20/01/22

CSSF guidance on virtual assets - Recent developments in the financial sector

On 29 November 2021, the Commission de surveillance du Secteur Financier (the “CSSF”) published a Communiqué entitled “CSSF guidance on virtual assets” as well as an FAQ on “Virtual Assets” which were recently updated on 4 January 2022. These two initiatives are a follow up to a previous CSSF publication on ‘Financial Innovation: a challenge and an ambition for the CSSF’.

The tem ‘Crypto-assets’ from the document titled "CSSF guidance on virtual assets" was a reference from the European Proposal for a Regulation on Markets in Crypto-assets (the “MICA”) as well as to the amendments brought in 2020 to the Law on the fight against money laundering and terrorist financing (the “AML/CTF Law”). We commented these in a previous article of ours that we invite you to read it before pursuing with this paper.

In its recent Communiqué “CSSF guidance on virtual assets” (hereinafter the “Communiqué”), the CSSF informs all supervised entities of four specific aspects that, within this article, are listed hereunder in a reversed order to that of the Communiqué:

-   Follow continuous regulatory updates: all entities are required to closely follow the regulatory developments concerning the prudential treatment of virtual assets, assess their implications for investments as well as for customers, carefully weigh the risks and benefits associated with the proposed virtual assets activities, and adapt their business and operational arrangements activities to the near-future regulatory developments (i.e. MICA);

-   The need for internal governance arrangements: entities are also reminded that their management body is responsible (a) for developing a business strategy for activities involving virtual assets and in which all specific risks are properly considered; and (b) for the risk strategy concerning virtual assets, including determining the risk appetite and the overall framework for risk-taking and risk management;

-   Existing obligation of due diligence: any entity under the CSSF supervision and pursuing an activity involving virtual assets bears the responsibility to carry out a thorough due diligence and carefully weigh up the risks and benefits associated with the virtual assets activity;

-   Questions raised by professions under the supervision of the CSSF (FAQ): the CSSF seems to have received numerous questions on activities involving virtual assets – questions mostly concerning investments in virtual assets by investment funds, direct investments in virtual assets, or depository duties in the virtual assets context.

As a result, the CSSF also has drafted a Virtual Assets FAQ. The CSSF will continue to publish a separated FAQs on Virtual Assets for other entities under its supervision (i.e. FAQ – Virtual assets for credit institutions).

This first FAQ on Virtual Assets was initially based on four and contains now, up to this day, five questions regarding practical issues encountered by professionals of the financial sector. The document will likely be subject to ongoing updates given that it is a “Version 2 – 4 January 2021”. One could therefore expect to see more questions being added to it over time. All questions are currently under the same single general title: “Undertakings for Collective Investment” showing that the focus was put, this time around, exclusively over these professionals. The terms “Virtual Assets” and “Virtual asset service provider” are used therein with the meaning of the AML/CTF Law  (that we have discussed in our previous article).


Question 1: May a UCITS invest in virtual assets?
 

The CSSF reached the conclusion that investing in virtual assets is not suitable for all kind of investors and/or all investment objectives. Consequently, the following entities are not allowed to invest in virtual assets (directly or indirectly):

-   (1) Undertakings for the Collective Investment in Transferable Securities (UCITS),
-   (2) undertakings for collective investment (UCI) addressing non-professional customers, and
-   (3) Pension Funds. Given that the AML/CTF Law definition for ‘Virtual Assets’ excludes digital/virtual assets fulfilling the conditions of ‘financial instruments’ (namely financial instruments under a dematerialized form), these assets are not concerned by the ban.
 
Our analysis:
The UCITS exclusive purpose is the collective investment in transferable securities and/or in other liquid financial assets (transferable securities and money market instruments dealt in on a regulated market under certain conditions, authorised UCITS units, deposits with a credit institution, financial derivative instruments dealt in on a regulated market or dealt in over-the-counter under certain conditions, money market instruments, etc.) and capital raising from the public.

The Pension Funds purpose is the collection of funds and their investment with a view to  spreading the investment risks, whose shareholders are entitled to a capital sum at the time of retirement (SEPCAV); or the collection of funds and their investment with a view to  spreading the investment risks, in which the rights of the members take the form of claims and which provides for, at the time of  retirement, either a capital payment  or  the  annuity  payment  and,  where appropriate, ancillary benefits  (ASSEP) - arts. 5 and 25 of the amended Law of 13 July 2005 on institutions for occupational retirement provision in the form of pension savings companies with variable capital (SEPCAVs) and pension savings associations (ASSEPs).

