OBLIGATIONS OF PROVIDERS OF VIRTUAL ASSET EXCHANGE AND DIGITAL WALLET SERVICES
The legislative duties of providers of virtual asset exchange services and virtual asset digital wallet services fall within three main areas of regulation: regulation of investment activities and services (MiFID II); AML/KYC/CFT (protection against money laundering and terrorist financing); and personal data protection (GDPR).
Investment activities and services are regulated by Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments (the “MiFID II Directive”) and Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments (the “MiFIR”); the MiFID II Directive and the MiFIR are collectively referred to as “MiFID II”. Under the MiFID II Directive, the definition of investment services and investment activities provided in the annex to the MiFID II Directive was extended to also include the operation of an Organised Trading Facility (the so-called OTF).
The aim of the MiFID II legislation is to strengthen investors' trust, reduce market risk and improve the efficiency of the financial markets, as well as to prevent unnecessary expenses for the transaction participants. Provision of virtual asset exchange services may be qualified as an organised trading system. MiFID II introduces new obligations regarding data storage, in particular the storage of telephone and electronic communication between an investment company and a client with respect to all types of financial instruments when receiving, sending and executing the client's instructions.
Electronic and telephone communication must be retained for a period of five years and, when requested by a competent authority, for a period of seven years. In this context, investment companies are most impacted by the need to create or adapt IT infrastructures for retaining the electronic communication and the recordings of the electronic communication.
The second area is the AML regulation based on Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU, hereinafter collectively referred to as the “5th AML Directive”, which was supposed to be implemented in the legislation of the Slovak Republic by 10 January 2020. Even though the Slovak Republic failed to implement the 5th AML Directive by that date, its provisions apply to the providers of virtual asset exchange services and the providers of virtual asset digital wallet services as of 10 January 2020 based on the direct effect of the 5th AML Directive. Therefore, all the obligations under the AML Act apply to the providers of these services. These are mainly (but not only) obligations such as verification of the clients' identity; finding out whether a client or an ultimate beneficial owner of the client is a politically exposed person or a sanctioned person; identification of the origin of the funds; reporting unusual business transactions to the financial information unit and providing all the required assistance; proper record keeping; and the obligation to produce the provider's own operation scheme and keep it up to date.
The last area is personal data protection. It is regulated by Regulation (EU) 2016/679 of the European Parliament and of the Council, under which the data controller processes personal data in its own name with the data subject's consent and is obliged to ensure their protection and archiving and to acquaint the client with the client's right to rectification. The controller also ensures erasure and restriction of the processing of the client's personal data, as well as a functioning system for handling personal data by way of the required control mechanisms. A fine of up to 10 million euros, or 20 million euros, may be imposed on the controller for each individual breach of the GDPR-related obligations. The exact sum is always determined based on the specific obligation breached.