1. | Business risk assessment. In implementing adequate and appropriate AML/CFT policies, procedures, and controls to detect and prevent illicit activities, VASPs must conduct AML/CFT business risk assessments. |
2. | The AML/CFT business risk assessments must be designed and implemented in order for VASPs to understand, identify and assess money laundering risks specific to their business and operations, taking into consideration their nature, size, and complexity. This includes, but is not limited to, identifying and assessing the AML/CFT risks in relation to the development and use of new or existing— |
| a. | Virtual Assets (in particular, Anonymity-Enhanced Cryptocurrencies); |
| b. | Virtual Asset related technologies, products or services (in particular, methods in which Anonymity-Enhanced Transactions can be conducted); |
| c. | Virtual Asset related business and professional practices; |
| d. | other technologies not specific to Virtual Assets (e.g. artificial intelligence and machine learning); and |
| e. | other emerging risks. |
3. | Business risk assessments required under this Rule III.D must be carried out— |
| a. | at regular intervals no longer than every three (3) months; and |
| b. | in the event of a significant change or advancement in any of the areas listed in Rule III.D.2. |
4. | VASPs shall ensure, and be able to demonstrate to VARA on request, that the outcomes of business risk assessments directly inform— |
| a. | the development and update of the VASP's AML/CFT policies, procedures, systems, and controls, including specific risk mitigation measures where appropriate; and |
| b. | the areas in which the VASP prioritises the allocation of resources in its AML/CFT activities. |
5. | VASPs enabling Anonymity-Enhanced Transactions as part of their VA Activities must implement proportionately enhanced controls to ensure compliance with all applicable laws and regulations (including all Federal AML-CFT Laws), Regulations, Rules and Directives, as well as effectively monitor and prevent illicit uses. Such controls shall include conducting enhanced CDD on each client using those services, which shall be verified every six (6) months. In the case where the AML/CFT risks cannot be adequately mitigated, such products or services should not be offered. |
6. | Client risk assessment. In implementing adequate and appropriate AML/CFT policies, procedures, and controls to detect and prevent illicit activities, VASPs must conduct AML/CFT client risk assessments. |
7. | The AML/CFT client risk assessments must be designed and implemented in order for VASPs to understand, identify and assess money laundering risks specific to their client base and must include, but not be limited to, identifying and assessing— |
| a. | the criteria and methodology for the categorisations of each client's AML/CFT risk; |
| b. | how such assessments are planned to be documented and associated courses of action to prevent illicit activity in each case based on the tiers of risk and probability of occurrence; and |
| c. | requirements for maintaining comprehensive audit trails of all risk assessments. |
8. | Client risk assessments required under this Rule III.D must be carried out at regular intervals no longer than every three (3) months. |