Considering the purposes of these entities and the involvement of potential non-professional investors, the CSSF considers UCITS, UCIs and Pension Funds as not suitable for all kind of investors and/or all investment objectives, in particular to non-professional investors. As a consequence, the CSSF excluded them from investing, directly or indirectly, in virtual assets. This decision is not at all that surprising: non-professional investors are particularly vulnerable having regard to their lower financial resources and, more importantly, to their lack of experience, knowledge, expertise and appropriate internal procedures to duly assess the risks incurred.

This position is no different than the one the CSSF already took beginning 2018 in a warning against virtual currencies (considered as virtual assets under the AML/CTF Law) where it stated that “the entities under the prudential supervision of the CSSF must take into account that investing in virtual currencies is not suitable for all kinds of investors and investment objectives. UCITS, UCIs addressing non-professional customers and pension funds are thus not allowed to invest directly or indirectly in virtual currencies”.

Indeed, the CSSF specified, in this respect that virtual currencies are neither regulated, nor guaranteed by a central bank or a deposit guarantee scheme, nor stable (they constitute highly volatile and speculative investments), nor without risks (they bear a certain number of risks, including total loss of investment).

The above entities might however invest in digital/virtual assets fulfilling the conditions of ‘financial instruments’. Indeed, as we exposed in our previous article, the definition of Virtual Assets excludes the ‘virtual assets’ that would fulfil the conditions of ‘financial instruments’ within the meaning of Article 1, point (19), and Annex II, Section B, of the amended Law of 5 April 1993 on the financial sector. Indeed, financial instruments that fall within one of the eleven types of financial instruments listed in this Annex II, Section B, are not to be considered as virtual assets and are, therefore, not concerned by CSSF decisions on virtual assets. UCITS, UCIs and Pension Funds may therefore invest in those financial instruments as long as those investments do not constitute an indirect investment in Virtual Assets, given that the entities are precluded from also indirectly investing in Virtual Assets.

In contrast to the above, investments in virtual assets that only aim profession investors may be allowed insofar the entities concerned comply with the regulatory requirements: obtaining an authorisation extension from the CSSF for its new investment strategy and implement adequate internal control functions that are responsible for the approval of new products/investment strategies. Therefore, AIF, for example, may directly or indirectly invest in virtual assets should the fund’s shares or units be exclusively be sold to professional investors (see next question).
 

Question 2: May an AIF invest in virtual assets?

An Alternative Investment Fund (AIF) with an authorised AIFM may invest in virtual assets under the cumulative condition that (i) the AIF sells its units only to professional investors (and therefore not to retail investors); (ii) the authorised AIFM obtains a CSSF authorisation extension for this new investment strategy; and (iii) it implemented adequate internal control functions that are responsible for the approval of new products/investment strategies.
 
Our Analysis:
Investment funds aiming professional investors may invest in virtual assets, as defined by the AML/CTF Law, as long as they are able to apply and comply with the existing regulatory requirements. As opposed to UCITS, UCI and Pension Funds, which (also) aim retail investors, AIFs may invest in virtual assets under certain conditions, both directly and indirectly. However, this possibility is strictly conditioned by three specific requirements:

An AIF investing in virtual assets is only allowed to sell its shares or units to professional investors, which also implies that the authorised AIFM complies with the requirements provided by the amended Law of 12 July 2013 on alternative investment fund managers (hereinafter the “AIFM Law”).
A professional investor is a client who possesses the experience, knowledge and expertise to make its own investment decisions and properly assess the risks that it incurs (Article 1, para. (53), of the AIFM Law referring to the Annex II to the repealed Directive 2004/39/EC).

