify their identities.
  • When performing covered crypto activities for or on behalf of their clients, they must gather necessary due diligence information.
  • Due diligence should also be able to identify clients and their beneficial owners, as well as the purpose and intended nature of the business relationship, as well as acquiring additional information in high-risk scenarios.
  • Due diligence measurement can also be conducted using a trustworthy and independent digital identification system, even if clients are not physically present.
  • In order to decide if they can rely on the results obtained, or whether extra processes are required to supplement the existing controls, they must evaluate the controls inherent in these digital identity systems.
  • The electronic KYC documents must be valid and adequately verify that the customers are who they claim to be.
  • They must gather, hold, and communicate required and correct originator and beneficiary information instantly and securely when undertaking virtual asset transfers.
  • They may not effect a crypto transfer without the required and accurate information.
  • A financial institution must follow the Travel Rule requirements when transmitting or receiving crypto asset transfers on behalf of a customer.
  • They should employ applicable software to: identify counterparty wallet type (pre-transaction); identify risk-related details about the beneficiary through blockchain analytics and sanctions screening providers; allow to safely send or receive encrypted customer’s Personally Identifiable Information (“PII”) through various messaging protocols; store encrypted customer PII for up to seven years.
  • For occasional transactions, they must apply customer due diligence measures to an amount equal to or above 1000 US dollars, or an equivalent amount in foreign currency, where the exchange rate to be used to calculate the US dollar equivalent is the selling rate in force at the time of the transaction, whether conducted as a single transaction.
  • They should keep all customer due diligence-secured identification documents for at least 7 years.

Enhanced Due Diligence (EDD)

  • Crypto companies and IITOs will be expected to develop internal controls and other procedures to combat ML/TF, including EDD procedures for high-risk persons, business ties and transactions, as well as persons formed in countries without appropriate systems in place. 
  • Particularly, they should follow Regulation 15 of the FIAMLR 2018 when dealing with Politically Exposed Persons (“PEPs”).
  • If they cannot perform the requisite EDD, they must end the business connection and file a suspicious transaction report under FIAMLA 2002 Section 14.

Transaction Monitoring And Reporting

  • In addition to applying robust KYC methods that enable identification of suspected ML/TF activities, crypto companies must to establish effective transactional monitoring systems to ascertain the origin and destination of cryptos on their accounts.
  • They are expected to act responsibly and to report any suspicious behaviour by participants transacting with cryptos.
  • If they notices suspicious activity or have reason to suspect a transaction is suspicious, they must: a) get EDD in accordance with Regulation 12 of the FIAMLR 2018; and b) make an internal disclosure in accordance with Regulation 27 of the FIAMLR 2018.
  • These reporting processes must also apply to prospective customers and attempted transactions that did not occur.
  • The Money Laundering Reporting Officer of the crypto company should next assess if a Suspicious Transaction Reporting (STR) to the Financial Intelligence Unit is required.

Crypto money laundering Mauritius Crypto money laundering Mauritius Crypto money laundering Mauritius Crypto money laundering Mauritius

Security Token Trading In Mauritius Now Eligible For Licensing Under New Regulation

Charles Rapulu Udoh

Charles Rapulu Udoh is a Lagos-based lawyer who has advised startups across Africa on issues such as startup funding (Venture Capital, Debt financing, private equity, angel investing etc), taxation, strategies, etc. He also has special focus on the protection of business or brands’ intellectual property rights ( such as trademark, patent or design) across Africa and other foreign jurisdictions.
He is well versed on issues of ESG (sustainability), media and entertainment law, corporate finance and governance.
He is also an award-winning writer

Tags: