|In implementing adequate and appropriate AML/CFT policies, procedures, and controls to detect and prevent illicit activities, VASPs must conduct AML/CFT business risk assessments.
|The AML/CFT business risk assessments must be designed and implemented to assist VASPs to better understand their risk exposure and areas in which they should prioritise allocation of resources in their AML/CFT activities. This includes identifying and assessing the AML/CFT risks in relation to the development and use of new or existing—
|Virtual Assets [in particular, Anonymity-Enhanced Cryptocurrencies];
|Virtual Asset related products or services [in particular, methods in which Anonymity-Enhanced Transactions can be conducted];
|Virtual Asset related business and professional practices; and
|technologies associated with VA Activities.
|VASPs enabling Anonymity-Enhanced Transactions as part of their VA Activities must implement proportionately enhanced controls to ensure compliance with all applicable laws and regulations [including all Federal AML-CFT Laws], Regulations, Rules and Directives, as well as effectively monitor and prevent illicit uses. Such controls shall include conducting enhanced CDD on each client using those services, which shall be verified every six  months. In the case where the AML/CFT risks cannot be adequately mitigated, such products or services should not be offered.