Should such AIF be managed by a Luxembourg AIFM, the latter must obtain from the CSSF an authorisation extension for its new investment strategy in virtual assets. Indeed, articles 6, para. (3) and 9 of the amended Law of 12 July 2013 on alternative investment fund managers already require AIFM to notify the CSSF of any changes in the AIF investment strategies. To that end, the AIF has, among others, to check the case “Other - Other fund-Virtual assets”, in the “AIF strategies” form, published in CSSF Website.
One could notice here the CSSF’s silence on the possible need for the AIFM to obtain an authorisation for virtual asset service provider (VASP). Indeed, this authorisation is notably required for any person providing services related to an issuer’s offer or sale of a virtual asset – Article1, al. (20quater), AML/CTF Law. It would seem that the AIF could be concerned by these provisions and the CSSF briefly addresses this point in its answer to Question 3.

In this regard, we pointed out, in our previous article, that “the registration requirement for the VASPs (as defined) does not exclude the need for entities to apply for other licenses/registrations that may be required for other activities they may also perform, either by Luxembourg law or by the laws of other jurisdictions”. This was also specified by the CSSF itself in a document published back in 2020 (last paragraph). The reverse logic could be applied here: it is not excluded that an AIFM benefiting from a CSSF authorisation may also need to apply for other licenses/registrations depending on its activities, namely to the VASP.

Finally, the AIFM must implement adequate internal control functions aiming the approval of new investment strategies. This third requirement is already provided by article 6 of the amended Law of 12 July 2013 on alternative investment fund managers. The CSSF justified this requirement by pinpointing the risks involved with virtual assets, should the AIFM decide to integrate virtual assets in its investment policy: volatility, liquidity and technological risk (hacking) that could affect the risk profile of a given investment vehicle.
However, virtual assets (as defined by the AML/CTF Law) may aim different virtual assets: virtual assets strictly speaking (with no specific qualification), virtual currencies, NFTs (including NFTs that may represent financial assets), etc.

Although all tokens constitute a digital representation of value that can be digitally traded/transferred, they may have very distinct features: different purposes; different stabilisation mechanisms (e.g. “custodial” stablecoins collateralised by fiat, gold, etc.); different characteristics and, some, so specific and unique that they are not fungible (such as NFTs); they also may aim or not aim to finance a specific project (such as the creation of a new cryptocurrency or other in the context of an initial coin offering (ICO) or the tokenisation of real estate in the context of security token offering (STO)).

The “virtual asset” definition of the AML/CTF Law does not seem to require virtual assets to be specifically traded/transferred through distributed ledger technologies (unlike MICA’s “crypto-assets”) and may potentially aim virtual assets that are registered, traded and transferred by another technology. This definition does not contain any indication in this regard, nor any special required in terms of cryptography.
It follows from the above that virtual assets, although largely unregulated, do not all comprise the same risk level. They may use different technologies, have very different characteristics and serve as well different purposes. Therefore, AIFMs need to make a case-by-case assessment of the possible impact of virtual assets investments on the risk profile of the investment fund. They also need to ensure that their investors are informed in a complete, transparent and timely manner and that all relevant investment fund documentation is up-to-date.

The CSSF FAQ regarding specifically alternative investment fund managers, which was lastly updated in June 2021, does not contain, up to this date, a single reference of virtual assets, let alone the three AIF requirements seen hereinbefore.
 

Question 3: Do  IFM need any authorisation for the management of virtual assets?

An authorised Investment Fund Manager (IFM) may need to apply for a VASP registration should it provide one or more services listed under article 1, al. (20quater), of the AML/CTF Law.
 
Our Analysis:
An Investment Fund Manager (r the “IFM”) that intends to invest in virtual assets needs to obtain the prior authorisation from the CSSF for that investment strategy as “Other - Other fund-Virtual assets” and, to that end, must communicate a certain number of information to the CSSF – including a description of the project and of the different services providers/delegates involved, information on whether or not the investments in virtual assets will be made directly or indirectly; updated risk management and valuation policies; a description regarding the experience of the portfolio manager in virtual assets; a description of how the custody of the assets will be organised by the depositary; information regarding the targeted investors; any information on the AIF distribution channels; and the IFM’s AML/CTF analysis on the assets side.

Before investing in virtual assets, the CSSF requires the prior IMF authorisation or prior project presentation of an AIF initiator. An emphasis is put by the CSSF on assessing the conditions under which the IFM (or any participant in the fund business operations) is involved in the virtual assets control by means of access to/control over the cryptographic keys.

