Home Knowledge Virtual Asset Service Providers’ AML/CFT Frameworks: Central Bank Observations on VASP Applications for Registration

Virtual Asset Service Providers' AML/CFT Frameworks: Central Bank Observations on VASP Applications for Registration


On 11 July 2022, the Central Bank issued a bulletin to virtual asset service providers (VASPs) outlining its regulatory expectations and setting out recurring weaknesses in, VASP registrations.

As is the case for all regulated entities, the Central Bank expects that VASPs have the necessary risk culture and appropriate risk and control frameworks to minimize the risk of criminals using their products or services to launder money or finance terrorism.

When assessing a VASP registration application, the Central Bank must be satisfied that the applicant’s AML/CFT policies and procedures are robust enough to effectively combat money laundering and terrorist financing risks associated with its business model.

Please see our briefing here for further information on the VASP registration process and obligations under the Anti-Money Laundering and Countering the Financing of Terrorism (AML/CTF) frameworks.

Applications Phase

Expectation – The Central Bank expects applicant firms to consider its guidance documents and reminds them of the option to attend a pre-application meeting.

Weakness – In certain instances, firms did not fulfil requirements for information and documentation. For example, policies were submitted without accompanying procedures, or an internal risk register was submitted in place of a documented risk assessment.

Assessment Phase

1) Risk Assessment

Expectation – The firm’s AML/CFT risk assessment must focus on specific risks arising from a firm’s business model and drive that firm’s AML/CFT control framework. Robust controls must be implemented to mitigate and manage the identified risks.

Weakness – AML/CFT risks specific to the firm, and the firm’s activities and consumers were not assessed or documented. There was a failure by firms to demonstrate how residual risk ratings were determined for each risk factor. Information in National Risk Assessment or CBI guidance was not considered (e.g. guidance on inherent risk factors such as Nature, Scale, Complexity, Geographical Risk, Products and Services risk) when documenting the firm’s risk assessment.

2) Policies and Procedures

Expectation – The firm should maintain a documented suite of AML/CFT policies and procedures, which are supplemented by guidance and accurately reflect operational practices. The policies and procedures should also demonstrate consideration of and compliance with Irish legal and regulatory requirements.

Weakness – Some policies and procedures submitted referred to legislative frameworks in other jurisdictions. In many instances, while policies were submitted, the procedures that detail how the firm implemented the policies were not provided.

3) Customer Due Diligence

Expectation – Firms should know their customers, persons purporting to act on behalf of customers and beneficial owners. Firms must also have enhanced due diligence procedures for dealing with politically exposed persons (PEPs).

Weakness – Insufficient information on the purpose and intended nature of the business relationship with a customer before establishing the relationship together with a failure to document screening processes for PEP’s and PEP approval processes within the firm.

4) Financial Sanctions

Expectation – The Central bank expects firms to have an effective screening system appropriate to the nature, size and risk of their business. Firms must follow clear escalation procedures in the event of a positive match.

Weakness – Failure to document a process to screen for financial sanctions and steps to be taken in the event of a financial sanctions hit.

5) Outsourcing

Expectation – Where an Irish registered VASP outsources its AML/CFT functions, a documented agreement must clearly define the outsourcing service provider’s obligations. The VASP should also maintain evidence of sufficient oversight. For more information on Central Bank outsourcing guidance, please see our briefing here.

Weakness – Several applicant firms did not submit their policies on outsourcing or service level agreements or demonstrate sufficient oversight of the outsourced activities or provide evidence of assurance testing.

6) PCFs

Expectation – Individual Questionnaires (IQs) for each proposed Pre-Approval Controlled Function (PCF) role holder to be submitted as soon as practical.

Weakness – A failure to or delay in submitting IQs for each PCF role holder.

7) Presence in Ireland

Expectation – The Central Bank expects at least one senior management employee to be located physically in Ireland.


While the observations of the Central Bank are focused primarily on VASPs, the expectations outlined together with the weaknesses observed are equally applicable to all firms seeking authorisation as a regulated entity and where such firms are obliged to have in place, an effective anti-money laundering and terrorist financing regime.

Contact Us

For more information, please contact any member of the Financial Regulation Unit or your usual William Fry contact.


Contributed by Jane Balfe