KYC/AML Obligations for Virtual Currency Service Providers

You are a virtual currency service provider if you offer one or more of the following services:

• services to safeguard private cryptographic keys on behalf of its customers, to hold, store and transfer virtual currencies (custodian wallet provider);
• exchange between virtual currencies and fiat currencies;
• exchange between one or more forms of virtual currencies;
• transfer of virtual currencies;
• participation in and provision of financial services related to an issuer's offer and sale of virtual currencies.

Virtual currency service providers will be obliged to apply customer due diligence in the following cases:

1. when establishing a business relationship;
2. when executing any transactions which are not conducted within the scope of a business relationship (occasional transactions)
   1. which involve an amount of at least EUR 15 000 or a euro equivalent value, regardless of whether the transaction is carried out in a single operation or in multiple operations between which there is an obvious connection; or
   2. which involves a transfer of funds as defined in Article 3 (9) of Regulation (EU) 2015/847 exceeding EUR 1 000;
3. for each deposit into savings deposits, and for each withdrawal of savings deposits if the amount deposited or withdrawn is at least EUR 15 000 or a euro equivalent value;
4. if the institution suspects or has reasonable grounds to suspect that the customer belongs to a terrorist organisation (Article 278b StGB) or the customer objectively participates in transactions which serve the purpose of money laundering (Article 165 StGB – including asset components which stem directly from a criminal act on the part of the perpetrator) or terrorist financing (Article 278d StGB);
5. when there are doubts as to the veracity or adequacy of previously obtained customer identification data.

The scope of customer due diligence generally comprises:

1. identifying the customer and verifying the customer's identity on the basis of documents, data or information obtained from a reliable and independent source, including electronic identification means and relevant trust services as set out in Regulation (EU) No 910/2014 and any other secure, remote or electronic identification process in accordance with para. 4;
2. identifying the beneficial owner and taking reasonable measures to verify that person's identity so that the obliged entity is satisfied that it knows who the beneficial owner is, including, as regards legal persons, trusts, companies, foundations and similar legal arrangements, taking reasonable measures to understand the ownership and control structure of the customer. Where the beneficial owner identified is the senior managing official pursuant to Article 2 no. 1 point b WiEReG, obliged entities shall take the necessary reasonable measures to verify the identity of the natural person who holds the position of senior managing official and shall keep records of the actions taken as well as any difficulties encountered during the verification process. A reasonable measure is to inspect the register of beneficial owners in accordance with Article 11 WiEReG;
3. assessing and obtaining information on the purpose and intended nature of the business relationship;
4. obtaining and checking of information about the source of the funds used; such information may include details about professional or business activities, income or operating result or the general financial situation of the customer and their beneficial owners;
5. identification and verification of the trustor and the trustee pursuant to para. 3;
6. conducting ongoing monitoring of the business relationship including scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the obliged entity's knowledge of the customer, the business and risk profile, including where necessary the source of funds.
7. regular checking of the availability of all required information, data and documents that are required under the federal act, and updating of such information data and documents.

Yes. Virtual currency service providers must first apply to the FMA for registration before conducting their activities in Austria or offering their activities from within Austria. The application must be accompanied by the following information and documents:

1. The name or company name of the service provider and if available the managing director(s);
2. the place of incorporation of the undertaking and the business address for delivery of relevant documents;
3. a description of the business model, indicating in particular the nature of the intended services;
4. a description of the internal control system that the applicant intends to implement and a description of the strategies and procedures planned to comply with the requirements of this federal act and Regulation (EU) 2015/847, and
5. in the case of a legal person, additionally the identity of and the amount contributed by owners who directly or indirectly possess a qualifying holding in the applicant pursuant to Article 4 para. 1 no. 36 of Regulation (EU) no. 575/2013.

Yes. Any person who offers services related to virtual currencies without the required registration commits an administrative offence and shall be punished by the FMA with a fine of up to EUR 200 000.

The obligation to register enters into force on 10 January 2020; however, virtual currency service providers will be able to submit an application to the FMA beginning 1 October 2019.