Following the aforementioned authorisation/presentation, the CSSF will conduct an analysis of the services performed in light of the VASP activities listed under article 1, al. (20quater), AML/CTF Law. Should the IFM perform one or more of those activities/services, it will need to apply for a VASP registration before initiating its activity and a registration process may then take place. Therefore, the CSSF seems to admit the possibility for the IFM to invest in virtual assets and to apply for a VASP registration.

One must note the definition of “virtual asset service provider” (VASP) as ; (1) any person, be it a physical or a legal person, regardless of its form; (2) providing a service; (3) on behalf or for its customer; (4) in particular one the following 5 services:

(a)   the exchange between  virtual  assets  and  fiat  currencies,  including  the  service  of  exchange between virtual currencies and fiat currencies;
(b)   the exchange between one or more forms of virtual assets;
(c)   the transfer of virtual assets;
(d)   the safekeeping or administration of virtual assets or instruments enabling control over virtual assets, including the custodian wallet service;
(e)   the participation in and provision of financial services related to an issuer’s offer or sale of a virtual asset.

Question 4: Are there any specific considerations regarding the mitigation of AML risks? 

The CSSF expects that the Responsable du Contrôle (RC) and the Responsable du Respect (RR) of  supervised  entities  investing  in  virtual  assets  can  demonstrate an  adequate  understanding  of  the  new  money  laundering,  terrorist financing,  proliferation  financing  risks  posed by virtual assets and the necessary measures to mitigate them.
 
Our Analysis:
 
An entity under the CSSF supervision that intends to pursue an activity involving virtual assets is concerned by the 4 points seen initially herein regarding the Communiqué on the “CSSF guidance on virtual assets”. In particular, all entities need to carry out a thorough due diligence, carefully weigh up the risks and benefits associated with the virtual assets activity and their management body is responsible (a) for developing a business strategy for activities involving virtual assets and in which all specific risks are properly considered; and (b) for the risk strategy concerning virtual assets, including determining the risk appetite and the overall framework for risk-taking and risk management.

Furthermore, article 4(1), par. 4, of the AML/CTF Law obliges all professionals (including those seen above: UCITS, UCI, Pension Funds, AIF and IMF) to appoint, where appropriate, a person responsible for compliance with the AML/CTF professional obligations among the members of their management (Responsable du Respect).

Article 4(1), par.2, al. (a), of the AML/CTF Law requires professionals to put in place policies, controls and procedures to mitigate and manage AML/CTF risks, including the appointment of a compliance officer at appropriate hierarchical level (Responsable du Contrôle).

These obligations apply to all professionals supervised, authorised or registered by the CSSF, including Luxembourg branches of foreign professionals notified to the CSSF, as well as foreign professionals notified to the CSSF which provide services in Luxembourg without establishing a branch (article 2, CSSF Regulation NO 12-02).

The Responsable du Contrôle and the Responsable du Respect must have the professional experience, knowledge of the Luxembourg legal and regulatory framework relating to AML/CF (article 40 (3), CSSF Regulation NO 12-02). In this regard, the AML/CTF Law itself also obliges professionals to put  into place ex ante procedures, at the hiring level, in order to  “ensure  that  the  hiring  is  made  according  to  applicable  professional  standing and experience  criteria” (Article 4, par. 6, AML/CTF Law).

In particular, the new article 7-1 (3) of the AML/CTF Law also provides, regarding the VASPs authorisation, that “at least two persons must be responsible for the management of the virtual asset service provider and entitled to effectively determine the policy of the business. These persons shall possess adequate professional experience”.

Considering the above application of the “four eyes” principle, the CSSF stressed  that the mitigation measures implemented by the  supervised  entity  must  be  commensurate  with  these  increased  risks, and expects that the two Responsables have an adequate  understanding  of  the  new  money laundering,  terrorism financing,  proliferation  financing  risks  posed  by  virtual assets and the necessary measures to mitigate them – in particular, the  national  vertical  risk  assessment  of  money  laundering  and  terrorist  financing  related  to  VASP.

In this regard, the Ministry of Justice published in December 2020 an extensive document on the national vertical risk of money laundering and terrorism financing (stakeholders, data, threat assessment, vulnerabilities assessment, mitigating factor, etc.).

All entities with an activity related to virtual assets are advised to verify whether they need to register with the CSSF as a VASP and initiate that registration process and ensure how to comply with all their AML/CTF professional obligations.

