Key takeaways from Latvijas Banka’s webinar on crypto-asset regulation and recording
Here I would like to share my thoughts and once again underline the main points of interest, focusing on four critical areas:
- licensing,
- anti-money laundering (AML) requirements,
- prudential supervision,
- Digital Operational Resilience Act (DORA) requirements for crypto-asset service providers (CASPs).
The rapid growth of the crypto sector has created a strong need for regulatory frameworks to ensure financial stability, safeguard consumers, and maintain market integrity. The webinar aimed to provide participants with the knowledge and tools necessary to successfully navigate the regulatory landscape in Latvia and the broader EU.
If you missed the live session or would like to revisit any part of the discussion, the webinar recording is available below.
Licensing process for CASPs is streamlined and efficient
The first thing I would like to stress is that the licensing process for CASPs in Latvia is designed to be smooth and efficient, providing market participants with the clarity and support they need. During the webinar, Latvijas Banka introduced its "CASP Roadmap" – a comprehensive guide to help newcomers understand regulatory expectations and the steps involved in obtaining authorisation.
One of the key features highlighted was the pre-licensing process. As part of this process, Latvijas Banka offers support in the preparatory stage of authorisation by examining the initial business model and conducting a risk assessment. This allows market participants to validate key aspects of their applications with the regulator and receive feedback on the initial submission. This approach helps ensure that the licensing process is smooth and efficient, saving both time and resources for applicants.
Latvijas Banka aims to complete its initial assessment of submitted documentation within 25 days. Then it informs the applicant about the next steps or any clarifications required. This tailor-made approach is intended to make the process as streamlined as possible while addressing the unique aspects of each applicant's business model.
At Latvijas Banka, we always highlight the importance of meeting certain requirements regarding management structure, capital reserves, internal controls, and the custody of reserve assets. These are essential to ensure the stability and reliability of CASPs operating in the Latvian market. During the webinar, we also advised companies to consult Latvijas Banka's AML Handbook and website for further clarifications throughout the preparatory stage of licensing.
AML risk supervision guide
During the webinar, we provided a comprehensive overview of the AML regulatory framework that CASPs must adhere to. According to the EU's AML regulations and guidelines from the European Banking Authority (EBA), CASPs are subject to the same rules as other financial institutions, reinforcing the importance of transparency and accountability in crypto-related businesses.
With respect to AML risk supervision, I would like to emphasise the requirements that must be followed: a clear and transparent business model and a physical presence in Latvia. The appointment of an AML compliance officer who is readily available to the regulatory body is mandatory, as are high-quality internal control systems to ensure compliance with AML regulations. Blockchain analytics tools must be used to enhance internal control systems, enabling better monitoring and reporting of suspicious transactions.
Latvijas Banka has prepared an AML checklist, featuring eight key elements of internal control that CASPs can use to assess their readiness. These elements include risk assessments, governance structures, customer due diligence processes, transaction monitoring systems, and reporting mechanisms. The bank expects to receive quarterly reports from CASPs, ensuring ongoing oversight and compliance with AML requirements.
Risk-based approach and regulatory expectations
In terms of supervision, Latvijas Banka honours its commitment to a risk-based approach to overseeing CASPs. The bank has set high standards for management and governance, expecting CASP executives to be trustworthy, knowledgeable about the business, and capable of ensuring timely and high-quality reporting.
Supervision is about ensuring that CASPs have the right management, systems, and processes in place to mitigate risks.
Key expectations include proper conflict of interest management, segregation of customer funds, and adherence to robust IT security and cybersecurity protocols. Additionally, board members must have a thorough understanding of the crypto business, and communication with the regulator must be timely and effective.
As the development of the fintech sector is one of our priorities, Latvijas Banka has established a dedicated Financial Technology Supervision Department, staffed with certified experts and equipped with advanced crypto supervision tools. The department allocates resources based on the risk profile of each CASP and implements a risk-based approach to supervision. This helps to ensure that resources are focused on the highest-risk areas, allowing for efficient and targeted regulatory oversight.
During the webinar, participants were also introduced to the capital requirements, prudential safeguards, and regulatory technical standards that CASPs must meet. An important element of prudential supervision is the segregation of customer funds, a requirement designed to protect customers in the event of insolvency or other financial difficulties.
Recently, Latvijas Banka also published a crypto-asset classification guide. It includes information on tokenisation. This guide is a valuable resource for CASPs looking to ensure compliance with regulatory standards.
