The Bangko Sentral ng Pilipinas (BSP) issued new regulations for service providers of virtual currencies and assets on Friday, instructing them to conduct background checks on customers and strengthen their financial consumer protection policies.
BSP Deputy Governor Chuchi G. Fonacier laid out the guidelines for virtual asset service providers (VASP), which are entities that offer financial services for virtual assets or cryptocurrencies such as Bitcoin, through memorandum No. 2021-013 dated Feb. 18.
“With strict risk-based implementation of KYC (know your customer) by BSP-supervised financial institutions, AML (anti-money laundering) risks are mitigated,” Ms. Fonacier said in a text message on Friday.
“Actually, (this applies) not just for VASPs but to all BSP-supervised financial institutions that offer financial services, consumer protection is a MUST. The public must be protected especially the vulnerable and also those availing of financial services for the first time,” she added.
Under the guidelines, VASPs were asked to conduct customer due diligence when establishing business relations with clients, including those that they do occasional transactions with.
They are also expected to do a background check if they suspect possible money laundering or terrorist financing activities happening, or have any doubt that the initial information of the customers obtained was not enough or was lacking accuracy.
A business transaction is considered relevant if a single transaction, or if two or more linked transactions combined, are worth at least P5,000.
“For this purpose, the VASP should have an appropriate system to identify and determine occasional customers or transactions,” the circular, which was posted on Friday, stated.
In ensuring the clients’ safety, VASPs are required to adopt customer awareness measures to educate their clients about: safeguarding their virtual assets (VAs) or currency wallets; keeping sensitive information such as login credentials safe; using mobile applications; the fees they are being charged during transactions as well as troubleshooting measures.
“VASPs shall clearly communicate and explain to their customers the terms and conditions prescribing the manner on how the losses and liabilities from security breaches, system failure, or human error will be settled between the VASP and its customers,” the BSP said.
They also need to disclose to their customers, in a “fair and not misleading way,” the potential risks that they might be encountering during transactions, including when they are acquiring, holding and trading their crypto assets.
“VASPS shall also disclose whether they are holding VAs in custody and the attendant risks or whether the customers have full control and responsibility of protecting and safeguarding their VAs,” the regulator said.
The service providers also need to set up a system where they will handle and respond to customer complaints.
In a text message, Fintech Alliance.ph Chairman Angelito “Lito” M. Villanueva said he believes the new guidelines will help minimize money-laundering activities and fraud in dealing with cryptocurrencies.
The BSP said a VASP with safekeeping and administration services for VAs should maintain a minimum capital requirement worth P50 million, while those without these services will only need to have at least P10 million.
Those that are offering wallet services where VAs can be held and stored should have a cybersecurity framework and security measures to ensure confidentiality, integrity and availability of data in the platforms.
The regulator said this will shield the platforms from malware, cyber-attacks and other threats that may arise against VAs.
Entities maintaining fiat wallets also need to maintain enough unencumbered liquid assets to make sure sudden redemptions will be met, as well as establish a system that will record receipts.
When using outsourcing services, VASPS will need to have a “sound risk management system” to minimize risks on confidentiality of information, data privacy and management and other security issues.
“The VASP shall be responsible for the performance of the service in the same manner and to the same extent as if it were directly performing the said activity,” it said.
The entities also need to have an internal control system based on the size and complexity of the business, with “competent offices” to perform key functions such as risk management, audit, compliance, anti-money laundering and information security, among other things.
The VASPs are limited to do business with companies authorized and licensed by regulations, and are required to have a robust accreditation process in choosing VAs that will be traded on the platforms.
VASPs, where VA transactions worth at least P50,000 will be coming from, should keep required and accurate records on where the funds originated and the information on the recipient. Such data will have to be sent to the beneficiary institution and should be readily available when asked by regulators.
The central bank started tightening its regulations on VASPS early this year after revising guidelines to include more service providers under its watch.
The move was meant to boost safeguards against risks in using these emerging digital services.
As of November last year, there were 17 money service businesses with virtual currency exchange services authorized by the central bank, based on latest available data.