Question 5: May a depositary act for funds investing directly in virtual assets? 

This question was recently added by the CSSF to the FAQ and most commentaries on this FAQ do not address it. The CSSF considers that Luxembourg fund depositaries may be mandated to act as depositary for investment funds investing directly in virtual assets.
 
Our Analysis

Are presumably excluded from the scope of the CSSF depositaries appointed by UCITS, UCIs addressing non-professional customers and pension funds, as the latter investment funds cannot directly or indirectly invest in virtual assets.

Fund depositaries have four main duties: safekeeping assets of investment funds; monitoring the cash flows; performing oversight duties; and maintaining accurate records in relation to these functions. Luxembourg fund depositaries are appointed by IFMs through a written contract.

In this respect, investment funds established in Luxembourg must appoint a depositary that is either a CSSF licensed (1) credit institution (also called “depositary bank”), (2) investment firm within the meaning of the amended Law of 5 April 1993 on the financial sector or (3) professional depositary of assets other than financial instruments (PDAOFI) (art.26-1 of the amended Law of 5 April 1993 on the financial sector).

Investment firms that wish to perform depositary duties must fulfil a certain number of regulatory conditions: They must be a legal person, set up internal governance procedures (including organisational structures and internal control procedures appropriate to their depositary activity) and hold an authorisation covering the ancillary service of ‘safekeeping and administration of financial instruments for the account of clients’ referred in point 1 of Section C of Annex II of the amended Law of 5 April 1993 on the financial sector.

Following the aforementioned requirement of having appropriate internal governance procedures, the CSSF emphasizes the need for all depositaries of investment funds investing in virtual assets (credit institutions, investment firms, and PDAOFI) to have adequate organisational arrangements and appropriate operational models, considering the specific risks related to the safekeeping of virtual assets.

Furthermore, all already licensed depositaries intending to act as a depositary for an investment fund investing in virtual assets (credit institutions, investment firms, and PDAOFI) must notify the CSSF beforehand.

The liability of depositaries providing services for investment funds with regards to virtual assets that qualify as “other assets” (and not as “financial instruments”) is limited to the (1) safekeeping duties regarding ownership verification based on information or documents provided by the IFM/investment fund as well as on external evidence; and (2) record keeping that is up-to-date. This is in line with article 19, para. (8), sub. (b), AIFM Law as well as with article 90 of the Commission Delegated Regulation (EU) no 231/2013 of 19 December 2012.

Whenever the depositary does not provide safekeeping/administration services relating to virtual assets, the IFM/investment fund may alternatively appoint a specialised virtual asset service provider (VASP). According to the CSSF, this VASP could be an entity providing “custodian wallet services” which is a service that, consists in safeguarding private cryptographic keys to hold, store and transfer – not virtual assets in general – but specifically ‘virtual currencies’. Depending on the virtual assets concerned, we would tend to think that a specialised VASP in ‘Safekeeping or administration service provider’ would be more adequate as it concerns the safekeeping or administration service provider of (all kinds of) virtual assets (as defined by the AML/CTF Law) or instruments enabling control over virtual assets.

Should the IFM/investment fund appoint a VASP, the virtual assets are not recognised in the off-balance sheet of the depositary and the depositary is not liable for the restitution of the assets. On the contrary, this liability is directly incumbent on the VASP and, to that effect, the IFM/investment fund is required to have a written contractual relationship with that VASP.

Finally, the depositary providing ‘administrative and depositary services’ to an investment fund investing in virtual assets needs to register as a VASP within the meaning of article 2, para. (20e), of the AML/CFT law, if that depositary provides ‘safekeeping or administration’ services relating to virtual assets to its client (including the custodian wallet service).

Virtual assets are then recognised in the off-balance sheet and the depositary has an obligation of restitution for the loss of these assets under civil law.

Fund depositaries that are considering to directly safeguard virtual assets are required to notify the CSSF of such plans in a timely manner in addition to VASP registration requirements.

Our team specialised in Fintech, DLT, NFT and Tokenization is able to respond in case of questions or need of assistance :
 
Erwin SOTIRI, Partner
Ruben MENDES, Associate
Maria CHIAPOLINO, Senior Counsel

dotted_texture