Virtual assets, AML and anti-terrorism financing

The popularity of virtual assets is booming. Investors can now purchase and trade virtual assets in a variety of ways, including through any number of virtual asset trading platforms. The rise in popularity of virtual assets and platforms has caught the attention of regulators, legislators, the media, and the public. Because of the anonymity and decentralized nature of recording and processing virtual asset transactions, criminal elements have been attracted to the medium and have used virtual assets to commit a variety of cybercrimes, launder money, and finance terrorism. The Financial Action Task Force (FATF”), a global money laundering and terrorist financing watchdog established by the G7, explicitly requires virtual asset service providers to be regulated so as to prevent money laundering and the financing of terrorism.

Previous Legislation

Requirements of Taiwan’s Money Laundering Control Act (the “Act”) apply to businesses operating virtual asset and trading platforms. Businesses that provide services related to virtual assets are not specifically defined in the Act, and there are no regulations or requirements under the Act that specifically address or apply to such businesses. The Act does provide that all businesses, including those offering virtual asset related services, must comply with certain rules such as establishing internal anti-money laundering systems and certain know-your-customer processes.

New Regulations

Based on recommendations from the FATF, Taiwan’s Financial Supervisory Commission (the “FSC”) has published new regulations entitled the “Regulations Governing Anti-Money Laundering and Countering the Financing of Terrorism for Enterprises Handling Virtual Currency Platforms or Transactions” (the “Regulations”), which took effect on 1 July 2021 (except for Article 7 of the Regulations, the effective date of which has yet to be determined by the FSC) to further clarify the obligations of virtual asset service providers. For the purposes of the Regulations, “Virtual Assets” means “assets stored, exchanged, or transferred through encryption, distributed ledger technology, or similar technologies, for the purpose of payment or investment.” “Virtual Assets” do NOT include fiat currencies issued digitally, nor securities or other financial assets regulated under other laws. Businesses providing the services set out below will be considered Virtual Asset service providers (“VASP”) and subject to the Regulations.

  • exchanges between Virtual Assets and fiat currencies, including New Taiwan dollars, foreign currencies, Renminbi, Hong Kong dollars, and Macau dollars;
  • exchanges between one or more forms of Virtual Assets;
  • transfers of Virtual Assets;
  • custodial services and/or administration of Virtual Assets or instruments enabling control over Virtual Assets[1]; and
  • participation in and provision of financial services related to an issuer’s offer and/or sale of a Virtual Asset.

Pursuant to the Regulations, there are a few key obligations imposed on VASPs, including the following:

1. Know Your Client

The Regulation sets out detailed know-your-client obligations. Pursuant to the Regulation, a VASP must verify the identity of each client when the client:

  • commences a business relationship with the VASP;
  • conducts one or multiple related transactions with a value equal to or over TWD30,000; or
  • appears to be engaging in a transaction with a heightened probability of involving money laundering or terrorist activities.

VASPs must understand the purpose and nature of each client’s business and verify the client’s identity based on reliable, independent documentation. VASPs may engage third party service providers to conduct identity checks; however, the VASP will remain ultimately responsible for confirming the identity of each client.

If the client is a trustee, a legal person (such as a corporation), or an organization, the VASP must obtain the client’s articles of association and the personal information of individuals holding senior management positions with the client.

Further, the VASP must obtain information on ultimate beneficial owner(s) owning twenty-five percent (25%) or more of the equity interests of the client, who should be natural persons. Under certain circumstances, the VASP may not be required to obtain information related to the ultimate beneficial owners, for instance if the client is a foreign government, a Taiwan government organization, a listed company, or a financial institution which is organized in a jurisdiction which already regulates such institutions in accordance with standards set forth by the FATF.

If a VASP identifies certain factors which indicate a heightened risk of prohibited behavior, the VASP must heighten its level of scrutiny and take additional precautions, such as implementing reasonable steps to determine the client’s ultimate source of capital. A common risk factor that results in heightened scrutiny requirements include a situation in which the client’s business is based in a jurisdiction with anti-money laundering laws that fail to meet international standards.

The VASP must refuse conducting business with a potential client if:

  • the VASP believes the potential client is masking their identity or that of another person by using a fake name or opening an account for and on behalf of another person, corporation, or group;
  • the VASP is unable to obtain information on the client sufficient for the VASP to comply with its obligations pursuant to the Regulations; and
  • the client, or its key personnel, or [any] ultimate beneficial owner is a natural person, corporation, or organization sanctioned under the Counter-Terrorism Financing Act or by an international organization or government.

The above know-your-client obligations are ongoing. We recommend a VASP reviews its clients’ identity at least once annually.

2. Internal Control System

A VASP must have anti-money laundering and counter terrorism control systems. Such internal control systems must be approved by the VASP’s board of directors. The directors, supervisors, and management of the VASP must all receive training regarding the internal control systems and the systems must be managed by persons at the management level. Like the know-your-client requirements, this training of employees is a continuing obligation meant to ensure that the VASP staff maintain adequate understanding of its internal control systems.

3. Record Keeping

Subject to other applicable laws, the Regulations requires a VASP to keep transaction records for at least five (5) years, including documents establishing the identity of clients as well as documented proof of all business transactions.

4. Disclosure Requirements

The Regulations imposes a reporting obligation on VASPs. VASPs must report any client which has conducted Virtual Assets transactions totaling over TWD500,000 within a five (5) business day period. These reports are to be made to the Ministry of Justice.

We expect the Regulations to be just the beginning and for relevant regulations to continue to evolve. We will keep our clients informed as to important new developments in this area.

If you have any questions or require additional information on the relevant regulations in relation to virtual assets in Taiwan, please contact Greg Buxton at gbuxton@winklerpartners.com.


[1] According to this definition, service providers keeping the “key” to the Virtual Assets will also be regulated under the Proposed Law.

Written November 2, 2021 By Gregory A. Buxton, Bryan Tan, Ming Teng.