Preparation for the DORA Regulation
Starting from 2025, the DORA Regulation will apply to financial institutions, including CASPs in Latvia. This new regulation focuses on digital operational resilience in the area of Information and Communication Technology (ICT) risk management.
During the webinar, our experts explained that CASPs will need to develop robust ICT risk management frameworks. Identifying risks, ensuring protection and detection mechanisms, and implementing strong incident response and recovery processes will be critical. These requirements will apply to four key areas: ICT risk management, incident management, operational resilience testing, and third-party risk management.
DORA defines specific criteria for incident reporting and classification, which CASPs must adhere to. One of the most important aspects of the regulation is outsourcing management, which requires CASPs to engage with third-party ICT providers in a manner that minimises risk. Companies will need to conduct gap analyses, follow the development of regulatory technical standards (RTS), and adopt an implementation plan that ensures compliance with DORA's requirements.
Additionally, CASPs must prepare and test their ICT incident reporting processes, ensuring that they can respond to incidents in a timely and effective manner. The management body of each CASP is responsible for approving the necessary budget and resources to comply with DORA, highlighting the need for a top-down approach to digital resilience.
Open for consultations
With this webinar, I would like to underline that regulatory compliance is achievable, but it requires preparation, transparency, and a strong commitment to internal controls. Latvijas Banka is here to support potential market participants, offering consultations and resources to ensure that CASPs can meet the regulatory requirements effectively. We encourage participation in the Innovation hub, where potential CASPs can seek consultations and guidance. For more information, please visit fintechlatvia.eu and bank.lv.
Q&A session
Yes, the functions related to ICT service provision and ICT risk management could be outsourced to appropriate third parties. This may appear as a feasible approach for smaller financial entities or within group structures. However, it’s crucial to remember that the management bodies bear ultimate responsibility for ICT risk management and functions, even if the function is provided under contract.
The AML auditors may be based outside Latvia; however, the rationale for the choice of the auditor and the scope of the audit must be agreed upon with the supervisor prior to the audit. External auditors can be certified in another EU country. The financial entity must verify that IT auditors, whether internal or external, possess appropriate skills and knowledge to effectively perform the relevant audits and assessments. Financial entities must ensure appropriate segregation and independence of ICT risk management functions, control functions, and internal audit functions, according to the three lines of defense model or an internal risk management and control model. It is not required to get the regulator's approval for a particular audit company.
It is required that a company have at least two individuals in its management team to effectively handle both business operations and risk management. One person should be responsible for overseeing the business, while the second should focus on managing risks, ensuring that potential threats to the business are identified and addressed. This separation helps to create a balanced approach, preventing conflicts of interest and ensuring that both business development and risk control receive adequate attention.
Starting December 30, 2024, CASPs will be classified as financial institutions themselves; therefore, AML requirements applicable to financial institutions will also apply to CASPs. The example of a correspondent relationship mentioned during the presentation means that if a CASP onboards another CASP, it will have to apply the same controls as if a bank onboards another bank or a payment institution onboards another payment institution. This means it will need to conduct enhanced due diligence (AML Law, Article 22) and apply additional measures in addition to customer due diligence (AML Law, Article 24). If a bank opens an account for a CASP providing higher-risk services with large asset transfers, it is expected that the bank would also have a blockchain analytics tool to properly assess the level of risk associated with the CASP and mitigate it. However, a blockchain analytics tool would not be necessary if the CASP is providing, for example, advisory services on crypto-assets or managing a low-volume portfolio of crypto-assets.
CASPs, during the licensing process, may already submit the relevant passport notification form. Immediately after authorization, we will send the notification to other Member States and register and publish your cross-border activity.
Latvijas Banka is in the process of developing the quarterly reporting forms. These will include information on the products and services offered by CASPs, their customer base, geographies, volumes and types of assets, and wallet IDs. More detailed information will be available by the end of this year.
Board members do not necessarily have to be Latvians or residents of Latvia, but the company’s seat must be in Latvia, and the board must be reachable at its legal address.
For submission in the authorization process, procedures and policies must be in Latvian or, even better, bilingual (Latvian and another language). However, documents regarding officials, the origin of funds, and shareholders may be in English. During the pre-licensing process, documents can be in English.
The AML person does not have to be a resident of Latvia, but they must be easily accessible to the Latvian supervisor and must have an understanding of the Latvian AML framework.
The AML responsible person can be English-speaking, but they must have an understanding of the Latvian AML framework. Official correspondence with Latvijas Banka is in Latvian.